Admissions control of a device

US 10,230,531 B2
Filed: 10/23/2014
Issued: 03/12/2019
Est. Priority Date: 10/23/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting, by a control device, a first device in a communication fabric that supports memory semantic operations between the first device and a second device, wherein the first device is one component of a larger group of components forming a larger device, the first device being selected from a group of components consisting of;

an individual memory device, an individual graphics controller;

an individual accelerator, an individual I/O component;

an individual ingress interface;

an individual egress interface;

an individual digital signal processor, and an individual switch; and

performing, by the control device, an admissions control process with the first device to determine whether the first device is authorized to communicate over the communication fabric, wherein the admissions control process comprises retrieving a certificate from an address within an address space at the first device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A control device performs an admissions control process with a first device to determine whether the first device is authorized to communicate over the communication fabric that supports memory semantic operations.

Citations

23 Claims

1. A method comprising:
- detecting, by a control device, a first device in a communication fabric that supports memory semantic operations between the first device and a second device, wherein the first device is one component of a larger group of components forming a larger device, the first device being selected from a group of components consisting of;
  
  an individual memory device, an individual graphics controller;
  
  an individual accelerator, an individual I/O component;
  
  an individual ingress interface;
  
  an individual egress interface;
  
  an individual digital signal processor, and an individual switch; and
  
  performing, by the control device, an admissions control process with the first device to determine whether the first device is authorized to communicate over the communication fabric, wherein the admissions control process comprises retrieving a certificate from an address within an address space at the first device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - in response to the admissions control process succeeding, enabling, by the control device, communication by the first device over the communication fabric.
  - 3. The method of claim 2, wherein enabling, by the control device, the communication by the first device over the communication fabric comprises instructing a switch to enable routing of packets for the first device.
  - 4. The method of claim 3, wherein detecting the first device comprises detecting the first device that is newly connected to or newly activated in the communication fabric, wherein the switch is to route packets of the newly connected or newly activated first device just to the control device until the admissions control process succeeds.
  - 5. The method of claim 1, further comprising:
    - in response to the admissions control process succeeding, sending, by the control device, a transaction integrity key to the first device, the transaction integrity key used in providing security for transactions of the first device.
  - 6. The method of claim 1, wherein performing the admissions control process uses a security element to verify the first device.
  - 7. The method of claim 6, wherein the security element is at least one of a public key, a private key, and a certificate.
  - 8. The method of claim 1, further comprising:
    - determining, by the control device, whether the first device supports a security header in transactions over the communication fabric; and
      
      in response to determining that the first device does not support the security header, configuring, by the control device, a gateway to act as a proxy for the first device, the proxy to insert the security header for a transaction of the first device.
  - 9. The method of claim 8, wherein configuring the gateway further comprises configuring the gateway that performs at least one selected from among:
    - inserting or modifying an access key in a packet on behalf of the first device to access a resource over the communication fabric, changing a component identifier in the packet for communication involving the first device, and restricting transaction types that are allowed for the first device.
  - 10. The method of claim 1, wherein the first device is an individual memory device and wherein the second device is a processor.

11. A control device comprising:
- at least one hardware processor to;
  
  determine whether a first device supports a security feature, wherein the first device is one component of a group of components forming a larger device, the first device being selected from a group of components consisting of;
  
  an individual memory device, an individual graphics controller, an individual accelerator;
  
  an individual I/O component;
  
  an individual ingress interface;
  
  an individual egress interface;
  
  an individual digital signal processor; and
  
  an individual switch;
  
  in response to determining that the first device supports the security feature,perform admissions control to determine whether the first device is authorized to communicate over a communication fabric that supports memory semantic operations, andsend a key to the first device to implement the security feature; and
  
  in response to determining that the first device does not support the security feature,configure a gateway to act as a proxy for the first device to implement the security feature such that the gateway generates a hash-based device authenticating security value and inserts the hash-based device authenticating security value into a security header of a packet received from the first device.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The control device of claim 11, wherein the key is for generating a security value to include in a transaction packet sent by the first device over the communication fabric.
  - 13. The control device of claim 11, wherein the admissions control comprises performing a challenge-response process or retrieving a certificate from the first device.
  - 14. The control device of claim 11, wherein the at least one processor is to further, in response to determining that the first device supports the security feature, configure the switch to enable routing of packets between the first device and other devices connected to the communication fabric.
  - 15. The control device of claim 11, wherein the configuring of the gateway further comprises configuring the gateway that performs at least one selected from among:
    - inserting or modifying an access key in a packet on behalf of the first device to access a resource over the communication fabric, changing a component identifier in the packet for communication involving the first device, and restrict transaction types that are allowed for the first device.

16. An article comprising at least one non-transitory machine-readable storage medium storing instructions that upon execution cause a gateway to:
- in response to an admissions control process authorizing a first device to communicate over a communication fabric that supports memory semantic operations, implement a security feature on behalf of the first device, wherein the security feature includes generating a device authenticating hash-based security value and inserting the hash-based device authenticating security value into a security header of a packet received from the first device, wherein the first device is an individual component of a group of components forming a larger a device selected from a group of components consisting of;
  
  an individual memory device, an individual graphics controller;
  
  an individual accelerator;
  
  an individual I/O component;
  
  an individual ingress interface;
  
  an individual egress interface;
  
  an individual digital signal processor, and an individual switch; and
  
  perform policy enforcement comprising at least one selected from among;
  
  inserting or modifying an access key in a packet on behalf of the first device to access a resource over the communication fabric, changing a component identifier in the packet for communication involving the first device, and restricting transaction types that are allowed for the first device.

17. A method comprising:
- receiving, with the gateway, a transaction packet from a first device in a communication fabric, wherein the first device is one component of a group of components forming a larger device, the first device being selected from a group of components consisting of;
  
  an individual memory device, an individual graphics controller;
  
  an individual accelerator;
  
  an individual I/O component;
  
  an individual ingress interface;
  
  an individual egress interface;
  
  an individual digital signal processor; and
  
  an individual switch;
  
  adding, with the gateway, a security header to the transaction packet;
  
  receiving, with a gateway, a transaction integrity key from a control device;
  
  generating, with the gateway, a hash-based device authenticating security value;
  
  inserting the hash-based device authenticating security value into the security header of the transaction packet; and
  
  forwarding the transaction packet for transmission to a second device in the communication fabric.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The method of claim 17 further comprising performing, with the gateway, policy enforcement comprising at least one selected from among:
    - inserting or modifying an access key in a packet on behalf of the first device to access a resource over the communication fabric, changing a component identifier in the packet for communication involving the first device, and restricting transaction types that are allowed for the first device.
  - 19. The method of claim 17 further comprising:
    - receiving, with the gateway, a second transaction packet targeting the first device, the second transaction packet comprising a second hash-based device authenticating security value in a second security header of the second transaction packet;
      
      performing, with the gateway, verification based upon the second hash-based device authenticating security value; and
      
      in response to successful verification, removing the second security header from the second transaction packet and transmitting the second transaction packet without the second security header through a switch to the first device in the communication fabric.
  - 20. The method of claim 17 further comprising:
    - inserting or modifying, with the gateway, an access key in the transaction packet on behalf of the first device to access a resource over the communication fabric.
  - 21. The method of claim 17 further comprising changing, with the gateway, a component identifier in the transaction packet for communication involving the first device.
  - 22. The method of claim 17 further comprising restricting, with the gateway, transaction types that are allowed for the first device.
  - 23. The method of claim 17 further comprising the gateway being configured by a control device to serve the first device in response to the first device not supporting a security feature in the transaction packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Edwards, Nigel, Krause, Michael R.
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/323,705
Publication Number

US 20170163427A1
Time in Patent Office

1,601 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 2209/56   Financial cryptography, e.g...

H04L 45/72   Routing based on the source...

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

Admissions control of a device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Admissions control of a device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links