Apparatus and method for InsSec packet generation
Abstract
Techniques are provided herein to achieve data security and integrity using the cryptographic machinery of IEEE MACSec for TCP or UDP packets, for example VxLAN, iVxLAN, and VxLAN-GPE packets. In particular, the disclosed techniques generate InsSec packets from received VxLAN based packets, in which the generated InsSec packets include an integrity checksum that does not cover the MAC address of the packet.
20 Claims
1. An apparatus that generates an encrypted Virtual Extensible Local Area Network (VxLAN) packet for layer-2 data center interconnect, the apparatus comprising:
- a hardware network interface unit to send and receive packets from a network, wherein at least one of the received packets is a VxLAN based packet that at least includes:
a Media Access Control (MAC) header, an Internet Protocol (IP) header, either a User Datagram Protocol (UDP) header or a Transmission Control Protocol (TCP) header, a VxLAN header, a payload data, and a cyclic redundancy check (CRC);
a processor coupled to the hardware network interface unit, wherein the processor transforms the VxLAN packet into an encrypted VxLAN packet by at least performing the steps comprising:
encrypting the payload data of the VxLAN packet via a form of Media Access Control Security (MACSec);
inserting a MACSec header after the UDP or TCP header of the VxLAN packet; and
inserting an integrity check value (ICV) between the encrypted payload and the CRC of the VxLAN packet, wherein the ICV is configured to cover, so as to be derived as an integrity checksum of, at least the MACSec header and the encrypted payload but not a MAC address of the MAC header.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method of generating an encrypted Virtual Extensible Local Area Network (VxLAN) packet for layer-2 data center interconnect, the method comprising:
- receiving packets from a network via a hardware network interface unit, wherein at least one of the received packets is a VxLAN based packet that at least includes:
a Media Access Control (MAC) header, an Internet Protocol (IP) header, either a User Datagram Protocol (UDP) header or a Transmission Control Protocol (TCP) header, a VxLAN header, a payload data, an integrity check value (ICV) and a cyclic redundancy check (CRC), wherein the ICV is configured to cover, so as to be derived as an integrity checksum of, at least the MACSec header and the encrypted payload but not a MAC address of the MAC header;
transforming, by a processor, the VxLAN packet into an encrypted VxLAN packet by at least performing the steps comprising:
encrypting, by the processor, the payload data of the VxLAN packet via a form of Media Access Control Security (MACSec);
inserting, by the processor, a MACSec header after the UDP or TCP header of the VxLAN packet; and
inserting, by the processor, an integrity check value (ICV) between the encrypted payload and the CRC of the VxLAN packet, wherein the ICV is configured to cover at least the MACSec header and the encrypted payload but not a MAC address of the MAC header.
Dependent claims: 12, 13, 14, 15, 16, 17
18. An apparatus for decrypting a Virtual Extensible Local Area Network (VxLAN) packet for layer-2 data center interconnect, the apparatus comprising:
- a hardware network interface unit to send and receive packets from a network;
a processor coupled to the hardware network interface unit, wherein the processor:
determines whether at least one of the received packets is an encrypted VxLAN packet carrying a secured payload of a given type by identifying whether the packet has a User Datagram Protocol (UDP) header or a Transmission Control Protocol (TCP) header that includes a predefined layer-4 security port number associated with the given type, wherein the encrypted VxLAN packet includes at least:
a Media Access Control (MAC) header, an Internet Protocol (IP) header, either a UDP header or a TCP header, a Media Access Control Security (MACSec) header, a VxLAN header, an encrypted payload, an integrity check value (ICV), and a cyclic redundancy check (CRC), wherein the ICV is configured to cover, so as to be derived as an integrity checksum of, at least the packet's MACSec header and the packet's encrypted payload but not a MAC address of the packet's MAC header, and wherein the MACSec header includes an EtherType field that carries the layer-4 destination port number of the UDP or TCP header;
upon determining that the encrypted VxLAN packet includes the predefined layer-4 security port number, decrypts the secured payload of the encrypted VxLAN packet and checks the ICV; and
upon the ICV check passing, moves the layer-4 destination port number from the MACSec EtherType field to the UDP or TCP header, removes the MACSec header, corrects the CRC, and passes the resulting packet to an application-specific integrated circuit (ASIC) switch or router.
Dependent claims: 19, 20