Apparatus and method for inssec packet generation

US 10,454,928 B2
Filed: 10/25/2016
Issued: 10/22/2019
Est. Priority Date: 10/25/2016
Status: Active Grant

First Claim

Patent Images

1. An apparatus that generates an encrypted Virtual Extensible Local Area Network (VxLAN) packet for layer-2 data center interconnect, the apparatus comprising:

a hardware network interface unit to send and receive packets from a network, wherein at least one of the received packets is a VxLAN based packet that at least includes;

a Media Access Control (MAC) header, an Internet Protocol (IP) Header, either a User Datagram Protocol (UDP) header or a Transmission Control Protocol (TCP) header, a VxLAN header, a payload data, and a cyclic redundancy check (CRC);

a processor coupled to the hardware network interface unit, wherein the processor transforms the VxLAN packet into an encrypted VxLAN packet by at least performing the steps comprising;

encrypting the payload data of the VxLAN packet via a form of Media Access Control Security (MACSec);

inserting a MACSec header after the UDP or TCP header of the VxLAN packet; and

inserting an integrity check value (ICV) between the encrypted payload and the CRC of the VAAN packet, wherein the ICV is configured to cover, so as to be derived as an integrity checksum of, at least the MACSec header and the encrypted payload but not a MAC address of the MAC header.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided herein to achieve data security and integrity using the cryptographic machinery of IEEE MACSec for TCP or UDP packets, for example, VxLAN, iVxLAN, and VxLAN-GPE packet. In particular, the disclosed techniques generate InsSec packets from received VxLAN based packets, in which the generated InsSec packets include an integrity checksum that that does not cover the MAC address of the packet.

Citations

20 Claims

1. An apparatus that generates an encrypted Virtual Extensible Local Area Network (VxLAN) packet for layer-2 data center interconnect, the apparatus comprising:
- a hardware network interface unit to send and receive packets from a network, wherein at least one of the received packets is a VxLAN based packet that at least includes;
  
  a Media Access Control (MAC) header, an Internet Protocol (IP) Header, either a User Datagram Protocol (UDP) header or a Transmission Control Protocol (TCP) header, a VxLAN header, a payload data, and a cyclic redundancy check (CRC);
  
  a processor coupled to the hardware network interface unit, wherein the processor transforms the VxLAN packet into an encrypted VxLAN packet by at least performing the steps comprising;
  
  encrypting the payload data of the VxLAN packet via a form of Media Access Control Security (MACSec);
  
  inserting a MACSec header after the UDP or TCP header of the VxLAN packet; and
  
  inserting an integrity check value (ICV) between the encrypted payload and the CRC of the VAAN packet, wherein the ICV is configured to cover, so as to be derived as an integrity checksum of, at least the MACSec header and the encrypted payload but not a MAC address of the MAC header.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The apparatus of claim 1, wherein the ICV is configured to cover, so as to be derived as an integrity checksum of, at least the MACSec header, the encrypted payload, and the UDP or TCP header, but not the MAC address of the MAC header.
  - 3. The apparatus of claim 1, wherein the ICV is configured to cover, so as to be derived as an integrity checksum of, at least the MACSec header, the encrypted payload, the UDP or TCP header, and the IP header but not the MAC address of the MAC header.
  - 4. The apparatus of claim 1, wherein the MACSec header includes an EtherType field, wherein the MAC Header includes an EtherType field, wherein the IP header includes a protocol field, wherein the UDP or TCP header includes a UDP or TCP length field, and a layer-4 destination port field comprising a layer-4 destination port number, and wherein the processor transforms the VxLAN packet into the encrypted VxLAN packet by further performing the steps comprising:
    - copying the layer-4 destination port number from the UDP or TCP header into the MACSec EtherType field;
      
      overwriting the layer-4 destination port number of the UDP or TCP header layer-4 destination port field with a predefined layer-4 security port number that indicates that the encrypted VxLAN packet is carrying a given type of secured payload;
      
      updating the UDP or TCP length field to reflected added bytes; and
      
      replacing the CRC with a new CRC;
      
      wherein the operation of inserting the MACSec header comprises inserting a MACSec header after the UDP or TCP header of the VxLAN packet and before the VxLAN header.
  - 5. The apparatus of claim 4, wherein prior to encrypting the payload data of the VxLAN packet through the use of a form of MACSec, the processor:
    - calculates an offset to use in the encryption according to the fields of the VxLAN packet; and
      
      retrieves an encryption key by accessing an entry in a key store table using a corresponding table key, wherein the table key is selected from a group consisting of a packet outer destination IP address, a packet outer source IP address, a packet outer VLAN ID, and combinations thereof.
  - 6. The apparatus of claim 5, wherein the processor calculates the offset by:
    - setting the offset initially to 16 bytes when a VLAN tag is detected and setting the offset initially to 12 when no VLAN tag is detected;
      
      incrementing by 28 bytes if the packet is an IPv4 packet incrementing by 48 bytes if the packet is an IPv6 packet;
      
      incrementing by 8 bytes if the packet is a UDP packet; and
      
      incrementing by 20 bytes if the packet is a TCP packet.
  - 7. The apparatus of claim 5, wherein the processor:
    - receives a second packet from the hardware network interface unit;
      
      determines whether the second packet is carrying a payload of the given type of secured payload by identifying whether the second packet has a UDP or TCP header that includes the predefined layer-4 security port number;
      
      upon determining that the second packet includes the predefined layer-4 security port number, determine if there is a matching state in the key store table for the second packet;
      
      upon determining that there is a matching state, decrypt the second packet and check the ICV; and
      
      upon the ICV check passing, move the layer-4 destination port number from the MACSec EtherType field to the second packet'"'"'s UDP or TCP header, remove the MACSec header from the second packet, correct the second packet'"'"'s CRC, and pass the second packet to an application-specific integrated circuit (ASIC) switch or router.
  - 8. The apparatus of claim 1, wherein the processor resides within an Application Centric Infrastructure (ACI) switch of an ACI fabric system.
  - 9. The apparatus of claim 1, wherein the hardware network interface unit is an application-specific integrated circuit (ASIC) switch or router, and wherein the processor is a physical layer (PHY) device.
  - 10. The apparatus of claim 9, wherein the PHY device is an ASIC that is external to the ASIC switch or router.

11. A method of generating an encrypted Virtual Extensible Local Area Network (VxLAN) packet for layer-2 data center interconnect, the method comprising:
- receiving packets from a network via a hardware network interface unit, wherein at least one of the received packets is a (VxLAN) based packet that at least includes;
  
  a Media Access Control (MAC) header, an Internet Protocol (IP) Header, either a User Datagram Protocol (UDP) header or a Transmission Control Protocol (TCP) header, a VxLAN Header, a payload data, integrity check value (ICV) and a cyclic redundancy check (CRC), wherein the ICV is configured to cover, so as to be derived as an integrity checksum of, at least the MACSec header and the encrypted payload but not a MAC address of the MAC header;
  
  transforming, by a processor, the VxLAN packet into an encrypted VxLAN packet by at least performing the steps comprising;
  
  encrypting, by the processor, the payload data of the VxLAN packet via a form of Media Access Control Security (MACSec);
  
  inserting, by the processor, a MACSec header after the UDP or TCP header of the VxLAN packet; and
  
  inserting, by the processor, an integrity check value (ICV) between the encrypted payload and the CRC of the VXLAN packet, wherein the ICV is configured to cover at least the MACSec header and the encrypted payload but not a MAC address of the MAC header.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, wherein the ICV is configured to cover, so as to be derived as an integrity checksum of, at least the MACSec header, the encrypted payload, and the UDP or TCP header, but not the MAC address of the MAC header.
  - 13. The method of claim 11, wherein the ICV is configured to cover, so as to be derived as an integrity checksum of, at least the MACSec header, the encrypted payload, the UDP or TCP header, and the IP header but not the MAC address of the MAC header.
  - 14. The method of claim 11, wherein the MACSec header includes an EtherType field, wherein the MAC Header includes an EtherType field, wherein the IP header includes a protocol field, wherein the UDP or TCP header includes a UDP or TCP length field, and a layer-4 destination port field comprising a layer-4 destination port number, and wherein the transforming of the VxLAN packet into the encrypted VxLAN packet is performed by further performing at least the steps comprising:
    - copying the layer-4 destination port number from the UDP or TCP header into the MACSec EtherType field;
      
      overwriting the layer-4 destination port number of the UDP or TCP header layer-4 destination port field with a predetermined layer-4 port number to indicate that the encrypted VxLAN packet is carrying a given type of secured payload;
      
      updating the UDP or TCP length field to reflected added bytes; and
      
      replacing the CRC with a new CRC;
      
      wherein the operation of inserting the MACSec header comprises inserting a MACSec header after the UDP or TCP header of the VxLAN packet and before the VxLAN header.
  - 15. The method of claim 14, further comprising:
    - prior to the step of encrypting the payload data of the VxLAN packet through the use of a form of MACSec;
      
      calculating an offset to use in the encryption according to the fields of the VxLAN packet; and
      
      retrieving an encryption key by accessing an entry in a key store table using a corresponding table key, wherein the table key is selected from a group consisting of a packet outer destination IP address, a packet outer source IP address, a packet outer VLAN ID, and combinations thereof.
  - 16. The method of claim 15, wherein the step of calculating the offset comprises:
    - setting the offset initially to 16 bytes when a VLAN tag is detected and setting the offset initially to 12 when no VLAN tag is detected;
      
      incrementing by 28 bytes if the packet is an IPv4 packet;
      
      incrementing by 48 bytes if the packet is an IPv6 packet;
      
      incrementing by 8 bytes if the packet is a UDP packet; and
      
      incrementing by 20 bytes if the packet is a TCP packet.
  - 17. The method of claim 15, further comprising:
    - receiving a second packet via the hardware network interface unit;
      
      determining whether the second packet is carrying a payload of the given type of secured payload by identifying whether the second packet has a UDP or TCP header that includes the predetermined layer-4 port number;
      
      upon determining that the second packet includes the predetermined layer-4 port number, determining if is there is a matching state in the key store table for the second packet;
      
      upon determining that there is a matching state, decrypting the second packet and checking the ICV; and
      
      upon the ICV check passing, moving the layer-4 destination port number from the MACSec EtherType field to the second packet'"'"'s UDP or TCP header, remove the MAC Sec header from the second packet, correct the second packet'"'"'s CRC, and pass the second packet to an application-specific integrated circuit (ASIC) switch or router.

18. An apparatus for decrypting a Virtual Extensible Local Area Network (VxLAN) packet for layer-2 data center interconnect, the apparatus comprising:
- a hardware network interface unit to send and receive packets from a network;
  
  a processor coupled to the hardware network interface unit, wherein the processor;
  
  determines whether at least one of the received packets is an encrypted VxLAN packet carrying a secured payload of a given type by identifying whether the packet has a User Datagram Protocol (UDP) header or a Transmission Control Protocol (TCP) header that includes a predefined layer-4 security port number associated with the given type, wherein the encrypted VxLAN packet includes at least;
  
  a Media Access Control (MAC) header, an Internet Protocol (IP) Header, either a User Datagram Protocol (UDP) header or a Transmission Control Protocol (TCP) header, a Media Access Control Security (MACSec) header, a VxLAN header, an encrypted payload, a integrity check value (ICV), and a cyclic redundancy check (CRC), wherein the ICV is configured to cover, so as to be derived as an integrity checksum of, at least the packet'"'"'s Media Access Control Security (MACSec) header and the packet'"'"'s encrypted payload but not a MAC address of the packet'"'"'s MAC header, wherein the MACSec header includes an EtherType field to a second packet'"'"'s UDP or TCP header;
  
  upon determining that the encrypted VxLAN packet includes the predefined layer-4 security port number, decrypt the secure payload of the encrypted VxLAN packet and check the ICV; and
  
  upon the ICV check passing, move the layer-4 destination port number from the MACSec EtherType field to the UDP or TCP header, remove the MACSec header, correct the CRC, and pass a resulting packet to an application-specific integrated circuit (ASIC) switch or router.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 18, wherein the hardware network interface unit is an application-specific integrated circuit (ASIC) switch or router, and wherein the processor is a physical layer (PHY) device.
  - 20. The apparatus of claim 19, wherein the PHY device is an ASIC that is external to the ASIC switch or router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Edsall, Thomas James
Primary Examiner(s)
Reza, Mohammad W
Assistant Examiner(s)
Khan, Moeen

Application Number

US15/333,906
Publication Number

US 20180115548A1
Time in Patent Office

1,092 Days
Field of Search

713150, 713151, 713153, 713160, 370389, 370392
US Class Current
CPC Class Codes

H04L 12/462   LAN interconnection over a ...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 2012/4629   using multilayer switching,...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/0876   based on the identity of th...

H04L 69/16   Implementation or adaptatio...

Apparatus and method for inssec packet generation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for inssec packet generation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links