Network infrastructure validation of network management frames

US 20050141498A1
Filed: 01/05/2005
Published: 06/30/2005
Est. Priority Date: 10/16/2003
Status: Active Grant

First Claim

Patent Images

1. A method for validating network management frames, comprising:

receiving a management frame;

obtaining a key for a source of the management frame; and

validating the management frame using the key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.

70 Citations

View as Search Results

31 Claims

1. A method for validating network management frames, comprising:
- receiving a management frame;
  
  obtaining a key for a source of the management frame; and
  
  validating the management frame using the key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein the obtaining a key step further comprises:
    - authenticating with a security server on the network; and
      
      receiving the key from the security server.
  - 3. The method of claim 1, wherein the obtaining a key step further comprises:
    - authenticating with a security server on the network; and
      
      receiving the key from a source that has been authenticated by the security server.
  - 4. The method of claim 1, further comprising:
    - obtaining a new key for the source after a rekey request; and
      
      validating subsequent management frames using the new key.
  - 5. The method of claim 1, the management frame further comprising a signature, the validating step further comprising validating the signature.
  - 6. The method of claim 5, the signature further comprising a time stamp.
  - 7. The method of claim 5, the signature further comprising a sequence number.
  - 8. The method of claim 5, the signature further comprising a time stamp and a sequence number.
  - 9. The method of claim 8, the validating step further comprising determining the management frame is invalid when the timestamp is older than a predetermined criteria.
  - 10. The method of claim 5, the validating step further comprising validating the signature using the key.
  - 11. The method of claim 5, wherein the signature is based on the key for the source.
  - 12. The method of claim 5, the signature further comprising a sequence number and a message integrity check.
  - 13. The method of claim 5, wherein the signature is contained within an information element appended to the management frame.
  - 14. The method of claim 1, the validating step further comprising determining a frame is invalid when the frame does not have a signature field.
  - 15. The method of claim 1, wherein the management frame is one of a beacon, a probe request, a probe response, an association request, an association response, Deauthentication, Authentication and Disassociation.
  - 16. The method of claim 1, the obtaining a key step further comprises receiving the key from the source via a secure network connection.
  - 17. The method of claim 16, wherein the secure network connection is a wired backbone.
  - 18. The method of claim 16, wherein the source is authenticated by a security server on the secure network connection.
  - 19. The method of claim 1, the validating step further comprising:
    - determining the management frame is invalid when the signature from the management frame cannot be validated based on the key.
  - 20. The method of claim 1, wherein the source is an access point.

21. A method for distributing signature keys between access points of a wireless network by a security server, comprising:
- authenticating a first access point;
  
  authenticating a second access point;
  
  assigning a first signature key to the first access point;
  
  receiving a request from the second access point for a signature key for the first access point; and
  
  sending the first signature key to the second access point.
- View Dependent Claims (22, 23, 31)
- - 22. The method of claim 21, further comprising:
    - storing the request from the second access point for the signature key for the first access point;
      
      updating the first signature key, producing a second signature key;
      
      sending the second signature key to the first access point; and
      
      sending the second signature key to the second access point.
  - 23. The method of claim 21, further comprising:
    - the receiving a request further comprising receiving a request from a plurality of access points requesting the signature key for the first access point;
      
      the receiving a request further comprising storing a list of the plurality of access points requesting the signature for the first access point;
      
      updating the first signature key, producing a second signature key; and
      
      propogating the second signature key to the plurality of access points requesting the signature for the first access point.
  - 31. The computer-readable medium of instructions of claim 21, further comprising:
    - means for storing the request from the second access point for the signature key for the first access point;
      
      means for updating the first signature key, producing a second signature key;
      
      means for sending the second signature key to the first access point; and
      
      means for sending the second signature key to the second access point.

24. An access point, comprising:
- a wireless transceiver;
  
  a controller coupled to the wireless transceiver for controlling the wireless transceiver; and
  
  a network backbone transceiver enabling the controller to communicate with another node on a network;
  
  wherein the wireless transceiver receives a management frame from a second access point, the controller responsive to the receipt of the management frame obtains a key for the second access point via the network backbone transceiver; and
  
  wherein the controller is configured for validating the management frame using the key.
- View Dependent Claims (25, 26)
- - 25. The access point of claim 24, wherein the management frame further comprises a signature, the controller being configured to be responsive to the signature to validating the signature using the key for the second access point.
  - 26. The access point of claim 25, wherein the signature comprises a time stamp and a sequence number, the controller being configured to be responsive to validating the time stamp and sequence number using the key for the second access point.

27. A computer-readable medium of instructions, comprising:
- means for receiving a management frame from a second access point;
  
  means for obtaining a key for the second access point; and
  
  means for validating the management frame using the key.
- View Dependent Claims (28, 29)
- - 28. The computer-readable medium of instructions of claim 27, wherein the management frame further comprises a signature, further comprising means for validating the signature using the key for the second access point.
  - 29. The computer-readable medium of claim 28, wherein the signature comprises a time stamp and a sequence number, further comprising:
    - means for validating the time stamp and sequence number using the key for the second access point.

30. A computer-readable medium of instructions, comprising:
- means for authenticating a first access point;
  
  means for authenticating a second access point;
  
  means for assigning a first signature key to the first access point;
  
  means for receiving a request from the second access point for a signature key for the first access point; and
  
  means for sending the first signature key to the second access point.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Shuen, Pauline, Krischer, Mark, Olson, Timothy, Cam Winget, Nancy, Sanzgiri, Ajit, Yang, Sheausong

Granted Patent

US 7,558,960 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 41/00   Arrangements for maintenanc...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/1408   by monitoring network traff...

H04W 12/04   Key management, e.g. using ...

H04W 12/10   Integrity

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/61   Time-dependent

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/08   Access point devices

Network infrastructure validation of network management frames

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

70 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Network infrastructure validation of network management frames

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links