Dynamic host configuration and network access authentication

US 20060036733A1
Filed: 10/29/2004
Published: 02/16/2006
Est. Priority Date: 07/09/2004
Status: Active Grant

First Claim

Patent Images

1. A method for binding dynamic host configuration and network access authentication, comprising:

providing a network access authenticator to authenticate at least one client device;

providing a dynamic host configuration server to dynamically distribute IP addresses for client devices;

maintaining synchronization of an authentication session between the at least one client device and the network access authenticator and a dynamic host configuration session between the dynamic host configuration server and said at least one client device when either an authentication session or a dynamic host configuration session is lost.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to some embodiments, systems and methods for binding dynamic host configuration and network access authentication are provided related to, inter alia, interactions between a PAA (PANA Authentication Agent) and a DHCP (Dynamic Host Configuration Protocol) server, such as, e.g., for synchronization between the PANA SA state and the DHCP SA state, such as, e.g., maintaining synchronization when a connection is lost. In some embodiments, systems and methods for binding network bridge and network access authentication are also provided related to, inter alia, interactions between a PAA and a layer-2 switch, such as, e.g., for avoiding service thefts and the like (such as, e.g., MAC address and/or IP address spoofing) in the context of, e.g., the above. In some other embodiments, systems and methods for bootstrapping multicast security from network access authentication protocol are also provided related to, inter alia, key management for protected IP multicast streams, such as, e.g., to avoid IP multicast streams unnecessarily received and/or processed by unauthorized receivers connected to the same layer 2 segment as authorized receivers in the context of, e.g., the above.

264 Citations

78 Claims

1. A method for binding dynamic host configuration and network access authentication, comprising:
- providing a network access authenticator to authenticate at least one client device;
  
  providing a dynamic host configuration server to dynamically distribute IP addresses for client devices;
  
  maintaining synchronization of an authentication session between the at least one client device and the network access authenticator and a dynamic host configuration session between the dynamic host configuration server and said at least one client device when either an authentication session or a dynamic host configuration session is lost.

2. A system for binding dynamic host configuration and network access authentication, comprising:
- a network access authenticator for authenticating at least one client device;
  
  a dynamic host configuration server configured to dynamically distribute IP addresses for client devices;
  
  said system being configured to maintain synchronization of an authentication session between the at least one client device and the network access authenticator and a dynamic host configuration session between the dynamic host configuration server and said at least one client device in a manner to maintain synchronization when either an authentication session or a dynamic host configuration session is lost.

3. The system of 2, wherein said network access authenticator uses authentication protocol to carry authentication information for network access.

4. The system of 3, wherein said authentication protocol includes PANA as a protocol to carry authentication information for network access.

5. The system of 4, wherein EAP is used as an authentication protocol that is carried by the protocol to carry authentication information for network access.

6. The system of 2, wherein said dynamic host configuration server is a dynamic host configuration protocol (DHCP) server.

7. The system of 2, wherein, upon termination of an authentication session, said authenticator is configured to transmit a message to the dynamic host configuration server informing that the session has terminated.

8. The system of 7, wherein said message informs the dynamic host configuration server that a dynamic host configuration key derived from the authentication session is no longer valid.

9. The system of 7, wherein the system is configured to update configuration files in the dynamic host configuration server.

10. The system of 7, wherein the system is configured to rewrite or reload configuration files in the dynamic host configuration server.

11. The system of 7, wherein the authenticator is configured send a deletion request to the dynamic host configuration server to delete the client configuration.

12. The system of 2, wherein, upon termination of an authentication session, said system is configured to update authentication session keys, while leaving dynamic host configuration keys untouched.

13. The system of 2, wherein, upon termination of an authentication session, said system is configured to update authentication session keys, but to update dynamic host configuration keys at a later time.

14. The system of 2, wherein, upon termination of an authentication session, a new authentication session key is established between the authenticator and a client and said system is configured to promptly restart the dynamic host configuration session using a new dynamic host configuration key.

15. The system of 2, wherein the system is configured such that, upon restarting of said dynamic host configuration server, non-volatile memory storage is used to recover the states of the dynamic host configuration keys.

16. The system of 15, wherein said dynamic host configuration server is configured such that upon restarting, the dynamic host configuration server saves a dynamic host configuration key table and a binding table to non-volatile memory storage.

17. The system of 2, wherein the system is configured such that, upon rebooting of said dynamic host configuration server, said dynamic host configuration server is configured to inform the authenticator that dynamic host configuration keys have been erased.

18. The system of 2, wherein the system is configured such that, upon rebooting of said dynamic host configuration server, said authenticator knows of a reboot of the dynamic host configuration server so as to be aware that dynamic host configuration keys have been erased.

19. The system of 2, wherein the system is configured such that, upon loss of dynamic host configuration key information, said dynamic host configuration server is configured to request the authenticator to resend dynamic host configuration key information and is configured to restore the dynamic host configuration key table based on a response from said authenticator.

20. The system of 19, wherein the dynamic host configuration server is configured to request the authenticator to resend dynamic host configuration keys when the dynamic host configuration server starts.

21. The system of 19, wherein the authenticator is configured to send all valid dynamic host configuration keys to the dynamic host configuration server.

22. The system of 2, wherein the system is configured such that, upon expiration of dynamic host configuration bindings, a client requests the authenticator to re-authenticate and update the dynamic host configuration key prior to dynamic host configuration message exchanges.

23. The system of 2, wherein the system is configured such that, upon expiration of dynamic host configuration bindings, said dynamic host configuration server requests the authenticator to re-authenticate and update the dynamic host configuration key prior to dynamic host configuration message exchanges.

24. The system of 2, wherein the system is configured such that while authentication messages are exchanged to create a new dynamic host configuration key between the authenticator and a client, the authenticator is configured to avoid sending a message which indicates that a new authentication session has been successfully established until the dynamic host configuration key is installed on the dynamic host configuration server.

25. A system for binding dynamic host configuration and network access authentication, comprising:
- a network access authenticator for authenticating at least one client device;
  
  a dynamic host configuration server configured to dynamically distribute IP addresses for client devices; and
  
  said system being configured to synchronize an authentication session between the at least one client device and the network access authenticator and a dynamic host configuration session between the dynamic host configuration server and said at least one client device after the initial bootstrapping of the dynamic host configuration session.

26. A method for network access authentication to prevent malicious attackers from gaining unauthorized access to a network, including:
- arranging a network bridge to prevent malicious attackers from gaining unauthorized access to a network, said network bridge having client ports for communication with at least one client and at least one server port for communication with the network;
  
  using said network bridge to prevent malicious attackers from gaining unauthorized access based on an unauthorized forwarding database in said network bridge.

27. A system for network access authentication, including:
- a network bridge arranged to prevent malicious attackers from gaining unauthorized access to a network;
  
  said network bridge including client ports for communication with at least one client and at least one server port in communication with the network;
  
  said network bridge including at least one forwarding database storing address and bridge port data, including an unauthorized forwarding database (UFD), said network bridge being configured to prevent malicious attackers from gaining unauthorized access based on said at least one forwarding database.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 51, 52, 53)
- - 28. The system of claim 27, wherein said at least one forwarding database includes an authorized forwarding database (AFD).
  - 29. The system of claim 28, wherein said data includes pairs of MAC addresses and network bridge port numbers.
  - 30. The system of claim 29, wherein said network bridge is configured such that MAC addresses do not appear more than one time in the authorized forwarding database.
  - 31. The system of claim 28, wherein said system is configured such that when a client is disconnected, a corresponding record is removed from the authorized forwarding database.
  - 32. The system of claim 27, wherein said data includes pairs of MAC addresses and network bridge port numbers.
  - 33. The system of claim 32, wherein said network bridge is configured such that MAC addresses do not appear more than one time in the unauthorized forwarding database.
  - 34. The system of claim 32, wherein said system is configured such that MAC addresses that already appear in an unauthorized forwarding database or an authorized forwarding database are prohibited from being added to the unauthorized forwarding database.
  - 35. The system of claim 27, wherein said at least one forwarding database includes a penalty list (PL) database.
  - 36. The system of claim 35, wherein said data includes pairs of MAC addresses and network bridge port numbers.
  - 37. The system of claim 36, wherein said data also includes timeout information.
  - 38. The system of claim 27, wherein said at least one forwarding database includes at least one database selected from the group consisting of said unauthorized forwarding database, an authorized forwarding database and a penalty list database, and wherein said bridge is configured to filter packets according to a matching with said at least one database.
  - 39. The system of claim 38, wherein said bridge is configured such that a packet received at a client port of the bridge is considered to match with a record in at least one of said databases, if the MAC address field of the record equals the source MAC address of the packet and the port number field of the record contains a value for said client port.
  - 40. The system of claim 38, wherein said bridge is configured such that a packet received at a server port of the bridge is considered to match with a record in at least one of said databases, if the MAC address field of the record equals the destination MAC address of the packet.
  - 41. The system of claim 38, wherein said bridge is configured such that packets are checked for filtering purposes in a manner that if a packet matches a record in an authorized forwarding database, the bridge forwards the packet.
  - 42. The system of claim 38, wherein said bridge is configured such that packets are checked for filtering purposes in a manner that if a packet matches a record in an unauthorized forwarding database, the bridge looks into the IP header of the packet, and, if the packet is addressed to a node external to the network, the bridge blocks the packet, and, if the packet is addressed to a node inside the network, the bridge forwards authorized packets.
  - 43. The system of claim 38, wherein said bridge is configured such that packets are checked for filtering purposes in a manner that if a packet matches a record in a penalty list database, the bridge blocks the packet.
  - 44. The system of claim 38, wherein said bridge is configured such that packets are checked for filtering purposes in a manner that if a packet received at a client port has a MAC address found in an authorized forwarding database or an unauthorized forwarding database, the bridge blocks the packet.
  - 51. The system of claim 27, wherein the bridge is configured not to forward authentication packets or dynamic host configuration packets from one client port to another client port in order to prevent faking of an authenticator or dynamic host configuration server.
  - 52. The system of claim 27, wherein said at least one database includes said unauthorized forwarding database, and wherein said bridge is configured to notify the authenticator and the dynamic host configuration server of an addition of a record to the unauthorized forwarding database or the removal of a record therefrom, such notification including the port number and the MAC address of the record.
  - 53. The system of claim 27, wherein said at least one database includes said unauthorized forwarding database, and wherein said bridge is configured to answer a query from either of the authenticator or the dynamic host configuration server of an addition of a record to the unauthorized forwarding database or the removal of a record therefrom so that the authenticator or the dynamic host configuration server can know the port identifier of a client.

45. A method for network access authentication to prevent malicious attackers from gaining unauthorized access to a network, including:
- arranging a network bridge to prevent malicious attackers from gaining unauthorized access to a network, said network bridge having client ports for communication with at least one client and at least one server port for communication with the network; and
  
  using said network bridge to attach a port identifier tag to a packet to be transmitted from a server port and to forward the tagged packet instead of the original packet.

46. A system for network access authentication, including:
- a network bridge arranged to prevent malicious attackers from gaining unauthorized access to a network;
  
  said network bridge including client ports for communication with at least one client and at least one server port for communication with the network;
  
  said network bridge being configured to attach a port identifier tag to a packet to be transmitted from a server port and to forward the tagged packet instead of the original packet.
- View Dependent Claims (47, 48, 49, 50)
- - 47. The system of claim 46, wherein said bridge is configured such that when the bridge receives a tagged packet sent from an authenticator or a dynamic host configuration server, the bridge looks at a port identifier in the tag and forwards an untagged packet to the port specified in the tag.
  - 48. The system of claim 46, wherein said port identifier includes a bridge identifier and a port number.
  - 49. The system of claim 46, wherein said system is configured to distinguish server sessions by using a combination of a port identifier and a MAC address.
  - 50. The system of claim 46, wherein said bridge is configured to block packets with a port identifier tag sent from client ports.

54. A method for inhibiting unauthorized access to multicast communications, comprising:
- bootstrapping multicast security from network access authentication protocol to avoid IP multicast streams unnecessarily received and/or processed by unauthorized receivers.

55. A system for inhibiting unauthorized access to multicast communications, comprising:
- an authentication agent to authenticate at least one multicast listener for at least one multicast sender said system being configured to bootstrap multicast security from network access authentication protocol to avoid IP multicast streams unnecessarily received and/or processed by unauthorized receivers.
- View Dependent Claims (56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78)
- - 56. The system of claim 55, wherein said system is configured to use a dynamically generated shared secret.
  - 57. The system of claim 56, wherein said shared secret has a limited lifetime.
  - 58. The system of claim 57, wherein said system is configured to establish a security association between a multicast listener and a multicast router based on said shared secret.
  - 59. The system of claim 58, wherein said security association is an MLDA security association and said shared secret is an MLDA-key.
  - 60. The system of claim 56, wherein the shared secret is derived from an authentication session key which is dynamically created by using a network access authentication protocol.
  - 61. The system of claim 60, wherein said network access authentication protocol includes PANA or IEEE 802.1X.
  - 62. The system of claim 61, wherein the authentication session key is derived from an EAP Master Session Key through an AAA-key.
  - 63. The system of claim 56, wherein said system includes an authentication agent that is an authenticator of network access protocol, wherein said authentication agent is configured to receive a key from an authentication server and is configured to transmit said shared secret to a multicast router.
  - 64. The system of claim 56, wherein the shared secret is encrypted and carried over a network access authentication protocol.
  - 65. The system of claim 64, wherein said network access authentication protocol includes PANA or IEEE 802.1X.
  - 66. The system of claim 64, wherein the shared secret is an MLDA-key.
  - 67. The system of claim 64, wherein the shared secret is received from a key distribution center.
  - 68. The system of claim 55, further including using IPsec to protect protocol exchanges.
  - 69. The system of claim 55, further including using ESP to protect protocol exchanges.
  - 70. The system of claim 68, wherein an underlying IPsec security association (SA) forms a Group Security Association that is either a one-to-many or a many-to-many association between multicast listeners and multicast routers.
  - 71. The system of claim 70, wherein the system is configured such that to automatically create an IPsec Group Security Association, a multicast key management protocol is used.
  - 72. The system of claim 55, further including a link-layer switch that supports copying of layer-2 multicast frames to a limited set of ports to provide access control of multicast traffic over a shared link.
  - 73. The system of claim 72, wherein a multicast router is configured to control such a link-layer switch in a manner that multicast packets are forwarded to ports where there are multicast listeners from which cryptographically valid messages are received.
  - 74. The system of claim 55, wherein said system is configured to include a higher-layer per-packet security to inhibit free-riding of multicast services over shared access links.
  - 75. The system of claim 74, wherein a mechanism is provided to automatically establish a security association for a secure application session with multicast keys.
  - 76. The system of claim 75, wherein said mechanism includes bootstrapping a multicast key management protocol that is used for establishing for a secure application session.
  - 77. The system of claim 75, wherein said mechanism includes carrying application session keys over a network access authentication protocol.
  - 78. The system of claim 77, wherein said system is configured so that after network access authentication is completed with success, the authentication agent obtains a copy of an application session key from a key distribution center, and transmits the key to a multicast application receiver over a network access authentication protocol, while a multicast application sender also receives a copy of the key from the key distribution center, whereby the multicast application sender and the multicast application receiver can send and receive multicast application traffic with said higher-layer per-packet security.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Four Batons Wireless LLC
Original Assignee
Toshiba Corporation
Inventors
Oba, Yoshihiro, Fujimoto, Kensaku, Katsube, Yasuhiro

Granted Patent

US 8,688,834 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 61/5014   using dynamic host configur...

H04L 63/08   for authentication of entit...

H04L 67/14   Session management for real...

Dynamic host configuration and network access authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

264 Citations

78 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic host configuration and network access authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

264 Citations

78 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links