Dynamic host configuration and network access authentication
Abstract
According to some embodiments, systems and methods for binding dynamic host configuration and network access authentication are provided related to, inter alia, interactions between a PAA (PANA Authentication Agent) and a DHCP (Dynamic Host Configuration Protocol) server, such as, e.g., for synchronization between the PANA SA state and the DHCP SA state, such as, e.g., maintaining synchronization when a connection is lost. In some embodiments, systems and methods for binding network bridge and network access authentication are also provided related to, inter alia, interactions between a PAA and a layer-2 switch, such as, e.g., for avoiding service thefts and the like (such as, e.g., MAC address and/or IP address spoofing) in the context of, e.g., the above. In some other embodiments, systems and methods for bootstrapping multicast security from network access authentication protocol are also provided related to, inter alia, key management for protected IP multicast streams, such as, e.g., to avoid IP multicast streams unnecessarily received and/or processed by unauthorized receivers connected to the same layer 2 segment as authorized receivers in the context of, e.g., the above.
264 Citations
78 Claims
1. A method for binding dynamic host configuration and network access authentication, comprising:
- providing a network access authenticator to authenticate at least one client device;
- providing a dynamic host configuration server to dynamically distribute IP addresses for client devices;
- maintaining synchronization of an authentication session between the at least one client device and the network access authenticator and a dynamic host configuration session between the dynamic host configuration server and said at least one client device when either an authentication session or a dynamic host configuration session is lost.

2. A system for binding dynamic host configuration and network access authentication, comprising:
- a network access authenticator for authenticating at least one client device;
- a dynamic host configuration server configured to dynamically distribute IP addresses for client devices;
- said system being configured to maintain synchronization of an authentication session between the at least one client device and the network access authenticator and a dynamic host configuration session between the dynamic host configuration server and said at least one client device in a manner to maintain synchronization when either an authentication session or a dynamic host configuration session is lost.

3. The system of 2, wherein said network access authenticator uses an authentication protocol to carry authentication information for network access.

4. The system of 3, wherein said authentication protocol includes PANA as a protocol to carry authentication information for network access.

5. The system of 4, wherein EAP is used as an authentication protocol that is carried by the protocol to carry authentication information for network access.

6. The system of 2, wherein said dynamic host configuration server is a dynamic host configuration protocol (DHCP) server.

7. The system of 2, wherein, upon termination of an authentication session, said authenticator is configured to transmit a message to the dynamic host configuration server informing it that the session has terminated.

8. The system of 7, wherein said message informs the dynamic host configuration server that a dynamic host configuration key derived from the authentication session is no longer valid.

9. The system of 7, wherein the system is configured to update configuration files in the dynamic host configuration server.

10. The system of 7, wherein the system is configured to rewrite or reload configuration files in the dynamic host configuration server.

11. The system of 7, wherein the authenticator is configured to send a deletion request to the dynamic host configuration server to delete the client configuration.

12. The system of 2, wherein, upon termination of an authentication session, said system is configured to update authentication session keys, while leaving dynamic host configuration keys untouched.

13. The system of 2, wherein, upon termination of an authentication session, said system is configured to update authentication session keys, but to update dynamic host configuration keys at a later time.

14. The system of 2, wherein, upon termination of an authentication session, a new authentication session key is established between the authenticator and a client and said system is configured to promptly restart the dynamic host configuration session using a new dynamic host configuration key.

15. The system of 2, wherein the system is configured such that, upon restarting of said dynamic host configuration server, non-volatile memory storage is used to recover the states of the dynamic host configuration keys.

16. The system of 15, wherein said dynamic host configuration server is configured such that, upon restarting, the dynamic host configuration server saves a dynamic host configuration key table and a binding table to non-volatile memory storage.

17. The system of 2, wherein the system is configured such that, upon rebooting of said dynamic host configuration server, said dynamic host configuration server is configured to inform the authenticator that dynamic host configuration keys have been erased.

18. The system of 2, wherein the system is configured such that, upon rebooting of said dynamic host configuration server, said authenticator knows of a reboot of the dynamic host configuration server so as to be aware that dynamic host configuration keys have been erased.

19. The system of 2, wherein the system is configured such that, upon loss of dynamic host configuration key information, said dynamic host configuration server is configured to request the authenticator to resend dynamic host configuration key information and is configured to restore the dynamic host configuration key table based on a response from said authenticator.

20. The system of 19, wherein the dynamic host configuration server is configured to request the authenticator to resend dynamic host configuration keys when the dynamic host configuration server starts.

21. The system of 19, wherein the authenticator is configured to send all valid dynamic host configuration keys to the dynamic host configuration server.

22. The system of 2, wherein the system is configured such that, upon expiration of dynamic host configuration bindings, a client requests the authenticator to re-authenticate and update the dynamic host configuration key prior to dynamic host configuration message exchanges.

23. The system of 2, wherein the system is configured such that, upon expiration of dynamic host configuration bindings, said dynamic host configuration server requests the authenticator to re-authenticate and update the dynamic host configuration key prior to dynamic host configuration message exchanges.

24. The system of 2, wherein the system is configured such that, while authentication messages are exchanged to create a new dynamic host configuration key between the authenticator and a client, the authenticator is configured to avoid sending a message which indicates that a new authentication session has been successfully established until the dynamic host configuration key is installed on the dynamic host configuration server.

25. A system for binding dynamic host configuration and network access authentication, comprising:
- a network access authenticator for authenticating at least one client device;
- a dynamic host configuration server configured to dynamically distribute IP addresses for client devices; and
- said system being configured to synchronize an authentication session between the at least one client device and the network access authenticator and a dynamic host configuration session between the dynamic host configuration server and said at least one client device after the initial bootstrapping of the dynamic host configuration session.

26. A method for network access authentication to prevent malicious attackers from gaining unauthorized access to a network, including:
- arranging a network bridge to prevent malicious attackers from gaining unauthorized access to a network, said network bridge having client ports for communication with at least one client and at least one server port for communication with the network;
- using said network bridge to prevent malicious attackers from gaining unauthorized access based on an unauthorized forwarding database in said network bridge.

27. A system for network access authentication, including:
- a network bridge arranged to prevent malicious attackers from gaining unauthorized access to a network;
- said network bridge including client ports for communication with at least one client and at least one server port in communication with the network;
- said network bridge including at least one forwarding database storing address and bridge port data, including an unauthorized forwarding database (UFD), said network bridge being configured to prevent malicious attackers from gaining unauthorized access based on said at least one forwarding database.

Dependent claims 28 to 44 and 51 to 53 (not shown here).

45. A method for network access authentication to prevent malicious attackers from gaining unauthorized access to a network, including:
- arranging a network bridge to prevent malicious attackers from gaining unauthorized access to a network, said network bridge having client ports for communication with at least one client and at least one server port for communication with the network; and
- using said network bridge to attach a port identifier tag to a packet to be transmitted from a server port and to forward the tagged packet instead of the original packet.

46. A system for network access authentication, including:
- a network bridge arranged to prevent malicious attackers from gaining unauthorized access to a network;
- said network bridge including client ports for communication with at least one client and at least one server port for communication with the network;
- said network bridge being configured to attach a port identifier tag to a packet to be transmitted from a server port and to forward the tagged packet instead of the original packet.

Dependent claims 47 to 50 (not shown here).

54. A method for inhibiting unauthorized access to multicast communications, comprising:
- bootstrapping multicast security from a network access authentication protocol to avoid IP multicast streams being unnecessarily received and/or processed by unauthorized receivers.

55. A system for inhibiting unauthorized access to multicast communications, comprising:
- an authentication agent to authenticate at least one multicast listener for at least one multicast sender, said system being configured to bootstrap multicast security from a network access authentication protocol to avoid IP multicast streams being unnecessarily received and/or processed by unauthorized receivers.

Dependent claims 56 to 78 (not shown here).
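As an added illustration (not code from the patent or its assignee), the following Python model shows the authenticator/DHCP-server binding that claims 7 to 11, 15 to 21 and 24 describe: the DHCP key is derived from the authentication session and installed on the DHCP server before success is signalled, session termination triggers a deletion request, and a rebooted DHCP server recovers its key and binding tables either from simulated non-volatile storage or by asking the authenticator to resend all valid keys. The key derivation, the HMAC tag on lease requests, and all client identifiers and keys are constructed assumptions for the model, not details taken from the claims.

```python
# Added model of the PAA / DHCP server binding (claims 7-11, 15-21, 24).
# Not the patent's own code; key derivation and tagging are assumptions.
import hashlib
import hmac


def dhcp_tag(dhcp_key, ip):  # client keys its lease request with its DHCP key
    return hmac.new(dhcp_key, ip.encode(), "sha256").digest()


class DhcpServer:
    def __init__(self, nvram=None):
        self.nvram = {} if nvram is None else nvram  # simulated non-volatile storage
        self.keys, self.bindings = {}, {}  # DHCP key table and binding table
    def install_key(self, client_id, key):
        self.keys[client_id] = key
    def delete_client(self, client_id):  # deletion request from the PAA (claim 11)
        self.keys.pop(client_id, None)
        self.bindings.pop(client_id, None)
    def lease(self, client_id, ip, tag):  # no valid DHCP key -> no lease
        key = self.keys.get(client_id)
        if key is None or not hmac.compare_digest(tag, dhcp_tag(key, ip)):
            return False
        self.bindings[client_id] = ip
        return True
    def checkpoint(self):  # save both tables to non-volatile memory (claim 16)
        self.nvram.update(keys=dict(self.keys), bindings=dict(self.bindings))
    def reboot(self, paa):
        self.keys, self.bindings = {}, {}  # tables erased by the reboot (claim 17)
        if "keys" in self.nvram:  # recover saved state (claim 15)
            self.keys, self.bindings = dict(self.nvram["keys"]), dict(self.nvram["bindings"])
        else:  # otherwise ask the authenticator to resend all valid keys (claims 19-21)
            self.keys = paa.resend_keys()


class Authenticator:
    def __init__(self, dhcp):
        self.dhcp, self.sessions = dhcp, {}  # client_id -> (session key, DHCP key)
    def authenticate(self, client_id, session_key):
        dhcp_key = hashlib.sha256(b"DHCP-KEY" + session_key).digest()  # derived (claim 8)
        self.dhcp.install_key(client_id, dhcp_key)  # install before success message (claim 24)
        self.sessions[client_id] = (session_key, dhcp_key)
        return dhcp_key  # success message handing the client its DHCP key
    def terminate(self, client_id):  # session ended: inform the DHCP server (claims 7, 8, 11)
        self.sessions.pop(client_id, None)
        self.dhcp.delete_client(client_id)
    def resend_keys(self):  # all currently valid DHCP keys (claim 21)
        return {cid: dk for cid, (_, dk) in self.sessions.items()}
```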