Method and system for including security information with a packet

US 20060112426A1
Filed: 11/30/2004
Published: 05/25/2006
Est. Priority Date: 11/23/2004
Status: Active Grant

First Claim

Patent Images

1-56. -56. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for including security information with a packet is disclosed. A packet is detected as it exits a first network and enters a second network. The first network is configured to support a network security technique, and the second network is not configured to support the network security technique. Network security information associated with the network security technique is included with the packet. A network device is configured to include network security information in overhead of a packet. A method for identifying a first network device in a network is also disclosed. Identification information of the first network is communicated to a second network device.

108 Citations

View as Search Results

116 Claims

1-56. -56. (canceled)

57. A method comprising:
- detecting a packet exiting a first network and entering a second network, wherein the first network is configured to support a network security technique, and the second network is not configured to support the network security technique;
  
  determining whether the packet will traverse a network node capable of processing packet security information; and
  
  forwarding the packet, wherein the forwarding the packet is performed regardless of whether the packet will traverse the network node capable of processing packet security information.
- View Dependent Claims (58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71)
- - 58. The method of claim 57, wherein the determining further comprises:
    - including packet security information with the packet if the packet will traverse the network node capable of processing packet security information.
  - 59. The method of claim 58, further comprising at least one of:
    - encrypting the packet; and
      
      including a digital signature with the packet.
  - 60. The method of claim 58, further comprising:
    - detecting the packet exiting the second network and entering a third network, wherein the third network employs the network security technique; and
      
      processing the packet security information.
  - 61. The method of claim 58, wherein the security information is included in a location within overhead of the packet such that the security information does not affect forwarding of the packet from the second network to a third network.
  - 62. The method of claim 61, wherein the first, second and third networks are layer-2 networks, the first network and the second network are coupled with a first layer-3 router, and the second network and the third network are coupled with a second layer-3 router.
  - 63. The method of claim 62, wherein the second layer-3 router is not configured to perform packet security processing, and the packet security information in the overhead of the packet does not affect the second layer-3 router'"'"'s ability to process the packet.
  - 64. The method of claim 63, wherein the packet security information comprises at least one of:
    - a group key, and a digital signature.
  - 65. The method of claim 61, further comprising:
    - determining whether a perimeter device of the third network is capable of processing the packet security information.
  - 66. The method of claim 65, further comprising determining whether identification information of the third network matches routing information of the packet.
  - 67. The method of claim 66, further comprising:
    - obtaining the identification information, wherein the obtaining the identification information comprises a least one of;
      
      configuring an egress node of the first network to recognize the identification information, using a network protocol to distribute the identification information, and storing the identification information at a management station.
  - 68. The method of claim 67, wherein the identification information is included in a forwarding table.
  - 69. The method of claim 67, wherein the storing the identification information at the management station further comprises:
    - including the identification information in an identification information list.
  - 70. The method of claim 69, wherein the identification information is a destination prefix, and the routing information of the packet is a portion of a destination address of the packet.
  - 71. The method of claim 69, wherein the identification information list is an access control list.

72. An apparatus comprising:
- means for detecting a packet exiting a first network and entering a second network, wherein the first network is configured to support a network security technique, and the second network is not configured to support the network security technique;
  
  means for determining whether the packet will traverse a network node capable of processing packet security information; and
  
  means for forwarding the packet, wherein the forwarding the packet is performed regardless of whether the packet will traverse the network node capable of processing packet security information.
- View Dependent Claims (73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86)
- - 73. The apparatus of claim 72, wherein the determining further comprises:
    - means for including packet security information with the packet if the packet will traverse the network node capable of processing packet security information.
  - 74. The apparatus of claim 73, further comprising at least one of:
    - means for encrypting the packet; and
      
      means for including a digital signature with the packet.
  - 75. The apparatus of claim 73, further comprising:
    - means for detecting the packet exiting the second network and entering a third network, wherein the third network employs the network security technique; and
      
      means for processing the packet security information.
  - 76. The apparatus of claim 73, wherein the security information is included in a location within overhead of the packet such that the security information does not affect forwarding of the packet from the second network to a third network.
  - 77. The apparatus of claim 76, wherein the first, second and third networks are layer-2 networks, the first network and the second network are coupled with a first layer-3 router, and the second network and the third network are coupled with a second layer-3 router.
  - 78. The apparatus of claim 77, wherein the second layer-3 router is not configured to perform packet security processing, and the packet security information in the overhead of the packet does not affect the second layer-3 router'"'"'s ability to process the packet.
  - 79. The apparatus of claim 78, wherein the packet security information comprises at least one of:
    - a group key, and a digital signature.
  - 80. The apparatus of claim 76, further comprising:
    - means for determining whether a perimeter device of the third network is capable of processing the packet security information.
  - 81. The apparatus of claim 80, further comprising:
    - means for determining whether identification information of the third network matches routing information of the packet.
  - 82. The apparatus of claim 81, further comprising:
    - means for obtaining the identification information, wherein the means for obtaining the identification information comprises a least one of;
      
      means for configuring an egress node of the first network to recognize the identification information, means for using a network protocol to distribute the identification information, and means for storing the identification information at a management station.
  - 83. The apparatus of claim 82, wherein the identification information is included in a forwarding table.
  - 84. The apparatus of claim 82, wherein the means for storing the identification information at the management station further comprises:
    - means for including the identification information in an identification information list.
  - 85. The apparatus of claim 84, wherein the identification information is a destination prefix, and the routing information of the packet is a portion of a destination address of the packet.
  - 86. The apparatus of claim 84, wherein the identification information list is an access control list.

87. A computer program product comprising:
- a first set of instructions, executable on a computer system, configured to detect a packet exiting a first network and entering a second network, wherein the first network is configured to support a network security technique, and the second network is not configured to support the network security technique;
  
  a second set of instructions, executable on the computer system, configured to determine whether the packet will traverse a network node capable of processing packet security information;
  
  a third set of instructions, executable on the computer system, configured to forward the packet, wherein the third set of instructions is configured to forward the packet regardless of whether the packet will traverse the network node capable of processing packet security information; and
  
  computer readable media, wherein the computer program product is encoded in the computer readable media.
- View Dependent Claims (88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101)
- - 88. The computer program product of claim 87, wherein the second set of instructions further comprises:
    - a first subset of instructions, executable on the computer system, configured to include packet security information with the packet if the packet will traverse the network node capable of processing packet security information.
  - 89. The computer program product of claim 88, further comprising at least one of:
    - a fourth set of instructions, executable on the computer system, configured to encrypt the packet; and
      
      a fifth set of instructions, executable on the computer system, configured to include a digital signature with the packet.
  - 90. The computer program product of claim 88, further comprising:
    - a fourth set of instructions, executable on the computer system, configured to detect the packet exiting the second network and entering a third network, wherein the third network employs the network security technique; and
      
      a fifth set of instructions, executable on the computer system, configured to process the packet security information.
  - 91. The computer program product of claim 88, wherein the security information is included in a location within overhead of the packet such that the security information does not affect forwarding of the packet from the second network to a third network.
  - 92. The computer program product of claim 91, wherein the first, second and third networks are layer-2 networks, the first network and the second network are coupled with a first layer-3 router, and the second network and the third network are coupled with a second layer-3 router.
  - 93. The computer program product of claim 92, wherein the second layer-3 router is not configured to perform packet security processing, and the packet security information in the overhead of the packet does not affect the second layer-3 router'"'"'s ability to process the packet.
  - 94. The computer program product of claim 93, wherein the packet security information comprises at least one of:
    - a group key, and a digital signature.
  - 95. The computer program product of claim 91, further comprising:
    - a fourth set of instructions, executable on the computer system, configured to determine whether a perimeter device of the third network is capable of processing the packet security information.
  - 96. The computer program product of claim 95, further comprising a fifth set of instructions, executable on the computer system, configured to determine whether identification information of the third network matches routing information of the packet.
  - 97. The computer program product of claim 96, further comprising:
    - a sixth set of instructions, executable on the computer system, configured to obtain the identification information, wherein the sixth set of instructions comprises a least one of;
      
      a second subset of instructions, executable on the computer system, configured to configure an egress node of the first network to recognize the identification information, a third subset of instructions, executable on the computer system, configured to use a network protocol to distribute the identification information, and a fourth subset of instructions, executable on the computer system, configured to store the identification information at a management station.
  - 98. The computer program product of claim 97, wherein the identification information is included in a forwarding table.
  - 99. The computer program product of claim 97, wherein the fourth subset of instructions further comprises:
    - a fifth subset of instructions, executable on the computer system, configured to include the identification information in an identification information list.
  - 100. The computer program product of claim 99, wherein the identification information is a destination prefix, and the routing information of the packet is a portion of a destination address of the packet.
  - 101. The computer program product of claim 99, wherein the identification information list is an access control list.

102. A method comprising:
- generating identification information, wherein the identification information identifies a first network device in a network; and
  
  communicating the identification information to a second network device in the network, wherein the identification information is associated with the first network device, the first and second network devices are each capable of performing packet security processing, and a third network device within the network is incapable of performing packet security processing.
- View Dependent Claims (103, 104, 105, 106)
- - 103. The method of claim 102, further comprising:
    - including the identification information in an identification information list; and
      
      storing the identification information list at a network management station.
  - 104. The method of claim 103, wherein the identification information is a destination prefix.
  - 105. The method of claim 104, further comprising:
    - including packet security information in a location in a packet that is accessible by the second network device.
  - 106. The method of claim 105, wherein the including the packet security information is performed by the first network device.

107. An apparatus comprising:
- means for generating identification information, wherein the identification information identifies a first network device in a network; and
  
  means for communicating the identification information to a second network device in the network, wherein the identification information is associated with the first network device, the first and second network devices are each capable of performing packet security processing, and a third network device within the network is incapable of performing packet security processing.
- View Dependent Claims (108, 109, 110, 111)
- - 108. The apparatus of claim 107, further comprising:
    - means for including the identification information in an identification information list; and
      
      means for storing the identification information list at a network management station.
  - 109. The apparatus of claim 108, wherein the identification information is a destination prefix.
  - 110. The apparatus of claim 109, further comprising:
    - means for including packet security information in a location in a packet that is accessible by the second network device.
  - 111. The apparatus of claim 110, wherein the means for including the packet security information is included in the first network device.

112. A computer program product comprising:
- a first set of instructions, executable on a computer system, configured to generate identification information, wherein the identification information identifies a first network device in a network;
  
  a second set of instructions, executable on the computer system, configured to communicate the identification information to a second network device in the network, wherein the identification information is associated with the first network device, the first and second network devices are each capable of performing packet security processing, and a third network device within the network is incapable of performing packet security processing; and
  
  computer readable media, wherein the computer program product is encoded in the computer readable media.

113. The computer program product of claim 1112, further comprising:
- a third set of instructions, executable on the computer system, configured to include the identification information in an identification information list; and
  
  a fourth set of instructions, executable on the computer system, configured to store the identification information list at a network management station.

114. The computer program product of claim 1113, wherein the identification information is a destination prefix.
- View Dependent Claims (115, 116)
- - 115. The computer program product of claim 114, further comprising:
    - a fifth set of instructions, executable on the computer system, configured to include packet security information in a location in a packet that is accessible by the second network device.
  - 116. The computer program product of claim 115, wherein the fifth set of instructions is included in the first network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Michael D. Smith, Michael Fine, Padmanabha Nallur, Wilson Kok
Original Assignee
Michael D. Smith, Michael Fine, Padmanabha Nallur, Wilson Kok
Inventors
Fine, Michael, Nallur, Padmanabha, Smith, Michael R., Kok, Wilson

Granted Patent

US 7,877,601 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

H04L 63/20 for managing network securi...

Method and system for including security information with a packet

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

108 Citations

116 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for including security information with a packet

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

116 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links