Method and apparatus for multiple generic exclusion offsets for security protocols

US 20080002724A1
Filed: 06/30/2006
Published: 01/03/2008
Est. Priority Date: 06/30/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

receiving a data packet encapsulated by a first zone indicator includinga description of a first zone in the data packet, anda list of one or more security operations, the first zone in the data packet to be excluded from processing by the one or more security operations of the list; and

processing the data packet via one or more security operations, the processing according to the first zone indicator.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus to define multiple zones in a data packet for exclusion from processing by security operations of a security protocol. In one embodiment, each defined zone has an associated list of security operations from which the zone is protected.

38 Citations

View as Search Results

30 Claims

1. A method comprising:
- receiving a data packet encapsulated by a first zone indicator includinga description of a first zone in the data packet, anda list of one or more security operations, the first zone in the data packet to be excluded from processing by the one or more security operations of the list; and
  
  processing the data packet via one or more security operations, the processing according to the first zone indicator.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15)
- - 2. The method of claim 1 wherein the description of the first zone includesa first field representing a location of the first zone of the data packet, anda second field representing a length of the first zone of the data packet.
  - 3. The method of claim 1 wherein the one or more security operations of the list include at least one of data encryption and data authentication.
  - 4. The method of claim 1 wherein the data packet is further encapsulated by one or more additional zone indicators corresponding to one or more zones in the data packet, each additional zone indicator includinga description of a zone in the data packet corresponding to the each additional zone indicator, anda list of security operations, the corresponding zone in the data packet to be excluded from processing by the security operations listed in the each additional zone indicator;
    - wherein the data packet is further encapsulated by a generic indicator including a field representing a total number of zone indicators in the data packet;
      
      wherein the data packet is further encapsulated by an identifier signifying a protocol used to describe an exclusion of one or more zones in the data packet each from processing by one or more security operations; and
      
      wherein the processing of the data packet is further according to the one or more additional zone indicators.
  - 5. The method of claim 4 wherein the identifier is a field in the generic indicator
  - 6. The method of claim 4 wherein the identifier is external to the generic header
  - 7. The method of claim 4 wherein the protocol used to describe an exclusion of one or more zones in the data packet from processing by one or more security operations is negotiated using one of a pushed policy, an application function, and out-of-band communication.
  - 8. The method of claim 1 wherein the first zone indicator is part of header information of the data packet.
  - 9. The method of claim 8 wherein the header information comprises a Media Access Control header.
  - 10. The method of claim 9 wherein the Media Access Control header conforms to the Institute of Electrical &
    - Electronics Engineers (IEEE) 802.1AE standard.
  - 11. The method of claim 1, the first zone in the data packet to identify as a source of the data packet one of a virtual machine, an operating system, a VLAN stream, and an electronic system configured to transmit the data packet through an aggregation device.
  - 13. The method of claim 1, wherein the data packet is received from a first entity via a wired connection to a port, the information of the first zone to identify the first entity, the method further comprising:
    - receiving from a second entity via the wired connection to the port a second data packet encapsulated by a second zone indicator includinga description of a second zone in the second data packet, anda second list of one or more security operations, the second zone in the data packet to be excluded from processing by the one or more security operations of the second list;
      
      processing the second data packet via one or more security operations, the processing the second data packet according to the second zone indicator, the information of the second zone to identify the second entity; and
      
      identifying the first entity based at least in part on the unprocessed information of the first zone;
      
      identifying the second entity based at least in part on the unprocessed information of the second zone.
  - 14. The method of claim 13 further comprising associating a set of unique security attributes to each of the first and second unique identifiers.
  - 15. The method of claim 14 wherein the set of unique security attributes comprises a cryptographic key

12. The method of claim 111 wherein the first zone in the data packet comprises at least one of a MAC address and an IP address

16. A computerized system comprising:
- a receiving unit to receive a data packet encapsulated by a first zone indicator includinga description of a first zone in the data packet, anda list of one or more security operations, the first zone in the data packet to be excluded from processing by the one or more security operations of the list; and
  
  a memory unit to store the data packet;
  
  a processing unit to process the stored data packet via one or more security operations, the processing according to the first zone indicator.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computerized system of claim 16 wherein the description of the first zone includesa first field representing a location of the first zone of the data packet, anda second field representing a length of the first zone of the data packet.
  - 18. The computerized system of claim 16 wherein the data packet is further encapsulated by one or more additional zone indicators corresponding to one or more zones in the data packet, each additional zone indicator includinga description of a zone in the data packet corresponding to the each additional zone indicator, anda list of security operations, the corresponding zone in the data packet to be excluded from processing by the security operations listed in the each additional zone indicator;
    - wherein the data packet is further encapsulated by a generic indicator including a field representing a total number of zone indicators in the data packet;
      
      wherein the data packet is further encapsulated by an identifier signifying a protocol used to describe an exclusion of one or more zones in the data packet each from processing by one or more security operations; and
      
      the processing unit further to process of the data packet according to the one or more additional zone indicators.
  - 19. The computerized system of claim 16 wherein the first zone indicator is part of a Media Access Control header.
  - 20. The computerized system of claim 16 wherein the data packet is received from a first entity, the information of the first zone to identify the first entity, the receiving unit further to receive from a second entity a second data packet encapsulated by a second zone indicator includinga description of a second zone in the second data packet, anda second list of one or more security operations, the second zone in the data packet to be excluded from processing by the one or more security operations of the second list;
    - the memory unit further to store the second data packet;
      
      the processing unit further to process the stored second data packet via one or more security operations according to the second zone indicator, the information of the second zone to identify the second entity; and
      
      the computerized system further comprising an identifying unit to identifying the first and second entities based at least in part on the unprocessed information of the first and second zones;

21. An apparatus comprising:
- a port to receive a data packet encapsulated by a first zone indicator includinga description of a first zone in the data packet, anda list of one or more security operations, the first zone in the data packet to be excluded from processing by the one or more security operations of the list; and
  
  a memory storage device to store the data packet;
  
  a processor to process the data packet via one or more security operations, the processing according to the first zone indicator.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The apparatus of claim 21 wherein the description of the first zone includesa first field representing a location of the first zone of the data packet, anda second field representing a length of the first zone of the data packet.
  - 23. The apparatus of claim 21 wherein the data packet is further encapsulated by one or more additional zone indicators corresponding to one or more zones in the data packet, each additional zone indicator includinga description of a zone in the data packet corresponding to the each additional zone indicator, anda list of security operations, the corresponding zone in the data packet to be excluded from processing by the security operations listed in the each additional zone indicator;
    - wherein the data packet is further encapsulated by a generic indicator including a field representing a total number of zone indicators in the data packet;
      
      wherein the data packet is further encapsulated by an identifier signifying a protocol used to describe an exclusion of one or more zones in the data packet each from processing by one or more security operations; and
      
      wherein the processing of the data packet is further according to the one or more additional zone indicators.
  - 24. The apparatus of claim 21 wherein the first zone indicator is part of a Media Access Control header.
  - 25. The apparatus of claim 21 wherein the data packet is received from a first entity, the information of the first zone to identify the first entity, the port further to receive from a second entity a second data packet encapsulated by a second zone indicator includinga description of a second zone in the second data packet, anda second list of one or more security operations, the second zone in the data packet to be excluded from processing by the one or more security operations of the second list;
    - the memory storage device further to store the second data packet;
      
      the processor further to process the stored second data packet via one or more security operations according to the second zone indicator, the information of the second zone to identify the second entity; and
      
      the computerized system further comprising an identifying unit to identifying the first and second entities based at least in part on the unprocessed information of the first and second zones;

26. A machine-readable medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
- receiving a data packet encapsulated by a first zone indicator includinga description of a first zone in the data packet, anda list of one or more security operations, the first zone in the data packet to be excluded from processing by the one or more security operations of the list; and
  
  processing the data packet via one or more security operations, the processing according to the first zone indicator.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The machine-readable medium of claim 26 wherein the description of the first zone includesa first field representing a location of the first zone of the data packet, anda second field representing a length of the first zone of the data packet.
  - 28. The machine-readable medium of claim 26 wherein the data packet is further encapsulated by one or more additional zone indicators corresponding to one or more zones in the data packet, each additional zone indicator includinga description of a zone in the data packet corresponding to the each additional zone indicator, anda list of security operations, the corresponding zone in the data packet to be excluded from processing by the security operations listed in the each additional zone indicator;
    - wherein the data packet is further encapsulated by a generic indicator including a field representing a total number of zone indicators in the data packet;
      
      wherein the data packet is further encapsulated by an identifier signifying a protocol used to describe an exclusion of one or more zones in the data packet each from processing by one or more security operations; and
      
      wherein the processing of the data packet is further according to the one or more additional zone indicators.
  - 29. The machine-readable medium of claim 26 wherein the first zone indicator is part of a Media Access Control header.
  - 30. The machine-readable medium of claim 26 wherein the data packet is received from a first entity via a wired connection to a port, the information of the first zone to identify the first entity, the operations further comprising:
    - receiving from a second entity via the wired connection to the port a second data packet encapsulated by a second zone indicator includinga description of a second zone in the second data packet, anda second list of one or more security operations, the second zone in the data packet to be excluded from processing by the one or more security operations of the second list;
      
      processing the second data packet via one or more security operations, the processing the second data packet according to the second zone indicator, the information of the second zone to identify the second entity; and
      
      identifying the first entity based at least in part on the unprocessed information of the first zone;
      
      identifying the second entity based at least in part on the unprocessed information of the second zone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Dewan, Prashant, Khosravi, Hormuzd, Long, Men, Durham, David, Grewal, Karanvir

Application Number

US11/479,157
Publication Number

US 20080002724A1
Time in Patent Office

Days
Field of Search
US Class Current

370/401
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/104   Grouping of entities

H04L 63/164   at the network layer

H04L 69/22   Parsing or analysis of headers

Method and apparatus for multiple generic exclusion offsets for security protocols

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for multiple generic exclusion offsets for security protocols

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links