TUNNELING SECURITY ASSOCIATION MESSAGES THROUGH A MESH NETWORK

US 20080063205A1
Filed: 09/07/2006
Published: 03/13/2008
Est. Priority Date: 09/07/2006
Status: Active Grant

First Claim

Patent Images

1. A network, comprising:

a first node configured to transmit a first packet to a mesh authenticator node, wherein the first packet comprises an EAP request message;

a mesh authenticator node configured to receive the first packet and to transmit a first EAP encapsulation request message, wherein the first EAP encapsulation request message comprises the EAP request message;

a mesh key distributor configured to receive the first EAP encapsulation request message over a secure channel between the mesh authenticator node and mesh key distributor; and

an authentication server configured to receive the contents of the first EAP encapsulation message over a wired link from the mesh key distributor, to authenticate the first node, to generate a final EAP response message, and to transmit the final EAP response message to the mesh key distributor,wherein the mesh key distributor is configured to receive the final EAP response message from the authentication server, to generate a final EAP encapsulation response message to the mesh authenticator node, wherein the final EAP encapsulation response message comprises an EAP response message and has a message type, and to transmit the final EAP encapsulation response message to the mesh authenticator over the secure channel.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure relates to techniques and technologies for establishing a secure link between a mesh authenticator and a mesh key distributor for transporting security association messages. The secure link can allow the mesh key distributor to communicate results of an authentication process to the mesh authenticator.

84 Citations

View as Search Results

43 Claims

1. A network, comprising:
- a first node configured to transmit a first packet to a mesh authenticator node, wherein the first packet comprises an EAP request message;
  
  a mesh authenticator node configured to receive the first packet and to transmit a first EAP encapsulation request message, wherein the first EAP encapsulation request message comprises the EAP request message;
  
  a mesh key distributor configured to receive the first EAP encapsulation request message over a secure channel between the mesh authenticator node and mesh key distributor; and
  
  an authentication server configured to receive the contents of the first EAP encapsulation message over a wired link from the mesh key distributor, to authenticate the first node, to generate a final EAP response message, and to transmit the final EAP response message to the mesh key distributor,wherein the mesh key distributor is configured to receive the final EAP response message from the authentication server, to generate a final EAP encapsulation response message to the mesh authenticator node, wherein the final EAP encapsulation response message comprises an EAP response message and has a message type, and to transmit the final EAP encapsulation response message to the mesh authenticator over the secure channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. A network according to claim 1, wherein the mesh authenticator node is further configured to:
    - transmit a second packet to the first node.
  - 3. A network according to claim 2, wherein the second packet comprises the final EAP response message.
  - 4. A network according to claim 1, wherein the message type comprises:
    - an accept message type if authentication of the first node was successful and the authentication server provided an accept indication to the mesh key distributor to indicate that the first node is accepted.
  - 5. A network according to claim 4, wherein the accept message type provides an indication to the mesh authenticator node that the first node should be granted access.
  - 6. A network according to claim 4, when the final EAP encapsulation response message comprises the accept message type, wherein the final EAP encapsulation response message indicates that the first node has been authenticated by the authentication server.
  - 7. A network according to claim 1, wherein the message type comprises:
    - a reject message type if EAP authentication of the first node failed and the authentication server provided a reject indication to the mesh key distributor to indicate that the first node is rejected.
  - 8. A network according to claim 7, wherein the reject message type provides an indication to the mesh authenticator node that the first node should not be granted access.
  - 9. A network according to claim 7, when the final EAP encapsulation response message comprises the reject message type, wherein the final EAP encapsulation response message indicates that the authentication of the first node was rejected by the authentication server.
  - 10. A network according to claim 9, wherein the mesh authenticator node is further configured to terminate an association with the first node when the mesh authenticator node receives a final EAP encapsulation response message comprising the reject message type.
  - 11. A network according to claim 1, wherein the first EAP encapsulation message comprises:
    - an EAP encapsulation request message comprising a first EAP encapsulation information element.
  - 12. A network according to claim 11, wherein the first EAP encapsulation information element comprises:
    - a first message integrity check (MIC) field which contains a message integrity check value for integrity checking and ensures that a valid EAP message is passed to the authentication server from the mesh key distributor;
      
      a first EAP message type field which specifies that the message type is a request;
      
      a first message token field which specifies a unique nonce value chosen by the mesh authenticator node; and
      
      a first EAP message field which contains an EAP request message.
  - 13. A network according to claim 12, wherein the first EAP encapsulation information element further comprises:
    - a first Message Integrity Check (MIC) control field which comprises a MIC algorithm field used to select an algorithm for calculating the MIC, a reserved field and an information element (IE) count field which specifies that one IE is protected by the MIC and included in the MIC calculation; and
      
      a first address field which specifies the MAC address of the first node.
  - 14. A network according to claim 12, further comprising:
    - receiving the EAP encapsulation request message at the mesh key distributor;
      
      verifying the first MIC value; and
      
      storing the unique nonce value specified in the first message token field for use in constructing the final EAP encapsulation response message.
  - 15. A network according to claim 1, wherein the final EAP encapsulation response message provides an indication to the mesh authenticator node to perform appropriate action when authenticating the first node.
  - 16. A network according to claim 1, wherein the final EAP encapsulation response message further comprises a second EAP encapsulation information element.
  - 17. A network according to claim 16, wherein the second EAP encapsulation information element comprises:
    - a second message integrity check (MIC) field which contains a message integrity check value for integrity checking to ensure that a valid EAP response message will be passed to the first node from the mesh authenticator node;
      
      a second EAP message type field which specifies the message type;
      
      a second message token field which contains the value of the message token field in the corresponding EAP encapsulation request message to which the EAP encapsulation response message corresponds, wherein the second message token field specifies a value that is identical to the unique nonce value chosen by the mesh authenticator node; and
      
      a second EAP message field which contains an EAP response message.
  - 18. A network according to claim 17, wherein the second EAP encapsulation information element further comprises:
    - a second Message Integrity Check (MIC) control field which comprises a MIC algorithm field which is used to select an algorithm for calculating the MIC, a reserved field and an information element (IE) count field which specifies that the frame includes one IE to be protected by the MIC and included in the MIC calculation; and
      
      a second address field which specifies the MAC address of the first node.
  - 19. A network according to claim 17, wherein the mesh authenticator node is further configured to receive the final EAP encapsulation response message from the mesh key distributor, to verify the second message integrity check value at the mesh authenticator node, and use the second message token field to verify that the second message token received in the final EAP encapsulation response message matches the first message token sent in the EAP encapsulation request message.
  - 20. A network according to claim 1, wherein the first node comprises:
    - a supplicant node participating in EAP authentication.
  - 21. A network according to claim 1, wherein the network complies with an IEEE 802.11 standard.

22. A method, comprising:
- transmitting, from a first node, a first packet to a second node, wherein the first packet comprises an EAP request message;
  
  receiving the first packet at the second node;
  
  transmitting, from the second node, a first EAP encapsulation request message to a mesh key distributor over the secure channel between the second node and the mesh key distributor, wherein the first EAP encapsulation request message comprises the EAP request message; and
  
  transmitting, from the mesh key distributor, a final EAP encapsulation response message to the second node over the secure channel between the second node and the mesh key distributor, wherein the final EAP encapsulation response message comprises an indication of a message type.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 23. A method according to claim 22, further comprising:
    - transmitting a second packet from the second node to the first node, wherein the second packet comprises the final EAP response message.
  - 24. A method according to claim 22, further comprising:
    - delivering contents of the first EAP encapsulation request message from the mesh key distributor to an authentication server;
      
      authenticating the first node at the authentication server, and generating a final EAP encapsulation response message at the mesh key distributor, wherein the final EAP encapsulation response message comprises an EAP response message and has a message type, and transmitting the final EAP encapsulation response message to the second node; and
      
      receiving, at the second node, the final EAP encapsulation response message from the mesh key distributor.
  - 25. A method according to claim 24, wherein the message type comprises:
    - an accept message type if authentication of the first node was successful and the authentication server provided an accept indication to the mesh key distributor to indicate that the first node is accepted.
  - 26. A method according to claim 25, wherein the accept message type provides an indication to the second node that the first node should be granted access.
  - 27. A method according to claim 25, when the final EAP encapsulation response message comprises the accept message type, wherein the final EAP encapsulation response message indicates that the first node has been authenticated by the authentication server.
  - 28. A method according to claim 24, wherein the message type comprises:
    - a reject message type if EAP authentication of the first node failed and the authentication server provided a reject indication to the mesh key distributor to indicate that the first node is rejected.
  - 29. A method according to claim 28, wherein the reject message type provides an indication to the second node that the first node should not be granted access.
  - 30. A method according to claim 28, when the final EAP encapsulation response message comprises the reject message type, wherein the final EAP encapsulation response message indicates that the authentication of the first node was rejected by the authentication server.
  - 31. A method according to claim 30, further comprising:
    - terminating an association with the first node at the second node when the second node receives the final EAP encapsulation response message comprising the reject message type.
  - 32. A method according to claim 22, wherein the first EAP encapsulation message comprises:
    - an EAP encapsulation request message comprising;
      
      a first category field;
      
      a first action value field; and
      
      a first EAP encapsulation information element.
  - 33. A method according to claim 32, wherein the first EAP encapsulation information element comprises:
    - a first message integrity check (MIC) field which contains a message integrity check value for integrity checking and ensures that a valid EAP message is passed to the authentication server from the mesh key distributor;
      
      a first EAP message type field which specifies that the message type is a request;
      
      a first message token field which specifies a unique nonce value chosen by the second node; and
      
      a first EAP message field which contains an EAP request message.
  - 34. A method according to claim 33, wherein the first EAP encapsulation information element further comprises:
    - a first Message Integrity Check (MIC) control field which comprises a MIC algorithm field used to select an algorithm for calculating the MIC, a reserved field and an information element (IE) count field which specifies that one IE is protected by the MIC and included in the MIC calculation; and
      
      a first address field which specifies the MAC address of the first node.
  - 35. A method according to claim 33, further comprising:
    - receiving the EAP encapsulation request message at the mesh key distributor;
      
      verifying the first MIC value; and
      
      storing the unique nonce value specified in the first message token field for use in constructing the final EAP encapsulation response message.
  - 36. A method according to claim 22, wherein the final EAP encapsulation response message provides an indication to the second node to perform appropriate action when authenticating the first node.
  - 37. A method according to claim 22, wherein the final EAP encapsulation response message further comprises:
    - a second category field;
      
      a second action value; and
      
      a second EAP encapsulation information element.
  - 38. A method according to claim 37, wherein the second EAP encapsulation information element comprises:
    - a second message integrity check (MIC) field which contains a message integrity check value for integrity checking to ensure that a valid EAP response message is passed to the first node from the second node;
      
      a second EAP message type field which specifies the message type;
      
      a second message token field which contains the value of the message token field in the corresponding EAP encapsulation request message to which the EAP encapsulation response message corresponds, wherein the second message token field specifies a value that is identical to the unique nonce value chosen by the second node; and
      
      a second EAP message field which contains an EAP response message.
  - 39. A method according to claim 38, wherein the second EAP encapsulation information element further comprises:
    - a second Message Integrity Check (MIC) control field which comprises a MIC algorithm field which is used to select an algorithm for calculating the MIC, a reserved field and an information element (IE) count field which specifies that the frame includes one IE to be protected by the MIC and included in the MIC calculation; and
      
      a second address field which specifies the MAC address of the first node.
  - 40. A method according to claim 38, further comprising:
    - receiving the final EAP encapsulation response message from the mesh key distributor at the second node;
      
      verifying the second message integrity check value at the second node;
      
      using the second message token field to verify that the second message token received in the final EAP encapsulation response message matches the first message token sent in the EAP encapsulation request message.
  - 41. A method according to claim 22, wherein the first node comprises a supplicant node participating in EAP authentication.
  - 42. A method according to claim 22, wherein the second node comprises a mesh authenticator node.
  - 43. A method according to claim 22, wherein the network complies with an IEEE 802.11 standard.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ARRIS Enterprises LLC (CommScope Holding Company, Inc.)
Original Assignee
Motorola, Inc. (Motorola Solutions, Inc.)
Inventors
Emeott, Stephen P., Braskich, Anthony J.

Granted Patent

US 7,707,415 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/270
CPC Class Codes

H04L 63/0892   by using authentication-aut...

H04L 63/123   received data contents, e.g...

H04L 63/162   at the data link layer

H04W 12/069   using certificates or pre-s...

TUNNELING SECURITY ASSOCIATION MESSAGES THROUGH A MESH NETWORK

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

TUNNELING SECURITY ASSOCIATION MESSAGES THROUGH A MESH NETWORK

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links