Security encapsulation of Ethernet frames
First Claim

1. A method for encapsulating data packets in a communication network, the method comprising:
- receiving a data packet having an Ethernet frame from a communication network, the Ethernet frame having an original header and original payload;
- encrypting the original payload to provide an encrypted payload;
- determining an encapsulation header for encrypted payload, the encapsulation header including security association information; and
- constructing an encapsulated packet from the original header, the encapsulation header, and the encapsulated payload.
Abstract
A technique for encapsulating data packets at the Data Link Layer to provide security functions. The technique first encrypts a payload to provide an encrypted payload. The encrypted payload is inserted in an output encapsulated frame. Also added to the output encapsulated frame is an encapsulation header that includes security information, such as a security packet index (SPI) value used to identify a security association (SA). Because the output encapsulated frame may now be longer than the maximum allowed Ethernet Path Maximum Transmission Unit (PMTU), the encapsulation header also preferably includes a fragmentation field. The fragmentation field supports the ability to fragment the encrypted datagrams into smaller pieces.
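The encapsulation the abstract describes, as an added Python example that is not part of the patent or any product implementing it: the original Ethernet header is kept in the clear, the payload is encrypted once under the SA selected by the SPI, and the encrypted datagram is split into PMTU-sized fragments, each carrying an encapsulation header. The header layout (SPI, fragment id, fragment index, flags), the HMAC-SHA256 counter-mode keystream standing in for the cipher, and the 1500-byte PMTU are all constructed assumptions, not values from the page.

```python
import hmac, hashlib, struct

ETH_HDR_LEN = 14                       # dst MAC (6) + src MAC (6) + EtherType (2), kept in the clear
MAX_PAYLOAD = 1500                     # assumed Ethernet PMTU for the encapsulated frame body
ENCAP_HDR = struct.Struct("!IHBB")     # constructed layout: SPI, fragment id, fragment index, flags
MORE_FRAGMENTS = 0x01                  # flag bit: further fragments of this datagram follow

def keystream(key, spi, frag_id, n):
    # Stand-in cipher: HMAC-SHA256 in counter mode, nonce bound to (SPI, fragment id).
    # Confidentiality only; a deployable design would also authenticate header and payload.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IHI", spi, frag_id, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, spi, frag_id, data):
    # XOR with the keystream; the same call decrypts (stream-cipher symmetry).
    return bytes(a ^ b for a, b in zip(data, keystream(key, spi, frag_id, len(data))))

def encapsulate(key, spi, frame, frag_id):
    # Encrypt the whole payload first, then fragment the encrypted datagram (per the abstract).
    eth_hdr, payload = frame[:ETH_HDR_LEN], frame[ETH_HDR_LEN:]
    enc = encrypt(key, spi, frag_id, payload)
    chunk = MAX_PAYLOAD - ENCAP_HDR.size
    pieces = [enc[i:i + chunk] for i in range(0, len(enc), chunk)] or [b""]
    frames = []
    for idx, piece in enumerate(pieces):          # idx is one byte: at most 256 fragments here
        flags = MORE_FRAGMENTS if idx < len(pieces) - 1 else 0
        frames.append(eth_hdr + ENCAP_HDR.pack(spi, frag_id, idx, flags) + piece)
    return frames

def decapsulate(sa_table, frames):
    # Reassemble by fragment index, look up the SA by SPI, decrypt, restore the original frame.
    eth_hdr, parsed, ident = frames[0][:ETH_HDR_LEN], {}, None
    for f in frames:
        spi, frag_id, idx, flags = ENCAP_HDR.unpack_from(f, ETH_HDR_LEN)
        if ident is None:
            ident = (spi, frag_id)
        elif ident != (spi, frag_id):
            raise ValueError("fragment belongs to a different datagram")
        parsed[idx] = (flags, f[ETH_HDR_LEN + ENCAP_HDR.size:])
    n = len(parsed)
    if sorted(parsed) != list(range(n)) or parsed[n - 1][0] & MORE_FRAGMENTS:
        raise ValueError("incomplete fragment set")
    if ident[0] not in sa_table:
        raise ValueError("unknown SPI: no security association")
    enc = b"".join(parsed[i][1] for i in range(n))
    return eth_hdr + encrypt(sa_table[ident[0]], ident[0], ident[1], enc)
```

A 3000-byte payload becomes three frames (1492 + 1492 + 16 bytes of ciphertext), each within the assumed PMTU; the receiver rejects a fragment set whose last piece still has MORE_FRAGMENTS set.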
12 Claims

1. A method for encapsulating data packets in a communication network, the method comprising:
- receiving a data packet having an Ethernet frame from a communication network, the Ethernet frame having an original header and original payload;
- encrypting the original payload to provide an encrypted payload;
- determining an encapsulation header for encrypted payload, the encapsulation header including security association information; and
- constructing an encapsulated packet from the original header, the encapsulation header, and the encapsulated payload.
(Dependent claims: 2, 3, 4, 5, 6)

7. An apparatus comprising:
- a receiver for receiving a data packet having an Ethernet frame from a communication device, the Ethernet frame having an original header and original payload;
- an encryptor, for encrypting the original payload, to provide an encrypted payload;
- a packet processor, for determining an encapsulation header for the encrypted payload, the encapsulation header comprising security association information; and
- a packet assembler for assembling an encapsulated packet from the original header, the encapsulation header, and the encapsulated payload.
(Dependent claims: 8, 9, 10, 11, 12)