METHOD AND SYSTEM FOR SECURING A NETWORK UTILIZING IPSEC and MACSEC PROTOCOLS

US 20080126559A1
Filed: 11/02/2007
Published: 05/29/2008
Est. Priority Date: 11/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method for computer networking, the method comprisingin one or more network nodes, converting between Ethernet packets comprising payloads secured utilizing IPsec protocols and Ethernet packets secured utilizing MACsec protocols.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of a method and system for securing a network utilizing IPsec and MACsec protocols are provided. In one or more network nodes, aspects of the invention may enable conversion between Ethernet packets comprising payloads secured utilizing IPsec protocols and Ethernet packets secured utilizing MACsec protocols. For example, IPsec connections may be terminated at an ingress network node and IPsec connections may be regenerated at an egress network node. Packets secured utilizing MACsec protocols may be detected based on an Ethertype. Packets comprising payloads secured utilizing IPsec protocols may be detected based on a protocol field or a next header field. The conversion may be based on a data structure stored by and/or accessible to the network nodes. Aspects of the invention may enable securing data utilizing MACsec protocols when tunneling IPsec secured data through non-IPsec enabled nodes.

96 Citations

View as Search Results

36 Claims

1. A method for computer networking, the method comprisingin one or more network nodes, converting between Ethernet packets comprising payloads secured utilizing IPsec protocols and Ethernet packets secured utilizing MACsec protocols.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, comprisingconverting at a first network node, Ethernet packets comprising payloads secured utilizing IPsec protocols to Ethernet packets secured utilizing MACsec protocols;
    - andconverting at a second network node, Ethernet packets secured utilizing MACsec protocols to Ethernet packets comprising payloads secured utilizing IPsec protocols.
  - 3. The method according to claim 2, comprising terminating an IPSec connection at said first network node via said conversion at said first network edge node.
  - 4. The method according to claim 2, comprising regenerating an IPsec connection at said second network node via said conversion at said second network edge node.
  - 5. The method according to claim 1, comprising detecting whether said Ethernet packets are secured utilizing said MACsec protocols based on an Ethertype.
  - 6. The method according to claim 1, comprising detecting whether said Ethernet packets comprise payloads that are secured utilizing said IPsec protocols based on a protocol field and/or a next header field.
  - 7. The method according to claim 1, wherein a known relationship between said Ethernet packets comprising payloads secured utilizing IPsec protocols and said Ethernet packets secured utilizing MACsec protocols is utilized to perform said conversion.
  - 8. The method according to claim 1, wherein a data structure stored in said one or more network nodes comprises information that enables said conversion.
  - 9. The method according to claim 1, wherein said one or more network nodes are enabled to determine when said conversions are necessary based on a source and/or a destination of a block of data.
  - 10. The method according to claim 1 wherein at least one of said one or more network nodes is enabled to discover network boundaries between security protocols.
  - 11. The method according to claim 10, wherein said discovery of said boundaries enables determining which network nodes perform said conversion.
  - 12. The method according to claim 1, wherein said conversion enables securing data utilizing MACsec protocols while tunneling said Ethernet frames comprising IPsec secured payloads through non IPsec enabled nodes.

13. A machine readable storage having stored thereon, a computer program having at least one code section for networking, the at least one code section being executable by a machine for causing the machine to perform steps comprising:
- in one or more network nodes, converting between Ethernet packets comprising payloads secured utilizing IPsec protocols and Ethernet packets secured utilizing MACsec protocols.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The machine readable storage according to claim 13, wherein said at least one code section enables converting at a first network node, Ethernet packets comprising payloads secured utilizing IPsec protocols to Ethernet packets secured utilizing MACsec protocols;
    - andconverting at a second network node, Ethernet packets secured utilizing MACsec protocols to Ethernet packets comprising payloads secured utilizing IPsec protocols.
  - 15. The machine readable storage according to claim 14, comprising terminating an IPSec connection at said first network node via said conversion at said first network edge node.
  - 16. The machine readable storage according to claim 14, comprising regenerating an IPsec connection at said second network node via said conversion at said second network edge node.
  - 17. The machine readable storage according to claim 13, comprising detecting whether said Ethernet packets are secured utilizing said MACsec protocols based on an Ethertype.
  - 18. The machine readable storage according to claim 13, comprising detecting whether said Ethernet packets comprise payloads that are secured utilizing said IPsec protocols based on a protocol field and/or a next header field.
  - 19. The machine readable storage according to claim 13, wherein a known relationship between said Ethernet packets comprising payloads secured utilizing IPsec protocols and said Ethernet packets secured utilizing MACsec protocols is utilized to perform said conversion.
  - 20. The machine readable storage according to claim 13, wherein a data structure stored in said one or more network nodes comprises information that enables said conversion.
  - 21. The machine readable storage according to claim 13, wherein said one or more network nodes are enabled to determine when said conversions are necessary based on a source and/or a destination of a block of data.
  - 22. The machine readable storage according to claim 13, wherein at least one of said one or more network nodes is enabled to discover network boundaries between security protocols.
  - 23. The machine readable storage according to claim 22, wherein said discovery of said boundaries enables determining which network nodes perform said conversion.
  - 24. The machine readable storage according to claim 13, wherein said conversion enables securing data utilizing MACsec protocols while tunneling said Ethernet frames comprising IPsec secured payloads through non IPsec enabled nodes.

25. A system for computer networking, the system comprising:
- in one or more network nodes, at least one processor that enables converting between Ethernet packets comprising payloads secured utilizing IPsec protocols and Ethernet packets secured utilizing MACsec protocols.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The system according to claim 25, wherein said at least one code section enables converting at a first network node, Ethernet packets comprising payloads secured utilizing IPsec protocols to Ethernet packets secured utilizing MACsec protocols;
    - andconverting at a second network node, Ethernet packets secured utilizing MACsec protocols to Ethernet packets comprising payloads secured utilizing IPsec protocols.
  - 27. The system according to claim 26, comprising terminating an IPSec connection at said first network node via said conversion at said first network edge node.
  - 28. The system according to claim 26, comprising regenerating an IPsec connection at said second network node via said conversion at said second network edge node.
  - 29. The system according to claim 25, comprising detecting whether said Ethernet packets are secured utilizing said MACsec protocols based on an Ethertype.
  - 30. The system according to claim 25, comprising detecting whether said Ethernet packets comprise payloads that are secured utilizing said IPsec protocols based on a protocol field and/or a next header field.
  - 31. The system according to claim 25, wherein a known relationship between said Ethernet packets comprising payloads secured utilizing IPsec protocols and said Ethernet packets secured utilizing MACsec protocols is utilized to perform said conversion.
  - 32. The system according to claim 25, wherein a data structure stored in said one or more network nodes comprises information that enables said conversion.
  - 33. The system according to claim 25, wherein said one or more network nodes are enabled to determine when said conversions are necessary based on a source and/or a destination of a block of data.
  - 34. The system according to claim 25, wherein at least one of said one or more network nodes is enabled to discover network boundaries between security protocols.
  - 35. The system according to claim 25, wherein said discovery of said boundaries enables determining which network nodes perform said conversion.
  - 36. The system according to claim 25, wherein said conversion enables securing data utilizing MACsec protocols while tunneling said Ethernet frames comprising IPsec secured payloads through non IPsec enabled nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Elzur, Uri, Kim, Yongbum, Qi, Zheng, Buer, Mark, Tamer, Ford, Akyol, Bora

Granted Patent

US 7,853,691 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/232
CPC Class Codes

H04L 63/0464   using hop-by-hop encryption...

H04L 63/162   at the data link layer

H04L 63/164   at the network layer

H04L 69/08   Protocols for interworking;...

METHOD AND SYSTEM FOR SECURING A NETWORK UTILIZING IPSEC and MACSEC PROTOCOLS

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR SECURING A NETWORK UTILIZING IPSEC and MACSEC PROTOCOLS

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links