Method and apparatus for distributing group data in a tunneled encrypted virtual private network

US 20090083536A1
Filed: 04/15/2005
Published: 03/26/2009
Est. Priority Date: 04/15/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, in a data communications device, a packet that is to be transmitted to a plurality of destinations in a network;

identifying an encryption key for the packet based, at least in part, on a data stream associated with the packet and on a security information shared between the data communications device and members of the plurality of destinations in the network;

applying a security association to the packet using the security information to create a secured packet;

identifying a set of identified members of the plurality of destinations that are authorized to have the encryption key;

replicating the secured packet for the set of identified members of the plurality of destinations; and

transmitting a replicated secured packet from the data communications device to members of the plurality of destinations that are authorized to maintain the security association.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an “encrypt then replicate” method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device, and the plurality of destinations, to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.

36 Citations

View as Search Results

25 Claims

1. A method, comprising:
- receiving, in a data communications device, a packet that is to be transmitted to a plurality of destinations in a network;
  
  identifying an encryption key for the packet based, at least in part, on a data stream associated with the packet and on a security information shared between the data communications device and members of the plurality of destinations in the network;
  
  applying a security association to the packet using the security information to create a secured packet;
  
  identifying a set of identified members of the plurality of destinations that are authorized to have the encryption key;
  
  replicating the secured packet for the set of identified members of the plurality of destinations; and
  
  transmitting a replicated secured packet from the data communications device to members of the plurality of destinations that are authorized to maintain the security association.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The method of claim 1 wherein applying a security association to the packet using security information shared between the data communications device and the plurality of destinations to create a secured packet comprises:
    - encapsulating the packet for transmission throughout the network;
      
      creating a header for the encapsulated packet, the header containing a source address location for indicating an originating location of the packet, and a destination address location for indicating a final location of the packet; and
      
      inserting a source address into the source address location within the header of the packet, the source address indicating the origination location of the packet.
  - 7. The method of claim 1 wherein applying a security association to the packet using security information shared between the data communications device and the plurality of destinations to create a secured packet comprises:
    - creating a plurality of the secured packet, one for each of the plurality of destinations; and
      
      inserting a respective destination address into a header within each of the plurality of the secured packet, the respective destination address indicating a network address of a respective one of the plurality of destinations.
  - 8. The method of claim 1 wherein the packet is a multicast packet containing a multicast address of a multicast group and wherein applying a security association to the packet using security information shared between the data communications device and the plurality of destinations to create a secured packet comprises:
    - selecting security information that is shared between the data communications device and any of the plurality of destinations that is a member of the multicast group corresponding to the multicast address of the packet; and
      
      encrypting the packet using the selected shared security information such that any downstream devices in the plurality of destinations that receive the transmitted replicated encrypted packet are able to decrypt the packet using the same shared security information.
  - 9. The method of claim 1 wherein network is a non-broadcast multi-access (NBMA) network, and wherein the security associations include shared encryption information available to each destination and to the data communications device and wherein applying a security association to the packet using security information shared between the data communications device and the plurality of destinations to create a secured packet comprises:
    - applying the shared encryption information to encrypt the packet once regardless of the number of destinations to which the packet is transmitted.
  - 10. The method of claim 1 wherein transmitting each replicated secured packet from the data communications device to each of the plurality of destinations authorized to maintain the security association comprises:
    - transmitting the replicated secured packet to an unauthorized destination.
  - 11. The method of claim 1 comprising:
    - repeating operations of receiving a packet, applying a security association to the packet, replicating the secured packet for each of the plurality of destinations, and transmitting each replicated secured packet, such that for each individually received packet, the security association is only applied once prior to replication of that packet to each of the plurality of destinations.
  - 12. The method of claim 1 comprising:
    - maintaining a list of destinations that share the security association, the list based on a successful completion of secure packet transmission between the data communications device and each of the plurality of destinations; and
      
      receiving a new security association via a key distribution management system, the new security association to be used for future packet transmissions between the data communications device and each of the plurality of destinations on the list of destinations that share the security association.

2. (canceled)

13. A computerized device comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  where the memory is encoded with a packet forwarding application that when executed on the processor produces a packet forwarding process that causes the computerized device to forward a packet to a plurality of destinations within a network from that computerized device by performing the operations of;
  
  receiving a packet that is to be transmitted to the plurality of destinations;
  
  applying a security association to the packet using security information shared between the data communications device and the plurality of destinations to create a secured packet;
  
  replicating the secured packet for each of the plurality of destinations; and
  
  transmitting each replicated secured packet from the data communications device to each of the plurality of destinations authorized to maintain the security association.
- View Dependent Claims (3, 4, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 3. The method of claim 21 where the network is a non-broadcast multi-access (NBMA) network, and wherein identifying the encryption key comprises:
    - registering with a key distribution management system;
      
      receiving the encryption key from the key distribution management system; and
      
      installing the encryption key supplied by the key distribution management system; and
      
      where identifying the set of identified members authorized to have the encryption key comprises;
      
      receiving notification from a member of the plurality of destinations indicating that the member has received the encryption key from the key distribution management system.
  - 4. The method of claim 3 wherein the key distribution management system is located on a device other than the data communications device, and wherein registering with a key distribution management system comprises:
    - performing an authentication technique with the key distribution management system; and
      
      wherein receiving notification from each of the plurality of destinations comprises;
      
      utilizing a tunnel mapping protocol to determine which of the plurality of destinations indicate successful receipt of the encryption key.
  - 5. The method of claim 4 wherein utilizing a tunnel mapping protocol comprises:
    - identifying at least one destination that does not maintain a shared security association with the plurality of destinations;
      
      applying a security association exclusive to the identified destination to the packet to create an exclusive secured packet that is to be transmitted exclusively to the identified destination; and
      
      transmitting the exclusive secured packet to the identified destination.
  - 14. The computerized device of claim 13 wherein when the computerized device performs the operation of applying a security association to the packet using security information shared between the computerized device and the plurality of destinations, the computerized device performs the operation of:
    - identifying an encryption key for that packet based on a data stream associated with the packet; and
      
      determining which of the plurality of destinations is authorized to have the encryption key.
  - 15. The computerized device of claim 14 wherein the network is a non-broadcast multi-access (NBMA) network, and wherein when the computerized device performs the operation of identifying an encryption key for that packet based on a data stream associated with the packet, the computerized device performs the operation of:
    - registering with a key distribution management system;
      
      receiving the encryption key from the key distribution management system; and
      
      installing the encryption key supplied by the key distribution management system; and
      
      wherein when the computerized device performs the operation of determining which of the plurality of destinations is authorized to have the encryption key, the computerized device performs the operation of;
      
      receiving notification from each of the plurality of destinations indicating that each of the plurality of destinations has received the encryption key from the key distribution management system.
  - 16. The computerized device of claim 15 wherein the key distribution management system is located on a device other than the computerized device, and wherein when the computerized device performs the operation of registering with a key distribution management system, the computerized device performs the operation of:
    - performing an authentication technique with the key distribution management system; and
      
      wherein when the computerized device performs the operation of receiving notification from each of the plurality of destinations, the computerized device performs the operation of;
      
      utilizing a tunnel mapping protocol to determine which of the plurality of destinations indicate successful receipt of the encryption key.
  - 17. The computerized device of claim 16 wherein when the computerized device performs the operation of utilizing a tunnel mapping protocol, the computerized device performs the operation of:
    - identifying at least one destination that does not maintain a shared security association with the plurality of destinations;
      
      applying a security association exclusive to the identified destination to the packet to create an exclusive secured packet that is to be transmitted exclusively to the identified destination; and
      
      transmitting the exclusive secured packet to the identified destination.
  - 18. The computerized device of claim 13 wherein when the computerized device performs the operation of applying a security association to the packet using security information shared between the computerized device and the plurality of destinations to create a secured packet, the computerized device performs the operation of:
    - encapsulating the packet for transmission throughout the network;
      
      creating a header for the encapsulated packet, the header containing a source address location for indicating an originating location of the packet, and a destination address location for indicating a final location of the packet; and
      
      inserting a source address into the source address location within the header of the packet, the source address indicating the origination location of the packet.
  - 19. The computerized device of claim 13 wherein when the computerized device performs the operation of applying a security association to the packet using security information shared between the computerized device and the plurality of destinations to create a secured packet, the computerized device performs the operation of:
    - creating a plurality of the secured packet, one for each of the plurality of destinations; and
      
      inserting a respective destination address into a header within each of the plurality of the secured packet, the respective destination address indicating a network address of a respective one of the plurality of destinations.
  - 20. The computerized device of claim 13 wherein the packet is a multicast packet containing a multicast address of a multicast group and wherein when the computerized device performs the operation of applying a security association to the packet using security information shared between the computerized device and the plurality of destinations to create a secured packet, the computerized device performs the operation of:
    - selecting security information that is shared between the computerized device and any of the plurality of destinations that is a member of the multicast group corresponding to the multicast address of the packet; and
      
      encrypting the packet using the selected shared security information such that any downstream devices in the plurality of destinations that receive the transmitted replicated encrypted packet are able to decrypt the packet using the same shared security information.
  - 21. The computerized device of claim 13 wherein network is a non-broadcast multi-access (NBMA) network, and wherein the security associations include shared encryption information available to each destination and to the computerized device and wherein when the computerized device performs the operation of applying a security association to the packet using security information shared between the computerized device and the plurality of destinations to create a secured packet, the computerized device performs the operation of:
    - applying the shared encryption information to encrypt the packet once regardless of the number of destinations to which the packet is transmitted.
  - 22. The computerized device of claim 13 wherein when the computerized device performs the operation of transmitting each replicated secured packet from the computerized device to each of the plurality of destinations authorized to maintain the security association, the computerized device performs the operation of:
    - transmitting the replicated secured packet to an unauthorized destination.
  - 23. The computerized device of claim 13 wherein the computerized device performs the operation of:
    - repeating operations of receiving a packet, applying a security association to the packet, replicating the secured packet for each of the plurality of destinations, and transmitting each replicated secured packet, such that for each individually received packet, the security association is only applied once prior to replication of that packet to each of the plurality of destinations.
  - 24. The computerized device of claim 13 wherein the computerized device performs the operation of:
    - maintaining a list of destinations that share the security association, the list based on a successful completion of secure packet transmission between the computerized device and each of the plurality of destinations; and
      
      receiving a new security association via a key distribution management system, the new security association to be used for future packet transmissions between the computerized device and each of the plurality of destinations on the list of destinations that share the security association.

25. A computer readable medium encoded with compute programming logic that when executed on a process in a computerized device produces a process that forwards a packet to a plurality of destinations within a network by causing the computerized device to perform the operations of:
- receiving a packet that is to be transmitted to the plurality of destinations;
  
  applying a security association to the packet using security information shared between the data communications device and the plurality of destinations to create a secured packet;
  
  replicating the secured packet for each of the plurality of destinations; and
  
  transmitting each replicated secured packet from the data communications device to each of the plurality of destinations authorized to maintain the security association.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sullenberger, Michael Lee, Vilhuber, Jan, Weis, Brian E., Detienne, Frederic R.P.

Granted Patent

US 7,761,702 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 12/1886   with traffic restrictions f...

H04L 45/16   Multipoint routing

H04L 63/0428   wherein the data content is...

H04L 63/065   for group communications cr...

Method and apparatus for distributing group data in a tunneled encrypted virtual private network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for distributing group data in a tunneled encrypted virtual private network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others