PRESERVING SECURITY ASSOCATION IN MACSEC PROTECTED NETWORK THROUGH VLAN MAPPING

US 20090307751A1
Filed: 05/08/2009
Published: 12/10/2009
Est. Priority Date: 05/09/2008
Status: Active Grant

First Claim

Patent Images

1. A method of using a network device comprising:

receiving, via an ingress port, a data packet that includes a payload portion, a source network address and a destination network address,determining if the data packet includes a security tag that includes a role based authentication tag; and

if the data packet includes a security tag that includes a role based authentication tag, transmitting, via an egress port, at least the payload portion and the role based authentication tag towards, in a topological sense, the destination network address.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one general aspect, a method of using a network device may include receiving, via an ingress port, a data packet that includes a payload portion, a source network address and a destination network address. In various embodiments, the method may also include determining if the data packet includes a security tag that includes a role based authentication tag. In some embodiments, the method may include, if the data packet includes a security tag that includes a role based authentication tag, transmitting, via an egress port, at least the payload portion and the role based authentication tag towards, in a topological sense, the destination network address.

Citations

20 Claims

1. A method of using a network device comprising:
- receiving, via an ingress port, a data packet that includes a payload portion, a source network address and a destination network address,determining if the data packet includes a security tag that includes a role based authentication tag; and
  
  if the data packet includes a security tag that includes a role based authentication tag, transmitting, via an egress port, at least the payload portion and the role based authentication tag towards, in a topological sense, the destination network address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising, if the data packet does not include a security tag that includes a role based authentication tag:
    - assigning a predetermined role value to the data packet;
      
      generating a role based authentication tag that includes the predetermined role value;
      
      associating the role based authentication tag with the payload portion of the data packet; and
      
      transmitting, via an egress port, at least the payload portion and the role based authentication tag towards, in a topological sense, the destination network address.
  - 3. The method of claim 1, wherein transmitting, via an egress port, at least the payload portion and the role based authentication tag comprises:
    - determining whether or not a next network device, in a network path towards the destination network address, is configured to support a data packet that includes a security tag that includes a role based authentication tag; and
      
      if the next network device is configured to support a data packet that includes a security tag that includes a role based authentication tag;
      
      generating a security tag that includes the role based authentication tag,associating the security tag with the payload portion, andtransmitting at least the payload portion and the security tag to the next network device.
  - 4. The method of claim 3, wherein transmitting, via an egress port, at least the payload portion and the role based authentication tag comprises:
    - if the next network device is not configured to support a data packet that includes a security tag that includes a role based authentication tag;
      
      generating a virtual local area network (VLAN) tag that includes the role based authentication tag,associating the VLAN tag with the payload portion, andtransmitting at least the payload portion and the VLAN tag to the next network device.
  - 5. The method of claim 1, further comprising, if the data packet includes a security tag that includes a role based authentication tag:
    - generating a virtual local area network (VLAN) tag that includes the role based authentication tag;
      
      disassociating the security tag from the payload portion; and
      
      associating the VLAN tag with the payload portion.
  - 6. The method of claim 1, further comprising, if the data packet includes a security tag that includes a role based authentication tag:
    - determining a network route based at least in part upon the role based authentication tag.
  - 7. The method of claim 1, further comprising:
    - generating a virtual local area network (VLAN) tag that includes the role based authentication tag;
      
      wherein generating includes;
      
      placing the role based authentication tag within a VLAN identifier (ID) portion of the VLAN tag.
  - 8. The method of claim 1, wherein determining if the data packet includes a security tag comprises:
    - determining if the data packet includes a security tag that is substantially compatible with the I.E.E.E. 802.1 AE standard.
  - 9. The method of claim 1, wherein determining if the data packet includes a security tag that includes a role based authentication tag comprises:
    - determining if the role based authentication tag is included as a portion of a Secure Channel Identifier.

10. An apparatus comprising:
- an ingress port configured to;
  
  receive a data packet that includes a payload portion, a source network address and a destination network address,a processor configured to;
  
  determine if the data packet includes a security tag that includes a role based authentication tag; and
  
  an egress port configured to;
  
  if the data packet includes a security tag that includes a role based authentication tag, transmit at least the payload portion and the role based authentication tag towards, in a topological sense, the destination network address.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus of claim 10, wherein the processor is configured to, if the data packet does not include a security tag that includes a role based authentication tag:
    - assign a predetermined role value to the data packet,generate a role based authentication tag that includes the predetermined role value, andassociate the role based authentication tag with the payload portion of the data packet; and
      
      wherein the egress port is configured to;
      
      transmit at least the payload portion and the role based authentication tag towards, in a topological sense, the destination network address.
  - 12. The apparatus of claim 10, wherein the egress port is configured to:
    - determine whether or not a next network device, in a network path towards the destination network address, is configured to support a data packet that includes a security tag that includes a role based authentication tag, andif the next network device is configured to support a data packet that includes a security tag that includes a role based authentication tag;
      
      generate a security tag that includes the role based authentication tag,associate the security tag with the payload portion, andtransmit at least the payload portion and the security tag to the next network device.
  - 13. The apparatus of claim 12, wherein the egress port is configured to, if the next network device is not configured to support a data packet that includes a security tag that includes a role based authentication tag:
    - generate a virtual local area network (VLAN) tag that includes the role based authentication tag,associate the VLAN tag with the payload portion, andtransmit at least the payload portion and the VLAN tag to the next network device.
  - 14. The apparatus of claim 10, wherein the ingress port is configured to, if the data packet includes a security tag that includes a role based authentication tag:
    - generate a virtual local area network (VLAN) tag that includes the role based authentication tag;
      
      disassociate the security tag from the payload portion; and
      
      associate the VLAN tag with the payload portion.
  - 15. The apparatus of claim 10, wherein the processor is configured to:
    - determine a network route based at least in part upon the role based authentication tag.
  - 16. The apparatus of claim 10, wherein the ingress port is configured to, when generating a virtual local area network (VLAN) tag that includes the role based authentication tag:
    - place the role based authentication tag within a VLAN identifier (ID) portion of the VLAN tag.
  - 17. The apparatus of claim 10, wherein the processor is configured to:
    - determine if the data packet includes a security tag that is substantially compatible with the I.E.E.E. 802.1 AE standard.
  - 18. The apparatus of claim 10, wherein the processor is configured to:
    - determine if the role based authentication tag is included as a portion of a Secure Channel Identifier.

19. A computer program product for communicating information, the computer program product being tangibly embodied on a computer-readable medium and including executable code that, when executed, is configured to cause a network apparatus to:
- receive, via an ingress port, a data packet that includes a payload portion, a source network address and a destination network address,determine if the data packet includes a security tag that includes a role based authentication tag; and
  
  if the data packet includes a security tag that includes a role based authentication tag, transmit, via an egress port, at least the payload portion and the role based authentication tag towards, in a topological sense, the destination network address.
- View Dependent Claims (20)
- - 20. A computer program product of claim 19, wherein executable code that, when executed, is configured to cause a network apparatus to, if the data packet includes a security tag that includes a role based authentication tag:
    - generate a virtual local area network (VLAN) tag that includes the role based authentication tag;
      
      disassociate the security tag from the payload portion; and
      
      associate the VLAN tag with the payload portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Qi, Zheng, IIlyadis, Nicholas, Lin, Meg, Buer, Mark

Granted Patent

US 8,700,891 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 63/101 Access control lists [ACL]

H04L 63/162 at the data link layer

PRESERVING SECURITY ASSOCATION IN MACSEC PROTECTED NETWORK THROUGH VLAN MAPPING

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PRESERVING SECURITY ASSOCATION IN MACSEC PROTECTED NETWORK THROUGH VLAN MAPPING

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links