METHODS AND DEVICES FOR PACKET TAGGING USING IP INDEXING VIA DYNAMIC-LENGTH PREFIX CODE
First Claim
1. A method for packet tagging, the method comprising the steps of:
(a) upon sending an internet-protocol (IP) packet, obtaining, by a sender module, a sender identity for a sender of said IP packet;
(b) securely tagging, by said sender module, said IP packet with said sender identity, wherein said IP packet includes a plurality of fixed-length fields, wherein said fixed-length fields are concatenated into a single fixed-length virtual field, and wherein said virtual field is shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint;
(c) determining, by a receiver module, said sender identity by extracting said sender identity from said IP packet;
(d) checking, by said receiver module, said IP packet to ensure said IP packet has been appropriately tagged; and
(e) enforcing a security policy, by said receiver module, according to said sender identity.
Abstract
Methods including the steps of: upon sending an IP packet, obtaining, by a sender, a sender identity for a sender of the packet; securely tagging, by a sender, the packet with the sender identity, the packet having a plurality of fixed-length fields concatenated into a single fixed-length virtual field shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint; determining, by a receiver, the sender identity by extracting it from the packet; checking, by the receiver, the packet to ensure the packet has been appropriately tagged; and enforcing a security policy, by the receiver, according to the sender identity. Preferably, the step of obtaining includes: accessing, by the sender, a server for obtaining the sender identity; and associating, by the server, the sender identity with the endpoint. Most preferably, the associating is performed using a prefix code for encoding the identities.
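The abstract's central mechanism is that one fixed-width virtual field (several header fields concatenated) carries both an identity index and a keyed hash, with a prefix code deciding where the index ends and the hash begins. The following Python is an added illustration written for this page, not code from the patent or any implementation of it; the field widths (16 and 32 bits), the codeword table, the HMAC-SHA256 construction and the port policy are all constructed assumptions chosen to show the sender tagging, the receiver extraction and check, and the policy decision end to end.

```python
import hmac
import hashlib

# Constructed assumption: two fixed-length header fields are concatenated into
# one virtual field of VIRTUAL_BITS bits (widths chosen for illustration only).
FIELD_WIDTHS = (16, 32)
VIRTUAL_BITS = sum(FIELD_WIDTHS)

# Hypothetical prefix code, as an identity server might assign it. No codeword
# is a prefix of another, so the receiver can tell where the identity index
# ends and the hash begins without any length field; shorter codewords leave
# more bits for the hash.
PREFIX_CODE = {
    "web-frontend": "0",
    "db-client": "10",
    "backup-agent": "110",
    "admin-shell": "111",
}
DECODE = {code: name for name, code in PREFIX_CODE.items()}
MAX_CODE_LEN = max(len(c) for c in PREFIX_CODE.values())

# Constructed policy: which destination ports each identity may reach.
POLICY = {
    "web-frontend": {80, 443},
    "db-client": {5432},
    "backup-agent": {22},
    "admin-shell": {22, 443},
}


def _truncated_mac(key: bytes, identity: str, payload: bytes, nbits: int) -> int:
    """Keyed hash over identity and payload, truncated to the top nbits bits."""
    msg = identity.encode() + b"\x00" + payload
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def split_fields(virtual: int) -> tuple:
    """Break the virtual field back into the fixed-length header fields."""
    fields = []
    remaining = VIRTUAL_BITS
    for width in FIELD_WIDTHS:
        remaining -= width
        fields.append((virtual >> remaining) & ((1 << width) - 1))
    return tuple(fields)


def join_fields(fields) -> int:
    """Concatenate the fixed-length header fields into the virtual field."""
    virtual = 0
    for width, value in zip(FIELD_WIDTHS, fields):
        virtual = (virtual << width) | value
    return virtual


def tag_packet(key: bytes, identity: str, payload: bytes) -> tuple:
    """Sender side: codeword in the top bits, truncated hash in the rest."""
    code = PREFIX_CODE[identity]
    hash_bits = VIRTUAL_BITS - len(code)
    mac = _truncated_mac(key, identity, payload, hash_bits)
    virtual = (int(code, 2) << hash_bits) | mac
    return split_fields(virtual)


def extract_identity(fields) -> tuple:
    """Receiver side: decode the prefix code from the leading bits."""
    bits = format(join_fields(fields), f"0{VIRTUAL_BITS}b")
    for n in range(1, MAX_CODE_LEN + 1):
        if bits[:n] in DECODE:
            return DECODE[bits[:n]], n
    return None, 0


def verify_tag(key: bytes, fields, payload: bytes):
    """Return the sender identity if the tag checks out, else None."""
    identity, code_len = extract_identity(fields)
    if identity is None:
        return None
    hash_bits = VIRTUAL_BITS - code_len
    received = join_fields(fields) & ((1 << hash_bits) - 1)
    expected = _truncated_mac(key, identity, payload, hash_bits)
    nbytes = (hash_bits + 7) // 8
    # Constant-time comparison of the truncated hashes.
    if not hmac.compare_digest(received.to_bytes(nbytes, "big"),
                               expected.to_bytes(nbytes, "big")):
        return None
    return identity


def enforce(identity, dst_port: int) -> bool:
    """Policy decision: untagged or badly tagged packets are never allowed."""
    return identity is not None and dst_port in POLICY.get(identity, set())


if __name__ == "__main__":
    key = b"constructed-demo-key"
    payload = b"GET / HTTP/1.1"
    fields = tag_packet(key, "db-client", payload)
    who = verify_tag(key, fields, payload)
    print(fields, who, enforce(who, 5432), enforce(who, 22))
```

Note that a modified packet still decodes to some identity (the code is complete), so the receiver's decision rests on the hash check, not on the index alone; the hash is only as strong as the bits left over after the codeword, which is the trade-off a real deployment would size against the field widths it has.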
23 Claims
1. (Independent claim 1 is set out above under First Claim; dependent claims 2, 3, 4, 5, 6, 7.)
8. A device for enforcing network access control, the device comprising:
(a) a sender module configured for:
(i) upon sending an internet-protocol (IP) packet, obtaining a sender identity for a sender of said IP packet; and
(ii) securely tagging said IP packet with said sender identity, wherein said IP packet includes a plurality of fixed-length fields, wherein said fixed-length fields are concatenated into a single fixed-length virtual field, and wherein said virtual field is shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint.
(Dependent claims: 9, 10, 11, 12, 13, 14.)
15. A device for enforcing network access control, the device comprising:
(a) a receiver module configured for:
(i) determining a sender identity by extracting said sender identity from an internet-protocol (IP) packet;
(ii) checking said IP packet to ensure said IP packet has been appropriately tagged; and
(iii) enforcing a security policy according to said sender identity.
(Dependent claim: 16.)
17. A computer-readable storage medium having computer-readable code embodied on the computer-readable storage medium, the computer-readable code comprising:
(a) program code for, upon sending an internet-protocol (IP) packet, obtaining, by a sender module, a sender identity for a sender of said IP packet;
(b) program code for securely tagging, by said sender module, said IP packet with said sender identity, wherein said IP packet includes a plurality of fixed-length fields, wherein said fixed-length fields are concatenated into a single fixed-length virtual field, and wherein said virtual field is shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint;
(c) program code for determining, by a receiver module, said sender identity by extracting said sender identity from said IP packet;
(d) program code for checking, by said receiver module, said IP packet to ensure said IP packet has been appropriately tagged; and
(e) program code for enforcing a security policy, by said receiver module, according to said sender identity.
(Dependent claims: 18, 19, 20, 21, 22, 23.)
Specification