Logical Partition Media Access Control Impostor Detector

US 20110161653A1
Filed: 12/24/2009
Published: 06/30/2011
Est. Priority Date: 12/24/2009
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

establishing a plurality of cryptographically secure channels, each channel between a monitoring device and a monitored device of a plurality of monitored devices, each monitored device of the plurality of monitored devices associated with unique address;

transmitting a heartbeat from the monitoring device to a first monitored device of the plurality of monitored devices via a first secure channel, corresponding to the first monitored device, of the plurality of secure channels;

if a response to the heartbeat is received, transmitting a second heartbeat from the monitoring device to a second monitored device of the plurality of monitor devices via the first secure channel; and

if a response to the heartbeat is not received, executing a spoofing detection scheme, comprising;

transmitting a second heartbeat to the first monitored device via an address associated with a second monitored device;

receiving a response to the second heartbeat; and

determining that a spoofing attack has occurred by the fact that the response to the second heartbeat has been received.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are techniques for to enable a virtual input/output server (VIOS) to establish cryptographically secure signals with target LPARs to detect an imposter or spoofing LPAR. The secure signal, or “heartbeat,” may be configured as an Internet Key Exchange/Internet Protocol Security (IKE/IPSec) encapsulated packet (ESP) connection or tunnel. Within the tunnel, the VIOS pings each target LPAR and, if a heartbeat is interrupted, the VIOS makes a determination as to whether the tunnel is broken, the corresponding LPAR is down or a media access control (MAC) spoofing attach is occurring. The determination is made by sending a heartbeat that is designed to fail unless the heartbeat is received by a spoofing device.

Citations

25 Claims

1. A method, comprising:
- establishing a plurality of cryptographically secure channels, each channel between a monitoring device and a monitored device of a plurality of monitored devices, each monitored device of the plurality of monitored devices associated with unique address;
  
  transmitting a heartbeat from the monitoring device to a first monitored device of the plurality of monitored devices via a first secure channel, corresponding to the first monitored device, of the plurality of secure channels;
  
  if a response to the heartbeat is received, transmitting a second heartbeat from the monitoring device to a second monitored device of the plurality of monitor devices via the first secure channel; and
  
  if a response to the heartbeat is not received, executing a spoofing detection scheme, comprising;
  
  transmitting a second heartbeat to the first monitored device via an address associated with a second monitored device;
  
  receiving a response to the second heartbeat; and
  
  determining that a spoofing attack has occurred by the fact that the response to the second heartbeat has been received.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the monitored devices are logical partitions (LPARs) of a computing device.
  - 3. The method of claim 1, wherein the monitoring device is a virtual input/output server (VIOS) of the computing device.
  - 4. The method of claim 1, further comprising determining that the first secure channel is broken by the fact that the response to the second heartbeat is not received.
  - 5. The method of claim 1, wherein the cryptographically secure channels are based on an Internet Key Exchange/Internet Protocol Security (IKE/IPSec) encapsulated packet (ESP) protocol.

6. A computing system, comprising:
- a processor;
  
  a computer-readable storage medium, coupled to the processor; and
  
  logic, stored on the computer-readable storage medium and executed on the processor, for;
  
  establishing a plurality of cryptographically secure channels, each channel between a monitoring device and a monitored device of a plurality of monitored devices, each monitored device associated with unique address;
  
  transmitting a heartbeat from the monitoring device to a first monitored device of the plurality of monitored devices via a first secure channel, corresponding to the first monitored device, of the plurality of secure channels;
  
  if a response to the heartbeat is received, transmitting a second heartbeat from the monitoring device to a second monitored device of the plurality of monitored devices via the first secure channel; and
  
  if a response to the heartbeat is not received, executing a spoofing detection scheme, comprising;
  
  transmitting a second heartbeat to the first monitored device via an address associated with a second monitored device;
  
  receiving a response to the second heartbeat; and
  
  determining that a spoofing attack has occurred by the fact that the response to the second heartbeat has been received.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein the monitored devices are logical partitions (LPARs) of a computing device.
  - 8. The system of claim 6, wherein the monitoring device is a virtual input/output server (VIOS) of the computing device.
  - 9. The system of claim 6, the logic further comprising logic for determining that the first secure channel is broken by the fact that the response to the second heartbeat is not received.
  - 10. The system of claim 6, wherein the cryptographically secure channels are based on an Internet Key Exchange/Internet Protocol Security (IKE/IPSec) encapsulated packet (ESP) protocol.

11. A computing programming product, comprising:
- a computer-readable storage medium; and
  
  logic, stored on the computer-readable storage medium for execution on a processor, for;
  
  establishing a plurality of cryptographically secure channels, each channel between a monitoring device and a monitored device of a plurality of monitored devices, each monitored device associated with unique address;
  
  transmitting a heartbeat from the monitoring device to a first monitored device of the plurality of monitor devices via a first secure channel, corresponding to the first monitored device, of the plurality of secure channels;
  
  if a response to the heartbeat is received, transmitting a second heartbeat from the monitoring device to a second monitored device of the plurality of monitored devices via the first secure channel; and
  
  if a response to the heartbeat is not received, executing a spoofing detection scheme, comprising;
  
  transmitting a second heartbeat to the first monitored device via an address associated with a second monitored device;
  
  receiving a response to the second heartbeat; and
  
  determining that a spoofing attack has occurred by the fact that the response to the second heartbeat has been received.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computing programming product of claim 11, wherein the monitored devices are logical partitions (LPARs) of a computing device.
  - 13. The computing programming product of claim 11, wherein the monitoring device is a virtual input/output server (VIOS) of the computing device.
  - 14. The computing programming product of claim 11, the logic further comprising logic for determining that the first secure channel is broken by the fact that the response to the second heartbeat is not received.
  - 15. The computing programming product of claim 11, wherein the cryptographically secure channels are based on an Internet Key Exchange/Internet Protocol Security (IKE/IPSec) encapsulated packet (ESP) protocol.

16. A method, comprising:
- establishing by a hypervisor, coupled to a computing system, a plurality of cryptographically secure channels, each channel between a monitoring device of the computing system and a monitored device of a plurality of monitored devices of the computing system, each monitored device associated with unique address;
  
  transmitting a heartbeat from the monitoring device to a first monitored device of the plurality of monitored devices via a first secure channel, corresponding to the first monitored device, of the plurality of secure channels;
  
  if a response to the heartbeat is received, transmitting a second heartbeat from the monitoring device to a second monitored device of the plurality of monitored devices via the first secure channel; and
  
  if a response to the heartbeat is not received, executing a spoofing detection scheme, comprising;
  
  transmitting a second heartbeat to the first monitored device via an address associated with a second monitored device;
  
  receiving a response to the second heartbeat; and
  
  determining that a spoofing attack has occurred by the fact that the response to the second heartbeat has been received.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein the monitored devices are logical partitions (LPARs) of the computing device.
  - 18. The method of claim 17, wherein the monitoring device is a virtual input/output server (VIOS) associated with the hypervisor.
  - 19. The method of claim 16, further comprising determining that the first secure channel is broken by the fact that the response to the second heartbeat is not received.
  - 20. The method of claim 16, wherein the cryptographically secure channels are based on an Internet Key Exchange/Internet Protocol Security (IKE/IPSec) encapsulated packet (ESP) protocol.

21. A method, comprising:
- establishing a plurality of cryptographically secure channels, each channel between a virtual input/output server (VIOS) and a monitored device of a plurality of monitored devices, each monitored device associated with unique address;
  
  transmitting a heartbeat from the VIOS to a first monitored device of the plurality of monitored devices via a first secure channel, corresponding to the first monitored device, of the plurality of secure channels;
  
  if a response to the heartbeat is received, transmitting a second heartbeat from the VIOS to a second monitored device of the plurality of monitored devices via the first secure channel; and
  
  if a response to the heartbeat is not received, executing a spoofing detection scheme, comprising;
  
  transmitting a second heartbeat to the first monitored device via an address associated with a second monitored device;
  
  receiving a response to the second heartbeat; and
  
  determining that a spoofing attack has occurred by the fact that the response to the second heartbeat has been received.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21, wherein the monitored devices are logical partitions (LPARs) of the computing device.
  - 23. The method of claim 21, wherein the VIOS is associated with a hypervisor.
  - 24. The method of claim 21, further comprising determining that the first secure channel is broken by the fact that the response to the second heartbeat is not received.
  - 25. The method of claim 21, wherein the cryptographically secure channels are based on an Internet Key Exchange/Internet Protocol Security (IKE/IPSec) encapsulated packet (ESP) protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Murillo, Jessica C., McBrearty, Gerald F., Mullen, Shawn P., Shieh, Johnny M., Keohane, Susann M.

Granted Patent

US 9,088,609 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0428   wherein the data content is...

H04L 63/1466   Active attacks involving in...

H04L 63/1475   Passive attacks, e.g. eaves...

H04L 63/1483   service impersonation, e.g....

Logical Partition Media Access Control Impostor Detector

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Logical Partition Media Access Control Impostor Detector

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links