NETWORK DEVICE AUTHENTICATION

US 20110167268A1
Filed: 01/06/2010
Published: 07/07/2011
Est. Priority Date: 01/06/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating, via a first optical network device, a first authentication message comprising a first authentication code;

transmitting, via the first optical network device, the first authentication message to a second optical network device;

receiving, via the first optical network device, a second authentication message comprising a second authentication code generated via the second optical network device; and

authorizing, via the first optical network device, communication between the first optical network device and the second optical network device, based on the second authentication message.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, this disclosure relates to maintaining security between an optical network terminal (ONT) and an optical network aggregation device in an Active Ethernet network. An optical network aggregation device includes one or more optical Ethernet switches that can be adaptively configured to support authentication of one or more ONTs. For example, the optical network aggregation device may include a controller with an authentication unit for managing ONT authentication and an optical Ethernet interface for transmitting and receiving data over the optical network. The authentication unit may exchange authentication request messages via the optical Ethernet interface with an ONT and grant the ONT access to the provider network based on the exchange, thereby preventing rogue devices from gaining access to the provider network.

27 Citations

View as Search Results

41 Claims

1. A method comprising:
- generating, via a first optical network device, a first authentication message comprising a first authentication code;
  
  transmitting, via the first optical network device, the first authentication message to a second optical network device;
  
  receiving, via the first optical network device, a second authentication message comprising a second authentication code generated via the second optical network device; and
  
  authorizing, via the first optical network device, communication between the first optical network device and the second optical network device, based on the second authentication message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the first optical network device comprises one or more ports, and wherein authorizing communication between the first optical network device and the second optical network device, based on the second authentication message, comprises:
    - in response to receiving the second authorization message, generating, via the first optical network device, a third authentication code;
      
      comparing, via the first optical network device, the second authentication code and the third authentication code; and
      
      if the second authentication code matches the third authentication code, then;
      
      transmitting, via the first optical network device, a third authentication message to the second optical network device; and
      
      unblocking at least one of the one or more ports.
  - 3. The method of claim 1, wherein the first authentication message further comprises first message data, wherein the second authentication message further comprises second message data, wherein the first authentication code is computed based on the first message data and a first key, and wherein the second authentication code is computed based on the second message data and a second key.
  - 4. The method of claim 3, wherein computing the first authentication code comprises applying the first key and a message digest algorithm to the first message data, and wherein computing the second authentication code comprises applying the second key and the message digest algorithm to the second message data.
  - 5. The method of claim 3, wherein generating the first authentication message comprises:
    - generating the first authentication code by applying the first key and a message digest algorithm to the first message data; and
      
      applying a layer two header comprising a reserved media access control address to the first authentication message.
  - 6. The method of claim 3, wherein the first key is the same as the second key.
  - 7. The method of claim 3, wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, a first client identification field, and a client configuration field, andwherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, a second client identification field, and the client configuration field.
  - 8. The method of claim 7, wherein the first optical network device comprises one or more ports, and wherein authorizing communication comprises:
    - generating, via the first optical network device, a third key based on the second client identification field and the first key;
      
      generating, via the first optical network device, a third authentication code by applying the third key and a message digest algorithm to the second message data;
      
      comparing the second authentication code with the third authentication code; and
      
      if the second authentication code matches the third authentication code, then;
      
      transmitting, via the first optical network device, a third authentication message to the second optical network device; and
      
      unblocking at least one of the one or more ports.
  - 9. The method of claim 1, further comprising receiving, from an administration interface of the first optical network device, configuration information comprising a key corresponding to at least one of a model, a type, and a manufacturer of the second optical network device.
  - 10. The method of claim 1, wherein the first optical network device is an optical network aggregation device, and wherein the second optical network device is an optical network termination device.

11. An optical network device comprising a processor configured to:
- generate a first authentication message comprising a first authentication code;
  
  transmit the first authentication message to a second optical network device;
  
  receive a second authentication message comprising a second authentication code generated via the second optical network device; and
  
  authorize communication between the optical network device and the second optical network device, based on the second authentication message.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The optical network device of claim 11 further comprising:
    - one or more ports,wherein the processor that is configured to authorize communication between the first optical network device and the second optical network device is further configured to;
      
      generate a third authentication code in response to receiving the second authentication message;
      
      compare the second authentication code and the third authentication code; and
      
      if the second authentication code matches the third authentication code, then;
      
      transmit a third authentication message to the second optical network device; and
      
      unblock at least one of the one or more ports.
  - 13. The optical network device of claim 11, wherein the first authentication message further comprises first message data, wherein the second authentication message further comprises second message data, and wherein the processor is further configured to:
    - compute the first authentication code based upon the first message data and a first key; and
      
      receive the second authentication code, wherein the second authentication code is generated via the second optical network device and based on the second message data and a second key.
  - 14. The optical network device of claim 13, wherein the processor is further configured to:
    - compute the first authentication code by applying the first key and a message digest algorithm to the first message data; and
      
      receive the second authentication code, wherein the second authentication code is generated via the second optical network device by applying the second key and the message digest algorithm to the second message data.
  - 15. The optical network device of claim 13, wherein the processor is further configured to:
    - generate the first authentication message by applying the first key and a message digest algorithm to the first message data; and
      
      apply a layer two header comprising a reserved media access control address to the first authentication message.
  - 16. The optical network device of claim 13, wherein the first key is the same as the second key.
  - 17. The optical network device of claim 13,wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, a first client identification field, and a client configuration field, andwherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, a second client identification field, and the client configuration field.
  - 18. The optical network device of claim 17, further comprising:
    - one or more ports,wherein the processor is further configured to;
      
      generate a third key based on the second client identification field and the first key;
      
      generate a third authentication code by applying the third key and a message digest algorithm to the second message data;
      
      compare the second authentication code with the third authentication code; and
      
      if the second authentication code matches the third authentication code, then;
      
      transmit a third authentication message to the second optical network device; and
      
      unblock at least one of the one or more ports.
  - 19. The optical network device of claim 11, wherein the processor is further configured to receive, from an administration interface of the optical network device, configuration information comprising a key corresponding to at least one of a model, a type, and a manufacturer of the second optical network device.
  - 20. The optical network device of claim 11, wherein the optical network device is an optical network aggregation device, and wherein the second optical network device is an optical network termination device.

21. A computer-readable storage medium comprising instructions that, upon execution, cause one or more processors to:
- generate, via a first optical network device, a first authentication message comprising a first authentication code;
  
  transmit, via the first optical network device, the first authentication message to a second optical network device;
  
  receive, via the first optical network device, a second authentication message comprising a second authentication code generated via the second optical network device; and
  
  authorize, via the first optical network device, communication between the first optical network device and the second optical network device, based on the second authentication message.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer-readable storage medium of claim 21,wherein the first optical network device comprises one or more ports, andwherein the instructions that, upon execution, cause the one or more processors to authorize communication between the first optical network device and the second optical network device further comprise instructions that cause the one or more processors to:
    - generate, via the first optical network device, a third authentication code in response to receiving the second authentication message;
      
      compare the second authentication code and the third authentication code; and
      
      if the second authentication code matches the third authentication code, then;
      
      transmit, via the first optical network device, a third authentication message to the second optical network device; and
      
      unblock at least one of the one or more ports.
  - 23. The computer-readable storage medium of claim 21, wherein the first authentication message further comprises first message data and wherein the second authentication message further comprises second message data, and wherein the computer readable storage medium further comprises instructions that, upon execution, cause the one or more processors to:
    - compute the first authentication code based on the first message data and a first key; and
      
      receive the second authentication code, wherein the second authentication code is generated via the second optical device and based on the second message data and a second key.
  - 24. The computer-readable storage medium of claim 23,wherein the instructions that, upon execution, cause the one or more processors to compute the first authentication code further comprise instructions that cause the one or more processor to apply the first key and a message digest algorithm to the first message data, andwherein the second authentication code generated via the second optical network device is generated by applying the second key and the message digest algorithm to the second message data.
  - 25. The computer-readable storage medium of claim 23, wherein the instructions that, upon execution, cause the one or more processors to generate the first authentication message further comprise instructions that cause the one or more processors to:
    - generate the first authentication code by applying the first key and a message digest algorithm to the first message data; and
      
      apply a layer two header comprising a reserved media access control address to the first authentication message.
  - 26. The computer-readable storage medium of claim 23, wherein the first key is the same as the second key.
  - 27. The computer-readable storage medium of claim 23,wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, a first client identification field, and a client configuration field, andwherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, a second client identification field, and the client configuration field.
  - 28. The computer-readable storage medium of claim 27, wherein the first optical network device comprises one or more ports, and wherein the instructions that, upon execution, cause the one or more processors to authorize communication further comprise instructions that cause the one or more processors to:
    - generate, via the first optical network device, a third key based on the second client identification field and the first key;
      
      generate, via the first optical network device, a third authentication code by applying the third key and a message digest algorithm to the second message data;
      
      compare the second authentication code with the third authentication code; and
      
      if the second authentication code matches the third authentication code, then;
      
      transmit, via the first optical network device, a third authentication message to the second optical network device; and
      
      unblock at least one of the one or more ports.
  - 29. The computer-readable storage medium of claim 21, further comprising instructions that, upon execution, cause the one or more processors to receive, from an administration interface of the first optical network device, configuration information comprising a key corresponding to at least one of a model, a type, and a manufacturer of the second optical network device.
  - 30. The computer-readable storage medium of claim 21, wherein the first optical network device is an optical network aggregation device, and wherein the second optical network device is an optical network termination device.

31. An optical network device comprising:
- means for generating a first authentication message comprising a first authentication code;
  
  means for transmitting the first authentication message to a second optical network device;
  
  means for receiving a second authentication message comprising a second authentication code generated via the second optical network device; and
  
  means for authorizing communication between the optical network device and the second optical network device, based on the second authentication message.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The optical network device of claim 31, further comprising one or more ports, wherein the means for authorizing communication between the network optical device and the second optical network device, based on the second authentication message further comprises:
    - means for generating a third authentication code in response to receiving the second authorization message;
      
      means for comparing the second authentication code and the third authentication code; and
      
      if the second authentication code matches the third authentication code, then;
      
      means for transmitting a third authentication message to the second optical network device; and
      
      means for unblocking at least one of the one or more ports.
  - 33. The optical network device of claim 31, wherein the first authentication message further comprises first message data, wherein the second authentication message further comprises second message data, and wherein the optical network device further comprises:
    - means for computing the first authentication code based on the first message data and a first key; and
      
      means for receiving the second authentication code, wherein the second authentication code is generated via the second optical network device and based on the second message data and a second key.
  - 34. The optical network device of claim 33,wherein the means for computing the first authentication code comprises means for applying the first key and a message digest algorithm to the first message data, andwherein the second authentication code generated via the second optical network device is generated by applying the second key and the message digest algorithm to the second message data.
  - 35. The optical network device of claim 33, wherein the means for generating the first authentication message comprises:
    - means for generating the first authentication code by applying the first key and a message digest algorithm to the first message data; and
      
      means for applying a layer two header comprising a reserved media access control address to the first authentication message.
  - 36. The optical network device of claim 33, wherein the first key is the same as the second key.
  - 37. The optical network device of claim 33, wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, a first client identification field, and a client configuration field, andwherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, a second client identification field, and the client configuration field.
  - 38. The optical network device of claim 37, further comprising one or more ports, wherein the means for authorizing communication comprises:
    - means for generating a third key based on the second client identification field and the first key;
      
      means for generating a third authentication code by applying the third key and a message digest algorithm to the second message data;
      
      means for comparing the second authentication code with the third authentication code; and
      
      if the second authentication code matches the third authentication code, then;
      
      means for transmitting a third authentication message to the second optical network device; and
      
      means for unblocking at least one of the one or more ports.
  - 39. The optical network device of claim 31, further comprising means for receiving, from an administration interface of the optical network device, configuration information comprising a key corresponding to at least one of a model, a type, and a manufacturer of the second optical network device.
  - 40. The optical network device of claim 31, wherein the optical network device is an optical network aggregation device, and wherein the second optical network device is an optical network termination device.

41. A system comprising:
- an optical network termination device; and
  
  an optical network aggregation device, wherein the optical network aggregation device comprises a processor configured to;
  
  generate a first authentication message comprising a first authentication code;
  
  transmit the first authentication message to the optical network termination device;
  
  receive a second authentication message comprising a second authentication code generated via the optical network termination device; and
  
  authorize communication between the optical network aggregation device and the optical network termination device, based on the second authentication message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Calix Incorporated
Original Assignee
Calix Networks Incorporated (Calix Incorporated)
Inventors
Missett, Shaun Noel, Baykal, Berkay

Granted Patent

US 8,495,371 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/169
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless network architectu...

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04L 9/3226   using a predetermined code,...

NETWORK DEVICE AUTHENTICATION

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK DEVICE AUTHENTICATION

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links