NETWORK DEVICE AUTHENTICATION

US 20110167269A1
Filed: 01/06/2010
Published: 07/07/2011
Est. Priority Date: 01/06/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating, via a first optical network device, a notification message;

transmitting, via the first optical network device, the notification message to a second optical network device;

receiving, via the first optical network device, a first authentication message comprising first message data and a first authentication code generated via the second optical network device based on the first message data and a first key;

generating, via the first optical network device, a second authentication message comprising second message data and a second authentication code generated based on the second message data and a second key;

transmitting, via the first optical network device, the second authentication message to the second optical network device; and

receiving, via the first optical network device, an authentication complete message from the second optical network device.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, this disclosure relates to maintaining security between an optical network terminal (ONT) and an optical network aggregation device in an Active Ethernet network. An optical network aggregation device includes one or more optical Ethernet switches that can be adaptively configured to support authentication of one or more ONTs. For example, the optical network aggregation device may include a controller with an authentication unit for managing ONT authentication and an optical Ethernet interface for transmitting and receiving data over the optical network. The authentication unit may exchange authentication request messages via the optical Ethernet interface with an ONT and grant the ONT access to the provider network based on the exchange, thereby preventing rogue devices from gaining access to the provider network.

46 Citations

View as Search Results

29 Claims

1. A method comprising:
- generating, via a first optical network device, a notification message;
  
  transmitting, via the first optical network device, the notification message to a second optical network device;
  
  receiving, via the first optical network device, a first authentication message comprising first message data and a first authentication code generated via the second optical network device based on the first message data and a first key;
  
  generating, via the first optical network device, a second authentication message comprising second message data and a second authentication code generated based on the second message data and a second key;
  
  transmitting, via the first optical network device, the second authentication message to the second optical network device; and
  
  receiving, via the first optical network device, an authentication complete message from the second optical network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first optical network device comprises one or more ports for sending and receiving network data to a set of client devices, and wherein the first optical network device, in response to receiving the authentication complete message, unblocks at least one of the one or more ports.
  - 3. The method of claim 1, wherein generating the second authentication code comprises:
    - applying the first key to a client ID in order to generate the second key; and
      
      applying the second key to the second message data.
  - 4. The method of claim 1, wherein generating the second authentication code comprises applying the first key and a message digest algorithm to the second message data.
  - 5. The method of claim 1, wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, a first client identification field, and a client configuration field, and wherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, a second client identification field, and the client configuration field.
  - 6. The method of claim 5, wherein generating the second authentication message further comprises:
    - setting, via the first optical network device, the second client type field to the client type of the first optical network device; and
      
      setting, via the first optical network device, the second client identification field to at least one of a serial number of the first optical network device, a Media Access Control (MAC) address of the first optical network device, and a programmable value that uniquely identifies the first optical network device.
  - 7. The method of claim 1, wherein the first optical network device is an optical network termination device, and wherein the second optical network device is an optical network aggregation device.

8. An optical network device comprising a processor configured to:
- generate a notification message;
  
  transmit the notification message to a second optical network device;
  
  receive a first authentication message comprising first message data and a first authentication code, wherein the first authentication code is generated via the second optical network device based on the first message data and a first key;
  
  generate a second authentication message comprising second message data and a second authentication code generated based on the second message data and a second key;
  
  transmit the second authentication message to the second optical network device; and
  
  receive an authentication complete message from the second optical network device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The optical network device of claim 8, wherein the optical network device comprises one or more ports for sending and receiving network data to a set of client devices, and wherein the optical network device, in response to receiving the authentication complete message, unblocks at least one of the one or more ports.
  - 10. The optical network device of claim 8, wherein the processor that is configured to generate the second authentication code is further configured to:
    - apply the first key to a client ID in order to generate the second key; and
      
      apply the second key to the second message data.
  - 11. The optical network device of claim 8, wherein the processor that is configured to generate the second authentication code is further configured to apply the first key and a message digest algorithm to the second message data.
  - 12. The optical network device of claim 8, wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, a first client identification field, and a client configuration field, and wherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, a second client identification field, and the client configuration field.
  - 13. The optical network device of claim 12, wherein the processor that is configured to generate the second authentication code is further configured to:
    - set the second client type field to the client type of the optical network device; and
      
      set the second client identification field to at least one of a serial number of the optical network device, a Media Access Control (MAC) address of the optical network device, and a programmable value that uniquely identifies the optical network device.
  - 14. The optical network device of claim 8, wherein the optical network device is an optical network termination device, and wherein the second optical network device is an optical network aggregation device.

15. A computer-readable storage medium comprising instructions that, upon execution, cause one or more processors to:
- generate, via a first optical network device, a notification message;
  
  transmit, via the first optical network device, the notification message to a second optical network device;
  
  receive, via the first optical network device, a first authentication message comprising first message data and a first authentication code generated via the second optical network device based on the first message data and a first key;
  
  generate, via the first optical network device, a second authentication message comprising second message data and a second authentication code generated based on the second message data and a second key;
  
  transmit, via the first optical network device, the second authentication message to the second optical network device; and
  
  receive, via the first optical network device, an authentication complete message from the second optical network device.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer-readable storage medium of claim 15,wherein the first optical network device comprises one or more ports for sending and receiving network data to a set of client devices, andwherein the instructions that, upon execution, cause the one or more processors to receive the authentication complete message further comprise instructions that cause the one or more processors to unblock at least one of the one or more ports.
  - 17. The computer-readable storage medium of claim 15, wherein the instructions that, upon execution, cause the one or more processors to generate the second authentication code further comprise instructions that cause the one or more processors to:
    - apply the first key to a client ID in order to generate the second key; and
      
      apply the second key to the second message data.
  - 18. The computer-readable storage medium of claim 15, wherein the instructions that, upon execution, cause the one or more processors to generate the second authentication code further comprise instructions that cause the one or more processors to apply the first key and a message digest algorithm to the second message data.
  - 19. The computer-readable storage medium of claim 15, wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, a first client identification field, and a client configuration field, and wherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, a second client identification field, and the client configuration field.
  - 20. The computer-readable storage medium of claim 19, wherein the instructions that, upon execution, cause the one or more processors to generate the second authentication message further comprise instructions that cause the one or more processors to:
    - set, via the first optical network device, the second client type field to the client type of the first optical network device; and
      
      set, via the first optical network device, the second client identification field to at least one of a serial number of the first optical network device, a Media Access Control (MAC) address of the first optical network device, and a programmable value that uniquely identifies the first optical network device.
  - 21. The computer-readable storage medium of claim 15, wherein the first optical network device is an optical network termination device, and wherein the second optical network device is an optical network aggregation device.

22. An optical network device comprising:
- means for generating a notification message;
  
  means for transmitting the notification message to a second optical network device;
  
  means for receiving a first authentication message comprising first message data and a first authentication code generated via the second optical network device based on the first message data and a first key;
  
  means for generating a second authentication message comprising second message data and a second authentication code generated based on the second message data and a second key;
  
  means for transmitting the second authentication message to the second optical network device; and
  
  means for receiving an authentication complete message from the second optical network device.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The optical network device of claim 22, further comprising one or more ports for sending and receiving network data to a set of client devices, wherein the optical network device comprises means for unblocking at least one of the one or more ports in response to receiving the authentication complete message.
  - 24. The optical network device of claim 22, wherein the means for generating the second authentication code comprises:
    - means for applying the first key to a client ID in order to generate the second key; and
      
      means for applying the second key to the second message data.
  - 25. The optical network device of claim 22, wherein the means for generating the second authentication code comprises means for applying the first key and a message digest algorithm to the second message data.
  - 26. The optical network device of claim 22, wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, a first client identification field, and a client configuration field, and wherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, a second client identification field, and the client configuration field.
  - 27. The optical network device of claim 25, wherein the means for generating the second authentication message further comprises:
    - means for setting the second client type field to the client type of the first optical network device; and
      
      means for setting the second client identification field to at least one of a serial number of the first optical network device, a Media Access Control (MAC) address of the first optical network device, and a programmable value that uniquely identifies the first optical network device.
  - 28. The optical network device of claim 22, wherein the first optical network device is an optical network termination device, and wherein the second optical network device is an optical network aggregation device.

29. A system comprising:
- an optical network aggregation device; and
  
  an optical network termination device, wherein the optical network termination device comprises a processor configured to;
  
  generate a notification message;
  
  transmit the notification message to the optical network aggregation device;
  
  receive a first authentication message comprising first message data and a first authentication code generated via the optical network aggregation device based on the first message data and a first key;
  
  generate a second authentication message comprising second message data and a second authentication code generated based on the second message data and a second key;
  
  transmit the second authentication message to the optical network aggregation device; and
  
  receive an authentication complete message from the optical network aggregation device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Calix Incorporated
Original Assignee
Calix Networks Incorporated (Calix Incorporated)
Inventors
Missett, Shaun Noel, Baykal, Berkay

Granted Patent

US 8,312,275 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/169
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless network architectu...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 9/3226   using a predetermined code,...

NETWORK DEVICE AUTHENTICATION

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

NETWORK DEVICE AUTHENTICATION

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others