NETWORK INFRASTRUCTURE VALIDATION OF NETWORK MANAGEMENT FRAMES
Abstract
A detection-based defense for a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as frames sent by rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to validate those management frames and to detect spoofed ones. When a neighboring access point receives a management frame, it obtains a key for the access point that purportedly sent the frame and validates the management frame using that key.
23 Citations
23 Claims
1. A method for validating network management frames, comprising:
receiving, by a validating device, a management frame that is not addressed to the validating device from a first device via a first interface, the management frame comprising a source address identifying a purported source device of the management frame and a destination address identifying at least one destination device on a first interface;
obtaining a key by the validating device for the purported source device of the management frame from the purported first device via a second interface in response to receiving the management frame not addressed to the validating device; and
validating, by the validating device, the management frame using the key obtained from the purported source device.
Dependent claims: 2 through 11 (not reproduced on this page).
12. An access point, comprising:
a wireless transceiver;
a controller coupled to the wireless transceiver for controlling the wireless transceiver; and
a second transceiver coupled to a network;
wherein the controller is responsive to the wireless transceiver receiving a management frame not addressed to the wireless transceiver from a first device, the management frame comprising a source address of a purported second access point and is addressed to a wireless client;
wherein the controller is responsive to receiving the management frame to communicate with the purported second access point via the second transceiver to obtain a key for the purported second access point for validating management frames purported to have been sent by the second access point in response to receiving the management frame not addressed to the wireless transceiver from the first device; and
wherein the controller is configured for determining whether the first device is a rogue device pretending to be the purported second access point by attempting to validate the management frame with the key.
Dependent claims: 13 through 16 (not reproduced on this page).
17. A method of operation for an authentication server, comprising:
establishing a first secure communication session with a first access point;
establishing a second secure communication session with a second access point;
receiving a request from the second access point for a key for validating management frames sent by the first access point via the second secure communication session;
sending the key for validating management frames by the first access point to the second access point via the second secure communication session;
determining the first access point has changed the key for validating management frames to an updated key; and
automatically sending the updated key to the second access point via the second secure communication session responsive to determining the first access point has changed the key for validating management frames to an updated key.
Dependent claims: 18 through 21 (not reproduced on this page).
22. An apparatus, comprising:
an authentication server configured to communicate via a network to a plurality of access points;
wherein the authentication server is configured to establish a first secure communication session with a first access point;
wherein the authentication server is configured to establish a second secure communication session with a second access point;
wherein the authentication server is configured to receive a request from the second access point for a key for validating management frames sent by the first access point via the second secure communication session;
wherein the authentication server is responsive to receiving the request from the second access point to send the key for validating management frames for the first access point to the second access point via the second secure communication session;
wherein the authentication server is configured to determine that the first access point has changed the key for validating management frames to an updated key; and
wherein the authentication server is responsive to determining the first access point has changed the key for validating management frames to an updated key to automatically send the updated key to the second access point via the second secure communication session.
Dependent claim: 23 (not reproduced on this page).
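The flow described in the abstract and in claims 1, 12, 17 and 22, as an added Python example that is not part of the patent or of any vendor's implementation: a genuine access point appends a message integrity check to each management frame, a neighboring access point overhearing a frame not addressed to it asks a key server for the purported sender's key over its wired side, checks the MIC, and is pushed the new key when the sender rotates it. The frame layout, the HMAC-SHA256 MIC, the in-process KeyServer/AccessPoint classes, the MAC addresses and keys, and the per-source replay check are all assumptions constructed for the example.

```python
"""Added example, not from the patent: a toy model of the scheme in the
abstract and claims 1, 12, 17 and 22. The frame layout, MIC construction,
key-server interface and replay check are assumptions for illustration."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

HDR = struct.Struct("!B6s6sH")   # assumed layout: subtype, source MAC, destination MAC, seq
MIC_LEN = 16                     # assumed: HMAC-SHA256 truncated to 128 bits, appended to the frame


def build_frame(key: bytes, subtype: int, src: bytes, dst: bytes, seq: int, body: bytes) -> bytes:
    """What an infrastructure AP sends: header + body + MIC keyed with its own key."""
    data = HDR.pack(subtype, src, dst, seq) + body
    return data + hmac.new(key, data, hashlib.sha256).digest()[:MIC_LEN]


def parse_frame(frame: bytes) -> Tuple[int, bytes, bytes, int, bytes, bytes]:
    """Split a frame into its fields; reject anything too short to carry a MIC."""
    if len(frame) < HDR.size + MIC_LEN:
        raise ValueError("frame too short to carry a MIC")
    subtype, src, dst, seq = HDR.unpack(frame[:HDR.size])
    return subtype, src, dst, seq, frame[HDR.size:-MIC_LEN], frame[-MIC_LEN:]


class KeyServer:
    """Stand-in for the authentication server of claims 17/22: hands out the
    current key for an AP on request and pushes updates to every AP that asked."""

    def __init__(self) -> None:
        self.keys: Dict[bytes, bytes] = {}
        self.subscribers: Dict[bytes, List["AccessPoint"]] = {}

    def register(self, ap_mac: bytes, key: bytes) -> None:
        self.keys[ap_mac] = key
        for neighbor in self.subscribers.get(ap_mac, []):
            neighbor.key_cache[ap_mac] = key   # automatic push of the updated key

    def request_key(self, requester: "AccessPoint", ap_mac: bytes) -> Optional[bytes]:
        subs = self.subscribers.setdefault(ap_mac, [])
        if requester not in subs:
            subs.append(requester)
        return self.keys.get(ap_mac)


class AccessPoint:
    """The validating AP of claims 1/12. Frames arrive on the wireless side,
    keys come from the server over the wired side (the 'second interface')."""

    def __init__(self, mac: bytes, server: KeyServer) -> None:
        self.mac = mac
        self.server = server
        self.key_cache: Dict[bytes, bytes] = {}
        self.last_seq: Dict[bytes, int] = {}   # per-source replay window (assumption, not in the patent)

    def overhear(self, frame: bytes) -> str:
        _subtype, src, dst, seq, _body, mic = parse_frame(frame)
        if dst == self.mac:
            return "addressed-to-me"            # ordinary receive path, outside the claimed method
        key = self.key_cache.get(src)
        if key is None:
            key = self.server.request_key(self, src)
            if key is None:
                return "unknown-source"         # no infrastructure AP owns this BSSID
            self.key_cache[src] = key
        expected = hmac.new(key, frame[:-MIC_LEN], hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(expected, mic):
            return "spoofed"                    # rogue pretending to be src (wrong or stale key)
        if seq <= self.last_seq.get(src, -1):
            return "replayed"                   # genuine MIC but an old frame re-sent
        self.last_seq[src] = seq
        return "valid"


def demo() -> Dict[str, str]:
    """Constructed scenario: AP A is genuine, AP B overhears, a rogue imitates A."""
    server = KeyServer()
    ap_a, ap_b, client = (bytes.fromhex(h) for h in ("02aa000000a1", "02bb000000b1", "02cc000000c1"))
    key_a, rogue_key, new_key_a = b"\x11" * 32, b"\x99" * 32, b"\x22" * 32
    server.register(ap_a, key_a)
    validator = AccessPoint(ap_b, server)
    deauth = lambda key, src, seq: build_frame(key, 0xC0, src, client, seq, b"\x00\x07")
    results = {
        "genuine": validator.overhear(deauth(key_a, ap_a, 1)),
        "rogue": validator.overhear(deauth(rogue_key, ap_a, 2)),
        "replay": validator.overhear(deauth(key_a, ap_a, 1)),
    }
    server.register(ap_a, new_key_a)             # A rotates; server pushes the new key to B
    results["after-rotation"] = validator.overhear(deauth(new_key_a, ap_a, 3))
    results["stale-key"] = validator.overhear(deauth(key_a, ap_a, 4))
    results["unknown-bssid"] = validator.overhear(deauth(key_a, bytes.fromhex("02dd000000d1"), 1))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>15}: {verdict}")
```

Two caveats a deployer would want. The MIC only proves the frame was built by a holder of the purported sender's key, so a captured genuine frame replays cleanly; the sequence-number check above is an addition to what the page describes, and a real deployment needs some such freshness check. And the key fetch over the second interface must itself be authenticated (claims 17 and 22 put it inside a secure session), which the in-process call here does not model; a rogue that can answer key requests can make its own frames "valid".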
Specification