NETWORK INFRASTRUCTURE VALIDATION OF NETWORK MANAGEMENT FRAMES

US 20120210395A1
Filed: 04/25/2012
Published: 08/16/2012
Est. Priority Date: 10/16/2003
Status: Active Grant

First Claim

Patent Images

1. A method for validating network management frames, comprising:

receiving, by a validating device, a management frame that is not addressed to the validating device from a first device via a first interface, the management frame comprising a source address identifying a purported source device of the management frame and a destination address identifying at least one destination device on a first interface;

obtaining a key by the validating device for the purported source device of the management frame from the purported first device via a second interface in response to receiving the management frame not addressed to the validating device; and

validating, by the validating device, the management frame using the key obtained from the purported source device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.

23 Citations

View as Search Results

23 Claims

1. A method for validating network management frames, comprising:
- receiving, by a validating device, a management frame that is not addressed to the validating device from a first device via a first interface, the management frame comprising a source address identifying a purported source device of the management frame and a destination address identifying at least one destination device on a first interface;
  
  obtaining a key by the validating device for the purported source device of the management frame from the purported first device via a second interface in response to receiving the management frame not addressed to the validating device; and
  
  validating, by the validating device, the management frame using the key obtained from the purported source device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein obtaining a key further comprises:
    - authenticating with a security server on the network; and
      
      receiving the key from the security server.
  - 3. The method of claim 1, further comprising:
    - obtaining a new key for the purported source device after a rekey request; and
      
      validating subsequent management frames having the source address identifying the purported source device received via the first interface using the new key.
  - 4. The method of claim 1, the management frame further comprising a signature, and wherein the validating further comprising validating the signature.
  - 5. The method of claim 4, the signature further comprising a time stamp.
  - 6. The method of claim 4, the signature further comprising a sequence number.
  - 7. The method of claim 4, the signature further comprising a time stamp and a sequence number.
  - 8. The method of claim 7, wherein validating further comprises determining the management frame is invalid when the timestamp is older than a predetermined criteria.
  - 9. The method of claim 4, wherein the signature is contained within an information element appended to the management frame.
  - 10. The method of claim 1, wherein the management frame is one of a beacon, a probe request, a probe response, an association request, an association response, Deauthentication, Authentication and Disassociation.
  - 11. The method of claim 1, wherein the source is a neighboring access point.

12. An access point, comprising:
- a wireless transceiver;
  
  a controller coupled to the wireless transceiver for controlling the wireless transceiver; and
  
  a second transceiver coupled to a network;
  
  wherein the controller is responsive to the wireless transceiver receiving a management frame not addressed to the wireless transceiver from a first device, the management frame comprising a source address of a purported second access point and is addressed to a wireless client;
  
  wherein the controller is responsive to receiving the management frame to communicate with the purported second access point via the second transceiver to obtain a key for the purported second access point for validating management frames purported to have been sent by the second access point in response to receiving the management frame not addressed to the wireless transceiver from the first device; and
  
  wherein the controller is configured for determining whether the first device is a rogue device pretending to be the purported second access point by attempting to validate the management frame with the key.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The access point set forth in claim 12, wherein the controller is further configured to authenticate with a security server on the network;
    - andthe controller is configured to receive the key from the security server via the second transceiver.
  - 14. The access point set forth in claim 12, wherein the controller validates the management frame by validating an information element comprising a message integrity check within the management frame with the key for validating management frames.
  - 15. The access point set forth in claim 14, wherein the information element further comprises a timestamp;
    - andwherein the controller further validates the management frame by validating the timestamp.
  - 16. The access point set forth in claim 14, wherein the information element further comprises a sequence number;
    - andwherein the controller further validates the management frame by validating the sequence number.

17. A method of operation for an authentication server, comprising:
- establishing a first secure communication session with a first access point;
  
  establishing a second secure communication session with a second access point;
  
  receiving a request from the second access point for a key for validating management frames sent by the first access point via the second secure communication session;
  
  sending the key for validating management frames by the first access point to the second access point via the second secure communication session;
  
  determining the first access point has changed the key for validating management frames to an updated key; and
  
  automatically sending the updated key to the second access point via the second secure communication session responsive to determining the first access point has changed the key for validating management frames to an updated key.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method of claim 17, wherein the receiving a request further comprises receiving a plurality of requests are received from a plurality of access points for a key for validating management frames sent by the first access point via a plurality of secure communication sessions corresponding to the plurality of access points;
    - andwherein the automatically sending the updated key further comprises automatically sending the updated key to the plurality of access points via the plurality of secure communication sessions corresponding to the plurality of access points responsive to determining the first access point has changed the key for validating management frames to an updated key.
  - 19. The method of claim 18, further comprising storing an identifier that identifies the plurality of access points requesting the key for validating management frames sent by the first access point.
  - 20. The method of claim 17, wherein the second secure communication is established before sending the key for validating management frames by the first access point.
  - 21. The method of claim 17, further comprising assigning the key for validating management frames sent by the first access point.

22. An apparatus, comprising:
- an authentication server configured to communicate via a network to a plurality of access points;
  
  wherein the authentication server is configured to establish a first secure communication session with a first access point;
  
  wherein the authentication server is configured to establish a second secure communication session with a second access point;
  
  wherein the authentication server is configured to receive a request from the second access point for a key for validating management frames sent by the first access point via the second secure communication session;
  
  wherein the authentication server is responsive to receiving the request from the second access point to send the key for validating management frames for the first access point to the second access point via the second secure communication session;
  
  wherein the authentication server is configured to determine that the first access point has changed the key for validating management frames to an updated key; and
  
  wherein the authentication server is responsive to determining the first access point has changed the key for validating management frames to an updated key to automatically send the updated key to the second access point via the second secure communication session.
- View Dependent Claims (23)
- - 23. The apparatus set forth in claim 22, wherein the authentication server is configured to maintain a list of access points requesting the key to validate management frames sent by the first access point;
    - andwherein the authentication server is responsive to determining the first access point has changed the key for validating management frames to an updated key to automatically send the updated key to the plurality of access points.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ajit Sanzgiri, Mark Krishcer, Nancy Cam Winget, Pauline Shuen, Sheausong Yang, Timothy Olson
Original Assignee
Ajit Sanzgiri, Mark Krishcer, Nancy Cam Winget, Pauline Shuen, Sheausong Yang, Timothy Olson
Inventors
CAM WINGET, Nancy, KRISHCER, Mark, YANG, Sheausong, SANZGIRI, Ajit, OLSON, Timothy, SHUEN, Pauline

Granted Patent

US 8,533,832 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 41/00   Arrangements for maintenanc...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/1408   by monitoring network traff...

H04W 12/04   Key management, e.g. using ...

H04W 12/10   Integrity

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/61   Time-dependent

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/08   Access point devices

NETWORK INFRASTRUCTURE VALIDATION OF NETWORK MANAGEMENT FRAMES

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK INFRASTRUCTURE VALIDATION OF NETWORK MANAGEMENT FRAMES

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links