METHOD AND APPARATUS FOR LOCAL AREA NETWORKS
First Claim
1. A method for determining optimal transfer points between local area network (LAN) segments representing a bridged, cryptographic virtual local area network (VLAN), comprising the steps of:
reducing any bridged LAN to a spanning tree whose nodes are said bridges and whose edges are trunk links to induce a partial order on said bridges;
wherein a least bridge is the root of said spanning tree;
wherein the set of bridges together with a partial order define a complete, partially ordered set; and
wherein every nonempty subset of said bridges has a least upper bound;
wherein said least upper bound of all bridges requiring a received frame of a VLAN to belong to one of said LAN segments representing said VLAN is an optimal transfer point for converting received frames to frames for that LAN segment; and
deducing automatically, from an assignment of bridge access ports in said bridged VLAN to said LAN segments, the smallest set of LAN segments that must be associated with a given outbound trunk port in order to bridge said VLAN.
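The two steps of the claim, the join of the bridges that need a segment as the transfer point and the minimal segment set per trunk port, carried through on a small constructed topology. This is an added example, not the patent's own code or an implementation by its assignee; the bridge names, access-port assignments and segment names ("enc", "clear") are placeholders. One assumption to note: the example orients the partial order so that ancestors in the spanning tree are upper bounds, which makes the least upper bound of a set of bridges their nearest common ancestor; the claim's own naming (the root as the "least bridge") is not reproduced, so read that direction as the example's choice.

```python
# Added example (not from the patent): spanning tree of bridges as a partial
# order, the join of the bridges requiring a segment as the transfer point, and
# the smallest segment set per trunk port. Topology and assignments below are
# constructed placeholders.

ROOT = "B0"                                   # root of the spanning tree
PARENT = {"B1": "B0", "B2": "B0",             # child -> parent along trunk links
          "B3": "B1", "B4": "B1", "B5": "B2"}
ALL_BRIDGES = set(PARENT) | {ROOT}

# (bridge, access port) -> LAN segment of the VLAN that port is assigned to.
ACCESS_PORTS = {
    ("B3", 1): "enc", ("B4", 1): "enc", ("B4", 2): "clear",
    ("B2", 1): "clear", ("B5", 1): "clear",
}


def root_path(bridge):
    """Bridges from `bridge` up to the root, inclusive."""
    path = [bridge]
    while path[-1] != ROOT:
        path.append(PARENT[path[-1]])
    return path


def leq(lower, upper):
    """Partial order used here: lower <= upper iff upper lies on lower's root path
    (assumption of this example: ancestors are upper bounds, the root is the top)."""
    return upper in root_path(lower)


def join(bridges):
    """Least upper bound of a nonempty set of bridges: the bridge farthest from
    the root that every member is <= (their nearest common ancestor). The root
    is an upper bound of everything, so the walk always returns."""
    bridges = list(bridges)
    for candidate in root_path(bridges[0]):
        if all(leq(b, candidate) for b in bridges[1:]):
            return candidate


def bridges_requiring(segment):
    """Bridges with at least one access port assigned to `segment`."""
    return {b for (b, _port), seg in ACCESS_PORTS.items() if seg == segment}


def transfer_point(segment):
    """Where received VLAN frames should be converted to `segment` frames."""
    return join(bridges_requiring(segment))


def subtree(bridge):
    """All bridges at or below `bridge` in the spanning tree."""
    return {b for b in ALL_BRIDGES if leq(b, bridge)}


def trunk_segments(from_bridge, to_bridge):
    """Smallest set of segments the trunk port on `from_bridge` facing `to_bridge`
    must carry: a segment needs that trunk only if it has access ports on both
    sides of the link (otherwise no frame of it ever has to cross)."""
    if PARENT.get(to_bridge) == from_bridge:          # port faces a child subtree
        far_side = subtree(to_bridge)
    elif PARENT.get(from_bridge) == to_bridge:        # port faces the root side
        far_side = ALL_BRIDGES - subtree(from_bridge)
    else:
        raise ValueError("no trunk link between %s and %s" % (from_bridge, to_bridge))
    near_side = ALL_BRIDGES - far_side

    def segments_on(side):
        return {seg for (b, _p), seg in ACCESS_PORTS.items() if b in side}

    return segments_on(far_side) & segments_on(near_side)


if __name__ == "__main__":
    for seg in ("enc", "clear"):
        print(seg, "transfer point:", transfer_point(seg))
    for u, v in (("B0", "B1"), ("B1", "B3"), ("B1", "B4")):
        print(u, "->", v, "carries", sorted(trunk_segments(u, v)))
```

With these assignments the encrypted segment's members all sit under B1, so B1 is the transfer point for "enc", while "clear" has members on both sides of the root and resolves to B0; the trunk from B1 down to B3 carries only "enc", because nothing below B3 belongs to the clear segment.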
Abstract
A mechanism for segregating traffic amongst STAs that are associated with a bridge, referred to herein as the personal virtual bridged local area network (personal VLAN), is based upon the use of a VLAN to segregate traffic. The IEEE 802.1Q-1998 (virtual bridged LANs) protocol provides a mechanism that is extended by the invention to partition a LAN segment logically into multiple VLANs. In the preferred embodiment, a VLAN bridge forwards unicast and group frames only to those ports that serve the VLAN to which the frames belong. One embodiment of the invention extends the standard VLAN bridge model to provide a mechanism that is suitable for use within an AP. In a preferred embodiment, the Personal VLAN bridge extends the standard VLAN bridge in at least any of the following ways: VLAN discovery in which a personal VLAN bridge provides a protocol for VLAN discovery; VLAN extension in which a Personal VLAN allows a station to create a new port that serves a new VLAN, or to join an existing VLAN via an authentication protocol; Logical ports in which a Personal VLAN bridge can maintain more than one logical port per physical port, and bridges between ports of any kind; and cryptographic VLAN separation.
16 Claims
1. Independent claim; text as given under First Claim above. Dependent claims: 2, 3, 4.
5. A protocol for access link displacement in a bridged, cryptographic virtual local area network (VLAN), comprising bridges having inbound and outbound ports, which bridges decrypt encrypted segments, said protocol comprising the steps of:
recognizing an access port of a bridge of said bridged VLAN with which a displaced access link can be associated, wherein said access port may be virtual and created automatically;
automatically assigning said access port to a LAN segment type based on a segment type of said displaced access link; and
executing a transfer port protocol (TPP) for said bridged VLAN with said access port belonging to said assigned LAN segment type.
Dependent claims: 6.
7. An access point for segregating traffic among a plurality of end stations, comprising:
a plurality of virtual Basic Service Sets (BSS), wherein each BSS has a unique security association with a set of end stations, wherein each BSS sends frames between the set of end stations;
a frame having a cryptographic authentication code;
the frame having a source media access control (MAC) address to determine a preliminary virtual local area network (VLAN) classification when the frame carries a null virtual LAN ID;
the frame having a virtual LAN ID (VID) as the preliminary VLAN classification when the frame carries the VID;
a table of security associations providing a cryptographic authentication code key based on the preliminary VLAN classification, wherein the cryptographic authentication code key is used to recompute a new cryptographic authentication code over a payload of the frame;
the new cryptographic authentication code compared with the cryptographic authentication code;
the preliminary VLAN classification implemented as a final VLAN classification when the new cryptographic authentication code and the cryptographic authentication code match, wherein the frame is decrypted; and
the preliminary VLAN classification not implemented as the final VLAN classification when the new cryptographic authentication code and the cryptographic authentication code do not match, wherein the frame is discarded.
Dependent claims: 8, 9, 10, 11, 12.
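The classification flow of claim 7, preliminary classification by VID or by source MAC, key lookup in the security-association table, recomputation of the authentication code over the payload, and accept-or-discard on comparison, as an added example that is not the patent's or any product's code. The security-association table, the MAC-to-VID map, the keys and the frame layout are constructed placeholders; HMAC-SHA256 stands in for whatever authentication code the patent's embodiment uses, which is an assumption of this example.

```python
# Added example (not from the patent): receiver-side VLAN classification of a
# frame using a per-VLAN authentication-code key. Table contents, keys and the
# frame structure are constructed placeholders.
import hmac
import hashlib

# Security associations: one authentication-code key per VLAN (VID).
# A station holding one VLAN's key cannot produce a frame that verifies under
# another VLAN's key, which is what keeps the traffic segregated.
SECURITY_ASSOCIATIONS = {
    10: b"vid10-placeholder-key",
    20: b"vid20-placeholder-key",
}

# Source MAC -> VID, consulted only when a frame carries a null VLAN ID.
MAC_TO_VID = {
    "aa:bb:cc:00:00:01": 10,
    "aa:bb:cc:00:00:02": 20,
}


def auth_code(key, payload):
    """Cryptographic authentication code over the payload (HMAC-SHA256 here)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def build_frame(src_mac, vid, payload, key):
    """Sender side (constructed): attach the authentication code computed under
    `key`. vid=None models a frame carrying a null VLAN ID."""
    return {"src": src_mac, "vid": vid, "payload": payload,
            "code": auth_code(key, payload)}


def classify(frame):
    """Return the final VLAN classification, or None when the frame is discarded."""
    # Preliminary classification: the carried VID, else the source MAC lookup.
    if frame["vid"] is None:
        prelim = MAC_TO_VID.get(frame["src"])
    else:
        prelim = frame["vid"]

    key = SECURITY_ASSOCIATIONS.get(prelim)
    if key is None:
        return None  # no security association for this classification: discard

    # Recompute the code under the key of the claimed VLAN and compare in
    # constant time; a mismatch means the frame was not produced under that key.
    expected = auth_code(key, frame["payload"])
    if not hmac.compare_digest(expected, frame["code"]):
        return None  # discard; the preliminary classification is not confirmed

    return prelim  # final classification; decryption would follow here


if __name__ == "__main__":
    k10 = SECURITY_ASSOCIATIONS[10]
    print(classify(build_frame("aa:bb:cc:00:00:01", None, b"data", k10)))  # 10
    print(classify(build_frame("aa:bb:cc:00:00:01", 20, b"data", k10)))    # None
```

The second call in the usage shows the case the claim is built around: a frame tagged for VID 20 but authenticated with VID 10's key fails the recomputation and is discarded rather than reclassified.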
13. A method for joining an encrypted segment of a cryptographic VLAN, comprising the steps of:
adding a new station to a group;
distributing encryption key material to the new station; and
enabling all other stations in said group to eliminate said new station later by at least a subset of the other stations rekeying without every station so doing.
Dependent claims: 14, 15, 16.