METHOD AND APPARATUS FOR LOCAL AREA NETWORKS

US 20130024692A1
Filed: 08/20/2012
Published: 01/24/2013
Est. Priority Date: 12/20/2001
Status: Active Grant

First Claim

Patent Images

1. A method for determining optimal transfer points between local area network (LAN) segments representing a bridged, cryptographic virtual local area network (VLAN), comprising the steps of:

reducing any bridged LAN to a spanning tree whose nodes are said bridges and whose edges are trunk links to induce a partial order on said bridges;

wherein a least bridge is the root of said spanning tree;

wherein the set of bridges together with a partial order define a complete, partially ordered set; and

wherein every nonempty subset of said bridges has a least upper bound;

wherein said least upper bound of all bridges requiring a received frame of a VLAN to belong to one of said LAN segments representing said VLAN is an optimal transfer point for converting received frames to frames for that LAN segment; and

deducing automatically, from an assignment of bridge access ports in said bridged VLAN to said LAN segments, the smallest set of LAN segments that must be associated with a given outbound trunk port in order to bridge said VLAN.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for segregating traffic amongst STAs that are associated with a bridge, referred to herein as the personal virtual bridged local area network (personal VLAN), is based upon the use of a VLAN to segregate traffic. The IEEE 802.1Q-1998 (virtual bridged LANs) protocol provides a mechanism that is extended by the invention to partition a LAN segment logically into multiple VLANs. In the preferred embodiment, a VLAN bridge forwards unicast and group frames only to those ports that serve the VLAN to which the frames belong. One embodiment of the invention extends the standard VLAN bridge model to provide a mechanism that is suitable for use within an AP. In a preferred embodiment, the Personal VLAN bridge extends the standard VLAN bridge in at least any of the following ways: VLAN discovery in which a personal VLAN bridge provides a protocol for VLAN discovery; VLAN extension in which a Personal VLAN allows a station to create a new port that serves a new VLAN, or to join an existing VLAN via an authentication protocol; Logical ports in which a Personal VLAN bridge can maintain more than one logical port per physical port, and bridges between ports of any kind; and cryptographic VLAN separation.

Citations

16 Claims

1. A method for determining optimal transfer points between local area network (LAN) segments representing a bridged, cryptographic virtual local area network (VLAN), comprising the steps of:
- reducing any bridged LAN to a spanning tree whose nodes are said bridges and whose edges are trunk links to induce a partial order on said bridges;
  
  wherein a least bridge is the root of said spanning tree;
  
  wherein the set of bridges together with a partial order define a complete, partially ordered set; and
  
  wherein every nonempty subset of said bridges has a least upper bound;
  
  wherein said least upper bound of all bridges requiring a received frame of a VLAN to belong to one of said LAN segments representing said VLAN is an optimal transfer point for converting received frames to frames for that LAN segment; and
  
  deducing automatically, from an assignment of bridge access ports in said bridged VLAN to said LAN segments, the smallest set of LAN segments that must be associated with a given outbound trunk port in order to bridge said VLAN.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising determining a transfer point for encapsulation and decapsulation for the bridged, cryptographic VLAN that minimizes cryptographic operations.
  - 3. The method of claim 2, wherein determining the transfer point comprises implementing a transfer port protocol (TPP) in the bridged, cryptographic VLAN to infer a location of the transfer point between segments.
  - 4. The method of claim 3, wherein implementing the TPP comprises:
    - a bridge sending a TPP announce frame to a TPP group address through each of its trunk ports for every VLAN known to it;
      
      when a bridge receives an announce frame on an inbound trunk port, said bridge appending to received routing path an entry for itself regarding the received VLAN ID, and forwarding said frame to each of its enabled, outbound trunk ports except the receiving inbound trunk port;
      
      wherein if said bridge has no other such trunk ports, then said bridge sending a final routing path and said received VLAN ID in a TPP reply frame to the MAC address that precedes said bridge in said routing path;
      
      an originating bridge of an announce frame creating a path consisting only of an entry for itself; and
      
      when a bridge receives a TPP reply frame, said bridge forwarding said reply frame to the bridge MAC address that precedes said bridge in said routing path; and
      
      if there is none, discarding said frame.

5. A protocol for access link displacement in a bridged, cryptographic virtual local area network (VLAN), comprising bridges having inbound and outbound ports, which bridges decrypt encrypted segments, said protocol comprising the steps of:
- recognizing an access port of a bridge of said bridged VLAN with which a displaced access link can be associated, wherein said access port may be virtual and created automatically;
  
  automatically assigning said access port to a LAN segment type based on a segment type of said displaced access link; and
  
  executing a transfer port protocol (TPP) for said bridged VLAN with said access port belonging to said assigned LAN segment type.
- View Dependent Claims (6)
- - 6. The protocol of claim 5, wherein said transfer point protocol (TPP) further comprising:
    - two frames types, one of said frame types comprising an announce frame, and a second of said frame types comprising a reply frame;
      
      wherein each of said frames contains a VLAN ID and a source bridge routing path, where each entry in said path is a unique pair containing a bridge MAC address and three bits, one bit for each LAN segment type, wherein said tagged bit is high if and only if a bridge addressed in said pair has an access port in a tagged set of said VLAN named in said frame, and wherein said untagged and encapsulated bits are set likewise.

7. An access point for segregating traffic among a plurality of end stations, comprising:
- a plurality of virtual Basic Service Sets (BSS), wherein each BSS has a unique security association with a set of end stations, wherein each BSS sends frames between the set of end stations;
  
  a frame having a cryptographic authentication code;
  
  the frame having a source media access control (MAC) address to determine a preliminary virtual local area network (VLAN) classification when the frame carries a null virtual LAN ID;
  
  the frame having a virtual LAN ID (VID) as the preliminary VLAN classification when the frame carries the VID;
  
  a table of security associations providing a cryptographic authentication code key based on the preliminary VLAN classification, wherein the cryptographic authentication code key is used to recompute a new cryptographic authentication code over a payload of the frame;
  
  the new cryptographic authentication code compared with the cryptographic authentication code;
  
  the preliminary VLAN classification implemented as a final VLAN classification when the new cryptographic authentication code and the cryptographic authentication code match, wherein the frame is decrypted; and
  
  the preliminary VLAN classification not implemented as the final VLAN classification when the new cryptographic authentication code and the cryptographic authentication code do not match, wherein the frame is discarded.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The access point of claim 7, further comprising a processor configured to compare the new cryptographic authentication code with the cryptographic authentication code.
  - 9. The access point of claim 7, wherein the access point is configurable to perform an authentication operation that generates the authentication code key.
  - 10. The access point of claim 7, wherein the new cryptographic authentication code is recomputed over the payload using a cryptographic message digest algorithm determined during an initial authentication operation.
  - 11. The access point of claim 7, wherein the final VLAN classification is used as a value of a VLAN classification parameter of any corresponding data request primitives.
  - 12. The access point of claim 7, wherein the cryptographic authentication code or the new cryptographic authentication code uniquely identifies the VLAN.

13. A method for joining an encrypted segment of a cryptographic VLAN, comprising the steps of:
- adding a new station to a group;
  
  distributing encryption key material to the new station; and
  
  enabling all other stations in said group to eliminate said new station later by at least a subset of the other stations rekeying without every station so doing.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, said step of adding the new station to the group further comprising the step of:
    - a user'"'"'s station joining a cryptographic VLAN v through a mutual authentication protocol executed between said user, via said user'"'"'s station, and an authenticator residing on a v-aware bridge;
      
      wherein if mutual authentication succeeds, a secure ephemeral channel is created between said v-aware bridge and said new station to transfer an encryption key K ν
      
      , an authentication code key K¢
      
      ν
      
      , and m, random values R1, R2, . . . , Rm securely from said v-aware bridge to said new station, in which case said enabling step executes;
      
      otherwise, said protocol terminates immediately.
  - 15. The method of claim 14, said step of enabling all other stations in said group to eliminate said new station later further comprising the steps of:
    - said v-aware bridge choosing a new random value Rm+1 for said new station, and distributing said new random value Rm+1 to all v-aware bridges, and stations comprising v, in a broadcast frame that is encrypted under a distribution key K¢
      
      ¢
      
      ν and
      
      that carries an authentication code computed over ciphertext using K¢
      
      ν
      
      ; and
      
      said bridge then creating a new distribution key for v and distributing said new distribution key to all v-aware bridges and to members of v, including said new station, in a broadcast frame that is encrypted under K v and that carries an authentication code computed over said ciphertext using K¢
      
      v.
  - 16. The method of claim 15, wherein said new station can verify authenticity of a broadcast containing its own random value Rm+1, but is unable to decrypt said broadcast because it does not hold key K¢
    - ¢
      
      ν
      
      .

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
VOLPANO, DENNIS MICHAEL

Granted Patent

US 8,966,611 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/169
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/467   Arrangements for supporting...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

Y10S 370/911   Bridge, e.g. brouter, bus e...

METHOD AND APPARATUS FOR LOCAL AREA NETWORKS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR LOCAL AREA NETWORKS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links