NETWORK INFRASTRUCTURE VALIDATION OF NETWORK MANAGEMENT FRAMES

US 20130333012A1
Filed: 08/12/2013
Published: 12/12/2013
Est. Priority Date: 10/16/2003
Status: Active Grant

First Claim

Patent Images

1. A method of operation for an authentication server, comprising:

establishing a first secure communication session with a first access point;

establishing a second secure communication session with a second access point;

receiving a request from the second access point for a key for validating management frames sent by the first access point via the second secure communication session;

sending the key for validating management frames by the first access point to the second access point via the second secure communication session;

determining the first access point has changed the key for validating management frames to an updated key; and

automatically sending the updated key to the second access point via the second secure communication session responsive to determining the first access point has changed the key for validating management frames to an updated key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.

32 Citations

View as Search Results

18 Claims

1. A method of operation for an authentication server, comprising:
- establishing a first secure communication session with a first access point;
  
  establishing a second secure communication session with a second access point;
  
  receiving a request from the second access point for a key for validating management frames sent by the first access point via the second secure communication session;
  
  sending the key for validating management frames by the first access point to the second access point via the second secure communication session;
  
  determining the first access point has changed the key for validating management frames to an updated key; and
  
  automatically sending the updated key to the second access point via the second secure communication session responsive to determining the first access point has changed the key for validating management frames to an updated key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the receiving a request further comprises receiving a plurality of requests from a plurality of access points for a key for validating management frames sent by the first access point via a plurality of secure communication sessions corresponding to the plurality of access points;
    - andwherein the automatically sending the updated key further comprises automatically sending the updated key to the plurality of access points via the plurality of secure communication sessions corresponding to the plurality of access points responsive to determining the first access point has changed the key for validating management frames to an updated key.
  - 3. The method of claim 2, further comprising storing an identifier that identifies the plurality of access points requesting the key for validating management frames sent by the first access point.
  - 4. The method of claim 1, wherein the second secure communication is established before sending the key for validating management frames by the first access point.
  - 5. The method of claim 1, further comprising assigning the key for validating management frames sent by the first access point.
  - 6. The method of claim 1, wherein at least one of receiving a request from the second access point, sending the key to the second access point, and sending the updated key to the second access point is via a secure protocol.

7. An apparatus, comprising:
- an authentication server configured to communicate via a network to a plurality of access points;
  
  wherein the authentication server is configured to establish a first secure communication session with a first access point;
  
  wherein the authentication server is configured to establish a second secure communication session with a second access point;
  
  wherein the authentication server is configured to receive a request from the second access point for a key for validating management frames sent by the first access point via the second secure communication session;
  
  wherein the authentication server is responsive to receiving the request from the second access point to send the key for validating management frames for the first access point to the second access point via the second secure communication session;
  
  wherein the authentication server is configured to determine that the first access point has changed the key for validating management frames to an updated key; and
  
  wherein the authentication server is responsive to determining the first access point has changed the key for validating management frames to an updated key to automatically send the updated key to the second access point via the second secure communication session.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The apparatus set forth in claim 7, wherein the authentication server is configured to receive a plurality of requests from the plurality of access points for a key for validating management frames sent by the first access point via the plurality of secure communication sessions corresponding to each of the plurality of access points;
    - andwherein the authentication server is configured to automatically send the updated key to the plurality of access points via the plurality of secure communication sessions corresponding to the plurality of access points responsive to determining the first access point has changed the key for validating management frames to an updated key.
  - 9. The apparatus set forth in claim 8, wherein the authentication server is configured to store an identifier that identifies the plurality of access points requesting the key for validating management frames sent by the first access point.
  - 10. The apparatus set forth in claim 7, wherein the authentication server is configured to establish the second secure communication session before sending the key for validating management frames by the first access point.
  - 11. The apparatus as set forth in claim 7, wherein the authentication server is configured to assign the key for validating management frames sent by the first access point.

12. The apparatus as set forth in 7, wherein the authentication server is configured to receive a request from the second access point via a secure protocol, send the key to the second access point via a secure protocol, and send the updated key to the second access point are via a secure protocol.

13. Logic encoded in a non-transitory computer readable medium for execution by a processor, and when executed is operable to:
- establishing a first secure communication session with a first access point;
  
  establishing a second secure communication session with a second access point;
  
  receiving a request from the second access point for a key for validating management frames sent by the first access point via the second secure communication session;
  
  sending the key for validating management frames by the first access point to the second access point via the second secure communication session;
  
  determining the first access point has changed the key for validating management frames to an updated key; and
  
  automatically sending the updated key to the second access point via the second secure communication session responsive to determining the first access point has changed the key for validating management frames to an updated key.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The logic set forth in claim 13, further operable to receive a plurality of requests from a plurality of access points for a key for validating management frames sent by the first access point via a plurality of secure communication sessions corresponding to the plurality of access points;
    - andfurther operable to automatically send the updated key to the plurality of access points via the plurality of secure communication sessions corresponding to the plurality of access points responsive to determining the first access point has changed the key for validating management frames to an updated key.
  - 15. The logic set forth in claim 14, further operable to store an identifier that identifies the plurality of access points requesting the key for validating management frames sent by the first access point.
  - 16. The logic set forth in claim 13, further operable to establish the second secure communication before sending the key for validating management frames by the first access point.
  - 17. The logic set forth in claim 13, further operable to assign the key for validating management frames sent by the first access point.
  - 18. The logic set forth in claim 13, further operable to perform at least one of receiving a request from the second access point via a secure protocol, sending the key to the second access point via a secure protocol, and sending the updated key to the second access point via a secure protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
YANG, Sheausong, SANZGIRI, Ajit, OLSON, Timothy, SHUEN, Pauline, KRISCHER, Mark, CAM-WINGET, Nancy

Granted Patent

US 9,264,895 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

H04L 41/00   Arrangements for maintenanc...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/1408   by monitoring network traff...

H04W 12/04   Key management, e.g. using ...

H04W 12/10   Integrity

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/61   Time-dependent

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/08   Access point devices

NETWORK INFRASTRUCTURE VALIDATION OF NETWORK MANAGEMENT FRAMES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK INFRASTRUCTURE VALIDATION OF NETWORK MANAGEMENT FRAMES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links