REDUCED AUTHENTICATION TIMES IN CONSTRAINED COMPUTER NETWORKS

US 20140095864A1
Filed: 09/28/2012
Published: 04/03/2014
Est. Priority Date: 09/28/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

monitoring an authentication time for one or more nodes in a low power and lossy network (LLN);

dynamically correlating the authentication time with a location of the one or more nodes in the LLN to identify one or more authentication-delayed nodes;

selecting, based on the location of the one or more authentication-delayed nodes, one or more key-delegation nodes to receive one or more network keys for localized authentication of one or more of the authentication-delayed nodes; and

distributing the one or more network keys to the one or more key-delegation nodes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a capable node in a low power and lossy network (LLN) may monitor the authentication time for one or more nodes in the LLN. The capable node may dynamically correlate the authentication time with the location of the one or more nodes in the LLN in order to identify one or more authentication-delayed nodes. The node may then select, based on the location of the one or more authentication-delayed nodes, one or more key-delegation nodes to receive one or more network keys so that the key-delegation nodes may perform localized authentication of one or more of the authentication-delayed nodes. The capable node may then distribute the one or more network keys to the one or more key-delegation nodes.

43 Citations

View as Search Results

25 Claims

1. A method, comprising:
- monitoring an authentication time for one or more nodes in a low power and lossy network (LLN);
  
  dynamically correlating the authentication time with a location of the one or more nodes in the LLN to identify one or more authentication-delayed nodes;
  
  selecting, based on the location of the one or more authentication-delayed nodes, one or more key-delegation nodes to receive one or more network keys for localized authentication of one or more of the authentication-delayed nodes; and
  
  distributing the one or more network keys to the one or more key-delegation nodes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as in claim 1, further comprising:
    - receiving an authentication request from one or more authentication-delayed nodes via the one or more key-delegation nodes;
      
      forwarding, over a backhaul connection, the authentication request to an authentication server for authentication;
      
      receiving, over the backhaul connection, an authentication result from the authentication server; and
      
      forwarding the authentication result to the one or more key-delegation nodes.
  - 3. The method as in claim 2, further comprising:
    - determining that the backhaul connection is disrupted; and
      
      in response,dynamically buffering, for a period of time, the authentication request from the one or more authentication-delayed nodes; and
      
      forwarding the authentication request when the backhaul connection is restored.
  - 4. The method as in claim 3, wherein the period of time is proportional to the location of the one or more authentication-delayed nodes in the LLN.
  - 5. The method as in claim 3, further comprising:
    - communicating to the one or more authentication-delayed nodes that the authentication request has been dynamically buffered to prevent the one or more authentication-delayed nodes from re-transmitting a new authentication request.
  - 6. The method as in claim 1, further comprising:
    - limiting a number of authentication-delayed nodes to which a particular key-delegation node is allowed to distribute the network key.
  - 7. The method as in claim 1, wherein the location is measured as a number of hops the authentication request must travel between the authentication-delayed node and a backhaul connection to the LLN.
  - 8. The method as in claim 1, further comprising:
    - communicating a migration message to the one or more authentication-delayed nodes, the migration message instructing the one or more authentication-delayed nodes to seek and join an alternate network if available.
  - 9. The method as in claim 8, wherein communicating the migration message to the one or more authentication-delayed nodes is in response to a backhaul parameter, the backhaul parameter selected from a group consisting of:
    - backhaul connection duration per unit of time, average duration of backhaul connection, number of failed authentication requests, and number of pending authentication requests.

10. A method, comprising:
- receiving, from a border router, one or more network keys at a dynamically selected key-delegation node in a computer network;
  
  receiving, from one or more authentication requesting nodes in the computer network, an authentication request;
  
  distributing, to the one or more authentication requesting nodes, the one or more network keys in response to the authentication request;
  
  forwarding the authentication request from the one or more authentication requesting nodes to an authentication server via the border router; and
  
  receiving, from the authentication server via the border router, an authentication reply, wherein the authentication reply is either confirmation or rejection of authentication.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method as in claim 10, further comprising:
    - advertising, to the border router, capability of the key-delegation node to act as a key-delegation node.
  - 12. The method as in claim 10, wherein the key-delegation node is limited to distribute the network key to a number of authentication requesting nodes in the computer network.
  - 13. The method as in claim 10, further comprising, in response to a rejection of authentication of a particular authentication requesting node:
    - assigning a restricted status to the particular authentication requesting node; and
      
      multicasting the restricted status of the particular authentication requesting node into the computer network to prevent authenticated nodes from communicating with the particular authentication requesting node.
  - 14. The method as in claim 13, wherein preventing authenticated nodes from communicating with the particular authentication requesting node comprises preventing authenticated nodes from choosing the particular authentication requesting node as a parent in a directed acyclic graph (DAG).
  - 15. The method as in claim 13, wherein the restricted status lapses after a pre-determined period of time to allow for a re-authentication request from the particular authentication request node.
  - 16. The method as in claim 15, wherein the pre-determined period of time increases based on a number of re-authentication attempts by the particular authentication requesting node.

17. An apparatus, comprising:
- one or more network interfaces to communicate with a low power and lossy network (LLN);
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  monitor an authentication time for one or more nodes in a low power and lossy network (LLN);
  
  dynamically correlate the authentication time with a location of the one or more nodes in the LLN to identify one or more authentication-delayed nodes;
  
  select, based on the location of the one or more authentication-delayed nodes, one or more key-delegation nodes to receive one or more network keys for localized authentication of one or more of the authentication-delayed nodes; and
  
  distribute the one or more network keys to the one or more key-delegation nodes.
- View Dependent Claims (18, 19, 20)
- - 18. The apparatus as in claim 17, wherein the process when executed is further operable to:
    - receive an authentication request from one or more authentication-delayed nodes via the one or more key-delegation nodes;
      
      forward, over a backhaul connection, the authentication request to an authentication server for authentication;
      
      receive, over the backhaul connection, an authentication result from the authentication server; and
      
      forward the authentication result to the one or more key-delegation nodes.
  - 19. The apparatus as in claim 18, wherein the process when executed is further operable to:
    - determine that the backhaul connection is disrupted; and
      
      in response,dynamically buffer, for a period of time, the authentication request from the one or more authentication-delayed nodes; and
      
      forward the authentication request when the backhaul connection is restored.
  - 20. The apparatus as in claim 19, wherein the process when executed is further operable to:
    - communicate to the one or more authentication-delayed nodes that the authentication request has been dynamically buffered to prevent the one or more authentication-delayed nodes from re-transmitting a new authentication request.

21. An apparatus, comprising:
- one or more network interfaces to communicate with a computer network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  receive, from a border router, one or more network keys as a dynamically selected key-delegation node;
  
  receive, from one or more authentication requesting nodes in the computer network, an authentication request;
  
  distribute, to the one or more authentication requesting nodes, the one or more network keys in response to the authentication request;
  
  forward the authentication request from the one or more authentication requesting nodes to an authentication server via the border router; and
  
  receive, from the authentication server via the border router, an authentication reply, wherein the authentication reply is either confirmation or rejection of authentication.
- View Dependent Claims (22, 23, 24)
- - 22. The apparatus as in claim 21, wherein the key-delegation node is limited to distribute the network key to a number of authentication requesting nodes in the computer network.
  - 23. The apparatus as in claim 21, wherein the process when executed, in response to a rejection of authentication of a particular authentication requesting node, is further operable to:
    - assign a restricted status to the particular authentication requesting node; and
      
      multicast the restricted status of the particular authentication requesting node into the computer network to prevent authenticated nodes from communicating with the particular authentication requesting node.
  - 24. The apparatus as in claim 23, wherein preventing authenticated nodes from communicating with the particular authentication requesting node comprises preventing authenticated nodes from choosing the particular authentication requesting node as a parent in a directed acyclic graph (DAG).

25. A method, comprising:
- logging authentication requests received from an authentication requesting node at an authenticated node in a computer network;
  
  determining a priority level for the authentication requests based on a number of authentication requests received from the authentication requesting node, wherein a higher priority is given to the authentication requests in response to the number being greater than a threshold, and a standard priority is given to the authentication requests in response to the number being below the threshold; and
  
  forwarding the authentication requests toward an authentication server according to the determined priority level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Dasgupta, Sukrit, Vasseur, Jean-Philippe

Granted Patent

US 8,984,277 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

H04L 45/64   using an overlay routing layer

H04L 47/2475   for supporting traffic char...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 67/12   specially adapted for propr...

REDUCED AUTHENTICATION TIMES IN CONSTRAINED COMPUTER NETWORKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

REDUCED AUTHENTICATION TIMES IN CONSTRAINED COMPUTER NETWORKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links