NETWORK CONNECTION AUTOMATION

US 20150082039A1
Filed: 09/17/2013
Published: 03/19/2015
Est. Priority Date: 11/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for authenticating a connection, comprising:

under the control of one or more computer systems configured with executable instructions,receiving, at a computing resource service provider network device and from a customer device connected with the computing resource service provider over a secure connection, cryptographic authentication information generated based at least in part on a secret key of the customer;

forwarding, from the computing resource service provider network device, the cryptographic authentication information to an authentication service that is operable to authenticate the cryptographic authentication information; and

as a result of the authentication service successfully authenticating the cryptographic authentication information, configuring the computing resource service provider network device to route network traffic from the customer device to one or more services of the computing resource service provider different from the authentication service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing resource service provider receives a request from a customer to establish a physical connection between a provider network device and a customer network device in a colocation center. Once the connection has been established, the customer may transmit cryptographic authentication information, through the physical connection, to the provider network device. The provider network device transmits this information to an authentication service operated by the computing resource service provider to verify the authenticity of the information. If the information is authentic, the authentication service may re-configure the provider network device to allow the customer to access one or more services provided by the computing resource service provider. The authentication service may transmit cryptographic authentication information to the customer to verify the identity of the computing resource service provider.

74 Citations

View as Search Results

25 Claims

1. A computer-implemented method for authenticating a connection, comprising:
- under the control of one or more computer systems configured with executable instructions,receiving, at a computing resource service provider network device and from a customer device connected with the computing resource service provider over a secure connection, cryptographic authentication information generated based at least in part on a secret key of the customer;
  
  forwarding, from the computing resource service provider network device, the cryptographic authentication information to an authentication service that is operable to authenticate the cryptographic authentication information; and
  
  as a result of the authentication service successfully authenticating the cryptographic authentication information, configuring the computing resource service provider network device to route network traffic from the customer device to one or more services of the computing resource service provider different from the authentication service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein the secret key is a private key from a public-private cryptographic key pair.
  - 3. The computer-implemented method of claim 1, further comprising provisioning a network interface for the customer on the computing resource service provider network device as a result of the authentication service successfully authenticating the cryptographic authentication information.
  - 4. The computer-implemented method of claim 1, wherein the secure connection is established based at least in part on a physical connection in a colocation center, the physical connection comprising one or more cables connected from a set of customer ports to a set of computing resource service provider ports.
  - 5. The computer-implemented method of claim 1, further comprising:
    - receiving additional cryptographic authentication information from the customer device one or more times over an amount of time; and
      
      continued routing of the network traffic from the customer device to the one or more services is contingent on successfully authenticating the additional cryptographic authentication information.
  - 6. The computer-implemented method of claim 1, wherein the secure connection comprises a secure tunnel over a public communications network.
  - 7. The computer-implemented method of claim 1, wherein the method is performed in accordance with an authentication protocol used by the customer device and the computing resource service provider network device.
  - 8. The computer-implemented method of claim 1, further comprising receiving, through a communications channel that lacks the computing resource service provider network device, the secret key of the customer.

9. A network device, comprising:
- one or more communications ports configured to receive one or more signals from outside of the network device, including a communications port that is connected to a provider network that includes one or more services including an authentication service;
  
  one or more processors that are operatively coupled with the one or more communications ports;
  
  memory including instructions executable by the one or more processors that when executed by the one or more processors cause the one or more processors to;
  
  forward cryptographic authentication information received over a connection from a customer device connected to one or more communications ports to an authentication service that is operable to authenticate the cryptographic authentication information;
  
  receive reconfiguration information, from the authentication service as a result of the authentication service having successfully authenticated the cryptographic information, to enable the network device to forward data from the customer device to one or more services of the computing resource service provider; and
  
  reconfigure to forward data from the customer device to the one or more services of the computing resource service provider in accordance with the reconfiguration information.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The network device of claim 9, wherein the cryptographic authentication information received from the customer device is generated based at least in part on a secret key of a customer.
  - 11. The network device of claim 10, wherein the secret key is a private key from a public-private cryptographic key pair.
  - 12. The network device of claim 9, wherein the connection is a secure tunnel over a public communications network.
  - 13. The network device of claim 9, wherein the instructions further cause the one or more processors to transmit the cryptographic authentication information, verifiable by the customer device, from the authentication service to the customer device.
  - 14. The network device of claim 9, wherein the instructions further cause the one or more processors to forward additional cryptographic authentication information received from the customer device to the authentication service one or more times over time.
  - 15. The network device of claim 9, wherein the signals are received through one or more fiber-optic cables connected from the customer device to the one or more communications ports.
  - 16. The network device of claim 9, wherein the instructions further cause the one or more processors to provision a network interface for processing data from the customer device, based at least in part on the reconfiguration information.

17. One or more non-transitory computer-readable storage media having collectively stored therein instructions that, when executed by one or more processors of an authentication service, cause the authentication service to:
- make a determination whether cryptographic authentication information generated based at least in part on a secret key of a customer and received from the customer through a secure connection with a computing resource service provider network device is authentic;
  
  take one or more actions based at least in part on the determination, wherein;
  
  if the determination indicates that the cryptographic authentication information is authentic, the one or more actions include transmitting reconfiguration information to the computing resource service provider network device, thereby causing the computing resource service provider network device to route network traffic from a customer device to one or more other services of the computing resource service provider; and
  
  if the determination indicates that the cryptographic authentication information is inauthentic, the one or more actions include causing the computing resource service provider network device to deny network traffic from the customer device to the one or more other services of the computing resource service provider.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The one or more non-transitory computer-readable storage media of claim 17, wherein causing the computing resource service provider to deny the network traffic includes transmitting reconfiguration information for denying network traffic from the customer device to the one or more other services of the computing resource service provider to the computing resource service provider network device.
  - 19. The one or more non-transitory computer-readable storage media of claim 17, wherein the secret key is a private key from a public-private cryptographic key pair.
  - 20. The one or more non-transitory computer-readable storage media of claim 17, wherein the one or more actions further include provisioning a network interface for the customer on the computing resource service provider network device as a result of the determination indicating that the cryptographic authentication information is authentic.
  - 21. The one or more non-transitory computer-readable storage media of claim 17, wherein the secure connection is established based at least in part on a physical connection in a colocation center, the physical connection comprising one or more cables connected from a set of customer ports to a set of computing resource service provider ports.
  - 22. The one or more non-transitory computer-readable storage media of claim 17, wherein the secure connection comprises a secure tunnel over a public communications network.
  - 23. The one or more non-transitory computer-readable storage media of claim 17, wherein the cryptographic authentication information is transmitted through the secure connection in accordance with an authentication protocol used by the customer and the computing resource service provider network device.
  - 24. The one or more non-transitory computer-readable storage media of claim 17, wherein the instructions further cause the authentication service to generate second cryptographic information verifiable by the customer and transmit the cryptographic authentication information through the computing resource service provider network device to the customer.
  - 25. The one or more non-transitory computer-readable storage media of claim 17, wherein the instructions further cause the authentication service to make additional determinations based at least in part on additional cryptographic authentication information received from the customer one or more times over time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Stalzer, Mark Edward, Arllen, Christian Arthur

Granted Patent

US 9,692,732 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 12/1435   volume-based

H04L 41/046   comprising network manageme...

H04L 41/0896   Bandwidth or capacity manag...

H04L 43/0811   by checking connectivity

H04L 45/306   Route determination based o...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 67/14   Session management for real...

H04L 9/40   Network security protocols

NETWORK CONNECTION AUTOMATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

74 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK CONNECTION AUTOMATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links