Enabling Packet Handling Information in the Clear for MACSEC Protected Frames

US 20150131798A1
Filed: 01/12/2015
Published: 05/14/2015
Est. Priority Date: 10/05/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a network device, unsecured data sent from a source device towards a destination device;

generating, at the network device, encrypted payload data from the unsecured data using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1 AE;

generating a MACSEC security tag;

inserting, at the network device, the encrypted payload data and the MACSEC security tag in an encrypted portion of a packet that transports the encrypted payload data towards the destination device;

appending, at the network device, packet handling information to an encrypted portion of the packet, wherein the packet handling information is in an unencrypted and unauthenticated portion of the packet; and

sending, at the network device, the packet on a network.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.

23 Citations

View as Search Results

25 Claims

1. A method comprising:
- receiving, at a network device, unsecured data sent from a source device towards a destination device;
  
  generating, at the network device, encrypted payload data from the unsecured data using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1 AE;
  
  generating a MACSEC security tag;
  
  inserting, at the network device, the encrypted payload data and the MACSEC security tag in an encrypted portion of a packet that transports the encrypted payload data towards the destination device;
  
  appending, at the network device, packet handling information to an encrypted portion of the packet, wherein the packet handling information is in an unencrypted and unauthenticated portion of the packet; and
  
  sending, at the network device, the packet on a network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - generating, at the network device, the packet handling information from a portion of the unsecured data received from the source device.
  - 3. The method of claim 1, further comprising:
    - generating Integrity Check Value (ICV) information; and
      
      inserting the ICV information in the packet.
  - 4. The method of claim 1, further comprising:
    - generating the packet that transports the encrypted payload data towards the destination device; and
      
      parsing the packet to determine a selected location to insert the MACSEC security tag, and wherein inserting the MACSEC security tag includes;
      
      inserting the MACSEC security tag at the selected location of the packet.
  - 5. The method of claim 1, wherein inserting the MACSEC security tag comprises:
    - inserting the MACSEC security tag at a position in the packet determined from one or more of a source address, a destination address, an encapsulation type, a virtual local area network (VLAN) tag, and a Multiprotocol Label Switching label.
  - 6. The method of claim 1, wherein inserting the encrypted payload data and the MACSEC security tag includes:
    - inserting the encrypted payload data and the MACSEC security tag in an authenticated portion of the packet.
  - 7. The method of claim 1, wherein the packet handling information comprises one or more virtual local area network (VLAN) tags.
  - 8. The method of claim 6, wherein the packet handling information comprises a value added into a Priority Code Point field of a virtual local area network (VLAN) tag.
  - 9. The method of claim 7, and further comprising:
    - setting a value for the Priority Code Point field in the VLAN tag to indicate a priority level of the packet.
  - 10. The method of claim 1, wherein the packet handling information comprises one or more Multiprotocol Label Switching labels.
  - 11. The method of claim 1, wherein the packet handling information comprises Quality of Service (QoS) information.
  - 12. The method of claim 1, wherein the packet handling information comprises a Traffic Class field added in a Multiprotocol Label Switching label header in the unencrypted portion of the packet.
  - 13. The method of claim 1, wherein appending the packet handling information comprises appending a plurality of different pieces of packet handling information in the packet.
  - 14. The method of claim 13, wherein appending the packet handling information comprises appending at least some of the plurality of pieces of packet handling information in an authenticated portion of the packet.

15. A method comprisingat a network device that performs connectionless secure communication and network routing of packets in a network, receiving a packet that includes encrypted payload data generated according to the Media Access Control Security (MACSEC) standard of IEEE 802.1, a MACSEC security tag, and packet handling information, wherein the encrypted payload data and the MACSEC security tag are in an encrypted portion of the packet and the packet handling information is in an unencrypted and unauthenticated portion of the packet;
- parsing the packet beyond a portion of the packet that includes a source address and a destination address of the packet to obtain the MACSEC security tag; and
  
  using the MACSEC security tag to decrypt the encrypted payload data.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The method of claim 15, wherein parsing comprises:
    - parsing the packet to a position after the packet handling information.
  - 17. The method of claim 15, wherein the MACSEC security tag is located at a position in the packet determined from one or more of a source address, a destination address, an encapsulation type, a virtual local area network (VLAN) tag, and a Multiprotocol Label Switching label.
  - 18. The method of claim 15, wherein the encrypted payload data and the MACSEC security tag are in an authenticated portion of the packet.
  - 19. The method of claim 15, wherein the packet handling information comprises one or more virtual local area network (VLAN) tags.
  - 20. The method of claim 19, wherein the packet handling information comprises a value added into a Priority Code Point field of a virtual local area network (VLAN) tag.
  - 21. The method of claim 15, wherein the packet handling information comprises one or more Multiprotocol Label Switching labels.
  - 22. The method of claim 15, wherein the packet handling information comprises Quality of Service (QoS) information.
  - 23. The method of claim 15, wherein the packet handling information comprises a Traffic Class field added in a Multiprotocol Label Switching label header in the unencrypted portion of the packet.
  - 24. The method of claim 15, wherein the packet handling information comprises a plurality of different pieces of packet handling information in the packet.
  - 25. The method of claim 24, wherein at least some of the plurality of pieces of packet handling information are in an authenticated portion of the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Chopra, Rakesh

Granted Patent

US 9,571,283 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/270
CPC Class Codes

H04L 12/462   LAN interconnection over a ...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/4645   Details on frame tagging ro...

H04L 2209/80   Wireless network architectu...

H04L 45/50   using label swapping, e.g. ...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/162   at the data link layer

H04L 9/32   including means for verifyi...

H04W 12/088   using filters or firewalls

Enabling Packet Handling Information in the Clear for MACSEC Protected Frames

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Enabling Packet Handling Information in the Clear for MACSEC Protected Frames

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links