Enabling Packet Handling Information in the Clear for MACSEC Protected Frames
First Claim
1. A method comprising:
receiving, at a network device, unsecured data sent from a source device towards a destination device;
generating, at the network device, encrypted payload data from the unsecured data using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1AE;
generating a MACSEC security tag;
inserting, at the network device, the encrypted payload data and the MACSEC security tag in an encrypted portion of a packet that transports the encrypted payload data towards the destination device;
appending, at the network device, packet handling information to an encrypted portion of the packet, wherein the packet handling information is in an unencrypted and unauthenticated portion of the packet; and
sending, at the network device, the packet on a network.
0 Assignments
0 Petitions
Abstract
Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.
23 Citations
25 Claims
1. A method comprising:
receiving, at a network device, unsecured data sent from a source device towards a destination device;
generating, at the network device, encrypted payload data from the unsecured data using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1AE;
generating a MACSEC security tag;
inserting, at the network device, the encrypted payload data and the MACSEC security tag in an encrypted portion of a packet that transports the encrypted payload data towards the destination device;
appending, at the network device, packet handling information to an encrypted portion of the packet, wherein the packet handling information is in an unencrypted and unauthenticated portion of the packet; and
sending, at the network device, the packet on a network.
Dependent claims: 2 to 14.

15. A method comprising:
at a network device that performs connectionless secure communication and network routing of packets in a network, receiving a packet that includes encrypted payload data generated according to the Media Access Control Security (MACSEC) standard of IEEE 802.1, a MACSEC security tag, and packet handling information, wherein the encrypted payload data and the MACSEC security tag are in an encrypted portion of the packet and the packet handling information is in an unencrypted and unauthenticated portion of the packet;
parsing the packet beyond a portion of the packet that includes a source address and a destination address of the packet to obtain the MACSEC security tag; and
using the MACSEC security tag to decrypt the encrypted payload data.
Dependent claims: 16 to 25.
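A receiver-side parser for the frame layout the abstract and claim 15 describe, added here as an illustration and not the patent's own implementation. It assumes the clear packet handling information is one or more 802.1Q tags placed between the source address and the MACsec SecTAG, a 16-octet ICV, and a constructed sample frame; because the clear tags sit outside the ICV, the parser reports them as unauthenticated values that a policy check, not the decryption step, must decide whether to honour.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5
VLAN_ETHERTYPE = 0x8100  # assumption: the clear handling info is an 802.1Q tag
ICV_LEN = 16             # GCM-AES-128/256 ICV length

def parse_frame(frame: bytes) -> dict:
    """Parse DA | SA | [802.1Q tags in the clear] | 0x88E5 | SecTAG | secure data | ICV."""
    dst, src, off = frame[0:6], frame[6:12], 12
    clear_tags = []
    ethertype = struct.unpack_from("!H", frame, off)[0]
    # Walk the unprotected handling info ahead of the SecTAG (the "parsing beyond
    # the source and destination address" step of claim 15).
    while ethertype == VLAN_ETHERTYPE:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        clear_tags.append({"pcp": tci >> 13, "vid": tci & 0x0FFF})
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("no MACsec SecTAG after the clear headers")
    off += 2
    tci_an, sl = frame[off], frame[off + 1]      # TCI/AN octet, Short Length octet
    pn = struct.unpack_from("!I", frame, off + 2)[0]
    off += 6
    sci = None
    if tci_an & 0x20:                            # SC bit: explicit 8-octet SCI present
        sci, off = frame[off:off + 8], off + 8
    if len(frame) - off < ICV_LEN:
        raise ValueError("frame truncated before ICV")
    return {
        "dst": dst, "src": src,
        "clear_tags": clear_tags,                # outside the ICV: policy-checked, never trusted
        "an": tci_an & 0x03, "encrypted": bool(tci_an & 0x08),
        "changed_text": bool(tci_an & 0x04), "short_length": sl, "pn": pn, "sci": sci,
        "secure_data": frame[off:-ICV_LEN], "icv": frame[-ICV_LEN:],
    }

def build_sample_frame() -> bytes:
    """Constructed sample: VLAN 100 / PCP 5 in the clear, SecTAG with SCI, AN 1, PN 5."""
    dst, src = bytes.fromhex("0180c2000001"), bytes.fromhex("001122334455")
    vlan = struct.pack("!HH", VLAN_ETHERTYPE, (5 << 13) | 100)
    # TCI bits SC|E|C set (0x2C) plus AN = 1; SL = 0 means a full-length frame.
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, 0x2C | 0x01, 0, 5) + bytes(range(8))
    secure_data = bytes(16)   # placeholder ciphertext, not real AES-GCM output
    icv = b"\xab" * ICV_LEN   # placeholder ICV
    return dst + src + vlan + sectag + secure_data + icv
```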
Specification