VERIFYING DATA PLANE PATHS BASED ON A VALIDATED SECURE CONTROL PLANE
First Claim
1. A method, comprising:
sending, from an origin device in a computer network, a plurality of packets along a communication path toward a destination device in the computer network, each packet including a lifespan indicator;
receiving, at the origin device, a plurality of response messages from a plurality of intermediate devices, respectively, each intermediate device being located along the communication path, wherein a response message is communicated by an intermediate device when the intermediate device receives a packet of the plurality of packets and the lifespan indicator of the received packet has expired;
determining a plurality of secure path objects included in the plurality of response messages, respectively, each secure path object defining a path from a corresponding intermediate device to the destination device, in accordance with control plane information associated with the corresponding intermediate device;
validating the plurality of secure path objects based on validation information accessible by the origin device; and
checking validation results of the plurality of secure path objects to determine whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information, wherein the origin device, the destination device, and the plurality of intermediate devices are each part of a respective autonomous system (AS).
Abstract
In one embodiment, a plurality of packets is sent from an origin device along a communication path toward a destination device. Each packet includes a lifespan indicator which is incrementally increased for each subsequently sent packet. A plurality of response messages are received at the origin device from a plurality of intermediate devices, respectively. A plurality of secure path objects included in the plurality of response messages, respectively, is determined. Additionally, the plurality of secure path objects are validated based on validation information accessible by the origin device. Validation results of the plurality of secure path objects are checked to determine whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information.
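As an added illustration of the procedure the abstract describes (example code, not from the patent), the following Python simulates the probe-and-validate loop end to end: the AS topology, the per-AS keys and the use of a shared-key MAC in place of a real signature scheme are all constructed assumptions. Each hop that sees a probe's lifespan expire returns its control-plane path to the destination with a MAC over it; the origin validates every object and then checks that the next hop each device announces is the device that actually answered the following probe.

```python
import hashlib
import hmac
import json

# Constructed topology (not from the patent): each AS's control plane names the
# next AS it forwards to on the way to DEST. KEYS is the origin's validation
# store; HMAC stands in for whatever signature scheme a deployment would use.
DEST = 65004
CONTROL_PLANE = {65001: 65002, 65002: 65003, 65003: 65004}
KEYS = {asn: f"key-{asn}".encode() for asn in CONTROL_PLANE}

def control_plane_path(asn):
    """Hop-by-hop path from asn to DEST as asn's own control plane announces it."""
    path = [asn]
    while path[-1] != DEST:
        path.append(CONTROL_PLANE[path[-1]])
    return path

def secure_path_object(asn):
    """Response an intermediate device returns when a probe's lifespan expires.
    A device outside the validated topology can only sign with a bogus key."""
    path = control_plane_path(asn) if asn in CONTROL_PLANE else [asn, DEST]
    key = KEYS.get(asn, b"not-in-validation-store")
    mac = hmac.new(key, json.dumps(path).encode(), hashlib.sha256).hexdigest()
    return {"asn": asn, "path": path, "mac": mac}

def validate(spo):
    """Origin-side check of one secure path object against the key store."""
    key = KEYS.get(spo["asn"])
    if key is None:
        return False
    mac = hmac.new(key, json.dumps(spo["path"]).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, spo["mac"])

def verify_path(origin, data_plane):
    """Probe with lifespan 1, 2, ... along data_plane (the devices a packet really
    traverses after origin), validate each response, then chain the responses."""
    responses = []
    for lifespan in range(1, len(data_plane) + 1):
        hop = data_plane[lifespan - 1]      # device at which this probe expires
        if hop == DEST:
            break
        responses.append(secure_path_object(hop))
    if len(responses) == len(data_plane) or not all(map(validate, responses)):
        return False   # probes never reached DEST, or an object failed validation
    announced = [control_plane_path(origin)[1]] + [r["path"][1] for r in responses]
    observed = [r["asn"] for r in responses] + [DEST]
    return announced == observed
```

A data plane that detours through an AS absent from the validation store (e.g. `[65002, 65005, 65003, 65004]`) fails because that hop cannot produce a valid object; one that skips an announced hop (`[65003, 65004]`) fails the chaining check even though every object validates.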
25 Claims
15. An apparatus, comprising:
one or more network interfaces that communicate with a computer network;
a processor coupled to the one or more network interfaces and configured to execute a process; and
a memory configured to store program instructions which contain the process executable by the processor, the process comprising:
sending, as an origin device in the computer network, a plurality of packets along a communication path toward a destination device in the computer network, each packet including a lifespan indicator which is incrementally increased for each subsequently sent packet;
receiving a plurality of response messages from a plurality of intermediate devices, respectively, each intermediate device being located along the communication path between the origin device and the destination device, wherein a response message is received from an intermediate device when the intermediate device receives a packet of the plurality of packets and the lifespan indicator of the received packet has expired;
determining a plurality of secure path objects included in the plurality of response messages, respectively, each secure path object defining a hop-by-hop path from a corresponding intermediate device to the destination device, in accordance with control plane information associated with the corresponding intermediate device;
validating the plurality of secure path objects based on validation information accessible by the origin device; and
verifying whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information, based on validation results of the plurality of secure path objects, wherein the origin device, the destination device, and the plurality of intermediate devices are each part of a respective autonomous system (AS).
25. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to perform a process comprising:
sending, as an origin device in the computer network, a plurality of packets along a communication path toward a destination device in the computer network, each packet including a lifespan indicator which is incrementally increased for each subsequently sent packet;
receiving a plurality of response messages from a plurality of intermediate devices, respectively, each intermediate device being located along the communication path between the origin device and the destination device, wherein a response message is received from an intermediate device when the intermediate device receives a packet of the plurality of packets and the lifespan indicator of the received packet has expired;
determining a plurality of secure path objects included in the plurality of response messages, respectively, each secure path object defining a hop-by-hop path from a corresponding intermediate device to the destination device, in accordance with control plane information associated with the corresponding intermediate device;
validating the plurality of secure path objects based on validation information accessible by the origin device; and
verifying whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information, based on validation results of the plurality of secure path objects, wherein the origin device, the destination device, and the plurality of intermediate devices are each part of a respective autonomous system (AS).