TWO FACTOR AUTHENTICATION OF ICR TRANSPORT AND PAYLOAD FOR INTERCHASSIS REDUNDANCY

US 20150288690A1
Filed: 04/08/2014
Published: 10/08/2015
Est. Priority Date: 04/08/2014
Status: Active Grant

First Claim

Patent Images

1. A method in a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, the method comprising:

in response to determining to transmit an ICR message to the second network device, generating the ICR message by;

generating a second authentication digest, wherein the second authentication digest is used by the second network device to perform a second level authentication of the ICR message,generating a first authentication digest, wherein the first authentication digest is used by the second network device to perform a first level authentication of the ICR message, andincluding the first authentication digest and the second authentication digest in the ICR message; and

transmitting the ICR message that includes the first authentication digest and the second authentication digest to the second network device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary methods for performing authentication by a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, includes in response to determining to transmit an ICR message to the second network device, generating the ICR message by generating a first and second authentication digest. In one embodiment, the methods include encrypting a payload of the ICR message, and transmitting the ICR message that includes the first and second authentication digest to the second network device. In another aspect of the invention, the methods include receiving an ICR message from the second network device and performing a first level authentication of the received ICR message. The methods further include in response to determining the first level authentication is successful, performing a second level authentication of the received ICR message.

Citations

39 Claims

1. A method in a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, the method comprising:
- in response to determining to transmit an ICR message to the second network device, generating the ICR message by;
  
  generating a second authentication digest, wherein the second authentication digest is used by the second network device to perform a second level authentication of the ICR message,generating a first authentication digest, wherein the first authentication digest is used by the second network device to perform a first level authentication of the ICR message, andincluding the first authentication digest and the second authentication digest in the ICR message; and
  
  transmitting the ICR message that includes the first authentication digest and the second authentication digest to the second network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein generating the second authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key, an application header included in the ICR message, and application data included in the ICR message.
  - 3. The method of claim 1, wherein generating the first authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key and the second authentication digest.
  - 4. The method of claim 1, wherein generating the first authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key, an Internet Protocol (IP) header included in the ICR message, and a common header included in the ICR message.
  - 5. The method of claim 1, wherein generating the ICR message further comprises encrypting application data of the ICR message, and wherein the transmitted ICR message includes the encrypted application data.
  - 6. The method of claim 1, wherein the first authentication digest and the second authentication digest are contiguously located in the ICR message.
  - 7. The method of claim 1, wherein the first authentication digest and the second authentication digest are different in size.

8. A first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, the first network device comprising:
- a set of one or more processors; and
  
  a machine-readable storage medium containing instructions, which when executed by the set of one or more processors, cause the first network device to in response to determining to transmit an ICR message to the second network device;
  
  generate a second authentication digest, wherein the second authentication digest is used by the second network device to perform a second level authentication of the ICR message, generate a first authentication digest, wherein the first authentication digest is used by the second network device to perform a first level authentication of the ICR message, and include the first authentication digest and the second authentication digest in the ICR message; and
  
  transmit the ICR message that includes the first authentication digest and the second authentication digest to the second network device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The first network device of claim 8, wherein generating the second authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key, an application header included in the ICR message, and application data included in the ICR message.
  - 10. The first network device of claim 8, wherein generating the first authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key and the second authentication digest.
  - 11. The first network device of claim 8, wherein generating the first authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key, an Internet Protocol (IP) header included in the ICR message, and a common header included in the ICR message.
  - 12. The first network device of claim 8, wherein generating the ICR message further comprises encrypting application data of the ICR message, and wherein the transmitted ICR message includes the encrypted application data.
  - 13. The first network device of claim 8, wherein the first authentication digest and the second authentication digest are contiguously located in the ICR message.
  - 14. The first network device of claim 8, wherein the first authentication digest and the second authentication digest are different in size.

15. A non-transitory computer-readable medium having computer instructions stored therein, which when executed by a processor of a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, cause the processor to perform operations comprising:
- in response to determining to transmit an ICR message to the second network device, generating the ICR message by;
  
  generating a second authentication digest, wherein the second authentication digest is used by the second network device to perform a second level authentication of the ICR message,generating a first authentication digest, wherein the first authentication digest is used by the second network device to perform a first level authentication of the ICR message, andincluding the first authentication digest and the second authentication digest in the ICR message; and
  
  transmitting the ICR message that includes the first authentication digest and the second authentication digest to the second network device.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer-readable medium of claim 15, wherein generating the second authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key, an application header included in the ICR message, and application data included in the ICR message.
  - 17. The non-transitory computer-readable medium of claim 15, wherein generating the first authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key and the second authentication digest.
  - 18. The non-transitory computer-readable medium of claim 15, wherein generating the first authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key, an Internet Protocol (IP) header included in the ICR message, and a common header included in the ICR message.
  - 19. The non-transitory computer-readable medium of claim 15, wherein generating the ICR message further comprises encrypting application data of the ICR message, and wherein the transmitted ICR message includes the encrypted application data.
  - 20. The non-transitory computer-readable medium of claim 15, wherein the first authentication digest and the second authentication digest are contiguously located in the ICR message.
  - 21. The non-transitory computer-readable medium of claim 15, wherein the first authentication digest and the second authentication digest are different in size.

22. A method in a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, the method comprising:
- receiving an ICR message from the second network device;
  
  performing a first level authentication of the received ICR message based on a first authentication digest included in the received ICR message; and
  
  in response to determining the first level authentication is successful, performing a second level authentication of the received ICR message based on a second authentication digest included in the received ICR message.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The method of claim 22, wherein performing the first level authentication of the received ICR message comprises:
    - generating a first authentication digest by applying a hash-based message authentication code (HMAC) function to a key and the second authentication digest included in the received ICR message; and
      
      comparing the generated first authentication digest against a first authentication digest included in the received ICR message, wherein the first level authentication of the ICR message is successful if the generated first authentication digest matches the first authentication digest included in the received ICR message.
  - 24. The method of claim 22, wherein performing the first level authentication of the received ICR message comprises:
    - generating a first authentication digest by applying a hash-based message authentication code (HMAC) function to a key, an Internet Protocol (IP) header included in the received ICR message, and a common header included in the received ICR message; and
      
      comparing the generated first authentication digest against the first authentication digest included in the received ICR message, wherein the first level authentication of the ICR message is successful if the generated first authentication digest matches the first authentication digest included in the received ICR message.
  - 25. The method of claim 22, wherein performing the second level authentication of the received ICR message comprises:
    - generating a second authentication digest by applying a hash-based message authentication code (HMAC) function to a key, an application header included in the received ICR message, and application data included in the received ICR message; and
      
      comparing the generated second authentication digest against the second authentication digest included in the received ICR message, wherein the second level authentication of the ICR message is successful if the generated second authentication digest matches the second authentication digest included in the received ICR message.
  - 26. The method of claim 22, further comprising decrypting the application data included in the received ICR message.
  - 27. The method of claim 22, wherein the first level authentication and the second level authentication of the received ICR message are performed in a distributed manner.

28. A first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, the first network device comprising:
- a set of one or more processors; and
  
  a machine-readable storage medium containing instructions, which when executed by the set of one or more processors, cause the first network device to receive an ICR message from the second network device;
  
  perform a first level authentication of the received ICR message based on a first authentication digest included in the received ICR message; and
  
  in response to determining the first level authentication is successful, perform a second level authentication of the received ICR message based on a second authentication digest included in the received ICR message.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The first network device of claim 28, wherein performing the first level authentication of the received ICR message comprises:
    - generating a first authentication digest by applying a hash-based message authentication code (HMAC) function to a key and the second authentication digest included in the received ICR message; and
      
      comparing the generated first authentication digest against a first authentication digest included in the received ICR message, wherein the first level authentication of the ICR message is successful if the generated first authentication digest matches the first authentication digest included in the received ICR message.
  - 30. The first network device of claim 28, wherein performing the first level authentication of the received ICR message comprises:
    - generating a first authentication digest by applying a hash-based message authentication code (HMAC) function to a key, an Internet Protocol (IP) header included in the received ICR message, and a common header included in the received ICR message; and
      
      comparing the generated first authentication digest against the first authentication digest included in the received ICR message, wherein the first level authentication of the ICR message is successful if the generated first authentication digest matches the first authentication digest included in the received ICR message.
  - 31. The first network device of claim 28, wherein performing the second level authentication of the received ICR message comprises:
    - generating a second authentication digest by applying a hash-based message authentication code (HMAC) function to a key, an application header included in the received ICR message, and application data included in the received ICR message; and
      
      comparing the generated second authentication digest against the second authentication digest included in the received ICR message, wherein the second level authentication of the ICR message is successful if the generated second authentication digest matches the second authentication digest included in the received ICR message.
  - 32. The first network device of claim 28, wherein the instructions further cause first network device to decrypt the application data included in the received ICR message.
  - 33. The first network device of claim 28, wherein the first level authentication and the second level authentication of the received ICR message are performed in a distributed manner.

34. A non-transitory computer-readable medium having computer instructions stored therein, which when executed by a processor of a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, cause the processor to perform operations comprising:
- receiving an ICR message from the second network device;
  
  performing a first level authentication of the received ICR message based on a first authentication digest included in the received ICR message; and
  
  in response to determining the first level authentication is successful, performing a second level authentication of the received ICR message based on a second authentication digest included in the received ICR message.
- View Dependent Claims (35, 36, 37, 38, 39)
- - 35. The non-transitory computer-readable medium of claim 34, wherein performing the first level authentication of the received ICR message comprises:
    - generating a first authentication digest by applying a hash-based message authentication code (HMAC) function to a key and the second authentication digest included in the received ICR message; and
      
      comparing the generated first authentication digest against a first authentication digest included in the received ICR message, wherein the first level authentication of the ICR message is successful if the generated first authentication digest matches the first authentication digest included in the received ICR message.
  - 36. The non-transitory computer-readable medium of claim 34, wherein performing the first level authentication of the received ICR message comprises:
    - generating a first authentication digest by applying a hash-based message authentication code (HMAC) function to a key, an Internet Protocol (IP) header included in the received ICR message, and a common header included in the received ICR message; and
      
      comparing the generated first authentication digest against the first authentication digest included in the received ICR message, wherein the first level authentication of the ICR message is successful if the generated first authentication digest matches the first authentication digest included in the received ICR message.
  - 37. The non-transitory computer-readable medium of claim 34, wherein performing the second level authentication of the received ICR message comprises:
    - generating a second authentication digest by applying a hash-based message authentication code (HMAC) function to a key, an application header included in the received ICR message, and application data included in the received ICR message; and
      
      comparing the generated second authentication digest against the second authentication digest included in the received ICR message, wherein the second level authentication of the ICR message is successful if the generated second authentication digest matches the second authentication digest included in the received ICR message.
  - 38. The non-transitory computer-readable medium of claim 34, further comprising decrypting the application data included in the received ICR message.
  - 39. The non-transitory computer-readable medium of claim 34, wherein the first level authentication and the second level authentication of the received ICR message are performed in a distributed manner.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Pal, Yogendra

Granted Patent

US 9,319,222 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/64   Protecting data integrity, ...

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04L 9/3242   involving keyed hash functi...

TWO FACTOR AUTHENTICATION OF ICR TRANSPORT AND PAYLOAD FOR INTERCHASSIS REDUNDANCY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

TWO FACTOR AUTHENTICATION OF ICR TRANSPORT AND PAYLOAD FOR INTERCHASSIS REDUNDANCY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links