Metropolitan area network arrangement for serving virtual data networks

US 4,897,874 A
Filed: 03/31/1988
Issued: 01/30/1990
Est. Priority Date: 03/31/1988
Status: Expired due to Term

First Claim

Patent Images

1. In a network for serving users of a plurality of user groups, a method of preventing users of one group from obtaining unauthorized access to users of another group, comprising the steps of:

generating a user authorization data base for authorizing access by a first user to members of ones of a plurality of groups from input from a superuser;

processing a login packet, comprising an identification of a login destination user group and an identification of said first user, from said first user to determine whether said first user is authorized in said authorization data base to access said destination user group;

if said determining step determines that said first user is authorized to access said destination user group, recording data in a source checker data base indicating that said first user is authorized to send packets to said destination user group;

thereafter, ascertaining in said recorded data, for every data entity, comprising said identification of said first user and an identification of a destination user group for said data entity, whether said first user is authorized to send data to said destination user group; and

transmitting said data entry to a user of said destination user group if said ascertaining step indicates that said first user is authorized.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A high capacity metropolitan area network (MAN) is described. Data traffic from users is connected to data concentrators at the edge of the network, and is transmitted over fiber optic data links to a hub where the data is switched. The hub includes a plurality of data switching modules, each having a control means, and each connected to a distributed control space division switch. Advantageously, the data switching modules, whose inputs are connected to the concentrators, perform all checking and routing functions, while the 1024×1024 maximum size space division switch, whose outputs are connected to the concentrators, provides a large fan-out distribution network for reaching many concentrators from each data switching module. Distributed control of the space division switch permits several million connection and disconnection actions to be performed each second, while the pipelined and parallel operation within the control means permits each of the 256 switching modules to process at least 50,000 transactions per second. The data switching modules chain groups of incoming packets destined for a common outlet of the space division switch so that only one connection in that switch is required for transmitting each group of chained packets from a data switching module to a concentrator. MAN provides security features including a port identification supplied by the data concentrators, and a check that each packet is from an authorized source user, transmitting on a port associated with that user, to an authorized destination user that is in the same group (virtual network) as the source user.

194 Citations

8 Claims

1. In a network for serving users of a plurality of user groups, a method of preventing users of one group from obtaining unauthorized access to users of another group, comprising the steps of:
- generating a user authorization data base for authorizing access by a first user to members of ones of a plurality of groups from input from a superuser;
  
  processing a login packet, comprising an identification of a login destination user group and an identification of said first user, from said first user to determine whether said first user is authorized in said authorization data base to access said destination user group;
  
  if said determining step determines that said first user is authorized to access said destination user group, recording data in a source checker data base indicating that said first user is authorized to send packets to said destination user group;
  
  thereafter, ascertaining in said recorded data, for every data entity, comprising said identification of said first user and an identification of a destination user group for said data entity, whether said first user is authorized to send data to said destination user group; and
  
  transmitting said data entry to a user of said destination user group if said ascertaining step indicates that said first user is authorized.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein said data entity is a packet.
  - 3. The method of claim 1 wherein:
    - said login packet and said data entity each comprise an identification of a user port;
      
      said recording step comprises the step of recording data indicating that said first user is authorized to access said destination user group if transmitting from a user port identified in said login packet;
      
      said ascertaining step comprises ascertaining in said recorded data whether said first user is authorized to transmit from a user port identified in said data entity;
      
      further comprising the step of supplying a source user port identification to each of said data entities from within said network and outside control by said users.
  - 4. The method of claim 1 further comprising the steps of:
    - if said authorization step indicates that said first user is authorized to receive data from said destination user group, recording data in a routing data base indicating that said first user is authorized to receive packets form said destination user group;
      
      supplying a source user port identification to each of said entities from within said network outside control by said users;
      
      wherein said step of processing a login comprises the step of accessing a data base comprising a table of passwords and corresponding user and group identification;
      
      wherein said step of generating a user authorization data base comprises the step of entering data for building an authorization table;
      
      wherein said step of ascertaining for every data entity comprises the step of ascertaining for every data packet whether said first user is authorized to send data to said destination user group;
      
      wherein said transmitting step comprises searching said routing data base to ascertain the identity of a destination port for said every data packet.

5. In a data network, a method of transmitting data entities from a source user to a user that is member of a group, comprising the steps of:
- supplying, for every data entity transmitted by said source user, a source user port identification from within said network and outside control of said source user;
  
  ascertaining, for every data entity, comprising an identification of said source user and said group, whether said source user is authorized to transmit data entities to a user of said group from said identified source user port; and
  
  transmitting said data entity to a user of said group if said ascertaining step indicates that said source user is authorized.

6. In a network for serving users of a plurality of user groups, a method of preventing users of one group from obtaining unauthorized access too users of another group, comprising the steps of:
- generating a user authorization data base for authorizing access by a first user to members of ones of a plurality of groups from input from a superuser;
  
  supplying, for data packets transmitted by said first user, a source user port identification from within said network and outside control by said first user;
  
  processing a login packet, comprising an identification of a destination user group, an identification of said first user, and a user port identification for said first user, from said first user to determine whether said first user is authorized in said authorization data base to transmit data packets from said source user port for said first user to a member of said destination user group;
  
  if said authorization step indicates that said first user is authorized to send packets to a member of said destination user group, recording data to indicate that said first user is authorized to send packets to said destination user group from said source user port;
  
  if said authorization step further indicates that said first user is authorized to receive data from members of said destination user group, recording that said first user is authorized to receive packets form said members of said destination user group at said source user port;
  
  thereafter, ascertaining, for every data packet, comprising said identification of said first user, said user port for said first user, and an identification of a destination user group, whether said first user is authorized to send data from a port identification of said data packet to a member of said destination user group;
  
  transmitting said data packet to a user of said destination group if said ascertaining step indicates that said first user is authorized; and
  
  recording identifications of users and user ports which transmit unauthorized packets.

7. A data network, comprising:
- a source authorization data base comprising data indicating, for each active source user, authorization for said source user and at least one source group of which said source user is a member;
  
  a destination authorization data base comprising data indicating, for each active destination user, authorization for said destination user and at least one destination user group of which said destination user is a member; and
  
  means, responsive to source user, destination user, and group data in a data packet received by said network for checking in said source authorization data base and said destination authorization data base whether said source user and group is authorized to transmit to said destination user and group.
- View Dependent Claims (8)
- - 8. The data network of claim 7 further comprising:
    - means for supplying a source user port identification from within said network and outside the control of said user;
      
      wherein said source authorization data base further comprises port identification data; and
      
      said means for checking comprises means for checking, whether said source user is authorized to transit form a port identified by said source user port identification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
American Telephone & Telegraph Company (AT&T, Inc.), Bell Telephone Laboratories, Inc. (Nokia Corporation)
Original Assignee
American Telephone & Telegraph Company (AT&T, Inc.)
Inventors
Zelle, Bruce R., Lidinsky, William P., Weddige, Ronald C., Steele, Scott B., Roediger, Gary A.
Primary Examiner(s)
Cangialosi, Salvatore

Application Number

US07/175,548
Time in Patent Office

670 Days
Field of Search

380/3, 380/4, 380/23, 380/24, 380/25, 380/49, 340/825.31, 340/825.34, 370/60, 370/85, 370/90, 370/94, 178/2 R
US Class Current

726/13
CPC Class Codes

H04L 12/2852   Metropolitan area networks

H04L 12/56   Packet switching systems

H04L 63/0272   Virtual private networks

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/123   received data contents, e.g...

H04L 9/40   Network security protocols

Metropolitan area network arrangement for serving virtual data networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

194 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Metropolitan area network arrangement for serving virtual data networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

194 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links