Method and apparatus for providing secure network communications

US 5,935,245 A
Filed: 04/29/1997
Issued: 08/10/1999
Est. Priority Date: 12/13/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method for preventing completed reception of an unauthorized packet by a network adaptor comprising:

beginning to receive a packet from a communication channel;

using a count value and a value bit vector (VBV) to compare data in said packet at said count value to said value bit vector;

completing reception of said packet if said compare indicates that data in said packet matches said value bit vector; and

aborting reception of said packet without passing said packet to higher layer software if said compare indicates that data in said packet does not match said value bit vector.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data pattern enforcer provides secure network communications at an adaptor layer by comparing transmitted and received packets to a set of rules to verify that said packets are appropriately being transmitted or received. The data pattern enforcer prevents application or other software with access to an adaptor on a network from using the adaptor for packet sniffing or spoofing. In a specific embodiment, the data pattern enforcer verifies packets at the layer 2 adaptor level using a value bit vector (which may be alterable or may be preset to a value, including to zero), a count value, and a mask to compare to data found in packets.

Citations

24 Claims

1. A method for preventing completed reception of an unauthorized packet by a network adaptor comprising:
- beginning to receive a packet from a communication channel;
  
  using a count value and a value bit vector (VBV) to compare data in said packet at said count value to said value bit vector;
  
  completing reception of said packet if said compare indicates that data in said packet matches said value bit vector; and
  
  aborting reception of said packet without passing said packet to higher layer software if said compare indicates that data in said packet does not match said value bit vector.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1 further comprising:
    - using a don'"'"'t care bit vector (DCBV) to indicate that certain bits in said VBV should not be compared to bits in said packet.
  - 3. The method according to claim 2 wherein said count value is a non-alterable value and may be implicit in said compare function.
  - 4. The method according to claim 1 wherein said compare takes place at a data link layer protocol and said packets are never passed up to a higher layer protocol if said compare fails.
  - 5. The method according to claim 4 wherein said count value indicates data in a layer 3 address of said packet.
  - 6. The method according to claim 3 wherein said data comprise a security field included in said packet.
  - 7. The method according to claim 1 wherein said count value indicates data in a packet header.
  - 8. The method according to claim 7 wherein said count value indicates data in a layer 2 address of said packet.
  - 9. The method according to claim 1 wherein said count value is a non-alterable value and may be implicit in said compare function.

10. A method for preventing completed transmission of an unauthorized packet by an adaptor card comprising:
- receiving a packet to transmit from a higher layer protocol;
  
  beginning to transmit a packet on a communication channel;
  
  using a count value and a value bit vector (VBV) to compare data in said packet at said count value to said value bit vector;
  
  if said compare indicates that data in said packet matches said value bit vector, completing transmission of said packet; and
  
  if said compare indicates that data in said packet does not match said value bit vector, aborting transmission of said packet.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method according to claim 10 further comprising:
    - using a don'"'"'t care bit vector (DCBV) to indicate that certain bits in said VBV should not be compared to bits in said packet.
  - 12. The method according to claim 10 wherein said compare takes place at a data link layer.
  - 13. The method according to claim 10 wherein said count value indicates data in a packet header.
  - 14. The method according to claim 13 wherein said count value indicates data in a layer 2 address of said packet.
  - 15. The method according to claim 13 wherein said data comprises a layer 3 address of said packet.
  - 16. The method according to claim 13 wherein said data comprises a security field included in said packet.

17. A method for preventing completed reception of an unauthorized packet by a network adaptor comprising:
- beginning to receive a packet from a communication channel;
  
  applying a rule to said packet at a packet reception layer;
  
  completing reception of said packet if said rule indicates that said packet is valid; and
  
  aborting reception of said packet without passing said packet to higher layer software if said rule indicates that said packet is not valid.

18. A method for preventing completed transmission of an unauthorized packet by an adaptor card comprising:
- receiving a packet to transmit from a higher layer protocol;
  
  applying a rule to said packet at a packet transmission layer;
  
  completing transmission of said packet if said rule indicates that said packet is valid; and
  
  aborting transmission of said packet if said rule indicates that said packet is not valid.

19. An adaptor driver for use in an end system comprising:
- an application interface for passing packets between a network and higher network layers;
  
  a set of adaptor layer packet verification rules;
  
  a data pattern enforcer for applying said rules to packets at the adaptor layer; and
  
  a network interface for communicating packets on a network.

20. A method for preventing completed reception of an unauthorized packet by a network adaptor comprising:
- beginning to receive a packet from a communication channel;
  
  using a count value and a value bit vector to apply a simple validation rule to packet values in said packet at said count value;
  
  completing reception of said packet if said simple validation rule indicates that data in said packet is valid; and
  
  aborting reception of said packet without passing said packet to higher layer protocols if said simple validation rule indicates that data in said packet is not valid.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The method according to claim 20 wherein said simple validation rule takes place at a data link layer protocol and said packets are never passed up to a higher layer protocol if said rule fails.
  - 22. The method according to claim 20 wherein said count value indicates packet values in a packet header.
  - 23. The method according to claim 20 wherein said packet values comprise a security field included in said packet.
  - 24. The method according to claim 20 wherein said count value is a preset, non-alterable value and may be implicit in said simple validation rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
3Com Corporation (HP Inc.)
Inventors
Sherer, William P.
Primary Examiner(s)
HUA, LY

Application Number

US08/827,965
Time in Patent Office

833 Days
Field of Search

395/186, 395/187.01, 395/188.01, 370/401, 370/392, 370/389, 340/825.07, 380/49
US Class Current

726/13
CPC Class Codes

H04L 12/40032 Details regarding a bus int...

H04L 63/1475 Passive attacks, e.g. eaves...

Method and apparatus for providing secure network communications

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing secure network communications

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links