Medium access control address authentication

US 6,115,376 A
Filed: 10/29/1997
Issued: 09/05/2000
Est. Priority Date: 12/13/1996
Status: Expired due to Term

First Claim

Patent Images

1. A method for improving network security in a network including a star configured interconnection device having a plurality of ports adapted for connection to respective MAC layer devices, comprising:

storing authentication data in the star configured interconnection device, the authentication data mapping MAC adresses to ports in the star configured interconnection device;

receiving a packet on a port;

accepting the packet carries a source MAC address which the authentication data maps to the port; and

executing an authentication protocol on the port to determine whether the MAC address originates from an authorized sender according to the authentication protocol when the packet does not carry a source MAC address which the authentication data maps to the port.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for improving network security in a network that includes a star configured interconnection device such as a repeater, a bridge or a switch, that has a plurality of ports adapted for connection to respective MAC layer devices includes storing authentication data in the star configured interconnection device that maps MAC addresses of end stations in the network to particular ports on the star configured interconnection device. Upon receiving a packet on a particular port, the process involves determining whether the packet carries a source address which the authentication data maps to the particular port. If the packet carries a source address which the authentication data maps to the particular port, then the packet is accepted. If the packet does not carry a source MAC address which the authentication maps to the port, then an authentication protocol is executed on the port to determine whether the MAC address originates from an authorized sender according to the authentication protocol.

144 Citations

37 Claims

1. A method for improving network security in a network including a star configured interconnection device having a plurality of ports adapted for connection to respective MAC layer devices, comprising:
- storing authentication data in the star configured interconnection device, the authentication data mapping MAC adresses to ports in the star configured interconnection device;
  
  receiving a packet on a port;
  
  accepting the packet carries a source MAC address which the authentication data maps to the port; and
  
  executing an authentication protocol on the port to determine whether the MAC address originates from an authorized sender according to the authentication protocol when the packet does not carry a source MAC address which the authentication data maps to the port.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the authentication protocol includes:
    - providing a secret value to authorized senders of MAC addresses; and
      
      challenging senders of MAC addresses to generate a response to the port using the secret value.
  - 3. The method of claim 1, including:
    - if the MAC addresses originate from an authorized sender according to the authentication protocol, then updating a table.
  - 4. The method of claim 1, including:
    - generating an authentication table during initialization of ports on the star configured interconnection device.
  - 5. The method of claim 1, including monitoring activity on the plurality of ports to detect disconnection of a MAC layer device from the ports, and upon detecting disconnection on a particular port, then updating the authentication data to unauthenticate a MAC address mapped to the particular port.
  - 6. The method of claim 2, wherein the secret value comprises an encryption key.
  - 7. The method of claim 2, wherein the secret value comprises a password.
  - 8. The method of claim 2, wherein the secret value comprises a private key for a public key/private key encryption algorithm.
  - 9. The method of claim 1, wherein the authentication data comprises a table storing authenticated MAC addresses for ports on the star configured interconnection device.
  - 10. The method of claim 1, wherein the star configured interconnection device comprises a repeater.
  - 11. The method of claim 1, wherein the star configured interconnection device comprises a bridge.
  - 12. The method of claim 1, wherein the star configured interconnection device comprises a switch.

13. A method for improving network security in a network including a star configured interconnection device having a plurality of ports adapted for connection to respective MAC layer devices, comprising:
- storing an authentication key for a MAC address in a MAC layer device;
  
  responding at the MAC layer device to a challenge from the star configured interconnection device, by sending a response based on the authentication key to the star configured interconnection device.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13, wherein the MAC layer device comprises a network adapter.
  - 15. The method of claim 14, wherein the step of storing includes storing the authentication key in a non-volatile memory on the network adapter.
  - 16. The method of claim 14, wherein the step of storing includes providing code memory in the network adapter that is not readable by a host processor, and storing the authentication key in the code memory.
  - 17. The method of claim 13, wherein the authentication key comprises an encryption key.
  - 18. The method of claim 13, wherein the authentication key comprises a password.
  - 19. The method of claim 13, wherein the authentication key comprises a private key for a public key/private key encryption algorithm.

20. A network device, comprising:
- a plurality of ports adapted for connection across a transmission medium to respective MAC layer devices;
  
  memory including authentication data, the authentication data mapping MAC addresses to ports in the plurality of ports;
  
  processing resources which monitor a packet on a particular port in the plurality of ports, wherein the packet is accepted when the packet carries a source MAC address which the authentication data maps to the port, wherein an authentication protocol is executed on the port to determine whether the MAC address originates from an authorized sender according to authentication protocol when the packet does not carry a source MAC address which the authentication data maps to the port.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 21. The network device of claim 20, wherein a secret value is provided to authorized senders of MAC addresses, and the authentication protocol includes:
    - resources which challenge senders of MAC addresses to generate a response to the port using the secret value.
  - 22. The network device of claim 20, including:
    - resources which, if the MAC addresses originate from an authorized sender according to the authentication protocol, then update the authentication data.
  - 23. The network device of claim 21, including:
    - resources to generate the authentication table during initialization of ports in the plurality of ports.
  - 24. The network device of claim 21, wherein the secret value comprises an encryption key.
  - 25. The network device of claim 21, wherein the secret value comprises a password.
  - 26. The network device of claim 21, wherein the secret value comprises a private key for a public key/private key encryption algorithm.
  - 27. The network device of claim 20, wherein the authentication data comprises a table storing authenticated MAC addresses for ports on the star configured interconnection device.
  - 28. The network device of claim 20, including resources to repeat the packet on at least one other port in the plurality of ports if the packet is accepted.
  - 29. The network device of claim 20, including resources to forward the packet on at least one other port in the plurality of ports if the MAC layer destination of the packet is not known on the particular port, if the packet is accepted.
  - 30. The network device of claim 20, including resources to forward the packet on at least one other port in the plurality of ports through which the destination of the packet is known, if the packet is accepted.
  - 31. The network device of claim 20, including resources which monitor activity on the plurality of ports to detect disconnection of a MAC layer device from the ports, and upon detecting disconnection on a particular port, then update the authentication data to unauthenticate a MAC address mapped to the particular port.

32. A network adapter, comprising:
- a medium access control unit having a MAC address;
  
  memory storing an authentication key for the MAC address; and
  
  resources which respond to a challenge received at the medium access control unit by sending a response based on the authentication key through the medium access control unit.
- View Dependent Claims (33, 34, 35, 36, 37)
- - 33. The network adapter of claim 32, wherein the memory storing the authentication key comprises non-volatile memory.
  - 34. The network adapter of claim 32, wherein the memory storing the authentication key is not accessible by the host processor coupled to the network adapter.
  - 35. The network adapter of claim 32, wherein the authentication key comprises an encryption key.
  - 36. The network adapter of claim 32, wherein the authentication key comprises a password.
  - 37. The network adapter of claim 32, wherein the authentication key comprises a private key for a public key/private key encryption algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
3Com Corporation (HP Inc.)
Inventors
Sherer, W. Paul, Nessett, Danny M.
Primary Examiner(s)
Pham, Chi H.
Assistant Examiner(s)
Tran, Maikhanh

Application Number

US08/959,833
Time in Patent Office

1,042 Days
Field of Search

370/242, 370/245, 370/252, 370/389, 370/400-401, 370/407, 713/201, 709/224
US Class Current

370/389
CPC Class Codes

H04L 49/351 for local area network [LAN...

H04L 63/1466 Active attacks involving in...

Medium access control address authentication

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

144 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Medium access control address authentication

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

144 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links