Method for authentication of network devices in a data-over cable system

US 6,189,102 B1
Filed: 05/27/1998
Issued: 02/13/2001
Est. Priority Date: 05/27/1998
Status: Expired due to Term

First Claim

Patent Images

1. In a data-over-cable system including a plurality of network devices, a method of authenticating a network device, the method comprising the following steps:

receiving a first message on a third network device with a first network address for a first network device associated with a second network device during an initialization sequence for the first network device;

storing the first network address for the first network device and a second network address for the third network device in an internal table on the third network device;

receiving a second message on the third network device from the second network device to authenticate the first network device, wherein the second messages include a third network address for the first network device and a fourth network address for the second network device; and

determining with the internal table whether the third network address is equal to the first network address and whether the fourth network address is equal to the second network address, and if so, registering the first network device on the third network device.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authentication of network devices in a data-over-cable system is provided. The method includes storing a network address for customer premise equipment and a network address for a cable modem associated with the customer premise equipment in an internal table on a cable modem termination system during an initialization sequence for the customer premise equipment. If the cable modem termination system has to re-boot, or has to re-establish a connection to a cable modem, the internal table is used to prevent the cable modem from registering “rogue” network devices associated with a cable modem on the cable modem termination system. The authentication method allows a cable modem termination system to authenticate customer premise equipment or other network devices associated with a cable modem using internal tables. This authentication helps improve the security of a data-over-cable system and makes it less vulnerable to attack.

203 Citations

33 Claims

1. In a data-over-cable system including a plurality of network devices, a method of authenticating a network device, the method comprising the following steps:
- receiving a first message on a third network device with a first network address for a first network device associated with a second network device during an initialization sequence for the first network device;
  
  storing the first network address for the first network device and a second network address for the third network device in an internal table on the third network device;
  
  receiving a second message on the third network device from the second network device to authenticate the first network device, wherein the second messages include a third network address for the first network device and a fourth network address for the second network device; and
  
  determining with the internal table whether the third network address is equal to the first network address and whether the fourth network address is equal to the second network address, and if so, registering the first network device on the third network device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of claim 1.
  - 3. The method of claim 1 wherein the first network device is customer premise equipment, the second network device is a cable modem, and the third network device is a cable modem termination system.
  - 4. The method of claim 1 wherein the first network address is an Internet Protocol address, the second network address is a Medium Access Protocol address.
  - 5. The method of claim 1 further comprising:
6. The method of claim 1 wherein the initialization sequence for the first network device includes a Dynamic Host Configuration Protocol initialization sequence.
7. The method of claim 1 wherein the step of receiving a first network address includes receiving a first network address for a first network device in a Dynamic Host Configuration Protocol acknowledgment message.
8. The method of claim 1 wherein the second message is a registration message.
9. The method of claim 1 wherein the internal table is an Address Resolution Protocol table.
10. The method of claim 1 wherein the step storing the first network address includes storing a second network address for the second network device.
11. The method of claim 1 wherein the step of storing the first network address includes storing a second network address for the first network device.

12. In a data-over-cable system including a plurality of network devices, a method of authenticating a network device, the method comprising the following steps:
- receiving a first network address on a third network device in a first message for a first network device associated with a second network device during an initialization sequence for the first network device;
  
  determining a first unique identifier for the first network device;
  
  storing the first network address and the first unique identifier for the first network device in a first internal table;
  
  storing the first network address for the first network device and a second network address for the second network device in second internal table on the third network device;
  
  sending the first message to the second network device;
  
  receiving a second message on the third network device from the second network device to authenticate the first network device, wherein the second message includes a second identifier and a third network address for the first network device and a fourth network address for the second network device; and
  
  determining with the first internal table whether the second identifier is equal to the first unique identifier, and if so, determining with the second internal table whether the third network address is equal to the first network address and whether the fourth network address is equal to the second network address, and if so, registering the first network device on the third network device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 13. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of claim 12.
  - 14. The method of claim 12 further comprising:
15. The method of claim 12 wherein the first unique identifier and the second identifier are Domain Name System identifiers.
16. The method of claim 12 wherein the first network device is customer premise equipment, the second network device is a cable modem, and the third network device is a cable modem termination system.
17. The method of claim 12 wherein the first network address is an Internet Protocol address, the second network address is a Medium Access Protocol address.
18. The method of claim 12 wherein the first internal table is an Address Resolution Protocol table and the second internal table is an Address Resolution Protocol table.
19. The method of claim 12 wherein the first unique identifier and second identifier are Medium Access Protocol addresses.
20. The method of claim 12 wherein the step of determining with the first internal table whether the second identifier is equal to the first unique identifier includes:
- performing a reverse Domain Name System lookup on third network address to obtain the first unique identifier stored in the first internal table associated with the third network address; and
  
  determining whether the first unique identifier from the first internal table is equal to the second identifier from the second message.
21. The method of claim 12 further comprising:
- determining with the first internal table whether the second identifier is equal to the first unique identifier, and if not, rejecting registration of the first network device.
22. The method of claim 12 further comprising:
- determining with the first internal table whether the second identifier is equal to the first unique identifier, and if so, determining with the second internal table whether the third network address is equal to the first network address and whether the fourth network address is equal to the second network address, and if not, rejecting registration of the first network device.
23. The method of claim 12 wherein the first message is a Dynamic Host Configuration Protocol acknowledge message and the second message is a registration message.
24. The method of claim 12 wherein the first message and the second message are Dynamic Host Configuration Protocol messages.
25. The method of claim 12 wherein the step of determining a first unique identifier for the first network device includes determining the first unique identifier with an existing message field from the first message.

26. In a data-over-cable system with a plurality of network devices including cable modems and customer premise equipment, a method of authenticating a network device, the method comprising the following steps:
- receiving a first Internet Protocol address in a Dynamic Host Configuration Protocol acknowledgment message, for customer premise equipment associated with a cable modem on a cable modem termination system during an initialization sequence for the customer premise equipment;
  
  storing the first Internet Protocol address for the customer premise equipment and a first Medium Access Protocol address for the cable modem in an internal table on the cable modem;
  
  receiving a registration message from the cable modem to register the customer premise equipment, wherein the registration input includes a second Internet Protocol address for the customer premise equipment and a second Medium Access Protocol address for the cable modem; and
  
  determining with the internal table whether the second Internet Protocol address is equal to the first Internet Protocol address and whether the first Medium Access Protocol address is equal to the second Medium Access Protocol address, and if so, registering the customer premise equipment on the cable modem termination system, and thereby providing authentication of the Internal Protocol address for customer premise equipment.
- View Dependent Claims (27)
- - 27. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of claim 26.

28. In a data-over-cable system including a plurality of network devices including cable modems and customer premise equipment, a method of authenticating a network device, the method comprising the following steps:
- receiving a Dynamic Host Configuration Protocol acknowledgment message on a cable modem termination system with an Internet Protocol address for customer premise equipment associated with a cable modem during an initialization sequence for the customer premise equipment;
  
  determining a first unique identifier for the customer premise equipment, wherein the first unique identifier is a Medium Access Control address for the customer premise equipment received during an initialization sequence for the customer premise equipment;
  
  storing the Internet Protocol address and the Medium Access Control address for the customer premise equipment in a first internal table;
  
  storing the Internet Protocol address for the customer premise equipment and a Medium Access Protocol address for the cable modem in second internal table on the cable modem termination system;
  
  optionally adding the first unique identifier to the Dynamic Host Configuration Protocol acknowledgment message;
  
  sending the Dynamic Host Configuration Protocol acknowledgment message to the cable modem, wherein the cable modem forwards the Dynamic Host Configuration Protocol acknowledgment message to the customer premise equipment;
  
  receiving a registration message on the cable modem termination system from the cable modem to register the customer premise equipment, wherein the registration message includes a second identifier and a second Internet Protocol address for the customer premise equipment, and a second Medium Access Protocol address for the cable modem; and
  
  determining with the first internal table whether the second identifier is equal to the first unique identifier, and if so, determining with the second internal table whether the second Internet Protocol address is equal to the first Internet Protocol address and whether the second Medium Access Protocol address is equal to the second Medium Access Protocol address, and if so, registering the customer premise equipment on the cable modem termination system.
- View Dependent Claims (29)
- - 29. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of claim 28.

30. In a data-over-cable system including a plurality of network devices, a method of authenticating a network device, the method comprising the following steps:
- receiving a first message on a second network device with a first network address for a first network device during an initialization sequence for the first network device;
  
  storing the first network address for the first network device and a second network address for the second network device in a first internal table on the second network device; and
  
  adding an entry to a second internal table using the first network address and the second network address.
- View Dependent Claims (31, 32, 33)
- - 31. A computer readable medium having stored therein instructions for causing a central processing unit to execute the method of claim 30.
  - 32. The method of claim 30 wherein the step of adding an entry to a second internal table using the first network address and the second network address includes receiving a request from any of the first network device, the second network device or a third network device to add an entry to the second internal table.
  - 33. The method of claim 32 wherein the first network device is any or a cable modem or customer premise equipment, the second network device is a cable modem termination system, and the third network device is a dynamic host configuration protocol server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
3Com Corporation (HP Inc.)
Inventors
Beser, Nurettin B.
Primary Examiner(s)
Black, Thomas G.
Assistant Examiner(s)
CHEUNG, MARY DA ZHI WANG

Application Number

US09/085,585
Time in Patent Office

993 Days
Field of Search

713/201, 713/200, 709/200, 709/201, 709/202, 709/203, 709/217, 709/218, 709/219, 709/220, 709/222, 709/223, 709/224, 709/227, 709/228, 709/229, 709/230, 709/231, 709/232, 709/245, 709/249, 709/250
US Class Current

726/2
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/5014   using dynamic host configur...

H04L 63/0876   based on the identity of th...

H04L 63/1466   Active attacks involving in...

Method for authentication of network devices in a data-over cable system

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

203 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method for authentication of network devices in a data-over cable system

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

203 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links