Method for authentication of network devices in a data-over cable system
Abstract
A method for authentication of network devices in a data-over-cable system is provided. The method includes storing a network address for customer premise equipment and a network address for a cable modem associated with the customer premise equipment in an internal table on a cable modem termination system during an initialization sequence for the customer premise equipment. If the cable modem termination system has to re-boot, or has to re-establish a connection to a cable modem, the internal table is used to prevent the cable modem from registering “rogue” network devices associated with a cable modem on the cable modem termination system. The authentication method allows a cable modem termination system to authenticate customer premise equipment or other network devices associated with a cable modem using internal tables. This authentication helps improve the security of a data-over-cable system and makes it less vulnerable to attack.
33 Claims
1. In a data-over-cable system including a plurality of network devices, a method of authenticating a network device, the method comprising the following steps:
receiving a first message on a third network device with a first network address for a first network device associated with a second network device during an initialization sequence for the first network device;
storing the first network address for the first network device and a second network address for the third network device in an internal table on the third network device;
receiving a second message on the third network device from the second network device to authenticate the first network device, wherein the second message includes a third network address for the first network device and a fourth network address for the second network device; and
determining with the internal table whether the third network address is equal to the first network address and whether the fourth network address is equal to the second network address, and if so, registering the first network device on the third network device.
determining with the internal table whether the third network address is equal to the first network address and the fourth network address is equal to the second network address, and if not, rejecting registration of the first network device on the third network device.
6. The method of claim 1 wherein the initialization sequence for the first network device includes a Dynamic Host Configuration Protocol initialization sequence.
7. The method of claim 1 wherein the step of receiving a first network address includes receiving a first network address for a first network device in a Dynamic Host Configuration Protocol acknowledgment message.
8. The method of claim 1 wherein the second message is a registration message.
9. The method of claim 1 wherein the internal table is an Address Resolution Protocol table.
10. The method of claim 1 wherein the step of storing the first network address includes storing a second network address for the second network device.
11. The method of claim 1 wherein the step of storing the first network address includes storing a second network address for the first network device.
12. In a data-over-cable system including a plurality of network devices, a method of authenticating a network device, the method comprising the following steps:
receiving a first network address on a third network device in a first message for a first network device associated with a second network device during an initialization sequence for the first network device;
determining a first unique identifier for the first network device;
storing the first network address and the first unique identifier for the first network device in a first internal table;
storing the first network address for the first network device and a second network address for the second network device in a second internal table on the third network device;
sending the first message to the second network device;
receiving a second message on the third network device from the second network device to authenticate the first network device, wherein the second message includes a second identifier and a third network address for the first network device and a fourth network address for the second network device; and
determining with the first internal table whether the second identifier is equal to the first unique identifier, and if so, determining with the second internal table whether the third network address is equal to the first network address and whether the fourth network address is equal to the second network address, and if so, registering the first network device on the third network device.
adding the first unique identifier to the first message before the first message is sent to the second network device.
15. The method of claim 12 wherein the first unique identifier and the second identifier are Domain Name System identifiers.
16. The method of claim 12 wherein the first network device is customer premise equipment, the second network device is a cable modem, and the third network device is a cable modem termination system.
17. The method of claim 12 wherein the first network address is an Internet Protocol address and the second network address is a Medium Access Protocol address.
18. The method of claim 12 wherein the first internal table is an Address Resolution Protocol table and the second internal table is an Address Resolution Protocol table.
19. The method of claim 12 wherein the first unique identifier and second identifier are Medium Access Protocol addresses.
20. The method of claim 12 wherein the step of determining with the first internal table whether the second identifier is equal to the first unique identifier includes:
performing a reverse Domain Name System lookup on the third network address to obtain the first unique identifier stored in the first internal table associated with the third network address; and
determining whether the first unique identifier from the first internal table is equal to the second identifier from the second message.
21. The method of claim 12 further comprising:
determining with the first internal table whether the second identifier is equal to the first unique identifier, and if not, rejecting registration of the first network device.
22. The method of claim 12 further comprising:
determining with the first internal table whether the second identifier is equal to the first unique identifier, and if so, determining with the second internal table whether the third network address is equal to the first network address and whether the fourth network address is equal to the second network address, and if not, rejecting registration of the first network device.
23. The method of claim 12 wherein the first message is a Dynamic Host Configuration Protocol acknowledge message and the second message is a registration message.
24. The method of claim 12 wherein the first message and the second message are Dynamic Host Configuration Protocol messages.
25. The method of claim 12 wherein the step of determining a first unique identifier for the first network device includes determining the first unique identifier with an existing message field from the first message.
26. In a data-over-cable system with a plurality of network devices including cable modems and customer premise equipment, a method of authenticating a network device, the method comprising the following steps:
receiving a first Internet Protocol address in a Dynamic Host Configuration Protocol acknowledgment message, for customer premise equipment associated with a cable modem on a cable modem termination system during an initialization sequence for the customer premise equipment;
storing the first Internet Protocol address for the customer premise equipment and a first Medium Access Protocol address for the cable modem in an internal table on the cable modem;
receiving a registration message from the cable modem to register the customer premise equipment, wherein the registration message includes a second Internet Protocol address for the customer premise equipment and a second Medium Access Protocol address for the cable modem; and
determining with the internal table whether the second Internet Protocol address is equal to the first Internet Protocol address and whether the first Medium Access Protocol address is equal to the second Medium Access Protocol address, and if so, registering the customer premise equipment on the cable modem termination system, and thereby providing authentication of the Internet Protocol address for customer premise equipment.
28. In a data-over-cable system including a plurality of network devices including cable modems and customer premise equipment, a method of authenticating a network device, the method comprising the following steps:
receiving a Dynamic Host Configuration Protocol acknowledgment message on a cable modem termination system with an Internet Protocol address for customer premise equipment associated with a cable modem during an initialization sequence for the customer premise equipment;
determining a first unique identifier for the customer premise equipment, wherein the first unique identifier is a Medium Access Control address for the customer premise equipment received during an initialization sequence for the customer premise equipment;
storing the Internet Protocol address and the Medium Access Control address for the customer premise equipment in a first internal table;
storing the Internet Protocol address for the customer premise equipment and a Medium Access Protocol address for the cable modem in a second internal table on the cable modem termination system;
optionally adding the first unique identifier to the Dynamic Host Configuration Protocol acknowledgment message;
sending the Dynamic Host Configuration Protocol acknowledgment message to the cable modem, wherein the cable modem forwards the Dynamic Host Configuration Protocol acknowledgment message to the customer premise equipment;
receiving a registration message on the cable modem termination system from the cable modem to register the customer premise equipment, wherein the registration message includes a second identifier and a second Internet Protocol address for the customer premise equipment, and a second Medium Access Protocol address for the cable modem; and
determining with the first internal table whether the second identifier is equal to the first unique identifier, and if so, determining with the second internal table whether the second Internet Protocol address is equal to the first Internet Protocol address and whether the second Medium Access Protocol address is equal to the second Medium Access Protocol address, and if so, registering the customer premise equipment on the cable modem termination system.
30. In a data-over-cable system including a plurality of network devices, a method of authenticating a network device, the method comprising the following steps:
receiving a first message on a second network device with a first network address for a first network device during an initialization sequence for the first network device;
storing the first network address for the first network device and a second network address for the second network device in a first internal table on the second network device; and
adding an entry to a second internal table using the first network address and the second network address.
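The two-stage check of claims 12 and 28 (identifier against a first internal table, then the address pair against a second), modelled from the cable modem termination system's side as an added Python example that is not code from the patent. The class and method names, the sample IP and MAC values, and the use of a plain dictionary lookup in place of the reverse lookup of claim 20 are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Cmts:
    """CMTS-side state; table roles follow the claims, all values are assumed."""
    # first internal table: CPE IP -> CPE MAC (the first unique identifier)
    ip_to_cpe_mac: dict = field(default_factory=dict)
    # second internal table: CPE IP -> MAC of the cable modem it sits behind
    ip_to_cm_mac: dict = field(default_factory=dict)
    registered: set = field(default_factory=set)

    def on_dhcp_ack(self, cpe_ip, cpe_mac, cm_mac):
        """Record both bindings when the DHCP ACK passes through during CPE init."""
        self.ip_to_cpe_mac[cpe_ip] = cpe_mac
        self.ip_to_cm_mac[cpe_ip] = cm_mac

    def on_registration(self, identifier, cpe_ip, cm_mac):
        """Authenticate a registration message relayed by a cable modem.

        Stage 1 (claims 12/20): look the identifier up by IP in the first table
        (a dict lookup here stands in for the reverse lookup of claim 20).
        Stage 2 (claims 1/12): the (CPE IP, CM MAC) pair must match table 2.
        An IP never seen in a DHCP ACK fails stage 1 because .get() yields None.
        """
        if self.ip_to_cpe_mac.get(cpe_ip) != identifier:
            return "rejected: identifier mismatch"
        if self.ip_to_cm_mac.get(cpe_ip) != cm_mac:
            return "rejected: address mismatch"
        self.registered.add(cpe_ip)
        return "registered"


def demo():
    """Constructed sample run: one honest CPE, then three rejected attempts."""
    cmts = Cmts()
    # constructed DHCP ACK: CPE 10.0.0.7 (MAC ...:01) behind cable modem ...:a1
    cmts.on_dhcp_ack("10.0.0.7", "aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:a1")
    return {
        "honest": cmts.on_registration("aa:aa:aa:aa:aa:01", "10.0.0.7", "cc:cc:cc:cc:cc:a1"),
        # same IP and CPE MAC, but relayed by a different cable modem
        "other_modem": cmts.on_registration("aa:aa:aa:aa:aa:01", "10.0.0.7", "cc:cc:cc:cc:cc:b2"),
        # right modem, but the identifier does not match the DHCP-time binding
        "wrong_id": cmts.on_registration("aa:aa:aa:aa:aa:99", "10.0.0.7", "cc:cc:cc:cc:cc:a1"),
        # an IP the CMTS never saw in a DHCP ACK
        "unknown_ip": cmts.on_registration("aa:aa:aa:aa:aa:01", "10.0.0.8", "cc:cc:cc:cc:cc:a1"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} {outcome}")
```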
Specification