Network connectable device and method for its installation and configuration
Abstract
A network device (100, 300) is connected to a network (102) having also a management station (107) connected thereto. The method for configuring the network device comprises the steps of
transmitting from the management station a configuration packet to the network device (201),
authenticating at the network device the management station as the genuine transmitter of the configuration packet (202) and
decoding the configuration parameters contained in said configuration packet and storing them as the configuration parameters of the network device (203).
16 Claims
1. A network device for connecting to a network, said network device requiring certain configuration parameters to be stored therein for proper functioning, comprising
a physical network interface, a device identifier observation circuit in said network device for reading device identifiers from received packets and recognizing packets containing a device identifier of said network device as being directed to said network device, and a computing block;
and wherein said computing block is structured or programmed to authenticate received packets as coming from a reliable source authorized to configure said network device by computing computed device identifiers from cryptographic keys derived from recognized packets and to compare said computed device identifiers against locally stored known device identifiers which identify authentic transmitting parties authorized to configure said network device, said locally stored known device identifiers being compared by said computing block to said computed device identifiers for authentication of transmitting parties, and if a received packet is authenticated in this way, using configuration data therein to configure said network device.
Dependent claims: 2, 3, 4
5. A method of configuring a network device coupled to a network from a remote management station also coupled to said network to which said network device is coupled, comprising:
transmitting from a management station coupled to a network to a network device to be configured or reconfigured and also coupled to said network a configuration packet containing a device identifier unique to the network device to be configured, and containing configuration data for said network device;
at said network device to be configured or reconfigured, recognizing the device identifier in said configuration packet as said device identifier assigned to the network device to be configured or reconfigured; and
using said configuration data of said configuration packet which contains a device identifier unique to said network device to be configured or reconfigured to configure said network device and wherein said network has a broadcast address, and wherein said step of transmitting said configuration packet comprises a step of broadcasting said configuration packet to said broadcast address of said network, and wherein said step of recognizing said device identifier comprises examining each received broadcast packet and discarding packets that do not contain said device identifier of said network device to be configured or reconfigured.
6. A method of configuring a network device coupled to a network from a remote management station also coupled to said network to which said network device is coupled, comprising:
transmitting from a management station coupled to a network to a network device to be configured or reconfigured and also coupled to said network a configuration packet containing a device identifier unique to the network device to be configured, and containing configuration data for said network device;
at said network device to be configured or reconfigured, recognizing the device identifier in said configuration packet as said device identifier assigned to the network device to be configured or reconfigured; and
using said configuration data of said configuration packet which contains a device identifier unique to said network device to be configured or reconfigured to configure said network device and wherein said network has a broadcast address, and wherein said step of transmitting said configuration packet comprises a step of broadcasting said configuration packet to said broadcast address of said network, and wherein said step of recognizing said device identifier comprises examining each received broadcast packet and discarding packets that do not contain said device identifier of said network device to be configured or reconfigured and further comprising a step of authenticating said configuration packet as being from said management station and not from some other source not authorized to configure said network device.
7. A method for configuring a network device coupled to a network, comprising:
configuring a network device before installation on a network to operate in a dummy mode upon initial installation on said network such that said network device only reads device identifiers in received packets but does not otherwise process any data therein or processes data in received packets in only a factory-configured manner, and wherein said network has a broadcast address;
transmitting a configuration packet containing configuration data for said network device to be configured from a management station coupled to said network to said broadcast address of said network on which said network device to be configured resides, said configuration packet containing an identifying code of said network device to be configured or data derived from a cryptographic public key from which said device identifier of said network device to be configured can be derived;
at said network device to be configured, receiving said configuration packet transmitted to said broadcast address of said network, and authenticating said management station from which said configuration packet was sent by deriving said device identifier from said identifying code or said data derived from said cryptographic public key and comparing said device identifier so derived to said device identifier of said network device to be configured, and discarding any packet which does not contain a device identifier matching said device identifier of said network device to be configured;
using or decrypting and using said configuration data contained in said configuration packet to configure said network device.
8. A method for configuring a network device, comprising:
(1) configuring a network device before installation on a network to operate in a dummy mode upon initial installation on said network such that said network device reads device identifiers in received packets but does not otherwise process any data therein or processes data in received packets in only a factory-configured manner, and wherein said network has a broadcast address;
(2) transmitting a configuration packet containing configuration data for said network device to be configured from a management station coupled to said network to either said broadcast address of said network on which said network device to be configured resides or directly to said network address of said network device to be configured if said network device is initially configured to operate in dummy mode but to have a network address, said configuration packet containing a public key of said management station and data derived from a cryptographic public key from which said device identifier of said network device to be configured can be derived or said device identifier itself of said network device to be configured or an identification code corresponding to said device identifier of said network device to be configured;
(3) at said network device to be configured, receiving said configuration packet transmitted to said broadcast address or transmitted directly to said network address of said network device to be configured and deriving or reading the device identifier therein and comparing the device identifier so read or computed to said device identifier of said network device to be configured, and discarding any packets which do not match;
(4) using said public key contained in any configuration packets retained after step (3) to authenticate said management station from which said configuration packet was sent by deriving said device identifier from said public key transmitted with said configuration packet and either comparing said device identifier so derived to said device identifier of said management station which has been prestored in said network device to be configured or displaying said device identifier computed from said public key and waiting for a user to manually verify that said displayed device identifier computed from said public key is correct or otherwise authenticating that said configuration packet definitely came from said management station in any other known way, and discarding any packet which does not contain a device identifier matching said device identifier of said management station;
using or decrypting and using said configuration data contained in said configuration packet to configure said network device to create a newly configured network device.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A method for configuring a network device, comprising:
(1) configuring a network device before installation on a network to operate in a dummy mode upon initial installation such that said network device only reads device identifiers in received packets but does not otherwise process any data therein or processes data in received packets in only a factory-configured manner, said network having a broadcast address;
(2) transmitting a packet from a management station coupled to said network to either said broadcast address of said network on which said network device to be configured resides or directly to a network address of said network device to be configured if said network device is initially configured to operate in dummy mode but to have a network address on said network, said configuration packet containing configuration data for said network device and a public key of said management station and a device identifier for said network device to be configured, said device identifier for said network device to be configured being either a cryptographic public key or derived from a cryptographic public key or a certificate accompanying said cryptographic public key, or an identification code corresponding to said device identifier;
(3) at the network device to be configured, receiving said configuration packet sent to said broadcast address of said network, or sent directly to said network device's network address and deriving or reading the device identifier therein and comparing said device identifier so read or computed to said device identifier of said network device to be configured, and discarding any packets which do not match;
(4) using said cryptographic public key contained in any configuration packets retained after step (3) to authenticate said management station from which said configuration packet was sent by deriving said device identifier from said cryptographic public key transmitted with said configuration packet and either comparing said device identifier so derived to a prestored device identifier of said management station or displaying said device identifier computed from said public key and waiting for a user to manually verify that the device identifier so displayed is correct or otherwise authenticating that said configuration packet definitely came from said management station in any other known way, and discarding any packet which does not contain a device identifier matching said device identifier of said management station;
(5) sending a reply packet from said network device to said management station, said reply packet including a public key for said network device;
(6) computing a shared secret in said network device from said public key of said management station, and computing a shared secret in said management station from said public key of said network device;
(7) setting up a secure communication link between said management station and said network device using said shared secret to authenticate and/or encrypt packets to be exchanged;
(8) sending a configuration packet to said network device to be configured;
(9) authenticating and/or decrypting said configuration packet using said shared secret, and, if authentic, using said configuration data contained in said configuration packet to configure said network device.
16. A method for configuring a network device, comprising:
(1) configuring a network device before installation on a network and a management station also on said network to have a shared secret key stored in tamper resistant manner, said network having a broadcast address;
(2) configuring said network device to operate in a dummy mode upon initial installation such that said network device only reads device identifiers in received packets but does not otherwise process any data therein or processes data in received packets in only a factory-configured manner;
(3) transmitting a configuration packet from said management station to either said broadcast address of the network on which said network device to be configured resides or directly to a network address of said network device to be configured if said network device is initially configured to operate in dummy mode but to have a network address, said configuration packet containing configuration data for said network device and the device identifier for said network device to be configured or cryptographic data from which said device identifier can be computed;
(4) at said network device to be configured, receiving said configuration packet transmitted to said broadcast address or said configuration packet transmitted directly to said network address of said network device to be configured and deriving or reading said device identifier therein and comparing said device identifier so read or computed to said device identifier of said network device to be configured, and discarding any packets which do not match;
(5) using said secret key stored in said network device to authenticate the source of said configuration packet as coming from said management station and discarding said configuration packet if it did not come from said management station;
(6) authenticating and/or decrypting said configuration packet using said secret key, and, if authentic, using said configuration data contained in said configuration packet to configure said network device or simply using said configuration data in said configuration packet to configure said network device if said configuration data is not encrypted.
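The exchange of claim 15, steps 2 through 9, together with the public-key-derived device identifier of claims 7 and 8 and the prestored-secret-key authentication of claim 16, as an added example in Go. This is not code from the patent or from any product of its assignee, and the claims fix none of the primitives used here: X25519 for the shared secret of step 6, SHA-256 of a public key as the "device identifier derived from a cryptographic public key", HMAC-SHA256 as the "authenticating and/or decrypting" of step 9, and the `Packet` layout are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Packet is a hypothetical wire format for the claims' configuration packets; the patent fixes none.
type Packet struct {
	TargetID  []byte // identifier of the device the packet is meant for (step 3)
	SenderPub []byte // sender's X25519 public key (steps 2 and 4)
	Config    []byte // configuration data
	MAC       []byte // HMAC-SHA256 over the fields above (step 9; claim 16 steps 5-6)
}

// DeviceID derives an identifier from a public key; SHA-256 is this example's assumption.
func DeviceID(pub []byte) []byte {
	sum := sha256.Sum256(pub)
	return sum[:]
}

// newKey generates an X25519 key pair; a failing CSPRNG is fatal.
func newKey() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// SharedSecret is the X25519 agreement both sides run in step 6.
func SharedSecret(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// ComputeMAC keys HMAC-SHA256 with the ECDH secret (claim 15) or the prestored key (claim 16); a real design would run a KDF first.
func ComputeMAC(key []byte, p Packet) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(p.TargetID)
	m.Write(p.SenderPub)
	m.Write(p.Config)
	return m.Sum(nil)
}

// FromAuthorizedStation is step 4: recompute the sender's identifier from its public key and match it against the prestored ones.
func FromAuthorizedStation(p Packet, knownStations [][]byte) bool {
	for _, known := range knownStations {
		if bytes.Equal(DeviceID(p.SenderPub), known) {
			return true
		}
	}
	return false
}

// OpenConfig is step 9 (claim 16 step 6): release the configuration only if the MAC verifies under key.
func OpenConfig(key []byte, p Packet) ([]byte, error) {
	if !hmac.Equal(p.MAC, ComputeMAC(key, p)) {
		return nil, errors.New("configuration packet failed authentication; discarded")
	}
	return p.Config, nil
}

// Provision runs the claim-15 exchange in one process (station and device are X25519 key pairs) and returns what the device accepted.
func Provision(cfg []byte) ([]byte, error) {
	station, device := newKey(), newKey()
	stationPub, deviceID := station.PublicKey().Bytes(), DeviceID(device.PublicKey().Bytes())
	hello := Packet{TargetID: deviceID, SenderPub: stationPub} // step 2, broadcast
	// Step 3: a device in dummy mode reads only the identifier; step 4 then authenticates the sender
	// against the station identifier prestored at manufacture.
	if !bytes.Equal(hello.TargetID, deviceID) || !FromAuthorizedStation(hello, [][]byte{DeviceID(stationPub)}) {
		return nil, errors.New("broadcast packet discarded")
	}
	deviceShared, err := SharedSecret(device, hello.SenderPub) // step 6, device side
	if err != nil {
		return nil, err
	}
	stationShared, err := SharedSecret(station, device.PublicKey().Bytes()) // steps 5-6, station side
	if err != nil {
		return nil, err
	}
	conf := Packet{TargetID: deviceID, SenderPub: stationPub, Config: cfg} // step 8
	conf.MAC = ComputeMAC(stationShared, conf)
	return OpenConfig(deviceShared, conf) // step 9
}

func main() {
	cfg, err := Provision([]byte("ip=192.0.2.10 gw=192.0.2.1"))
	fmt.Printf("device accepted %q (err: %v)\n", cfg, err)
}
```

The MAC covers the target identifier as well as the configuration, so a configuration packet captured for one device fails step 9 when replayed to another. Claim 16 differs only in where the MAC key comes from: `OpenConfig` is called with the secret key stored in tamper-resistant memory at manufacture instead of the X25519 output, and steps 5 through 7 of claim 15 are skipped.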