Method for packet authentication in the presence of network address translations and protocol conversions
Abstract
For achieving packet authentication according to an applicable security policy between a sending node (903) and a receiving node (902) in a network, the following steps are taken:
the transformations occurring to a packet en route between the sending node and the receiving node are discovered dynamically (1003, 1004),
the discovered transformations are checked (1004) to be acceptable based on the applicable security policy, and
the dynamically discovered, acceptable transformations are compensated for (1004, 1006) before authenticating packets transmitted from the sending node to the receiving node.
22 Claims
- 1. A method for achieving packet authentication according to an applicable security policy between a sending node (903) and a receiving node (902) in a network which includes entities which carry out transformations on packets, characterised in that it comprises the steps of dynamically discovering (1003, 1004) said transformations occurring to a packet en route between said sending node and said receiving node, checking (1004) that transformations which have occurred on packets (hereafter dynamically discovered, acceptable transformations) are acceptable based on the applicable security policy, and compensating (1004, 1006) for said dynamically discovered, acceptable transformations before authenticating packets transmitted from said sending node to said receiving node.
- 20. A method for achieving packet authentication for packets comprising a header structured according to an applicable security policy and transmitted between a sending node (903) and a receiving node (902) in a network wherein transformation on contents of said packets occurs as said packets propagate across a data path coupling said sending node to said receiving node, characterised in that said packet authentication method comprises inclusion in each said packet of a message authentication code (MAC) computed using an authentication code mechanism that does not include said packet header in the data used to calculate said message authentication code, discovering transformations that occur on said content of said packets as they propagate across a data path coupling said sending node to said receiving node, and determining whether said discovered transformations are acceptable based on said applicable security policy, and compensating for any acceptable transformations in said packets before authenticating packets transmitted from said sending node to said receiving node by decrypting said message authentication code using a secret shared by both said sending node and said receiving node.
- 21. A network device (1300) for transmitting digital information in packet authenticated form according to an applicable security policy to another network device in a network wherein transformations on content of packets occur as said packets propagate from said network device to said another network device, characterised in that it comprises means (1305, 1306, 1307) for dynamically discovering said transformations occurring to a packet en route between said network device and said another network device, checking that said discovered transformations are acceptable based on said applicable security policy, said transformations being hereafter referred to as dynamically discovered, acceptable transformations, and compensating for said dynamically discovered, acceptable transformations before transmitting packets to be authenticated to said another network device.
- 22. A network device (1300) for receiving digital information in packet authenticated form according to an applicable security policy from a sending network device in a network wherein transformation on content of packets occurs as they propagate to said network device from said sending network device, characterised in that it comprises means (1305, 1306, 1307) for dynamically discovering said transformations occurring to a packet en route between said network device and said sending network device, checking that said discovered transformations are acceptable based on the applicable security policy, said discovered transformations that are deemed acceptable being hereafter referred to as dynamically discovered, acceptable transformations, and compensating for said dynamically discovered, acceptable transformations before authenticating packets received from said sending network device.
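A constructed model of the three claimed steps (discover the en-route rewrite with a probe, check it against the security policy, compensate for it before verifying the MAC), added here as an illustration and not code from the patent: the Packet layout, the probe payload format, the HMAC-SHA256 MAC and the policy expressed as a set of header fields allowed to change are all assumptions.

```python
import hmac, hashlib, struct, ipaddress
from dataclasses import dataclass, replace
KEY = b"constructed-shared-secret"   # secret shared by sender and receiver (constructed)

@dataclass(frozen=True)
class Packet:                        # minimal stand-in for an IP/UDP header plus payload
    src: str; dst: str; sport: int; dport: int; payload: bytes; mac: bytes = b""

def header_bytes(p: Packet) -> bytes:
    return (ipaddress.ip_address(p.src).packed + ipaddress.ip_address(p.dst).packed
            + struct.pack("!HH", p.sport, p.dport))

def mac_of(p: Packet, key: bytes = KEY) -> bytes:
    # MAC covers header and payload, so an uncompensated NAT rewrite would break it.
    return hmac.new(key, header_bytes(p) + p.payload, hashlib.sha256).digest()

def nat(p: Packet, new_src: str, new_sport: int) -> Packet:
    return replace(p, src=new_src, sport=new_sport)   # the transforming middlebox

def discover(probe: Packet) -> dict:
    # Discovery: the probe payload carries the sender's own view of its header, so every
    # field that differs from what the receiver observes was rewritten en route.
    src, sport = probe.payload.decode().split(":")
    claimed = {"src": src, "sport": int(sport)}
    return {f: (v, getattr(probe, f)) for f, v in claimed.items() if v != getattr(probe, f)}

def compensate(p: Packet, transformation: dict) -> Packet:
    # Restore pre-translation header values so the MAC input matches the sender's.
    return replace(p, **{f: orig for f, (orig, _) in transformation.items()})

def authenticate(p: Packet, transformation: dict, policy: frozenset, key: bytes = KEY) -> bool:
    if not set(transformation) <= policy:              # policy check precedes the MAC check
        return False
    return hmac.compare_digest(mac_of(compensate(p, transformation), key), p.mac)

def demo() -> tuple:
    policy = frozenset({"src", "sport"})               # policy: source NAT only
    inner = Packet("10.0.0.5", "198.51.100.7", 40000, 500, b"")
    # 1. discovery probe: payload states the sender's own (pre-NAT) source address/port
    probe = nat(replace(inner, payload=b"10.0.0.5:40000"), "203.0.113.9", 61000)
    tx = discover(probe)                               # {'src': (...), 'sport': (...)}
    # 2. data packet signed before the NAT, translated en route, verified after compensation
    signed = replace(inner, payload=b"hello"); signed = replace(signed, mac=mac_of(signed))
    data = nat(signed, "203.0.113.9", 61000)
    ok = authenticate(data, tx, policy)
    # 3. a hop that also alters the payload cannot be compensated: MAC mismatch
    bad_payload = authenticate(replace(data, payload=b"hellO"), tx, policy)
    # 4. a rewrite the policy does not allow (destination NAT) is rejected before verifying
    dnat_tx = {**tx, "dst": ("198.51.100.7", "192.0.2.1")}
    bad_policy = authenticate(replace(data, dst="192.0.2.1"), dnat_tx, policy)
    return ok, bad_payload, bad_policy
```

Claim 20's variant, a MAC that excludes the header entirely, needs no compensation step but also cannot detect header rewrites the policy forbids; the model above shows why the policy check has to run before the MAC check either way.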