Cryptographic peer discovery, authentication, and authorization for on-path signaling
First Claim
1. A method for secure network device policy configuration, the method comprising the computer-implemented steps of:
storing a mapping between a group identifier and a particular cryptographic key, wherein the group identifier identifies a group of three or more network devices;
intercepting, at an intermediary network device, one or more data packets that (a) are addressed to a destination device other than the intermediary network device, (b) collectively contain a request, and (c) collectively contain the group identifier;
selecting, from among one or more cryptographic keys that are stored at the intermediary network device, the particular cryptographic key that is mapped to the group identifier;
sending, toward an upstream device that sent the one or more data packets toward the intermediary network device, a first message that contains a first challenge;
receiving a second message that contains a first response;
generating a verification value based on (a) the particular cryptographic key and (b) the first challenge;
determining whether the first response matches the verification value; and
in response to determining that the first response matches the verification value, performing particular steps comprising:
selecting, from among one or more authorization sets, a particular authorization set that is mapped to the group identifier;
determining whether the request is allowed by the particular authorization set; and
in response to determining that the request is allowed by the particular authorization set, configuring, based on the request, a policy of the intermediary network device.
Abstract
A method is disclosed for cryptographic peer discovery, authentication, and authorization. According to one embodiment, a data packet, which is addressed to a destination device other than an intermediary network device, is intercepted at the intermediary network device. The data packet contains a request and a group identifier. A shared secret cryptographic key, which is mapped to the group identifier, is selected. A challenge is sent toward an upstream device from whence the data packet came. A response is received. A verification value is generated based on the cryptographic key and the challenge. It is determined whether the response matches the verification value. If the response matches the verification value, then it is determined whether the request is allowed by an authorization set that is mapped to the group identifier. If the request is allowed, then a policy of the intermediary network device is configured based on the request.
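The intermediary-side decision flow described in the abstract, written as an added example (not code from the patent or its assignee): key and authorization set are both looked up by group identifier, the upstream sender proves knowledge of the group key through a fresh challenge, and a policy change is applied only after the response verifies and the request is in the group's authorization set. The patent does not specify how the verification value is derived; HMAC-SHA256 over the challenge, the group identifiers, keys and request names below are all constructed assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed sample state for the intermediary device (assumption, not from
# the patent): one shared secret and one authorization set per group identifier.
GROUP_KEYS = {
    "group-a": b"constructed-shared-secret-for-group-a",
    "group-b": b"constructed-shared-secret-for-group-b",
}
GROUP_AUTHZ = {
    "group-a": {"reserve-bandwidth", "set-dscp"},
    "group-b": {"set-dscp"},
}


def make_challenge() -> bytes:
    # A fresh random nonce per intercepted request, so a captured response
    # is useless against any later challenge.
    return secrets.token_bytes(32)


def compute_response(key: bytes, challenge: bytes) -> bytes:
    # Assumption: verification value = HMAC-SHA256(key, challenge).
    return hmac.new(key, challenge, hashlib.sha256).digest()


def authorize_request(group_id: str, request: str, challenge: bytes, response: bytes):
    """Return (allowed, reason); a policy may be configured only when allowed is True."""
    key = GROUP_KEYS.get(group_id)
    if key is None:
        return False, "unknown group identifier"
    expected = compute_response(key, challenge)
    # Constant-time comparison of the received response with the verification value.
    if not hmac.compare_digest(expected, response):
        return False, "challenge response mismatch"
    # Authentication passed; now check the request against the group's authorization set.
    if request not in GROUP_AUTHZ.get(group_id, set()):
        return False, "request not in group authorization set"
    return True, "policy configured"


def handle_intercepted_packet(group_id, request, upstream_responder, policy_table):
    """Simulate the intercept: issue a challenge, obtain the upstream device's
    response (a callable stands in for the network exchange), then decide."""
    challenge = make_challenge()
    response = upstream_responder(challenge)
    allowed, reason = authorize_request(group_id, request, challenge, response)
    if allowed:
        policy_table[request] = group_id  # the configured policy, recorded per request
    return allowed, reason
```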
21 Claims
1. A method for secure network device policy configuration, the method comprising the computer-implemented steps of:
storing a mapping between a group identifier and a particular cryptographic key, wherein the group identifier identifies a group of three or more network devices;
intercepting, at an intermediary network device, one or more data packets that (a) are addressed to a destination device other than the intermediary network device, (b) collectively contain a request, and (c) collectively contain the group identifier;
selecting, from among one or more cryptographic keys that are stored at the intermediary network device, the particular cryptographic key that is mapped to the group identifier;
sending, toward an upstream device that sent the one or more data packets toward the intermediary network device, a first message that contains a first challenge;
receiving a second message that contains a first response;
generating a verification value based on (a) the particular cryptographic key and (b) the first challenge;
determining whether the first response matches the verification value; and
in response to determining that the first response matches the verification value, performing particular steps comprising:
selecting, from among one or more authorization sets, a particular authorization set that is mapped to the group identifier;
determining whether the request is allowed by the particular authorization set; and
in response to determining that the request is allowed by the particular authorization set, configuring, based on the request, a policy of the intermediary network device.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. An apparatus for secure network device policy configuration, comprising:
means for storing a mapping between a group identifier and a particular cryptographic key, wherein the group identifier identifies a group of three or more network devices;
means for intercepting, at an intermediary network device, one or more data packets that (a) are addressed to a destination device other than the intermediary network device, (b) collectively contain a request, and (c) collectively contain the group identifier;
means for selecting, from among one or more cryptographic keys that are stored at the intermediary network device, the particular cryptographic key that is mapped to the group identifier;
means for sending, toward an upstream device that sent the one or more data packets toward the intermediary network device, a first message that contains a first challenge;
means for receiving a second message that contains a first response;
means for generating a verification value based on (a) the particular cryptographic key and (b) the first challenge;
means for determining whether the first response matches the verification value; and
means for selecting, in response to determining that the first response matches the verification value, and from among one or more authorization sets, a particular authorization set that is mapped to the group identifier;
means for determining, in response to determining that the first response matches the verification value, whether the request is allowed by the particular authorization set; and
means for configuring, in response to determining that the first response matches the verification value, in response to determining that the request is allowed by the particular authorization set, and based on the request, a policy of the intermediary network device.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. An apparatus for secure network device policy configuration, comprising:
a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
a processor;
one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
storing a mapping between a group identifier and a particular cryptographic key, wherein the group identifier identifies a group of three or more network devices;
intercepting, at an intermediary network device, one or more data packets that (a) are addressed to a destination device other than the intermediary network device, (b) collectively contain a request, and (c) collectively contain the group identifier;
selecting, from among one or more cryptographic keys that are stored at the intermediary network device, the particular cryptographic key that is mapped to the group identifier;
sending, toward an upstream device that sent the one or more data packets toward the intermediary network device, a first message that contains a first challenge;
receiving a second message that contains a first response;
generating a verification value based on (a) the particular cryptographic key and (b) the first challenge;
determining whether the first response matches the verification value; and
in response to determining that the first response matches the verification value, performing particular steps comprising:
selecting, from among one or more authorization sets, a particular authorization set that is mapped to the group identifier;
determining whether the request is allowed by the particular authorization set; and
in response to determining that the request is allowed by the particular authorization set, configuring, based on the request, a policy of the intermediary network device.
Dependent claims: 16, 17, 18, 19, 20, 21.
Specification