System, device, and method for controlling access in a multicast communication network

US 7,360,084 B1
Filed: 09/12/2000
Issued: 04/15/2008
Est. Priority Date: 05/15/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A communication system comprising:

a rendezvous point device that forwards multicast communication messages to members of a shared tree and is a root of the shared tree;

a designated device in communication with the rendezvous point device via a number of intermediate devices; and

a host device in communication with the designated device, wherein to join the shared tree;

the host device forwards an authentication key, uniquely generated by a key server for the host device, to the designated device;

the host device sends a join request to the designated device using a predetermined multicast group management protocol in order to join the shared tree for receiving the multicast communication messages forwarded by the rendezvous point device, the join request including the authentication key;

the designated device receives the join request and forwards to the rendezvous point device via the number of intermediate devices an encoded join request, wherein the encoded join request comprises a tag field computed using a keyed hashed function and the authentication key;

the rendezvous point device receives the encoded join request and authenticates the encoded join message-by comparing the authentication key received in the tag against a stored authentication key associated with the host device;

whereinthe host device is prevented from receiving the multicast communication messages forwarded by the rendezvous point device, if the rendezvous point device determines that the encoded join message is not authentic.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, device, and method for controlling access in a multicast communication network uses a centralized host authentication scheme to prevent unauthorized hosts from joining a shared multicast distribution tree. Each authorized host is allocated a unique authentication key, which is used by the designated router to encode the PIM join message and by the rendezvous point router to authenticate the PIM join message. If the PIM join message is authentic, then each PIM router from the rendezvous point router to the designated router establishes appropriate multicast routes to route multicast packets to the host. If the PIM join message is not authentic, then multicast packets are prevented from reaching the host.

112 Citations

View as Search Results

43 Claims

1. A communication system comprising:
- a rendezvous point device that forwards multicast communication messages to members of a shared tree and is a root of the shared tree;
  
  a designated device in communication with the rendezvous point device via a number of intermediate devices; and
  
  a host device in communication with the designated device, wherein to join the shared tree;
  
  the host device forwards an authentication key, uniquely generated by a key server for the host device, to the designated device;
  
  the host device sends a join request to the designated device using a predetermined multicast group management protocol in order to join the shared tree for receiving the multicast communication messages forwarded by the rendezvous point device, the join request including the authentication key;
  
  the designated device receives the join request and forwards to the rendezvous point device via the number of intermediate devices an encoded join request, wherein the encoded join request comprises a tag field computed using a keyed hashed function and the authentication key;
  
  the rendezvous point device receives the encoded join request and authenticates the encoded join message-by comparing the authentication key received in the tag against a stored authentication key associated with the host device;
  
  whereinthe host device is prevented from receiving the multicast communication messages forwarded by the rendezvous point device, if the rendezvous point device determines that the encoded join message is not authentic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The communication system of claim 1, wherein the key server provides the authentication key to both the host device and the rendezvous point device using a secure key distribution mechanism.
  - 3. The communication system of claim 1, wherein the host device sends the authentication key to the designated device in the join request.
  - 4. The communication system of claim 3, wherein the predetermined multicast group management protocol is an extended Internet Group Management Protocol (IGMP) including means for including the authentication key in the join request.
  - 5. The communication system of claim 1, wherein the designated device joins the shared tree on behalf of the host device.
  - 6. The communication system of claim 5, wherein the designated device establishes appropriate multicast routes for forwarding multicast communication messages to the host.
  - 7. The communication system of claim 1, wherein each intermediate device receives the encoded join request and forwards the encoded join request toward the rendezvous point device.
  - 8. The communication system of claim 7, wherein each intermediate device that is not already joined to the shared tree joins the shared tree on behalf of the host device and establishes appropriate multicast routes for forwarding multicast communication messages toward the host device upon receiving the encoded join request.
  - 9. The communication system of claim 7, wherein each intermediate device that is already joined to the shared tree waits for an explicit acknowledgment message from the rendezvous point device and establishes appropriate multicast routes for forwarding multicast communication messages toward the host device only upon receiving the explicit acknowledgment message from the rendezvous point device.
  - 10. The communication system of claim 1, wherein the rendezvous point device sends an explicit acknowledgment message toward the host device upon determining that the encoded join request is authentic.

11. A method comprising:
- obtaining an authentication key uniquely associated with a host device from a key server along with a group membership key following authentication of the host device by the key server; and
  
  sending a join request to a designated device using a predetermined multicast group management protocol, the join request including the authentication key for use by the designated device for encoding the join message prior to forwarding of the join message to a rendezvous point wherein the join message is encoded by inserting a tag field computed using a keyed hash function and the authentication key.
- View Dependent Claims (12)
- - 12. The method of claim 11, wherein the predetermined multicast group management protocol is an extended Internet Group Management Protocol (IGMP) including means for including the authentication key in the join request.

13. An apparatus comprising:
- receiving logic operably coupled to receive an authentication key uniquely generated for the apparatus and to receive a group membership key from a key server following authentication of the host device by the key server; and
  
  joining logic operably coupled to send a join request to a designated device using a predetermined multicast group management protocol, the join request including the authentication key for use by the designated device for encoding the join message prior to forwarding of the join message to a rendezvous point, to enable authentication of the join message at the rendezvous point by comparison of the authentication key associated with the host device against a stored key associated with the apparatus.
- View Dependent Claims (14)
- - 14. The apparatus of claim 13, wherein the predetermined multicast group management protocol is an extended Internet Group Management Protocol (IGMP) including means for including the authentication key in the join request.

15. A method of authentication a host device for access to a shared tree comprising:
- receiving a join request from a host device;
  
  generating an encoded join request using an authentication key uniquely associated with the host device, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication key, the authentication key being received together with a group key by the host device following authentication of the host device by a key server and forwarded in the join request from the host device; and
  
  sending the encoded join request toward a rendezvous point device at the root of the shared tree to enable authentication of the join message at the rendezvous by comparing the authentication key uniquely associated with the host device against a stored authentication key associated with the host device at the rendezvous point.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15, wherein the join request includes the authentication key.
  - 17. The method of claim 15, further comprising:
    - joining a shared tree on behalf of the host device and establishing appropriate multicast routes for forwarding multicast communication messages to the host device.

18. An apparatus for securing a shared tree comprising:
- receiving logic operably coupled to receive a join request from a host device;
  
  encoding logic operably coupled to generate an encoded join request using an authentication key uniquely associated with the host device, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication key, the authentication key being received by the host device following authentication of the host device by a key server and forwarded in the join request from the host device; and
  
  sending logic operably coupled to send the encoded join request toward a rendezvous point device at the root of the shared tree to enable authentication of the join message at the rendezvous point by comparing the authentication key associated with the host device against a stored authentication key associated with the host at the rendezvous point.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 18, wherein the join request includes the authentication key.
  - 20. The apparatus of claim 18, further comprising:
    - joining logic operably coupled to join a shared tree on behalf of the host device; and
      
      routing logic operably coupled to establish appropriate multicast routes for forwarding multicast communication messages to the host device.

21. A computer readable medium having embodied therein a computer program for controlling a computer system, the computer program comprising:
- receiving logic programmed to receive a join request from a host device;
  
  encoding logic programmed to generate an encoded join request using an authentication key uniquely associated with the host device, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication key, the authentication key being received by the host device together with a group key following authentication of the host device by a key server and forwarded in the join request from the host device; and
  
  sending logic programmed to send the encoded join request toward a rendezvous point device to enable authentication of the join message at the rendezvous point by comparing the authentication key associated with the host device against a stored key associated with the host device at the rendezvous point.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The computer readable medium of claim 21, wherein the join request includes the authentication key.
  - 23. The computer readable medium of claim 21, further comprising:
    - joining logic operably coupled to join a shared tree on behalf of the host device; and
      
      routing logic operably coupled to establish appropriate multicast routes for forwarding multicast communication messages to the host device.
  - 24. The computer readable medium of claim 21, wherein the computer readable medium is a computer storage medium.
  - 25. The computer readable medium of claim 21, wherein the computer readable medium is a computer communication medium.

26. A method comprising:
- receiving, from a designated routing device coupled to a host, an encoded join request for the host device, the encoded join request being encoded by the designated routing device using an authentication key uniquely associated with the host, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication, the authentication key being received by the host device following authentication of the host device by a key server and forwarded in a join request forwarded from host device to the designated routing device;
  
  authenticating the encoded join request using the host device authentication key to determine whether or not the encoded join request is authentic by comparing the authentication key against a stored authentication key uniquely associated with the host; and
  
  establishing appropriate multicast routes for forwarding multicast communication messages to the host device if and only if the encoded join request is determined to be authentic.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The method of claim 26, wherein authenticating the encoded join request comprises:
    - maintaining a number of authentication keys uniquely associated with a corresponding number of host devices;
      
      determining the host device for the encoded join request; and
      
      searching a storage device for an authentication key uniquely associated with the host device.
  - 28. The method of claim 27, wherein authenticating the encoded join request further comprises:
    - failing to find an authentication key associated with the host device; and
      
      determining that the encoded join request is not authentic.
  - 29. The method of claim 27, wherein authenticating the encoded join request further comprises:
    - finding an authentication key associated with the host device; and
      
      authenticating the encoded join request using the authentication key associated with the host device.
  - 30. The method of claim 26, further comprising:
    - sending an explicit acknowledgment toward the host device if and only if the encoded join request is determined to be authentic.

31. An apparatus comprising:
- receiving logic operably coupled to receive an encoded join request for a host device, the encoded join request being encoded and forwarded by a designated routing device coupled to the host device using an authentication key uniquely associated with the host device, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication key, the authentication key being received by the host device following authentication of the host device by a key server and forwarded in a join request forwarded from host device to the designated routing device;
  
  authenticating logic operably coupled to authenticate the encoded join request by comparing the host device authentication key to a stored authentication key associated with the host device to determine whether or not the encoded join request is authentic; and
  
  routing logic operably coupled to establish appropriate multicast routes for forwarding multicast communication messages to the host device if and only if the encoded join request is determined to be authentic.
- View Dependent Claims (32, 33, 34, 35)
- - 32. The apparatus of claim 31, wherein the authenticating logic is operably coupled to maintain a number of authentication keys, determine the host device for the encoded join request, and search for an authentication key associated with the host device.
  - 33. The apparatus of claim 32, wherein the authenticating logic is operably coupled to determine that the encoded join request is not authentic if the authenticating logic fails to find an authentication key associated with the host device.
  - 34. The apparatus of claim 32, wherein the authenticating logic is operably coupled to authenticate the encoded join request using an authentication key associated with the host device if the authenticating logic finds the authentication key associated with the host device.
  - 35. The apparatus of claim 31, further comprising:
    - acknowledgment logic operably coupled to send an explicit acknowledgment toward the host device if and only if the encoded join request is determined to be authentic.

36. A computer readable medium having embodied therein a computer program for controlling a computer system, the computer program comprising:
- receiving logic programmed to receive an encoded join request for a host device, the encoded join request being encoded and forwarded by a designated routing device coupled to the host device using an authentication key uniquely associated with the host device, the authentication key being received by the host device together with a group key following authentication of the host device by a key server and forwarded in a join request forwarded from host device to the designated routing device;
  
  authenticating logic programmed to authenticate the encoded join request by comparing the host device authentication key against a stored authentication key associated with the host device to determine whether or not the encoded join request is authentic; and
  
  routing logic programmed to establish appropriate multicast routes for forwarding multicast communication messages to the host device if and only if the encoded join request is determined to be authentic.
- View Dependent Claims (37, 38, 39, 40, 41, 42)
- - 37. The computer readable medium of claim 36, wherein the authenticating logic is programmed to maintain a number of authentication keys, determine the host device for the encoded join request, and search for an authentication key associated with the host device.
  - 38. The computer readable medium of claim 37, wherein the authenticating logic is programmed to determine that the encoded join request is not authentic if the authenticating logic fails to find an authentication key associated with the host device.
  - 39. The computer readable medium of claim 37, wherein the authenticating logic is programmed to authenticate the encoded join request using an authentication key associated with the host device if the authenticating logic finds the authentication key associated with the host device.
  - 40. The computer readable medium of claim 36, further comprising:
    - acknowledgment logic programmed to send an explicit acknowledgment toward the host device if and only if the encoded join request is determined to be authentic.
  - 41. The computer readable medium of claim 36, wherein the computer readable medium is a computer storage medium.
  - 42. The computer readable medium of claim 36, wherein the computer readable medium is a computer communication medium.

43. In a communication system having a host device, a designated device, and a rendezvous point device, a method comprising:
- sending a join request by the host device to the designated device in order to join a shared tree, the join request including an authentication key uniquely associated with the host device;
  
  sending an encoded join request by the designated device to the rendezvous point device, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication key;
  
  authenticating the encoded join request by the rendezvous point device by comparing the host device authentication key against a stored authentication key associated with the host device;
  
  adding the host device to the shared tree, if the encoded join request is authentic; and
  
  excluding the host device from the shared tree, if the encoded join request is not authentic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Clearinghouse LLC (RPX Corporation)
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
Hardjono, Thomas P.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US09/660,370
Time in Patent Office

2,772 Days
Field of Search

713/201, 713/168, 713/150, 713/151, 713/153, 713/163, 713/162, 713156-157, 380/42, 380278- 27, 380/30, 709/238
US Class Current

713/163
CPC Class Codes

H04L 12/185   with management of multicas...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

System, device, and method for controlling access in a multicast communication network

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

System, device, and method for controlling access in a multicast communication network

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links