System, device, and method for controlling access in a multicast communication network
First Claim
1. A communication system comprising:
a rendezvous point device that forwards multicast communication messages to members of a shared tree and is a root of the shared tree;
a designated device in communication with the rendezvous point device via a number of intermediate devices; and
a host device in communication with the designated device, wherein to join the shared tree;
the host device forwards an authentication key, uniquely generated by a key server for the host device, to the designated device;
the host device sends a join request to the designated device using a predetermined multicast group management protocol in order to join the shared tree for receiving the multicast communication messages forwarded by the rendezvous point device, the join request including the authentication key;
the designated device receives the join request and forwards to the rendezvous point device via the number of intermediate devices an encoded join request, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication key;
the rendezvous point device receives the encoded join request and authenticates the encoded join message by comparing the authentication key received in the tag against a stored authentication key associated with the host device;
wherein the host device is prevented from receiving the multicast communication messages forwarded by the rendezvous point device, if the rendezvous point device determines that the encoded join message is not authentic.
Abstract
A system, device, and method for controlling access in a multicast communication network uses a centralized host authentication scheme to prevent unauthorized hosts from joining a shared multicast distribution tree. Each authorized host is allocated a unique authentication key, which is used by the designated router to encode the PIM join message and by the rendezvous point router to authenticate the PIM join message. If the PIM join message is authentic, then each PIM router from the rendezvous point router to the designated router establishes appropriate multicast routes to route multicast packets to the host. If the PIM join message is not authentic, then multicast packets are prevented from reaching the host.
43 Claims
11. A method comprising:
obtaining an authentication key uniquely associated with a host device from a key server along with a group membership key following authentication of the host device by the key server; and
sending a join request to a designated device using a predetermined multicast group management protocol, the join request including the authentication key for use by the designated device for encoding the join message prior to forwarding of the join message to a rendezvous point, wherein the join message is encoded by inserting a tag field computed using a keyed hash function and the authentication key.
13. An apparatus comprising:
receiving logic operably coupled to receive an authentication key uniquely generated for the apparatus and to receive a group membership key from a key server following authentication of the host device by the key server; and
joining logic operably coupled to send a join request to a designated device using a predetermined multicast group management protocol, the join request including the authentication key for use by the designated device for encoding the join message prior to forwarding of the join message to a rendezvous point, to enable authentication of the join message at the rendezvous point by comparison of the authentication key associated with the host device against a stored key associated with the apparatus.
15. A method of authenticating a host device for access to a shared tree comprising:
receiving a join request from a host device;
generating an encoded join request using an authentication key uniquely associated with the host device, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication key, the authentication key being received together with a group key by the host device following authentication of the host device by a key server and forwarded in the join request from the host device; and
sending the encoded join request toward a rendezvous point device at the root of the shared tree to enable authentication of the join message at the rendezvous point by comparing the authentication key uniquely associated with the host device against a stored authentication key associated with the host device at the rendezvous point.
18. An apparatus for securing a shared tree comprising:
receiving logic operably coupled to receive a join request from a host device;
encoding logic operably coupled to generate an encoded join request using an authentication key uniquely associated with the host device, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication key, the authentication key being received by the host device following authentication of the host device by a key server and forwarded in the join request from the host device; and
sending logic operably coupled to send the encoded join request toward a rendezvous point device at the root of the shared tree to enable authentication of the join message at the rendezvous point by comparing the authentication key associated with the host device against a stored authentication key associated with the host at the rendezvous point.
21. A computer readable medium having embodied therein a computer program for controlling a computer system, the computer program comprising:
receiving logic programmed to receive a join request from a host device;
encoding logic programmed to generate an encoded join request using an authentication key uniquely associated with the host device, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication key, the authentication key being received by the host device together with a group key following authentication of the host device by a key server and forwarded in the join request from the host device; and
sending logic programmed to send the encoded join request toward a rendezvous point device to enable authentication of the join message at the rendezvous point by comparing the authentication key associated with the host device against a stored key associated with the host device at the rendezvous point.
26. A method comprising:
receiving, from a designated routing device coupled to a host, an encoded join request for the host device, the encoded join request being encoded by the designated routing device using an authentication key uniquely associated with the host, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication key, the authentication key being received by the host device following authentication of the host device by a key server and forwarded in a join request forwarded from the host device to the designated routing device;
authenticating the encoded join request using the host device authentication key to determine whether or not the encoded join request is authentic by comparing the authentication key against a stored authentication key uniquely associated with the host; and
establishing appropriate multicast routes for forwarding multicast communication messages to the host device if and only if the encoded join request is determined to be authentic.
31. An apparatus comprising:
receiving logic operably coupled to receive an encoded join request for a host device, the encoded join request being encoded and forwarded by a designated routing device coupled to the host device using an authentication key uniquely associated with the host device, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication key, the authentication key being received by the host device following authentication of the host device by a key server and forwarded in a join request forwarded from the host device to the designated routing device;
authenticating logic operably coupled to authenticate the encoded join request by comparing the host device authentication key to a stored authentication key associated with the host device to determine whether or not the encoded join request is authentic; and
routing logic operably coupled to establish appropriate multicast routes for forwarding multicast communication messages to the host device if and only if the encoded join request is determined to be authentic.
36. A computer readable medium having embodied therein a computer program for controlling a computer system, the computer program comprising:
receiving logic programmed to receive an encoded join request for a host device, the encoded join request being encoded and forwarded by a designated routing device coupled to the host device using an authentication key uniquely associated with the host device, the authentication key being received by the host device together with a group key following authentication of the host device by a key server and forwarded in a join request forwarded from the host device to the designated routing device;
authenticating logic programmed to authenticate the encoded join request by comparing the host device authentication key against a stored authentication key associated with the host device to determine whether or not the encoded join request is authentic; and
routing logic programmed to establish appropriate multicast routes for forwarding multicast communication messages to the host device if and only if the encoded join request is determined to be authentic.
43. In a communication system having a host device, a designated device, and a rendezvous point device, a method comprising:
sending a join request by the host device to the designated device in order to join a shared tree, the join request including an authentication key uniquely associated with the host device;
sending an encoded join request by the designated device to the rendezvous point device, wherein the encoded join request comprises a tag field computed using a keyed hash function and the authentication key;
authenticating the encoded join request by the rendezvous point device by comparing the host device authentication key against a stored authentication key associated with the host device;
adding the host device to the shared tree, if the encoded join request is authentic; and
excluding the host device from the shared tree, if the encoded join request is not authentic.
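The join-authentication flow described in the abstract and in claims 1, 26 and 43, as an added worked example that is not the patent's own code: a key server issues one authentication key per host, the designated router turns the host's join into an encoded join carrying a keyed-hash tag, and the rendezvous point recomputes the tag from its stored key for that host before installing a multicast route. HMAC-SHA256 is assumed for the unspecified "keyed hash function", and the host identifiers, group address and message layout are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example, not the patent's code. HMAC-SHA256 stands in for the
# unspecified "keyed hash function"; the tag covers host identity and group.

class KeyServer:
    """Issues one unique authentication key per authorized host."""
    def __init__(self):
        self.stored_keys = {}        # host_id -> key; the RP reads this store

    def issue_key(self, host_id):
        key = secrets.token_bytes(32)
        self.stored_keys[host_id] = key
        return key

def compute_tag(key, host_id, group):
    """Tag field for the encoded join: keyed hash over host and group."""
    return hmac.new(key, f"{host_id}|{group}".encode(), hashlib.sha256).digest()

def dr_encode_join(host_id, group, auth_key):
    """Designated router: the host's join carries its key; the DR emits a
    PIM-style join toward the RP with a tag instead of the raw key."""
    return {"host": host_id, "group": group, "tag": compute_tag(auth_key, host_id, group)}

class RendezvousPoint:
    """Root of the shared tree; installs a route only for an authentic join."""
    def __init__(self, stored_keys):
        self.stored_keys = stored_keys
        self.routes = set()          # (group, host_id) pairs

    def process_join(self, join):
        key = self.stored_keys.get(join["host"])
        if key is None:              # no key on file: host was never authorized
            return False
        expected = compute_tag(key, join["host"], join["group"])
        if not hmac.compare_digest(expected, join["tag"]):
            return False             # wrong key or tampered fields: drop it
        self.routes.add((join["group"], join["host"]))
        return True

def demo():
    ks = KeyServer()
    rp = RendezvousPoint(ks.stored_keys)
    key_a = ks.issue_key("host-A")
    ok = rp.process_join(dr_encode_join("host-A", "239.1.2.3", key_a))
    forged = rp.process_join(dr_encode_join("host-B", "239.1.2.3", secrets.token_bytes(32)))
    return ok, forged, sorted(rp.routes)
```

Because the tag binds the group address, a join whose group field is altered in transit fails verification just as a join from a host with no issued key does.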