Self-configuring method and apparatus for providing secure communication between members of a group

US 7,558,877 B1
Filed: 09/12/2003
Issued: 07/07/2009
Est. Priority Date: 09/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method of securing communication between at least two members of a group, wherein each member is an autonomous system comprising one or more network devices, the method including the steps of:

for a first communication between a first subset of members,forwarding, to at least one member of the group, a group security association corresponding to the group;

receiving, from the at least one member of the group, route information enabling communication with each of the one or more network devices of the autonomous system corresponding to the member, the route information identifying a border router that should be used as the next hop to the at least one member of the group;

identifying at least one other member of the group; and

reflecting the route information received from the at least one member of the group to the at least one other member of the group, including the step of securing the route information using the group security association, andfor a second communication between a second subset of members,securing route information using the same group security association used for the first communication between the first subset of members.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Each member of a group registers with the Security/Routing (S/R) device 30 and receives a Group Security Association (GSA) associated with the group. The member may register as part of a group by identifying the group and the other members. Alternatively, Routing Functionality auto-discovers the other members of the group. AS members are identified, Routing functionality reflects the routes of all members in the group to all other members of the group. The forwarding of the routes to the respective group members may be secured via the GSA associated with the group. Each member can forward communication directly to the group members, securing the communication using the group SA and standard tunneling techniques (such as IPsec, GRE, MPLS, etc.). Thus the S/R provides a mechanism for private networks to be built on top of an existing network without modification of any existing network components and much more scalable in operation and configuration than individual IP sec tunnels.

Citations

12 Claims

1. A method of securing communication between at least two members of a group, wherein each member is an autonomous system comprising one or more network devices, the method including the steps of:
- for a first communication between a first subset of members,forwarding, to at least one member of the group, a group security association corresponding to the group;
  
  receiving, from the at least one member of the group, route information enabling communication with each of the one or more network devices of the autonomous system corresponding to the member, the route information identifying a border router that should be used as the next hop to the at least one member of the group;
  
  identifying at least one other member of the group; and
  
  reflecting the route information received from the at least one member of the group to the at least one other member of the group, including the step of securing the route information using the group security association, andfor a second communication between a second subset of members,securing route information using the same group security association used for the first communication between the first subset of members.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, further comprising the step of receiving a registration request from the at least one member of the group.
  - 3. The method according to claim 2 wherein the registration request includes a list including the at least one other member of the group.
  - 4. The method according to claim 3, wherein the step of identifying the at least one other member includes the step of forwarding a request for routing information to the at least one other member, the request including an identifier for the group.
  - 5. The method according to claim 3, wherein the step of identifying includes the step of auto-discovering the at least one other member of the group in response to the registration request by issuing a request for routing information to other devices in the network, the request for routing information including an identifier for the group.

6. Apparatus for providing secure communications between at least two members of a group over a backbone network comprising:
- a network device including;
  
  security association logic for forwarding a group security association of the group to the at least two members of the group for a first communication between a first subset of members;
  
  route reflection logic for identifying at least one of the at least two members of the group, receiving routing information for the at least one of the two members of the group, the route information identifying a border router that should be used as the next hop to the at least one member of the group, securing the routing information for the at least one of the two members of the group using the group security association and for forwarding the secured routing information to another one of the at least two members of the group; and
  
  the security association logic and router reflection logic performing the same functions for a second communication between a second subset of members, including using the same group security association.
- View Dependent Claims (7, 8)
- - 7. The apparatus of claim 6 wherein the logic for identifying at least one of the two members of the group is auto-discovery logic.
  - 8. The apparatus of claim 6 wherein the logic for identifying at least one of the two members of the group includes a list of members of the group.

9. A method for communicating securely by one member of a group of network devices with at least one other member of the group of network devices over a network backbone including the steps of:
- for a first communication between a first subset of members,receiving, at the one member, a group security association corresponding to the group; and
  
  forwarding, by the one member to the at least one other member of the group, routing information for the one member, the route information identifying a border router that should be used as the next hop to the one member of the group, the routing information being secured using the group security association of the group, andfor a second communication between a second subset of members,the one member using the same group security association used for the first communication between the first subset of members.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9 further including the steps of:
    - receiving, at the one member, routing information associated with the at least one other member of the group, wherein the routing information associated with the at least one other member of the group is secured using the group security association of the group.
  - 11. The method of claim 10 further comprising the steps of:
    - restoring the routing information associated with the at least one other member of the group using the group security association of the group;
      
      securing a packet for transmission to the at least one other member of the group using the group security association to provide a secured packet; and
      
      forwarding the secured packet to the at least one other member using the restored routing information.
  - 12. The method of claim 11 wherein the step of forwarding includes building a tunnel to the at least one other member of the group using the restored routing information and the group security association.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
Nortel Networks Limited (Nortel Networks Corporation)
Inventors
Fedyk, Donald, He, Haixiang, Dondeti, Lakshminath
Primary Examiner(s)
Caldwell; Andrew
Assistant Examiner(s)
RECEK, JASON D

Application Number

US10/661,734
Time in Patent Office

2,125 Days
Field of Search

709/225, 709/227, 709/218, 709/242, 709/229, 709/238, 709/236, 709/246
US Class Current

709/242
CPC Class Codes

H04L 63/20 for managing network securi...

Self-configuring method and apparatus for providing secure communication between members of a group

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Self-configuring method and apparatus for providing secure communication between members of a group

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links