Methods and apparatus for physical layer security of a network communications link
First Claim
1. A method of operating a communications port of a network communications device, comprising:
- maintaining capability information indicating that under normal operating conditions a communications link coupled to the communications port is capable of operating in a secure mode in which communications signals of the communications link are unintelligible to an intruder having an unauthorized physical connection to the communications link;
detecting occurrence of a link event of a type that can invoke an automatic communications-mode control mechanism to change the operating of the communications link to a non-secure mode in which communications signals of the communications link are intelligible to such an intruder; and
based on the capability information, responding to the detected occurrence of the link event by preventing the automatic communications mode control mechanism from changing the operating of the communications link to the non-secure mode, wherein the automatic communications-mode control mechanism comprises an auto-negotiation process conducted between the communications port and an end device coupled to the communications link, the auto-negotiation process being conducted in a secure mode to impede the detection of the content of the auto-negotiation process, and wherein standard auto-negotiation pulses are employed to serve as enemy indicators indicating the presence of the powered device, and non-standard signals are employed to serve as link negotiators to force operation of the communications link in the secure mode.
1 Assignment
0 Petitions
Accused Products
Abstract
A communications port of a network communications device maintains capability information indicating that under normal operating conditions a communications link is capable of operating in a secure mode in which communications signals of the communications link are unintelligible to an intruder having an unauthorized physical connection (e.g. tap) to the communications link. During operation, the port detects occurrence of a link event of a type that can invoke an automatic communications-mode control mechanism to change the operating of the communications link to a non-secure mode in which communications signals of the communications link are intelligible to such an intruder. An example is Ethernet auto-negotiation which can change from relatively secure 1000BaseT signaling to relatively non-secure 10/100BaseT signaling. Based on the capability information, the port responds to the link event by preventing the automatic communications mode control mechanism from changing the operating of the communications link to the non-secure mode.
-
Citations
28 Claims
-
1. A method of operating a communications port of a network communications device, comprising:
-
maintaining capability information indicating that under normal operating conditions a communications link coupled to the communications port is capable of operating in a secure mode in which communications signals of the communications link are unintelligible to an intruder having an unauthorized physical connection to the communications link; detecting occurrence of a link event of a type that can invoke an automatic communications-mode control mechanism to change the operating of the communications link to a non-secure mode in which communications signals of the communications link are intelligible to such an intruder; and based on the capability information, responding to the detected occurrence of the link event by preventing the automatic communications mode control mechanism from changing the operating of the communications link to the non-secure mode, wherein the automatic communications-mode control mechanism comprises an auto-negotiation process conducted between the communications port and an end device coupled to the communications link, the auto-negotiation process being conducted in a secure mode to impede the detection of the content of the auto-negotiation process, and wherein standard auto-negotiation pulses are employed to serve as enemy indicators indicating the presence of the powered device, and non-standard signals are employed to serve as link negotiators to force operation of the communications link in the secure mode. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
-
-
15. A communications port of a network communications device, comprising:
-
a memory operative to maintain capability information indicating that under normal operating conditions a communications link coupled to the communications port is capable of operating in a secure mode in which communications signals of the communications link are unintelligible to an intruder having an unauthorized physical connection to the communications link; and control circuitry and specialized physical-layer (PHY) circuitry co-operative (1) to detect occurrence of a link event of a type that can invoke an automatic communications-mode control mechanism to change the operating of the communications link to a non-secure mode in which communications signals of the communications link are intelligible to such an intruder, and (2) based on the capability information, to respond to the detected occurrence of the link event by preventing the automatic communications mode control mechanism from changing the operating of the communications link to the non-secure mode, wherein the automatic communications-mode control mechanism comprises an auto-negotiation process conducted between the communications port and an end device coupled to the communications link, the auto-negotiation process being conducted in a secure mode to impede the detection of the content of the auto-negotiation process, and wherein standard auto-negotiation pulses are employed to serve as energy indicators indicating the presence of the powered device, and non-standard signals are employed to serve as link negotiators to force operation of the communications link in the secure mode. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
-
Specification