Method and apparatus for providing network security using security labeling

US 7,836,490 B2
Filed: 10/29/2003
Issued: 11/16/2010
Est. Priority Date: 10/29/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

comparing first security level information and second security level information,whereinsaid first security level information is stored in a security label of a packet received at a network node of a network,said first security level information represents a first security level,said first security level is a security level of a source of said packet,said second security level information is stored at said network node,said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,said second security level information represents a second security level,said second security level is a security level of a destination of said packet,said network comprises a plurality of network nodes,said network nodes comprise said network node and said another network node, andsaid network nodes are configured to convey packets to one another via others of said network nodes; and

indicating processing to be performed on said packet based on said comparing,whereinsaid processing comprisesdetermining whether to forward said packet from said network node to one of said network nodes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing network security using security labeling is disclosed. The method includes comparing first security level information and second security level information, and indicating processing to be performed on the packet based on the comparing. The first security level information is stored in a security label of a packet received at a network node, while the second security level information is stored at the network node.

103 Citations

View as Search Results

95 Claims

1. A method comprising:
- comparing first security level information and second security level information,whereinsaid first security level information is stored in a security label of a packet received at a network node of a network,said first security level information represents a first security level,said first security level is a security level of a source of said packet,said second security level information is stored at said network node,said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,said second security level information represents a second security level,said second security level is a security level of a destination of said packet,said network comprises a plurality of network nodes,said network nodes comprise said network node and said another network node, andsaid network nodes are configured to convey packets to one another via others of said network nodes; and
  
  indicating processing to be performed on said packet based on said comparing,whereinsaid processing comprisesdetermining whether to forward said packet from said network node to one of said network nodes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 2. The method of claim 1, whereinsaid another network node is coupled to said destination of said packet.
  - 3. The method of claim 1, whereinsaid first security level and said second security level implement one of a multi -level security paradigm and a multi-lateral security paradigm.
  - 4. The method of claim 1, whereinsaid security label is one of an enumerated security label and a bitmap security label.
  - 5. The method of claim 1, whereinsaid second security level is a security level of a port of said network node.
  - 6. The method of claim 5, further comprising:
    - setting said security level of said port.
  - 7. The method of claim 6, wherein said setting said security level of said port comprises:
    - storing said second security level in a security label information field of an access control list entry.
  - 8. The method of claim 6, wherein said setting said security level of said port comprises:
    - storing said second security level in a label range information field of a forwarding table entry.
  - 9. The method of claim 1, wherein said processing comprises:
    - dropping said packet, if said comparing indicates that said first security level is less than said second security level.
  - 10. The method of claim 1, whereinsaid processing comprises at least one of dropping said packet, redirecting said packet and rewriting said security label.
  - 11. The method of claim 1, whereinsaid second security level information represents a plurality of security levels, and said security levels comprise said second security level.
  - 12. The method of claim 11, whereinsaid security levels are a range of security levels.
  - 13. The method of claim 12, wherein said processing comprises:
    - dropping said packet, if said comparing indicates that said first security level is not within said range of security levels.
  - 14. The method of claim 1, further comprising:
    - storing said second security level information at said network node.
  - 15. The method of claim 14, wherein said storing comprises:
    - storing said second security level in a security label information field of an access control list entry.
  - 16. The method of claim 14, wherein said storing comprises:
    - storing said second security level in a label range information field of a forwarding table entry.
  - 17. The method of claim 14, whereinsaid storing comprisesreceiving said second security level information from said another network node, andsaid receiving occurs as a result of said second security level being registered in said context.
  - 18. The method of claim 17, wherein said second security level information is configured to be combined with said third security level information by virtue of said second security level information being configured to belogically OR'"'"'d with said third security level information.
  - 19. The method of claim 17, whereinsaid context is a generic attribute registration protocol information propagation context, andsaid registering said second security level is accomplished by said first network node issuing a join request.
  - 20. The method of claim 14, wherein said storing comprises:
    - storing said second security level in a label range information field of forwarding table.
  - 21. The method of claim 14, wherein said storing comprises:
    - storing said second security level in a port of said network node.
  - 22. The method of claim 21, wherein said port is an egress port.
  - 23. The method of claim 1, further comprising:
    - determining said first security level.
  - 24. The method of claim 23, wherein said determining comprises:
    - determining if an ingress port is marked as an access port; and
      
      setting a security level of said ingress port to said first security level, if said ingress port is marked as an access port.
  - 25. The method of claim 24, further comprising:
    - setting said first security level information to said security level of said ingress port.
  - 26. The method of claim 23, further comprising:
    - authenticating a user having said first security level, whereinsaid determining is performed only if said user is authenticated.
  - 27. The method of claim 1, further comprising:
    - performing said processing on said packet based on said comparing.
  - 28. The method of claim 27, wherein said performing said processing comprises:
    - performing said forwarding of said packet, if said indicating indicates that said packet is allowed to be forwarded; and
      
      dropping said packet, otherwise.
  - 29. The method of claim 27, wherein said performing said processing comprises:
    - forwarding said packet to a firewall, if said indicating indicates that said packet should be forwarded to said firewall.
  - 30. The method of claim 1, further comprising:
    - stripping network security information from said packet; and
      
      adding subnetwork security information to said packet.
  - 31. The method of claim 30, whereinsaid network security information comprises said first security level information.
  - 32. The method of claim 30, whereinsaid subnetwork security information comprises said first security level information.

33. A computer system comprising:
- a processor;
  
  a tangible, non-transitory computer-readable storage medium coupled to said computer, andcomputer instructions, encoded in said computer-readable storage medium, configured to cause said processor to;
  
  compare first security level information and second security level information, whereinsaid first security level information is stored in a security label of a packet received at a network node of a network,said first security level information represents a first security level,said first security level is a security level of a source of said packet,said second security level information is stored at said network node,said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,said second security level information represents a second security level,said second security level is a security level of a destination of said packet,said network comprises a plurality of network nodes,said network nodes comprise said network node and said another network node, andsaid network nodes are configured to convey packets to one another via others of said network nodes; and
  
  indicate processing to be performed on said packet based on said comparing, whereinsaid processing comprisesdetermining whether to forward said packet from said network node to one of said network nodes.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 34. The computer system of claim 33, wherein said another network node is coupled to said destination of said packet.
  - 35. The computer system of claim 33, wherein said computer instructions are further configured to cause said processor to:
    - set said security level of a port, whereinsaid second security level is a security level of said port of said network node.
  - 36. The computer system of claim 35, wherein said computer instructions configured to cause said processor to set said security level of said port is further configured to cause said processor to:
    - store said second security level in a security label information field of an access control list entry.
  - 37. The computer system of claim 35, wherein said computer instructions configured to cause said processor to set said security level of said port is further configured to cause said processor to:
    - store said second security level in a label range information field of a forwarding table entry.
  - 38. The computer system of claim 33, wherein said computer instructions are further configured to cause said processor to:
    - store said second security level information at said network node.
  - 39. The computer system of claim 38, wherein said computer instructions configured to cause said processor to store is further configured to cause said processor to:
    - store said second security level in a security label information field of an access control list entry.
  - 40. The computer system of claim 38, wherein said computer instructions configured to cause said processor to store is further configured to cause said processor to:
    - store said second security level in a label range information field of a forwarding table entry.
  - 41. The computer system of claim 38, wherein said computer instructions configured to cause said processor to store is further configured to cause said processor to:
    - receive said second security level information from said another network node by virtue of being configure to cause said processor to register said second security level in said context.
  - 42. The computer system of claim 41, wherein said computer instructions configured to cause said processor to register are further configured to cause said processor to:
    - logically OR said third security level information with said second security level information.
  - 43. The computer system of claim 42, whereinsaid context is a generic attribute registration protocol information propagation context, andsaid computer instructions configured to cause said processor to register said second security level is configured to cause said processor to cause said first network node to issue a join request.
  - 44. The computer system of claim 33, wherein said computer instructions are further configured to cause said processor to:
    - determine said first security level.
  - 45. The computer system of claim 44, wherein said computer instructions are further configured to cause said processor to:
    - authenticate a user having said first security level, whereinsaid computer instructions configured to cause said processor to determine said first security level causes said processor to determine said first security level only if said user is authenticated.
  - 46. The computer system of claim 44, wherein said computer instructions configured to cause said processor to determine said first security level is further configured to cause said processor to:
    - determine if an ingress port is marked as an access port; and
      
      set a security level of said ingress port to said first security level, if said ingress port is marked as an access port.
  - 47. The computer system of claim 46, wherein said computer instructions are further configured to cause said processor to:
    - set said first security level information to said security level of said ingress port.
  - 48. The computer system of claim 33, wherein said computer instructions are further configured to cause said processor to:
    - perform said processing on said packet based on a result generated by said computer instructions configured to cause said processor to compare.
  - 49. The computer system of claim 48, wherein said computer instructions configured to cause said processor to perform said processing on said packet is further configured to cause said processor to:
    - perform said forwarding of said packet, if said computer instructions configured to cause said processor to indicate indicates that said packet is allowed to be forwarded; and
      
      drop said packet, otherwise.
  - 50. The computer system of claim 33, wherein said computer instructions are further configured to cause said processor to:
    - strip network security information from said packet; and
      
      add subnetwork security information to said packet.

51. A computer program product comprising:
- a non-transitory computer-readable storage medium, whereina plurality of sets of instructions are encoded in said tangible computer-readable medium, andsaid plurality of sets of instructions comprise a first set of instructions, executable on a computer system,configured to compare first security level information and second security level information, whereinsaid first security level information is stored in a security label of a packet received at a network node of a network,said first security level information represents a first security level,said first security level is a security level of a source of said packet,said second security level information is stored at said network node,said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,said second security level information represents a second security level,said second security level is a security level of a destination of said packet,said network comprises a plurality of network nodes,said network nodes comprise said network node and said another network node, andsaid network nodes are configured to convey packets to one another via others of said network nodes, anda second set of instructions, executable on said computer system, configured to indicate processing to be performed on said packet based on said comparing, whereinsaid processing comprisesdetermining whether to forward said packet from said network node to one of said network nodes.
- View Dependent Claims (52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68)
- - 52. The computer program product of claim 51, whereinsaid another network node is coupled to a destination of said packet.
  - 53. The computer program product of claim 51, further comprising:
    - a third set of instructions, executable on said computer system, configured to set said security level of a port, whereinsaid second security level is a security level of said port of said network node.
  - 54. The computer program product of claim 53, wherein said third set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to store said second security level in a security label information field of an access control list entry.
  - 55. The computer program product of claim 53, wherein said third set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to store said second security level in a label range information field of a forwarding table entry.
  - 56. The computer program product of claim 51, further comprising:
    - a third set of instructions, executable on said computer system, configured to store said second security level information at said network node.
  - 57. The computer program product of claim 56, wherein said third set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to store said second security level in a security label information field of an access control list entry.
  - 58. The computer program product of claim 56, wherein said third set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to store said second security level in a label range information field of a forwarding table entry.
  - 59. The computer program product of claim 56, wherein said third set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to receive said second security level from said another network node comprises a first sub-subset of instructions, executable on said computer system, configured to cause said processor to register said second security level in said context.
  - 60. The computer program product of claim 59, wherein said first sub-subset of instructions comprises:
    - a first sub-sub-subset of instructions, executable on said computer system, configured to logically OR said third security level information with said second security level information.
  - 61. The computer program product of claim 60, whereinsaid context is a generic attribute registration protocol information propagation context, andsaid first sub-subset of instructions is further configured to cause said first network node to issue a join request.
  - 62. The computer program product of claim 51, further comprising:
    - a third set of instructions, executable on said computer system, configured to determine said first security level.
  - 63. The computer program product of claim 62, further comprising:
    - a fourth set of instructions, executable on said computer system, configured to authenticate a user having said first security level, whereinsaid third set of instructions is further configured to cause said processor to determine said first security level only if said user is authenticated.
  - 64. The computer program product of claim 62, wherein said third set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to determine if an ingress port is marked as an access port; and
      
      a second subset of instructions, executable on said computer system, configured to set a security level of said ingress port to said first security level, if said ingress port is marked as an access port.
  - 65. The computer program product of claim 64, further comprising:
    - a fifth set of instructions, executable on said computer system, configured to set said first security level information to said security level of said ingress port.
  - 66. The computer program product of claim 51, further comprising:
    - a third set of instructions, executable on said computer system, configured to perform said processing on said packet based on a result generated by said first set of instructions.
  - 67. The computer program product of claim 66, wherein said third set of instructions comprises:
    - a first subset of instructions, executable on said computer system, configured to perform said forwarding of said packet, if said second set of instructions indicates that said packet is allowed to be forwarded; and
      
      a second subset of instructions, executable on said computer system, configured to drop said packet, otherwise.
  - 68. The computer program product of claim 51, further comprising:
    - a third set of instructions, executable on said computer system, configured to strip network security information from said packet; and
      
      a fourth set of instructions, executable on said computer system, configured to add subnetwork security information to said packet.

69. A network device comprising:
- a network interface, whereinsaid network interface is configured to receive a packet, andsaid network device is configured to store first security level information,compare said first security level information and second security level information, whereinsaid first security level information is stored in a security label of a packet received at a network node of a network,said first security level information represents a first security level,said first security level is a security level of a source of said packet,said second security level information is stored at said network node,said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,said second security level information represents a second security level,said second security level is a security level of a destination of said packet,said network comprises a plurality of network nodes,said network nodes comprise said network node and said another network node, andsaid network nodes are configured to convey packets to one another via others of said network nodes, andindicate processing to be performed on said packet based on said comparing, whereinsaid processing comprises
  
  determining whether to forward said packet from said network node to one of said network nodes, andperform said processing of said packet.
- View Dependent Claims (70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80)
- - 70. The network device of claim 69, whereinsaid network interface comprises a port, andsaid port is configured to store said first security level information.
  - 71. The network device of claim 70, whereinsaid port is an egress port.
  - 72. The network device of claim 70, whereinsaid network device is further configured to set a security level of said port.
  - 73. The network device of claim 69, whereinsaid network device is further configured to process said packet based on said comparing.
  - 74. The network device of claim 69, whereinsaid network device is further configured to strip network security information from said packet and add subnetwork security information to said packet.
  - 75. The network device of claim 69, whereinsaid first security level is a security level of a port of said network device.
  - 76. The network device of claim 69, whereinsaid second security level information represents a second security level, andsaid first security level information represents a plurality of security levels.
  - 77. The network device of claim 76, whereinsaid security levels are a range of security levels.
  - 78. The network device of claim 69, whereinsaid network device is further configured to store said first security level information at said network device.
  - 79. The network device of claim 78, whereinsaid network device is further configured to communicate said first security level from a second network device by registering said first security level in a context.
  - 80. The network device of claim 79, whereinsaid context is a generic attribute registration protocol information propagation context, andsaid registering said first security level is accomplished by said second network device issuing a join request.

81. A network device comprising:
- a content-addressable memory; and
  
  an access control list, whereinsaid content-addressable memory is configured to store said access control list,said access control list comprises an access control list entry,said access control list entry comprises a label information field,said label information field is configured to store a security label, andsaid network device is configured tocompare first security level information and second security level information, whereinsaid first security level information is stored in a security label of a packet received at a network node of a network,said first security level information represents a first security level,said first security level is a security level of a source of said packet,said second security level information is stored at said network node,said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,said second security level information represents a second security level,said second security level is a security level of a destination of said packet,said network comprises a plurality of network nodes,said network nodes comprise said network node and said another network node, and said network nodes are configured to convey packets to one another via others of said network nodes; and
  
  indicate processing to be performed on said packet based on said comparing, whereinsaid processing comprises
  
  determining whether to forward said packet from said network node to one of said network nodes.
- View Dependent Claims (82, 83, 84, 85, 86, 87, 88)
- - 82. The network device of claim 81, whereinsaid security label implements a multi-level security paradigm.
  - 83. The network device of claim 81, whereinsaid security label implements a multi-lateral security paradigm.
  - 84. The network device of claim 81, wherein said access control list entry further comprises:
    - a flow label field, whereinsaid flow label field allows said access control list entry to be identified as a security labeled access control list entry.
  - 85. The network device of claim 84, wherein said access control list entry further comprises:
    - a plurality of flow specification fields, whereinsaid flow specification fields comprise information identifying processing to be performed on at least one flow.
  - 86. The network device of claim 81, wherein said security label is configured to be compared to a security label of a packet.
  - 87. The network device of claim 86, wherein said access control list entry further comprises:
    - a flow specification field, whereinsaid flow specification field comprise information identifying processing to be performed on said packet.
  - 88. The network device of claim 87, wherein said access control list entry further comprises:
    - a flow label field, whereinsaid flow label field allows said access control list entry to be identified as a security labeled access control list entry.

89. A network device comprising:
- a forwarding table, whereinsaid forwarding table comprises a plurality of forwarding table entries,at least one forwarding table entry of said forwarding table entries comprises a label range field, andsaid network device is configured to compare first security level information and second security level information, whereinsaid first security level information is stored in a security label of a packet received at a network node of a network,said first security level information represents a first security level,said first security level is a security level of a source of said packet,said second security level information is stored at said network node,said second security level information is received from another network node of said network as a result of said second security level information being registered in a context,said second security level information is configured to be updated by virtue of said second security level information being configured to be combined with third security level information,said second security level information represents a second security level,said second security level is a security level of a destination of said packet,said network comprises a plurality of network nodes,said network nodes comprise said network node and said another network node, andsaid network nodes are configured to convey packets to one another via others of said network nodes; and
  
  indicate processing to be performed on said packet based on said comparing, whereinsaid processing comprisesdetermining whether to forward said packet from said network node to one of said network nodes.
- View Dependent Claims (90, 91, 92, 93, 94, 95)
- - 90. The network device of claim 89, wherein said at least one forwarding table entry further comprises:
    - a port identifier field, whereina port identifier stored in said port identifier field identifies a port.
  - 91. The network device of claim 90, whereina security label stored in said label range field is associated with said port.
  - 92. The network device of claim 90, wherein said at least one forwarding table entry further comprises:
    - a media access control (MAC) address field; and
      
      a virtual local area network (VLAN) identifier field, whereina combination of said MAC address field and said VLAN identifier field are associated with said port identifier field and said label range field.
  - 93. The network device of claim 92, whereinsaid address field is configured to store a MAC address,said VLAN identifier field is configured to store a VLAN identifier,said VLAN identifier identifies a VLAN, anda combination of said MAC address and said VLAN identifier identify said port and said security label.
  - 94. The network device of claim 91, wherein said at least one forwarding table entry further comprises:
    - a media access control (MAC) address field configured to store a MAC address,whereinsaid MAC address is associated with a security label stored in said label range field.
  - 95. The network device of claim 89, wherein said at least one forwarding table entry further comprises:
    - a virtual local area network (VLAN) identifier field, whereina VLAN identifier stored in said VLAN identifier field identifies a VLAN, andsaid VLAN is associated with a security label stored in said label range field.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Nobahar; Abdulhakim

Application Number

US10/696,629
Publication Number

US 20050097357A1
Time in Patent Office

2,575 Days
Field of Search

726/3, 726/6, 726/11, 726/13, 726/4, 370/392, 707/1, 707/9, 707/10, 709/238
US Class Current

726/4
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

Method and apparatus for providing network security using security labeling

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

103 Citations

95 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing network security using security labeling

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

95 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links