Method and system for including security information with a packet

US 7,877,601 B2
Filed: 11/30/2004
Issued: 01/25/2011
Est. Priority Date: 11/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining whether a packet is to be sent from a first network node to a second network node, whereinthe determining whether the packet is to be sent is performed at the first network node,the first network node is configured to support a network security technique, andthe second network node is not configured to support the network security technique;

in response to determining that the packet is to be sent from the first network node to the second network node, determining whether the packet will traverse a network node capable of processing packet security information after traversing the second network node, whereinthe determining whether the packet will traverse is performed at the first network node;

including packet security information with the packet, if it is determined that the packet will traverse the network node capable of processing packet security information after traversing the second network node, whereinthe packet security information is associated with the network security technique; and

forwarding the packet to the second network node, whereinthe forwarding the packet is performed regardless of whether the packet will traverse the network node capable of processing packet security information.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for including security information with a packet is disclosed. A packet is detected as it exits a first network and enters a second network. The first network is configured to support a network security technique, and the second network is not configured to support the network security technique. Network security information associated with the network security technique is included with the packet. A network device is configured to include network security information in overhead of a packet. A method for identifying a first network device in a network is also disclosed. Identification information of the first network is communicated to a second network device.

83 Citations

View as Search Results

45 Claims

1. A method comprising:
- determining whether a packet is to be sent from a first network node to a second network node, whereinthe determining whether the packet is to be sent is performed at the first network node,the first network node is configured to support a network security technique, andthe second network node is not configured to support the network security technique;
  
  in response to determining that the packet is to be sent from the first network node to the second network node, determining whether the packet will traverse a network node capable of processing packet security information after traversing the second network node, whereinthe determining whether the packet will traverse is performed at the first network node;
  
  including packet security information with the packet, if it is determined that the packet will traverse the network node capable of processing packet security information after traversing the second network node, whereinthe packet security information is associated with the network security technique; and
  
  forwarding the packet to the second network node, whereinthe forwarding the packet is performed regardless of whether the packet will traverse the network node capable of processing packet security information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising at least one of:
    - encrypting the packet; and
      
      including a digital signature with the packet.
  - 3. The method of claim 1, further comprising:
    - detecting the packet being sent from the second network node to a third network node, whereinthe third network node employs the network security technique; and
      
      processing the packet security information.
  - 4. The method of claim 1, whereinthe including includes the packet security information in a location within overhead of the packet such that the packet security information does not affect forwarding of the packet from the second network node to a third network node.
  - 5. The method of claim 4, whereinthe first, second, and third network nodes are layer-2 network nodes,the first network node and the second network node are coupled by a first layer-3 router, andthe second network node and the third network node are coupled by a second layer-3 router.
  - 6. The method of claim 5, whereinthe second layer-3 router is not configured to perform packet security processing, andthe packet security information in the overhead of the packet does not affect an ability of the second layer-3 router to process the packet.
  - 7. The method of claim 6, whereinthe packet security information comprises at least one of:
    - a group key, anda digital signature.
  - 8. The method of claim 4, further comprising:
    - determining whether a perimeter device of a network is capable of processing the packet security information.
  - 9. The method of claim 8, further comprising:
    - determining whether identification information of the network matches routing information of the packet.
  - 10. The method of claim 9, further comprising:
    - obtaining the identification information, whereinthe obtaining the identification information comprises a least one of;
      
      configuring an egress node of the first network node to recognize the identification information,using a network protocol to distribute the identification information, andstoring the identification information at a management station.
  - 11. The method of claim 10, whereinthe identification information is included in a forwarding table.
  - 12. The method of claim 10, whereinthe storing the identification information at the management station further comprises:
    - including the identification information in an identification information list.
  - 13. The method of claim 12, whereinthe identification information is a destination prefix, andthe routing information of the packet is a portion of a destination address of the packet.
  - 14. The method of claim 12, whereinthe identification information list is an access control list.
  - 15. The method of claim 1, whereinthe packet security information is inaccessible to the second network node.

16. An apparatus comprising:
- a processor;
  
  hardware configured to determine whether a packet is to be sent from a first network node to a second network node, whereinthe first network node comprises the hardware configured to determine,the first network node is configured to support a network security technique, andthe second network node is not configured to support the network security technique;
  
  second hardware configured to determine whether the packet will traverse a network node capable of processing packet security information after traversing the second network node, if the hardware configured to determine determines that the packet is to be sent from the first network node to the second network node, whereinthe second hardware configured to determine is coupled to the hardware configured to determine hardware configured to include packet security information with the packet, if the second hardware configured to determine determines that the packet will traverse the network node capable of processing packet security information after traversing the second network node, whereinthe processor is coupled to control the hardware configured to include,the hardware configured to include is coupled to the second hardware configured to determine, andthe packet security information is associated with the network security technique; and
  
  hardware configured to forward the packet, whereinthe hardware configured to forward is coupled to the hardware configured to include, andthe forwarding the packet is performed regardless of whether the packet will traverse the network node capable of processing packet security information.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The apparatus of claim 16, further comprising at least one of:
    - hardware configured to encrypt the packet; and
      
      second hardware configured to include a digital signature with the packet.
  - 18. The apparatus of claim 16, further comprising:
    - hardware configured to detect the packet being sent from the second network node to a third network node, whereinthe third network node employs the network security technique; and
      
      hardware configured to process the packet security information.
  - 19. The apparatus of claim 16, whereinthe hardware configured to include is configured to include the packet security information in a location within overhead of the packet such that the packet security information does not affect forwarding of the packet from the second network node to a third network node.
  - 20. The apparatus of claim 19, whereinthe first, second, and third network nodes are layer-2 network nodes,the first network node and the second network node are coupled by a first layer-3 router, andthe second network node and the third network node are coupled by a second layer-3 router.
  - 21. The apparatus of claim 20, whereinthe second layer-3 router is not configured to perform packet security processing, andthe packet security information in the overhead of the packet does not affect an ability of the second layer-3 router to process the packet.
  - 22. The apparatus of claim 21, whereinthe packet security information comprises at least one of:
    - a group key, anda digital signature.
  - 23. The apparatus of claim 19, further comprising:
    - third hardware configured to determine whether a perimeter device of a network is capable of processing the packet security information.
  - 24. The apparatus of claim 23, further comprising:
    - fourth hardware configured to determine whether identification information of the network matches routing information of the packet.
  - 25. The apparatus of claim 24, further comprising:
    - hardware configured to obtain the identification information, whereinthe hardware configured to obtain the identification information comprises a least one of;
      
      hardware configured to configure an egress node of the first network node to recognize the identification information,hardware configured to use a network protocol to distribute the identification information, andhardware configured to store the identification information at a management station.
  - 26. The apparatus of claim 25, whereinthe identification information is included in a forwarding table.
  - 27. The apparatus of claim 25, whereinthe hardware configured to store the identification information at the management station further comprises:
    - second hardware configured to include the identification information in an identification information list.
  - 28. The apparatus of claim 27, whereinthe identification information is a destination prefix, andthe routing information of the packet is a portion of a destination address of the packet.
  - 29. The apparatus of claim 27, whereinthe identification information list is an access control list.
  - 30. The apparatus of claim 16, whereinthe packet security information is inaccessible to the second network node.

31. A computer program product comprising:
- a first set of instructions, executable on a processor, configured to determine whether a packet is to be sent from a first network node to a second network node, whereinthe determining whether the packet is to be sent is performed at the first network node,the first network node comprises the processor,the first network node is configured to support a network security technique, andthe second network node is not configured to support the network security technique;
  
  a second set of instructions, executable on the processor, configured to determine whether the packet will traverse a network node capable of processing packet security information after traversing the second network node, if the first set of instructions indicates that the packet is to be sent from the first network node to the second network node, whereinthe determining whether the packet is to be sent is performed at the first network node;
  
  a third set of instructions, executable on the processor, configured to include packet security information with the packet, if the second set of instructions indicates that the packet will traverse the network node capable of processing packet security information after traversing the second network node, whereinthe packet security information is associated with the network security technique;
  
  a fourth set of instructions, executable on the processor, configured to forward the packet to the second network node, whereinthe fourth set of instructions is configured to forward the packet regardless of whether the packet will traverse the network node capable of processing packet security information; and
  
  computer readable media, wherein the computer program product is encoded in the computer readable media.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 32. The computer program product of claim 31, further comprising at least one of:
    - a fifth set of instructions, executable on the processor, configured to encrypt the packet; and
      
      a sixth set of instructions, executable on the processor, configured to include a digital signature with the packet.
  - 33. The computer program product of claim 31, further comprising:
    - a fifth set of instructions, executable on the processor, configured to detect the packet being sent from the second network node to a third network node, whereinthe third network node employs the network security technique; and
      
      a sixth set of instructions, executable on the processor, configured to process the packet security information.
  - 34. The computer program product of claim 31, whereinthe third set of instructions is further configured to include the packet security information in a location within overhead of the packet such that the packet security information does not affect forwarding of the packet from the second network node to a third network node.
  - 35. The computer program product of claim 34, whereinthe first, second, and third network nodes are layer-2 network nodes,the first network node and the second network node are coupled by a first layer-3 router, andthe second network node and the third network node are coupled by a second layer-3 router.
  - 36. The computer program product of claim 35, whereinthe second layer-3 router is not configured to perform packet security processing, andthe packet security information in the overhead of the packet does not affect an ability of the second layer-3 router to process the packet.
  - 37. The computer program product of claim 36, whereinthe packet security information comprises at least one of:
    - a group key, anda digital signature.
  - 38. The computer program product of claim 34, further comprising:
    - a fifth set of instructions, executable on the processor, configured todetermine whether a perimeter device of a network is capable of processing the packet security information.
  - 39. The computer program product of claim 38, further comprising:
    - a sixth set of instructions, executable on the processor, configured to determine whether identification information of the network matches routing information of the packet.
  - 40. The computer program product of claim 39, further comprising:
    - a seventh set of instructions, executable on the processor, configured to obtain the identification information, whereinthe seventh set of instructions comprises a least one of;
      
      a first subset of instructions, executable on the processor, configured to configure an egress node of the first network node to recognize the identification information,a second subset of instructions, executable on the processor, configured to use a network protocol to distribute the identification information, anda third subset of instructions, executable on the processor, configured to store the identification information at a management station.
  - 41. The computer program product of claim 40, whereinthe identification information is included in a forwarding table.
  - 42. The computer program product of claim 40, wherein the third subset of instructions further comprises:
    - a fourth subset of instructions, executable on the processor, configured to include the identification information in an identification information list.
  - 43. The computer program product of claim 42, whereinthe identification information is a destination prefix, andthe routing information of the packet is a portion of a destination address of the packet.
  - 44. The computer program product of claim 42, whereinthe identification information list is an access control list.
  - 45. The computer program product of claim 31, whereinthe packet security information is inaccessible to the second network node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Fine, Michael, Nallur, Padmanabha, Smith, Michael R., Kok, Wilson
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Kaplan; Benjamin A

Application Number

US10/999,343
Publication Number

US 20060112426A1
Time in Patent Office

2,247 Days
Field of Search

713/160, 726/13, 726/14, 726/15, 726/22
US Class Current

713/160
CPC Class Codes

H04L 63/20 for managing network securi...

Method and system for including security information with a packet

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for including security information with a packet

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links