Secure transport of multicast traffic

US 8,132,000 B2
Filed: 07/30/2009
Issued: 03/06/2012
Est. Priority Date: 10/31/2003
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a device, a join request from a downstream router, the join request being associated with a multicast group and being received via a tunnel established between the device and the downstream router;

determining, by the device and in response to the join request, whether another join request had previously been received for the multicast group;

exchanging, by the device, security association parameters with the downstream router, in response to the join request, based on the determining;

exchanging, by the device and via the tunnel, group keys with the downstream router;

encrypting, by the device, a multicast packet using the group keys;

encapsulating, by the device, the encrypted multicast packet to form an encapsulated payload;

appending, by the device, a header to the encapsulated payload to form an encapsulated packet; and

forwarding, by the device, the encapsulated packet to the downstream router.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure tunneled multicast transmission and reception through a network is provided. A join request may be received from a second tunnel endpoint, the join request indicating a multicast group to be joined. Group keys may be transmitted to the second tunnel endpoint, where the group keys are based at least on the multicast group. A packet received at the first tunnel endpoint may be cryptographically processed to generate an encapsulated payload. A header may be appended to the encapsulated payload to form an encapsulated packet, wherein the header includes information associated with the second tunnel endpoint. A tunnel may be established between the first tunnel endpoint and the second tunnel endpoint based on the appended header. The encapsulated packet may be transmitted through the tunnel to the second tunnel endpoint. The second tunnel endpoint may receive the encapsulated packet. Cryptographic processing of the encapsulated packet may reveal the packet having a second header. The packet may then be forwarded on an interface toward at least one multicast recipient identified in the second header.

21 Citations

View as Search Results

20 Claims

1. A method, comprising:
- receiving, by a device, a join request from a downstream router, the join request being associated with a multicast group and being received via a tunnel established between the device and the downstream router;
  
  determining, by the device and in response to the join request, whether another join request had previously been received for the multicast group;
  
  exchanging, by the device, security association parameters with the downstream router, in response to the join request, based on the determining;
  
  exchanging, by the device and via the tunnel, group keys with the downstream router;
  
  encrypting, by the device, a multicast packet using the group keys;
  
  encapsulating, by the device, the encrypted multicast packet to form an encapsulated payload;
  
  appending, by the device, a header to the encapsulated payload to form an encapsulated packet; and
  
  forwarding, by the device, the encapsulated packet to the downstream router.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, where exchanging group keys with the downstream router comprises:
    - determining that another join request had previously not been received for the multicast group; and
      
      generating the group keys based on determining that another join request had previously not been received for the multicast group.
  - 3. The method of claim 1, where the group keys are generated based on the multicast group.
  - 4. The method of claim 3, where the groups keys are based on, a type of key and the multicast group.
  - 5. The method of claim 1, further comprising:
    - determining whether one or more other downstream routers are to receive the encapsulated packet.
  - 6. The method of claim 5, where the determining whether one or more other downstream routers are to receive the encapsulated packet comprises:
    - determining that the one or more other downstream routers are to receive the encapsulated packet; and
      
      determining a destination address of at least one of the one or more other downstream routers in response to determining that the one or more other downstream routers are to receive the encapsulated packet,where the encapsulated packet is forwarded to the at least one of the one or more other downstream routers based on the determined destination address.
  - 7. The method of claim 1, where encrypting the multicast packet using the group keys further comprises:
    - authenticating the multicast packet using the group keys.

8. A system comprising:
- a network device to;
  
  receive, via a tunnel established between the network device and a downstream router, a join request from the downstream router, the join request being associated with a multicast group;
  
  determine that another join request had previously not been received for the multicast group;
  
  exchange security association parameters with the downstream router in response to determining that another join request had previously not been received;
  
  generate group keys in response to determining that another join request had previously not been received;
  
  forward, via the tunnel, the generated group keys to the downstream router;
  
  encapsulate a packet, encrypted using the generated group keys, to form an encapsulated payload;
  
  append a header to the encapsulated payload to form an encapsulated packet; and
  
  forward, the encapsulated packet to the downstream router.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, where the network device is further to:
    - encrypt the packet using the group keys prior to the encapsulation; and
      
      authenticate the encrypted packet using the group keys prior to the encapsulation.
  - 10. The system of claim 8, where, when encapsulating the packet, the network device is to:
    - generate an authentication trailer; and
      
      append the generated authentication trailer to the encapsulated payload.
  - 11. The system of claim 8, where, when encapsulating the packet, the network device is to:
    - generate an encapsulating security payload (ESP); and
      
      append the generated ESP to the encapsulated payload.
  - 12. The system of claim 8, where the join request comprises one of:
    - a Protocol Independent Multicast—
      
      Sparse Mode (PIM-SM) join request, oran Internet Group Management Protocol (IGMP) join request.

13. A system comprising:
- a device to;
  
  receive a first join request from a first downstream router via a first tunnel established between the device and the first downstream router;
  
  receive a second join request from a second downstream router via a second tunnel established between the device and the second downstream router, where the first join request and the second join request indicate a multicast group to be joined;
  
  generate group keys based on the multicast group;
  
  transmit the group keys to the first downstream router via the first tunnel;
  
  transmit the group keys to the second downstream router via the second tunnel;
  
  process a first multicast packet, using the group keys, to generate an encapsulated payload;
  
  append a first Internet Protocol (IP) header to the encapsulated payload to form a first encapsulated packet, where the first IP header is associated with the first downstream router;
  
  establish a first group keying tunnel with the first downstream router based on the appended first IP header;
  
  copy the encapsulated payload;
  
  append a second IP header to the copied encapsulated payload to form a second encapsulated packet, where the second IP header is associated with the second downstream router;
  
  establish a second group keying tunnel with the second downstream router based on the appended second IP header;
  
  transmit the first encapsulated packet using the first group keying tunnel to the first downstream router; and
  
  transmit the second encapsulated packet using the second group keying tunnel to the second downstream router.
- View Dependent Claims (14)
- - 14. The system of claim 13, where the device is further to:
    - determine, in response to the received first join request, whether the group keys had been previously generated for the multicast group; and
      
      generate the group keys based at least on the multicast group when the group keys had notbeen previously generated for the multicast group.

15. A non-transitory computer-readable medium including instructions, executable by at least one processor of a first device, the instructions comprising:
- one or more instructions to receive, from a second device, a join request associated with a multicast group, the join request being received via a tunnel established between the first device and the second device;
  
  one or more instructions to determine, in response to the join request, whether another join request had previously been received for the multicast group;
  
  one or more instructions to exchange, via the tunnel, group keys with the second device when another join request had previously been received for the multicast group;
  
  one or more instructions to encapsulate a packet, encrypted using the group keys, to form an encapsulated payload;
  
  one or more instructions to append a header to the encapsulated payload to form an encapsulated packet; and
  
  one or more instructions to forward the encapsulated packet to the second device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, where the one or more instructions to exchange the group keys with the second device comprises:
    - one or more instructions to determine that another join request had previously not been received for the multicast group; and
      
      one or more instructions to generate the group keys when another join request had previously not been received for the multicast group.
  - 17. The non-transitory computer-readable medium of claim 15, where the instructions further comprise:
    - one or more instructions to generate the group keys based on the multicast group.
  - 18. The non-transitory computer-readable medium of claim 15, where the join request comprises one of:
    - a Protocol Independent Multicast—
      
      Sparse Mode (PIM-SM) join request, oran Internet Group Management Protocol (IGMP) join request.
  - 19. The non-transitory computer-readable medium of claim 15, where the instructions further comprise:
    - one or more instructions to determine whether one or more other devices are to receive the encapsulated packet; and
      
      one or more instructions to determine a destination address of at least one of the one or more other devices based on the one or more instructions to determine whether the one or more other devices are to receive the encapsulated packet,where the encapsulated packet are forward to the at least one of the one or more other devices based on the determined destination address.
  - 20. The non-transitory computer-readable medium of claim 15,where the one or more instructions to encapsulate the packet include:
    - one or more instructions to generate an encapsulating security payload (ESP); and
      
      one or more instructions to append the generated ESP to the encapsulated payload.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Liu, Changming, Shieh, Choung-Yaw, Lebovitz, Gregory M
Primary Examiner(s)
SHAN, APRIL YING

Application Number

US12/512,098
Publication Number

US 20090292917A1
Time in Patent Office

950 Days
Field of Search

713/150, 713/160, 713/162, 713/163, 713/153, 380/34, 709/240, 370/239, 370/366, 726/3
US Class Current

713/163
CPC Class Codes

H04L 12/185   with management of multicas...

H04L 12/4633   Interconnection of networks...

H04L 63/065   for group communications cr...

H04L 63/08   for authentication of entit...

Secure transport of multicast traffic

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure transport of multicast traffic

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links