Secure transport of multicast traffic
First Claim
1. A method, comprising:
receiving, by a device, a join request from a downstream router, the join request being associated with a multicast group and being received via a tunnel established between the device and the downstream router;
determining, by the device and in response to the join request, whether another join request had previously been received for the multicast group;
exchanging, by the device, security association parameters with the downstream router, in response to the join request, based on the determining;
exchanging, by the device and via the tunnel, group keys with the downstream router;
encrypting, by the device, a multicast packet using the group keys;
encapsulating, by the device, the encrypted multicast packet to form an encapsulated payload;
appending, by the device, a header to the encapsulated payload to form an encapsulated packet; and
forwarding, by the device, the encapsulated packet to the downstream router.
0 Assignments
0 Petitions
Abstract
Secure tunneled multicast transmission and reception through a network is provided. A join request may be received from a second tunnel endpoint, the join request indicating a multicast group to be joined. Group keys may be transmitted to the second tunnel endpoint, where the group keys are based at least on the multicast group. A packet received at the first tunnel endpoint may be cryptographically processed to generate an encapsulated payload. A header may be appended to the encapsulated payload to form an encapsulated packet, wherein the header includes information associated with the second tunnel endpoint. A tunnel may be established between the first tunnel endpoint and the second tunnel endpoint based on the appended header. The encapsulated packet may be transmitted through the tunnel to the second tunnel endpoint. The second tunnel endpoint may receive the encapsulated packet. Cryptographic processing of the encapsulated packet may reveal the packet having a second header. The packet may then be forwarded on an interface toward at least one multicast recipient identified in the second header.
21 Citations
20 Claims
1. A method, comprising: the steps recited above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system comprising:
a network device to:
receive, via a tunnel established between the network device and a downstream router, a join request from the downstream router, the join request being associated with a multicast group;
determine that another join request had previously not been received for the multicast group;
exchange security association parameters with the downstream router in response to determining that another join request had previously not been received;
generate group keys in response to determining that another join request had previously not been received;
forward, via the tunnel, the generated group keys to the downstream router;
encapsulate a packet, encrypted using the generated group keys, to form an encapsulated payload;
append a header to the encapsulated payload to form an encapsulated packet; and
forward the encapsulated packet to the downstream router.
Dependent claims: 9, 10, 11, 12.
13. A system comprising:
a device to:
receive a first join request from a first downstream router via a first tunnel established between the device and the first downstream router;
receive a second join request from a second downstream router via a second tunnel established between the device and the second downstream router, where the first join request and the second join request indicate a multicast group to be joined;
generate group keys based on the multicast group;
transmit the group keys to the first downstream router via the first tunnel;
transmit the group keys to the second downstream router via the second tunnel;
process a first multicast packet, using the group keys, to generate an encapsulated payload;
append a first Internet Protocol (IP) header to the encapsulated payload to form a first encapsulated packet, where the first IP header is associated with the first downstream router;
establish a first group keying tunnel with the first downstream router based on the appended first IP header;
copy the encapsulated payload;
append a second IP header to the copied encapsulated payload to form a second encapsulated packet, where the second IP header is associated with the second downstream router;
establish a second group keying tunnel with the second downstream router based on the appended second IP header;
transmit the first encapsulated packet using the first group keying tunnel to the first downstream router; and
transmit the second encapsulated packet using the second group keying tunnel to the second downstream router.
Dependent claims: 14.
15. A non-transitory computer-readable medium including instructions, executable by at least one processor of a first device, the instructions comprising:
one or more instructions to receive, from a second device, a join request associated with a multicast group, the join request being received via a tunnel established between the first device and the second device;
one or more instructions to determine, in response to the join request, whether another join request had previously been received for the multicast group;
one or more instructions to exchange, via the tunnel, group keys with the second device when another join request had previously been received for the multicast group;
one or more instructions to encapsulate a packet, encrypted using the group keys, to form an encapsulated payload;
one or more instructions to append a header to the encapsulated payload to form an encapsulated packet; and
one or more instructions to forward the encapsulated packet to the second device.
Dependent claims: 16, 17, 18, 19, 20.
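As an added illustration, not code from the patent, the following Python model walks through the flow the abstract and claims 1, 8 and 13 recite: a security association exchange and fresh group keys only on the first join for a multicast group, a single encryption of the multicast packet, and a copy of the encapsulated payload with a distinct outer header for each downstream router's tunnel. The HMAC-SHA256 stream cipher, the "OUT:"/"IN:" header encodings and all addresses are constructed stand-ins.

```python
import os, hmac, hashlib, struct

# Stand-in group cipher (HMAC-SHA256 keystream, encrypt-then-MAC), constructed for
# illustration only; the patent does not name a cipher and a deployment would use an AEAD.
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def group_encrypt(keys, plaintext):
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag                          # the encapsulated payload

def group_decrypt(keys, payload):
    nonce, ct, tag = payload[:12], payload[12:-16], payload[-16:]
    expect = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("encapsulated payload failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(keys["enc"], nonce, len(ct))))

class UpstreamDevice:
    """Tunnel head-end: key per group on first join, encrypt once, replicate per tunnel."""
    def __init__(self):
        self.group_keys = {}    # multicast group -> group keys
        self.members = {}       # multicast group -> downstream routers that joined
        self.sa_exchanges = 0   # how often security association parameters were exchanged

    def on_join(self, group, downstream):
        first = group not in self.group_keys    # had another join already been received?
        if first:                               # only then: SA exchange and new group keys
            self.sa_exchanges += 1
            self.group_keys[group] = {"enc": os.urandom(32), "mac": os.urandom(32)}
        self.members.setdefault(group, set()).add(downstream)
        return first, self.group_keys[group]    # keys travel to the router over its tunnel

    def forward(self, group, inner_packet):
        payload = group_encrypt(self.group_keys[group], inner_packet)   # one encryption
        # copy the payload and prepend a per-downstream outer header for each tunnel
        return [(dst, b"OUT:" + dst.encode() + b"|" + payload)
                for dst in sorted(self.members[group])]

def downstream_receive(keys, me, encapsulated):
    """Tunnel tail-end: check outer header, decrypt, reveal the inner (multicast) header."""
    outer, payload = encapsulated.split(b"|", 1)
    if outer != b"OUT:" + me.encode():
        raise ValueError("outer header not addressed to this router")
    inner_header, data = group_decrypt(keys, payload).split(b"|", 1)
    return inner_header[len(b"IN:"):].decode(), data   # (multicast group, payload)
```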
Specification