Network infrastructure validation of network management frames
First Claim
1. A method for validating network management frames, comprising:
- receiving, by a validating device, a management frame that is not addressed to the validating device from a first device, the management frame comprising a source address identifying a purported source device of the management frame and a destination address identifying at least one destination device on a first interface;
- obtaining a key by the validating device for the purported source device of the management frame from an authentication server accessible via a second interface in response to receiving the management frame not addressed to the validating device; and
- validating, by the validating device, the management frame using the key obtained from the authentication server for the purported source device.
0 Assignments, 0 Petitions
Abstract
A detection-based defense for a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as those sent by rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to validate the management frames and to detect spoofed frames. When a neighboring access point receives a management frame, it obtains a key for the access point sending the frame and validates the management frame using that key.
28 Citations
14 Claims
1. (Independent method claim; quoted in full under First Claim above.) Dependent claims: 2 to 11.

12. An access point, comprising:
- a wireless transceiver;
- a controller coupled to the wireless transceiver for controlling the wireless transceiver; and
- a second transceiver coupled to a network;
- wherein the controller is responsive to the wireless transceiver receiving a management frame not addressed to the wireless transceiver from a first device, the management frame comprising a source address of a purported second access point and is addressed to a wireless client;
- wherein the controller is responsive to receiving the management frame to communicate with an authentication device via the second transceiver to obtain a key for the purported second access point for validating management frames sent by the second access point in response to receiving the management frame not addressed to the wireless transceiver; and
- wherein the controller is configured for determining whether the first device is a rogue device pretending to be the purported second access point by attempting to validate the management frame with the key.
Dependent claims: 13 and 14.
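The abstract and the two independent claims describe one flow: a sending access point attaches a message integrity check (MIC) to each management frame, and a neighboring access point that overhears a frame not addressed to it fetches the purported sender's key from an authentication server over its wired interface, verifies the MIC, and treats a failure as a rogue device impersonating that sender. The following is an added example written for this page, not code from the patent or from any vendor's implementation. It assumes a truncated HMAC-SHA256 as the MIC, a per-access-point key keyed by BSSID, and a dictionary standing in for the authentication server; frame contents are constructed sample values, not real 802.11 frames.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional

# Constructed sample keys standing in for the authentication server's
# per-access-point key store (assumption: one MIC key per AP address).
AUTH_SERVER_KEYS: Dict[str, bytes] = {
    "02:00:00:00:00:01": b"constructed-key-for-ap-1",
    "02:00:00:00:00:02": b"constructed-key-for-ap-2",
}

MIC_LEN = 16  # bytes of truncated HMAC-SHA256 carried in the frame (assumption)


@dataclass(frozen=True)
class MgmtFrame:
    """Simplified management frame carrying only the fields the check needs."""
    src: str          # purported source AP (BSSID) taken from the frame header
    dst: str          # destination: a client address or the broadcast address
    subtype: str      # e.g. "beacon", "deauth", "probe-response"
    body: bytes       # frame body (information elements, reason codes, ...)
    mic: bytes = b""  # signature appended by the sending AP


def mic_input(frame: MgmtFrame) -> bytes:
    """Bytes covered by the MIC: addresses, subtype and body, never the MIC itself."""
    return b"|".join([frame.src.encode(), frame.dst.encode(),
                      frame.subtype.encode(), frame.body])


def compute_mic(frame: MgmtFrame, key: bytes) -> bytes:
    return hmac.new(key, mic_input(frame), hashlib.sha256).digest()[:MIC_LEN]


def sign_frame(frame: MgmtFrame, key: bytes) -> MgmtFrame:
    """What a legitimate AP does to a management frame before transmitting it."""
    return replace(frame, mic=compute_mic(frame, key))


class ValidatingAP:
    """Neighboring AP (or scan-only AP) that checks management frames it overhears."""

    def __init__(self, own_addr: str, auth_lookup: Callable[[str], Optional[bytes]]):
        self.own_addr = own_addr
        self._auth_lookup = auth_lookup  # reached over the wired (second) interface
        self._key_cache: Dict[str, Optional[bytes]] = {}

    def obtain_key(self, src: str) -> Optional[bytes]:
        """Fetch the purported source's key from the auth server on first sight, then cache it."""
        if src not in self._key_cache:
            self._key_cache[src] = self._auth_lookup(src)
        return self._key_cache[src]

    def validate(self, frame: MgmtFrame) -> str:
        """'valid' if the MIC verifies under the purported source's key; 'spoofed' if it
        does not (a device pretending to be src); 'unknown-source' if the auth server has
        no key for src; 'addressed-to-me' for the normal receive path, which this check skips."""
        if frame.dst == self.own_addr:
            return "addressed-to-me"
        key = self.obtain_key(frame.src)
        if key is None:
            return "unknown-source"
        if hmac.compare_digest(compute_mic(frame, key), frame.mic):
            return "valid"
        return "spoofed"


def demo() -> Dict[str, str]:
    """Runs the cases the abstract distinguishes and returns the verdict for each."""
    ap1, client = "02:00:00:00:00:01", "0a:00:00:00:00:99"
    neighbor = ValidatingAP("02:00:00:00:00:02", AUTH_SERVER_KEYS.get)

    genuine = sign_frame(MgmtFrame(ap1, client, "deauth", b"\x00\x07"), AUTH_SERVER_KEYS[ap1])
    # Constructed: same header as the genuine frame, but the MIC was not produced with
    # AP1's key, which is what the neighbor sees when the source address is forged.
    forged = sign_frame(MgmtFrame(ap1, client, "deauth", b"\x00\x07"), b"not-ap1s-key")
    # Constructed: a source address the authentication server has never issued a key for.
    unregistered = MgmtFrame("02:00:00:00:00:ff", client, "beacon", b"ssid", mic=b"\x00" * MIC_LEN)

    return {
        "genuine": neighbor.validate(genuine),
        "forged": neighbor.validate(forged),
        "unregistered": neighbor.validate(unregistered),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The key cache models the claim's "obtain a key ... in response to receiving the management frame": the lookup over the second interface happens the first time a given source address is overheard, and later frames from that source are checked locally. Any frame that fails the check, or that names a source the authentication server does not know, is the event an infrastructure-based rogue-AP detector would report.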
Specification