Network device authentication

US 8,312,275 B2
Filed: 01/06/2010
Issued: 11/13/2012
Est. Priority Date: 01/06/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating, via a first optical network device of an optical network, a notification message indicating that the first optical network device requires authentication to access the optical network;

transmitting, via the first optical network device, the notification message to a second optical network device in the optical network;

receiving, via the first optical network device, a first authentication message from the second optical network device in response to the notification message, wherein the first authentication message comprises first message data and a first authentication code generated by the second optical network device based on the first message data and a first key;

generating, via the first optical network device, a second authentication message comprising second message data and a second authentication code generated based on the second message data and a second key;

transmitting, via the first optical network device, the second authentication message to the second optical network device; and

receiving, via the first optical network device, an authentication complete message from the second optical network device indicating that the first optical network device has been authenticated based on the second authentication message and is able to access the optical network.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, this disclosure relates to maintaining security between an optical network terminal (ONT) and an optical network aggregation device in an Active Ethernet network. An optical network aggregation device includes one or more optical Ethernet switches that can be adaptively configured to support authentication of one or more ONTs. For example, the optical network aggregation device may include a controller with an authentication unit for managing ONT authentication and an optical Ethernet interface for transmitting and receiving data over the optical network. The authentication unit may exchange authentication request messages via the optical Ethernet interface with an ONT and grant the ONT access to the provider network based on the exchange, thereby preventing rogue devices from gaining access to the provider network.

Citations

29 Claims

1. A method comprising:
- generating, via a first optical network device of an optical network, a notification message indicating that the first optical network device requires authentication to access the optical network;
  
  transmitting, via the first optical network device, the notification message to a second optical network device in the optical network;
  
  receiving, via the first optical network device, a first authentication message from the second optical network device in response to the notification message, wherein the first authentication message comprises first message data and a first authentication code generated by the second optical network device based on the first message data and a first key;
  
  generating, via the first optical network device, a second authentication message comprising second message data and a second authentication code generated based on the second message data and a second key;
  
  transmitting, via the first optical network device, the second authentication message to the second optical network device; and
  
  receiving, via the first optical network device, an authentication complete message from the second optical network device indicating that the first optical network device has been authenticated based on the second authentication message and is able to access the optical network.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the first optical network device comprises one or more ports for sending and receiving network data to a set of client devices, and wherein the first optical network device, in response to receiving the authentication complete message, unblocks at least one of the one or more ports.
  - 3. The method of claim 1, wherein generating the second authentication code comprises:
    - applying the first key to a client ID in order to generate the second key; and
      
      applying the second key to the second message data.
  - 4. The method of claim 1, wherein generating the second authentication code comprises applying the first key and a message digest algorithm to the second message data.
  - 5. The method of claim 1, wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, a first client identification field, and a client configuration field, and wherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, a second client identification field, and the client configuration field.
  - 6. The method of claim 5, wherein generating the second authentication message further comprises:
    - setting, via the first optical network device, the second client type field to the client type of the first optical network device; and
      
      setting, via the first optical network device, the second client identification field to at least one of a serial number of the first optical network device, a Media Access Control (MAC) address of the first optical network device, and a programmable value that uniquely identifies the first optical network device.
  - 7. The method of claim 1, wherein the first optical network device is an optical network termination device, and wherein the second optical network device is an optical network aggregation device.

8. An optical network device of an optical network comprising a processor configured to:
- generate a notification message indicating that the optical network device requires authentication to access the optical network;
  
  transmit the notification message to a second optical network device in the optical network;
  
  receive a first authentication message from the second optical network device in response to the notification message, wherein the first authentication message comprises first message data and a first authentication code, wherein the first authentication code is generated by the second optical network device based on the first message data and a first key;
  
  generate a second authentication message comprising second message data and a second authentication code generated based on the second message data and a second key;
  
  transmit the second authentication message to the second optical network device; and
  
  receive an authentication complete message from the second optical network device indicating that the optical network device has been authenticated based on the second authentication message and is able to access the optical network.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The optical network device of claim 8, wherein the optical network device comprises one or more ports for sending and receiving network data to a set of client devices, and wherein the optical network device, in response to receiving the authentication complete message, unblocks at least one of the one or more ports.
  - 10. The optical network device of claim 8, wherein the processor that is configured to generate the second authentication code is further configured to:
    - apply the first key to a client ID in order to generate the second key; and
      
      apply the second key to the second message data.
  - 11. The optical network device of claim 8, wherein the processor that is configured togenerate the second authentication code is further configured to apply the first key and a message digest algorithm to the second message data.
  - 12. The optical network device of claim 8, wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, a first client identification field, and a client configuration field, and wherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, a second client identification field, and the client configuration field.
  - 13. The optical network device of claim 12, wherein the processor that is configured to generate the second authentication code is further configured to:
    - set the second client type field to the client type of the optical network device; and
      
      set the second client identification field to at least one of a serial number of the optical network device, a Media Access Control (MAC) address of the optical network device, and a programmable value that uniquely identifies the optical network device.
  - 14. The optical network device of claim 8, wherein the optical network device is an optical network termination device, and wherein the second optical network device is an optical network aggregation device.

15. A non-transitory computer-readable storage medium comprising instructions that, upon execution, cause one or more processors to:
- generate, via a first optical network device of an optical network, a notification message indicating that the first optical network device requires authentication to access the optical network;
  
  transmit, via the first optical network device, the notification message to a second optical network device in the optical network;
  
  receive, via the first optical network device, a first authentication message from the second optical network device in response to the notification message, wherein the first authentication message comprises first message data and a first authentication code generated by the second optical network device based on the first message data and a first key;
  
  generate, via the first optical network device, a second authentication message comprising second message data and a second authentication code generated based on the second message data and a second key;
  
  transmit, via the first optical network device, the second authentication message to the second optical network device; and
  
  receive, via the first optical network device, an authentication complete message from the second optical network device indicating that the first optical network device has been authenticated based on the second authentication message and is able to access the optical network.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer-readable storage medium of claim 15,wherein the first optical network device comprises one or more ports for sending and receiving network data to a set of client devices, andwherein the instructions that, upon execution, cause the one or more processors to receive the authentication complete message further comprise instructions that cause the one or more processors to unblock at least one of the one or more ports.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the instructions that, upon execution, cause the one or more processors to generate the second authentication code further comprise instructions that cause the one or more processors to:
    - apply the first key to a client ID in order to generate the second key; and
      
      apply the second key to the second message data.
  - 18. The non-transitory computer-readable storage medium of claim 15, wherein the instructions that, upon execution, cause the one or more processors to generate the second authentication code further comprise instructions that cause the one or more processors to apply the first key and a message digest algorithm to the second message data.
  - 19. The non-transitory computer-readable storage medium of claim 15, wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, a first client identification field, and a client configuration field, and wherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, a second client identification field, and the client configuration field.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the instructions that, upon execution, cause the one or more processors to generate the second authentication message further comprise instructions that cause the one or more processors to:
    - set, via the first optical network device, the second client type field to the client type of the first optical network device; and
      
      set, via the first optical network device, the second client identification field to at least one of a serial number of the first optical network device, a Media Access Control (MAC) address of the first optical network device, and a programmable value that uniquely identifies the first optical network device.
  - 21. The non-transitory computer-readable storage medium of claim 15, wherein the first optical network device is an optical network termination device, and wherein the second optical network device is an optical network aggregation device.

22. An optical network device of an optical network comprising:
- means for generating a notification message indicating that the optical network device requires authentication to access the optical network;
  
  means for transmitting the notification message to a second optical network device in the optical network;
  
  means for receiving a first authentication message from the second optical network device in response to the notification message, wherein the first authentication message comprises first message data and a first authentication code generated by the second optical network device based on the first message data and a first key;
  
  means for generating a second authentication message comprising second message data and a second authentication code generated based on the second message data and a second key;
  
  means for transmitting the second authentication message to the second optical network device; and
  
  means for receiving an authentication complete message from the second optical network device indicating that the optical network device has been authenticated based on the second authentication message and is able to access the optical network.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The optical network device of claim 22, further comprising one or more ports for sending and receiving network data to a set of client devices, wherein the optical network device comprises means for unblocking at least one of the one or more ports in response to receiving the authentication complete message.
  - 24. The optical network device of claim 22, wherein the means for generating the second authentication code comprises:
    - means for applying the first key to a client ID in order to generate the second key; and
      
      means for applying the second key to the second message data.
  - 25. The optical network device of claim 22, wherein the means for generating the second authentication code comprises means for applying the first key and a message digest algorithm to the second message data.
  - 26. The optical network device of claim 22, wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, a first client identification field, and a client configuration field, and wherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, a second client identification field, and the client configuration field.
  - 27. The optical network device of claim 26, wherein the means for generating the second authentication message further comprises:
    - means for setting the second client type field to the client type of the first optical network device; and
      
      means for setting the second client identification field to at least one of a serial number of the first optical network device, a Media Access Control (MAC) address of the first optical network device, and a programmable value that uniquely identifies the first optical network device.
  - 28. The optical network device of claim 22, wherein the first optical network device is an optical network termination device, and wherein the second optical network device is an optical network aggregation device.

29. A system comprising:
- an optical network aggregation device included within an optical network; and
  
  an optical network termination device included within the optical network, wherein the optical network termination device comprises a processor configured to;
  
  generate a notification message indicating that the optical network termination device requires authentication to access the optical network;
  
  transmit the notification message to the optical network aggregation device;
  
  receive a first authentication message from the optical network aggregation device in response to the notification message, wherein the first authentication message comprises first message data and a first authentication code generated by the optical network aggregation device based on the first message data and a first key;
  
  generate a second authentication message comprising second message data and a second authentication code generated based on the second message data and a second key;
  
  transmit the second authentication message to the optical network aggregation device; and
  
  receive an authentication complete message from the optical network aggregation device indicating that the optical network termination device has been authenticated based on the second authentication message and is able to access the optical network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Calix Incorporated
Original Assignee
Calix Incorporated
Inventors
Baykal, Berkay, Missett, Shaun Noel
Primary Examiner(s)
Zee, Edward

Application Number

US12/652,957
Publication Number

US 20110167269A1
Time in Patent Office

1,042 Days
Field of Search

726 2- 4, 713/153, 713/169, 713/170, 713/181, 709/225, 709/250
US Class Current

713/170
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

H04L 9/3226   using a predetermined code,...

Network device authentication

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Network device authentication

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links