Security encapsulation of ethernet frames

US 8,379,638 B2
Filed: 09/25/2006
Issued: 02/19/2013
Est. Priority Date: 09/25/2006
Status: Active Grant

First Claim

Patent Images

1. A method for providing security functions to data packets at the data link layer of the Open Systems Interconnection Reference Model, the method comprising:

receiving, at the data link layer, a data packet having an Ethernet frame having an original header and original payload;

encrypting, at the data link layer, the original payload to provide an encrypted payload that is longer than the original payload;

fragmenting, at the data link layer, the encrypted payload into first and second output Ethernet frames if the size of the encrypted payload would result in the first output Ethernet frame exceeding a Path Maximum Transmission Unit limit for the data link layer;

determining an encapsulation header for each of the first and second output Ethernet frames, the encapsulation header including a non-encrypted fragmentation field containing information to enable, at the data link layer, reconstruction of the encrypted payload from the first and second output Ethernet frames;

constructing, at the data link layer, the first and second output Ethernet frames from the original header, the encapsulation header, and the encrypted payload, to provide security functions to the data packet at the data link layer.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for encapsulating data packets at a Data Link Layer to provide security functions. The technique first encrypts a payload to provide an encrypted payload. The encrypted payload is inserted in an output encapsulated frame. Also added to the output encapsulated frame is an encapsulation header that includes security information, such as a security packet index (SPI) value used to identify a security association (SA). Because the output encapsulated frame may now be longer than maximum allowed Ethernet Path Maximum Transmission Unit (PMTU), the encapsulation header also preferably includes a fragmentation field. The fragmentation field supports the ability to fragment the encrypted datagrams into smaller pieces.

69 Citations

View as Search Results

10 Claims

1. A method for providing security functions to data packets at the data link layer of the Open Systems Interconnection Reference Model, the method comprising:
- receiving, at the data link layer, a data packet having an Ethernet frame having an original header and original payload;
  
  encrypting, at the data link layer, the original payload to provide an encrypted payload that is longer than the original payload;
  
  fragmenting, at the data link layer, the encrypted payload into first and second output Ethernet frames if the size of the encrypted payload would result in the first output Ethernet frame exceeding a Path Maximum Transmission Unit limit for the data link layer;
  
  determining an encapsulation header for each of the first and second output Ethernet frames, the encapsulation header including a non-encrypted fragmentation field containing information to enable, at the data link layer, reconstruction of the encrypted payload from the first and second output Ethernet frames;
  
  constructing, at the data link layer, the first and second output Ethernet frames from the original header, the encapsulation header, and the encrypted payload, to provide security functions to the data packet at the data link layer.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 additionally comprising:
    - determining an integrity check value for the encrypted payload.
  - 3. The method of claim 1 additionally comprising:
    - appending the integrity check value to the encrypted payload.
  - 4. The method of claim 1 wherein the Ethernet frame further comprises:
    - a Virtual Network Identifier (VID); and
      
      the first and second output Ethernet frames further comprise the VID.
  - 5. The method of claim 1 wherein the encapsulation header includes a security association comprising a Security Parameters Index (SPI) value.

6. An apparatus operating at the data link layer of the Open Systems Interconnection Reference Model, the apparatus comprising:
- a receiver for receiving, at the data link layer, a data packet having an Ethernet frame having an original header and original payload;
  
  a packet processor communicatively coupled to the receiver, the packet processor configured to;
  
  encrypt, at the data link layer, the original payload to provide an encrypted payload that is longer than the original payload;
  
  fragment, at the data link layer, the encrypted payload into first and second output Ethernet frames if the size of the encrypted payload would result in the first output Ethernet frame exceeding a Path Maximum Transmission Unit limit for the data link layer;
  
  determine an encapsulation header for each of the first and second output Ethernet frames, the encapsulation header including a non-encrypted fragmentation field containing information to enable, at the data link layer, reconstruction of the encrypted payload from the first and second output Ethernet frames; and
  
  construct, at the data link layer, the first and second output Ethernet frames from the original header, the encapsulation header, and the encrypted payload, to provide security functions to the data packet at the data link layer.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus of claim 6 wherein the packet processor further determines an integrity check value for the encrypted payload.
  - 8. The apparatus of claim 7 wherein the packet processor additionally appends the integrity check value to the encrypted payload.
  - 9. The apparatus of claim 6 wherein the Ethernet frame further comprises a Virtual Network Identifier (VID), and the first and second output Ethernet frames further comprise the VID.
  - 10. The apparatus of claim 6 wherein the encapsulation header includes a security association comprising a Security Parameters Index (SPI) value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Certes Networks, Inc.
Original Assignee
Certes Networks, Inc.
Inventors
Swartz, Troy A.
Primary Examiner(s)
Phan, Man

Application Number

US11/526,840
Publication Number

US 20080075073A1
Time in Patent Office

2,339 Days
Field of Search

370/118, 370221-395, 380/256, 709218-238, 713150-171
US Class Current

370/389
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

H04L 63/162   at the data link layer

H04L 63/164   at the network layer

Security encapsulation of ethernet frames

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

10 Claims

Specification

Use Cases

Quick Links

Others

Security encapsulation of ethernet frames

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

10 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others