Network device authentication

US 8,495,371 B2
Filed: 01/06/2010
Issued: 07/23/2013
Est. Priority Date: 01/06/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating, via a first optical network device comprising one or more ports, a first authentication message comprising first message data and a first authentication code computed based on the first message data and a first key, without accessing a database storing unique credentials for subscribers;

transmitting, via the first optical network device, the first authentication message to a second optical network device;

receiving, via the first optical network device, a second authentication message comprising second message data and a second authentication code generated via the second optical network device based on the second message data and a second key;

generating, via the first optical network device, a third key based on the first key and a second client identification field of the second message data;

generating, via the first optical network device, a third authentication code by applying the third key and a message digest algorithm to the second message data;

authorizing, via the first optical network device, communication between the first optical network device and the second optical network device, at least in part by comparing the second authentication code with the third authentication code; and

when the second authentication code matches the third authentication code, transmitting, via the first optical network device, a third authentication message to the second optical network device, and unblocking at least one of the one or more ports.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, this disclosure relates to maintaining security between an optical network terminal (ONT) and an optical network aggregation device in an Active Ethernet network. An optical network aggregation device includes one or more optical Ethernet switches that can be adaptively configured to support authentication of one or more ONTs. For example, the optical network aggregation device may include a controller with an authentication unit for managing ONT authentication and an optical Ethernet interface for transmitting and receiving data over the optical network. The authentication unit may exchange authentication request messages via the optical Ethernet interface with an ONT and grant the ONT access to the provider network based on the exchange, thereby preventing rogue devices from gaining access to the provider network.

19 Citations

View as Search Results

33 Claims

1. A method comprising:
- generating, via a first optical network device comprising one or more ports, a first authentication message comprising first message data and a first authentication code computed based on the first message data and a first key, without accessing a database storing unique credentials for subscribers;
  
  transmitting, via the first optical network device, the first authentication message to a second optical network device;
  
  receiving, via the first optical network device, a second authentication message comprising second message data and a second authentication code generated via the second optical network device based on the second message data and a second key;
  
  generating, via the first optical network device, a third key based on the first key and a second client identification field of the second message data;
  
  generating, via the first optical network device, a third authentication code by applying the third key and a message digest algorithm to the second message data;
  
  authorizing, via the first optical network device, communication between the first optical network device and the second optical network device, at least in part by comparing the second authentication code with the third authentication code; and
  
  when the second authentication code matches the third authentication code, transmitting, via the first optical network device, a third authentication message to the second optical network device, and unblocking at least one of the one or more ports.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1,wherein computing the first authentication code comprises applying the first key and the message digest algorithm to the first message data, andwherein computing the second authentication code comprises applying the second key and the message digest algorithm to the second message data.
  - 3. The method of claim 1, wherein generating the first authentication message comprises:
    - generating the first authentication code by applying the first key and the message digest algorithm to the first message data; and
      
      applying a layer two header comprising a reserved media access control address to the first authentication message.
  - 4. The method of claim 1, wherein the first key is the same as the second key.
  - 5. The method of claim 1, wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, and a client configuration field, andwherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, and the client configuration field.
  - 6. The method of claim 1, further comprising receiving, from an administration interface of the first optical network device, configuration information comprising a key corresponding to at least one of a model, a type, and a manufacturer of the second optical network device.
  - 7. The method of claim 1, wherein the first optical network device is an optical network aggregation device, and wherein the second optical network device is an optical network termination device.
  - 8. The method of claim 1, wherein the message digest algorithm is based on at least one of a model, a type, and a manufacturer of the second optical network device.

9. An optical network device comprising one or more ports and a processor configured to:
- generate a first authentication message comprising first message data and a first authentication code computed based on the first message data and a first key, without accessing a database storing unique credentials for subscribers;
  
  transmit the first authentication message to a second optical network device;
  
  receive a second authentication message comprising second message data and a second authentication code generated via the second optical network device based on the second message data and a second key;
  
  generate a third key based on the first key and a second client identification field of the second message data;
  
  generating a third authentication code by applying the third key and a message digest algorithm to the second message data;
  
  authorize communication between the optical network device and the second optical network device, at least in part by comparing the second authentication code with the third authentication code; and
  
  when the second authentication code matches the third authentication code, transmit a third authentication message to the second optical network device, and unblock at least one of the one or more ports.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The optical network device of claim 9, wherein the processor is further configured to:
    - compute the first authentication code by applying the first key and the message digest algorithm to the first message data; and
      
      receive the second authentication code, wherein the second authentication code is generated via the second optical network device by applying the second key and the message digest algorithm to the second message data.
  - 11. The optical network device of claim 9, wherein the processor is further configured to:
    - generate the first authentication message by applying the first key and the message digest algorithm to the first message data; and
      
      apply a layer two header comprising a reserved media access control address to the first authentication message.
  - 12. The optical network device of claim 9, wherein the first key is the same as the second key.
  - 13. The optical network device of claim 9,wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, and a client configuration field, andwherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, and the client configuration field.
  - 14. The optical network device of claim 9, wherein the processor is further configured to receive, from an administration interface of the optical network device, configuration information comprising a key corresponding to at least one of a model, a type, and a manufacturer of the second optical network device.
  - 15. The optical network device of claim 9, wherein the optical network device is an optical network aggregation device, and wherein the second optical network device is an optical network termination device.
  - 16. The optical network device of claim 9, wherein the message digest algorithm is based on at least one of a model, a type, and a manufacturer of the second optical network device.

17. A non-transitory computer-readable storage medium comprising instructions that, upon execution, cause one or more processors of a first optical network device comprising one or more ports to:
- generate, a first authentication message comprising first message data and a first authentication code computed based on the first message data and a first key, without accessing a database storing unique credentials for subscribers;
  
  transmit the first authentication message to a second optical network device;
  
  receive a second authentication message comprising second message data and a second authentication code generated via the second optical network device based on the second message data and a second key;
  
  generate a third key based on the first key and a second client identification field of the second message data;
  
  generate a third authentication code by applying the third key and a message digest algorithm to the second message data; and
  
  authorize, via the first optical network device, communication between the first optical network device and the second optical network device, at least in part by comparing the second authentication code with the third authentication code; and
  
  when the second authentication code matches the third authentication code, transmit a third authentication message to the second optical network device, and unblock at least one of the one or more ports.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory computer-readable storage medium of claim 17,wherein the instructions that, upon execution, cause the one or more processors to compute the first authentication code further comprise instructions that cause the one or more processor to apply the first key and the message digest algorithm to the first message data, andwherein the second authentication code generated via the second optical network device is generated by applying the second key and the message digest algorithm to the second message data.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the instructions that, upon execution, cause the one or more processors to generate the first authentication message further comprise instructions that cause the one or more processors to:
    - generate the first authentication code by applying the first key and the message digest algorithm to the first message data; and
      
      apply a layer two header comprising a reserved media access control address to the first authentication message.
  - 20. The non-transitory computer-readable storage medium of claim 17, wherein the first key is the same as the second key.
  - 21. The non-transitory computer-readable storage medium of claim 17,wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, and a client configuration field, andwherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, and the client configuration field.
  - 22. The non-transitory computer-readable storage medium of claim 17, further comprising instructions that, upon execution, cause the one or more processors to receive, from an administration interface of the first optical network device, configuration information comprising a key corresponding to at least one of a model, a type, and a manufacturer of the second optical network device.
  - 23. The non-transitory computer-readable storage medium of claim 17, wherein the first optical network device is an optical network aggregation device, and wherein the second optical network device is an optical network termination device.
  - 24. The non-transitory computer-readable storage medium of claim 17, wherein the message digest algorithm is based on at least one of a model, a type, and a manufacturer of the second optical network device.

25. An optical network device comprising:
- one or more ports;
  
  means for generating a first authentication message comprising first message data and a first authentication code computed based on the first message data and a first key, without accessing a database storing unique credentials for subscribers;
  
  means for transmitting the first authentication message to a second optical network device;
  
  means for receiving a second authentication message comprising second message data and a second authentication code generated via the second optical network device based on the second message data and a second key;
  
  means for generating a third key based on the first key and a second client identification field of the second message data;
  
  means for generating a third authentication code by applying the third key and a message digest algorithm to the second message data;
  
  means for authorizing communication between the optical network device and the second optical network device, at least in part by comparing the second authentication code with the third authentication code; and
  
  means for, when the second authentication code matches the third authentication code, transmitting a third authentication message to the second optical network device, and unblocking at least one of the one or more ports.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The optical network device of claim 25,wherein the means for computing the first authentication code comprises means for applying the first key and the message digest algorithm to the first message data, andwherein the second authentication code generated via the second optical network device is generated by applying the second key and the message digest algorithm to the second message data.
  - 27. The optical network device of claim 25, wherein the means for generating the first authentication message comprises:
    - means for generating the first authentication code by applying the first key and the message digest algorithm to the first message data; and
      
      means for applying a layer two header comprising a reserved media access control address to the first authentication message.
  - 28. The optical network device of claim 25, wherein the first key is the same as the second key.
  - 29. The optical network device of claim 25, wherein the first message data comprises a message type field, a server identification field, a server opaque data field, a first client type field, and a client configuration field, andwherein the second message data comprises the message type field, the server identification field, the server opaque data field, a second client type field, and the client configuration field.
  - 30. The optical network device of claim 25, further comprising means for receiving, from an administration interface of the optical network device, configuration information comprising a key corresponding to at least one of a model, a type, and a manufacturer of the second optical network device.
  - 31. The optical network device of claim 25, wherein the optical network device is an optical network aggregation device, and wherein the second optical network device is an optical network termination device.
  - 32. The optical network device of claim 25, wherein the message digest algorithm is based on at least one of a model, a type, and a manufacturer of the second optical network device.

33. A system comprising:
- an optical network termination device; and
  
  an optical network aggregation device, wherein the optical network aggregation device comprises one or more ports and one or more processors configured to;
  
  generate a first authentication message comprising first message data and a first authentication code computed based on the first message data and a first key, without accessing a database storing unique credentials for subscribers;
  
  transmit the first authentication message to the optical network termination device;
  
  receive a second authentication message comprising second message data and a second authentication code generated via the second optical network device based on the second message data and a second key;
  
  generate a third key based on the first key and a second client identification field of the second message data;
  
  generate a third authentication code by applying the third key and a message digest algorithm to the second message data;
  
  authorize communication between the optical network aggregation device and the optical network termination device, at least in part by comparing the second authentication code with the third authentication code; and
  
  when the second authentication code matches the third authentication code, transmit a third authentication message to the second optical network device, and unblock at least one of the one or more ports.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Calix Incorporated
Original Assignee
Calix Incorporated
Inventors
Baykal, Berkay, Missett, Shaun Noel
Primary Examiner(s)
Dada, Beemnet
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US12/652,949
Publication Number

US 20110167268A1
Time in Patent Office

1,294 Days
Field of Search

713/169, 713/150, 713/155, 713/168, 726/2, 726/3, 726/5, 726/6, 726/7, 726/9, 726/17, 455/561, 340/5.8
US Class Current

713/169
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless network architectu...

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04L 9/3226   using a predetermined code,...

Network device authentication

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Network device authentication

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links