Network device authentication
First Claim
1. A method comprising:
generating, via a first optical network device comprising one or more ports, a first authentication message comprising first message data and a first authentication code computed based on the first message data and a first key, without accessing a database storing unique credentials for subscribers;
transmitting, via the first optical network device, the first authentication message to a second optical network device;
receiving, via the first optical network device, a second authentication message comprising second message data and a second authentication code generated via the second optical network device based on the second message data and a second key;
generating, via the first optical network device, a third key based on the first key and a second client identification field of the second message data;
generating, via the first optical network device, a third authentication code by applying the third key and a message digest algorithm to the second message data;
authorizing, via the first optical network device, communication between the first optical network device and the second optical network device, at least in part by comparing the second authentication code with the third authentication code; and
when the second authentication code matches the third authentication code, transmitting, via the first optical network device, a third authentication message to the second optical network device, and unblocking at least one of the one or more ports.
Abstract
In general, this disclosure relates to maintaining security between an optical network terminal (ONT) and an optical network aggregation device in an Active Ethernet network. An optical network aggregation device includes one or more optical Ethernet switches that can be adaptively configured to support authentication of one or more ONTs. For example, the optical network aggregation device may include a controller with an authentication unit for managing ONT authentication and an optical Ethernet interface for transmitting and receiving data over the optical network. The authentication unit may exchange authentication request messages via the optical Ethernet interface with an ONT and grant the ONT access to the provider network based on the exchange, thereby preventing rogue devices from gaining access to the provider network.
33 Claims
1. A method comprising:
generating, via a first optical network device comprising one or more ports, a first authentication message comprising first message data and a first authentication code computed based on the first message data and a first key, without accessing a database storing unique credentials for subscribers;
transmitting, via the first optical network device, the first authentication message to a second optical network device;
receiving, via the first optical network device, a second authentication message comprising second message data and a second authentication code generated via the second optical network device based on the second message data and a second key;
generating, via the first optical network device, a third key based on the first key and a second client identification field of the second message data;
generating, via the first optical network device, a third authentication code by applying the third key and a message digest algorithm to the second message data;
authorizing, via the first optical network device, communication between the first optical network device and the second optical network device, at least in part by comparing the second authentication code with the third authentication code; and
when the second authentication code matches the third authentication code, transmitting, via the first optical network device, a third authentication message to the second optical network device, and unblocking at least one of the one or more ports.
(Dependent claims 2 through 8 are not reproduced here.)

9. An optical network device comprising one or more ports and a processor configured to:
generate a first authentication message comprising first message data and a first authentication code computed based on the first message data and a first key, without accessing a database storing unique credentials for subscribers;
transmit the first authentication message to a second optical network device;
receive a second authentication message comprising second message data and a second authentication code generated via the second optical network device based on the second message data and a second key;
generate a third key based on the first key and a second client identification field of the second message data;
generate a third authentication code by applying the third key and a message digest algorithm to the second message data;
authorize communication between the optical network device and the second optical network device, at least in part by comparing the second authentication code with the third authentication code; and
when the second authentication code matches the third authentication code, transmit a third authentication message to the second optical network device, and unblock at least one of the one or more ports.
(Dependent claims 10 through 16 are not reproduced here.)

17. A non-transitory computer-readable storage medium comprising instructions that, upon execution, cause one or more processors of a first optical network device comprising one or more ports to:
generate a first authentication message comprising first message data and a first authentication code computed based on the first message data and a first key, without accessing a database storing unique credentials for subscribers;
transmit the first authentication message to a second optical network device;
receive a second authentication message comprising second message data and a second authentication code generated via the second optical network device based on the second message data and a second key;
generate a third key based on the first key and a second client identification field of the second message data;
generate a third authentication code by applying the third key and a message digest algorithm to the second message data;
authorize, via the first optical network device, communication between the first optical network device and the second optical network device, at least in part by comparing the second authentication code with the third authentication code; and
when the second authentication code matches the third authentication code, transmit a third authentication message to the second optical network device, and unblock at least one of the one or more ports.
(Dependent claims 18 through 24 are not reproduced here.)

25. An optical network device comprising:
one or more ports;
means for generating a first authentication message comprising first message data and a first authentication code computed based on the first message data and a first key, without accessing a database storing unique credentials for subscribers;
means for transmitting the first authentication message to a second optical network device;
means for receiving a second authentication message comprising second message data and a second authentication code generated via the second optical network device based on the second message data and a second key;
means for generating a third key based on the first key and a second client identification field of the second message data;
means for generating a third authentication code by applying the third key and a message digest algorithm to the second message data;
means for authorizing communication between the optical network device and the second optical network device, at least in part by comparing the second authentication code with the third authentication code; and
means for, when the second authentication code matches the third authentication code, transmitting a third authentication message to the second optical network device, and unblocking at least one of the one or more ports.
(Dependent claims 26 through 32 are not reproduced here.)

33. A system comprising:
an optical network termination device; and
an optical network aggregation device, wherein the optical network aggregation device comprises one or more ports and one or more processors configured to:
generate a first authentication message comprising first message data and a first authentication code computed based on the first message data and a first key, without accessing a database storing unique credentials for subscribers;
transmit the first authentication message to the optical network termination device;
receive a second authentication message comprising second message data and a second authentication code generated via the second optical network device based on the second message data and a second key;
generate a third key based on the first key and a second client identification field of the second message data;
generate a third authentication code by applying the third key and a message digest algorithm to the second message data;
authorize communication between the optical network aggregation device and the optical network termination device, at least in part by comparing the second authentication code with the third authentication code; and
when the second authentication code matches the third authentication code, transmit a third authentication message to the second optical network device, and unblock at least one of the one or more ports.
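The three-message exchange recited in independent claims 1, 9, 17, 25 and 33, modelled end to end in Python as an added example; this is not code from the patent or its assignee. The claims leave several details open, and the example fills them with labelled assumptions: HMAC-SHA256 stands in for the "message digest algorithm"; the third key is derived as HMAC(first key, client identification field), so a legitimately provisioned ONT holds exactly that value as its second key; each first message carries a fresh nonce that the second message must echo, so that a recorded second message cannot be replayed; and the device identifiers and keys are constructed for the example.

```python
"""Model of the claimed ONT / aggregation-device authentication exchange.

Added example, not the patent's own code. Assumptions the claims do not fix:
HMAC-SHA256 as the message digest algorithm, HMAC as the key derivation for
the third key, a nonce field for freshness, and constructed keys and IDs.
"""
import hmac
import secrets

DIGEST = "sha256"  # assumed message digest algorithm


def encode_fields(*fields: bytes) -> bytes:
    """Length-prefix each field so the MAC covers an unambiguous encoding."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def decode_fields(blob: bytes) -> list:
    fields, i = [], 0
    while i + 2 <= len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        fields.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return fields


def derive_key(first_key: bytes, client_id: bytes) -> bytes:
    """Third key from the first key and the client identification field (assumed KDF)."""
    return hmac.new(first_key, client_id, DIGEST).digest()


def auth_code(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, DIGEST).digest()


class AggregationDevice:
    """First optical network device: one provisioned key, no subscriber database."""

    def __init__(self, device_id: bytes, first_key: bytes):
        self.device_id, self.first_key = device_id, first_key
        self.port_blocked = True   # port stays blocked until authentication succeeds
        self.nonce = None

    def first_message(self):
        self.nonce = secrets.token_bytes(16)  # fresh per exchange (assumed field)
        data1 = encode_fields(b"AUTH_REQ", self.device_id, self.nonce)
        return data1, auth_code(self.first_key, data1)

    def handle_second_message(self, data2: bytes, code2: bytes):
        """Return the third message on success, None if the ONT is rejected."""
        fields = decode_fields(data2)
        if len(fields) != 3 or fields[0] != b"AUTH_RESP":
            return None
        _, client_id, echoed = fields
        if self.nonce is None or not hmac.compare_digest(echoed, self.nonce):
            return None  # stale or replayed second message
        third_key = derive_key(self.first_key, client_id)   # from key 1 + client ID field
        code3 = auth_code(third_key, data2)                  # digest over second message data
        if not hmac.compare_digest(code2, code3):
            return None  # rogue ONT: port remains blocked
        self.port_blocked = False
        self.nonce = None  # each nonce is accepted once
        data3 = encode_fields(b"AUTH_OK", client_id, echoed)
        return data3, auth_code(third_key, data3)


class ONT:
    """Second optical network device holding its per-client second key."""

    def __init__(self, client_id: bytes, second_key: bytes):
        self.client_id, self.second_key = client_id, second_key
        self.authenticated = False

    def second_message(self, data1: bytes):
        fields = decode_fields(data1)
        nonce = fields[2] if len(fields) == 3 else b""
        data2 = encode_fields(b"AUTH_RESP", self.client_id, nonce)
        return data2, auth_code(self.second_key, data2)

    def accept_third_message(self, data3: bytes, code3: bytes) -> bool:
        # Not required by the claims; because the third key equals a legitimate
        # ONT's second key, the ONT can verify the aggregation device as well.
        self.authenticated = hmac.compare_digest(code3, auth_code(self.second_key, data3))
        return self.authenticated


def run_exchange(first_key: bytes, ont: ONT) -> bool:
    """Run one full exchange; True when the port is unblocked and the ONT accepted msg 3."""
    agg = AggregationDevice(b"OLT-1", first_key)
    data1, _code1 = agg.first_message()
    data2, code2 = ont.second_message(data1)
    reply = agg.handle_second_message(data2, code2)
    if reply is None:
        return False
    ont.accept_third_message(*reply)
    return not agg.port_blocked and ont.authenticated


FIRST_KEY = bytes(range(32))  # constructed for the example; provision a real key in practice

if __name__ == "__main__":
    legit = ONT(b"ont-0042", derive_key(FIRST_KEY, b"ont-0042"))
    rogue = ONT(b"ont-0042", b"guess" * 6)
    print("legitimate ONT:", run_exchange(FIRST_KEY, legit))
    print("rogue ONT:", run_exchange(FIRST_KEY, rogue))
```

The aggregation side holds only `FIRST_KEY` and re-derives the per-ONT key from the identification field the ONT itself sends, which is what lets it decide without a subscriber database. The same property is the caveat a practitioner should note: the first key is effectively a master key, since anyone who extracts it from the aggregation device can mint a valid second key for any client ID, and a leaked ONT key cannot be revoked without the very list the claims avoid. The claims also require only the first device to verify; the ONT has no way to check the first message's code, and only the third message (keyed with the same derived key) gives it any assurance about its peer.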
Specification