Network infrastructure validation of network management frames

US 8,533,832 B2
Filed: 04/25/2012
Issued: 09/10/2013
Est. Priority Date: 10/16/2003
Status: Expired due to Term

First Claim

Patent Images

1. A method for validating network management frames, comprising:

receiving, by a validating device, a management frame that is not addressed to the validating device from a first device via a first interface, the management frame comprising a source address identifying a purported source device of the management frame and a destination address identifying at least one destination device on a first interface;

obtaining a key by the validating device for the purported source device of the management frame from the purported source device via a second interface in response to receiving the management frame not addressed to the validating device;

wherein the obtaining further comprises;

establishing, via the second interface, a secure communication session with the purported source device and sending a request to the purported source device for a key to validate management frames of the purported source device;

and validating, by the validating device, the management frame using the key obtained from the purported source device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A detection-based defense to a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to be able to validate the management frames, and to detect spoofed frames. When a neighboring access point receives a management frame, obtains a key for the access point sending the frame, and validates the management frame using the key.

Citations

16 Claims

1. A method for validating network management frames, comprising:
- receiving, by a validating device, a management frame that is not addressed to the validating device from a first device via a first interface, the management frame comprising a source address identifying a purported source device of the management frame and a destination address identifying at least one destination device on a first interface;
  
  obtaining a key by the validating device for the purported source device of the management frame from the purported source device via a second interface in response to receiving the management frame not addressed to the validating device;
  
  wherein the obtaining further comprises;
  
  establishing, via the second interface, a secure communication session with the purported source device and sending a request to the purported source device for a key to validate management frames of the purported source device;
  
  and validating, by the validating device, the management frame using the key obtained from the purported source device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - authenticating with a security server on the network;
      
      and receiving a key from the security server.
  - 3. The method of claim 1, further comprising:
    - obtaining a new key for the purported source device after a rekey request;
      
      and validating subsequent management frames having the source address identifying the purported source device received via the first interface using the new key.
  - 4. The method of claim 1, the management frame further comprising a signature, and wherein the validating further comprising validating the signature.
  - 5. The method of claim 4, the signature further comprising a time stamp.
  - 6. The method of claim 4, the signature further comprising a sequence number.
  - 7. The method of claim 4, the signature further comprising a time stamp and a sequence number.
  - 8. The method of claim 7, wherein validating further comprises determining the management frame is invalid when the timestamp is older than a predetermined criteria.
  - 9. The method of claim 4, wherein the signature is contained within an information element appended to the management frame.
  - 10. The method of claim 1, wherein the management frame is one of a beacon, a probe request, a probe response, an association request, an association response, Deauthentication, Authentication and Disassociation.
  - 11. The method of claim 1, wherein the purported source device is a neighboring access point.

12. An access point, comprising:
- a wireless transceiver;
  
  a controller coupled to the wireless transceiver for controlling the wireless transceiver;
  
  a second transceiver coupled to a network;
  
  and a memory comprising programmed instructions, executed by the controller, to cause the access point to;
  
  receive a management frame that is not addressed to the access point from a first device via the wireless transceiver, the management frame comprising a source address identifying a purported second access point and is addressed to a wireless client;
  
  obtain a key for the purported second access point via the second transceiver in response to receiving the management frame not addressed to the access point;
  
  wherein the access point establishes, via the second transceiver, a secure communication session with the purported second access point and sends a request to the purported second access point for a key to validate management frames of the purported second access point;
  
  and determine whether the first device is a rogue device pretending to be the purported second access point by attempting to validate the management frame with the key.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The access point set forth in claim 12, wherein the programmed instructions cause the access point to authenticate with a security server on the network;
    - and to receive the key from the security server via the second transceiver.
  - 14. The access point set forth in claim 12, wherein the programmed instructions cause the access point to validates the management frame by validating an information element comprising a message integrity check within the management frame with the key for validating management frames.
  - 15. The access point set forth in claim 14, wherein the information element further comprises a timestamp;
    - and wherein the access point further validates the management frame by validating the timestamp.
  - 16. The access point set forth in claim 14, wherein the information element further comprises a sequence number;
    - and wherein the access point further validates the management frame by validating the sequence number.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cam Winget, Nancy, Krischer, Mark, Yang, Sheausong, Sanzgiri, Ajit, Olson, Timothy, Shuen, Pauline
Primary Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US13/455,474
Publication Number

US 20120210395A1
Time in Patent Office

503 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 41/00   Arrangements for maintenanc...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/1408   by monitoring network traff...

H04W 12/04   Key management, e.g. using ...

H04W 12/10   Integrity

H04W 12/12   Detection or prevention of ...

H04W 12/122   Counter-measures against at...

H04W 12/61   Time-dependent

H04W 84/12   WLAN [Wireless Local Area N...

H04W 88/08   Access point devices

Network infrastructure validation of network management frames

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Network infrastructure validation of network management frames

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links