Network infrastructure validation of network management frames
Abstract
A detection-based defense for a wireless network. Elements of the infrastructure, e.g., access points or scanning-only access points, detect intruders by detecting spoofed frames, such as from rogue access points. Access points include a signature, such as a message integrity check, with their management frames in a manner that enables neighboring access points to validate the management frames and to detect spoofed frames. When a neighboring access point receives a management frame, it obtains a key for the access point sending the frame and validates the management frame using the key.
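The validation flow in the abstract, sketched as an added example that is not taken from the patent: a neighboring access point overhears a management frame, fetches the purported source's key over its second interface, and checks the message integrity check. HMAC-SHA256 as the MIC, the frame layout, the key cache, and all names, addresses and keys are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class MgmtFrame:               # constructed layout, not an 802.11 parser
    src: str                   # purported source access point
    dst: str                   # destination (e.g. a wireless client)
    body: bytes                # management payload
    mic: bytes                 # message integrity check carried with the frame

def compute_mic(key: bytes, src: str, dst: str, body: bytes) -> bytes:
    # Assumption: MIC = HMAC-SHA256 over both addresses and the body, so a
    # tag cannot be lifted from one frame and reused under another source.
    msg = src.encode() + b"|" + dst.encode() + b"|" + body
    return hmac.new(key, msg, hashlib.sha256).digest()

class ValidatingAP:
    def __init__(self, own_addr: str, fetch_key: Callable[[str], Optional[bytes]]):
        self.own_addr = own_addr
        self.fetch_key = fetch_key        # stands in for the secure session on the second interface
        self.keys: Dict[str, bytes] = {}  # assumption: fetched keys are cached

    def check(self, frame: MgmtFrame) -> str:
        if frame.dst == self.own_addr:
            return "not-applicable"       # the claims cover frames NOT addressed to the validator
        key = self.keys.get(frame.src)
        if key is None:
            key = self.fetch_key(frame.src)   # key request triggered by the overheard frame
            if key is None:
                return "unknown-source"   # no infrastructure AP answers for this address
            self.keys[frame.src] = key
        expected = compute_mic(key, frame.src, frame.dst, frame.body)
        return "valid" if hmac.compare_digest(expected, frame.mic) else "spoofed"

# Constructed sample data: one legitimate neighbor AP and its key.
AP2 = "00:11:22:33:44:02"
AP_KEYS = {AP2: b"constructed-key-for-ap2"}

def demo() -> list:
    ap1 = ValidatingAP("00:11:22:33:44:01", AP_KEYS.get)
    client, body = "66:77:88:99:aa:01", b"beacon ssid=corp"
    good = MgmtFrame(AP2, client, body, compute_mic(AP_KEYS[AP2], AP2, client, body))
    forged = MgmtFrame(AP2, client, body, b"\x00" * 32)   # claims to be AP2, bad MIC
    stranger = MgmtFrame("00:11:22:33:44:99", client, body, b"\x00" * 32)
    return [ap1.check(f) for f in (good, forged, stranger)]

if __name__ == "__main__":
    print(demo())
```

A "spoofed" verdict is the detection signal the abstract describes: the frame names a known access point as its source but does not carry a MIC that verifies under that access point's key.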
16 Claims
1. A method for validating network management frames, comprising:
- receiving, by a validating device, a management frame that is not addressed to the validating device from a first device via a first interface, the management frame comprising a source address identifying a purported source device of the management frame and a destination address identifying at least one destination device on a first interface;
- obtaining a key by the validating device for the purported source device of the management frame from the purported source device via a second interface in response to receiving the management frame not addressed to the validating device;
- wherein the obtaining further comprises: establishing, via the second interface, a secure communication session with the purported source device and sending a request to the purported source device for a key to validate management frames of the purported source device;
- and validating, by the validating device, the management frame using the key obtained from the purported source device.
12. An access point, comprising:
- a wireless transceiver;
- a controller coupled to the wireless transceiver for controlling the wireless transceiver;
- a second transceiver coupled to a network; and
- a memory comprising programmed instructions, executed by the controller, to cause the access point to:
  - receive a management frame that is not addressed to the access point from a first device via the wireless transceiver, the management frame comprising a source address identifying a purported second access point and is addressed to a wireless client;
  - obtain a key for the purported second access point via the second transceiver in response to receiving the management frame not addressed to the access point;
  - wherein the access point establishes, via the second transceiver, a secure communication session with the purported second access point and sends a request to the purported second access point for a key to validate management frames of the purported second access point; and
  - determine whether the first device is a rogue device pretending to be the purported second access point by attempting to validate the management frame with the key.
Specification