Method and apparatus for providing network security using security labeling

US 8,539,571 B2
Filed: 11/15/2010
Issued: 09/17/2013
Est. Priority Date: 10/29/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

issuing a join request, whereinthe join request is issued using a generic security label registration protocol (GSRP),the join request is a request to join a context within a network, andthe context is a GSRP information propagation (GIP) context;

receiving a packet at a network node of the network;

comparing first security level information and second security level information, whereinthe packet comprises the first security level information by virtue of the first security level information being stored in a GSRP security label of the packet,the join request comprises the second security level information,the second security level information is stored at said network node, andthe second security level information is associated with a port of the network node; and

indicating processing to be performed on the packet based on a result of the comparing.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing network security using security labeling is disclosed. The method includes comparing first security level information and second security level information, and indicating processing to be performed on the packet based on the comparing. The first security level information is stored in a security label of a packet received at a network node, while the second security level information is stored at the network node.

Citations

21 Claims

1. A method comprising:
- issuing a join request, whereinthe join request is issued using a generic security label registration protocol (GSRP),the join request is a request to join a context within a network, andthe context is a GSRP information propagation (GIP) context;
  
  receiving a packet at a network node of the network;
  
  comparing first security level information and second security level information, whereinthe packet comprises the first security level information by virtue of the first security level information being stored in a GSRP security label of the packet,the join request comprises the second security level information,the second security level information is stored at said network node, andthe second security level information is associated with a port of the network node; and
  
  indicating processing to be performed on the packet based on a result of the comparing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - associating the second security level information with the port of the network node, whereinthe second security level information comprises at least one ofa minimum security level,a maximum security level, ora range of security levels, andthe range of security levels comprisesthe minimum security level, andthe maximum security level.
  - 3. The method of claim 1, whereinthe join request is configured to be issued from an applicant to a registrar,the network comprises the applicant and the registrar, andthe applicant is a GSRP client.
  - 4. The method of claim 3, whereinthe GIP context is associated with a spanning tree.
  - 5. The method of claim 4, whereinthe GSRP is configured to act as a security label pruning protocol.
  - 6. The method of claim 4, further comprising:
    - issuing a plurality of join requests, whereinthe plurality of join requests are issued by the GSRP client,the GIP context is one of a plurality of GIP contexts,the spanning tree is one of a plurality of spanning trees,each of the GIP contexts is associated with a corresponding one of the spanning trees, andeach of the join requests is a request to join a corresponding one of the GIP contexts.
  - 7. The method of claim 4, further comprising:
    - issuing a plurality of join requests, whereinthe plurality of join requests are issued by the GSRP client,the GIP context is one of a plurality of GIP contexts,the spanning tree is one of a plurality of spanning trees,each of the GIP contexts is associated with a corresponding one of the spanning trees,each of the spanning trees is bound to a virtual local area network (VLAN), andeach of the join requests is issued on a corresponding one of the VLANs.
  - 8. The method of claim 7, whereinthe applicant is associated with a GSRP information declaration (GID), andthe issuing of the join requests results in a single GID registration.
  - 9. The method of claim 3, whereinthe applicant is associated with a GSRP information declaration (GID).
  - 10. The method of claim 1, whereinthe first security level information and the second security level information are one ofenumerated security labels, orbitmap security labels.
  - 11. The method of claim 1, whereinthe first security level and the second security level implement one of a multi-level security paradigm and a multi-lateral security paradigm.
  - 12. The method of claim 1, whereinthe security label is one of an enumerated security label and a bitmap security label.
  - 13. The method of claim 3, whereinthe issuing is performed only ifthe minimum security level of the GSRP client is lower than an existing minimum security level stored by the registrar, orthe maximum security level of the GSRP client is higher than an existing maximum security level stored by the registrar.
  - 14. The method of claim 3, whereinthe applicant and the registrar are associated with one another.
  - 15. The method of claim 4, whereinthe applicant is an applicant in the spanning tree.

16. A network device comprising:
- a processor;
  
  a network interface, coupled to the processor and configured to communicatively couple the network device to a network;
  
  a non-transitory computer-readable storage medium coupled to the processor; and
  
  computer instructions, encoded in the non-transitory computer-readable storage medium, and configured to cause said processor toissue a join request, whereinthe join request is issued using a generic security label registration protocol (GSRP),the join request is a request to join a context within the network, andthe context is a GSRP information propagation (GIP) context, receive a packet at the network device,compare first security level information and second security level information, whereinthe packet comprises the first security level information by virtue of the first security level information being stored in a GSRP security label of the packet,the join request comprises the second security level information,the second security level information is stored at said network node, andthe second security level information is associated with a port of the network node, andindicate processing to be performed on the packet based on a result of the comparing.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The network device of claim 16, whereinthe join request is configured to be issued from an applicant to a registrar,the network comprises the applicant and the registrar, andthe applicant is a GSRP client.
  - 18. The network device of claim 17, whereinthe GIP context is associated with a spanning tree.
  - 19. The network device of claim 17, wherein the computer instructions are further configured to cause said processor to:
    - issue a plurality of join requests, whereinthe GIP context is associated with a spanning tree,the plurality of join requests are issued by the GSRP client,the GIP context is one of a plurality of GIP contexts,the spanning tree is one of a plurality of spanning trees,each of the GIP contexts is associated with a corresponding one of the spanning trees, andeach of the join requests is a request to join a corresponding one of the GIP contexts.
  - 20. The network device of claim 17, wherein the computer instructions are further configured to cause said processor to:
    - associate the second security level information with the port of the network node, whereinthe second security level information comprises at least one ofa minimum security level,a maximum security level, ora range of security levels,the range of security levels comprisesthe minimum security level, andthe maximum security level, andthe computer instructions are further configured to cause said processor to issue the plurality of join requests are configured to issue the plurality of join requests only ifthe minimum security level of the GSRP client is lower than an existing minimum security level stored by the registrar, orthe maximum security level of the GSRP client is higher than an existing maximum security level stored by the registrar.

21. A computer program product comprising:
- a plurality of instructions, comprisinga first set of instructions, executable on a network device, configured to issue a join request, whereinthe join request is issued using a generic security label registration protocol (GSRP),the join request is a request to join a context within a network, andthe context is a GSRP information propagation (GIP) context,a second set of instructions, executable on the network device, configured to receive a packet at the network device,a third set of instructions, executable on the network device, configured to compare first security level information and second security level information, whereinthe packet comprises the first security level information by virtue of the first security level information being stored in a GSRP security label of the packet,the join request comprises the second security level information,the second security level information is stored at said network node, andthe second security level information is associated with a port of the network node, anda fourth set of instructions, executable on the network device, configured to indicate processing to be performed on the packet based on a result of the comparing; and
  
  a non-transitory computer-readable storage medium, wherein the instructions are encoded in the non-transitory computer-readable storage medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Nobahar, Abdulhakim

Application Number

US12/946,427
Publication Number

US 20110283339A1
Time in Patent Office

1,037 Days
Field of Search

726/3, 726/4, 726/6, 726/11, 726/13, 370/392, 707/1, 707/9, 707/10, 709/238
US Class Current

726/13
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

Method and apparatus for providing network security using security labeling

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing network security using security labeling

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links