Method and system for including security information with a packet

US 8,555,056 B2
Filed: 01/24/2011
Issued: 10/08/2013
Est. Priority Date: 11/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying a first set of network devices, whereinthe identifying comprises determining that each network device of the first set of network devices is configured to process network security information,the first set of network devices are network devices at a perimeter of a first network,the first network does not support a network security technique, andthe network security information is associated with the network security technique;

maintaining a list at a first network device, whereinthe list comprises information identifying the first set of network devices; and

communicating the list from the first network device to a second network device, whereinthe second network device is configured to process the network security information associated with the network security technique, andthe second network device is at the perimeter of the first network.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for including security information with a packet is disclosed. A packet is detected as it exits a first network and enters a second network. The first network is configured to support a network security technique, and the second network is not configured to support the network security technique. Network security information associated with the network security technique is included with the packet. A network device is configured to include network security information in overhead of a packet. A method for identifying a first network device in a network is also disclosed. Identification information of the first network is communicated to a second network device.

91 Citations

View as Search Results

22 Claims

1. A method comprising:
- identifying a first set of network devices, whereinthe identifying comprises determining that each network device of the first set of network devices is configured to process network security information,the first set of network devices are network devices at a perimeter of a first network,the first network does not support a network security technique, andthe network security information is associated with the network security technique;
  
  maintaining a list at a first network device, whereinthe list comprises information identifying the first set of network devices; and
  
  communicating the list from the first network device to a second network device, whereinthe second network device is configured to process the network security information associated with the network security technique, andthe second network device is at the perimeter of the first network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 22)
- - 2. The method of claim 1, whereinthe information identifying the first set of network devices comprises a prefix and a network address for the each network device of the first set of network devices.
  - 3. The method of claim 1, whereinthe information identifying the first set of network devices comprisesan interface of the each network device of the first set of network devices.
  - 4. The method of claim 1, further comprising:
    - adding information identifying the each network device to the list.
  - 5. The method of claim 1, further comprising:
    - updating the list by adding information identifying a second set of network devices to the list, whereinthe second set of network devices are at a perimeter of a second network,the second network does not support the network security technique, andeach network device of the second set of network devices is configured to process the network security information.
  - 6. The method of claim 5, further comprising:
    - reconfiguring the second network such that the second network supports the network security technique.
  - 7. The method of claim 1, further comprising:
    - obtaining the list;
      
      determining whether to include the network security information in a packet by comparing a destination address of the packet with the information in the list; and
      
      if the packet is addressed to a network device listed in the first set of network devices, including the network security information with the packet.
  - 8. The method of claim 7, further comprising:
    - receiving the packet at the network device that is configured to process the network security information;
      
      determining whether the packet includes the network security information; and
      
      if the packet does not include the network security information, dropping the packet.
  - 22. The method of claim 1, wherein the first set of network devices comprises the first network device and the second network device.

9. An apparatus comprising:
- a first network device, whereinthe first network device comprisesa processor,a computer-readable storage medium, coupled to the processor, anda network interface, coupled to the processor, andthe first network device is configured toidentify a first set of network devices, whereinthe first set of network devices is identified by determining that each network device of the first set of network devices is configured to process network security information,the first set of network devices are network devices at a perimeter of a first network,the first network does not support a network security technique, andthe network security information is associated with the network security technique,maintain a list in the computer-readable storage medium of the first network device, whereinthe list comprises information identifying the first set of network devices, andcommunicate the list to a second network device via the network interface of the first network device, whereinthe second network device is configured to process network security information associated with the network security technique, andthe second network device is at the perimeter of the first network.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The apparatus of claim 9, whereinthe information identifying the first set of network devices comprises a prefix and a network address for the each network device of the first set of network devices.
  - 11. The apparatus of claim 9, whereinthe information identifying the first set of network devices comprisesan interface of the each network device of the first set of network devices.
  - 12. The apparatus of claim 9, wherein the first network device is further configured to:
    - add information identifying the each network device to the list.
  - 13. The apparatus of claim 9, wherein the first network device is further configured to:
    - update the list, whereinthe list is updated by adding information identifying a second set of network devices to the list,the second set of network devices are at a perimeter of a second network,the second network does not support the network security technique, andeach network device of the second set of network devices is configured to process the network security information.
  - 14. The apparatus of claim 13, wherein the first network device is further configured to:
    - reconfigure the second network such that the second network supports the network security technique.

15. A non-transitory computer program product comprising:
- a first set of instructions, executable by a processor, configured to identify a first set of network devices, whereinthe first set of network devices is identified by determining that each network device of the first set of network devices is configured to process network security information,the first set of network devices are network devices at a perimeter of a first network,the first network does not support a network security technique, andthe network security information is associated with the network security technique;
  
  a second set of instructions, executable by the processor, configured to maintain a list at a first network device, whereinthe list comprises information identifying the first set of network devices;
  
  a third set of instructions, executable by the processor, configured to communicate the list from the first network device to a second network device, whereinthe second network device is configured to process the network security information associated with the network security technique, andthe second network device is at the perimeter of the first network; and
  
  computer readable media, wherein the non-transitory computer program product is encoded in the computer readable media.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer program product method of claim 15, whereinthe information identifying the first set of network devices comprises a prefix and network address for the each network device of the first set of network devices.
  - 17. The non-transitory computer program product of claim 15, further comprising:
    - a fourth set of instructions, executable by the processor, configured toadd information identifying the each network device to the list.
  - 18. The non-transitory computer program product of claim 15, further comprising:
    - a fourth set of instructions, executable by the processor, configured to update the list by adding information identifying a second set of network devices to the list, whereinthe second set of network devices are at a perimeter of a second network,the second network does not support the network security technique, andeach network device of the second set of network devices is configured to process the network security information.
  - 19. The non-transitory computer program product of claim 18, further comprising:
    - a fifth set of instructions, executable by the processor, configured to reconfigure the second network such that the second network supports the network security technique.
  - 20. The non-transitory computer program product of claim 15, further comprising:
    - a fourth set of instructions, executable by the processor, configured to obtain the list;
      
      a fifth set of instructions, executable by the processor, configured to determine whether to include the network security information in a packet by comparing a destination address of the packet with the information in the list; and
      
      a sixth set of instructions, executable by the processor, configured to include the network security information with the packet, if the packet is addressed to a network device of the first set of network devices.

21. A method comprising:
- receiving a packet with network security information, whereinthe packet is configured to support a packet security technique,the packet is received by a network device that is configured to support a network security technique,the network security information is associated with the network security technique,the network security information is included in a section of the packet, andthe section of the packet is configured to be accessed only by network devices that are configured to support the network security technique; and
  
  processing the network security information, whereinthe processing comprises processing the packet using role based access control.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R., Nallur, Padmanabha, Kok, Wilson, Fine, Michael
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
KAPLAN, BENJAMIN A

Application Number

US13/012,432
Publication Number

US 20110119752A1
Time in Patent Office

988 Days
Field of Search

713/160, 726/13, 726/14, 726/15, 726/22
US Class Current

713/160
CPC Class Codes

H04L 63/20 for managing network securi...

Method and system for including security information with a packet

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

91 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for including security information with a packet

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links