Packet authentication and encryption in virtual networks
First Claim
1. A computer-implemented method for cryptographic key distribution in a physical network having a plurality of physical nodes, the method comprising:
receiving, by one or more computing systems configured to provide a mapping service, information mapping a virtual network address of a virtual node to a physical network address of a physical node, the virtual node being associated with a virtual network, and the received information identifying the virtual network address of the virtual node and the physical network address of the physical node; and
transmitting, by the one or more configured computing systems, a current version of a cryptographic key from the mapping service to the physical node, wherein:
a destination node receives from the physical node a packet generated by the virtual node, a hash value of a header of the packet, the hash value being computed using the current version of the cryptographic key, and an identifier of the current version of the cryptographic key;
the destination node selects a local version of the cryptographic key based on the received identifier; and
the destination node authenticates the received packet when a hash value that is computed locally using the local version of the cryptographic key matches the received hash value.
1 Assignment
0 Petitions
Abstract
Systems and methods provide logic for distributing cryptographic keys in a physical network comprising a plurality of physical nodes. In one implementation, a computer-implemented method is provided for distributing cryptographic keys in a physical network. The method includes receiving information mapping a virtual network address of a virtual node to a physical network address of a physical node. The virtual node may be associated with a virtual network hosted by the physical node, and the received mapping information identifies a virtual network address of the node and the physical network address of the node. The mapping service transmits a current version of a cryptographic key and an identifier of the current version to the physical node.
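The mechanism the abstract and claim 1 describe (a mapping service that pushes a versioned key to the physical node, a sender that attaches a keyed hash of the packet header plus the key version identifier, and a receiver that selects its local copy of that version and compares hashes) is easy to get subtly wrong around key rotation. The following is an added illustration, not code from the patent or its assignee; it uses HMAC-SHA256 as the "hash value computed using the cryptographic key", a constructed header layout, invented host names and 10.0.0.x virtual addresses, and the assumption that a receiver retains the two newest key versions so packets in flight during a rotation still verify.

```python
import hmac
import hashlib
import ipaddress
import secrets
import struct


def encode_header(vnet_id: int, src_vaddr: str, dst_vaddr: str, length: int) -> bytes:
    """Constructed example header: virtual network id, virtual src/dst IPv4, payload length."""
    return struct.pack("!I4s4sH", vnet_id,
                       ipaddress.IPv4Address(src_vaddr).packed,
                       ipaddress.IPv4Address(dst_vaddr).packed, length)


class PhysicalNode:
    """A host sending and receiving packets on behalf of its virtual nodes."""

    def __init__(self, name: str, keep_versions: int = 2):
        self.name = name
        self.keep_versions = keep_versions  # assumption: retain the newest N versions
        self._keys: dict[int, dict[int, bytes]] = {}  # vnet_id -> {version: key}

    def install_key(self, vnet_id: int, version: int, key: bytes) -> None:
        ring = self._keys.setdefault(vnet_id, {})
        ring[version] = key
        # Keep recent versions so packets already in flight when the mapping
        # service rotates the key still authenticate; age out the rest.
        for old in sorted(ring)[: -self.keep_versions]:
            del ring[old]

    def authenticate(self, vnet_id: int, header: bytes) -> tuple[bytes, int, bytes]:
        """Sender side: emit (header, key version identifier, keyed hash of header)."""
        ring = self._keys[vnet_id]
        version = max(ring)  # the current version is the newest one installed
        tag = hmac.new(ring[version], header, hashlib.sha256).digest()
        return header, version, tag

    def verify(self, vnet_id: int, header: bytes, version: int, tag: bytes) -> bool:
        """Receiver side: select the local key by version id, recompute, compare."""
        key = self._keys.get(vnet_id, {}).get(version)
        if key is None:
            return False  # unknown or expired version: reject, never fall back
        expected = hmac.new(key, header, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison


class MappingService:
    """Owns the master key per virtual network; distributes it with each mapping."""

    def __init__(self):
        self._current: dict[int, tuple[int, bytes]] = {}  # vnet_id -> (version, key)
        self._mappings: dict[tuple[int, str], PhysicalNode] = {}

    def rotate(self, vnet_id: int) -> int:
        version = self._current.get(vnet_id, (0, b""))[0] + 1
        self._current[vnet_id] = (version, secrets.token_bytes(32))
        for (vid, _), node in self._mappings.items():  # push to every host of this vnet
            if vid == vnet_id:
                node.install_key(vnet_id, version, self._current[vnet_id][1])
        return version

    def register_mapping(self, vnet_id: int, vaddr: str, node: PhysicalNode) -> None:
        """Receive a virtual->physical mapping, then transmit the current key version."""
        self._mappings[(vnet_id, vaddr)] = node
        if vnet_id not in self._current:
            self.rotate(vnet_id)
        else:
            version, key = self._current[vnet_id]
            node.install_key(vnet_id, version, key)


def run_scenario() -> dict[str, bool]:
    """Walk through normal delivery, tampering, rotation, and an unkeyed host."""
    svc = MappingService()
    host_a, host_b = PhysicalNode("host-a"), PhysicalNode("host-b")
    svc.register_mapping(7, "10.0.0.1", host_a)
    svc.register_mapping(7, "10.0.0.2", host_b)

    header = encode_header(7, "10.0.0.1", "10.0.0.2", 512)
    hdr, ver, tag = host_a.authenticate(7, header)
    results = {"fresh_accepted": host_b.verify(7, hdr, ver, tag)}

    # Header modified in transit (destination rewritten): hash no longer matches.
    forged = encode_header(7, "10.0.0.1", "10.0.0.9", 512)
    results["tampered_rejected"] = not host_b.verify(7, forged, ver, tag)

    # Rotation while the packet is in flight: receiver still holds the old version
    # and picks it by the identifier carried in the packet.
    svc.rotate(7)
    results["in_flight_after_rotation_accepted"] = host_b.verify(7, hdr, ver, tag)

    # A second rotation ages that version out, so a stale replay is refused.
    svc.rotate(7)
    results["stale_version_rejected"] = not host_b.verify(7, hdr, ver, tag)

    # A host never given this network's key can neither produce nor accept tags.
    outsider = PhysicalNode("host-c")
    hdr2, ver2, tag2 = host_a.authenticate(7, header)
    results["outsider_rejects"] = not outsider.verify(7, hdr2, ver2, tag2)
    return results
```

Two details matter for the security property. The receiver looks the key up by the version identifier the packet carries and rejects anything it does not hold, rather than trying every key it knows; and the comparison uses `hmac.compare_digest` so tag verification time does not leak how many bytes matched. The number of retained versions is a deployment choice: it must cover the maximum in-flight time across a rotation, and no more.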
18 Citations
44 Claims
1. A computer-implemented method for cryptographic key distribution in a physical network having a plurality of physical nodes, the method comprising:
receiving, by one or more computing systems configured to provide a mapping service, information mapping a virtual network address of a virtual node to a physical network address of a physical node, the virtual node being associated with a virtual network, and the received information identifying the virtual network address of the virtual node and the physical network address of the physical node; and
transmitting, by the one or more configured computing systems, a current version of a cryptographic key from the mapping service to the physical node, wherein:
a destination node receives from the physical node a packet generated by the virtual node, a hash value of a header of the packet, the hash value being computed using the current version of the cryptographic key, and an identifier of the current version of the cryptographic key;
the destination node selects a local version of the cryptographic key based on the received identifier; and
the destination node authenticates the received packet when a hash value that is computed locally using the local version of the cryptographic key matches the received hash value.
View Dependent Claims (2, 3, 4, 5, 6, 7)
8. A computer-implemented method for distributing cryptographic keys in a physical network having a plurality of physical nodes, the method comprising:
under the control of one or more mapping server devices, and for each of multiple virtual networks:
receiving, by the one or more mapping server devices, information mapping a virtual network address of a virtual node of the virtual network to a physical network address of a physical node, the received mapping information identifying the virtual network address of the virtual node within the virtual network and the physical network address of the physical node; and
transmitting, by the one or more mapping server devices and based at least in part on the received mapping information, a cryptographic key associated with the virtual network to the physical node, to enable the physical node to use the cryptographic key with one or more packets generated by the virtual node.
View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
25. A system for key distribution within a physical network, comprising:
a physical node; and
a mapping server in communication with the node, the mapping server comprising a processor and a storage device, wherein the mapping server is configured to:
receive first information mapping a first virtual network address of a first virtual node associated with a first virtual network to a physical network address of a physical node, the received mapping information identifying the virtual network address of the virtual node and the physical network address of the physical node; and
based at least in part on the received mapping information, transmit a first cryptographic key associated with the first virtual network to the physical node, to enable the physical node to use the first cryptographic key with one or more generated packets on behalf of the first virtual node.
View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 44)
41. A non-transitory computer-readable medium storing program instructions providing key distribution in a physical network, the program instructions being executed by a processor to perform a process comprising:
for each of multiple virtual networks:
receiving information mapping a virtual network address of a virtual node of the virtual network to a physical network address of a physical node, the received mapping information identifying the virtual network address of the virtual node within the virtual network and the physical network address of the physical node; and
transmitting, based at least in part on the received mapping information, a current version of a cryptographic key associated with the virtual network to the physical node, to enable the physical node to use the current version of the cryptographic key with one or more generated packets on behalf of the virtual node.
View Dependent Claims (42, 43)