Methods and devices for packet tagging using IP indexing via dynamic-length prefix code
First Claim
1. A method for packet tagging, the method comprising the steps of:
- obtaining, by a sender module, a sender identity for a sender of said IP packet, upon sending an internet-protocol (IP) packet;
- tagging, by said sender module, said IP packet with said sender identity, to enable a receiver to authenticate the sender identity after receiving said IP packet, wherein said IP packet includes a plurality of fixed-length fields, wherein two of said fixed-length fields are concatenated into a single fixed-length virtual field, wherein said virtual field is shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint, and wherein tagging is performed using an identification field and a time-to-live (TTL) field; and
- prior to said step of tagging, dynamically partitioning, by said sender module, said virtual field between said cryptographic hash and said identity index, to support a dynamically changing number of said multiple distinct identities for said IP endpoint, wherein said dynamically changing number differs among a plurality of IP endpoints, and wherein the said partitioning is effected in response to a change in a number of multiple distinct identities.
Abstract
Methods including the steps of: upon sending an IP packet, obtaining, by a sender, a sender identity for a sender of the packet; securely tagging, by a sender, the packet with the sender identity, the packet having a plurality of fixed-length fields concatenated into a single fixed-length virtual field shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint; determining, by a receiver, the sender identity by extracting it from the packet; checking, by the receiver, the packet to ensure the packet has been appropriately tagged; and enforcing a security policy, by the receiver, according to the sender identity. Preferably, the step of obtaining includes: accessing, by the sender, a server for obtaining the sender identity; and associating, by the server, the sender identity with the endpoint. Most preferably, the associating is performed using a prefix code for encoding the identities.
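The scheme in the abstract, carried through as an added worked example (this is illustrative code written for this page, not code from the patent or its assignee). The IPv4 Identification field (16 bits) and TTL field (8 bits) are concatenated into a 24-bit virtual field. The sender writes a prefix-coded identity index into the top of the field and a truncated keyed hash into the remainder, so the split moves as the endpoint's identity count changes, and the receiver can recover the split from the codeword alone without knowing how many identities the sender holds. The concrete prefix code (w ones, a zero, then a w-bit index), HMAC-SHA256 as the hash, the MIN_HASH_BITS floor, the pre-shared key and all names are assumptions; the page does not specify them, nor how the identity server provisions keys.

```python
"""Added example: IPv4 packet tagging over the Identification ++ TTL virtual field.

The sender packs (prefix-coded identity index, truncated MAC) into 24 bits; the
receiver decodes the index, recomputes the MAC and enforces policy on the result.
Key provisioning and the identity server are assumed, not described on the page.
"""
from __future__ import annotations
from dataclasses import dataclass
import hashlib
import hmac
import ipaddress
import struct

VIRTUAL_BITS = 24   # Identification (16 bits) concatenated with TTL (8 bits)
MIN_HASH_BITS = 8   # assumed local policy floor; forgery odds ~ 2^-MIN_HASH_BITS per packet


@dataclass
class Endpoint:
    key: bytes             # assumed shared with the enforcement point out of band
    identities: list[str]  # identities currently resident on this endpoint


def index_width(n_identities: int) -> int:
    """Bits of a 0-based index into n identities (0 bits when there is only one)."""
    if n_identities < 1:
        raise ValueError("an endpoint must hold at least one identity")
    return (n_identities - 1).bit_length()


def partition(n_identities: int) -> tuple[int, int]:
    """Split the virtual field: returns (index code length, hash bits) for n identities."""
    code_len = 2 * index_width(n_identities) + 1   # w ones + terminator zero + w index bits
    hash_bits = VIRTUAL_BITS - code_len
    if hash_bits < MIN_HASH_BITS:
        raise ValueError(f"{n_identities} identities leave only {hash_bits} hash bits")
    return code_len, hash_bits


def encode_index(index: int, n_identities: int) -> tuple[int, int]:
    """Prefix code (assumed): w ones, a zero, then the w-bit index. Returns (codeword, length)."""
    w = index_width(n_identities)
    if not 0 <= index < n_identities:
        raise ValueError("identity index out of range")
    return (((1 << w) - 1) << (w + 1)) | index, 2 * w + 1


def decode_index(field: int) -> tuple[int, int]:
    """Read the prefix code from the top of the 24-bit field. Returns (index, length)."""
    w, pos = 0, VIRTUAL_BITS - 1
    while pos >= 0 and (field >> pos) & 1:   # count leading ones
        w, pos = w + 1, pos - 1
    code_len = 2 * w + 1
    if code_len > VIRTUAL_BITS:
        raise ValueError("malformed prefix code")
    index = (field >> (pos - w)) & ((1 << w) - 1)   # the w bits below the terminator zero
    return index, code_len


def _mac_input(src: str, dst: str, proto: int, payload: bytes, index: int) -> bytes:
    """Fields the tag binds: addresses, protocol, total length, identity index and payload."""
    return struct.pack("!4s4sBHH", ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, proto, 20 + len(payload), index) + payload


def _truncated_mac(key: bytes, msg: bytes, hash_bits: int) -> int:
    """HMAC-SHA256 (assumed hash) truncated to the bits left over after the index code."""
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - hash_bits)


def tag_packet(ep: Endpoint, identity: str, src: str, dst: str, proto: int,
               payload: bytes) -> tuple[int, int]:
    """Sender module: returns (Identification, TTL) carrying the 24-bit tag."""
    index = ep.identities.index(identity)
    code, code_len = encode_index(index, len(ep.identities))
    hash_bits = partition(len(ep.identities))[1]
    mac = _truncated_mac(ep.key, _mac_input(src, dst, proto, payload, index), hash_bits)
    field = (code << hash_bits) | mac
    return field >> 8, field & 0xFF          # high 16 bits -> Identification, low 8 -> TTL


def verify_packet(key: bytes, identification: int, ttl: int, src: str, dst: str,
                  proto: int, payload: bytes) -> int | None:
    """Receiver: returns the authenticated identity index, or None if the tag fails."""
    field = (identification << 8) | ttl
    try:
        index, code_len = decode_index(field)
    except ValueError:
        return None
    hash_bits = VIRTUAL_BITS - code_len
    if hash_bits < MIN_HASH_BITS:             # refuse tags with too little hash left
        return None
    expected = _truncated_mac(key, _mac_input(src, dst, proto, payload, index), hash_bits)
    got = field & ((1 << hash_bits) - 1)
    if not hmac.compare_digest(expected.to_bytes(4, "big"), got.to_bytes(4, "big")):
        return None
    return index


if __name__ == "__main__":
    # Constructed sample: one endpoint, five identities, one TCP packet.
    ep = Endpoint(key=b"\x11" * 32, identities=["web", "db", "cache", "queue", "admin"])
    print("partition for 5 identities (code bits, hash bits):", partition(5))
    hdr = ("10.0.0.5", "10.0.1.9", 6, b"GET / HTTP/1.1\r\n")
    ident, ttl = tag_packet(ep, "cache", *hdr)
    print(f"Identification=0x{ident:04x} TTL=0x{ttl:02x}")
    print("receiver decodes index:", verify_packet(ep.key, ident, ttl, *hdr))
    print("tampered payload:", verify_packet(ep.key, ident, ttl, *hdr[:3], b"GET /x HTTP/1.1\r\n"))
    ep.identities += ["metrics", "backup", "ci", "vpn"]   # now 9 identities: partition moves
    print("partition after growth:", partition(9))
```

Two practical caveats a practitioner should weigh before reusing this layout (these are notes on the example, not claims the page makes): routers decrement TTL on every hop, so a tag that lives partly in TTL can only be verified where it is seen as sent, such as a first-hop enforcement point, or the receiver must retry over a small range of hop counts; and overwriting Identification interferes with fragment reassembly, so the sender should set DF. The hash share is also small (23 bits at best, fewer as identities grow), so the per-packet forgery probability is 2^-hash_bits and the policy floor above exists to bound it.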
Claims (18)
1. Independent method claim, set out in full above under First Claim. Dependent claims: 2 to 9.
10. A non-transitory computer-readable storage medium having computer-readable code embodied on the computer-readable storage medium, the computer-readable code comprising:
- program code for obtaining, by a sender module, a sender identity for a sender of said IP packet, upon sending an internet-protocol (IP) packet;
- program code for securely tagging, by said sender module, said IP packet with said sender identity, to enable a receiver to authenticate the sender identity after receiving said IP packet, wherein said IP packet includes a plurality of fixed-length fields, wherein two of said fixed-length fields are concatenated into a single fixed-length virtual field, wherein said virtual field is shared between a cryptographic hash and an identity index for supporting multiple distinct identities residing on an IP endpoint, and wherein tagging is performed using an identification field and a time-to-live (TTL) field; and
- program code for, prior to said step of tagging, dynamically partitioning, by said sender module, said virtual field between said cryptographic hash and said identity index, to support a dynamically changing number of said multiple distinct identities for said IP endpoint, wherein said dynamically changing number differs among a plurality of IP endpoints, and wherein the said partitioning is effected in response to a change in a number of multiple distinct identities.
Dependent claims: 11 to 18.
Specification