Method and system for dynamic secured group communication

US 8,625,599 B2
Filed: 09/19/2011
Issued: 01/07/2014
Est. Priority Date: 06/14/2004
Status: Expired due to Fees

First Claim

Patent Images

1. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:

obtain a first packet that includes a first Internet Protocol (IP) header and a first payload, wherein the first IP header includes a first source address of a first source node of a first private network and a first destination address of a first destination node of the first private network, and the first payload includes a second packet that has a second IP header and a second payload, the second IP header having a second source address of a second source node of a second virtual private network partitioned from resources of, formed over, established within or via, the first private network and a second destination address of a second destination node of the second virtual private network;

encrypt the first packet to form an encrypted-subnet packet;

encapsulate the encrypted-subnet packet with a group-security association formed in accordance with a group-security policy to generate a group-encrypted packet using a tunneling protocol for tunneling the group-encrypted packet between the first source node of the first network and the first destination node of the first private network such that only the first source node of the first private network and the first destination node of the first private network are able to decipher the encrypted-subnet packet that is encapsulated in the group-encrypted packet with a message-authentication code identified for the encrypted-subnet packet, wherein the encrypted-subnet packet comprises a first security-encapsulating header configured with identifiers of the first source node, the first destination node, the second source node, and the second destination node;

replicate the group-encrypted packet at the first source node of the first private network such that the group-encrypted packet follows a multicast distribution tree in the first private network; and

transmit the group-encrypted packet into the second virtual private network from the second source node for delivery to the second destination node.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method directed to carrying out dynamic secured group communication is provided. The method includes: obtaining a first packet that includes a first header; forming a frame that includes the first header in encrypted form; combining the first header and the frame to form a second packet and forming a second header; encapsulating the second packet with the second header to form a third packet, and communicating the third packet into the second network from the second source node for termination to the second-destination node. The first header includes a first source address of a first source node of a first network, and a first destination address of a first destination node of the first network. The second header includes a second source address of a second source node of a second network, and a second destination address of a second destination node of the second network.

22 Citations

View as Search Results

22 Claims

1. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- obtain a first packet that includes a first Internet Protocol (IP) header and a first payload, wherein the first IP header includes a first source address of a first source node of a first private network and a first destination address of a first destination node of the first private network, and the first payload includes a second packet that has a second IP header and a second payload, the second IP header having a second source address of a second source node of a second virtual private network partitioned from resources of, formed over, established within or via, the first private network and a second destination address of a second destination node of the second virtual private network;
  
  encrypt the first packet to form an encrypted-subnet packet;
  
  encapsulate the encrypted-subnet packet with a group-security association formed in accordance with a group-security policy to generate a group-encrypted packet using a tunneling protocol for tunneling the group-encrypted packet between the first source node of the first network and the first destination node of the first private network such that only the first source node of the first private network and the first destination node of the first private network are able to decipher the encrypted-subnet packet that is encapsulated in the group-encrypted packet with a message-authentication code identified for the encrypted-subnet packet, wherein the encrypted-subnet packet comprises a first security-encapsulating header configured with identifiers of the first source node, the first destination node, the second source node, and the second destination node;
  
  replicate the group-encrypted packet at the first source node of the first private network such that the group-encrypted packet follows a multicast distribution tree in the first private network; and
  
  transmit the group-encrypted packet into the second virtual private network from the second source node for delivery to the second destination node.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer readable storage media of claim 1, further comprising computer executable instructions operable to:
    - encrypt the second packet in the first payload; and
      
      encapsulate the second packet with a security policy to create a second security-encapsulating header configured with identifiers of the second source node and the second destination node.
  - 3. The computer readable storage media of claim 1, wherein the instructions operable to encrypt comprise instructions operable to encrypt the first packet with a security association for securing the first packet using a cipher, wherein the cipher is pre-negotiated to be associated to (i) a security credential established by at least one node of the first network and (ii) an indicator that indicates that the first source node and the first destination node belong to the first private network.
  - 4. The computer readable storage media of claim 3, wherein the instructions operable to encrypt comprise instructions operable to encrypt the second IP header with a security association for authenticating the second source node.
  - 5. The computer readable storage media of claim 3, wherein the instructions operable to encrypt comprise instructions operable to encrypt the second IP header with the security association that comprises a token used for authenticating the group-encrypted packet by the tunneling protocol.
  - 6. The computer readable storage media of claim 5, wherein the instructions operable to encrypt comprise instructions operable to encrypt the second IP header using the token that is based on (i) a time system maintained by the second destination node, and (ii) a shared secret maintained by the second destination node.

7. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- obtain a first packet that includes a first Internet Protocol (IP) header, a security-encapsulating header and a first payload, wherein the first IP header includes a first source address of a first source node of a first private network and a first destination address of a first destination node of the first network, the first payload includes a second packet that has a second IP header and a second payload, the second IP header having a second source address of a second source node of a second virtual private network partitioned from resources of, formed over, established within or via, the first private network and an encrypted second destination address of a second destination node of the second virtual private network;
  
  encrypt the first packet to form an encrypted-subnet packet;
  
  encapsulate the encrypted-subnet packet with a group-security association formed in accordance with a group-security policy to generate a group-encrypted packet using a tunneling protocol for tunneling the group-encrypted packet between the first source node of the first network and the first destination node of the first private network such that only the first source node of the first private network and the first destination node of the first private network are able to decipher the encrypted-subnet packet that is encapsulated in the group-encrypted packet with a message-authentication code identified for the encrypted-subnet packet, wherein the encrypted-subnet packet comprises a first security-encapsulating header configured with identifiers of the first source node, the first destination node, the second source node, and the second destination node;
  
  replicate the group-encrypted packet at the first source node of the first private network such that the group-encrypted packet follows a multicast distribution tree in the first private network; and
  
  transmit the group-encrypted packet into the second virtual private network from the first private network for delivery to the second destination node.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The computer readable storage media of claim 7, further comprising computer executable instructions operable to:
    - encrypt the second packet in the first payload; and
      
      encapsulate the second packet with a security policy to create a second security-encapsulating header configured with identifiers of the second source node and the second destination node.
  - 9. The computer readable storage media of claim 7, further comprising computer executable instructions operable to:
    - authenticate the group-encrypted packet based on the identifiers in the security-encapsulating header;
      
      extract the encrypted-subnet packet from the group-encrypted packet; and
      
      obtain the first packet from the encrypted-subnet packet.
  - 10. The computer readable storage media of claim 7, wherein the instructions operable to encrypt comprise instructions operable to encrypt the first packet with a security association for securing the first packet using a cipher, wherein the cipher is pre-negotiated to be associated to (i) a security credential established by at least one node of the second network and (ii) an indicator that indicates that the second source node and the second destination node belong to the first private network.
  - 11. The computer readable storage media of claim 9, wherein the instructions operable to encrypt comprise instructions operable to encrypt the second IP header with a security association for authenticating the second source node.
  - 12. The computer readable storage media of claim 10, wherein the instructions operable to encrypt comprise instructions operable to encrypt the second IP header with the security association that comprises a token used for authenticating the group-encrypted packet by the tunneling protocol.
  - 13. The computer readable storage media of claim 12, wherein the instructions operable to encrypt comprise instructions operable to encrypt the second IP header with a security association for authenticating the second source node.
  - 14. The computer readable storage media of claim 12, wherein the instructions operable to encrypt comprise instructions operable to encrypt the second IP header using the token that is based on (i) a time system maintained by the first source node, and (ii) a shared secret maintained by the first source node.

15. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- obtain a first packet that includes a first Internet Protocol (IP) header and a first payload, wherein the first IP header includes a first source address of a first source node of a first private network and a first destination address of a first destination node of the first network, the first payload includes a second packet that has a second IP header and a second payload, the second IP header having a second source address of a second source node of a second virtual private network partitioned from resources of, formed over, established within or via, the first private network and a second destination address of a second destination node of the second network;
  
  encrypt the second packet to form a first encrypted-subnet packet;
  
  encapsulate the first encrypted-subnet packet with a first group-security association formed in accordance with a first group-security policy to form a first group-encrypted packet using a tunneling protocol for tunneling the group-encrypted packet between the first source node of the first network and the first destination node of the first private network such that only the first source node of the first private network and the first destination node of the first private network are able to decipher the encrypted-subnet packet that is encapsulated in the group-encrypted packet with a message-authentication code identified for the encrypted-subnet packet, wherein the first encrypted-subnet packet comprises a first security-encapsulating header configured with identifiers of the first source node, the first destination node, the second source node, and the second destination node;
  
  encrypt the first group-encrypted packet to form a second encrypted-subnet packet;
  
  encapsulate the second encrypted-subnet packet with a second group-security association formed in accordance with a second group-security policy to form a second group-encrypted packet using a tunneling protocol for tunneling the second group-encrypted packet between the second source node of the second private network and the second destination node of the second virtual private network such that only the second source node of the second virtual private network and the second destination node of the second virtual private network are able to decipher the second encrypted-subnet packet that is encapsulated in the second group-encrypted packet with a message-authentication code identified for the second encrypted-subnet packet, wherein the second encrypted-subnet packet comprises a security-encapsulating header configured with identifiers of the second source node, the second destination node, the second source node, and the second destination node;
  
  replicate the first group-encrypted packet at the first source node of the first private network such that the first group-encrypted packet follows a multicast distribution tree in the first private network; and
  
  transmit the second group-encrypted packet for delivery to the second destination node of the second virtual private network.
- View Dependent Claims (16)
- - 16. The one or more computer readable storage media of claim 15, further comprising computer instructions operable to:
    - encrypt the second packet in the first payload; and
      
      encapsulate the second packet with a security policy to create a second security-encapsulating header configured with identifiers of the second source node and the second destination node.

17. An apparatus comprising:
- an input-output (I/O) interface unit;
  
  a memory; and
  
  a processor coupled to the I/O interface unit and the memory and configured to;
  
  obtain a first packet that includes a first Internet Protocol (IP) header and a first payload, wherein the first IP header includes a first source address of a first source node of a first private network and a first destination address of a first destination node of the first private network, and the first payload includes a second packet that has a second IP header and a second payload, the second IP header having a second source address of a second source node of a second virtual private network partitioned from resources of, formed over, established within or via, the first private network and a second destination address of a second destination node of the second virtual private network;
  
  encrypt the first packet to form an encrypted-subnet packet;
  
  encapsulate the encrypted-subnet packet with a group-security association formed in accordance with a group-security policy to generate a group-encrypted packet using a tunneling protocol for tunneling the group-encrypted packet between the first source node of the first network and the first destination node of the first private network such that only the first source node of the first private network and the first destination node of the first private network are able to decipher the encrypted-subnet packet that is encapsulated in the group-encrypted packet with a message-authentication code identified for the encrypted-subnet packet, wherein the encrypted-subnet packet comprises a first security-encapsulating header configured with identifiers of the first source node, the first destination node, the second source node, and the second destination node;
  
  replicate the group-encrypted packet at the first source node of the first private network such that the group-encrypted packet follows a multicast distribution tree in the first private network; and
  
  transmit the group-encrypted packet into the second virtual private network from the second source node for delivery to the second destination node.
- View Dependent Claims (18)
- - 18. The apparatus of claim 17, wherein the processor is further configured to:
    - encrypt the second packet in the first payload; and
      
      encapsulate the second packet with a security policy to create a second security-encapsulating header configured with identifiers of the second source node and the second destination node.

19. An apparatus comprising:
- an input-output (I/O) interface unit;
  
  a memory; and
  
  a processor coupled to the I/O interface unit and the memory and configured to;
  
  obtain a first packet that includes a first Internet Protocol (IP) header, a security-encapsulating header and a first payload, wherein the first IP header includes a first source address of a first source node of a first private network and a first destination address of a first destination node of the first network, the first payload includes a second packet that has a second IP header and a second payload, the second IP header having a second source address of a second source node of a second virtual private network partitioned from resources of, formed over, established within or via, the first private network and an encrypted second destination address of a second destination node of the second virtual private network;
  
  encrypt the first packet to form an encrypted-subnet packet;
  
  encapsulate the encrypted-subnet packet with a group-security association formed in accordance with a group-security policy to generate a group-encrypted packet using a tunneling protocol for tunneling the group-encrypted packet between the first source node of the first network and the first destination node of the first private network such that only the first source node of the first private network and the first destination node of the first private network are able to decipher the encrypted-subnet packet that is encapsulated in the group-encrypted packet with a message-authentication code identified for the encrypted-subnet packet, wherein the encrypted-subnet packet comprises a first security-encapsulating header configured with identifiers of the first source node, the first destination node, the second source node, and the second destination node;
  
  replicate the group-encrypted packet at the first source node of the first private network such that the group-encrypted packet follows a multicast distribution tree in the first private network; and
  
  transmit the group-encrypted packet into the second virtual private network from the first private network for delivery to the second destination node.
- View Dependent Claims (20)
- - 20. The apparatus of claim 19, wherein the processor is further configured to:
    - authenticate the group-encrypted packet based on the identifiers in the security-encapsulating header;
      
      extract the encrypted-subnet packet from the group-encrypted packet; and
      
      obtain the first packet from the encrypted-subnet packet.

21. An apparatus comprising:
- an input-output (I/O) interface unit;
  
  a memory; and
  
  a processor coupled to the I/O interface unit and the memory and configured to;
  
  obtain a first packet that includes a first Internet Protocol (IP) header and a first payload, wherein the first IP header includes a first source address of a first source node of a first private network and a first destination address of a first destination node of the first network, the first payload includes a second packet that has a second IP header and a second payload, the second IP header having a second source address of a second source node of a second virtual private network partitioned from resources of, formed over, established within or via, the first private network and a second destination address of a second destination node of the second network;
  
  encrypt the second packet to form a first encrypted-subnet packet;
  
  encapsulate the first encrypted-subnet packet with a first group-security association formed in accordance with a first group-security policy to form a first group-encrypted packet using a tunneling protocol for tunneling the group-encrypted packet between the first source node of the first network and the first destination node of the first private network such that only the first source node of the first private network and the first destination node of the first private network are able to decipher the encrypted-subnet packet that is encapsulated in the group-encrypted packet with a message-authentication code identified for the encrypted-subnet packet, wherein the first encrypted-subnet packet comprises a first security-encapsulating header configured with identifiers of the first source node, the first destination node, the second source node, and the second destination node;
  
  encrypt the first group-encrypted packet to form a second encrypted-subnet packet;
  
  encapsulate the second encrypted-subnet packet with a second group-security association formed in accordance with a second group-security policy to form a second group-encrypted packet using a tunneling protocol for tunneling the second group-encrypted packet between the second source node of the second private network and the second destination node of the second virtual private network such that only the second source node of the second virtual private network and the second destination node of the second virtual private network are able to decipher the second encrypted-subnet packet that is encapsulated in the second group-encrypted packet with a message-authentication code identified for the second encrypted-subnet packet, wherein the second encrypted-subnet packet comprises a security-encapsulating header configured with identifiers of the second source node, the second destination node, the second source node, and the second destination node;
  
  replicate the first group-encrypted packet at the first source node of the first private network such that the first group-encrypted packet follows a multicast distribution tree in the first private network; and
  
  transmit the second group-encrypted packet for delivery to the second destination node of the second virtual private network.
- View Dependent Claims (22)
- - 22. The apparatus of claim 21, wherein the processor is further configured to:
    - encrypt the second packet in the first payload; and
      
      encapsulate the second packet with a security policy to create a second security-encapsulating header configured with identifiers of the second source node and the second destination node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Fluhrer, Scott, Wainner, Warren Scott, Rowles, Sheela, Kamarthy, Kavitha, Khalid, Mohamed, Niazi, Haseeb, Sethi, Pratima
Primary Examiner(s)
Ngo, Ricky
Assistant Examiner(s)
KAO, WEI PO ERIC

Application Number

US13/235,598
Publication Number

US 20120060029A1
Time in Patent Office

841 Days
Field of Search

370/389, 370/392, 370/393, 370/396, 370/397, 370/400, 370/409, 370/471, 370/473, 370/474, 370/475, 370/476
US Class Current

370/392
CPC Class Codes

H04L 41/08   Configuration management of...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

Method and system for dynamic secured group communication

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for dynamic secured group communication

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links