Method and apparatus for providing replay protection in systems using group security associations
First Claim
1. A method comprising:
- processing packets received at an edge device in a network, where the edge device is a member of a group of devices using a group security association such that packets sent by members of the group of devices utilize uncorrelated sequence numbers that are not unique within the group, by;
receiving a unique transform identifier for each member of the group;
receiving both a first packet from a first one of the members of the group and a second packet from a second one of the members of the group within a predefined window, the first packet and the second packet utilizing identical sequence numbers;
decoding the first packet;
using the unique transform identifier associated with the first one of the members to associate the first packet with the first one of the members of the group;
extracting the sequence number from the first packet;
comparing the extracted sequence number against an expected sequence number for the first one of the members associated with the packet;
decoding the second packet;
using the unique transform identifier associated with the second one of the members to associate the second packet with the second one of the members of the group;
extracting the sequence number from the second packet; and
comparing the extracted sequence number against an expected sequence number for the second one of the members associated with the packet; and
determining that the sequence number of the first packet and the sequence number of the second packet are both valid.
Abstract
A method and apparatus are disclosed which enable detection of undesired packets received at a device in a network, where the device is a member of a group of devices in the network. A registration table stores transform identifiers for each member of a group and controls the forwarding of the transform identifiers to the members of the group as members are added and deleted. A transform identifier indicates a format or transformation of a packet transmitted by an associated member. The transform identifier can therefore be used at a receiving device to distinguish between transmissions by different members of the group, thereby enabling the receiving device to extract sequence information associated with the member from the packet. The sequence information can be compared against an expected sequence number for the member to determine whether the packet is an undesirable or rogue packet.
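The abstract states the mechanism in prose. The following is an added example written for this page, not code from the patent or its assignee: a receiver that keeps one anti-replay window per group member, selected by the member's transform identifier, next to a naive receiver that keeps a single window for the whole group security association. Everything about the wire format is assumed: the transform identifier is modelled as a 4-byte field in front of a 4-byte sequence number, the registered identifiers are taken as already delivered from the registration table, and replay state is an IPsec-style sliding bitmap window of 64 entries. The sample traffic is constructed for the demonstration, including two packets from different members that carry the same sequence number.

```python
"""Per-member replay detection over a group security association (added example).

Assumptions, not taken from the patent: a hypothetical header of a 4-byte
transform identifier followed by a 4-byte sequence number; registered
identifiers already known to the receiver; a sliding bitmap window per member.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

WINDOW_SIZE = 64                  # assumed anti-replay window width per member
HEADER = struct.Struct("!II")     # constructed layout: transform id, sequence number


def parse_header(pkt: bytes) -> Tuple[int, int]:
    """Return (transform_id, seq) from the constructed header layout."""
    if len(pkt) < HEADER.size:
        raise ValueError("packet shorter than header")
    return HEADER.unpack_from(pkt)


def make_packet(tid: int, seq: int, payload: bytes = b"") -> bytes:
    """Build a constructed sample packet for the demo."""
    return HEADER.pack(tid, seq) + payload


@dataclass
class ReplayWindow:
    """Sliding window: bit i of `bitmap` set means sequence (highest - i) was seen."""
    highest: int = 0
    bitmap: int = 0
    started: bool = False

    def check(self, seq: int) -> Tuple[bool, str]:
        """Accept or reject `seq`; state is updated only on acceptance."""
        if not self.started:
            self.started, self.highest, self.bitmap = True, seq, 1
            return True, "first"
        if seq > self.highest:                      # newer than anything seen
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest = seq
            return True, "advance"
        diff = self.highest - seq                   # older: how far behind?
        if diff >= WINDOW_SIZE:
            return False, "too old"
        if self.bitmap & (1 << diff):
            return False, "replay"
        self.bitmap |= 1 << diff                    # late, but first time seen
        return True, "in window"


class GroupReceiver:
    """One ReplayWindow per member, selected by the packet's transform identifier."""

    def __init__(self, transform_ids: Iterable[int]):
        self.windows: Dict[int, ReplayWindow] = {}
        for tid in transform_ids:
            self.register(tid)

    def register(self, tid: int) -> None:
        """Member added: start fresh expected-sequence state for it."""
        self.windows[tid] = ReplayWindow()

    def deregister(self, tid: int) -> None:
        """Member deleted: its identifier no longer maps to any window."""
        self.windows.pop(tid, None)

    def accept(self, pkt: bytes) -> Tuple[bool, str]:
        tid, seq = parse_header(pkt)
        win = self.windows.get(tid)
        if win is None:
            return False, "unknown transform identifier"
        return win.check(seq)


class NaiveGroupReceiver:
    """Single window for the whole group SA: shows what per-member state fixes."""

    def __init__(self):
        self.window = ReplayWindow()

    def accept(self, pkt: bytes) -> Tuple[bool, str]:
        _, seq = parse_header(pkt)
        return self.window.check(seq)


def run_demo() -> Tuple[List[str], List[str]]:
    """Feed the same constructed traffic to both receivers; return the verdicts."""
    A, B, C = 0x1001, 0x1002, 0x1003        # C is never registered
    traffic = [(A, 100), (B, 100), (A, 100), (A, 101), (A, 90), (A, 90), (A, 20), (C, 5)]
    per_member, naive = GroupReceiver([A, B]), NaiveGroupReceiver()
    pm, nv = [], []
    for tid, seq in traffic:
        pkt = make_packet(tid, seq, b"constructed payload")
        pm.append(per_member.accept(pkt)[1])
        nv.append(naive.accept(pkt)[1])
    return pm, nv


if __name__ == "__main__":
    for label, verdicts in zip(("per-member", "naive"), run_demo()):
        print(label, verdicts)
```

In the demo the second packet, from member B with sequence number 100, is accepted by the per-member receiver and rejected as a replay by the naive one, while the genuine replay of A's packet 100 is rejected by both. Two caveats the code does not show: the header fields must only be trusted after the packet's integrity check with the group key has passed, which the example assumes has already happened; and because every member holds the same group key, that check does not prove which member sent a packet, so the transform identifier separates members' sequence spaces for replay detection but cannot stop a compromised member from sending under another member's identifier. That limitation is a property of group security associations in general, not something the claims address.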
22 Claims
1. A method comprising:
(recited in full above under First Claim)
View Dependent Claims (2, 3)
4. A network device comprising:
a first table for storing a plurality of transform identifiers, each one of the plurality of transform identifiers uniquely associated with a different one of a plurality of members of a group of which the network device is also a member;
a second table for storing a sequence number for each one of the plurality of members of the group; and
logic which processes communications received from another device which is a member of a group of devices including the network device that use a group security association such that communications sent by members of the group of devices utilize uncorrelated sequence numbers that are not unique within the group by;
receiving both a first communication from a first one of the members of the group and a second communication from a second one of the members of the group within a predefined window, the first communication and the second communication utilizing identical sequence numbers;
transforming the first communication received from the first one of the members of the group using the corresponding transform identifier in the first table and extracting a sequence number from the first communication;
transforming the second communication received from the second one of the members of the group using the corresponding transform identifier in the first table and extracting a sequence number from the second communication; and
determining whether the extracted sequence numbers correlate to expected sequence numbers as indicated in the second table by using the transform identifiers associated with the first and second ones of the members to associate the first and second communications with the first and second ones of the members.
View Dependent Claims (5, 6, 7)
8. A network device comprising:
logic which processes packets received from another device which is a member of a group of devices including the network device that use a group security association such that packets sent by members of the group of devices utilize uncorrelated sequence numbers that are not unique within the group, including;
means for receiving both a first packet from a first one of the members of the group and a second packet from a second one of the members of the group within a predefined window, the first packet and the second packet utilizing identical sequence numbers;
means for storing, for each group in which the device is a member, a unique transform identifier for each member of each group and an expected sequence number for each member of each group;
means for decoding the first and second packets;
means for using the unique transform identifiers associated with the first and second members to associate the first and second packets with the first and second members of the group;
means for extracting the sequence numbers from the first and second packets; and
means for comparing the extracted sequence numbers against expected sequence numbers for the first and second members associated with the first and second packets; and
means for determining that the sequence number of the first packet and the sequence number of the second packet are both valid.
View Dependent Claims (9, 10)
11. A network comprising:
a device which processes packets received from another device which is a member of a group of devices including the network device that use a group security association such that packets sent by members of the group of devices utilize uncorrelated sequence numbers that are not unique within the group, including;
a registration table for storing registration information associated with each member, the registration information including a different transform identifier for each member of the group, the transform identifier for use by the corresponding member of the group for transforming communications issued by the corresponding member and distinguishing between transmissions by different members of the group by;
receiving both a first packet from a first one of the members of the group and a second packet from a second one of the members of the group within a predefined window, the first packet and the second packet utilizing identical sequence numbers;
using the unique transform identifiers associated with the first and second members to associate the first and second packets with the first and second members of the group;
extracting the sequence numbers from the first and second packets;
comparing the extracted sequence numbers against expected sequence numbers for the first and second members associated with the first and second packets; and
determining that the sequence number of the first packet and the sequence number of the second packet are both valid.
View Dependent Claims (12, 13, 14)
15. A method for detecting replayed packets in a network comprising:
registering each member of a group of members at a device in the network, including associating, with each member of the group that use a group security association such that packets sent by members of the group utilize uncorrelated sequence numbers that are not unique within the group, a different transform identifier to be used by the member of the group when transmitting communications to other members of the group;
forwarding transform identifiers for each member of the group to all members of the group;
receiving both a first packet from a first one of the members of the group and a second packet from a second one of the members of the group within a predefined window, the first packet and the second packet utilizing identical sequence numbers;
using the unique transform identifiers associated with the first and second members to associate the first and second packets with the first and second members of the group;
extracting the sequence numbers from the first and second packets;
comparing the extracted sequence numbers against expected sequence numbers for the first and second members associated with the first and second packets; and
determining that the sequence number of the first packet and the sequence number of the second packet are both valid.
View Dependent Claims (16, 17, 18)
19. A network comprising:
means for registering each member of a group of members that use a group security association such that packets sent by members of the group utilize uncorrelated sequence numbers that are not unique within the group at a device in the network, including means for associating each member of the group with a different transform identifier to be used by the member of the group when transmitting communications to other members of the group;
means for forwarding transform identifiers for each member of the group to all members of the group;
means for receiving both a first packet from a first one of the members of the group and a second packet from a second one of the members of the group within a predefined window, the first packet and the second packet utilizing identical sequence numbers;
means for using the unique transform identifiers associated with the first and second members to associate the first and second packets with the first and second members of the group;
means for extracting the sequence numbers from the first and second packets;
means for comparing the extracted sequence numbers against expected sequence numbers for the first and second members associated with the first and second packets; and
means for determining that the sequence number of the first packet and the sequence number of the second packet are both valid.
View Dependent Claims (20, 21, 22)
Specification