Method and apparatus for providing replay protection in systems using group security associations

US 8,687,485 B1
Filed: 06/09/2004
Issued: 04/01/2014
Est. Priority Date: 09/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

processing packets received at an edge device in a network, where the edge device is a member of a group of devices using a group security association such that packets sent by members of the group of devices utilize uncorrelated sequence numbers that are not unique within the group, by;

receiving a unique transform identifier for each member of the group;

receiving both a first packet from a first one of the members of the group and a second packet from a second one of the members of the group within a predefined window, the first packet and the second packet utilizing identical sequence numbers;

decoding the first packet;

using the unique transform identifier associated with the first one of the members to associate the first packet with the first one of the members of the group;

extracting the sequence number from the first packet;

comparing the extracted sequence number against an expected sequence number for the first one of the members associated with the packetdecoding the second packet;

using the unique transform identifier associated with the second one of the members to associate the second packet with the second one of the members of the group;

extracting the sequence number from the second packet;

andcomparing the extracted sequence number against an expected sequence number for the second one of the members associated with the packet; and

determining that the sequence number of the first packet and the sequence number of the second packet are both valid.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus is disclosed which enables detection of undesired packets received at a device in a network, where the device is a member of a group of devices in the network. A registration table stores transform identifiers for each member of a group and controls the forwarding of the transform identifiers to the members of the group as members are added and deleted. A transform identifier indicates a format or transformation of a packet transmitted by an associated member. The transform identifier can therefore be used at a receiving device to distinguish between transmissions by different members of the group, thereby enabling the receiving device to extract sequence information associated with the member from the packet. The sequence information can be compared against an expected sequence number for the member to determine whether the packet is an undesirable or rogue packet.

32 Citations

View as Search Results

22 Claims

1. A method comprising:
- processing packets received at an edge device in a network, where the edge device is a member of a group of devices using a group security association such that packets sent by members of the group of devices utilize uncorrelated sequence numbers that are not unique within the group, by;
  
  receiving a unique transform identifier for each member of the group;
  
  receiving both a first packet from a first one of the members of the group and a second packet from a second one of the members of the group within a predefined window, the first packet and the second packet utilizing identical sequence numbers;
  
  decoding the first packet;
  
  using the unique transform identifier associated with the first one of the members to associate the first packet with the first one of the members of the group;
  
  extracting the sequence number from the first packet;
  
  comparing the extracted sequence number against an expected sequence number for the first one of the members associated with the packetdecoding the second packet;
  
  using the unique transform identifier associated with the second one of the members to associate the second packet with the second one of the members of the group;
  
  extracting the sequence number from the second packet;
  
  andcomparing the extracted sequence number against an expected sequence number for the second one of the members associated with the packet; and
  
  determining that the sequence number of the first packet and the sequence number of the second packet are both valid.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the transform identifier is a security association used to transform communications transmitted by an associated group member.
  - 3. The method of claim 1, wherein the transform identifier for each member is a Security Parameter Index (SPI) of the associated member.

4. A network device comprising:
- a first table for storing a plurality of transform identifiers, each one of the plurality of transform identifiers uniquely associated with a different one of a plurality of members of a group of which the network device is also a member;
  
  a second table for storing a sequence number for each one of the plurality of members of the group; and
  
  logic which processes communications received from another device which is a member of a group of devices including the network device that use a group security association such that communications sent by members of the group of devices utilize uncorrelated sequence numbers that are not unique within the group by;
  
  receiving both a first communication from a first one of the members of the group and a second communication from a second one of the members of the group within a predefined window, the first communication and the second communication utilizing identical sequence numbers;
  
  transforming the first communication received from the first one of the members of the group using the corresponding transform identifier in the first table and extracting a sequence number from the first communication;
  
  transforming the second communication received from the second one of the members of the group using the corresponding transform identifier in the first table and extracting a sequence number from the second communication; and
  
  determining whether the extracted sequence numbers correlate to expected sequence numbers as indicated in the second table by using the transform identifiers associated with the first and second ones of the members to associate the first and second communications with the first and second ones of the members.
- View Dependent Claims (5, 6, 7)
- - 5. The network device of claim 4, further including means for discarding the communication if it is determined that the extracted sequence number does not correlate with the expected sequence number.
  - 6. The network device of claim 4, wherein the transform identifier is a security association used to transform communications transmitted by an associated group member.
  - 7. The network device of claim 4, wherein the transform identifier for each member is a Security Parameter Index (SPI) of the associated member.

8. A network device comprising:
- logic which processes packets received from another device which is a member of a group of devices including the network device that use a group security association such that packets sent by members of the group of devices utilize uncorrelated sequence numbers that are not unique within the group, including;
  
  means for receiving both a first packet from a first one of the members of the group and a second packet from a second one of the members of the group within a predefined window, the first packet and the second packet utilizing identical sequence numbers;
  
  means for storing, for each group in which the device is a member, a unique transform identifier for each member of each group and an expected sequence number for each member of each group;
  
  means for decoding the first and second packets;
  
  means for using the unique transform identifiers associated with the first and second members to associate the first and second packets with the first and second members of the group;
  
  means for extracting the sequence numbers from the first and second packets; and
  
  means for comparing the extracted sequence numbers against expected sequence numbers for the first and second members associated with the first and second packets; and
  
  means for determining that the sequence number of the first packet and the sequence number of the second packet are both valid.
- View Dependent Claims (9, 10)
- - 9. The network device of claim 8, wherein the expected sequence number is different for each transmitting member of the group.
  - 10. The network device of claim 8, wherein the expected sequence number is different for each receiving member.

11. A network comprising:
- a device which processes packets received from another device which is a member of a group of devices including the network device that use a group security association such that packets sent by members of the group of devices utilize uncorrelated sequence numbers that are not unique within the group, including;
  
  a registration table for storing registration information associated with each member, the registration information including a different transform identifier for each member of the group, the transform identifier for use by the corresponding member of the group for transforming communications issued by the corresponding member and distinguishing between transmissions by different members of the group by;
  
  receiving both a first packet from a first one of the members of the group and a second packet from a second one of the members of the group within a predefined window, the first packet and the second packet utilizing identical sequence numbers;
  
  using the unique transform identifiers associated with the first and second members to associate the first and second packets with the first and second members of the group;
  
  extracting the sequence numbers from the first and second packets;
  
  comparing the extracted sequence numbers against expected sequence numbers for the first and second members associated with the first and second packets; and
  
  determining that the sequence number of the first packet and the sequence number of the second packet are both valid.
- View Dependent Claims (12, 13, 14)
- - 12. The network of claim 11, wherein the transform identifier is a security association used to transform communications transmitted by an associated group member.
  - 13. The network of claim 11, wherein the transform identifier for each member is a Security Parameter Index (SPI) of the associated member.
  - 14. The network of claim 11, the device further includes means for forwarding the different transform identifier information to each member of each group.

15. A method for detecting replayed packets in a network comprising:
- registering each member of a group of members at a device in the network, including associating, with each member of the group that use a group security association such that packets sent by members of the group utilize uncorrelated sequence numbers that are not unique within the group, a different transform identifier to be used by the member of the group when transmitting communications to other members of the group;
  
  forwarding transform identifiers for each member of the group to all members of the group;
  
  receiving both a first packet from a first one of the members of the group and a second packet from a second one of the members of the group within a predefined window, the first packet and the second packet utilizing identical sequence numbers;
  
  using the unique transform identifiers associated with the first and second members to associate the first and second packets with the first and second members of the group;
  
  extracting the sequence numbers from the first and second packets;
  
  comparing the extracted sequence numbers against expected sequence numbers for the first and second members associated with the first and second packets; and
  
  determining that the sequence number of the first packet and the sequence number of the second packet are both valid.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, wherein the transform identifier is a security association used to transform communications transmitted by an associated group member.
  - 17. The method of claim 15, wherein the transform identifier for each member is a Security Parameter Index (SPI) of the associated member.
  - 18. The method of claim 15 further including the step of periodically updating the transform identifiers for each member of each group.

19. A network comprising:
- means for registering each member of a group of members that use a group security association such that packets sent by members of the group utilize uncorrelated sequence numbers that are not unique within the group at a device in the network, including means for associating each member of the group with a different transform identifier to be used by the member of the group when transmitting communications to other members of the group;
  
  means for forwarding transform identifiers for each member of the group to all members of the group;
  
  means for receiving both a first packet from a first one of the members of the group and a second packet from a second one of the members of the group within a predefined window, the first packet and the second packet utilizing identical sequence numbers;
  
  means for using the unique transform identifiers associated with the first and second members to associate the first and second packets with the first and second members of the group;
  
  means for extracting the sequence numbers from the first and second packets;
  
  means for comparing the extracted sequence numbers against expected sequence numbers for the first and second members associated with the first and second packets; and
  
  means for determining that the sequence number of the first packet and the sequence number of the second packet are both valid.
- View Dependent Claims (20, 21, 22)
- - 20. The network of claim 19, wherein the transform identifier is a security association used to transform communications transmitted by an associated group member.
  - 21. The network of claim 19, wherein the transform identifier for each member is a Security Parameter Index (SPI) of the associated member.
  - 22. The network of claim 19 further including means for periodically updating the transform identifiers for each member of each group.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Clearinghouse LLC (RPX Corporation)
Original Assignee
Rockstar Consortium US LP (Rockstar Consortium Inc.)
Inventors
Dondeti, Lakshminath, Fedyk, Donald, He, Haixiang
Primary Examiner(s)
MATTIS, JASON E

Application Number

US10/864,146
Time in Patent Office

3,583 Days
Field of Search

370/394, 370/230, 370/289, 370/474, 726/3, 726/14
US Class Current

370/230
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/104   Grouping of entities

H04L 63/1408   by monitoring network traff...

H04L 63/166   at the transport layer

Method and apparatus for providing replay protection in systems using group security associations

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing replay protection in systems using group security associations

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links