Dynamic host configuration and network access authentication
First Claim
1. A system for providing secure communication in an access network, comprising:
- networked computers configured to operate as:
- an authenticator for authenticating access to said access network;
- a dynamic host configuration protocol (DHCP) server for managing internet protocol (IP) address assignments for said access network;
- a router for connecting said access network to other networks; and
- a network bridge constituting a server port, a plurality of client ports and a forwarding database configured to communicate with each other, said forwarding database is configured to store connections as a relation between media access control address (MAC) and said client ports and includes at least an authorized forwarding database (AFD), an unauthorized forwarding database (UFD), and a penalty list database (PL), wherein said UFD is configured to store said connections, as the relation between said MAC addresses and said client ports, that have yet to be authenticated by said authenticator, for a time period specified by said network bridge or said authenticator prior to being moved to the AFD or removed from the UFD, and said UFD is configured to remove said connections from the UFD if said connections fail in the authentication or the time period specified expires;
- wherein the connections that are authenticated are moved to said AFD, which is configured to store said authenticated connections as the relation between said MAC addresses and said client ports for a time period specified by said network bridge or said authenticator and said AFD is configured to remove said authenticated connections from the AFD based on a predetermined policy of the access network or physical disconnection of said authenticated connections from the respective client ports;
- wherein the network bridge is configured to prohibit communication exchanges from the client ports other than those that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD for the time period specified; and
- wherein the penalty list database (PL) is configured to store said connections removed from the UFD and remove the stored connections automatically at the expiration of a life time timer assigned to each of the stored connections in the PL and in which a length of said life time timer is configured to increase at an increasing rate or exponentially each time the same combination of the MAC address and the client port is added to the PL repeatedly in order to prevent denial of service attack (DoS) from the client ports other than the client ports that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD.
(Dependent claims: 2, 3, 4)
3 Assignments
0 Petitions
Abstract
According to some embodiments, systems and methods for binding dynamic host configuration and network access authentication are provided related to, inter alia, interactions between a PAA (PANA Authentication Agent) and a DHCP (Dynamic Host Configuration Protocol) server, such as, e.g., for synchronization between the PANA SA state and the DHCP SA state, such as, e.g., maintaining synchronization when a connection is lost. In some embodiments, systems and methods for binding network bridge and network access authentication are also provided related to, inter alia, interactions between a PAA and a layer-2 switch, such as, e.g., for avoiding service thefts and the like (such as, e.g., MAC address and/or IP address spoofing) in the context of, e.g., the above. In some other embodiments, systems and methods for bootstrapping multicast security from network access authentication protocol are also provided related to, inter alia, key management for protected IP multicast streams, such as, e.g., to avoid IP multicast streams unnecessarily received and/or processed by unauthorized receivers connected to the same layer 2 segment as authorized receivers in the context of, e.g., the above.
12 Claims
5. A computer network system having a network bridge for providing secure communication in an access network, comprising:
- networked computers in said access network that includes at least an authenticator, a dynamic host configuration protocol (DHCP) server and a router, wherein said network bridge includes:
- a server port that communicates with said access network;
- a plurality of client ports that connect clients to said access network;
- a forwarding database configured to store connections as a relation between media access control address (MAC) and said client ports, said forwarding database includes at least an authorized forwarding database (AFD), an unauthorized forwarding database (UFD), and a penalty list database (PL), wherein said UFD is configured to store said connections, as the relation between said MAC addresses and said client ports, that have yet to be authenticated by said authenticator, for a time period specified by said network bridge or said authenticator prior to being moved to the AFD or removed from the UFD, and said UFD is configured to remove said connections from the UFD if said connections fail in the authentication or the time period specified expires;
- wherein the connections that are authenticated are moved to said AFD, which is configured to store said connections as the relation between said MAC addresses and said client ports, authenticated by said authenticator, for a time period specified by said network bridge or said authenticator and said AFD is configured to remove said authenticated connections from the AFD based on a predetermined policy of the access network or physical disconnection of said authenticated connections from the respective client ports;
- wherein the network bridge is configured to prohibit communication exchanges from the client ports other than those that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD for the time period specified; and
- wherein the penalty list database (PL) is configured to store said connections removed from the UFD and remove the stored connections automatically at the expiration of a life time timer assigned to each of the stored connections in the PL and in which a length of said life time timer is configured to increase at an increasing rate or exponentially each time the same combination of the MAC address and the client port is added to the PL repeatedly in order to prevent denial of service attack (DoS) from the client ports other than the client ports that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD.
(Dependent claims: 6, 7, 8)
9. A method for securely communicating in an access network, comprising:
- authenticating access to said access network using an authenticator;
- managing internet protocol (IP) address assignments for said access network using a dynamic host configuration protocol (DHCP) server;
- connecting said access network to other networks using a router;
- storing connections as a relation between media access control address (MAC) and client ports in a forwarding database provided in a network bridge including a server port, wherein said forwarding database includes at least an authorized forwarding database (AFD), an unauthorized forwarding database (UFD), and a penalty list database (PL);
- storing in said UFD said connections, as the relation between said MAC addresses and said client ports, that have yet to be authenticated by said authenticator, for a time period specified by said network bridge or said authenticator prior to being moved to the AFD or removed from the UFD;
- removing from said UFD said connections if said connections fail to authenticate or the time period specified expires;
- moving the connections that are authenticated to the AFD and storing in said AFD said connections as the relation between said MAC addresses and said client ports for a time period specified by said network bridge or said authenticator;
- removing from said AFD said authenticated connections based on a predetermined policy of the access network or physical disconnection of said authenticated connections from the respective client ports;
- configuring the network bridge to prohibit communication exchanges from the client ports other than those that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD for the time period specified;
- storing in the penalty list database (PL) said connections removed from the UFD and removing the stored connections automatically at the expiration of a life time timer assigned to each of the stored connections in the PL; and
- increasing a length of said life time timer at an increasing rate or exponentially each time the same combination of the MAC address and the client port is added to the PL repeatedly in order to prevent denial of service attack (DoS) from the client ports other than the client ports that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD.
(Dependent claims: 10, 11, 12)
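The three independent claims describe the same mechanism from three angles: a bridge that keeps MAC/port bindings in an unauthorized forwarding database (UFD) while authentication is pending, promotes them to the authorized forwarding database (AFD) on success, drops frames that do not match a stored binding, and parks failed or timed-out bindings in a penalty list (PL) whose life time timer grows exponentially for repeat offenders. The following Python model is an added example written for this page, not code from the patent or its assignee. The timer values (30 s UFD window, 10 s base penalty doubling each repeat), the persistent per-binding strike counter used to make the timer grow across PL expiries, and the rule that a MAC already bound to one client port is refused on another port are all assumptions chosen to exercise the claims; the MAC addresses and timestamps in `demo()` are constructed.

```python
# Added example (not code from the patent): a toy model of the bridge
# forwarding database split into AFD / UFD / PL with an exponential penalty
# timer. Timer values and the strike counter are assumptions for the demo.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Conn = Tuple[str, int]  # (MAC address, client port number)


@dataclass
class PenaltyEntry:
    expires_at: float  # when the life time timer fires and the entry is dropped
    lifetime: float    # length of the timer that was assigned to this entry


class BridgeFDB:
    def __init__(self, ufd_ttl: float = 30.0, afd_ttl: float = 3600.0,
                 base_penalty: float = 10.0, penalty_factor: float = 2.0):
        self.ufd_ttl = ufd_ttl                # how long a pending binding may stay in the UFD
        self.afd_ttl = afd_ttl                # policy-based lifetime of an authenticated binding
        self.base_penalty = base_penalty      # life time timer for a first PL entry
        self.penalty_factor = penalty_factor  # growth per repeated PL insertion
        self.ufd: Dict[Conn, float] = {}        # binding -> expiry time
        self.afd: Dict[Conn, float] = {}        # binding -> expiry time
        self.pl: Dict[Conn, PenaltyEntry] = {}  # binding -> penalty entry
        self.strikes: Dict[Conn, int] = {}      # assumed: repeat counter kept across PL expiries

    def tick(self, now: float) -> None:
        """Age entries out. A UFD entry that expires unauthenticated goes to the PL."""
        for conn in [c for c, exp in self.ufd.items() if exp <= now]:
            del self.ufd[conn]
            self._penalize(conn, now)
        for conn in [c for c, exp in self.afd.items() if exp <= now]:
            del self.afd[conn]
        for conn in [c for c, e in self.pl.items() if e.expires_at <= now]:
            del self.pl[conn]

    def _penalize(self, conn: Conn, now: float) -> float:
        """Add conn to the PL; the timer doubles each time the same pair comes back."""
        n = self.strikes.get(conn, 0)
        lifetime = self.base_penalty * (self.penalty_factor ** n)
        self.strikes[conn] = n + 1
        self.pl[conn] = PenaltyEntry(now + lifetime, lifetime)
        return lifetime

    def frame_seen(self, mac: str, port: int, now: float) -> bool:
        """Return True if the bridge forwards a frame arriving from (mac, port)."""
        self.tick(now)
        conn = (mac, port)
        if conn in self.afd or conn in self.ufd:
            return True                        # comports with a stored binding
        if conn in self.pl:
            return False                       # penalised: dropped, no new UFD entry
        if any(m == mac for m, _ in list(self.afd) + list(self.ufd)):
            return False                       # assumed rule: MAC already bound to another port
        self.ufd[conn] = now + self.ufd_ttl    # new client, pending authentication
        return True

    def auth_result(self, mac: str, port: int, success: bool, now: float) -> Optional[str]:
        """Authenticator callback: move the UFD entry to the AFD, or fail it into the PL."""
        self.tick(now)
        conn = (mac, port)
        if conn not in self.ufd:
            return None
        del self.ufd[conn]
        if success:
            self.afd[conn] = now + self.afd_ttl
            return "AFD"
        self._penalize(conn, now)
        return "PL"

    def port_down(self, port: int) -> None:
        """Physical disconnection removes every binding of that client port."""
        for db in (self.afd, self.ufd):
            for conn in [c for c in db if c[1] == port]:
                del db[conn]


def demo() -> dict:
    """Walk the state machine with constructed MAC addresses and timestamps."""
    fdb = BridgeFDB()
    out: dict = {}
    good, rogue, idle = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:03", "ca:fe:00:00:00:04"
    out["first_frame"] = fdb.frame_seen(good, 1, 0.0)        # admitted into the UFD
    out["auth_ok"] = fdb.auth_result(good, 1, True, 1.0)     # UFD -> AFD
    out["spoof_other_port"] = fdb.frame_seen(good, 2, 2.0)   # same MAC, wrong port: dropped
    lifetimes: List[float] = []
    blocked: List[bool] = []
    t = 5.0
    for _ in range(3):                                        # repeated authentication failures
        fdb.frame_seen(rogue, 3, t)
        fdb.auth_result(rogue, 3, False, t)
        lifetimes.append(fdb.pl[(rogue, 3)].lifetime)
        blocked.append(fdb.frame_seen(rogue, 3, t + 1.0))     # still penalised
        t += lifetimes[-1] + 1.0                              # wait out the timer
    out["penalty_lifetimes"] = lifetimes                      # 10, 20, 40 seconds
    out["blocked_while_penalised"] = blocked
    fdb.frame_seen(idle, 4, t)                                # client that never authenticates
    fdb.tick(t + fdb.ufd_ttl + 1.0)                          # UFD timeout -> PL
    out["timeout_to_pl"] = (idle, 4) in fdb.pl
    fdb.port_down(1)
    out["afd_after_port_down"] = (good, 1) in fdb.afd
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the exponential timer is visible in `penalty_lifetimes`: a client port that keeps failing authentication is admitted into the UFD less and less often, so the work it can impose on the authenticator (and the UFD entries it can occupy) is bounded regardless of how fast it retries. The patent leaves open how the bridge remembers that a MAC/port pair was penalised before once its PL entry has expired; the `strikes` dictionary here is one simple choice and would need its own ageing policy in a real switch.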