Dynamic host configuration and network access authentication

US 8,688,834 B2
Filed: 10/29/2004
Issued: 04/01/2014
Est. Priority Date: 07/09/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A system for providing secure communication in an access network, comprising:

networked computers configured to operate as;

an authenticator for authenticating access to said access network;

a dynamic host configuration protocol (DHCP) server for managing internet protocol (IP) address assignments for said access network;

a router for connecting said access network to other networks; and

a network bridge constituting a server port, a plurality of client ports and a forwarding database configured to communicate with each other, said forwarding database is configured to store connections as a relation between media access control address (MAC) and said client ports and includes at least an authorized forwarding database (AFD), an unauthorized forwarding database (UFD), and a penalty list database (PL),wherein said UFD is configured to store said connections, as the relation between said MAC addresses and said client ports, that have yet to be authenticated by said authenticator, for a time period specified by said network bridge or said authenticator prior to being moved to the AFD or removed from the UFD, and said UFD is configured to remove said connections from the UFD if said connections fail in the authentication or the time period specified expires;

wherein the connections that are authenticated are moved to said AFD, which is configured to store said authenticated connections as the relation between said MAC addresses and said client ports for a time period specified by said network bridge or said authenticator and said AFD is configured to remove said authenticated connections from the AFD based on a predetermined policy of the access network or physical disconnection of said authenticated connections from the respective client ports;

wherein the network bridge is configured to prohibit communication exchanges from the client ports other than those that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD for the time period specified; and

wherein the penalty list database (PL) configured to store said connections removed from the UFD and remove the stored connections automatically at the expiration of a life time timer assigned to each of the stored connections in the PL and in which a length of said life time timer is configured to increase at an increasing rate or exponentially each time the same combination of the MAC address and the client port is added to the PL repeatedly in order to prevent denial of service attack (DoS) from the client ports other than the client ports that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to some embodiments, systems and methods for binding dynamic host configuration and network access authentication are provided related to, inter alia, interactions between a PAA (PANA Authentication Agent) and a DHCP (Dynamic Host Configuration Protocol) server, such as, e.g., for synchronization between the PANA SA state and the DHCP SA state, such as, e.g., maintaining synchronization when a connection is lost. In some embodiments, systems and methods for binding network bridge and network access authentication are also provided related to, inter alia, interactions between a PAA and a layer-2 switch, such as, e.g., for avoiding service thefts and the like (such as, e.g., MAC address and/or IP address spoofing) in the context of, e.g., the above. In some other embodiments, systems and methods for bootstrapping multicast security from network access authentication protocol are also provided related to, inter alia, key management for protected IP multicast streams, such as, e.g., to avoid IP multicast streams unnecessarily received and/or processed by unauthorized receivers connected to the same layer 2 segment as authorized receivers in the context of, e.g., the above.

Citations

12 Claims

1. A system for providing secure communication in an access network, comprising:
- networked computers configured to operate as;
  
  an authenticator for authenticating access to said access network;
  
  a dynamic host configuration protocol (DHCP) server for managing internet protocol (IP) address assignments for said access network;
  
  a router for connecting said access network to other networks; and
  
  a network bridge constituting a server port, a plurality of client ports and a forwarding database configured to communicate with each other, said forwarding database is configured to store connections as a relation between media access control address (MAC) and said client ports and includes at least an authorized forwarding database (AFD), an unauthorized forwarding database (UFD), and a penalty list database (PL),wherein said UFD is configured to store said connections, as the relation between said MAC addresses and said client ports, that have yet to be authenticated by said authenticator, for a time period specified by said network bridge or said authenticator prior to being moved to the AFD or removed from the UFD, and said UFD is configured to remove said connections from the UFD if said connections fail in the authentication or the time period specified expires;
  
  wherein the connections that are authenticated are moved to said AFD, which is configured to store said authenticated connections as the relation between said MAC addresses and said client ports for a time period specified by said network bridge or said authenticator and said AFD is configured to remove said authenticated connections from the AFD based on a predetermined policy of the access network or physical disconnection of said authenticated connections from the respective client ports;
  
  wherein the network bridge is configured to prohibit communication exchanges from the client ports other than those that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD for the time period specified; and
  
  wherein the penalty list database (PL) configured to store said connections removed from the UFD and remove the stored connections automatically at the expiration of a life time timer assigned to each of the stored connections in the PL and in which a length of said life time timer is configured to increase at an increasing rate or exponentially each time the same combination of the MAC address and the client port is added to the PL repeatedly in order to prevent denial of service attack (DoS) from the client ports other than the client ports that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein:
    - said authenticator is configured so that none of the client ports are assigned with the same MAC address to prevent a user attached to one client port to act like a user attached to another client port in order to gain access to the AFD by spoofing the MAC address assigned to the user attached to the another client port.
  - 3. The system of claim 2, wherein:
    - for each of the client ports that are authenticated by the authenticator, a record of a client attached to each of the client ports is added to the AFD such that any packet exchange to and from the MAC address via the client ports other than the authenticated client ports will be prohibited in order to prevent at least a theft by spoofing and denial of service attacks.
  - 4. The system of claim 1, wherein:
    - said network bridge is configured to tag a packet with port identifier tag (PIT) when forwarding the packet to said authenticator and DHCP server, in which said authenticator and said DHCP server are configured to distinguish sessions not only by the MAC address assigned to each of the client ports but also by identifiers assigned to each of the client ports.

5. A computer network system having a network bridge for providing secure communication in an access network, comprising:
- networked computers in said access network that includes at least an authenticator, a dynamic host configuration protocol (DHCP) server and a router, wherein said network bridge includes;
  
  a server port that communicates with said access network;
  
  a plurality of client ports that connect clients to said access network;
  
  a forwarding database configured to store connections as a relation between media access control address (MAC) and said client ports, said forwarding database includes at least an authorized forwarding database (AFD), an unauthorized forwarding database (UFD), and a penalty list database (PL),wherein said UFD is configured to store said connections, as the relation between said MAC addresses and said client ports, that have yet to be authenticated by said authenticator, for a time period specified by said network bridge or said authenticator prior to being moved to the AFD or removed from the UFD, and said UFD is configured to remove said connections from the UFD if said connections fail in the authentication or the time period specified expires;
  
  wherein the connections that are authenticated are moved to said AFD, which is configured to store said connections as the relation between said MAC addresses and said client ports, authenticated by said authenticator, for a time period specified by said network bridge or said authenticator and said AFD is configured to remove said authenticated connections from the AFD based on a predetermined policy of the access network or physical disconnection of said authenticated connections from the respective client ports;
  
  wherein the network bridge is configured to prohibit communication exchanges from the client ports other than those that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD for the time period specified; and
  
  wherein the penalty list database (PL) configured to store said connections removed from the UFD and remove the stored connections automatically at the expiration of a life time timer assigned to each of the stored connections in the PL and in which a length of said life time timer is configured to increase at an increasing rate or exponentially each time the same combination of the MAC address and the client port is added to the PL repeatedly in order to prevent denial of service attack (DoS) from the client ports other than the client ports that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD.
- View Dependent Claims (6, 7, 8)
- - 6. The network bridge as set forth in claim 5, wherein:
    - said authenticator is configured so that none of the client ports are assigned with the same MAC address to prevent a user attached to one client port to act like a user attached to another client port in order to gain access to the AFD by spoofing the MAC address assigned to the user attached to the another client port.
  - 7. The network bridge as set forth in claim 5, wherein:
    - said network bridge is configured to tag a packet with port identifier tag (PIT) when forwarding the packet to said authenticator and DHCP server, in which said authenticator and said DHCP server are configured to distinguish sessions not only by the MAC address assigned to each of the client ports but also by identifiers assigned to each of the client ports.
  - 8. The network bridge as set forth in claim 7, wherein:
    - for each of the client ports that are authenticated by the authenticator, a record of a client attached to each of the client ports is added to the AFD such that any packet exchange to and from the MAC address via the client ports other than the authenticated client ports will be prohibited in order to prevent at least a theft by spoofing and denial of service attacks.

9. A method for securely communicating in an access network, comprising:
- authenticating access to said access network using an authenticator;
  
  managing internet protocol (IP) address assignments for said access network using a dynamic host configuration protocol (DHCP) server;
  
  connecting said access network to other networks using a router;
  
  storing connections as a relation between media access control address (MAC) and client ports in a forwarding database provided in a network bridge including a server port, wherein said forwarding database includes at least an authorized forwarding database (AFD) an unauthorized forwarding database (UFD), and a penalty list database (PL);
  
  storing in said UFD said connections, as the relation between said MAC addresses and said client ports, that have yet to be authenticated by said authenticator, for a time period specified by said network bridge or said authenticator prior to being moved to the AFD or removed from the UFD;
  
  removing from said UFD said connections if said connections fail to authenticate or the time period specified expires;
  
  moving the connections that are authenticated to the AFD and storing in said AFD said connections as the relation between said MAC addresses and said client ports for a time period specified by said network bridge or said authenticator;
  
  removing from said AFD said authenticated connections based on a predetermined policy of the access network or physical disconnection of said authenticated connections from the respective client ports;
  
  configuring the network bridge to prohibit communication exchanges from the client ports other than those that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD for the time period specified;
  
  storing in the penalty list database (PL) said connections removed from the UFD and removing the stored connections automatically at the expiration of a life time timer assigned to each of the stored connections in the PL; and
  
  increasing a length of said life time timer at an increasing rate or exponentially each time the same combination of the MAC address and the client port is added to the PL repeatedly in order to prevent denial of service attack (DoS) from the client ports other than the client ports that comport with said connections as the relation between said MAC addresses and said client ports stored in either of the AFD and the UFD.
- View Dependent Claims (10, 11, 12)
- - 10. The method according to claim 9, wherein:
    - a step of configuring said authenticator so that none of the client ports are assigned with the same MAC address to prevent a user attached to one client port to act like a user attached to another client port in order to gain access to the AFD by spoofing the MAC address assigned to the user attached to the another client port.
  - 11. The method according to claim 9, wherein:
    - a step of configuring said network bridge to tag a packet with port identifier tag (PIT) when forwarding the packet to said authenticator and DHCP server, in which said authenticator and said DHCP server are configured to distinguish sessions not only by the MAC address assigned to each of the client ports but also by identifiers assigned to each of the client ports.
  - 12. The method according to claim 11, wherein:
    - for each of the client ports that are authenticated by the authenticator, adding a record of a client attached to each of the client ports to the AFD such that any packet exchange to and from the MAC address via the client ports other than the authenticated client ports will be prohibited in order to prevent at least a theft by spoofing and a denial of service attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Four Batons Wireless LLC (Two Gold Capital LLC)
Original Assignee
Telcordia Technologies Incorporated (Telefonaktiebolaget LM Ericsson), Toshiba America Research Inc (Toshiba Corporation)
Inventors
Fujimoto, Kensaku, Katsube, Yasuhiro, Oba, Yoshihiro
Primary Examiner(s)
TODD, GREGORY G

Application Number

US10/975,497
Publication Number

US 20060036733A1
Time in Patent Office

3,441 Days
Field of Search

709220-222, 709/225, 709227-230, 709/237, 709/245, 709/248, 709/223, 375354-357, 713/155, 726 11- 14
US Class Current

709/225
CPC Class Codes

H04L 61/5014   using dynamic host configur...

H04L 63/08   for authentication of entit...

H04L 67/14   Session management for real...

Dynamic host configuration and network access authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic host configuration and network access authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links