Selective exposure of feature tags in a MACSec packet

US 8,707,020 B1
Filed: 05/13/2010
Issued: 04/22/2014
Est. Priority Date: 05/13/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A method of using MACSec tags and layer 2 encryption with legacy devices that do not understand MACSec tags, while preserving features controlled by tags supported by the legacy devices when the tags are unencrypted and accessible to the legacy devices, including:

exposing selected tags in a partially encrypted packet, including;

positioning a MACSec tag in the partially encrypted packet after a source and destination MAC tag and the selected tags; and

responsive to a TCP payload of a TCP tag being changed by the repositioned MACSec tag, recomputing a TCP checksum of the TCP tag;

encrypting tags and payload of the packet at positions that follow the MACSec tag, and not encrypting the source and destination MAC tag and the selected tags at positions that are before the MACSec tag,performing a calculation of a secured data integrity checksum of the partially encrypted packet, the calculation including the selected tags positioned before the MACSec tag; and

forwarding the partially encrypted packet via a network path that includes at least one network device that does not support IEEE MACSec standard 802.1AE.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A MACSec packet exposes selected tags in front of the MACSec tag. Different embodiments are directed to methods and apparatuses of various network nodes, that send, forward, and receive packets. Anther embodiment is the MACSec data structure on a computer readable medium. Another embodiment is the upgrade process of a legacy network.

15 Citations

View as Search Results

19 Claims

1. A method of using MACSec tags and layer 2 encryption with legacy devices that do not understand MACSec tags, while preserving features controlled by tags supported by the legacy devices when the tags are unencrypted and accessible to the legacy devices, including:
- exposing selected tags in a partially encrypted packet, including;
  
  positioning a MACSec tag in the partially encrypted packet after a source and destination MAC tag and the selected tags; and
  
  responsive to a TCP payload of a TCP tag being changed by the repositioned MACSec tag, recomputing a TCP checksum of the TCP tag;
  
  encrypting tags and payload of the packet at positions that follow the MACSec tag, and not encrypting the source and destination MAC tag and the selected tags at positions that are before the MACSec tag,performing a calculation of a secured data integrity checksum of the partially encrypted packet, the calculation including the selected tags positioned before the MACSec tag; and
  
  forwarding the partially encrypted packet via a network path that includes at least one network device that does not support IEEE MACSec standard 802.1AE.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein despite the legacy devices not understanding MACSec tags, the legacy devices support processing the features corresponding to the selected tags positioned before the MACSec tag in the partially encrypted packet.
  - 3. The method of claim 1, further including:
    - presenting to a user a graphical user interface with a user selectable list of tags to be exposed to, and supported by, the intermediate devices that do not support MACSec tags and layer 2 encryption;
      
      receiving, from the user via the graphical user interface with the user selectable list of tags to be exposed, user preferences about the one or more selected tags; and
      
      determining the one or more selected tags responsive to the user preferences.
  - 4. The method of claim 1, further including:
    - presenting to a user a graphical user interface with a user selectable list of tags to be exposed to, and supported by, the intermediate devices that do not support MACSec tags and layer 2 encryption;
      
      receiving, from the user via the graphical user interface with the user selectable list of tags to be exposed, user preferences about the one or more selected tags; and
      
      notifying the user via the graphical user interface of an inconsistency between the user preferences and a dependency between multiple tags.
  - 5. The method of claim 1, further including:
    - presenting to a user a graphical user interface with a user selectable list of tags to be exposed to, and supported by, the intermediate devices that do not support MACSec tags and layer 2 encryption;
      
      receiving, from the user via the graphical user interface with the user selectable list of tags to be exposed, user preferences about the one or more selected tags; and
      
      responsive to inconsistency between the user preferences and a dependency between a first tag selected by the user and a second tag not selected by the user, notifying the user via the graphical user interface of a modification to the user preferences to resolve the inconsistency, the modified user preferences positioning the MACSec tag after the second tag for the partially encrypted packet that includes the first tag.
  - 6. The method of claim 1, further including:
    - presenting to a user a graphical user interface with a user selectable list of tags to be exposed to, and supported by, the intermediate devices that do not support MACSec tags and layer 2 encryption;
      
      receiving, from the user via the graphical user interface with the user selectable list of tags to be exposed, user preferences about the one or more selected tags; and
      
      identifying an inconsistency between the user preferences and a dependency between multiple tags, wherein the user preferences indicated exposure of a TCP tag but not an IP tag.
  - 7. The method of claim 1, further including:
    - presenting to a user a graphical user interface with a user selectable list of tags to be exposed to, and supported by, the intermediate devices that do not support MACSec tags and layer 2 encryption;
      
      receiving, from the user via the graphical user interface with the user selectable list of tags to be exposed, user preferences about the one or more selected tags; and
      
      responsive to inconsistency between the user preferences and a dependency between multiple tags, wherein the user preferences indicated exposure of a TCP tag but not an IP tag, notifying the user via the graphical user interface of a modification to the user preferences to resolve the inconsistency, the modified user preferences positioning the MACSec tag after the IP tag for the partially encrypted packet that includes the TCP tag.
  - 8. The method of claim 1, further including:
    - presenting to a user a graphical user interface with a user selectable list of tags to be exposed to, and supported by, the intermediate devices that do not support MACSec tags and layer 2 encryption;
      
      receiving, from the user via the graphical user interface with the user selectable list of tags to be exposed, user preferences about the one or more selected tags; and
      
      identifying an inconsistency between the user preferences and a dependency between multiple tags, wherein the user preferences indicated exposure of a UDP tag but not an IP tag.
  - 9. The method of claim 1, further including:
    - presenting to a user a graphical user interface with a user selectable list of tags to be exposed to, and supported by, the intermediate devices that do not support MACSec tags and layer 2 encryption;
      
      receiving, from the user via the graphical user interface with the user selectable list of tags to be exposed, user preferences about the one or more selected tags; and
      
      responsive to inconsistency between the user preferences and a dependency between multiple tags, wherein the user preferences indicated exposure of a UDP tag but not an IP tag, notifying the user via the graphical user interface of a modification to the user preferences to resolve the inconsistency, the modified user preferences positioning the MACSec tag after the IP tag for the partially encrypted packet that includes the UDP tag.
  - 10. The method of claim 1, further including:
    - presenting to a user a graphical user interface with a user selectable list of tags to be exposed to, and supported by, the intermediate devices that do not support MACSec tags and layer 2 encryption;
      
      receiving, from the user via the graphical user interface with the user selectable list of tags to be exposed, user preferences about the one or more selected tags; and
      
      identifying an inconsistency between the user preferences and a dependency between multiple tags, wherein the user preferences indicated exposure of a DHCP tag but not both an IP tag and a UDP tag.
  - 11. The method of claim 1, further including:
    - presenting to a user a graphical user interface with a user selectable list of tags to be exposed to, and supported by, the intermediate devices that do not support MACSec tags and layer 2 encryption;
      
      receiving, from the user via the graphical user interface with the user selectable list of tags to be exposed, user preferences about the one or more selected tags; and
      
      responsive to inconsistency between the user preferences and a dependency between multiple tags, wherein the user preferences indicated exposure of a DHCP tag but not both an IP tag and a UDP tag, notifying the user via the graphical user interface of a modification to the user preferences to resolve the inconsistency, the modified user preferences positioning the MACSec tag after the IP tag and the UDP tag for the partially encrypted packet that includes the DHCP tag.
  - 12. The method of claim 1, further including:
    - performing shared 802.1X key management among multiple layer 2 networks that are separated by an intermediate network, the intermediate network propagating packets through the intermediate network at a higher layer of at least layer 3.
  - 13. The method of claim 1, further including:
    - performing shared 802.1X key management among multiple layer 2 networks that are separated by an intermediate network, the intermediate network propagating packets through the intermediate network at a higher layer of at least layer 3, including;
      
      encapsulating a layer 2 802.1X key management packet of a first layer 2 network, to include a header of the higher layer to form a higher layer key management packet;
      
      propagating the higher layer key management packet from a first layer 2 network through the intermediate network to a second layer 2 network; and
      
      deencapsulating the higher layer key management packet to form the layer 2 802.1X key management packet.
  - 14. The method of claim 1, further including:
    - performing shared 802.1X key management among wired and wireless layer 2 networks.

15. A method of using MACSec tags and layer 2 encryption with legacy devices that do not understand MACSec tags, while preserving features controlled by tags supported by the legacy devices when the tags are unencrypted and accessible to the legacy devices, including:
- receiving a partially encrypted packet via a network path that includes at least one network device that does not support IEEE MACSec standard 802.1AE; and
  
  decrypting at least a payload of the partially encrypted packet, including;
  
  identifying a MACSec tag positioned after the source and destination MAC tag and after selected tags that are supported by the network devices that do not support MACSec tags; and
  
  decrypting at least the payload of the partially encrypted packet positioned after the MACSec tag,wherein the partially encrypted packet includes a TCP checksum based on a TCP payload with the MACSec tag being positioned after the source and destination MAC tag and selected tags and,wherein the partially encrypted packet includes a secured data integrity checksum, and calculation of the secured data integrity checksum included the selected tags positioned before the MACSec tag.

16. A method of using MACSec tags and layer 2 encryption with legacy devices that do not understand MACSec tags, while preserving features controlled by tags supported by the legacy devices when the tags are unencrypted and accessible to the legacy devices, including:
- receiving a partially encrypted packet at a legacy network device that does not support IEEE MACSec standard 802.1AE;
  
  performing one or more of the features at the legacy network device, wherein the features are controlled by one or more selected tags positioned after the source and destination MAC tag and before a MACSec tag in the partially encrypted packet; and
  
  forwarding the partially encrypted packet from the legacy network device,wherein the partially encrypted packet includes a TCP checksum based on a TCP payload with the MACSec tag being positioned after the source and destination MAC tag and selected tags and,wherein the partially encrypted packet includes a secured data integrity checksum, and calculation of the secured data integrity checksum included the selected tags positioned before the MACSec tag.

17. A method of supporting migration from intermediate network devices that support features controlled by tags but do not support MACSec tags and layer 2 encryption, to intermediate devices that support MACSec tags and layer 2 encryption, the method including:
- deploying configurable MACSec logic components on endpoint network devices, wherein the configurable MACSec logic components are adapted to position a MACSec tag in partially encrypted packets so that the MACSec tag follows the source and destination MAC tag and one or more selected tags;
  
  initially operating the configurable MACSec logic components with a configuration that positions one or more selected tags to appear before the MACSec tag in an unencrypted part of the partially encrypted packets, so that the selected tags are accessible to legacy network devices that do not support MACSec tags and layer 2 encryption;
  
  andreconfiguring the configurable MACSec logic components, to change the positions of the selected tags, so that the selected tags appear after the MACSec tag in an encrypted part of the partially encrypted packets and are accessible to intermediate network devices that support MACSec; and
  
  operating the configurable MACSec logic components using the reconfigured positions of the selected tags,wherein the partially encrypted packets include a TCP checksum based on a TCP payload with the MACSec tag being positioned after the source and destination MAC tag and selected tags and,wherein the partially encrypted packet includes a secured data integrity checksum, and calculation of the secured data integrity checksum included the selected tags positioned before the MACSec tag.
- View Dependent Claims (18, 19)
- - 18. The method of claim 17, further including assigning meaningful data to the selected tags for processing by intermediate network devices.
  - 19. The method of claim 17, further including replacing the legacy network devices with intermediate network devices that do support MACSec and that are capable of line speed decryption and retrieval of tags from encrypted portions of packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ClearCrypt, Inc.
Original Assignee
ClearCrypt, Inc.
Inventors
Devarapalli, Ramana, Yuan, Liang-Chih, Lengyel, Gabor
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Anderson, Michael D

Application Number

US12/779,803
Time in Patent Office

1,440 Days
Field of Search

713/150, 713/151, 713/154, 370/252
US Class Current

713/150
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/12   Applying verification of th...

H04L 63/162   at the data link layer

H04L 63/164   at the network layer

Selective exposure of feature tags in a MACSec packet

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Selective exposure of feature tags in a MACSec packet

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links