Selective exposure of feature tags in a MACSec packet
First Claim
1. A method of using MACSec tags and layer 2 encryption with legacy devices that do not understand MACSec tags, while preserving features controlled by tags supported by the legacy devices when the tags are unencrypted and accessible to the legacy devices, including:

exposing selected tags in a partially encrypted packet, including:
positioning a MACSec tag in the partially encrypted packet after a source and destination MAC tag and the selected tags; and
responsive to a TCP payload of a TCP tag being changed by the repositioned MACSec tag, recomputing a TCP checksum of the TCP tag;
encrypting tags and payload of the packet at positions that follow the MACSec tag, and not encrypting the source and destination MAC tag and the selected tags at positions that are before the MACSec tag;
performing a calculation of a secured data integrity checksum of the partially encrypted packet, the calculation including the selected tags positioned before the MACSec tag; and
forwarding the partially encrypted packet via a network path that includes at least one network device that does not support IEEE MACSec standard 802.1AE.
Abstract
A MACSec packet exposes selected tags in front of the MACSec tag. Different embodiments are directed to methods and apparatuses of various network nodes that send, forward, and receive packets. Another embodiment is the MACSec data structure on a computer readable medium. Another embodiment is the upgrade process of a legacy network.
15 Citations
19 Claims
1. A method of using MACSec tags and layer 2 encryption with legacy devices that do not understand MACSec tags, while preserving features controlled by tags supported by the legacy devices when the tags are unencrypted and accessible to the legacy devices, including:

exposing selected tags in a partially encrypted packet, including: positioning a MACSec tag in the partially encrypted packet after a source and destination MAC tag and the selected tags; and responsive to a TCP payload of a TCP tag being changed by the repositioned MACSec tag, recomputing a TCP checksum of the TCP tag; encrypting tags and payload of the packet at positions that follow the MACSec tag, and not encrypting the source and destination MAC tag and the selected tags at positions that are before the MACSec tag; performing a calculation of a secured data integrity checksum of the partially encrypted packet, the calculation including the selected tags positioned before the MACSec tag; and forwarding the partially encrypted packet via a network path that includes at least one network device that does not support IEEE MACSec standard 802.1AE.

Dependent claims: 2 to 14.

15. A method of using MACSec tags and layer 2 encryption with legacy devices that do not understand MACSec tags, while preserving features controlled by tags supported by the legacy devices when the tags are unencrypted and accessible to the legacy devices, including:

receiving a partially encrypted packet via a network path that includes at least one network device that does not support IEEE MACSec standard 802.1AE; and decrypting at least a payload of the partially encrypted packet, including: identifying a MACSec tag positioned after the source and destination MAC tag and after selected tags that are supported by the network devices that do not support MACSec tags; and decrypting at least the payload of the partially encrypted packet positioned after the MACSec tag, wherein the partially encrypted packet includes a TCP checksum based on a TCP payload with the MACSec tag being positioned after the source and destination MAC tag and selected tags, and wherein the partially encrypted packet includes a secured data integrity checksum, and calculation of the secured data integrity checksum included the selected tags positioned before the MACSec tag.

16. A method of using MACSec tags and layer 2 encryption with legacy devices that do not understand MACSec tags, while preserving features controlled by tags supported by the legacy devices when the tags are unencrypted and accessible to the legacy devices, including:

receiving a partially encrypted packet at a legacy network device that does not support IEEE MACSec standard 802.1AE; performing one or more of the features at the legacy network device, wherein the features are controlled by one or more selected tags positioned after the source and destination MAC tag and before a MACSec tag in the partially encrypted packet; and forwarding the partially encrypted packet from the legacy network device, wherein the partially encrypted packet includes a TCP checksum based on a TCP payload with the MACSec tag being positioned after the source and destination MAC tag and selected tags, and wherein the partially encrypted packet includes a secured data integrity checksum, and calculation of the secured data integrity checksum included the selected tags positioned before the MACSec tag.

17. A method of supporting migration from intermediate network devices that support features controlled by tags but do not support MACSec tags and layer 2 encryption, to intermediate devices that support MACSec tags and layer 2 encryption, the method including:

deploying configurable MACSec logic components on endpoint network devices, wherein the configurable MACSec logic components are adapted to position a MACSec tag in partially encrypted packets so that the MACSec tag follows the source and destination MAC tag and one or more selected tags; initially operating the configurable MACSec logic components with a configuration that positions one or more selected tags to appear before the MACSec tag in an unencrypted part of the partially encrypted packets, so that the selected tags are accessible to legacy network devices that do not support MACSec tags and layer 2 encryption; reconfiguring the configurable MACSec logic components, to change the positions of the selected tags, so that the selected tags appear after the MACSec tag in an encrypted part of the partially encrypted packets and are accessible to intermediate network devices that support MACSec; and operating the configurable MACSec logic components using the reconfigured positions of the selected tags, wherein the partially encrypted packets include a TCP checksum based on a TCP payload with the MACSec tag being positioned after the source and destination MAC tag and selected tags, and wherein the partially encrypted packet includes a secured data integrity checksum, and calculation of the secured data integrity checksum included the selected tags positioned before the MACSec tag.

Dependent claims: 18 and 19.
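As an added illustration (not code from the patent or from any implementation of it), the following Python models the frame layout the claims describe: DA/SA and a selected VLAN tag in the clear, the SecTAG after them, the EtherType and payload encrypted, and an integrity check whose input includes the exposed tag; a flag moves the VLAN tag inside the encrypted region, as in the reconfiguration of claim 17. It assumes HMAC-SHA256 and an HMAC-derived keystream as stand-ins for MACsec's GCM-AES, constructed keys, addresses and payload, and does not model the TCP checksum recomputation.

```python
import hmac, hashlib, struct

ETH_VLAN, ETH_MACSEC, ETH_IPV4 = 0x8100, 0x88E5, 0x0800

# Constructed sample inputs (not from the patent).
KEY = b"\x01" * 16
DST, SRC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SCI = SRC + b"\x00\x01"                  # Secure Channel Identifier: SA + port
VLAN100 = bytes.fromhex("81002064")      # PCP 1, VID 100: the "selected tag" a legacy switch needs
PAYLOAD = b"constructed TCP segment"

def _keystream(key, sci, pn, n):
    # Toy counter-mode keystream from HMAC-SHA256: a stand-in for MACsec's GCM-AES, not the real cipher.
    blocks = [hmac.new(key, sci + struct.pack(">II", pn, i), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def build_frame(key, dst, src, vlan_tag, payload, sci, pn, expose_vlan=True):
    """Build a partially encrypted frame. expose_vlan=True leaves the VLAN tag in the clear
    before the SecTAG (legacy-readable); False moves it after the SecTAG into the
    encrypted region (the reconfigured layout of claim 17)."""
    sectag = struct.pack(">HBBI", ETH_MACSEC, 0x2C, 0, pn) + sci   # TCI/AN (SC,E,C set), SL, PN, SCI
    exposed = vlan_tag if expose_vlan else b""
    secure = (b"" if expose_vlan else vlan_tag) + struct.pack(">H", ETH_IPV4) + payload
    ct = bytes(a ^ b for a, b in zip(secure, _keystream(key, sci, pn, len(secure))))
    aad = dst + src + exposed + sectag          # integrity input includes the exposed tags
    icv = hmac.new(key, aad + ct, hashlib.sha256).digest()[:16]
    return dst + src + exposed + sectag + ct + icv

def legacy_vlan_id(frame):
    """What a non-802.1AE switch does: read the VLAN ID right after DA/SA, ignore the rest."""
    etype, tci = struct.unpack(">HH", frame[12:16])
    return tci & 0x0FFF if etype == ETH_VLAN else None

def receive(key, frame):
    """Locate the SecTAG after DA/SA and any exposed VLAN tags, verify the ICV, then decrypt."""
    off, exposed = 12, b""
    while struct.unpack(">H", frame[off:off + 2])[0] == ETH_VLAN:   # skip exposed 4-byte VLAN tags
        exposed += frame[off:off + 4]; off += 4
    sectag = frame[off:off + 16]
    etype, tci_an, sl, pn = struct.unpack(">HBBI", sectag[:8]); sci = sectag[8:]
    if etype != ETH_MACSEC:
        return None
    ct, icv = frame[off + 16:-16], frame[-16:]
    aad = frame[:12] + exposed + sectag
    if not hmac.compare_digest(icv, hmac.new(key, aad + ct, hashlib.sha256).digest()[:16]):
        return None                               # tampering with an exposed tag or ciphertext is detected
    secure = bytes(a ^ b for a, b in zip(ct, _keystream(key, sci, pn, len(ct))))
    return {"exposed_vlan": exposed, "secure_data": secure}
```

A legacy switch can act on the VID only in the exposed layout, and a modified exposed tag still fails the receiver's integrity check because the tag is part of the ICV input.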
Specification