Method and system for the assignment of security group information using a proxy

US 8,713,201 B2
Filed: 05/27/2010
Issued: 04/29/2014
Est. Priority Date: 08/13/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving address information regarding a network device and security group information regarding said network device, whereinsaid address information and said security group information are configured to be received from a first network device,said address information and said security group information are received at a second network device,said address information identifies an address of said network device,said security group information identifies a security group of said network device, andsaid security group information indicates said network device is a member of said security group;

associating said address information and said security group information, whereinsaid second network device is configured to perform said associating,said associating comprisesstoring said address information and said security group information such that said address information and said security group information are associated with one another, andsaid address information and said security group information are configured to allow said security group information to be used in performing access control processing of a packet;

receiving another packet at said second network device, whereinsaid another packet is received from said first network device;

determining whether said security group information should be associated with said another packet, whereinsaid another packet comprises packet address information,said packet address information is address information associated with said network device, andsaid determining uses said packet address information; and

in response to an indication that said security group information should be associated with said another packet, associating said security group information with said another packet, whereinsaid associating said security group information with said another packet comprisesadding said security group information to said another packet.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for the assignment of security group information using a proxy is disclosed. The method includes receiving an address of a network device at a first network device, receiving a security group of the network device at the first network device and associating the address information and the security group information with one another at the first network device. The first network device is coupled to a second network device. The address is represented by address information, which is received from the second network device. The security group is identified using the security group information, which indicates the network device is a member of the security group. The address information and the security group information are associated with one another by storing the address information and the security group information at the first network device.

Citations

13 Claims

1. A method comprising:
- receiving address information regarding a network device and security group information regarding said network device, whereinsaid address information and said security group information are configured to be received from a first network device,said address information and said security group information are received at a second network device,said address information identifies an address of said network device,said security group information identifies a security group of said network device, andsaid security group information indicates said network device is a member of said security group;
  
  associating said address information and said security group information, whereinsaid second network device is configured to perform said associating,said associating comprisesstoring said address information and said security group information such that said address information and said security group information are associated with one another, andsaid address information and said security group information are configured to allow said security group information to be used in performing access control processing of a packet;
  
  receiving another packet at said second network device, whereinsaid another packet is received from said first network device;
  
  determining whether said security group information should be associated with said another packet, whereinsaid another packet comprises packet address information,said packet address information is address information associated with said network device, andsaid determining uses said packet address information; and
  
  in response to an indication that said security group information should be associated with said another packet, associating said security group information with said another packet, whereinsaid associating said security group information with said another packet comprisesadding said security group information to said another packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - sending said address information and said security group information from said first network device to said second network device, whereinsaid second network device is configured to associate said address information and said security group information with one another, by virtue of being configured to perform said associating said address information and said security group information.
  - 3. The method of claim 1, wherein said sending comprises:
    - receiving an install message from said first network device at a second network device, whereinsaid install message comprisessaid address information, andsaid security group information, andsaid install message is configured to cause said second network device to perform said associating said address information and said security group information.
  - 4. The method of claim 3, further comprising:
    - determining whether said security group is valid; and
      
      in response to a determination that said security group is invalid, awaiting a delete message from said first network device, whereinsaid associating said address information and said security group information creates an association between said address information and said security group information, andsaid delete message is configured to cause said second network device to delete said association.
  - 5. The method of claim 4, whereinsaid delete message comprisessaid address information, andsaid security group information.
  - 6. The method of claim 1, further comprising:
    - associating an address and said security group information with one another, whereinsaid address allows said security group information to be associated with said another packet.
  - 7. The method of claim 6, whereinsaid address is at least one of a media access control address, an internet protocol address, or a transport layer port address.
  - 8. The method of claim 1, wherein said adding comprises one of:
    - inserting said security group information in said another packet; and
      
      encapsulating said another packet, whereinsaid encapsulating comprises one of prepending or appending said security group information to said another packet.

9. An apparatus comprising:
- a distribution layer network device, whereinsaid distribution layer network device is configured to be communicatively coupled to an access layer network device, andsaid distribution layer network device is configured toreceive address information regarding a network device and security group information regarding said network device, whereinsaid address information and said security group information are received from said access layer network device,associate said address information and said security group information, whereinsaid address information identifies an address of said network device,said security group information identifies a security group of said network device,said security group information indicates said network device is a member of said security group,said distribution layer network device is configured to associate said address information and said security group information by virtue of being configured to
  
  store said address information and said security group information such that said address information and said security group information are associated with one another, andsaid address information and said security group information are configured to allow said security group information to be used in performing access control processing of packet,receive another packet from said access layer network device, whereinsaid another packet is received from said first network device,determine whether said security group information is associated with said another packet, whereinsaid another packet comprises packet address information,said packet address information is address information associated with said network device, andsaid determining uses said packet address information, andin response to an indication that said security group information should be associated with said another packet, associate said security group information with said another packet, whereinsecurity group information is associated with said another packet, at least in part, by
  
  adding said security group information to said another packet.
- View Dependent Claims (10)
- - 10. The apparatus of claim 9, further comprising:
    - a first network device, whereinsaid first network device is said access layer network device,said first network device is configured toidentify said address of said network device, whereinsaid address is identified using address information,identify said security group of said network device, andsend said address information and said security group information to said distribution layer network device.

11. An apparatus comprising:
- means for receiving address information regarding a network device and security group information regarding said network device, whereinsaid address information and said security group information are configured to be received from a first network device,said address information and said security group information are received at a second network device comprising said means for receiving,said address information identifies an address of said network device,said security group information identifies a security group of said network device, andsaid security group information indicates said network device is a member of said security group;
  
  means for associating said address information and said security group information, whereinsaid second network device comprises said means for associating,said means for associating comprisesmeans for storing said address information and said security group information such that said address information and said security group information are associated with one another, andsaid address information and said security group information are configured to allow said security group information to be used in performing access control processing of a packet;
  
  means for receiving another packet at said second network device, whereinsaid another packet is received from said first network device;
  
  means for determining whether said security group information should be associated with said another packet, whereinsaid another packet comprises packet address information,said packet address information is address information associated with said network device, andsaid means for determining is configured to use said packet address information to determine whether said security group information should be associated with said another packet; and
  
  means, responsive to an indication that said security group information should be associated with said another packet, for associating said security group information with said another packet, whereinsaid means for associating said security group information with said another packet comprisesmeans for adding said security group information to said another packet.
- View Dependent Claims (12, 13)
- - 12. The apparatus of claim 11, wherein said sending comprises:
    - means for receiving an install message from said first network device at a second network device, whereinsaid install message comprisessaid address information, andsaid security group information, andsaid install message is configured to cause said second network device to create an association between said address information and said security group information.
  - 13. The apparatus of claim 12, further comprising:
    - means for determining whether said security group is valid; and
      
      means, responsive to a determination that said security group is invalid, for awaiting a delete message from said first network device, whereinsaid delete message is configured to cause said second network device to delete said association.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Smith, Michael R., Nemat, Awais B., Fine, Michael
Primary Examiner(s)
Patel, Haresh N

Application Number

US12/788,467
Publication Number

US 20100235544A1
Time in Patent Office

1,433 Days
Field of Search

709/245, 709/246, 709217-228, 726/5, 726/28, 711/118, 713/171, 707/1
US Class Current

709/246
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/104   Grouping of entities

Method and system for the assignment of security group information using a proxy

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for the assignment of security group information using a proxy

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links