Enabling packet handling information in the clear for MACSEC protected frames

US 8,966,240 B2
Filed: 10/05/2011
Issued: 02/24/2015
Est. Priority Date: 10/05/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a network device, unsecured data from a source device to be sent through a network to a destination device;

generating, at the network device, packet handling information from a portion of the unsecured data received from the source device, wherein the packet handling information comprises Quality of Service (QoS) information;

generating, at the network device using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1AE, encrypted payload data from the data received from the source device;

generating a MACSEC security tag;

inserting, at the network device, the encrypted payload data and the MACSEC security tag in an encrypted and authenticated portion of a packet that is to be used to transport the encrypted payload data to a destination device;

appending, at the network device, the packet handling information to the encrypted payload data and the MACSEC security tag, wherein the packet handling information is in an unencrypted and unauthenticated portion of the packet so as to be used by network devices for controlled handling of the packet in the network; and

sending, at the network device, the packet to the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.

27 Citations

View as Search Results

27 Claims

1. A method comprising:
- receiving, at a network device, unsecured data from a source device to be sent through a network to a destination device;
  
  generating, at the network device, packet handling information from a portion of the unsecured data received from the source device, wherein the packet handling information comprises Quality of Service (QoS) information;
  
  generating, at the network device using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1AE, encrypted payload data from the data received from the source device;
  
  generating a MACSEC security tag;
  
  inserting, at the network device, the encrypted payload data and the MACSEC security tag in an encrypted and authenticated portion of a packet that is to be used to transport the encrypted payload data to a destination device;
  
  appending, at the network device, the packet handling information to the encrypted payload data and the MACSEC security tag, wherein the packet handling information is in an unencrypted and unauthenticated portion of the packet so as to be used by network devices for controlled handling of the packet in the network; and
  
  sending, at the network device, the packet to the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein inserting the packet handling information comprises inserting one or more virtual local area network (VLAN) identifiers.
  - 3. The method of claim 1, wherein inserting the packet handling information comprises inserting one or more Multiprotocol Label Switching (MPLS) labels.
  - 4. The method of claim 1, wherein inserting the packet handling information comprises inserting a value into a Priority Code Point field of a virtual local area network (VLAN) tag.
  - 5. The method of claim 4, and further comprising setting a value for the Priority Code Point field in the VLAN tag to indicate a priority level of the packet.
  - 6. The method of claim 1, wherein inserting packet handling information comprises inserting a value for a Traffic Class field in a Multiprotocol Label Switching label header in the unencrypted portion of the packet.
  - 7. The method of claim 1, wherein sending comprises sending to the network that employs emulation of a Layer 2 point-to-point connection-oriented service over a packet-switching network.
  - 8. The method of claim 1, wherein inserting the MACSEC security tag comprises inserting the MACSEC security tag at a position in the packet to be used to transport the data that is determined from one or more of a source address, destination address, encapsulation type, virtual local area network identifier and Multiprotocol Label Switching label.
  - 9. The method of claim 1, wherein inserting the packet handling information comprises inserting data that is relevant to the destination device of the packet.
  - 10. The method of claim 1, wherein inserting the packet handling information comprises inserting data that is useful solely for routing the packet through the network.
  - 11. The method of claim 1, wherein inserting comprises inserting a plurality of different packet handling information for the packet.
  - 12. The method of claim 11, wherein inserting comprises inserting some of the plurality of packet handling information in an authenticated portion of the packet and a remainder of the plurality of packet handling information in an unauthenticated portion of the packet.

13. An apparatus comprising:
- a first computer processing subsystem that;
  
  receives unsecured data from a source device to be sent through a network to a destination device,generates packet handling information from a portion of the unsecured data received from the source device, wherein the packet handling information comprises Quality of Service (QoS) information,inserts the packet handling information in an unencrypted and unauthenticated portion of a packet that is to be used to transport the data received from the source device, wherein the packet handling information enables controlled handling of the packet in the network;
  
  a second computer processing subsystem coupled to the first processing subsystem that generates, using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1AE, encrypted payload data from the data received from the source device, generates a MACSEC security tag, and inserts the encrypted payload data and the MACSEC security tag in an encrypted and authenticated portion of the packet; and
  
  a network interface unit that supplies packets output by the second processing subsystem to the network.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The apparatus of claim 13, wherein the first processing subsystem inserts the packet handling information comprising one or more virtual local area network (VLAN) identifiers.
  - 15. The apparatus of claim 13, wherein the first processing subsystem inserts the packet handling information comprising one or more Multiprotocol Label Switching (MPLS) labels.
  - 16. The apparatus of claim 13, wherein the first processing subsystem inserts packet handling information comprising a value in a Priority Code point field of a virtual local area network (VLAN) tag.
  - 17. The apparatus of claim 13, wherein first processing subsystem inserts packet handling information comprising a value in a Traffic Class field of a Multiprotocol Label Switching label header in the unencrypted portion of the packet.
  - 18. The apparatus of claim 13, wherein the second processing subsystem determines a position in the packet to insert the MACSEC security tag based on one or more of a source address, destination address, encapsulation type, virtual local area network identifier and Multiprotocol Label Switching label.

19. An apparatus comprising:
- a hardware network interface unit to send and receive packets from a network;
  
  a processor coupled to the network interface unit, wherein the processor;
  
  receives unsecured data from a source device to be sent through the network to a destination device;
  
  generates packet handling information from a portion of the unsecured data received from the source device;
  
  generates, using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1AE, encrypted payload data from the data received from the source device;
  
  generates a MACSEC security tag;
  
  inserts the encrypted payload data and the MACSEC security tag in an encrypted and authenticated portion of the packet that is to be used to transport the encrypted payload data to a destination device;
  
  appends the packet handling information to the encrypted payload data and the MACSEC security tag by inserting a value into a Priority Code Point field of a virtual local area network (VLAN) tag, wherein the packet handling information is in an unencrypted and unauthenticated portion of the packet so as to be used by network devices for controlled handling of the packet in the network;
  
  couples the packet to the network interface unit for transmission in the network; and
  
  sets a value for the Priority Code Point field in the VLAN tag to indicate a priority level of the packet.
- View Dependent Claims (20, 21, 22)
- - 20. The apparatus of claim 19, wherein the processor inserts the packet handling information comprising a value for a Traffic Class field in a Multiprotocol Label Switching label header in the unencrypted portion of the packet.
  - 21. The apparatus of claim 19, wherein the processor inserts the packet handling information by inserting one or more virtual local area network (VLAN) identifiers.
  - 22. The apparatus of claim 19, wherein the processor inserts the packet handling information by inserting one or more Multiprotocol Label Switching (MPLS) labels.

23. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and when the software is executed at a single network device that performs connectionless secure communication in accordance with the Media Access Control Security (MACSEC) standard of IEEE 802.1AE and network routing of packets in a network using a tunneling protocol the software:
- receives unsecured data from a source device to be sent through the network to a destination device;
  
  generates packet handling information from a portion of the unsecured data in received from the source device, wherein the packet handling information comprises Quality of Service (Qos) information;
  
  generates, using techniques according to the MACSEC security standard, encrypted payload data from the data received from the source device;
  
  generates a MACSEC security tag;
  
  inserts the encrypted payload data and the MACSEC security tag in an encrypted and authenticated portion of the packet;
  
  appends the packet handling information to the encrypted payload data and the MACSEC security tag, wherein the packet handling information is in an unencrypted and unauthenticated portion of the packet so as to be used by network devices for controlled handling of the packet in the network; and
  
  causes the packet to be sent to the network.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The non-transitory computer readable storage media of claim 23, and further comprising instructions that, when executed, insert the packet handling information following the MACSEC security tag such that both are in an authenticated portion of the packet.
  - 25. The non-transitory computer readable storage media of claim 24, wherein the instructions that determine a position in the packet for inserting the MACSEC security tag utilize one or more of a source address, destination address, encapsulation type, virtual local area network identifier and Multiprotocol Label Switching label.
  - 26. The non-transitory computer readable storage media of claim 23, wherein the instructions operable to insert the packet handling information comprise instructions operable to insert one or more virtual local area network (VLAN) identifiers.
  - 27. The non-transitory computer readable storage media of claim 23, wherein the instructions operable to insert the packet handling information comprise instructions operable to insert one or more Multiprotocol Label Switching (MPLS) labels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Chopra, Rakesh
Primary Examiner(s)
Holder, Bradley
Assistant Examiner(s)
MOHAMMADI, FAHIMEH M

Application Number

US13/253,329
Publication Number

US 20130091349A1
Time in Patent Office

1,238 Days
Field of Search

713150-201, 380/229, 709225-226, 705/67, 370/389, 370/392
US Class Current

713/150
CPC Class Codes

H04L 12/462   LAN interconnection over a ...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/4645   Details on frame tagging ro...

H04L 2209/80   Wireless network architectu...

H04L 45/50   using label swapping, e.g. ...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/162   at the data link layer

H04L 9/32   including means for verifyi...

H04W 12/088   using filters or firewalls

Enabling packet handling information in the clear for MACSEC protected frames

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Enabling packet handling information in the clear for MACSEC protected frames

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links