Enabling packet handling information in the clear for MACSEC protected frames
Abstract
Techniques are provided to append packet handling information “in the clear” ahead of security related information in a packet to be routed over a network to optimize wide area network deployments of security-configured equipment. In one form, at a network device that performs connectionless secure communication and network routing of packets, data is received from a source device to be sent through a network to a destination device. Packet handling information is inserted in a packet that is to be used to transport the data. The packet handling information is configured to enable controlled handling of the packet in the network and is inserted in an unprotected portion of the packet. Encrypted payload data is generated from the data received from the source device. The encrypted payload data and security information are inserted in a protected portion of the packet and the packet is sent to the network.
Claims (27)
1. A method comprising:
receiving, at a network device, unsecured data from a source device to be sent through a network to a destination device;
generating, at the network device, packet handling information from a portion of the unsecured data received from the source device, wherein the packet handling information comprises Quality of Service (QoS) information;
generating, at the network device using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1AE, encrypted payload data from the data received from the source device;
generating a MACSEC security tag;
inserting, at the network device, the encrypted payload data and the MACSEC security tag in an encrypted and authenticated portion of a packet that is to be used to transport the encrypted payload data to a destination device;
appending, at the network device, the packet handling information to the encrypted payload data and the MACSEC security tag, wherein the packet handling information is in an unencrypted and unauthenticated portion of the packet so as to be used by network devices for controlled handling of the packet in the network; and
sending, at the network device, the packet to the network.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.
13. An apparatus comprising:
a first computer processing subsystem that: receives unsecured data from a source device to be sent through a network to a destination device, generates packet handling information from a portion of the unsecured data received from the source device, wherein the packet handling information comprises Quality of Service (QoS) information, and inserts the packet handling information in an unencrypted and unauthenticated portion of a packet that is to be used to transport the data received from the source device, wherein the packet handling information enables controlled handling of the packet in the network;
a second computer processing subsystem coupled to the first processing subsystem that generates, using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1AE, encrypted payload data from the data received from the source device, generates a MACSEC security tag, and inserts the encrypted payload data and the MACSEC security tag in an encrypted and authenticated portion of the packet; and
a network interface unit that supplies packets output by the second processing subsystem to the network.
Dependent claims: 14, 15, 16, 17, 18.
19. An apparatus comprising:
a hardware network interface unit to send and receive packets from a network;
a processor coupled to the network interface unit, wherein the processor:
receives unsecured data from a source device to be sent through the network to a destination device;
generates packet handling information from a portion of the unsecured data received from the source device;
generates, using techniques according to the Media Access Control Security (MACSEC) standard of IEEE 802.1AE, encrypted payload data from the data received from the source device;
generates a MACSEC security tag;
inserts the encrypted payload data and the MACSEC security tag in an encrypted and authenticated portion of the packet that is to be used to transport the encrypted payload data to a destination device;
appends the packet handling information to the encrypted payload data and the MACSEC security tag by inserting a value into a Priority Code Point field of a virtual local area network (VLAN) tag, wherein the packet handling information is in an unencrypted and unauthenticated portion of the packet so as to be used by network devices for controlled handling of the packet in the network;
couples the packet to the network interface unit for transmission in the network; and
sets a value for the Priority Code Point field in the VLAN tag to indicate a priority level of the packet.
Dependent claims: 20, 21, 22.
23. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions, and when the software is executed at a single network device that performs connectionless secure communication in accordance with the Media Access Control Security (MACSEC) standard of IEEE 802.1AE and network routing of packets in a network using a tunneling protocol, the software:
receives unsecured data from a source device to be sent through the network to a destination device;
generates packet handling information from a portion of the unsecured data received from the source device, wherein the packet handling information comprises Quality of Service (QoS) information;
generates, using techniques according to the MACSEC security standard, encrypted payload data from the data received from the source device;
generates a MACSEC security tag;
inserts the encrypted payload data and the MACSEC security tag in an encrypted and authenticated portion of the packet;
appends the packet handling information to the encrypted payload data and the MACSEC security tag, wherein the packet handling information is in an unencrypted and unauthenticated portion of the packet so as to be used by network devices for controlled handling of the packet in the network; and
causes the packet to be sent to the network.
Dependent claims: 24, 25, 26, 27.
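The frame layout the abstract and claims describe (claim 19 names the VLAN Priority Code Point as the in-the-clear QoS field) is modelled below as an added example; it is not code from the patent or from any vendor's MACsec implementation. It builds a frame with DA, SA, an 802.1Q tag, a MACsec SecTAG, the encrypted payload and the ICV, and shows that a forwarding device can read or remark the PCP with no key at all while a bit flip inside the protected region is caught. Assumptions: HMAC-SHA256 in counter mode and a truncated HMAC stand in for the GCM-AES-128 cipher suite so the code runs on the standard library alone; the key, MAC addresses, SCI, VID and PCP values are all constructed. As in IEEE 802.1AE, DA, SA and the SecTAG are covered by the ICV and the payload is encrypted; the 802.1Q tag sits outside the ICV, which is exactly what lets intermediate devices act on it and equally why a receiver must not treat the PCP as integrity-protected.

```python
"""Layout model: MACsec-protected frame with the 802.1Q PCP carried in the clear.

Offsets (bytes):  0 DA(6) | 6 SA(6) | 12 802.1Q tag(4) | 16 SecTAG(16) | 32 ciphertext | -16 ICV
The 802.1Q tag is neither encrypted nor authenticated; DA, SA and SecTAG are
authenticated; the payload is encrypted and authenticated.
"""
import hashlib
import hmac
import struct

ETH_P_8021Q = 0x8100   # IEEE 802.1Q VLAN tag EtherType
ETH_P_MACSEC = 0x88E5  # IEEE 802.1AE MACsec EtherType
SECTAG_LEN = 16        # EtherType(2) + TCI/AN(1) + SL(1) + PN(4) + SCI(8)
ICV_LEN = 16
# TCI/AN byte: V=0, ES=0, SC=1 (SCI present), SCB=0, E=1, C=1, AN=0 -> 0b0010_1100
TCI_AN = 0x2C


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter mode: a stand-in for the GCM-AES-128 keystream (toy, not MACsec)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _icv(key: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Truncated HMAC over the authenticated region: a stand-in for the GCM tag."""
    return hmac.new(key, b"icv" + aad + ciphertext, hashlib.sha256).digest()[:ICV_LEN]


def build_frame(dst: bytes, src: bytes, pcp: int, vid: int, sci: bytes, pn: int,
                payload: bytes, key: bytes) -> bytes:
    """Encrypt the payload, build SecTAG and ICV, and place an unprotected 802.1Q tag ahead of them."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    vlan_tci = (pcp << 13) | (vid & 0x0FFF)                 # DEI bit left clear
    vlan_tag = struct.pack(">HH", ETH_P_8021Q, vlan_tci)
    short_len = len(payload) if len(payload) < 48 else 0    # 802.1AE SL field
    sectag = struct.pack(">HBBI", ETH_P_MACSEC, TCI_AN, short_len, pn) + sci
    nonce = sci + struct.pack(">I", pn)                      # 802.1AE IV is SCI || PN
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    aad = dst + src + sectag                                 # the VLAN tag is deliberately excluded
    return dst + src + vlan_tag + sectag + ciphertext + _icv(key, aad, ciphertext)


def read_pcp(frame: bytes) -> int:
    """A forwarding device's view: the priority, read without any MACsec key."""
    ethertype, vlan_tci = struct.unpack(">HH", frame[12:16])
    if ethertype != ETH_P_8021Q:
        raise ValueError("no 802.1Q tag ahead of the SecTAG")
    return vlan_tci >> 13


def remark_pcp(frame: bytes, new_pcp: int) -> bytes:
    """QoS remarking by an intermediate device: rewrite PCP, keep DEI/VID and the protected part."""
    ethertype, vlan_tci = struct.unpack(">HH", frame[12:16])
    if ethertype != ETH_P_8021Q:
        raise ValueError("no 802.1Q tag ahead of the SecTAG")
    vlan_tci = (new_pcp << 13) | (vlan_tci & 0x1FFF)
    return frame[:12] + struct.pack(">HH", ETH_P_8021Q, vlan_tci) + frame[16:]


def verify_and_decrypt(frame: bytes, key: bytes) -> bytes:
    """Receiving endpoint: check the ICV over DA, SA, SecTAG and ciphertext, then decrypt."""
    dst, src = frame[0:6], frame[6:12]
    sectag = frame[16:16 + SECTAG_LEN]
    ethertype, tci_an, _sl, pn = struct.unpack(">HBBI", sectag[:8])
    if ethertype != ETH_P_MACSEC or not tci_an & 0x20:
        raise ValueError("expected a SecTAG with SCI present")
    ciphertext, icv = frame[16 + SECTAG_LEN:-ICV_LEN], frame[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, dst + src + sectag, ciphertext)):
        raise ValueError("ICV check failed")
    nonce = sectag[8:16] + struct.pack(">I", pn)
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


# Constructed sample values: not a real key, real addresses or real traffic.
SAMPLE_KEY = bytes(range(16))
SAMPLE_DST = bytes.fromhex("0a0000000001")
SAMPLE_SRC = bytes.fromhex("0a0000000002")
SAMPLE_SCI = SAMPLE_SRC + b"\x00\x01"                       # SCI = source MAC || port identifier
SAMPLE_PAYLOAD = b"constructed IP packet payload for the layout demo, " * 2


def demo() -> dict:
    """Build one frame, remark its PCP in the clear, and corrupt one protected byte."""
    frame = build_frame(SAMPLE_DST, SAMPLE_SRC, 5, 100, SAMPLE_SCI, 1, SAMPLE_PAYLOAD, SAMPLE_KEY)
    remarked = remark_pcp(frame, 0)
    tampered = bytearray(frame)
    tampered[40] ^= 0x01                                     # one bit inside the encrypted payload
    try:
        verify_and_decrypt(bytes(tampered), SAMPLE_KEY)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "pcp_in_clear": read_pcp(frame),
        "pcp_after_remark": read_pcp(remarked),
        "remarked_frame_verifies": verify_and_decrypt(remarked, SAMPLE_KEY) == SAMPLE_PAYLOAD,
        "payload_tamper_detected": tamper_detected,
    }
```

Run `demo()` to see the two properties side by side: the remarked frame still passes the ICV check because the PCP lies outside the authenticated region, while the single corrupted payload byte is rejected. The design choice worth noting for a deployment is the first one: whatever handling a transit network applies based on the in-the-clear PCP is based on an unauthenticated field, so QoS trust boundaries and remarking policy belong on the transit devices, not on the MACsec peer.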
Specification