Reduced authentication times in constrained computer networks

US 8,984,277 B2
Filed: 09/28/2012
Issued: 03/17/2015
Est. Priority Date: 09/28/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

monitoring an authentication time for one or more nodes in a low power and lossy network (LLN);

dynamically correlating the authentication time with a location of the one or more nodes in the LLN to identify one or more authentication-delayed nodes;

selecting, based on the location of the one or more authentication-delayed nodes, one or more key-delegation nodes to receive one or more network keys for localized authentication of one or more of the authentication-delayed nodes;

distributing the one or more network keys to the one or more key-delegation nodes; and

authenticating one or more authentication delayed nodes via the one or more key delegation nodes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a capable node in a low power and lossy network (LLN) may monitor the authentication time for one or more nodes in the LLN. The capable node may dynamically correlate the authentication time with the location of the one or more nodes in the LLN in order to identify one or more authentication-delayed nodes. The node may then select, based on the location of the one or more authentication-delayed nodes, one or more key-delegation nodes to receive one or more network keys so that the key-delegation nodes may perform localized authentication of one or more of the authentication-delayed nodes. The capable node may then distribute the one or more network keys to the one or more key-delegation nodes.

Citations

13 Claims

1. A method, comprising:
- monitoring an authentication time for one or more nodes in a low power and lossy network (LLN);
  
  dynamically correlating the authentication time with a location of the one or more nodes in the LLN to identify one or more authentication-delayed nodes;
  
  selecting, based on the location of the one or more authentication-delayed nodes, one or more key-delegation nodes to receive one or more network keys for localized authentication of one or more of the authentication-delayed nodes;
  
  distributing the one or more network keys to the one or more key-delegation nodes; and
  
  authenticating one or more authentication delayed nodes via the one or more key delegation nodes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as in claim 1, wherein authenticating further comprises:
    - receiving an authentication request from the one or more authentication-delayed nodes;
      
      forwarding, over a backhaul connection, the authentication request to an authentication server for authentication;
      
      receiving, over the backhaul connection, an authentication result from the authentication server; and
      
      forwarding the authentication result to the one or more key-delegation nodes.
  - 3. The method as in claim 2, further comprising:
    - determining that the backhaul connection is disrupted; and
      
      in response,dynamically buffering, for a period of time, the authentication request from the one or more authentication-delayed nodes; and
      
      forwarding the authentication request when the backhaul connection is restored.
  - 4. The method as in claim 3, wherein the period of time is proportional to the location of the one or more authentication-delayed nodes in the LLN.
  - 5. The method as in claim 3, further comprising:
    - communicating to the one or more authentication-delayed nodes that the authentication request has been dynamically buffered to prevent the one or more authentication-delayed nodes from re-transmitting a new authentication request.
  - 6. The method as in claim 1, further comprising:
    - limiting a number of authentication-delayed nodes to which a particular key-delegation node is allowed to distribute the network key.
  - 7. The method as in claim 1, wherein the location is measured as a number of hops the authentication request must travel between the authentication-delayed node and a backhaul connection to the LLN.
  - 8. The method as in claim 1, further comprising:
    - communicating a migration message to the one or more authentication-delayed nodes, the migration message instructing the one or more authentication-delayed nodes to seek and join an alternate network if available.
  - 9. The method as in claim 8, wherein communicating the migration message to the one or more authentication-delayed nodes is in response to a backhaul parameter, the backhaul parameter selected from a group consisting of:
    - backhaul connection duration per unit of time, average duration of backhaul connection, number of failed authentication requests, and number of pending authentication requests.

10. An apparatus, comprising:
- one or more network interfaces to communicate with a low power and lossy network (LLN); and
  
  a processor coupled to the network interfaces and adapted to execute one or more processes;
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  monitor an authentication time for one or more nodes in a low power and lossy network (LLN);
  
  dynamically correlate the authentication time with a location of the one or more nodes in the LLN to identify one or more authentication-delayed nodes;
  
  select, based on the location of the one or more authentication-delayed nodes, one or more key-delegation nodes to receive one or more network keys for localized authentication of one or more of the authentication-delayed nodes;
  
  distribute the one or more network keys to the one or more key-delegation nodes; and
  
  authenticating one or more authentication delayed nodes via the one or more key delegation nodes.
- View Dependent Claims (11, 12, 13)
- - 11. The apparatus as in claim 10, wherein the process of authenticating when executed is further operable to:
    - receive an authentication request from the one or more authentication-delayed nodes;
      
      forward, over a backhaul connection, the authentication request to an authentication server for authentication;
      
      receive, over the backhaul connection, an authentication result from the authentication server; and
      
      forward the authentication result to the one or more key-delegation nodes.
  - 12. The apparatus as in claim 11, wherein the process when executed is further operable to:
    - determine that the backhaul connection is disrupted; and
      
      in response,dynamically buffer, for a period of time, the authentication request from the one or more authentication-delayed nodes; and
      
      forward the authentication request when the backhaul connection is restored.
  - 13. The apparatus as in claim 12, wherein the process when executed is further operable to:
    - communicate to the one or more authentication-delayed nodes that the authentication request has been dynamically buffered to prevent the one or more authentication-delayed nodes from re-transmitting a new authentication request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Dasgupta, Sukrit, Vasseur, Jean-Philippe
Primary Examiner(s)
Patel, Nirav B
Assistant Examiner(s)
Waliullah, Mohammed

Application Number

US13/631,106
Publication Number

US 20140095864A1
Time in Patent Office

900 Days
Field of Search

None
US Class Current

713/155
CPC Class Codes

H04L 45/64   using an overlay routing layer

H04L 47/2475   for supporting traffic char...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 67/12   specially adapted for propr...

Reduced authentication times in constrained computer networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Reduced authentication times in constrained computer networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links