Dynamic group creation and traffic flow registration under a group in a group key infrastructure

US 9,009,302 B2
Filed: 02/21/2012
Issued: 04/14/2015
Est. Priority Date: 02/21/2012
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a registration request to dynamically register a traffic flow, whereinthe registration request is sent from a registration node,the registration request is received at a key server policy manager,the key server policy manager and the registration node are communicatively coupled via a network, andthe registration request comprises a group identifier (ID);

determining whether to accept the registration request; and

performing the registration request, in response to a determination to accept the registration request, wherein the performing the registration request comprisesdetermining whether the group ID identifies a new security group that does not presently exist in the network, andin response to determining that the group ID identifies the new security group that does not presently exist in the network, creating the new security group identified by the group ID.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Upon detection of a new traffic flow, a registration node can dynamically register the new traffic flow with a key server policy manager by sending a registration request on behalf of the new traffic flow. A registration request indicates the new traffic flow should be protected by a security group. A registration request may also include a request to dynamically generate a new security group to protect the traffic flow. The registration request is received by a key server policy manager, which performs authentication and authorization checks of the requesting registration node, and determines whether to accept or reject the registration request. If accepted, the key server policy manager registers the new traffic flow by including a description of the traffic flow in a group policy of an existing security group or a newly created security group, depending on the registration request.

25 Citations

View as Search Results

21 Claims

1. A method, comprising:
- receiving a registration request to dynamically register a traffic flow, whereinthe registration request is sent from a registration node,the registration request is received at a key server policy manager,the key server policy manager and the registration node are communicatively coupled via a network, andthe registration request comprises a group identifier (ID);
  
  determining whether to accept the registration request; and
  
  performing the registration request, in response to a determination to accept the registration request, wherein the performing the registration request comprisesdetermining whether the group ID identifies a new security group that does not presently exist in the network, andin response to determining that the group ID identifies the new security group that does not presently exist in the network, creating the new security group identified by the group ID.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, whereinthe registration request comprises a traffic flow identifier,the traffic flow identifier identifies the traffic flow, andthe registration request indicates that the new security group should protect the traffic flow.
  - 3. The method of claim 1, wherein the determining whether to accept the registration request is based on administrative decisions implemented in an encryption scheme that is implemented in the network.
  - 4. The method of claim 1, wherein the performing the registration request further comprises:
    - generating a new group policy for the new security group, whereinthe new group policy protects the traffic flow, andthe creating the new security group comprisesstoring the new group policy in a new entry in a group policy data store.
  - 5. The method of claim 4, further comprising:
    - registering the registration node as a default group member of the new security group, subsequent to the performing the registration request; and
      
      publishing the new group policy to one or more group members of the new security group, subsequent to the performing the registration request.
  - 6. The method of claim 1, further comprising:
    - authenticating the registration node using a registration node identifier; and
      
      verifying authorization of the registration node to make the registration request.

7. A method, comprising:
- detecting a new traffic flow at a registration node, whereinthe new traffic flow is identified by a new traffic flow identifier (ID), andthe new traffic flow ID does not match any traffic flow IDs present in existing group policies configured at the registration node; and
  
  sending a registration request to a key server policy manager, whereinthe registration request comprisesa request to dynamically register the new traffic flow,the new traffic flow identifier, anda group ID that identifies a security group that should protect the new traffic flow.
- View Dependent Claims (8, 9, 21)
- - 8. The method of claim 7, further comprising:
    - receiving an acknowledgement from the key server policy manger, whereinthe acknowledgement indicates acceptance or rejection of the registration request.
  - 9. The method of claim 7, further comprising:
    - receiving publication of a group policy, wherein the group policy comprises the new traffic flow identifier; and
      
      refreshing the group policy, wherein the refreshing renews an expiration period associated with the group policy.
  - 21. The method of claim 7, whereinthe registration node and the key server policy manager are communicatively coupled via a network, andthe group ID identifies one ofa new security group that does not presently exist in the network, andan existing security group.

10. A system comprising:
- one or more processors; and
  
  one or more memories coupled to the one or more processors and configured tostore instructions executable by the one or more processors, the instructions configured to implementa policy manager configured toreceive a registration request to dynamically register a traffic flow, whereinthe registration request is sent from a registration node,the policy manager and the registration node are communicatively coupled via a network, andthe registration request comprises a group identifier (ID),determine whether to accept the registration request, andperform the registration request, in response to a determination to accept the registration request, wherein the policy manager is further configured todetermine whether the group ID identifies a new security group that does not presently exist in the network, andin response to a determination that the group ID identifies the new security group that does not presently exist in the network, create the new security group identified by the group ID.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, whereinthe registration request comprises a traffic flow identifier,the traffic flow identifier identifies the traffic flow, andthe registration request indicates that the new security group should protect the traffic flow.
  - 12. The system of claim 10, whereinthe policy manager is further configured to accept the registration request based on administrative decisions implemented in an encryption scheme that is implemented in the network.
  - 13. The system of claim 10, whereinthe policy manager is further configured togenerate a new group policy for the new security group, whereinthe new group policy protects the traffic flow, andstore the new group policy in a new entry in a group policy data store.
  - 14. The system of claim 13, wherein the instructions are further configured to implementa key server configured toregister the registration node as a default group member of the new security group, subsequent to performance of the registration request, andpublish the new group policy to one or more group members of the new security group, subsequent to performance of the registration request.
  - 15. The system of claim 10, whereinthe policy manager is further configured toauthenticate the registration node using a registration node identifier, andverify authorization of the registration node to make the registration request.
  - 16. The system of claim 10, wherein the instructions are further configured to implementa registration node module configured todetect a new traffic flow, whereinthe new traffic flow is identified by a new traffic flow identifier (ID), andthe new traffic flow ID does not match any traffic flow IDs present in existing group policies configured at the registration node;
    - andsend the registration request to the policy manager, whereinthe registration request comprisesthe traffic flow identifier, andthe group ID.
  - 17. The system of claim 16, whereinthe registration node module is further configured toreceive an acknowledgement from the policy manger, whereinthe acknowledgement indicates acceptance or rejection of the registration request.
  - 18. The system of claim 16, whereinthe registration node module is further configured toreceive publication of a group policy, wherein the group policy comprises the new traffic flow identifier;
    - andrefresh the group policy, wherein the refreshing renews an expiration period associated with the group policy.

19. An apparatus comprising:
- a line card configured to receive a registration request to dynamically register a traffic flow, whereinthe registration request is sent from a registration node,the registration node and the line card are communicatively coupled via a network, andthe registration request comprises a group identifier (ID); and
  
  a control module coupled to the line card, the control module configured todetermine whether to accept the registration request, andperform the registration request, in response to a determination to accept the registration request, wherein the control module is further configured todetermine whether the group ID identifies a new security group that does not presently exist in the network, andin response to a determination that the group ID identifies the new security group that does not presently exist in the network, create the new security group identified by the group ID.

20. An apparatus comprising:
- a line card configured to receive packets; and
  
  a control module coupled to the line card, the control module configured todetect packets of a new traffic flow, whereinthe new traffic flow is identified by a new traffic flow identifier (ID), andthe new traffic flow ID does not match any traffic flow IDs present in existing group policies configured at a registration node, andsend a registration request to a key server policy manager, whereinthe registration request comprisesa request to dynamically register the new traffic flow,the new traffic flow identifier, anda group identifier (ID) that identifies a security group that should protect the new traffic flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Detienne, Frederic R. P., Sethi, Pratima, Wijnands, Ijsbrand
Primary Examiner(s)
KIM, EDWARD J

Application Number

US13/400,841
Publication Number

US 20130219035A1
Time in Patent Office

1,148 Days
Field of Search

709/223, 709/224, 709/225, 709/230, 709/232, 709/237, 709/231
US Class Current

709/224
CPC Class Codes

H04L 63/065   for group communications cr...

H04L 9/0833   involving conference or gro...

H04L 9/3268   using certificate validatio...

Dynamic group creation and traffic flow registration under a group in a group key infrastructure

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Dynamic group creation and traffic flow registration under a group in a group key infrastructure

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others