Authentication for software defined networks

US 9,038,151 B1
Filed: 03/15/2013
Issued: 05/19/2015
Est. Priority Date: 09/20/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

programming, by a controller device for a software defined network (SDN), interconnected network devices forming the SDN to identify and forward packets to the controller device when the packets include credentials from client devices in accordance with a public key infrastructure (PKI)-based authentication protocol;

receiving, by the controller device, a packet including credentials from one of the client devices in accordance with the PKI-based authentication protocol via one of the network devices forming the SDN;

determining, by the controller device, one or more policies that are applicable to the one of the client devices based on the received credentials; and

programming, by the controller device, one or more of the network devices of the SDN to enforce the determined policies on a per-packet-flow basis for packet flows including the one of the client devices.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one example, a controller device for a software defined network (SDN) includes one or more network interfaces configured to communicate with network devices of the SDN, and one or more processors configured to receive credentials from a client device in accordance with a public key infrastructure (PKI)-based authentication protocol, determine one or more policies that are applicable to the client device based on the received credentials, and program network devices of the SDN to enforce the determined policies on a per-packet-flow basis for packet flows including the client device.

Citations

19 Claims

1. A method comprising:
- programming, by a controller device for a software defined network (SDN), interconnected network devices forming the SDN to identify and forward packets to the controller device when the packets include credentials from client devices in accordance with a public key infrastructure (PKI)-based authentication protocol;
  
  receiving, by the controller device, a packet including credentials from one of the client devices in accordance with the PKI-based authentication protocol via one of the network devices forming the SDN;
  
  determining, by the controller device, one or more policies that are applicable to the one of the client devices based on the received credentials; and
  
  programming, by the controller device, one or more of the network devices of the SDN to enforce the determined policies on a per-packet-flow basis for packet flows including the one of the client devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the PKI-based authentication protocol comprises 802.1X.
  - 3. The method of claim 2, wherein receiving the credentials comprises terminating an 802.1X session after receiving the credentials via the 802.1X session.
  - 4. The method of claim 1, wherein programming the network devices to enforce the determined policies on a per-packet-flow basis comprises programming the network devices to enforce the determined policies based on at least one of a user identity, an identity of the client device, an application being executed by the one of the client devices associated with one of the packet flows, time of day, and a geographic location of the one of the client devices.
  - 5. The method of claim 4, further comprising determining the geographic location of the one of the client devices based on at least one of an Internet protocol (IP) address of the client device, global positioning system (GPS) information for the client device, and domain name service (DNS) information for the one of the client devices.
  - 6. The method of claim 1, further comprising performing deep packet inspection of one or more packets of a packet flow that includes the one of the client devices in accordance with the determined policies.
  - 7. The method of claim 1, wherein programming the network devices to identify and forward packets comprises programming the network devices to identify Extensible Authentication Protocol (EAP) over Local Area Network (EAPOL) packets and forward the EAPOL packets to the controller device.

8. A controller device for a software defined network (SDN), the controller device comprising:
- one or more network interfaces configured to communicate with interconnected network devices forming the SDN; and
  
  one or more processors configured to program the network devices forming the SDN to identify and forward packets to the controller device when the packets include credentials from client devices in accordance with a public key infrastructure (PKI)-based authentication protocol, receive a packet including credentials from one of the client devices in accordance with the PKI-based authentication protocol via one of the network devices forming the SDN, determine one or more policies that are applicable to the one of the client devices based on the received credentials, and program one or more of the network devices of the SDN to enforce the determined policies on a per-packet-flow basis for packet flows including the one of the client devices.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The controller device of claim 8, wherein the PKI-based authentication protocol comprises 802.1X.
  - 10. The controller device of claim 9, wherein the one or more processors are further configured to terminate an 802.1X session after receiving the credentials via the 802.1X session.
  - 11. The controller device of claim 8, wherein the one or more processors are further configured to program the network devices to enforce the determined policies based on at least one of a user identity, a device identity, an application being executed by the one of the client devices associated with one of the packet flows, time of day, and a geographic location of the one of the client devices.
  - 12. The controller device of claim 11, wherein the one or more processors are further configured to determine the geographic location of the one of the client devices based on at least one of an Internet protocol (IP) address of the client device, global positioning system (GPS) information for the client device, and domain name service (DNS) information for the one of the client devices.
  - 13. The controller device of claim 8, wherein the one or more processors are further configured to perform deep packet inspection of one or more packets of a packet flow that includes the one of the client devices in accordance with the determined policies.

14. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed, cause a processor of a controller device for a software defined network (SDN) to:
- program interconnected network devices forming the SDN to identify and forward packets to the controller device when the packets include credentials from client devices in accordance with a public key infrastructure (PKI)-based authentication protocol;
  
  receive a packet including credentials from one of the client devices in accordance with the PKI-based authentication protocol via one of the network devices forming the SDN;
  
  determine one or more policies that are applicable to the one of the client devices based on the received credentials; and
  
  program network devices of the SDN to enforce the determined policies on a per-packet-flow basis for packet flows including the one of the client devices.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the PKI-based authentication protocol comprises 802.1X.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the instructions that cause the processor to receive the credentials comprise instructions that cause the processor to terminate an 802.1X session after receiving the credentials via the 802.1X session.
  - 17. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the processor to program the network devices to enforce the determined policies on a per-packet-flow basis comprise instructions that cause the processor to program the network devices to enforce the determined policies based on at least one of a user identity, a device identity, an application being executed by the one of the client devices associated with one of the packet flows, time of day, and a geographic location of the one of the client devices.
  - 18. The non-transitory computer-readable storage medium of claim 17, further comprising instructions that cause the processor to determine the geographic location of the one of the client devices based on at least one of an Internet protocol (IP) address of the client device, global positioning system (GPS) information for the client device, and domain name service (DNS) information for the one of the client devices.
  - 19. The non-transitory computer-readable storage medium of claim 14, further comprising instructions that cause the processor to perform deep packet inspection of one or more packets of a packet flow that includes the one of the client devices in accordance with the determined policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Wiretap Ventures, LLC
Inventors
Palmer, Matthew, Pearce, Andrew Keith, Chua, Roy Liang
Primary Examiner(s)
Henning, Matthew

Application Number

US13/842,264
Time in Patent Office

795 Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/31   User authentication

H04L 41/0668   by dynamic selection of rec...

H04L 45/00   Routing or path finding of ...

H04L 45/02   Topology update or discovery

H04L 45/036   Updating the topology betwe...

H04L 45/22   Alternate routing

H04L 45/28   using route fault recovery

H04L 45/38   Flow based routing

H04L 45/42   Centralised routing

H04L 45/64   using an overlay routing layer

H04L 47/10   Flow control; Congestion co...

H04L 47/11   Identifying congestion

H04L 49/15   Interconnection of switchin...

H04L 63/02   for separating internal fro...

H04L 63/0209   Architectural arrangements,...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/107   wherein the security polici...

H04L 63/20   for managing network securi...

H04L 67/63   Routing a service request d...

H04W 12/069 : using certificates or pre-s...

View All

Authentication for software defined networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication for software defined networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links