Anti-replay mechanism for group virtual private networks

US 9,246,876 B1
Filed: 11/17/2011
Issued: 01/26/2016
Est. Priority Date: 10/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, with a first virtual private network (VPN) device from a second VPN device, a packet having an encryption header, wherein the first and the second VPN devices are members of a group VPN having a plurality of VPN devices, wherein the encryption header comprises an encapsulating security payload header having a sequence number field, wherein the sequence number field comprises thirty-two sequential bits and only includes a first portion that specifies a group VPN member identifier and a second portion that specifies a sequence number, wherein the first portion of the sequence number field comprises a first five bits of the sequence number field and immediately precedes the second portion of the sequence number field, wherein the second portion of the sequence number field comprises twenty-seven bits immediately following the first five bits of the sequence number field, and wherein the group VPN member identifier is associated with the second VPN device;

identifying a window of sequence numbers maintained by the first VPN device for the second VPN device based on the group VPN member identifier, wherein the window of sequence numbers defines a range of sequence numbers;

determining whether the specified sequence number of the header is included in the window of sequence numbers; and

responsive to determining that the specified sequence number of the header is included in the window of sequence numbers;

determining, with the first VPN device, whether the specified sequence number was previously received by the first VPN device;

when the specified sequence number was not previously received, accepting the packet and marking the specified sequence number as received; and

when the specified sequence number was previously received, dropping the packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtual private network (VPN) device is described that provides a strict anti-replay mechanism for packets in a group VPN. An example first VPN device includes one or more processors, one or more network interfaces configured to receive a packet having an encryption header that includes a group VPN member identifier association with a second VPN device and a sequence number, wherein the first and second VPN devices are members of a group VPN, a data repository configured to store a window of sequence numbers maintained by the first VPN device for the second VPN device, and a VPN session management module operable by the one or more processors to identify the window of sequence numbers based on the group VPN member identifier, determine whether the sequence number of the header is included in the window of sequence numbers, and process the packet based on the determination.

44 Citations

View as Search Results

17 Claims

1. A method comprising:
- receiving, with a first virtual private network (VPN) device from a second VPN device, a packet having an encryption header, wherein the first and the second VPN devices are members of a group VPN having a plurality of VPN devices, wherein the encryption header comprises an encapsulating security payload header having a sequence number field, wherein the sequence number field comprises thirty-two sequential bits and only includes a first portion that specifies a group VPN member identifier and a second portion that specifies a sequence number, wherein the first portion of the sequence number field comprises a first five bits of the sequence number field and immediately precedes the second portion of the sequence number field, wherein the second portion of the sequence number field comprises twenty-seven bits immediately following the first five bits of the sequence number field, and wherein the group VPN member identifier is associated with the second VPN device;
  
  identifying a window of sequence numbers maintained by the first VPN device for the second VPN device based on the group VPN member identifier, wherein the window of sequence numbers defines a range of sequence numbers;
  
  determining whether the specified sequence number of the header is included in the window of sequence numbers; and
  
  responsive to determining that the specified sequence number of the header is included in the window of sequence numbers;
  
  determining, with the first VPN device, whether the specified sequence number was previously received by the first VPN device;
  
  when the specified sequence number was not previously received, accepting the packet and marking the specified sequence number as received; and
  
  when the specified sequence number was previously received, dropping the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving, with the first VPN device from a VPN key server of the group VPN, a message, wherein the message includes a unique group VPN member identifier that identifies each VPN device of the plurality of VPN devices as members of the group VPN; and
      
      initiating a different sequence number window for each member of the group VPN, wherein each of the different sequence number windows is associated with the respective member VPN device by at least the unique group VPN member identifier of the respective member VPN device.
  - 3. The method of claim 1, further comprising:
    - receiving, from a VPN key server of the group VPN, a rekey message; and
      
      resetting the sequence number window to an initial value based on the rekey message.
  - 4. The method of claim 1, further comprising:
    - determining that a highest value of the sequence number window has reached a maximum value; and
      
      sending, to a VPN key server of the group VPN, a rekey request.
  - 5. The method of claim 1, further comprising:
    - maintaining a plurality of sequence number windows, wherein each sequence number window of the plurality of sequence number windows is associated with one of the plurality of VPN devices.
  - 6. The method of claim 1, further comprising:
    - when the specified sequence number is determined to be lower than the window of sequence numbers, dropping the packet.
  - 7. The method of claim 1, further comprising:
    - when the specified sequence number is determined to be higher than the window of sequence numbers, adjusting the window of sequence numbers to include the specified sequence number of the packet header.
  - 8. The method of claim 7, wherein adjusting the window of sequence numbers comprises:
    - calculating an amount of difference between a highest sequence number of the window of sequence numbers and the specified sequence number of the header;
      
      increasing a lowest sequence number of the window of sequence number by the calculated amount of difference; and
      
      setting the highest sequence number of the window of sequence numbers to be equal to the specified sequence number of the header.

9. A first virtual private network (VPN) device comprising:
- one or more processors;
  
  one or more network interfaces configured to receive a packet having an encryption header from a second VPN device, wherein the first and the second VPN devices are members of a group VPN having a plurality of VPN devices, wherein the encryption header comprises an encapsulating security payload header having a sequence number field, wherein the sequence number field comprises thirty-two sequential bits and only includes a first portion that specifies a group VPN member identifier and a second portion that specifies a sequence number, wherein the first portion of the sequence number field comprises a first five bits of the sequence number field and immediately precedes the second portion of the sequence number field, wherein the second portion of the sequence number field comprises twenty-seven bits immediately following the first five bits of the sequence number field, and wherein the group VPN member identifier is associated with the second VPN device; and
  
  a memory configured to store a data repository and a VPN session management module,wherein the data repository is configured to store a window of sequence numbers maintained by the first VPN device for the second VPN device, andwherein the VPN session management module is operable by the one or more processors to identify the window of sequence numbers based on the group VPN member identifier, wherein the window of sequence numbers defines a range of sequence numbers, determine whether the specified sequence number of the header is included in the window of sequence numbers, and, responsive to determining that the specified sequence number of the header is included in the window of sequence numbers;
  
  determine whether the specified sequence number was previously received by the first VPN device, when the specified sequence number was not previously received, accepting the packet and marking the specified sequence number as received, and when the specified sequence number was previously received, drop the packet.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The first VPN device of claim 9,wherein the one or more network interfaces is configured to receive, from a VPN key server of the group VPN, a message, wherein the message includes a unique group VPN member identifier that identifies each VPN device of the plurality of VPN devices as members of the group VPN, andwherein the VPN session management module is operable by the one or more processors to store, in the data repository, a different sequence number window for each member of the group VPN, wherein each of the different sequence number windows is associated with the respective member VPN device by at least the unique group VPN member identifier of the respective member VPN device.
  - 11. The first VPN device of claim 9,wherein the one or more network interfaces is configured to receive, from a VPN key server of the group VPN, a rekey message, andwherein the VPN session management module is operable by the one or more processors to reset the sequence number window to an initial value based on the rekey message.
  - 12. The first VPN device of claim 9,wherein the VPN session management module is operable by the one or more processors to determine that a highest value of the sequence number window has reached a maximum value, andwherein the one or more network interfaces is configured to send, to a VPN key server of the group VPN, a rekey request.
  - 13. The first VPN device of claim 9, wherein the VPN session management module is operable by the one or more processors to maintain a plurality of sequence number windows stored in the data repository, wherein each sequence number window of the plurality of sequence number windows is associated with one of the plurality of VPN devices.
  - 14. The first VPN device of claim 9, wherein the VPN session management module is operable by the one or more processors to drop the packet when the specified sequence number is determined to be lower than the window of sequence numbers.
  - 15. The first VPN device of claim 9, wherein the VPN session management module is operable by the one or more processors to adjust the window of sequence numbers to include the specified sequence number of the packet header when the specified sequence number is determined to be higher than the window of sequence numbers.
  - 16. The first VPN device of claim 15, wherein the VPN session management module is operable by the one or more processors to calculate an amount of difference between a highest sequence number of the window of sequence numbers and the sequence number of the header, adjust the window of sequence numbers by at least being operable to increase a lowest sequence number of the window of sequence number by the calculated amount of difference, and set the highest sequence number of the window of sequence numbers to be equal to the sequence number of the header.

17. A computer-readable storage medium encoded with instructions that, when executed, cause one or more programmable processors of a first virtual private network (VPN) device to:
- receive a packet having an encryption header from a second VPN device, wherein the first and the second VPN devices are members of a group VPN having a plurality of VPN devices, wherein the encryption header comprises an security payload header having a sequence number field, wherein the sequence number field comprises thirty-two sequential bits and only includes a first portion that specifies a group VPN member identifier and a second portion that specifies a sequence number, wherein the first portion of the sequence number field comprises a first five bits of the sequence number field and immediately precedes the second portion of the sequence number field, wherein the second portion of the sequence number field comprises twenty-seven bits immediately following the first five bits of the sequence number field, and wherein the group VPN member identifier is associated with the second VPN device;
  
  identify a window of sequence numbers maintained by the first VPN device for the second VPN device based on the group VPN member identifier, wherein the window of sequence numbers defines a range of sequence numbers;
  
  determine whether the specified sequence number of the header is included in the window of sequence numbers; and
  
  responsive to determining that the specified sequence number of the header is included in the window of sequence numbers;
  
  determine whether the specified sequence number was previously received by the first VPN device;
  
  when the specified sequence number was not previously received, accept the packet and marking the specified sequence number as received; and
  
  when the specified sequence number was previously received, drop the packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Melam, Nagavenkata Suresh, Gupta, Mukesh
Primary Examiner(s)
Abyaneh, Ali
Assistant Examiner(s)
Victoria, Narciso

Application Number

US13/298,951
Time in Patent Office

1,531 Days
Field of Search

726/15
US Class Current

1/1
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/104   Grouping of entities

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 67/14   Session management for real...

Anti-replay mechanism for group virtual private networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

44 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Anti-replay mechanism for group virtual private networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links