Two factor authentication of ICR transport and payload for interchassis redundancy

US 9,319,222 B2
Filed: 04/08/2014
Issued: 04/19/2016
Est. Priority Date: 04/08/2014
Status: Expired due to Fees

First Claim

Patent Images

1. A method in a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, the method comprising:

in response to determining to transmit an ICR message to the second network device, generating the ICR message by;

generating an application header and application data,generating a first authentication digest based on the application header and the application data, wherein the first authentication digest is used by the second network device to perform a first level authentication of the ICR message,generating a second authentication digest based on an Internet Protocol (IP) header and a common header, wherein the second authentication digest is used by the second network device to perform a second level authentication of the ICR message, andincluding the first authentication digest and the second authentication digest in the ICR message;

transmitting the ICR message that includes the first authentication digest, the second authentication digest, the application header, and the application data to the second network device;

performing, by the second network device, the first level authentication by generating a third authentication digest and comparing the third authentication digest against the first authentication digest received in the ICR message; and

if the first level authentication is successful, performing, by the second network device, the second level authentication by generating a fourth authentication digest and comparing the fourth authentication digest against the second authentication digest received in the ICR message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exemplary methods for performing authentication by a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, includes in response to determining to transmit an ICR message to the second network device, generating the ICR message by generating a first and second authentication digest. In one embodiment, the methods include encrypting a payload of the ICR message, and transmitting the ICR message that includes the first and second authentication digest to the second network device. In another aspect of the invention, the methods include receiving an ICR message from the second network device and performing a first level authentication of the received ICR message. The methods further include in response to determining the first level authentication is successful, performing a second level authentication of the received ICR message.

8 Citations

33 Claims

1. A method in a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, the method comprising:
- in response to determining to transmit an ICR message to the second network device, generating the ICR message by;
  
  generating an application header and application data,generating a first authentication digest based on the application header and the application data, wherein the first authentication digest is used by the second network device to perform a first level authentication of the ICR message,generating a second authentication digest based on an Internet Protocol (IP) header and a common header, wherein the second authentication digest is used by the second network device to perform a second level authentication of the ICR message, andincluding the first authentication digest and the second authentication digest in the ICR message;
  
  transmitting the ICR message that includes the first authentication digest, the second authentication digest, the application header, and the application data to the second network device;
  
  performing, by the second network device, the first level authentication by generating a third authentication digest and comparing the third authentication digest against the first authentication digest received in the ICR message; and
  
  if the first level authentication is successful, performing, by the second network device, the second level authentication by generating a fourth authentication digest and comparing the fourth authentication digest against the second authentication digest received in the ICR message.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein generating the first authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key, the application header included in the ICR message, and the application data included in the ICR message.
  - 3. The method of claim 1, wherein generating the second authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key, the IP header included in the ICR message, and the common header included in the ICR message.
  - 4. The method of claim 1, wherein generating the ICR message further comprises encrypting die application data of the ICR message, and wherein the transmitted ICR message includes the encrypted application data.
  - 5. The method of claim 1, wherein the first authentication digest and the second authentication digest are contiguously located in the ICR message.
  - 6. The method of claim 1, wherein the first authentication digest and the second authentication digest are different in size.

7. A first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, the first network device comprising:
- a set of one or more processors; and
  
  a non-transitory machine-readable storage medium containing instructions, which when executed by the set of one or more processors, cause the first network device to;
  
  in response to determining to transmit an ICR message to the second network device;
  
  generate an application header and application data,generate a first authentication digest based on the application header and the application data, wherein the first authentication digest is used by the second network device to perform a first level authentication of the ICR message,generate a second authentication digest based on an Internet Protocol (IP) header and a common header, wherein the second authentication digest is used by the second network device to perform a second level authentication of the ICR message, and include the first authentication digest and the second authentication digest in the ICR message; and
  
  transmit the ICR message that includes the first authentication digest, the second authentication digest, the application header, and the application data to the second network device, wherein the second network device performs the first level authentication by generating a third authentication digest and comparing the third authentication digest against the first authentication digest received in the ICR message, and if the first level authentication is successful, the second network device performs the second level authentication by generating a fourth authentication digest and comparing the fourth authentication digest against the second authentication digest received in the ICR message.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The first network device of claim 7, wherein generating the first authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key, the application header included in the ICR message, and the application data included in the ICR message.
  - 9. The first network device of claim 7, wherein generating the second authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key, the IP header included in the ICR message, and the common header included in the ICR message.
  - 10. The first network device of claim 7, wherein generating the ICR message further comprises encrypting the application data of the ICR message, and wherein the transmitted ICR message includes the encrypted application data.
  - 11. The first network device of claim 7, wherein the first authentication digest and the second authentication digest are contiguously located in the ICR message.
  - 12. The first network device of claim 7, wherein the first authentication digest and the second authentication digest are different in size.

13. A non-transitory computer-readable medium having computer instructions stored therein, which when executed by a processor of a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, cause the processor to perform operations comprising:
- in response to determining to transmit an ICR message to the second network device, generating the ICR message by;
  
  generating an application header and application data,generating a first authentication digest based on the application header and the application data, wherein the first authentication digest is used by the second network device to perform a first level authentication of the ICR message,generating a second authentication digest based on an Internet Protocol (IP) header and a common header, wherein the second authentication digest is used by the second network device to perform a second level authentication of the ICR message, andincluding the first authentication digest and the second authentication digest in the ICR message;
  
  transmitting the ICR message that includes the first authentication digest, the second authentication digest, the application header, and the application data to the second network device;
  
  performing, by the second network device, the first level authentication by generating a third authentication digest and comparing the third authentication digest against the first authentication digest received in the ICR message; and
  
  if the first level authentication is successful, performing, by the second network device, the second level authentication by generating a fourth authentication digest and comparing the fourth authentication digest against the second authentication digest received in the ICR message.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer-readable medium of claim 13, wherein generating the first authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key, the application header included in the ICR message, and the application data included in the ICR message.
  - 15. The non-transitory computer-readable medium of claim 13, wherein generating the second authentication digest comprises applying a hash-based message authentication code (HMAC) function to a key, the IP header included in the ICR message, and the common header included in the ICR message.
  - 16. The non-transitory computer-readable medium of claim 13, wherein generating the ICR message further comprises encrypting the application data of the ICR message, and wherein the transmitted ICR message includes the encrypted application data.
  - 17. The non-transitory computer-readable medium of claim 13, wherein the first authentication digest and the second authentication digest are contiguously located in the ICR message.
  - 18. The non-transitory computer-readable medium of claim 13, wherein the first authentication digest and the second authentication digest are different in size.

19. A method in a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, the method comprising:
- receiving an ICR message from the second network device;
  
  performing a first level authentication of the received ICR message based on a first authentication digest included in the received ICR message, wherein the first level authentication uses an Internet Protocol (IP) header included in the received ICR message and a common header included in the received ICR message;
  
  in response to determining the first level authentication is successful, performing a second level authentication of the received ICR message based on a second authentication digest included in the received ICR message, wherein the second level authentication uses an application header included in the received ICR message and application data in the received ICR message;
  
  in response to determining the first level authentication is successful, processing the ICR message based on the application header and application data in the ICR message;
  
  wherein performing the first level authentication comprises generating a third authentication digest and comparing the third authentication digest against the first authentication digest received in the ICR message; and
  
  wherein performing the second level authentication comprises generating a fourth authentication digest and comparing the fourth authentication digest against the second authentication digest received in the ICR message.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19, wherein performing the first level authentication of the received ICR message comprises:
    - generating the third authentication digest by applying a hash-based message authentication code (HMAC) function to a key, the IP header included in the received ICR message, and the common header included in the received ICR message; and
      
      comparing the generated third authentication digest against the first authentication digest included in the received ICR message, wherein the first level authentication of the ICR message is successful if the generated third authentication digest matches the first authentication digest included in the received ICR message.
  - 21. The method of claim 19, wherein performing the second level authentication of the received ICR message comprises:
    - generating fourth authentication digest by applying a hash-based message authentication code (HMAC) function to a key, the application header included in the received ICR message, and the application data included in the received ICR message; and
      
      comparing the generated fourth authentication digest against the second authentication digest included in the received ICR message, wherein the second level authentication of the ICR message is successful if the generated fourth authentication digest matches the second authentication digest included in the received ICR message.
  - 22. The method of claim 19, further comprising decrypting the application data included in the received ICR message.
  - 23. The method of claim 19, wherein the first level authentication and the second level authentication of the received ICR message are performed in a distributed manner.

24. A first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, the first network device comprising:
- a set of one or more processors; and
  
  a non-transitory machine-readable storage medium containing instructions, which when executed by the set of one or more processors, cause the first network device toreceive an ICR message from the second network device;
  
  perform a first level authentication of the received ICR message based on a first authentication digest included in the received ICR message, wherein the first level authentication uses an Internet Protocol (IP) header included in the received ICR message and a common header included in the received ICR message;
  
  in response to determining the first level authentication is successful, perform a second level authentication of the received ICR message based on a second authentication digest included in the received ICR message, wherein the second level authentication uses an application header included in the received ICR message and application data in the received ICR message;
  
  in response to determining the first level authentication is successful, processing the ICR message based on the application header and application data in the ICR message;
  
  wherein performing the first level authentication comprises generating a third authentication digest and comparing the third authentication digest against the first authentication digest received in the ICR message; and
  
  wherein performing the second level authentication comprises generating a fourth authentication digest and comparing the fourth authentication digest against the second authentication digest received in the ICR message.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The first network device of claim 24, wherein performing the first level authentication of the received ICR message comprises:
    - generating the third authentication digest by applying a hash-based message authentication code (HMAC) function to a key, the IP header included in the received ICR message, and the common header included in the received ICR message; and
      
      comparing the generated third authentication digest against the first authentication digest included in the received ICR message, wherein the first level authentication of the ICR message is successful if the generated third authentication digest matches the first authentication digest included in the received ICR message.
  - 26. The first network device of claim 24, wherein performing the second level authentication of the received ICR message comprises:
    - generating the fourth authentication digest by applying a hash-based message authentication code (HMAC) function to a key, the application header included in the received ICR message, and the application data included in the received ICR message; and
      
      comparing the generated fourth authentication digest against the second authentication digest included in the received ICR message, wherein the second level authentication of the ICR message is successful if the generated fourth authentication digest matches the second authentication digest included in the received ICR message.
  - 27. The first network device of claim 24, wherein the instructions further cause the first network device to decrypt the application data included in the received ICR message.
  - 28. The first network device of claim 24, wherein the first level authentication and the second level authentication of the received ICR message are performed in a distributed manner.

29. A non-transitory computer-readable medium having computer instructions stored therein, which when executed by a processor of a first network device of an inter-chassis redundancy (ICR) system, the ICR system comprising the first network device communicatively coupled to a second network device of the ICR system, cause the processor to perform operations comprising:
- receiving an ICR message from the second network device;
  
  performing a first level authentication of the received ICR message based on a first authentication digest included in the received ICR message, wherein the first level authentication uses an Internet Protocol (IP) header included in the received ICR message and a common header included in the received ICR message;
  
  in response to determining the first level authentication is successful, performing a second level authentication of the received ICR message based on a second authentication digest included in the received ICR message, wherein the second level authentication uses an application header included in the received ICR message and application data in the received ICR message; and
  
  in response to determining the first level authentication is successful, processing the ICR message based on the application header and application data in the ICR message;
  
  wherein performing the first level authentication comprises generating a third authentication digest and comparing the third authentication digest against the first authentication digest received in the ICR message; and
  
  wherein performing the second level authentication comprises generating a fourth authentication digest and comparing the fourth authentication digest against the second authentication digest received in the ICR message.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The non-transitory computer-readable medium of claim 29, wherein performing the first level authentication of the received ICR message comprises:
    - generating the third authentication digest by applying a hash-based message authentication code (HMAC) function to a key, the IP header included in the received ICR message, and the common header included in the received ICR message; and
      
      comparing the generated third authentication digest against the first authentication digest included in the received ICR message, wherein the first level authentication of the ICR message is successful if the generated third authentication digest matches the first authentication digest included in the received ICR message.
  - 31. The non-transitory computer-readable medium of claim 29, wherein performing the second level authentication of the received ICR message comprises:
    - generating the fourth authentication digest by applying a hash-based message authentication code (HMAC) function to a key, an application header included in the received ICR message, and application data included in the received ICR message; and
      
      comparing the generated fourth authentication digest against the second authentication digest included in the received ICR message, wherein the second level authentication of the ICR message is successful if the generated fourth authentication digest matches the second authentication digest included in the received ICR message.
  - 32. The non-transitory computer-readable medium of claim 29, further comprising decrypting the application data included in the received ICR message.
  - 33. The non-transitory computer-readable medium of claim 29, wherein the first level authentication and the second level authentication of the received ICR message are performed in a distributed manner.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Pal, Yogendra
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
PLECHA, THADDEUS J

Application Number

US14/247,518
Publication Number

US 20150288690A1
Time in Patent Office

742 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/64   Protecting data integrity, ...

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 63/123   received data contents, e.g...

H04L 9/3242   involving keyed hash functi...

Two factor authentication of ICR transport and payload for interchassis redundancy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Two factor authentication of ICR transport and payload for interchassis redundancy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links