Method and system for including network security information in a frame

US 9,461,979 B2
Filed: 10/11/2013
Issued: 10/04/2016
Est. Priority Date: 11/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an authentication request at an authentication server, whereinthe authentication server is configured to receive the authentication request from a network device by virtue of comprising a network interface configured to be communicatively coupled to the network device,the authentication request comprisesan identifier, andthe identifier is configured to identify an entity requesting authentication via the network device;

authenticating the entity, whereinthe authenticating comprisesdetermining network security information for the entity, wherein the determining uses the identifier,the network security information comprises a user group identifier,the user group identifier is configured to be used to maintain security of a network to which the network device is communicatively coupled, by virtue of being configured to be included in a secure portion of a frame, andthe secure portion of the frame is secured using frame security information of the frame; and

sending a response to the network device via the network interface, whereinthe response comprisesthe network security information.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for including network security information in a frame is disclosed. Network security information is included in a secure portion of overhead of a frame. The network security information is configured to facilitate network security. A network device configured to process a frame is also disclosed. The frame includes frame security information and network security information. The frame security information is configured to facilitate securing a portion of overhead of the frame, and the network security information is located in the secure portion of the overhead of the frame and is configured to facilitate network security.

97 Citations

20 Claims

1. A method comprising:
- receiving an authentication request at an authentication server, whereinthe authentication server is configured to receive the authentication request from a network device by virtue of comprising a network interface configured to be communicatively coupled to the network device,the authentication request comprisesan identifier, andthe identifier is configured to identify an entity requesting authentication via the network device;
  
  authenticating the entity, whereinthe authenticating comprisesdetermining network security information for the entity, wherein the determining uses the identifier,the network security information comprises a user group identifier,the user group identifier is configured to be used to maintain security of a network to which the network device is communicatively coupled, by virtue of being configured to be included in a secure portion of a frame, andthe secure portion of the frame is secured using frame security information of the frame; and
  
  sending a response to the network device via the network interface, whereinthe response comprisesthe network security information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - including the network security information in the frame, whereinthe entity is a host computer,the frame is sourced by the host computer, andthe host computer is communicatively coupled to the network device.
  - 3. The method of claim 2, whereinthe network security information is included in the secure portion of the frame by virtue of being included in a first portion of the frame, whereinthe first portion is within an overhead portion of the frame.
  - 4. The method of claim 1, whereinthe network security information is determined based on a result of accessing a forwarding table.
  - 5. The method of claim 1, whereinthe entity is one of a user or a host computer.
  - 6. The method of claim 1, whereinthe authentication request further comprisesthe entity is a host computer, andan address of the host computer, andthe method further comprisesassigning the network security information to a combination of the address and the identifier.
  - 7. The method of claim 6, further comprising:
    - receiving the frame at thenetwork device;
      
      accessing forwarding information, whereinthe forwarding information is stored at the network device, andthe forwarding information comprisesthe network security information,the address, andthe identifier; and
      
      determining that the network security information is to be associated with the frame, whereinthe network security information is determined based on a result of the accessing.
  - 8. The method of claim 7, whereinthe forwarding information is a forwarding table,the accessing comprisessearching a plurality of entries of the forwarding table, andidentifying an entry of the entries, andthe entry comprises the network security information.
  - 9. The method of claim 6, further comprising:
    - authenticating the combination of the address and the identifier, wherein the identifier is a logical network identifier; and
      
      retrieving the network security information using the combination of the address and the identifier.
  - 10. The method of claim 9, further comprising:
    - determining the frame security information, whereinthe frame security information is configured to facilitate security of an overhead portion of the frame,the overhead portion of the frame comprises the network security information, andthe frame security information is configured to prevent access to the overhead portion of the frame.
  - 11. The method of claim 10, whereinthe address is a media access control (MAC) address,the logical network identifier is a virtual local area network (VLAN) identifier,the combination of the address and the identifier identifies the entity as being coupled to a port of the network device,the network security information is retrieved from a host computer, andthe assigning assigns the network security information to a combination of the MAC address and the VLAN identifier.
  - 12. The method of claim 10, further comprising:
    - including the network security information in the frame, whereinthe network security information is included in the overhead portion of the frame; and
      
      including the frame security information in the frame.
  - 13. The method of claim 12, further comprising:
    - sending the frame with the network security information to another network device, whereinthe another network device is comprised in or coupled to the network.
  - 14. The method of claim 13, further comprising:
    - processing the frame byaccessing the network security information; and
      
      determining network access permitted to the frame, whereinthe network access permitted to the frame is determined by accessing security policies for the frame, andthe security policies for the frame are defined in a user group permissions list associated with the network security information of the frame.

15. A computer networking system comprising:
- an authentication server, comprisinga processor,a network interface, coupled to the processor,a non-transitory computer-readable storage medium, coupled to the processor, anda plurality of instructions, encoded in the non-transitory computer-readable storage medium and configured to cause the processor toreceive an authentication request at an authentication server, wherein
  
  the authentication server is configured to receive the authentication request from a network device by virtue of comprising a network interface configured to be communicatively coupled to the network device,
  
  the authentication request comprisesan identifier, and
  
  the identifier is configured to identify an entity requesting authentication via the network device,authenticate the entity, wherein
  
  the authenticating comprisesdetermining network security information for the entity, wherein
  
  the determining uses the identifier,
  
  the network security information comprises a user group identifier,
  
  the user group identifier is configured to be used to maintain security of a network to which the network device is communicatively coupled, by virtue of being configured to be included in a secure portion of a frame, and
  
  the secure portion of the frame is secured using frame security information of the frame, andsend a response to the network device via the network interface, wherein
  
  the response comprisesthe network security information.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer networking system of claim 15, whereinthe authentication request further comprisesthe entity is a host computer, andan address of the host computer, andthe plurality of instructions is further configured to cause the processor toassign the network security information to a combination of the address and the identifier.
  - 17. The computer networking system of claim 16, wherein the plurality of instructions is further configured to cause the processor to:
    - receive the frame at the network device;
      
      access forwarding information, whereinthe forwarding information is stored at the network device, andthe forwarding information comprisesthe network security information,the address, andthe identifier; and
      
      determine that the network security information is to be associated with the frame, whereinthe network security information is determined based on a result of the accessing.
  - 18. The computer networking system of claim 16, wherein the plurality of instructions is further configured to cause the processor to:
    - authenticate the combination of the address and the identifier, wherein the identifier is a logical network identifier; and
      
      retrieve the network security information using the combination of the address and the identifier.
  - 19. The computer networking system of claim 18, further comprising:
    - determining the frame security information, whereinthe frame security information is configured to facilitate security of an overhead portion of the frame,the overhead portion of the frame comprises the network security information, andthe frame security information is configured to prevent access to the overhead portion of the frame.

20. A computer program product comprising:
- a plurality of instructions, comprisinga first set of instructions, executable on a network device, configured to receive an authentication request at an authentication server, whereinthe authentication server is configured to receive the authentication request from a network device by virtue of comprising a network interface configured to be communicatively coupled to the network device,the authentication request comprisesan identifier, andthe identifier is configured to identify an entity requesting authentication via the network device,a second set of instructions, executable on the network device, configured to authenticate the entity, whereinthe authenticating comprisesdetermining network security information for the entity, wherein the determining uses the identifier,
  
  the network security information comprises a user group identifier,
  
  the user group identifier is configured to be used to maintain security of a network to which the network device is communicatively coupled, by virtue of being configured to be included in a secure portion of a frame, and
  
  the secure portion of the frame is secured using frame security information of the frame,a third set of instructions, executable on the network device, configured to send a response to the network device via the network interface, whereinthe response comprises
  
  the network security information; and
  
  a non-transitory computer-readable storage medium, wherein the instructions are encoded in the non-transitory computer-readable storage medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Finn, Norman W., Smith, Michael R.
Primary Examiner(s)
SHEHNI, GHAZAL B

Application Number

US14/051,854
Publication Number

US 20150106896A1
Time in Patent Office

1,089 Days
Field of Search

713155-159
US Class Current

1/1
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/104 Grouping of entities

Method and system for including network security information in a frame

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

97 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Method and system for including network security information in a frame

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others