Verifying data plane paths based on a validated secure control plane

US 9,641,430 B2
Filed: 01/22/2014
Issued: 05/02/2017
Est. Priority Date: 01/22/2014
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

sending, from an origin device in a computer network, a plurality of packets along a communication path toward a destination device in the computer network, each packet including a lifespan indicator;

receiving, at the origin device, a plurality of response messages from a plurality of intermediate devices, respectively, each intermediate device being located along the communication path, wherein a response message communicated by an intermediate device when the intermediate device receives a packet of the plurality of packets and the lifespan indicator of the received packet has expired;

determining, by the origin device, a plurality of secure path objects included in the plurality of response messages, respectively, each secure path object defining a path from a corresponding intermediate device to the destination device, in accordance with control plane information associated with the corresponding intermediate device and derived from a BGP-based path attribute;

validating, by the origin device, the plurality of secure path objects based on validation information accessible by the origin device and derived from a Resource Public Key Infrastructure (RPKI) validation server or cache; and

checking, by the origin device, validation results of the plurality of secure path objects to determine whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information, wherein the origin device, the destination device, and the plurality of intermediate devices are each part of a respective autonomous system (AS),wherein when multiple communication paths exist between a first AS and a second AS, the plurality of packets are sent by the origin device such that at least one packet is sent along each of the multiple communication paths, respectively.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a plurality of packets is sent from an origin device along a communication path toward a destination device. Each packet includes a lifespan indicator which is incrementally increased for each subsequently sent packet. A plurality of response messages are received at the origin device from a plurality of intermediate devices, respectively. A plurality of secure path objects included in the plurality of response messages, respectively, is determined. Additionally, the plurality of secure path objects are validated based on validation information accessible by the origin device. Validation results of the plurality of secure path objects are checked to determine whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information.

21 Citations

19 Claims

1. A method, comprising:
- sending, from an origin device in a computer network, a plurality of packets along a communication path toward a destination device in the computer network, each packet including a lifespan indicator;
  
  receiving, at the origin device, a plurality of response messages from a plurality of intermediate devices, respectively, each intermediate device being located along the communication path, wherein a response message communicated by an intermediate device when the intermediate device receives a packet of the plurality of packets and the lifespan indicator of the received packet has expired;
  
  determining, by the origin device, a plurality of secure path objects included in the plurality of response messages, respectively, each secure path object defining a path from a corresponding intermediate device to the destination device, in accordance with control plane information associated with the corresponding intermediate device and derived from a BGP-based path attribute;
  
  validating, by the origin device, the plurality of secure path objects based on validation information accessible by the origin device and derived from a Resource Public Key Infrastructure (RPKI) validation server or cache; and
  
  checking, by the origin device, validation results of the plurality of secure path objects to determine whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information, wherein the origin device, the destination device, and the plurality of intermediate devices are each part of a respective autonomous system (AS),wherein when multiple communication paths exist between a first AS and a second AS, the plurality of packets are sent by the origin device such that at least one packet is sent along each of the multiple communication paths, respectively.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as in claim 1, further comprising:
    - tracking the validation results of the plurality of secure path objects with respect to each of the multiple communication paths.
  - 3. The method as in claim 1, wherein each of the plurality of packets is encoded with information related to the topology of the computer network.
  - 4. The method as in claim 1, wherein each of the plurality of intermediate devices is a forwarding device.
  - 5. The method as in claim 1, wherein each of the plurality of intermediate devices is configured according to a border gateway protocol (BGP).
  - 6. The method as in claim 1, wherein a first subset of the plurality of intermediate devices is configured according to a border gateway protocol (BGP), and a second subset of the plurality of intermediate devices is not configured according to BGP.
  - 7. The method as in claim 6, further comprising:
    - sending a query to the intermediate devices of the second subset to request identification of those intermediate devices.
  - 8. The method as in claim 1, wherein the lifespan indicator is a time-to-live (TTL) attribute or a hop limit attribute.
  - 9. The method as in claim 1, further comprising:
    - storing the validation results of the plurality of secure path objects in a storage device.
  - 10. The method as in claim 1, wherein the checking of the validation results of the plurality of secure path objects occurs in a reverse order from an order in which each response message is received.
  - 11. The method as in claim 1, further comprising:
    - receiving, at the origin device, a response message from the destination device indicating that a packet of the plurality of packets has been received at the destination device, wherein the sending of the plurality of packets ceases upon receiving the response message from the destination device.

12. An apparatus, comprising:
- one or more network interfaces that communicate with a computer network;
  
  a processor coupled to the one or more network interfaces and configured to execute a process; and
  
  a memory configured to store program instructions which contain the process executable by the processor, the process comprising;
  
  sending, as an origin device in the computer network, a plurality of packets along a communication path toward a destination device in the computer network, each packet including a lifespan indicator which is incrementally increased for each subsequently sent packet;
  
  receiving a plurality of response messages from a plurality of intermediate devices, respectively, each intermediate device being located along the communication path between the origin device and the destination device, wherein a response message is received from an intermediate device when the intermediate device receives a packet of the plurality of packets and the lifespan indicator of the received packet has expired;
  
  determining a plurality of secure path objects included in the plurality of response messages, respectively, each secure path object defining a hop-by-hop path from a corresponding intermediate device to the destination device, in accordance with control plane information associated with the corresponding intermediate device, wherein the secure path object is a dump of a control secure option of the corresponding intermediate device and derived from a BGP-based path attribute;
  
  validating the plurality of secure path objects based on validation information accessible by the origin device and derived from a Resource Public Key Infrastructure (RPKI) validation server or cache; and
  
  verifying whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information, based on validation results of the plurality of secure path objects, wherein the origin device, the destination device, and the plurality of intermediate devices are each part of a respective autonomous system (AS),wherein when multiple communication paths exist between a first AS and a second AS, the plurality of packets are sent by the origin device such that at least one packet is sent along each of the multiple communication paths, respectively.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The apparatus as in claim 12, wherein the process further comprises:
    - tracking the validation results of the plurality of secure path objects with respect to each of the multiple communication paths.
  - 14. The apparatus as in claim 12, wherein each of the plurality of packets is encoded with information related to the topology of the computer network.
  - 15. The apparatus as in claim 12, wherein each of the plurality of intermediate devices is configured according to a border gateway protocol (BGP).
  - 16. The apparatus as in claim 12, wherein a first subset of the plurality of intermediate devices is configured according to a border gateway protocol (BGP), and a second subset of the plurality of intermediate devices is not configured according to BGP.
  - 17. The apparatus as in claim 16, wherein the process further comprises:
    - sending a query to the intermediate devices of the second subset to request identification of those intermediate devices.
  - 18. The apparatus as in claim 12, wherein the lifespan indicator is a time-to-live (TTL) attribute or a hop limit attribute.

19. A tangible, non-transitory, computer-readable media having software encoded thereon, the software when executed by a processor operable to perform a process comprising:
- sending, as an origin device in the computer network, a plurality of packets along a communication path toward a destination device in the computer network, each packet including a lifespan indicator which is incrementally increased for each subsequently sent packet;
  
  receiving a plurality of response messages from a plurality of intermediate devices, respectively, each intermediate device being located along the communication path between the origin device and the destination device, wherein a response message is received from an intermediate device when the intermediate device receives a packet of the plurality of packets and the lifespan indicator of the received packet has expired;
  
  determining a plurality of secure path objects included in the plurality of response messages, respectively, each secure path object defining a hop-by-hop path from a corresponding intermediate device to the destination device, in accordance with control plane information associated with the corresponding intermediate device, wherein the secure path object is a dump of a control secure option of the corresponding intermediate device and derived from a BGP-based path attribute;
  
  validating the plurality of secure path objects based on validation information accessible by the origin device and derived from a Resource Public Key Infrastructure (RPKI) validation server or cache; and
  
  verifying whether a packet that is sent from the origin device and received by the destination device travels along a particular communication path as dictated by control plane information, based on validation results of the plurality of secure path objects, wherein the origin device, the destination device, and the plurality of intermediate devices are each part of a respective autonomous system (AS),wherein when multiple communication paths exist between a first AS and a second AS, the plurality of packets are sent by the origin device such that at least one packet is sent along each of the multiple communication paths, respectively.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gagliano, Roque, Retana, Alvaro E., Patel, Keyur P., Pignataro, Carlos M.
Primary Examiner(s)
Cho, Un C
Assistant Examiner(s)
RAHMAN, SHAH M

Application Number

US14/160,736
Publication Number

US 20150207728A1
Time in Patent Office

1,196 Days
Field of Search

370254, 370410
US Class Current
CPC Class Codes

H04L 41/12   Discovery or management of ...

H04L 43/10   Active monitoring, e.g. hea...

H04L 45/04   Interdomain routing, e.g. h...

H04L 45/44   Distributed routing

H04L 9/3265   using certificate chains, t...

Verifying data plane paths based on a validated secure control plane

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Verifying data plane paths based on a validated secure control plane

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links