Apparatus and Method for Using Certificate Data to Route Data

US 20160277446A1
Filed: 03/17/2015
Published: 09/22/2016
Est. Priority Date: 03/17/2015
Status: Active Grant

First Claim

Patent Images

1. A method of routing data across a network, the method comprising:

receiving a session request from a client node to access at least one node in a local network having a plurality of nodes;

receiving a client certificate from the client node, the client certificate having client information specifying at least one node to receive packets from the client node;

executing an authentication process using the client certificate;

retrieving the client information from the client certificate; and

if the authentication process authenticates the client node, routing data packets received from the client node to at least one node in the local network as specified by the client information in the client certificate.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of routing data across a network receives a session request from a client node to access at least one node in a local network having a plurality of nodes. The method also receives a client certificate (e.g., a digital certificate at least partially specified by known standards, such as the “X509 Standard”) from the client node. The client certificate has client information specifying at least one node to receive packets from the client node. Next, the method uses the client certificate to execute an authentication process. If the authentication process authenticates the client node, then the method routes data packets from the client node to at least one node in the local network as specified by the client information in the client certificate.

10 Citations

View as Search Results

39 Claims

1. A method of routing data across a network, the method comprising:
- receiving a session request from a client node to access at least one node in a local network having a plurality of nodes;
  
  receiving a client certificate from the client node, the client certificate having client information specifying at least one node to receive packets from the client node;
  
  executing an authentication process using the client certificate;
  
  retrieving the client information from the client certificate; and
  
  if the authentication process authenticates the client node, routing data packets received from the client node to at least one node in the local network as specified by the client information in the client certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method as defined by claim 1 further comprising rejecting the client node if the authentication process does not authenticate the client node.
  - 3. The method as defined by claim 2 wherein rejecting comprises blocking packets of the client node from access to other nodes in the local network.
  - 4. The method as defined by claim 1 wherein the client information comprises identifying information identifying the client node.
  - 5. The method as defined by claim 1 wherein routing data packets comprises:
    - using the client information to determine the identity of the at least one node in the local network to receive the data packets from the client node; and
      
      routing data packets from the client node to the identified at least one node.
  - 6. The method as defined by claim 5 wherein routing permits access to the at least one node by the client node if authenticated, the client information including policy information for enabling a set of privileges for the client node when accessing the at least one node in the local network.
  - 7. The method as defined by claim 1 wherein the client information includes a) identifying information identifying the client node, b) policy information for enabling a set of privileges for the client node when accessing the at least one node in the local network, or c) both (a) and (b).
  - 8. The method as defined by claim 7 wherein routing data packets comprises routing data packets as specified by one or both identifying information and the policy information.
  - 9. The method as defined by claim 1 wherein the local network includes an edge router, the edge router executing at least one of receiving a session request, receiving a client certificate, retrieving, and routing.
  - 10. The method as defined by claim 1 wherein the at least one node comprises an application server and the local network includes a local area network.
  - 11. The method as defined by claim 1 wherein a receiving node in the local network receives the session request, the method further comprising maintaining a static connection between the receiving node and the at least one node in the local network, routing comprising routing data packets from the client along the static connection.
  - 12. The method as defined by claim 11 wherein handshake processes are not performed between the client node and the at least one node in the local network during the session.
  - 13. The method as defined by claim 1 further comprising:
    - permitting initial handshake processes between the client node and the at least one node before receiving the certificate; and
      
      permitting completion of final handshake processes between the client node and at least one node if the authentication process authenticates the client node.
  - 14. The method as defined by claim 1 wherein executing an authentication process comprises receiving a login ID and password for a guest user, and confirming the login ID and password are valid for access in the local network.
  - 15. The method as defined by claim 14 further comprising determining a client device identifier that identifies the client node device, and using the client device identifier and the client certificate to execute the authentication process.
  - 16. The method as defined by claim 15 wherein the client device identifier comprises a MAC address.

17. A network routing device for routing data received across a network, the network device comprising:
- an interface for receiving a) a session request from a client node to access at least one node in a local network having a plurality of nodes, and b) a client certificate from the client node, the client certificate having client information specifying at least one node to receive packets from the client node;
  
  an authenticator operatively coupled with the interface, the authenticator being configured to retrieve the client certificate and execute an authentication process using the client certificate; and
  
  a router operatively coupled with the authenticator, the router being configured to determine, from the authenticator, if the authentication process authenticated the client node, the router further being configured to route data packets received from the client node to at least one node in the local network as specified by the client information in the client certificate if the client node is authenticated.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The network routing device as defined by claim 17 wherein the client information comprises identifying information identifying the client node.
  - 19. The network routing device as defined by claim 17 wherein the router is configured to use the client information to determine the identity of the at least one node in the local network to receive the data packets from the client node, the router further being configured to route client data packets from the client node to the identified at least one node.
  - 20. The network routing device as defined by claim 19 wherein the router is configured to permit access to the at least one node by the client node if authenticated, the client information including policy information for enabling a set of privileges for the client node when accessing the at least one node in the local network.
  - 21. The network routing device as defined by claim 17 wherein the client information includes a) identifying information identifying the client node, b) policy information for enabling a set of privileges for the client node when accessing the at least one node in the local network, or c) both (a) and (b).
  - 22. The network routing device as defined by claim 21 wherein the router is configured to route data packets as specified by one or both identifying information and the policy information.
  - 23. The networking device as defined by claim 17 wherein the router is configured as an edge router for the local network.

24. A computer program product for use on a computer system for routing data across a network, the computer program product comprising a tangible, non-transient computer usable medium having computer readable program code thereon, the computer readable program code comprising:
- program code for receiving a session request from a client node to access at least one node in a local network having a plurality of nodes;
  
  program code for receiving a client certificate from the client node, the client certificate having client information specifying at least one node to receive packets from the client node;
  
  program code for executing an authentication process using the client certificate;
  
  program code for retrieving the client information from the client certificate; and
  
  program code for routing data packets received from the client node to at least one node in the local network as specified by the client information in the client certificate if the authentication process authenticates the client node.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 25. The computer program product as defined by claim 24 further comprising program code for rejecting the client node if the authentication process cannot authenticate the client node.
  - 26. The computer program product as defined by claim 25 wherein the program code for rejecting comprises program code for blocking packets of the client node from access to other nodes in the local network.
  - 27. The computer program product as defined by claim 24 wherein the client information comprises identifying information identifying the client node.
  - 28. The computer program product as defined by claim 24 wherein the program code for routing data packets comprises:
    - program code for using the client information to determine the identity of the at least one node in the local network to receive the data packets from the client node; and
      
      program code for routing data packets from the client node to the identified at least one node.
  - 29. The computer program product as defined by claim 28 wherein the program code for routing permits access to the at least one node by the client node if authenticated, the client information including policy information for enabling a set of privileges for the client node when accessing the at least one node in the local network.
  - 30. The computer program product as defined by claim 24 wherein the client information includes a) identifying information identifying the client node, b) policy information for enabling a set of privileges for the client node when accessing the at least one node in the local network, or c) both (a) and (b).
  - 31. The computer program product as defined by claim 30 wherein the program code for routing data packets comprises program code for routing data packets as specified by one or both identifying information and the policy information.
  - 32. The computer program product as defined by claim 24 wherein the local network includes an edge router, the edge executing at least one of the program code for receiving a session request, the program code for receiving a client certificate, the program code for retrieving, and the program code for routing.
  - 33. The computer program product as defined by claim 24 wherein the at least one node comprises an application server and the local network includes a local area network.
  - 34. The computer program product as defined by claim 24 wherein a receiving node in the local network receives the session request, the computer program product further comprising program code for maintaining a static connection between the receiving node and the at least one node in the local network, the program code for routing comprising program code for routing data packets from the client along the static connection.
  - 35. The computer program product as defined by claim 34 wherein handshake processes are not performed between the client node and the at least one node in the local network during the session.
  - 36. The computer program product as defined by claim 24 further comprising:
    - program code for permitting initial handshake processes between the client node and the at least one node before receiving the certificate; and
      
      program code for permitting completion of final handshake processes between the client node and at least one node if the authentication process authenticates the client node.

37. A method of routing data across a network, the method comprising:
- receiving a session request from a client node to access at least one node in a local network having a plurality of nodes;
  
  receiving a client certificate from the client node, the client certificate having client information specifying at least one node to receive packets from the client node;
  
  retrieving the client information from the client certificate; and
  
  facilitating at least limited access to the at least one node based on the client information in the client certificate.
- View Dependent Claims (38, 39)
- - 38. The method as defined by claim 37 wherein the client information includes policy information.
  - 39. The method as defined by claim 38 wherein the at least one node has an associated set of access privileges, facilitating at least limited access comprising permitting the client node at least one of the associated set of access privileges.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
128 Technology, Inc. (Juniper Networks Incorporated)
Original Assignee
128 Technology, Inc. (Juniper Networks Incorporated)
Inventors
MeLampy, Patrick, Kumar, Prashant, Timmons, Patrick

Granted Patent

US 9,736,184 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 45/74   Address processing for routing

H04L 63/02   for separating internal fro...

H04L 63/0823   using certificates cryptogr...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Apparatus and Method for Using Certificate Data to Route Data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and Method for Using Certificate Data to Route Data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links