Method and apparatus for distributing group data in a tunneled encrypted virtual private network
First Claim
1. A method, comprising:
receiving a packet from a sender at a data communication device, wherein the packet is to be multicast to a plurality of destinations;
identifying a multicast security association related to the packet based, at least in part, on a data stream associated with the packet and security information shared between the data communications device and the plurality of destinations;
in response to determining that the security association related to the packet is shared between the data communications device and the plurality of destinations;
    creating a secure packet by applying the security association to the packet using a group key that is shared between the data communications device and the plurality of destinations;
    replicating the secured packet into a plurality of replicated secured packets;
    for one of the replicated secured packets destined to a particular destination of a multicast group;
        appending, to that one of the replicated secured packets, a new header having a sender address location and a particular destination address location;
        transmitting that one of the replicated secured packets to the particular destination;
in response to determining that the security association related to the packet is shared between the data communications device and a particular destination but not the plurality of destinations;
    for the particular destination;
        applying the security association to a copy of the packet using a pair-wise key that is shared between the data communications device and the particular destination to create a secured packet;
        appending, to the secured packet, a new header having a sender address location and a particular destination location;
        transmitting the secured packet to the particular destination, where the particular destination is a member of the multicast group;
wherein the method is performed by the data communication device.
Abstract
A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an “encrypt then replicate” method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device and the plurality of destinations to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.
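The two branches of the abstract and of claim 1 (encrypt once with the group key and then replicate, versus a separate pair-wise encryption per copy when no group security association covers every destination), as an added illustration that is not code from the patent. The cipher is a labelled stand-in (HMAC-SHA256 keystream plus a truncated HMAC tag), not IPsec ESP, and the key material and host names are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample key material; a real deployment would obtain it from key management.
GROUP_KEY = os.urandom(32)
PAIRWISE_KEYS = {"host-b": os.urandom(32), "host-c": os.urandom(32), "host-d": os.urandom(32)}


@dataclass(frozen=True)
class SecurityAssociation:
    key: bytes
    members: frozenset  # destinations that hold this key
    is_group: bool      # True: one shared group key; False: pair-wise key


def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def protect(sa, payload):
    """Stand-in for ESP: per-packet nonce, keystream XOR, 16-byte MAC (toy, not IPsec)."""
    nonce = os.urandom(12)
    ct = bytes(p ^ s for p, s in zip(payload, _keystream(sa.key, nonce, len(payload))))
    tag = hmac.new(sa.key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unprotect(sa, secured):
    """Receiver side: verify the MAC before decrypting; return None on failure."""
    nonce, ct, tag = secured[:12], secured[12:-16], secured[-16:]
    expected = hmac.new(sa.key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(sa.key, nonce, len(ct))))


def forward_multicast(sender, destinations, payload, group_sa, pairwise_sas):
    """Return (frames, protect_calls); each frame is ((src, dst), secured_body)."""
    frames, calls = [], 0
    if group_sa is not None and group_sa.members >= frozenset(destinations):
        secured = protect(group_sa, payload)   # encrypt once with the shared group key ...
        calls += 1
        for dst in destinations:                # ... then replicate and address each copy
            frames.append(((sender, dst), secured))
    else:
        for dst in destinations:                # no SA shared by all: pair-wise key per copy
            frames.append(((sender, dst), protect(pairwise_sas[dst], payload)))
            calls += 1
    return frames, calls
```

The returned `protect_calls` count is the point of the method: it stays at one for the group branch however many destinations there are, and grows with the destination count only in the pair-wise fallback.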
12 Claims
1. A method, comprising:
receiving a packet from a sender at a data communication device, wherein the packet is to be multicast to a plurality of destinations;
identifying a multicast security association related to the packet based, at least in part, on a data stream associated with the packet and security information shared between the data communications device and the plurality of destinations;
in response to determining that the security association related to the packet is shared between the data communications device and the plurality of destinations;
    creating a secure packet by applying the security association to the packet using a group key that is shared between the data communications device and the plurality of destinations;
    replicating the secured packet into a plurality of replicated secured packets;
    for one of the replicated secured packets destined to a particular destination of a multicast group;
        appending, to that one of the replicated secured packets, a new header having a sender address location and a particular destination address location;
        transmitting that one of the replicated secured packets to the particular destination;
in response to determining that the security association related to the packet is shared between the data communications device and a particular destination but not the plurality of destinations;
    for the particular destination;
        applying the security association to a copy of the packet using a pair-wise key that is shared between the data communications device and the particular destination to create a secured packet;
        appending, to the secured packet, a new header having a sender address location and a particular destination location;
        transmitting the secured packet to the particular destination, where the particular destination is a member of the multicast group;
wherein the method is performed by the data communication device.
Dependent claims 2 to 6 depend on claim 1; of these, only the following limitation is shown on the page:
applying the shared encryption information to encrypt the packet once regardless of the number of destinations to which the packet is transmitted.
7. A computer-readable medium encoded with instructions, which when executed on a processor, cause the processor to perform:
receiving a packet from a sender at a data communication device, wherein the packet is to be multicast to a plurality of destinations;
identifying a multicast security association related to the packet based, at least in part, on a data stream associated with the packet and security information shared between the data communications device and the plurality of destinations;
in response to determining that the security association related to the packet is shared between the data communications device and the plurality of destinations;
    creating a secure packet by applying the security association to the packet using a group key that is shared between the data communications device and the plurality of destinations;
    replicating the secured packet into a plurality of replicated secured packets;
    for one of the replicated secured packets destined to a particular destination of a multicast group;
        appending, to that one of the replicated secured packets, a new header having a sender address location and a particular destination address location;
        transmitting that one of the replicated secured packets to the particular destination;
in response to determining that the security association related to the packet is shared between the data communications device and a particular destination but not the plurality of destinations;
    for the particular destination;
        applying the security association to a copy of the packet using a pair-wise key that is shared between the data communications device and the particular destination to create a secured packet;
        appending, to the secured packet, a new header having a sender address location and a particular destination location;
        transmitting the secured packet to the particular destination, where the particular destination is a member of the multicast group.
Dependent claims 8 to 12 depend on claim 7.