Method and apparatus for distributing group data in a tunneled encrypted virtual private network

US 7,761,702 B2
Filed: 04/15/2005
Issued: 07/20/2010
Est. Priority Date: 04/15/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

receiving a packet from a sender at a data communication device, wherein the packet is to be multicast to a plurality of destinations;

identifying a multicast security association related to the packet based, at least in part, on a data stream associated with the packet and security information shared between the data communications device and the plurality of destinations;

in response to determining that the security association related to the packet is shared between the data communications device and the plurality of destinations;

creating a secure packet by applying the security association to the packet using a group key that is shared between the data communications device and the plurality of destinations;

replicating the secured packet into a plurality of replicated secured packets;

for one of the replicated secured packets destined to a particular destination of a multicast group;

appending, to that one of the replicated secured packets, a new header having a sender address location and a particular destination address location;

transmitting that one of the replicated secured packets to the particular destination;

in response to determining that the security association related to the packet is shared between the data communications device and a particular destination but not the plurality of destinations;

for the particular destination;

applying the security association to a copy of the packet using a pair-wise key that is shared between the data communications device and the particular destination to create a secured packet;

appending, to the secured packet, a new header having a sender address location and a particular destination location;

transmitting the secured packet to the particular destination, where the particular destination is a member of the multicast group;

wherein the method is performed by the data communication device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A packet forwarding process, on a data communications device, forwards a packet to a plurality of destinations within a network from that data communications device using an “encrypt then replicate” method. The packet forwarding process receives a packet that is to be transmitted to the plurality of destinations, and applies a security association to the packet using security information shared between the data communications device, and the plurality of destinations, to create a secured packet. The secured packet contains a header that has a source address and a destination address. The source address is inserted into the header, and then the packet forwarding process replicates the secured packet, once for each of the plurality of destinations. After replication, the destination address is inserted into the header, and the packet forwarding process transmits each replicated secured packet to each of the plurality of destinations authorized to maintain the security association.

19 Citations

View as Search Results

12 Claims

1. A method, comprising:
- receiving a packet from a sender at a data communication device, wherein the packet is to be multicast to a plurality of destinations;
  
  identifying a multicast security association related to the packet based, at least in part, on a data stream associated with the packet and security information shared between the data communications device and the plurality of destinations;
  
  in response to determining that the security association related to the packet is shared between the data communications device and the plurality of destinations;
  
  creating a secure packet by applying the security association to the packet using a group key that is shared between the data communications device and the plurality of destinations;
  
  replicating the secured packet into a plurality of replicated secured packets;
  
  for one of the replicated secured packets destined to a particular destination of a multicast group;
  
  appending, to that one of the replicated secured packets, a new header having a sender address location and a particular destination address location;
  
  transmitting that one of the replicated secured packets to the particular destination;
  
  in response to determining that the security association related to the packet is shared between the data communications device and a particular destination but not the plurality of destinations;
  
  for the particular destination;
  
  applying the security association to a copy of the packet using a pair-wise key that is shared between the data communications device and the particular destination to create a secured packet;
  
  appending, to the secured packet, a new header having a sender address location and a particular destination location;
  
  transmitting the secured packet to the particular destination, where the particular destination is a member of the multicast group;
  
  wherein the method is performed by the data communication device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising a key distribution management system that is located on a device other than the data communications device, and where identifying a security association further comprises:
    - registering with the key distribution management system by performing an authentication technique with the key distribution management system; and
      
      receiving notification from each of the plurality of destinations by utilizing a tunnel mapping protocol to determine which of the plurality of destinations indicate successful receipt of an encryption key.
  - 3. The method of claim 2, where utilizing a tunnel mapping protocol comprises:
    - identifying at least one destination that does not maintain a shared security association with the plurality of destinations;
      
      applying a security association exclusive to the identified destination to the packet to create an exclusive secured packet that is to be transmitted exclusively to the identified destination; and
      
      transmitting the exclusive secured packet to the identified destination;
      
      where the tunnel mapping protocol is a next-hop resolution protocol (NHRP).
  - 4. The method of claim 3, where applying a security association to the packet to create a secured packet comprises:
    - encapsulating the packet for transmission throughout a network;
      
      creating a header for the encapsulated packet, the header comprising a source address location for indicating an originating location of the packet, and a destination address location for indicating a final location of the packet; and
      
      inserting a source address into the source address location within the header of the packet, the source address indicating the origination location of the packet.
  - 5. The method of claim 4, where applying a security association to the packet to create a secured packet comprises:
    - creating a plurality of the secured packets, for the plurality of destinations; and
      
      inserting a respective destination address into the header within the plurality of the secured packets, the respective destination address indicating a network address of a respective one of the plurality of destinations.
  - 6. The method of claim 4, where the network is a Dynamic Multipoint Virtual Private Network (DMVPN), and is a non-broadcast multi-access (NBMA) network, andwhere the security associations include shared encryption information available to the plurality of destinations and to the data communications device andwhere applying the security association to the packet to create the secured packet comprises:

7. A computer-readable medium encoded with instructions, which when executed on a processor, cause the processor to perform:
- receiving a packet from a sender at a data communication device, wherein the packet is to be multicast to a plurality of destinations;
  
  identifying a multicast security association related to the packet based, at least in part, on a data stream associated with the packet and security information shared between the data communications device and the plurality of destinations;
  
  in response to determining that the security association related to the packet is shared between the data communications device and the plurality of destinations;
  
  creating a secure packet by applying the security association to the packet using a group key that is shared between the data communications device and the plurality of destinations;
  
  replicating the secured packet into a plurality of replicated secured packets;
  
  for one of the replicated secured packets destined to a particular destination of a multicast group;
  
  appending, to that one of the replicated secured packets, a new header having a sender address location and a particular destination address location;
  
  transmitting that one of the replicated secured packets to the particular destination;
  
  in response to determining that the security association related to the packet is shared between the data communications device and a particular destination but not the plurality of destinations;
  
  for the particular destination;
  
  applying the security association to a copy of the packet using a pair-wise key that is shared between the data communications device and the particular destination to create a secured packet;
  
  appending, to the secured packet, a new header having a sender address location and a particular destination location;
  
  transmitting the secured packet to the particular destination, where the particular destination is a member of the multicast group.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-readable medium of claim 7, wherein the instructions operate with a key distribution management system that is located on a device other than the data communications device, and wherein the instructions that cause the operation of identifying a security association further comprise instructions, which when executed cause the operation of registering with the key distribution management system by performing an authentication technique with the key distribution management system;
    - and receiving notification from each of the plurality of destinations by utilizing a tunnel mapping protocol to determine which of the plurality of destinations indicate successful receipt of an encryption key.
  - 9. The computer-readable medium of claim 8, wherein the instructions that cause the operation of utilizing a tunnel mapping protocol further comprise instructions which when executed cause the operation of:
    - identifying at least one destination that does not maintain a shared security association with the plurality of destinations;
      
      applying a security association exclusive to the identified destination to the packet to create an exclusive secured packet that is to be transmitted exclusively to the identified destination; and
      
      transmitting the exclusive secured packet to the identified destination;
      
      wherein the tunnel mapping protocol is a next-hop resolution protocol (NHRP).
  - 10. The computer-readable medium of claim 9, wherein the instructions that cause the operation of applying a security association to the packet to create a secured packet further comprise instructions which when executed cause the operation of:
    - encapsulating the packet for transmission throughout a network;
      
      creating a header for the encapsulated packet, the header comprising a source address location for indicating an originating location of the packet, and a destination address location for indicating a final location of the packet; and
      
      inserting a source address into the source address location within the header of the packet, the source address indicating the origination location of the packet.
  - 11. The computer-readable medium of claim 10, wherein the instructions that cause the operation of applying a security association to the packet to create a secured packet further comprise instructions which when executed cause the operation of:
    - creating a plurality of secured packets, for the plurality of destinations; and
      
      inserting a respective destination address into the header within the plurality of the secured packets, the respective destination address indicating a network address of a respective one of the plurality of destinations.
  - 12. The computer-readable medium of claim 11, wherein the network is a Dynamic Multipoint Private Network (DMVPN), and is a non-broadcast multi-access (NBMA) network;
    - wherein the security associations include shared encryption information available to the plurality of destinations and to the data communications device;
      
      wherein the instructions that cause the operation of applying the security association to the packet to create the secured packet further comprise instructions which when executed cause applying the shared encryption information to encrypt the packet once regardless of the number of destinations to which the packet is transmitted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sullenberger, Michael Lee, Vilhuber, Jan, Weis, Brian E., Detienne, Frederic R.P.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
BAYOU, YONAS A

Application Number

US11/107,532
Publication Number

US 20090083536A1
Time in Patent Office

1,922 Days
Field of Search

726/13, 713/153
US Class Current

713/153
CPC Class Codes

H04L 12/1886   with traffic restrictions f...

H04L 45/16   Multipoint routing

H04L 63/0428   wherein the data content is...

H04L 63/065   for group communications cr...

Method and apparatus for distributing group data in a tunneled encrypted virtual private network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for distributing group data in a tunneled encrypted virtual private network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links