Extensible authentication and authorization of identities in an application message on a network device

US 8,613,056 B2
Filed: 05/26/2006
Issued: 12/17/2013
Est. Priority Date: 05/26/2006
Status: Active Grant

First Claim

Patent Images

1. A data processing apparatus, comprising:

a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;

one or more processors;

a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;

a non-transitory computer-readable storage medium having stored thereon a plurality of authentication methods and a policy that associates the authentication methods with respective message types, and a plurality of user credential location definitions that specify locations of user credentials for various types of application messages;

authentication and authorization logic comprising one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;

receiving, by the data processing apparatus, one or more packets containing an application message of OSI layer 5 or above, wherein the application message comprises one or more user credential elements and wherein the one or more packets containing the application message are addressed to an endpoint device other than the data processing apparatus;

determining a particular type of the application message;

identifying one or more user credential elements in the application message;

selecting, based on the policy and the particular type of the application message, a particular authentication method, and validating the application message using the one or more user credential elements and the particular authentication method;

wherein identifying the one or more user credential elements includes selecting a particular user credential location definition and performing the identifying based on the particular user credential location definition;

wherein the data processing apparatus is a router forwarding data packets below OSI layer 5.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

User credentials are validated within a network infrastructure element such as a packet data router or switch. The network element has authentication and authorization logic for receiving one or more packets representing an input application message logically associated with OSI network model Layer 5 or above; extracting user credentials from the one or more packets; authenticating an identity associated with the user credentials; authorizing privileges to the identity; and forwarding the application message to an intended destination if the identity is successfully authenticated and/or authorized. The authentication and authorization logic in the network element can invoke extension authentication and authorization methods that may be provisioned after the network element is deployed in a networked system.

19 Citations

30 Claims

1. A data processing apparatus, comprising:
- a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
  
  one or more processors;
  
  a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
  
  a non-transitory computer-readable storage medium having stored thereon a plurality of authentication methods and a policy that associates the authentication methods with respective message types, and a plurality of user credential location definitions that specify locations of user credentials for various types of application messages;
  
  authentication and authorization logic comprising one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;
  
  receiving, by the data processing apparatus, one or more packets containing an application message of OSI layer 5 or above, wherein the application message comprises one or more user credential elements and wherein the one or more packets containing the application message are addressed to an endpoint device other than the data processing apparatus;
  
  determining a particular type of the application message;
  
  identifying one or more user credential elements in the application message;
  
  selecting, based on the policy and the particular type of the application message, a particular authentication method, and validating the application message using the one or more user credential elements and the particular authentication method;
  
  wherein identifying the one or more user credential elements includes selecting a particular user credential location definition and performing the identifying based on the particular user credential location definition;
  
  wherein the data processing apparatus is a router forwarding data packets below OSI layer 5.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The apparatus of claim 1, wherein the one or more packets comprise one or more protocol headers, and wherein a subset of the one or more user credential elements is located in the one or more protocol headers.
  - 3. The apparatus of claim 1, wherein the application message comprises an application message header, and wherein a subset of the one or more user credential elements is located in the application message header.
  - 4. The apparatus of claim 1, wherein the authentication and authorization logic further comprises sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform extracting an application message payload from the application message, and identifying a subset of the one or more user credential elements in the application message payload.
  - 5. The apparatus of claim 1, wherein the authentication and authorization logic further comprises sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform forwarding an outgoing message associated with the application message to a destination.
  - 6. The apparatus of claim 1, wherein the authentication and authorization logic further comprises sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform authenticating an identity associated with the one or more user credential elements.
  - 7. The apparatus of claim 6, wherein the authentication and authorization logic further comprises sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform executing the particular authentication method by sending the user credential elements to an authentication service provider and requesting authentication of the user credential elements.
  - 8. The apparatus of claim 6, wherein the authentication and authorization logic further comprises sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform authorizing one or more privileges associated with the identity.
  - 9. The apparatus of claim 8, wherein the non-transitory computer-readable medium has stored thereon a plurality of authorization methods, wherein the policy associates the authorization methods with the respective message types, and wherein the authentication and authorization logic further comprises sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform selecting, based on the policy and the particular type of the application message, a particular authorization method, and executing the particular authorization method by sending the identity to an authorization service provider and requesting authorization of the one or more privileges associated with the identity.
  - 10. The apparatus of claim 1, wherein the apparatus comprises any of a packet data router and a packet data switch in a packet-switched network.
  - 11. The apparatus of claim 1, wherein the one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform determining a particular type of the application message;
    - enabling a user to define an association between a particular authentication method with a corresponding message type.

12. A machine-implemented method, comprising:
- receiving, by a data processing apparatus, one or more packets containing an application message of OSI layer 5 or above, wherein the application message comprises one or more user credential elements and wherein the one or more packets are addressed to an endpoint device other than the data processing apparatus;
  
  determining a particular type of the application message;
  
  identifying one or more user credential elements in the application message;
  
  selecting, based on a policy and the particular type of the application message, a particular authentication method, wherein the policy associates a plurality of authentication methods with respective message types; and
  
  validating the application message using the one or more user credential elements and the particular authentication method;
  
  wherein identifying the one or more user credential elements includes selecting a particular user credential location definition and performing the identifying based on the particular user credential location definition, and wherein the particular user credential location definition specifies locations of user credentials for various types of application messages;
  
  wherein the data processing apparatus is a router forwarding data packets below OSI layer 5;
  
  wherein the machine-implemented method is performed by one or more computing devices comprising at least one processor.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The method of claim 12, wherein the one or more packets comprise one or more protocol headers, and wherein a subset of the one or more user credential elements is located in the one or more protocol headers.
  - 14. The method of claim 12, wherein the application message comprises an application message header, and wherein a subset of the one or more user credential elements is located in the application message header.
  - 15. The method of claim 12, further comprising the steps of extracting an application message payload from the application message and identifying a subset of the one or more user credential elements in the application message payload.
  - 16. The method of claim 12, further comprising the step of forwarding an outgoing message associated with the application message to a destination.
  - 17. The method of claim 12, further comprising the step of authenticating an identity associated with the one or more user credential elements.
  - 18. The method of claim 17, further comprising the step of executing the particular authentication method by sending the user credential elements to an authentication service provider and requesting authentication of the user credential elements.
  - 19. The method of claim 17, further comprising the step of authorizing one or more privileges associated with the identity.
  - 20. The method of claim 19, further comprising the steps of selecting, based on the policy and the particular type of the application message, a particular authorization method, and executing the particular authorization method by sending the identity to an authorization service provider and requesting authorization of the one or more privileges associated with the identity.
  - 21. The method of claim 12, wherein the step of determining a particular type of the application message further comprises enabling a user to define a plurality of message types and wherein the step of selecting a particular authentication method further comprises enabling a user to define an association between a particular authentication method with a corresponding message type.

22. A computer-readable storage device carrying one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving, by a data processing apparatus, one or more packets containing an application message of OSI layer 5 or above, wherein the application message comprises one or more user credential elements and wherein the one or more packets are addressed to an endpoint device other than the data processing apparatus;
  
  determining a particular type of the application message;
  
  identifying one or more user credential elements in the application message;
  
  selecting, based on the policy and the particular type of the application message, a particular authentication method; and
  
  validating the application message using the one or more user credential elements and the particular authentication method;
  
  wherein identifying the one or more user credential elements includes selecting a particular user credential location definition and performing the identifying based on the particular user credential location definition, and wherein the particular user credential location definition specifies locations of user credentials for various types of application messages;
  
  wherein the data processing apparatus is a router forwarding data packets below OSI layer 5.

23. A data processing apparatus, comprising:
- a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
  
  one or more processors;
  
  a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
  
  a non-transitory computer-readable storage medium having stored thereon a plurality of authentication methods and a policy that associates the authentication methods with respective message types, and a plurality of user credential location definitions that specify locations of user credentials for various types of application messages;
  
  means for receiving, by the data processing apparatus, one or more packets containing an application message of OSI layer 5 or above, wherein the application message comprises one or more user credential elements and wherein the one or more packets containing the application message are addressed to an endpoint device other than the data processing apparatus;
  
  means for determining a particular type of the application message;
  
  means for identifying one or more user credential elements in the application message;
  
  means for selecting, based on the policy and the particular type of the application message, a particular authentication method; and
  
  means for validating the application message using the one or more user credential elements and the particular authentication method;
  
  wherein the means for identifying the one or more user credential elements includes selecting a particular user credential location definition and performing the identifying based on the particular user credential location definition;
  
  wherein the data processing apparatus is a router forwarding data packets below OSI layer 5.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The apparatus of claim 23, wherein the one or more packets comprise one or more protocol headers, and wherein a subset of the one or more user credential elements is located in the one or more protocol headers.
  - 25. The apparatus of claim 23, wherein the application message comprises an application message header, and wherein a subset of the one or more user credential elements is located in the application message header.
  - 26. The apparatus of claim 23, further comprising means for extracting an application message payload from the application message, and means for identifying a subset of the one or more user credential elements in the application message payload.
  - 27. The apparatus of claim 23, further comprising means for forwarding an outgoing message associated with the application message to a destination.
  - 28. The apparatus of claim 23, further comprising means for authenticating an identity associated with the one or more user credential elements.
  - 29. The apparatus of claim 28, further comprising means for authorizing one or more privileges associated with the identity.
  - 30. The method of claim 23, wherein the means for determining a particular type of the application message further comprises means for enabling a user to define a plurality of message types and wherein the means for selecting a particular authentication method further comprises means for enabling a user to define an association between a particular authentication method with a corresponding message type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kumar, Sandeep, Dashora, Vinod K., Iyer, Subramanian N., Jiang, Yuquan
Primary Examiner(s)
Zee, Edward
Assistant Examiner(s)
NGUY, CHI D

Application Number

US11/441,594
Publication Number

US 20070289005A1
Time in Patent Office

2,762 Days
Field of Search

713151-162, 726/5, 726 11- 15, 726 17- 21
US Class Current

726/5
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/104 Grouping of entities

Extensible authentication and authorization of identities in an application message on a network device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Extensible authentication and authorization of identities in an application message on a network device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links