Patent application number | Description | Published |
20080247392 | Validating Internal Routing Protocol Information Passed Through an External Routing Protocol - In one embodiment, a method includes receiving authenticated site data that includes site ID data and address data. The site ID data indicates a unique site ID for each site among multiple sites for a first network that uses an internal routing protocol. Multiple edge sites of those sites are separate from each other and connected to a second network that is under separate administrative control of at least one different party. The address data indicates network addresses associated with each site of the plurality of sites. An external routing protocol message is discounted based on the authenticated site data. | 10-09-2008 |
20090262941 | TECHNIQUES FOR MANAGING KEYS USING A KEY SERVER IN A NETWORK SEGMENT - The election of a key server is provided. The key server is a single device that broadcasts an encryption key to other devices in a network segment. Also, automatic reelection of a new key server is provided when a current key server becomes unavailable. Key receivers may separately detect that a new key server is needed and separately determine from state information which key receiver should be elected the new key server. The state information may have been received in previously sent messages. Thus, further messaging is not needed to elect a new key server. | 10-22-2009 |
20100034207 | ENFORCING THE PRINCIPLE OF LEAST PRIVILEGE FOR LARGE TUNNEL-LESS VPNs - Techniques for secure communication in a tunnel-less VPN are provided. A key server generates and provides, to each VPN gateway, different, yet mathematically-related keying material. A VPN gateway receives distinct keying material for each designated address block (e.g., subnet) behind the VPN gateway. In response to receiving a packet from one a source host whose address falls within one of the designated address blocks, the VPN gateway identifies the appropriate keying material. The VPN gateway determines an identifier for the address block that includes the destination address. The identifier and the identified keying material are used to generate a key. The VPN gateway encrypts the packet with the key and forwards the encrypted packet to the destination host. | 02-11-2010 |
20100142711 | GROUP KEY MANAGEMENT RE-REGISTRATION METHOD - In an embodiment, a fast group key management re-registration is described. One computer-implemented method comprises, at a key server: receiving a registration request from a network element to join a group of network elements managed by the key server; generating and storing a group member registration state comprising information identifying the network element within the group of network elements; generating a token using information from the group member registration state, wherein the token identifies the network element within the group; deleting the group member registration state for the network element at the key server; generating an encrypted token by encrypting the token using a secret key that is local to the key server; sending the encrypted token to the network element; receiving the encrypted token along with a re-registration request from the network element to re-join the group of network elements; and re-registering the network element using the encrypted token. | 06-10-2010 |
20100220856 | PRIVATE PAIRWISE KEY MANAGEMENT FOR GROUPS - In an example embodiment, a key generation system (KGS) is used to generate private pairwise keys between peers belonging to a group. Each member of the group is provisioned with a set of parameters which allows each member to generate a key with any other member of the group; however, no group member can derive a key for pairings involving other group members. The private pairwise keys may be used to derive session keys between peers belonging to the group. Optionally, an epoch value may be employed to derive the private pairwise keys. | 09-02-2010 |
20100318605 | APPROACH FOR MANAGING STATE INFORMATION BY A GROUP OF SERVERS THAT SERVICES A GROUP OF CLIENTS - An approach for managing state information by a group of servers that services a group of clients is disclosed. One server is designated as the primary server and is responsible for generating state information to be used by both the servers and the clients. The remaining servers are designated as secondary servers that help to manage the group, but which do not generate the state information. When the primary server fails or is not available due to a network partition event, one of the secondary servers changes role to become the primary server. With a network partition event, each partition can have a primary server, and when the network partition heals, one of the primary servers changes role back to being a secondary server. As a result, the group of servers maintains a consistent set of state information without being vulnerable to the single failure of a server. | 12-16-2010 |
20110087878 | ENABLING QoS FOR MACsec PROTECTED FRAMES - Embodiments associated with enabling Quality of Service (QoS) for MACsec protected frames are described. One example method includes identifying a security indicator in an encrypted network communication and selectively forwarding the encrypted network communication according to a QoS policy. The example method may also include selectively storing a control packet security indicator sniffed from a control packet network communication in response to determining that a match exists between a control packet identification field and a QoS database entry. | 04-14-2011 |
20110296044 | KEEP-ALIVE HIATUS DECLARATION - In an embodiment, a method is performed by one or more processors and comprises obtaining a hiatus declaration that indicates that a network device will be incommunicable; suspending communication with the network device until expiration of a hiatus time period during which the network device is expected to be incommunicable; resuming communication with the network device in response to any of: determining that the hiatus time period has expired; obtaining a keep-alive message from the network device; or obtaining other indication that the network device can communicate. | 12-01-2011 |
20120045063 | Techniques for Managing Keys Using a Key Server in a Network Segment - The election of a key server is provided. The key server is a single device that broadcasts an encryption key to other devices in a network segment. Also, automatic reelection of a new key server is provided when a current key server becomes unavailable. Key receivers may separately detect that a new key server is needed and separately determine from state information which key receiver should be elected the new key server. The state information may have been received in previously sent messages. Thus, further messaging is not needed to elect a new key server. | 02-23-2012 |
20120117248 | Restarting Network Reachability Protocol Sessions Based on Transport Layer Authentication - In an embodiment, a method comprises establishing a first data communications session with a first router. In response to receiving a first request to establish a second data communications session, a probe message that is configured to test whether the first data communications session or the first router is responsive is sent to the first router. In response to determining that the first router has not acknowledged the probe message before a probe timer has expired, and receiving a second request to establish the second data communications session, the second data communications session with the first router is established and a state for the first data communications session is deleted. | 05-10-2012 |
20140258532 | KEEP-ALIVE HIATUS DECLARATION - In an embodiment, a method is performed by one or more processors and comprises obtaining a hiatus declaration that indicates that a network device will be incommunicable; suspending communication with the network device until expiration of a hiatus time period during which the network device is expected to be incommunicable; resuming communication with the network device in response to any of: determining that the hiatus time period has expired; obtaining a keep-alive message from the network device; or obtaining other indication that the network device can communicate. | 09-11-2014 |
20140281508 | CHANGING GROUP MEMBER REACHABILITY INFORMATION - In an embodiment, a method comprises obtaining a second network address at a computer node, which has been already associated with a first network address and provided first keying information; sending, to a key server computer, an update message that comprises both the first network address and the second network address; using the first keying information to encrypt messages that the computer node sends from the second network address to one or more other members of a group. | 09-18-2014 |