Apparatus and method for authenticating messages transmitted...

Electrical computers and digital processing systems: multicomput – Computer-to-computer data routing

Reexamination Certificate


Details

C713S153000, C713S170000

active

06725276

ABSTRACT:

FIELD OF THE INVENTION
The invention generally relates to networks and, more particularly, to message transmissions across multicast domains in a computer network.
BACKGROUND OF THE INVENTION
Multicasting is a well known method of transmitting messages to selected groups of users across a network, such as the Internet. One simple example of multicasting entails transmitting an E-mail message to a plurality of users that each are on a mailing list. Video conferencing and teleconferencing also use multicasting principles and thus, often are referred to as “multiconferencing.”
Messages transmitted during a multicast often include multicast control parameters that control the execution of the multicast (“control messages”). One exemplary type of control message enables nodes to end an ongoing multicast. Problems arise when an unauthorized network device transmits a control message to a multicast session. For example, an unauthorized network device may transmit a control message that prematurely ends a multicast session. One solution to this problem (recently proposed by the PIM Working Group of the Internet Engineering Task Force) utilizes well known symmetric-key techniques to authenticate control messages transmitted between routers within a single multicast domain. To that end, a symmetrical authentication key is provided to each router in the multicast and is used to protect and verify control messages transmitted in the multicast. Accordingly, upon receipt of a control message from another router, a receiving router can confirm that the control message was transmitted by a holder of the authentication key, and hence by an authorized router in the multicast. Because every router in the domain shares the same key, this check establishes membership in the domain rather than the identity of the individual sending router.
As is known in the art, a group of network devices (e.g., routers) in a multicast that are administered as a unit with common rules and procedures (e.g., each router utilizing a common authentication key) are considered to be a single multicast domain. Problems therefore arise when members of one multicast domain attempt to communicate with members of another multicast domain. Specifically, network devices in a first multicast domain do not have the second multicast domain authentication key for authenticating messages received from second domain devices. Consequently, multicast messages transmitted from the second multicast domain to the first multicast domain are considered (by receiving devices in the first domain) to originate from devices not authorized to participate in the first domain multicast and thus, are dropped.
SUMMARY OF THE INVENTION
In accordance with one aspect of the invention, a border network device for transmitting messages between a first multicast domain and a second multicast domain includes a first interface that receives a first domain message from the first domain for delivery to the second domain, a first message converter that converts the received first domain message into a first intermediate message, and an output that forwards the first intermediate message to a receiving second network device in the second domain. The first multicast domain and second multicast domain each respectively have first network devices and second network devices. In preferred embodiments, the first domain message has first domain origin data. Messages with first domain origin data originate from at least one of the first network devices. In a similar manner, the intermediate message includes intermediate data indicating that the intermediate message originated from the border network device. A similar method also may be utilized to effectuate this aspect of the invention.
In preferred embodiments, the first intermediate message includes data that causes the receiving second network device to convert the first intermediate message into a second message. The second message includes data indicating that the second message originated from the receiving second network device. In other embodiments, the border network device further includes an intermediate interface that receives a second intermediate message from a given second network device, and a second message converter that converts the received second intermediate message into a converted first domain message with first domain data. The second intermediate message has origination data indicating that it originated from the given second network device. The output may forward the converted first domain message to at least one of the first network devices.
In other embodiments, the first multicast domain has an associated key for authenticating messages transmitted between first network devices. Accordingly, the first origin data may be associated with the first key. The first multicast domain may require that each message authorized to be forwarded to first network devices in a multicast include first domain origin data. In some embodiments, the border network device is one of the first network devices. The border network device also may include memory for storing an intermediate key. The first message converter may retrieve the intermediate key from memory to convert the received first domain message into the first intermediate message. The border network device also may include an authenticator operatively coupled with the first message converter. The authenticator may confirm that the first domain message includes the first domain origin data before the message is converted. In other embodiments, the receiving second network device is a border network device that converts the first intermediate message into a second domain message having data indicating that the message originated from one of the second network devices.
In accordance with another aspect of the invention, a border network device for transmitting messages between a first multicast domain and a second multicast domain includes an intermediate interface that receives a second intermediate message from the second domain, a first message converter that converts the received second intermediate message into a converted first domain message with first domain data, and a first output that forwards the converted first domain message to at least one of the first network devices. The received second intermediate message includes intermediate data indicating that the second intermediate message originated from at least one of the second network devices. In a manner similar to other embodiments, messages with first domain data originate from one of the first network devices. A similar method also may be utilized to effectuate this aspect of the invention.
In other embodiments, the border network device further includes a first interface that receives a first domain message (with first domain data) from at least one of the first network devices, a second message converter that converts the received first domain message into a first intermediate message, and a second output that forwards the first intermediate message to at least one of the second network devices. The first intermediate message has data indicating that it originated from the border network device. In another embodiment, the first multicast domain has an associated first key for authenticating messages transmitted between first network devices, where the first domain data is associated with the first key. The first multicast domain may require that each first domain message authorized to participate in the multicast in the first domain include first domain origin data. The border network device also may include an authenticator operatively coupled with the first message converter. The authenticator may check the second intermediate message to determine whether it includes the second intermediate data before the message is converted and forwarded.
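The following is an added example, not part of the patent text and not code from any PIM implementation, that models both the problem stated in the Background (a message authenticated under the second domain's key is dropped by first-domain routers) and the border-device scheme of the Summary (verify under the domain key, re-authenticate under an intermediate key, then re-authenticate under the destination domain key so the delivered message carries that domain's origin data). The keys, device names, the HMAC-SHA256 construction and the message layout are all assumptions chosen for illustration; the patent does not specify the authentication primitive.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed keys for the example. In the patent's terms: the first domain key,
# the second domain key, and the intermediate key held only by border devices.
DOMAIN1_KEY = b"domain-1-shared-key"
DOMAIN2_KEY = b"domain-2-shared-key"
INTERMEDIATE_KEY = b"border-to-border-intermediate-key"


@dataclass(frozen=True)
class ControlMessage:
    origin: str     # device the message claims to originate from (the "origin data")
    payload: bytes  # multicast control content, e.g. an end-session request
    tag: bytes      # HMAC over origin and payload under one domain or intermediate key


def _mac(key: bytes, origin: str, payload: bytes) -> bytes:
    # Length-prefix the origin so origin/payload boundaries cannot be shifted.
    data = len(origin).to_bytes(2, "big") + origin.encode() + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def sign(key: bytes, origin: str, payload: bytes) -> ControlMessage:
    return ControlMessage(origin, payload, _mac(key, origin, payload))


def verify(key: bytes, msg: ControlMessage) -> bool:
    # Constant-time comparison so tag verification does not leak timing.
    return hmac.compare_digest(msg.tag, _mac(key, msg.origin, msg.payload))


class DomainRouter:
    """Ordinary router: accepts only messages authenticated under its own domain key."""

    def __init__(self, name: str, domain_key: bytes) -> None:
        self.name, self.domain_key = name, domain_key

    def accept(self, msg: ControlMessage) -> bool:
        return verify(self.domain_key, msg)


class BorderDevice:
    """Border network device: a member of one domain that also holds the intermediate key."""

    def __init__(self, name: str, domain_key: bytes, intermediate_key: bytes) -> None:
        self.name, self.domain_key, self.intermediate_key = name, domain_key, intermediate_key

    def export(self, msg: ControlMessage) -> Optional[ControlMessage]:
        # Authenticator + first message converter: a domain message becomes an
        # intermediate message whose origin data names this border device.
        if not verify(self.domain_key, msg):
            return None  # lacks valid domain origin data: drop, do not convert
        return sign(self.intermediate_key, self.name, msg.payload)

    def import_(self, imsg: ControlMessage) -> Optional[ControlMessage]:
        # Authenticator + second message converter: an intermediate message becomes
        # a message of this device's own domain, originating from this device.
        if not verify(self.intermediate_key, imsg):
            return None
        return sign(self.domain_key, self.name, imsg.payload)


def relay(msg: ControlMessage, exporter: BorderDevice, importer: BorderDevice) -> Optional[ControlMessage]:
    """Domain 1 message -> intermediate message -> domain 2 message, or None if any hop rejects."""
    imsg = exporter.export(msg)
    return None if imsg is None else importer.import_(imsg)


def run_scenario() -> dict:
    r1 = DomainRouter("router-1a", DOMAIN1_KEY)
    r2 = DomainRouter("router-2a", DOMAIN2_KEY)
    border_a = BorderDevice("border-A", DOMAIN1_KEY, INTERMEDIATE_KEY)  # in domain 1
    border_b = BorderDevice("border-B", DOMAIN2_KEY, INTERMEDIATE_KEY)  # in domain 2
    end_session = b"END-SESSION group=239.1.2.3"  # constructed control payload

    msg_from_domain1 = sign(DOMAIN1_KEY, r1.name, end_session)
    # Background problem: sent straight into domain 2, it fails domain 2's key check.
    direct = r2.accept(msg_from_domain1)
    # Summary scheme: relayed through the two border devices it is accepted, and the
    # delivered message's origin data names the importing border device.
    delivered = relay(msg_from_domain1, border_a, border_b)
    # An outsider without any key cannot get a message exported at all.
    forged = relay(ControlMessage("rogue", end_session, b"\x00" * 32), border_a, border_b)
    # Tampering with the payload on the border-to-border hop breaks the intermediate tag.
    imsg = border_a.export(msg_from_domain1)
    tampered = ControlMessage(imsg.origin, imsg.payload + b" extra", imsg.tag)
    return {
        "direct_cross_domain_accepted": direct,
        "relayed_accepted": delivered is not None and r2.accept(delivered),
        "relayed_origin": None if delivered is None else delivered.origin,
        "forged_accepted": forged is not None,
        "tampered_intermediate_accepted": border_b.import_(tampered) is not None,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Each hop verifies before it converts, so a message only ever crosses a domain boundary under a key the forwarding device has itself checked; and because the delivered message is re-signed by the importing border device, the receiving domain sees one of its own members as the origin, exactly as the Summary describes. The trade-off a practitioner should note is that the original sender's identity is not carried end to end: second-domain devices learn that border-B vouched for the message, not that router-1a sent it.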
In accordance with other aspects of the invention, an apparatus and method of transmitting messages between a first multicast domain and a second multicast receives a first message with first identification data from a first network device in the first domain, controls a confirming network device to analyze the first identification data to determine that the first message originated from the first network device, adds seco
