Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Having particular address related cryptography
Reexamination Certificate
1999-06-04
2004-08-24
Barrón, Gilberto (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Having particular address related cryptography
C713S152000, C380S030000, C709S220000
Reexamination Certificate
active
06782474
ABSTRACT:
TECHNOLOGICAL FIELD
The present invention deals with a device to be connected to a network and especially its installation and configuration. Installation is a general concept that covers all the hardware operations needed to connect the device to a network. Similarly, configuration is understood to cover all the software operations that enable controlled transmission of data in the network between the device concerned and other devices connected to the network. The invention does not limit the type of network in question: it can be the Internet, an intranet, a Local Area Network (LAN), a Wide Area Network (WAN) or any other network intended for transmission of data between electronic terminals. The physical form of the network may be Ethernet®, Token Ring®, a cellular radio network or any other corresponding network known as such.
BACKGROUND OF THE INVENTION
Intelligent network devices, such as routers, VPN (Virtual Private Network) devices, print servers, network printers, network cameras, and telecommunications adapters, require detailed configuration data before they can transmit and receive information through the network in a controlled manner. For instance in an IP (Internet Protocol) network the device needs to know its own IP address and the address of the default gateway, and possibly lots of other configuration data.
Information travels through the network generally in the form of packets. As background information for the invention, two known addressing schemes for IP packets are described, namely the IPv4 (Internet Protocol version 4) and IPv6 (Internet Protocol version 6) packet headers. The layout of an IPv4 packet header is illustrated in FIG. 1, and the layout of an IPv6 packet header is illustrated in FIG. 2. Column numbers in FIGS. 1 and 2 correspond to bits.
In FIG. 1, the fields of the known IPv4 header are as follows: Version Number 101, IHL 102, Type of Service 103, Total Length 104, Identification 105, Flags 106, Fragment Offset 107, Time to Live 108, Protocol 109, Header Checksum 110, Source Address 111, Destination Address 112, Options 113 and Padding 114. In FIG. 2, the fields of the known proposed IPv6 header are as follows: Version Number 201, Traffic Class 202, Flow Label 203, Payload Length 204, Next Header 205, Hop Limit 206, Source Address 207 and Destination Address 208. The use of the fields in the headers is known to the person skilled in the art. An IP packet consists of a header like that of FIG. 1 or 2 accompanied by a data portion. In IPv6, there may be a number of so-called Extension headers between the main header shown in FIG. 2 and the data portion.
In a network where security features are important, authentication may be performed by computing a Message Authentication Code (MAC) over the contents of the packet and a shared secret key, and sending the computed MAC as part of the packet in an AH (Authentication Header) or ESP (Encapsulating Security Payload) header. Privacy is typically implemented using encryption, for which the ESP header is used. The AH header is illustrated in FIG. 3, where column numbers correspond to bits. The fields of the known AH header are as follows: Next Header 301, Length 302, Reserved 303, Security Parameters 304 and Authentication Data 305. The length of the last field 305 is a variable number of 32-bit words.
The Encapsulating Security Payload (ESP) may appear anywhere in an IP packet after the IP header and before the final transport-layer protocol. The Internet Assigned Numbers Authority has assigned Protocol Number 50 to ESP. The header immediately preceding an ESP header will always contain the value 50 in its Next Header (IPv6) or Protocol (IPv4) field. ESP consists of an unencrypted header followed by encrypted data. The encrypted data includes both the protected ESP header fields and the protected user data, which is either an entire IP datagram or an upper-layer protocol frame (e.g., TCP or UDP). A high-level diagram of a secure IP datagram is illustrated in FIG. 4a, where the fields are IP Header 401, optional other IP headers 402, ESP header 403 and encrypted data 404. FIG. 4b illustrates the two parts of an ESP header, which are the 32-bit Security Association Identifier (SPI) 405 and the Opaque Transform Data field 406, whose length is variable.
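As an added example (not part of the patent text), the following Python decodes the FIG. 1 IPv4 header fields named above, verifies the Header Checksum, and, when the Protocol field carries the ESP value 50 that the text cites, splits the FIG. 4b ESP header into its SPI and opaque transform data. The build_ipv4 helper and the two sample packets are constructed here purely for illustration.

```python
import struct

ESP_PROTOCOL = 50  # IANA protocol number the text cites for ESP

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the header's 16-bit words; a valid header (checksum included) folds to 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the FIG. 1 fields (Version Number ... Padding) and verify the Header Checksum."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte minimum IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hdr_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or hdr_len < 20 or len(pkt) < hdr_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": ver_ihl >> 4, "ihl": ver_ihl & 0x0F, "tos": tos, "total_length": total_len,
        "identification": ident, "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "header_checksum": csum,
        "checksum_ok": ipv4_checksum(pkt[:hdr_len]) == 0,  # must hold before any field is trusted
        "source": ".".join(map(str, src)), "destination": ".".join(map(str, dst)),
        "options_and_padding": pkt[20:hdr_len], "header_length": hdr_len,
    }

def parse_esp_header(esp: bytes) -> dict:
    """Split the FIG. 4b ESP header: 32-bit SPI (405) followed by variable-length opaque transform data (406)."""
    if len(esp) < 4: raise ValueError("ESP header needs at least the 4-byte SPI")
    return {"spi": struct.unpack("!I", esp[:4])[0], "opaque_transform_data": esp[4:]}

def locate_esp(pkt: bytes):
    """Return the ESP header when the IPv4 Protocol field is 50, else None; a bad checksum also yields None."""
    ip = parse_ipv4_header(pkt)
    if not ip["checksum_ok"] or ip["protocol"] != ESP_PROTOCOL:
        return None
    return parse_esp_header(pkt[ip["header_length"]:ip["total_length"]])

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    # Constructed helper: minimal IPv4 packet (no options, DF set) with a correct checksum
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

# Constructed samples: one ESP datagram (SPI 0x1001, 12 opaque bytes) and one plain TCP datagram
SAMPLE_ESP_PACKET = build_ipv4("192.0.2.10", "192.0.2.20", ESP_PROTOCOL, struct.pack("!I", 0x1001) + b"\xaa" * 12)
SAMPLE_TCP_PACKET = build_ipv4("192.0.2.10", "192.0.2.20", 6, b"\x00" * 20)
```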
Several existing solutions are being used to configure newly installed network devices. Some devices have a display and keyboard for entering configuration data. Others may have a serial port in the device so that it can be attached to a separate configuration terminal for configuration. There are also solutions where a broadcast network packet or a ping packet is used to configure the device.
Solutions based on having a display and keyboard are often too costly and cumbersome for users. Likewise, attaching a configuration terminal to the device is an extra burden for the user. Methods based on broadcast packets only work in the local network, and cannot be used to configure the device remotely. Remote configuration is becoming more and more desirable, as the number of installed network devices is growing much faster than the number of people skilled enough to configure them. Finally, methods based on a ping packet can be used to configure the device remotely, but are limited in the amount of configuration data. Also, such methods will not work if the device to be configured is behind a device that is also listening for several other configuration packets or if there are similar identical devices on the same network.
Growing use of networks, especially increasing use of the Internet for electronic commerce and corporate communications is making security ever more important. Attacks against the network infrastructure are increasingly common. One opportunity for performing such attacks is the moment when the network device is being configured. At that time, most devices do not provide any security, and the attacker will be able to load the device with his/her configuration and software. The compromised device can then be instrumental in furthering the attack.
SUMMARY OF THE INVENTION
The existing configuration methods for configuring network devices lack ease of use, robustness, and security. Problems during device configuration are often very difficult for users to understand and solve. It is therefore desirable to provide a method and apparatus for loading configuration data into the network device in a reliable, easy-to-use manner from a network management station controlled by an employee skilled in the configuration of new network devices. This allows the physical installation of new network devices to be carried out by employees who are not as skilled in their configuration. This genus of methods and apparatus will be referred to as the unsecure, remote configuration class. Further, in networks where security is an issue, it is desirable to be able to configure new network devices remotely and securely from a remote network management station. This allows remote configuration via network packets without fear that an interloper with intent to attack the network will be able to intercept and alter the configuration data or other information such as the network address or device identifier. The object of this invention is to provide such methods, as well as a network device which can carry out the disclosed methods.
The object of the unsecure, remote configuration methods of the invention is accomplished by installing the network device in a dummy mode, and sending a configuration packet, including a device-specific identifier, to the network device to be configured or reconfigured either by broadcasting a packet containing the new network device's device identifier or sending a configuration packet directly to the network device's network address with the packet containing the device identifier of the device to be configured. The new network device to be remotely configured then either recognizes its device identifier in the broadcast pack
Barrón Gilberto
Fish Ronald C.
Ronald C. Fish, A Law Corp.
SSH Communication Security Ltd.
Zand K