Providing-replay protection in systems using group security associations

A security association and group technology, applied in the field of secure communications, can solve the problems of the GSA architecture that cannot easily support the use of sequence numbers for anti-replay handling, network architectures that generally cannot benefit from its application, and multiple users that cannot easily synchroniz

Inactive Publication Date: 2014-06-26
RPX CLEARINGHOUSE

AI Technical Summary

Benefits of technology

The patent describes a method and device for detecting undesired packets in a network. The method involves assigning a unique transform identifier to each member of a group of devices in the network, and using the transform identifier to extract a sequence number from a packet received from a member of the group. The sequence number is then compared with an expected sequence number for the member to determine if the packet is valid. The device includes a storage medium and logic for implementing the method. The technical effect of this invention is to enable network devices to identify and discard undesired packets, thereby improving network security.

Problems solved by technology

While the IPSec anti-replay mechanism is effective in many peer to peer environments, there are network architectures that generally cannot benefit from its application.
However, the GSA architecture cannot easily support the use of sequence number for anti-replay handling, because multiple users share the same Security Association (SA), and the multiple users cannot easily synchronize the sequence number of the SA.


Embodiment Construction

[0021] Exemplary methods and apparatus by which the present invention uses unidirectional Security Associations to enable anti-replay mechanisms to be used in networks that use Group Security Associations to secure data between endpoints will now be described with reference to the attached figures.

[0022] Referring now to FIG. 1, an IP VPN network 20 is shown to include a number of Customer Edge (CE) devices 22, 24, 26 and 28, coupled to one or more Provider Edge (PE) routers 25 and 27. In the IP VPN network, routing information for each CE is maintained in Virtual Routing and Forwarding Tables 22 and 23. Each PE includes routing information for only the CEs which are members of VPNs that traverse the PE. By limiting the routing information to those VPNs that traverse the PE, it can be assured that the CE devices that are not members of the respective VPN cannot gain access to the network.

[0023] Group key management protocols help to ensure that only members of a secure group can gain a...


Abstract

A method and apparatus is disclosed which enables detection of undesired packets received at a device in a network, where the device is a member of a group of devices in the network. A registration table stores transform identifiers for each member of a group and controls the forwarding of the transform identifiers to the members of the group as members are added and deleted. A transform identifier indicates a format or transformation of a packet transmitted by an associated member. The transform identifier can therefore be used at a receiving device to distinguish between transmissions by different members of the group, thereby enabling the receiving device to extract sequence information associated with the member from the packet. The sequence information can be compared against an expected sequence number for the member to determine whether the packet is an undesirable or rogue packet.
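A sketch of the receiver-side check the abstract describes, as an added example that is not taken from the patent: each registered member's transform identifier selects its own anti-replay state, so two members sharing one group SA can both send sequence number 1 without colliding. The 6-byte header layout, the 64-packet sliding window (the abstract only says "expected sequence number"), and all names are assumptions.

```python
import struct

WINDOW = 64  # assumed window size; the page does not specify one


def make_packet(transform_id, seq, payload=b""):
    # Constructed layout: 2-byte transform id, 4-byte sequence number, payload.
    return struct.pack("!HI", transform_id, seq) + payload


class GroupReplayFilter:
    """Per-member anti-replay state for one shared group SA (hypothetical)."""

    def __init__(self):
        self.members = {}  # transform id -> [highest seq accepted, bitmap]

    def register(self, transform_id):      # member added to the group
        self.members[transform_id] = [0, 0]

    def deregister(self, transform_id):    # member deleted from the group
        self.members.pop(transform_id, None)

    def accept(self, packet):
        # A real receiver verifies the packet's integrity check before
        # updating any state; that step is omitted here.
        if len(packet) < 6:
            return False
        tid, seq = struct.unpack("!HI", packet[:6])
        state = self.members.get(tid)
        if state is None or seq == 0:
            return False                   # unknown sender or invalid number
        top, bitmap = state
        if seq > top:                      # new highest: slide the window
            bitmap = ((bitmap << (seq - top)) | 1) & ((1 << WINDOW) - 1)
            state[0], state[1] = seq, bitmap
            return True
        offset = top - seq
        if offset >= WINDOW or (bitmap >> offset) & 1:
            return False                   # too old, or already seen (replay)
        state[1] = bitmap | (1 << offset)  # late but new: mark as seen
        return True


def demo():
    f = GroupReplayFilter()
    f.register(0x0A)
    f.register(0x0B)
    # Constructed trace: (transform id, sequence number)
    trace = [(0x0A, 1), (0x0A, 3), (0x0B, 1), (0x0A, 2), (0x0A, 3), (0x0C, 1)]
    return [f.accept(make_packet(t, s)) for t, s in trace]
```

In the constructed trace, member 0x0B's first packet is accepted even though member 0x0A has already reached sequence number 3, while the repeated 0x0A packet and the packet from the unregistered identifier 0x0C are rejected.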

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application is a continuation of U.S. patent application Ser. No. 10/864,146, titled Method and Apparatus for Providing Replay Protection in Systems Using Group Security Associations, filed Jun. 9, 2004, which claims priority to provisionally filed U.S. application Ser. No. 60/502,537 filed Sep. 12, 2003.

FIELD OF THE INVENTION

[0002] This invention relates generally to the field of secure communications and more particularly to a method and apparatus for detecting undesired packets in a networked environment.

BACKGROUND OF THE INVENTION

[0003] As it is known in the art, Internet Protocol Security (IPsec) is a security protocol that provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for services, and put in place any cryptographic keys required to provide the requested services. IPsec can be used to protect one or more paths between a pair of hosts, betwe...


Application Information

Patent Type & Authority: Applications (United States)
IPC(8): H04L29/06
CPC: H04L63/1408, H04L63/0272, H04L63/08, H04L63/104, H04L63/166
Inventor: DONDETI, LAKSHMINATH; FEDYK, DONALD; HE, HAIXIANG
Owner: RPX CLEARINGHOUSE