
HK1100111B - Bridged cryptographic vlan - Google Patents

Bridged cryptographic VLAN

Info

Publication number
HK1100111B
Authority
HK
Hong Kong
Prior art keywords
vlan
port
frame
bridge
group
Application number
HK07107921.2A
Other languages
Chinese (zh)
Other versions
HK1100111A1 (en)
Inventor
Dennis Michae Volpano
赵新华
Original Assignee
Microsoft Technology Licensing, LLC
Priority claimed from US10/057,566 (US7188364B2)
Priority claimed from US10/286,634 (US7120791B2)
Application filed by Microsoft Technology Licensing, LLC
Publication of HK1100111A1
Publication of HK1100111B

Abstract

The invention comprises three extensions of the IEEE 802.1Q VLAN bridge model. The first extension is the cryptographic separation of VLANs over trunk links. A LAN segment type referred to as an encapsulated LAN segment is introduced; all frames on such a segment are encapsulated according to an encryption and authentication code scheme. The second extension is the division of a trunk port into inbound and outbound ports. The third extension is a protocol that automatically infers, for each outbound port in a bridged VLAN, a set of LAN segment types for the port that minimizes the number of transfers between encapsulated and unencapsulated segments required to transport a frame in the bridged VLAN.

Description

Bridging encrypted VLANs
Technical Field
The present invention relates to VLANs. In particular, the present invention relates to a bridged encrypted VLAN.
Background
Basic VLAN concept
Fig. 1 shows a simple port-based VLAN 10 that includes two VLANs, VLAN A 13 and VLAN B 15. The VLAN to which an untagged frame received at a port belongs is determined either by the Port VLAN ID (PVID) assigned to the receiving port or by the VLAN ID (VID) associated with the link-layer protocol carried in the frame (see IEEE Std 802.1v-2001, Virtual Bridged Local Area Networks, Amendment 2: VLAN Classification by Protocol and Port). Because bridges 12 and 14 are connected by a trunk link 16 that can carry frames from multiple VLANs, a method of carrying VLAN information between the bridges is needed. For this purpose a VLAN tag is added to each frame; such frames are referred to as VLAN-tagged frames.
Trunk links
A trunk link is a LAN segment used to multiplex VLANs between VLAN bridges (see IEEE Std 802.1v-2001, Virtual Bridged Local Area Networks, Amendment 2: VLAN Classification by Protocol and Port). Every device attached to a trunk link must be VLAN-aware, that is, it must know the VLAN membership and the VLAN frame format. All frames on a trunk link, including end-station frames, are VLAN-tagged, meaning that they carry a non-null VID. No end station that cannot identify a VLAN may be attached to a trunk link.
The trunk link 16 in Fig. 1 is a multiplexed LAN segment shared by the two bridges 12, 14. In general, any number of VLAN-aware bridges may be attached to a trunk link.
An access link 11 is a LAN segment on which VLANs are not multiplexed. Instead, each access link carries either untagged frames or VLAN-tagged frames belonging to a single VLAN. If the frames are tagged, all frames on the segment carry the same VID and the end stations on the segment must be VLAN-aware.
The current state of VLAN technology has various limitations. One problem is the cryptographic separation of VLANs on a trunk link. Solving this problem in turn creates an opportunity for efficient transfer of frames between encrypted and unencrypted LAN segments that represent a single VLAN.
Disclosure of Invention
The present invention encompasses three extensions of the IEEE 802.1Q VLAN bridging model (see IEEE Std 802.1Q-1998, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks). The first extension is the cryptographic separation of VLANs over a trunk link. A new LAN segment type, referred to herein as the encapsulated segment type, is introduced; all frames on such a segment are encapsulated according to an encryption and authentication code scheme. The second extension is the division of a trunk port into an ingress trunk port and an egress trunk port. The third extension is a protocol, referred to herein as the Transfer Point Protocol (TPP), that automatically infers, for each outbound trunk port in a bridged VLAN, a set of LAN segment types for the port that minimizes the number of transfers between encapsulated and unencapsulated segments required to transport a frame in the bridged VLAN.
Drawings
FIG. 1 is a block diagram showing a port-based VLAN;
FIG. 2 is a block diagram showing a bridged encrypted VLAN according to the present invention;
FIG. 3 is a flow chart showing the construction of a forwarding group according to the present invention;
FIG. 4 is a block diagram showing a bridged encrypted VLAN with two wireless trunk links according to the present invention;
FIG. 5 is a block diagram showing symmetric labelling of outbound ports in a bridged encrypted VLAN according to the present invention;
FIG. 6 is a block diagram showing asymmetric labelling of outbound ports in a bridged encrypted VLAN according to the present invention;
FIG. 7 is a block diagram showing a purely encapsulated trunk link in a bridged encrypted VLAN according to the present invention;
FIG. 8 is a flow chart showing the TPP message exchange when bridge 1 of FIG. 7 initiates an announcement frame for the VLAN according to the present invention;
FIG. 9 is a block schematic diagram showing the labels of the outbound ports after bridges 1 and 2 of FIG. 7 are interchanged according to the present invention; and
FIG. 10 is a block schematic diagram showing the labels of the outbound ports in a bridged encrypted VLAN having a bridge with three trunk ports according to the present invention.
Detailed Description
LAN segment type
Each of the following three LAN segment types may represent a Virtual Local Area Network (VLAN): an untagged segment, a tagged segment and an encapsulated segment. The IEEE 802.1Q standard discusses only the tagged and untagged segment types (see IEEE Std 802.1Q-1998, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks). The bridging semantics specified by the standard apply only to traffic passing between tagged and untagged segments representing the same VLAN. The present invention extends the bridging semantics to cover the transport of traffic between an unencapsulated segment (tagged or untagged) and an encapsulated segment of the same VLAN. In general, any number of LAN segment types may be introduced.
Each segment type representing a VLAN has a frame type. There are three frame types in a bridged encrypted VLAN: untagged frames, VLAN-tagged (also called tagged) frames and encapsulated frames. The first two belong to the IEEE 802.1Q standard (see IEEE Std 802.1Q-1998, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks). An encapsulated frame is cryptographically encapsulated. Each encapsulated frame also carries a VLAN tag, but it differs from the tag carried by the tagged frames of the same VLAN. Two unique VLAN tags are thus associated with each VLAN: VID-T for the VLAN's tagged frames and VID-E for its encapsulated frames.
For each VLAN there is a unique security association containing a cryptographic authentication key, used to check the integrity and authenticity of frames tagged as belonging to the VLAN, and an encryption key, used to ensure the privacy of all frames belonging to the VLAN.
The preferred encapsulation scheme is encrypt-then-MAC: the data payload of a frame is encrypted, and a message authentication code is then computed over the resulting ciphertext and the sequence number of the frame. This scheme has two main advantages: it can facilitate forward error correction when used with certain block ciphers and modes of operation, and it allows a frame to be authenticated without decrypting it.
One tagged port group, one untagged port group and one encapsulated port group are associated with each VLAN. The VLAN's security association may be used to verify the authenticity and integrity of each frame tagged as belonging to the VLAN and received at a port in the VLAN's encapsulated group; the port's ingress-filtering rule determines whether this check is performed. The association may also be used to cryptographically encapsulate tagged and untagged frames belonging to the VLAN before they are sent out of a port in the VLAN's encapsulated group.
Trunk ports
Each trunk port has an ingress port and an egress port. The trunk link between two trunk ports P1 and P2 connects the ingress port of P1 to the egress port of P2 and the egress port of P1 to the ingress port of P2. Thus the LAN segment type group to which an ingress port belongs is that of the egress port to which it is connected, and to assign all trunk ports in a bridged VLAN to LAN segment type groups, only the egress ports need to be assigned.
The ingress and egress ports of a trunk port may belong to different LAN segment type groups. For example, the egress port of a trunk port may belong to the tagged group of a VLAN while its ingress port belongs to the encapsulated group of the VLAN, in which case only encapsulated frames of the VLAN are received on the ingress port and only tagged frames are sent from the egress port.
Unlike access ports, the ingress or egress port of a trunk port may belong to both the tagged group and the encapsulated group of a VLAN.
The 802.1Q standard (see IEEE Std 802.1Q-1998, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks) does not divide a trunk port into ingress and egress ports; there, the ingress and egress ports are the same port. Thus, for a given trunk port in 802.1Q, the inbound and outbound frame types are always the same.
Fig. 2 illustrates a bridged encrypted VLAN. Ports P1 (20) and P2 (21) are access ports, one for VLAN A 28 and the other for VLAN B 29, with access links 30, 31. A trunk link 16 connects the two bridges 12a, 14a via trunk ports P3 (22) and P4 (23). P3 has an ingress port P3i and an egress port P3o; P4 has an ingress port P4i and an egress port P4o. P4i is connected to P3o and P4o is connected to P3i. Frames received at P4 arrive on ingress port P4i and frames sent from P4 leave via egress port P4o. Frames received at P3 arrive on ingress port P3i and frames sent from P3 leave via egress port P3o.
Ports P5 (24) and P6 (25) are connected to the wireless access link 30. In the preferred embodiment they are actually virtual ports sharing a single radio interface (access point) over which frames are sent and received by RF (radio frequency). Although VLANs A 28 and B 29 share the same RF medium, they may be represented by different encapsulated segments: an end station in VLAN A, for example, may receive but cannot decipher any frame belonging to VLAN B. Thus distinct access links 32, 33 may be drawn for A and B, although the only physical distinction between the two links is the encryption.
Assume that P1 receives only untagged frames and P2 receives only tagged frames. Further assume that the trunk link carries tagged frames in both directions and the wireless access link carries only encapsulated frames. Then for VLAN A the untagged group is {P1}, the tagged group is {P3o, P3i, P4o, P4i} and the encapsulated group is {P5}; for B the groups are { }, {P2, P3o, P3i, P4o, P4i} and {P6}, respectively.
If the ingress filtering rules at P5 specify that authenticity is to be checked, a frame received at P5 is authenticated using VLAN A's security association. If authentication succeeds, the frame is determined to be a member of A's encapsulated segment. Assume the frame must be forwarded to P4. Bridge 2 uses the same security association to decapsulate the frame. The bridge forwards the decapsulated frame to P4o with its tag replaced by the tag A-T, thereby transferring the frame from A's encapsulated segment to its tagged segment. Conversely, a frame arriving at P4i and destined for P5 is encapsulated using A's security association. The tag A-T is replaced by the tag A-E, which transfers the frame from A's tagged segment to its encapsulated segment.
There are many variations of the example of Fig. 2. For example, it may be necessary to protect only the traffic of VLAN B. In this case P5 does not belong to A's encapsulated group. Only frames received at P6 (i.e., frames with tag B-E) need to be authenticated, and only tagged frames received at P4i that belong to B and are destined for P6 need to be encapsulated.
Bridging semantics
Consider a VLAN bridge having multiple ports. Assume a frame is received at port P. It is assigned to a VLAN in one of several ways. If P is a trunk port, the frame must carry a VLAN tag VID, in the form of either VID-T or VID-E (each of which identifies the VLAN); otherwise the frame is discarded. If P is not a trunk port, port-based or protocol-based VLAN classification may be used to assign the frame to a VLAN (see IEEE Std 802.1v-2001, Virtual Bridged Local Area Networks, Amendment 2: VLAN Classification by Protocol and Port).
Ingress filtering
If P is a trunk port and is not in the tagged or encapsulated group of the VID, the frame is discarded. The ingress filtering rules of a port may specify authentication and integrity checks for certain VLANs. If P is a port whose ingress filtering rules require authentication and integrity checks for VLAN VID, a frame received at P must carry the VLAN tag VID-E; otherwise the frame is discarded. In a preferred embodiment, the authentication code is computed over the ciphertext and the sequence number of the received frame using the security association of VID. If the computed authentication code does not match the authentication code received in the frame, the frame is discarded; otherwise the frame is determined to belong to the encapsulated segment of VID.
If P is not in the tagged group of VID but is connected to a VLAN-tagged access link, the received frame is discarded.
Forwarding procedure
The forwarding process begins by constructing a target port group Q: the set of ports to which frames belonging to a particular VLAN must be forwarded. Assume the frame received at port P belongs to VLAN VID. If the frame must be flooded, Q contains every outbound or access port that is a member of the tagged, untagged or encapsulated group of VID. The next step is to reduce Q, which is done if and only if P is the ingress port of a trunk port belonging to both the tagged and the encapsulated group of VID. In this case, if the received frame is a tagged frame, every port in the encapsulated group of VID that does not belong to the tagged group of VID is removed from Q; if the received frame is an encapsulated frame, every port in the encapsulated group of VID that belongs to neither the tagged nor the untagged group is removed from Q. Since the ingress port belongs to both LAN segment type groups of VID, it must receive frames of each type, so reducing the target port group in this way is sound. The properties of the transfer point protocol ensure that the reduction never yields an empty target port group; shrinking to an empty group would mean the bridge received a frame it should not have received.
The next step in the forwarding process is to construct a forwarding group for the received frame. This is the set of frames to be forwarded as a result of a frame belonging to VID being received at port P; they are the frames needed to transport traffic from one LAN segment of the VLAN to another. The table shown in Fig. 3 is used to construct the forwarding group. The frame received at P belongs to a LAN segment of class K (tagged, untagged or encapsulated) of VID. Similarly, each port in Q belongs to a class of LAN segment, namely the type of the VID port group to which it belongs; a trunk port may belong to two group types, tagged and encapsulated. For each port q in Q, a frame is added to the forwarding group according to rule (K, K') in the table of Fig. 3, where K' is the class of the VID port group to which q belongs.
The rules for constructing a forwarding group for a received frame are as follows:
(1) The received frame is added to the forwarding group.
(2) The VLAN tag VID-T is added to the received frame; the result is added to the forwarding group.
(3) The received frame is cryptographically encapsulated using the security association of VID; the resulting frame is tagged with VID-E and added to the forwarding group.
(4) VID-T is removed from the received frame; the untagged frame is added to the forwarding group.
(5) The ciphertext of the received frame is decrypted using the security association of VID; the resulting frame is untagged and added to the forwarding group.
(6) The ciphertext of the received frame is decrypted using the security association of VID; the resulting frame is tagged with VID-T and added to the forwarding group.
In the presently preferred embodiment, a forwarding group may contain up to three frames, corresponding to the three types of LAN segment that may represent a VLAN. The forwarding process forwards the frames of the forwarding group as follows:
(1) The forwarding process queues the untagged frame in the forwarding group (if any) for transmission at each port in Q that belongs to the untagged group of VID.
(2) The forwarding process queues the VLAN-tagged frame in the forwarding group (if any) for transmission at each port in Q that belongs to the tagged group of VID.
(3) The forwarding process queues the encapsulated frame in the forwarding group (if any) for transmission at each port in Q that belongs to the encapsulated group of VID.
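The ingress authentication check, the encrypt-then-MAC encapsulation and the forwarding-group construction described above, as an added example that is not code from the patent. The (K, K') mapping is reconstructed from the six listed rules, since the table of Fig. 3 is not reproduced here; the HMAC-SHA256 keystream is a stand-in for the unspecified block cipher, the tags VID-T and VID-E are modelled as strings, and the reduction of Q is not modelled.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

UNTAGGED, TAGGED, ENCAPSULATED = "U", "T", "E"   # the three LAN segment types


@dataclass
class SecurityAssociation:
    """Per-VLAN association: K_v for payload privacy, K'_v for the authentication code."""
    vid: int
    enc_key: bytes
    mac_key: bytes


@dataclass
class Frame:
    kind: str             # segment type of the frame: UNTAGGED, TAGGED or ENCAPSULATED
    tag: Optional[str]    # None, "<vid>-T" or "<vid>-E" (the two tags of one VLAN)
    payload: bytes        # plaintext for U/T frames, ciphertext for E frames
    seq: int = 0          # sequence number covered by the authentication code
    mac: bytes = b""      # authentication code, present on E frames only


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 run in counter mode under K_v and the
    # frame sequence number. The patent names no cipher; a real bridge would use an AEAD.
    out, ctr = b"", 0
    while len(out) < n:
        block = seq.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encapsulate(frame: Frame, sa: SecurityAssociation, seq: int) -> Frame:
    """Rule 3, encrypt-then-MAC: encrypt the payload, then MAC ciphertext || seq."""
    ct = _xor(frame.payload, _keystream(sa.enc_key, seq, len(frame.payload)))
    mac = hmac.new(sa.mac_key, ct + seq.to_bytes(8, "big"), hashlib.sha256).digest()
    return Frame(ENCAPSULATED, f"{sa.vid}-E", ct, seq, mac)


def authenticate(frame: Frame, sa: SecurityAssociation) -> bool:
    """Ingress filtering: the frame must carry VID-E, and the code recomputed over
    ciphertext || seq must match. No decryption is needed. False means discard."""
    if frame.kind != ENCAPSULATED or frame.tag != f"{sa.vid}-E":
        return False
    expected = hmac.new(sa.mac_key, frame.payload + frame.seq.to_bytes(8, "big"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame.mac)


def decapsulate(frame: Frame, sa: SecurityAssociation, kind: str) -> Frame:
    """Rules 5 and 6: decrypt, then emit the frame untagged (5) or tagged VID-T (6)."""
    pt = _xor(frame.payload, _keystream(sa.enc_key, frame.seq, len(frame.payload)))
    return Frame(kind, f"{sa.vid}-T" if kind == TAGGED else None, pt)


def convert(frame: Frame, target: str, sa: SecurityAssociation, seq: int = 0) -> Frame:
    """Rule (K, K'): K is the received frame's type, K' the type of the target port group.
    The (K, K') mapping is reconstructed here from the six rules listed in the text."""
    k = frame.kind
    if k == target:                              # rule 1: forward the frame as received
        return frame
    if target == ENCAPSULATED:                   # rule 3: U or T -> E
        return encapsulate(frame, sa, seq)
    if k == UNTAGGED and target == TAGGED:       # rule 2: add VID-T
        return Frame(TAGGED, f"{sa.vid}-T", frame.payload)
    if k == TAGGED and target == UNTAGGED:       # rule 4: strip VID-T
        return Frame(UNTAGGED, None, frame.payload)
    return decapsulate(frame, sa, target)        # rules 5 and 6: E -> U or E -> T


def forwarding_group(frame: Frame, q_groups: dict, sa: SecurityAssociation,
                     seq: int = 0) -> dict:
    """q_groups maps each port in the target group Q to the set of VID group types it
    belongs to. Builds at most one frame per segment type, so each encryption or
    decryption is performed once and shared by every port of that type."""
    group = {}
    for kinds in q_groups.values():
        for k2 in kinds:
            if k2 not in group:
                group[k2] = convert(frame, k2, sa, seq)
    return group


def queue_frames(fgroup: dict, q_groups: dict) -> dict:
    """Steps (1)-(3): queue at each port of Q the frame(s) of the group type(s) it is in."""
    return {port: [fgroup[k] for k in sorted(kinds)] for port, kinds in q_groups.items()}
```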
Frame transmission
Within a bridged encrypted VLAN, measures are taken to eliminate redundant transfers between LAN segments representing the same VLAN. For example, in a bridged VLAN it is desirable to avoid transferring an unencapsulated frame into the encapsulated segment of the VLAN more than once, since each such transfer requires encryption. The encapsulation should be done only once and shared by all egress ports, on all bridges, that belong to the encapsulated group of the VLAN. Similarly, it is desirable to avoid repeated decapsulation as a frame passes through the bridges, since each decapsulation requires decryption.
For example, consider the bridged LAN of Fig. 4. Assume that the ports of bridges 1 (41) and 2 (42) to which the wireless trunk link 43 is connected belong to the encapsulated group of VLAN B 44. If the trunk link 45 carries only VLAN-tagged frames, frames belonging to VLAN B and received at bridge 1 must be encapsulated at both bridge 1 and bridge 2. If, however, the trunk link carries encapsulated frames, encapsulation need be done only at bridge 1 and bridge 2 can share it.
There are also situations in which encapsulation in a bridged LAN takes place too early, so that encapsulated frames are sent over a trunk link unnecessarily. For each VLAN there is an encapsulation and decapsulation transfer point that minimizes cryptographic operations. The transfer point protocol (discussed below) infers this transfer point between the segments.
Transfer point protocol
The minimum spanning tree algorithm reduces any bridged LAN to a spanning tree whose nodes are bridges and whose edges are trunk links. The spanning tree induces a partial order on the bridges: for example, B1 < B2 where bridge B1 is the parent of B2 in the spanning tree. The least bridge is the root of the spanning tree. The set of bridges together with this partial order forms a complete partial order, so every non-empty subset of bridges has a least upper bound.
For a frame received at the root of the spanning tree, the least upper bound of all bridges that need the received VLAN frame to belong to a particular one of the LAN segments representing the VLAN is the transfer point at which the received frame is converted into a frame for that LAN segment.
The Transfer Point Protocol (TPP) consists of two link-layer protocols: TPP-T, for adding outbound trunk ports to the tagged group of a VLAN, and TPP-E, for adding outbound trunk ports to the encapsulated group of a VLAN. The trunk ports are distributed over all bridges that bridge the VLAN. For example, TPP-E determines that the outbound trunk port connecting bridge 1 to bridge 2 in Fig. 4 must be a member of the encapsulated group of VLAN B. In this way the wireless trunk ports at bridge 2 can share the encapsulation performed by bridge 1 for its outbound wireless trunk port.
TPP assumes that each access port has been assigned to the tagged, untagged or encapsulated group of its VLAN before it runs, because TPP uses this information to infer the groups to which the outbound trunk ports in the bridged VLAN belong. TPP-E may assign an outbound trunk port to the encapsulated group of a VLAN while TPP-T assigns the same outbound port to the tagged group of the VLAN.
TPP has two frame types: announcement frames and reply frames. Each frame contains a VLAN ID and a source-bridge routing path, where each element of the path is a unique pair of a bridge MAC address and three bits, one for each LAN segment type (tagged, untagged and encapsulated). The tagged bit is high if and only if the bridge addressed by the pair has an access port in the tagged group of the VLAN specified in the frame. The untagged and encapsulated bits are set in the same way.
A bridge sends a TPP announcement frame (e.g., a GARP PDU) to a TPP group address (e.g., a GARP application address) via each of its outbound trunk ports, for each VLAN it knows. When a bridge receives an announcement frame, it appends its own pair for the VLAN designated in the frame to the right end of the path and forwards the frame to each of its enabled outbound trunk ports other than the receiving trunk port. If it has no other such port, it sends the final routing path and the received VID in a TPP reply frame to the MAC address that precedes it in the routing path. The originating bridge of an announcement frame creates a path consisting only of its own pair. When a bridge receives a TPP reply frame on an ingress trunk port, it forwards the reply frame to the bridge MAC address that precedes it in the path; if there is no such bridge, the frame is discarded.
TPP-E
When a bridge receives a TPP reply frame on a trunk port, it adds the egress port of that trunk port to the encapsulated group of the VID in the frame if and only if the encapsulated bit of a bridge B following it in the routing path is high, and either
a) the receiving bridge has a tagged or untagged access port for the VID and no bridge after the receiving bridge (up to and including B) in the routing path has a high tagged or untagged bit; or
b) the receiving bridge has an encapsulated access port for the VID, or is preceded in the routing path by a bridge with a high encapsulated bit.
TPP-T
When a bridge receives a TPP reply frame on a trunk port, it adds the egress port of that trunk port to the tagged group of the VID in the frame if and only if the tagged or untagged bit of a bridge B following it in the routing path is high, and either
a) the receiving bridge has an encapsulated access port for the VID and no bridge after the receiving bridge (up to and including B) in the routing path has a high encapsulated bit; or
b) the receiving bridge has a tagged or untagged access port for the VID, or is preceded in the routing path by a bridge with a high tagged or untagged bit.
Examples of the invention
Example 1
Consider the case in which a single VLAN is bridged. Every access port is assumed to belong to this VLAN, so the VLAN tag of each port is omitted in the example. Instead, outbound trunk ports are labelled with LAN segment types: T (tagged), U (untagged) and E (encapsulated). If an outbound port is labelled U, for example, the port belongs to the untagged group of the VLAN.
Initially, each access port of the VLAN is labelled according to the group type to which it belongs. The trunk ports are initially unlabelled; TPP is responsible for inferring their labels. Fig. 5 shows a bridged VLAN 50 in which two bridges 51, 52 are connected to each other by a trunk link 53. Each bridge has two access ports. Since each bridge has an untagged and an encapsulated access port, TPP infers that each outbound port of the trunk link belongs to both the tagged and the encapsulated group of the VLAN. Each ingress port also belongs to these groups.
Each outbound port is a member of the tagged group according to rule TPP-T(b). Each bridge infers this fact when it initiates a TPP announcement frame. Thus the encryption and decryption performed by each bridge can be shared with the other bridge.
Example 2
In FIG. 6, bridge 1 (61) has an untagged access port and bridge 2 (62) has an encapsulated access port. Thus, outbound port 63 of bridge 1 is a member of the encapsulated group according to rule TPP-E(a), while outbound port 64 of bridge 2 is a member of the tagged group according to rule TPP-T(a).
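The announcement/reply exchange and rules TPP-E and TPP-T, applied exactly as stated above, as an added example that is not the patent's own code: it labels every outbound trunk port of a spanning tree for one VLAN and reproduces the results of Examples 1 and 2 (Figs. 5 and 6). The bridge names and the letters T, U and E for the access-port groups are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PathEntry:
    """One element of a TPP routing path: a bridge address and its three access-port bits."""
    bridge: str
    tagged: bool         # bridge has an access port in the VLAN's tagged group
    untagged: bool       # ... in the VLAN's untagged group
    encapsulated: bool   # ... in the VLAN's encapsulated group


def _tu(e: PathEntry) -> bool:
    return e.tagged or e.untagged


def tpp_e(path: list, i: int) -> bool:
    """TPP-E for the bridge path[i], deciding about its egress port toward path[i+1]:
    some B after it has a high encapsulated bit, and (a) it has a tagged/untagged access
    port and no bridge after it up to and including B has a high tagged/untagged bit, or
    (b) it has an encapsulated access port or is preceded by a bridge with a high E bit."""
    r = path[i]
    for j in range(i + 1, len(path)):
        if not path[j].encapsulated:
            continue
        cond_a = _tu(r) and not any(_tu(x) for x in path[i + 1 : j + 1])
        cond_b = r.encapsulated or any(x.encapsulated for x in path[:i])
        if cond_a or cond_b:
            return True
    return False


def tpp_t(path: list, i: int) -> bool:
    """TPP-T: the same rule with the encapsulated and tagged/untagged bits swapped."""
    r = path[i]
    for j in range(i + 1, len(path)):
        if not _tu(path[j]):
            continue
        cond_a = r.encapsulated and not any(x.encapsulated for x in path[i + 1 : j + 1])
        cond_b = _tu(r) or any(_tu(x) for x in path[:i])
        if cond_a or cond_b:
            return True
    return False


def run_tpp(access: dict, links: list) -> dict:
    """access: {bridge: set of 'T', 'U', 'E'} giving each bridge's access-port groups for
    one VLAN; links: trunk links of the spanning tree as (bridge, bridge) pairs.
    Returns {(bridge, neighbour): set of groups} for every outbound trunk port."""
    adj = {b: set() for b in access}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)

    def entry(b: str) -> PathEntry:
        return PathEntry(b, "T" in access[b], "U" in access[b], "E" in access[b])

    labels = {(a, b): set() for a in adj for b in adj[a]}

    def announce(path: list, seen: set) -> None:
        # Announcement frame: each bridge appends its pair and forwards on every other
        # outbound trunk port; a bridge with no other trunk port returns a reply frame.
        nxt = [n for n in adj[path[-1].bridge] if n not in seen]
        if not nxt:
            # The reply travels back along the path; each bridge on it applies TPP-T and
            # TPP-E to the egress port of the trunk port the reply arrived on.
            for i in range(len(path) - 1):
                port = (path[i].bridge, path[i + 1].bridge)
                if tpp_t(path, i):
                    labels[port].add("T")
                if tpp_e(path, i):
                    labels[port].add("E")
            return
        for n in nxt:
            announce(path + [entry(n)], seen | {n})

    for origin in access:          # every bridge originates an announcement for the VLAN
        announce([entry(origin)], {origin})
    return labels


# Constructed inputs matching Figs. 5 and 6 of the text (bridge names are placeholders).
FIG5 = run_tpp({"B1": {"U", "E"}, "B2": {"U", "E"}}, [("B1", "B2")])
FIG6 = run_tpp({"B1": {"U"}, "B2": {"E"}}, [("B1", "B2")])
```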
Example 3
FIG. 7 illustrates a purely encapsulated trunk link. All frames on the link are encapsulated, yet they are not encrypted at either bridge 2 or bridge 3.
Fig. 8 shows the TPP message exchange between bridges 1 (71), 2 (72) and 3 (73) when bridge 1 (71) of Fig. 7 initiates an announcement frame for the VLAN, which in this example is called "B".
Example 4
If bridges 1(71) and 2(72) in fig. 7 are interchanged, the result is the bridged encrypted VLAN of fig. 9.
Example 5
Fig. 10 shows a bridge 82 with three trunk ports, each connected to another bridge 81, 83, 84. The outbound port of the trunk port of bridge 4 (84) belongs to both the tagged and the encapsulated group, while the outbound port of bridge 2 (82) connected to the ingress port of bridge 4 is a member of the encapsulated group only.
TPP may be run repeatedly to infer changes in the transfer points. How often it runs, and how many bridges it affects, depends on the movement of access links. For example, if an end station is wireless, its movement relative to the bridged LAN may cause its encapsulated access link to be relocated. Until TPP is re-run, the VLAN has redundant transfers.
A bridged VLAN may include bridges that do not participate in TPP. In general, one or more encrypted VLAN bridges may have trunk ports connected to legacy VLAN bridges. If each such trunk port is instead treated as a set of virtual tagged access ports (one for each VLAN tag that can be sent over the trunk link), TPP can still be run to infer the transfer points between the participating bridges. There may, however, be redundant transfers across the bridged LAN. For example, if a non-participating core switch separates two encrypted VLAN bridges, each having an access port in the encapsulated group of the same VLAN, traffic between these encapsulated segments is decrypted as it enters the core switch and re-encrypted after it leaves. Observe that if the core switch has no access ports belonging to any tagged or untagged group of the VLAN, no encryption or decryption step is needed at all. In this case TPP may treat the virtual access port for each VLAN tag as an encapsulated access port rather than a tagged access port. All traffic between the two encapsulated segments can then pass transparently through the core switch as encapsulated frames, since every encapsulated frame is a VLAN-tagged frame.
Group security
An encrypted VLAN v is defined as a group of m stations with a unique security association. The association consists of:
a) an encryption key K_v;
b) an authentication key K'_v;
c) a distribution key K''_v; and
d) m random values R_1, R_2, ..., R_m.
The encryption key is a symmetric key used by v-aware bridges and the stations of v to encrypt and decrypt frames belonging to v. All v-aware bridges and the stations of v use K'_v to compute and verify authentication codes on the encrypted frames of v.
Each of the m stations has a random value. The j-th station of the group knows all m random values except R_j. The m-1 values it knows are delivered to it by a v-aware bridge. Their privacy is ensured by encrypting them with the distribution key K''_v, and their authenticity by computing an authentication code over the resulting ciphertext with the authentication key K'_v.
Joining an encrypted VLAN
Joining an encrypted VLAN is a two-step procedure:
a) adding the new station to the group; and
b) enabling all other stations in the group to subsequently exclude the new station.
A user's station joins an encrypted VLAN v through a mutual authentication protocol run between the user (via the station) and an authenticator residing on a v-aware bridge. If mutual authentication succeeds, a short-lived secure channel is created between the bridge and the new station, over which K_v, K'_v and R_1, R_2, ..., R_m are securely transmitted from the bridge to the station; the second step of the joining procedure is then performed. Otherwise the procedure terminates immediately. In the second step, the same v-aware bridge selects a new random value R_(m+1) for the new station and distributes it, in one broadcast frame, to all v-aware bridges and to the stations making up v; the frame is encrypted with K''_v and carries an authentication code computed over the ciphertext with K'_v. The bridge then creates a new distribution key for v and places it in a broadcast frame, encrypted with K_v and carrying an authentication code computed over the ciphertext with K'_v, that is distributed to all v-aware bridges and members of v (including the new station).
Although the new station can verify the broadcast that contains its own random value R_(m+1), it cannot decrypt it, because it does not possess the key K''_v.
Leaving an encrypted VLAN
A subgroup of the stations may leave the encrypted VLAN v at the same time (possibly unintentionally). Assume that stations 1, ..., k leave. When this occurs, a bridge that recognizes v detects it and announces the departure of stations 1, ..., k in a single broadcast frame that carries an authentication code computed over the frame with K'_v. This broadcast announces the departure of stations 1, ..., k to every bridge that recognizes v and to every station in the group. Each such bridge and station then attempts to rekey the encryption key, the authentication code key and the distribution key of v, each as a function of the old key and the random values R_1, ..., R_k. As a result, every bridge that recognizes v and all remaining stations of v share a new security association that includes k fewer random values.
Unlike a station, each bridge that recognizes v always has v's current distribution key. Each such bridge therefore always has the full set of random values of any subgroup leaving v, which allows it to always rekey the keys of v. The situation is different for the stations. The key update is a function of the random values of the departing stations, which these stations do not have; therefore they cannot perform the key update. Furthermore, forward confidentiality is guaranteed. A station that has left cannot become part of v again through subsequent rekeying, because each key update is a function of the current key, which means that every key derived thereafter will always be a function of random values unknown to that station. Such a station can become a member of v again only by joining v again.
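The following is an added model of the departure rekeying described above, not code from the patent: a bridge announces that stations leave in a frame authenticated under K'_v, and every member that holds the departing stations' random values derives the new keys as a function of each old key and R_1, ..., R_k. The concrete key-update function (HMAC-SHA256) and the station identifiers are assumptions; the page does not fix them.

```python
import hmac, hashlib, os

def mac(key: bytes, msg: bytes) -> bytes:
    # Authentication code over a frame; HMAC-SHA256 under K'_v is an assumption.
    return hmac.new(key, msg, hashlib.sha256).digest()

def rekey(old_key: bytes, departing: list[bytes], label: bytes) -> bytes:
    # Assumed key-update function: new key = f(old key, R_1..R_k of the departing stations).
    return hmac.new(old_key, label + b"".join(sorted(departing)), hashlib.sha256).digest()

class Member:
    """A bridge (holds K''_v) or a station (dist=None) sharing v's security association."""
    def __init__(self, enc, auth, dist, randoms):
        self.enc, self.auth, self.dist = enc, auth, dist
        self.randoms = dict(randoms)          # station id -> R_i known to this member

    def on_leave_frame(self, frame: bytes, code: bytes, leaving: list[str]) -> bool:
        # Verify the departure announcement with K'_v, then update all keys this member holds.
        if not hmac.compare_digest(mac(self.auth, frame), code):
            return False
        if any(s not in self.randoms for s in leaving):
            return False                      # lacks a departing station's random value
        rs = [self.randoms.pop(s) for s in leaving]
        self.enc = rekey(self.enc, rs, b"enc")
        self.auth = rekey(self.auth, rs, b"auth")
        if self.dist is not None:
            self.dist = rekey(self.dist, rs, b"dist")
        return True

def simulate_leave(leaving=("s1", "s2")):
    # Constructed state: one bridge and three stations s1, s2, s3 that joined in that order.
    enc, auth, dist = (os.urandom(32) for _ in range(3))
    randoms = {s: os.urandom(16) for s in ("s1", "s2", "s3")}
    bridge = Member(enc, auth, dist, randoms)
    # s3 joined last, so it received R_1..R_m for the earlier members (plus its own, assumed).
    s3 = Member(enc, auth, None, randoms)
    # s1 joined first; later random values were broadcast under K''_v, which s1 cannot decrypt.
    s1 = Member(enc, auth, None, {"s1": randoms["s1"]})
    frame = b"leave:" + ",".join(leaving).encode()
    code = mac(bridge.auth, frame)            # the bridge announces the departure
    return {
        "bridge_ok": bridge.on_leave_frame(frame, code, list(leaving)),
        "s3_ok": s3.on_leave_frame(frame, code, list(leaving)),
        "s1_ok": s1.on_leave_frame(frame, code, list(leaving)),
        "remaining_agree": bridge.enc == s3.enc and bridge.auth == s3.auth,
        "departed_has_new_key": s1.enc == bridge.enc,
    }
```

Running simulate_leave() shows the bridge and the remaining station s3 converge on the same new keys, while the departed station s1, which never learned s2's random value, cannot follow the rekey and is left holding only the old keys.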
Although the present invention has been described with reference to preferred embodiments, it will be readily apparent to those skilled in the art that other applications may be substituted for those set forth herein without departing from the spirit and scope of the present invention. Accordingly, the invention should be limited only by the claims included above.

Claims (1)

1. A method for sending frames in a bridged encrypted VLAN, comprising the steps of:
providing untagged frames and tagged frames according to the IEEE 802.1Q VLAN bridging model;
providing an encrypted encapsulated frame, said encapsulated frame being a tagged frame whose VLAN tag differs from all tags used in unencrypted tagged frames belonging to said VLAN;
providing a trunk port, wherein the trunk port is divided into an inbound trunk port and an outbound trunk port;
providing each segment of the bridged encrypted VLAN with one of the untagged, tagged and encapsulated frame types; and
communicating traffic between an unencapsulated segment and an encapsulated segment of the same VLAN based on the respective VLAN tags of the unencapsulated segment and the encapsulated segment.
HK07107921.2A 2002-11-01 2007-07-21 Bridged cryptographic vlan HK1100111B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US10/057,566 US7188364B2 (en) 2001-12-20 2002-01-25 Personal virtual bridged local area networks
US10/286634 2002-11-01
US10/286,634 US7120791B2 (en) 2002-01-25 2002-11-01 Bridged cryptographic VLAN

Publications (2)

Publication Number Publication Date
HK1100111A1 HK1100111A1 (en) 2007-09-07
HK1100111B true HK1100111B (en) 2010-12-10
