Abstract:
A method and system for providing limited access privileges through an untrusted terminal allows a user to perform privileged operations between the untrusted terminal and a remote terminal in a controlled manner. The user establishes a secure communications channel between the untrusted terminal and a credentials server and receives credentials over it. Once the credentials have been received, the secure channel is closed. The user then uses the credentials to perform privileged operations on the remote terminal through the untrusted terminal. The remote terminal grants only the limited privileges that the information in the credentials specifies, so the effect of any malicious action by the untrusted terminal is bounded and controlled.
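The issue/authorize split described in this abstract, as an added example in Go (not code from the patent): the credentials server binds a user to a short list of operations and a short lifetime and authenticates the credential with an HMAC; the remote terminal checks the MAC, the expiry and the requested operation. The abstract does not fix how the remote terminal validates credentials, so the shared key, the field layout and the function names here are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is what the credentials server hands the user over the secure
// channel. The remote terminal grants only the operations in Allowed, and only
// until Expires. The field layout is an assumption of this example.
type Credential struct {
	User    string   `json:"user"`
	Allowed []string `json:"allowed"`
	Expires int64    `json:"expires"` // Unix seconds
	MAC     string   `json:"mac"`     // hex HMAC-SHA256 over the other fields
}

// credentialsServerKey is a secret shared by the credentials server and the
// remote terminal. The abstract does not fix how the remote terminal checks
// the credentials; a shared key is assumed here for brevity. Constructed value.
var credentialsServerKey = []byte("constructed-shared-key-not-for-real-use")

// macOf computes the MAC over every field except MAC itself.
func macOf(c Credential, key []byte) string {
	c.MAC = ""
	body, _ := json.Marshal(c)
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// Issue is the credentials server: it binds the user to a short list of
// permitted operations and a short lifetime before handing the credential out.
func Issue(user string, allowed []string, ttl time.Duration, now time.Time, key []byte) Credential {
	c := Credential{User: user, Allowed: allowed, Expires: now.Add(ttl).Unix()}
	c.MAC = macOf(c, key)
	return c
}

// Authorize is the remote terminal's check. A credential the untrusted
// terminal has edited (extra operations, a later expiry) fails the MAC; one it
// replays after Expires is refused; an operation outside Allowed is refused
// even when the MAC is valid.
func Authorize(c Credential, op string, now time.Time, key []byte) error {
	if !hmac.Equal([]byte(macOf(c, key)), []byte(c.MAC)) {
		return errors.New("credential tampered with or not issued by the credentials server")
	}
	if now.Unix() >= c.Expires {
		return errors.New("credential expired")
	}
	for _, a := range c.Allowed {
		if a == op {
			return nil
		}
	}
	return fmt.Errorf("operation %q is outside the granted privileges", op)
}

func main() {
	now := time.Now()
	cred := Issue("alice", []string{"read:mail"}, 5*time.Minute, now, credentialsServerKey)
	fmt.Println(Authorize(cred, "read:mail", now, credentialsServerKey))
	fmt.Println(Authorize(cred, "delete:mail", now, credentialsServerKey))

	tampered := cred
	tampered.Allowed = []string{"read:mail", "delete:mail"}
	fmt.Println(Authorize(tampered, "delete:mail", now, credentialsServerKey))

	fmt.Println(Authorize(cred, "read:mail", now.Add(time.Hour), credentialsServerKey))
}
```

The credential is still a bearer token: anything the untrusted terminal does with it before Expires and within Allowed succeeds. That is the bounded exposure the abstract accepts; the short lifetime and narrow operation list are what keep it bounded.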
Abstract:
A method and apparatus for filtering packets in a network uses digital signatures. A filter point, such as a router or a firewall in front of an intranet, receives a packet that includes a header, detects whether a signature is present in the header, tests the validity of the signature using a public key, and forwards or drops the packet according to the result. A sender uses a private key obtained from an owner to generate the signature, which is computed over a fingerprint (digest) of the data in the packet; the abstract describes this as encrypting the fingerprint with the private key. Public keys are created by the owner, who installs them in the domain name system or on a certification server. Private keys are also created by the owner but are disseminated only to authorized senders. A method and apparatus for sending packets stores a private key in a memory of the data processor, generates a signature using the private key, installs the signature into a header of a packet, and sends the packet.
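The sender/filter-point exchange above, as an added Go example (not code from the patent): the sender signs a SHA-256 fingerprint of the packet with an Ed25519 private key and installs the signature in the header; the filter point looks up the owner's public key for the destination and forwards only a packet whose signature verifies. Ed25519, the fingerprint covering source and destination as well as payload, and the map standing in for the DNS or certification-server lookup are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Packet is a constructed stand-in for a network packet: a header carrying an
// optional signature, plus the payload the signature covers.
type Packet struct {
	Src, Dst  string
	Signature []byte // empty when the sender attached none
	Payload   []byte
}

// fingerprint is the digest the signature is computed over. The abstract signs
// "a fingerprint which corresponds to the data in the packet"; this example
// covers source, destination and payload so that a valid signature cannot be
// lifted onto a packet for a different destination (an assumption here).
func fingerprint(p Packet) []byte {
	h := sha256.New()
	h.Write([]byte(p.Src))
	h.Write([]byte{0})
	h.Write([]byte(p.Dst))
	h.Write([]byte{0})
	h.Write(p.Payload)
	return h.Sum(nil)
}

// Sign is the authorized sender: it holds a private key the owner disseminated
// to it and installs the signature into the header.
func Sign(p Packet, priv ed25519.PrivateKey) Packet {
	p.Signature = ed25519.Sign(priv, fingerprint(p))
	return p
}

// Filter is the filter point (router or firewall). OwnerKeys stands in for the
// public keys the owner published in DNS or on a certification server.
type Filter struct {
	OwnerKeys map[string]ed25519.PublicKey // destination -> owner's public key
}

// Forward returns true only when a signature is present and verifies under the
// key published for the packet's destination.
func (f Filter) Forward(p Packet) bool {
	pub, ok := f.OwnerKeys[p.Dst]
	if !ok || len(p.Signature) == 0 {
		return false
	}
	return ed25519.Verify(pub, fingerprint(p), p.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the owner creates the key pair
	f := Filter{OwnerKeys: map[string]ed25519.PublicKey{"10.0.0.5": pub}}

	good := Sign(Packet{Src: "192.0.2.1", Dst: "10.0.0.5", Payload: []byte("GET /")}, priv)
	fmt.Println("signed:", f.Forward(good))

	forged := good
	forged.Payload = []byte("rm -rf /") // payload altered after signing
	fmt.Println("tampered:", f.Forward(forged))

	unsigned := Packet{Src: "192.0.2.1", Dst: "10.0.0.5", Payload: []byte("GET /")}
	fmt.Println("unsigned:", f.Forward(unsigned))
}
```

The signature authenticates content and origin, not freshness: a captured signed packet verifies again if replayed. The abstract does not mention a sequence number or timestamp in the signed header; a deployment would need one to close that gap.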
Abstract:
An arrangement efficiently renders forwarding decisions for a packet using a forwarding database dictionary of an intermediate node configured to optimize space consumed by addresses stored therein as well as to reduce time required to search those addresses. The arrangement generally includes a lookup mechanism comprising a search engine coupled to a set of registers and to the dictionary. The register set, in turn, comprises a number of registers operating in parallel to compare values specified by a number of bits with a predetermined starting point of an input string. The specified values are preferably representative of address prefixes stored in the dictionary and the input string is a destination address of the packet.
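The register-set lookup sketched above, as an added Go example (not code from the patent): each register holds a prefix of a given bit length, every register is compared against the leading bits of the destination address from the same starting point, and the longest prefix that matches wins. The hardware compares the registers in parallel; this software model does one pass over the register set. Type and function names are this example's own; it handles IPv4 only.

```go
package main

import (
	"fmt"
	"net"
)

// register models one of the parallel comparators: a prefix value of Bits bits
// and the forwarding decision associated with that prefix.
type register struct {
	Bits    uint8  // number of leading address bits compared
	Value   uint32 // the prefix, right-aligned (address >> (32-Bits))
	NextHop string
}

// Dictionary is the forwarding database loaded into the register set.
type Dictionary struct {
	regs []register
}

func ipv4ToUint32(ip net.IP) (uint32, bool) {
	ip4 := ip.To4()
	if ip4 == nil {
		return 0, false
	}
	return uint32(ip4[0])<<24 | uint32(ip4[1])<<16 | uint32(ip4[2])<<8 | uint32(ip4[3]), true
}

// Add loads one prefix such as "10.1.0.0/16" into a register.
func (d *Dictionary) Add(cidr, nextHop string) error {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return err
	}
	addr, ok := ipv4ToUint32(n.IP)
	if !ok {
		return fmt.Errorf("%s: this example handles IPv4 prefixes only", cidr)
	}
	ones, _ := n.Mask.Size()
	var val uint32
	if ones > 0 {
		val = addr >> (32 - uint(ones))
	}
	d.regs = append(d.regs, register{Bits: uint8(ones), Value: val, NextHop: nextHop})
	return nil
}

// Lookup compares the destination against every register, each from bit 0 of
// the address (the fixed starting point), and keeps the longest prefix that
// matched. A /0 register gives the default route.
func (d *Dictionary) Lookup(dst string) (string, bool) {
	addr, ok := ipv4ToUint32(net.ParseIP(dst))
	if !ok {
		return "", false
	}
	best, found := register{}, false
	for _, r := range d.regs {
		var top uint32
		if r.Bits > 0 {
			top = addr >> (32 - uint(r.Bits))
		}
		if top == r.Value && (!found || r.Bits > best.Bits) {
			best, found = r, true
		}
	}
	return best.NextHop, found
}

func main() {
	var d Dictionary
	for _, e := range [][2]string{
		{"0.0.0.0/0", "default-gw"}, {"10.0.0.0/8", "core-A"},
		{"10.1.0.0/16", "core-B"}, {"10.1.2.0/24", "edge-C"},
	} {
		if err := d.Add(e[0], e[1]); err != nil {
			panic(err)
		}
	}
	for _, dst := range []string{"10.1.2.9", "10.1.9.9", "10.9.9.9", "192.0.2.1"} {
		nh, _ := d.Lookup(dst)
		fmt.Printf("%-12s -> %s\n", dst, nh)
	}
}
```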
Abstract:
A novel acknowledgment mechanism efficiently requests affirmation from a neighboring node coupled to a communication link of a network that the neighbor is "alive" and connected to that link. The acknowledgment mechanism comprises control information generated by a source node and generally stored in a network layer header of a data packet transmitted to the neighbor. The presence or absence of this next-hop acknowledgement from the neighbor provides a fast and efficient indication of whether the connection between adjacent nodes of the network is intact or lost.
Abstract:
The present invention is an improved certificate revocation process that improves the efficiency of an authentication exchange in a public key distributed network system. Specifically, the present invention includes a novel revocation service (RS) that, in response to a unique request from a server node, selects certain revoked certificates from a current CRL to include in its reply so as to consume minimal system bandwidth. The unique request includes a number of parameters for consideration by the RS in generating its reply, including a maximum CRL size and/or a timestamp. The maximum CRL size indicates the largest number of revoked certificate serial numbers that the server node can process and thus receive in the revocation service reply, whereas the timestamp indicates the latest certificate revocation date of the certificates included in the CRL presently retained by the server node. Significantly, the RS generates an optimal CRL for its reply that contains all, part, or none of the current CRL revoked certificate serial numbers. Determination of the optimal CRL entails consideration of any number and combination of optimization factors, including the number of revoked certificates stored in the CRL storage facility and the time remaining before the current CRL is to be updated by a certificate authority (CA), the expiration date of the certificates, as well as the maximum CRL size and/or timestamp parameters provided to the RS in the server node request. The server node may control whether it will receive an optimal CRL and if so, what portion of the current CRL it will include by manipulating the parameters it provides to the RS. This enables each server node to request the CRL based upon its own specific security needs while optimizing the certificate revocation process. Further, the RS and/or server node may discard certificate serial numbers as their expiration dates come to pass.
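The revocation service's selection step, as an added Go example (not code from the patent): the server node supplies a maximum CRL size and the latest revocation date it already holds; the service drops serials whose certificates have expired, skips entries the node already has, and returns the remainder oldest-first, cutting the list at the maximum size and flagging that it did so. Returning the oldest entries first is this example's design choice: it is what lets a node that hits the size limit advance its timestamp and collect the rest on the next request without skipping any serial. Field and function names are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Revocation is one CRL entry as the revocation service (RS) stores it.
type Revocation struct {
	Serial  string
	Revoked time.Time // when the CA revoked the certificate
	Expires time.Time // the certificate's own expiration date
}

// Request carries the two parameters the abstract names: the largest number of
// serials the server node can process, and the latest revocation date in the
// CRL it already holds (zero time when it holds none).
type Request struct {
	MaxSize int // 0 = no limit
	Since   time.Time
}

// Reply is the optimal CRL: the serials selected, the revocation date of the
// last one (the node's next Since), and whether MaxSize cut the list short so
// the node knows its CRL is not yet complete.
type Reply struct {
	Serials   []string
	Newest    time.Time
	Truncated bool
}

// Optimize selects the serials to send. Expired certificates are dropped (they
// fail validation regardless), entries the node already holds are skipped, and
// the remainder goes out oldest-first so a truncated reply still lets the node
// advance Since without missing anything.
func Optimize(crl []Revocation, req Request, now time.Time) Reply {
	var pending []Revocation
	for _, r := range crl {
		if !r.Expires.After(now) || !r.Revoked.After(req.Since) {
			continue
		}
		pending = append(pending, r)
	}
	sort.Slice(pending, func(i, j int) bool { return pending[i].Revoked.Before(pending[j].Revoked) })

	rep := Reply{Newest: req.Since}
	for _, r := range pending {
		if req.MaxSize > 0 && len(rep.Serials) >= req.MaxSize {
			rep.Truncated = true
			// Never split entries that share one revocation date across replies:
			// the node will ask for entries strictly after Newest, so the rest
			// of such a group would otherwise never be delivered.
			for len(rep.Serials) > 0 && pending[len(rep.Serials)-1].Revoked.Equal(r.Revoked) {
				rep.Serials = rep.Serials[:len(rep.Serials)-1]
			}
			rep.Newest = req.Since
			if len(rep.Serials) > 0 {
				rep.Newest = pending[len(rep.Serials)-1].Revoked
			}
			break
		}
		rep.Serials = append(rep.Serials, r.Serial)
		rep.Newest = r.Revoked
	}
	return rep
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	crl := []Revocation{ // constructed sample CRL
		{"01", now.Add(-30 * day), now.Add(365 * day)},
		{"02", now.Add(-20 * day), now.Add(-1 * day)}, // certificate already expired
		{"03", now.Add(-10 * day), now.Add(365 * day)},
		{"04", now.Add(-5 * day), now.Add(365 * day)},
		{"05", now.Add(-1 * day), now.Add(365 * day)},
	}
	// A node that holds everything revoked up to 15 days ago and can take 2 serials.
	rep := Optimize(crl, Request{MaxSize: 2, Since: now.Add(-15 * day)}, now)
	fmt.Println(rep.Serials, rep.Truncated)
	// Its follow-up request, using the Newest it was told about.
	rep = Optimize(crl, Request{MaxSize: 2, Since: rep.Newest}, now)
	fmt.Println(rep.Serials, rep.Truncated)
}
```

A truncated reply is still a partial CRL. A node that treats it as complete will accept certificates revoked after Newest, so the Truncated flag must drive a follow-up request rather than be ignored. A node whose MaxSize is smaller than a group of serials revoked at the same instant cannot page through that group by timestamp alone and needs a larger MaxSize.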
Abstract:
A method of transferring foreign protocol information across a hierarchical backbone network is disclosed. The hierarchical backbone network operates according to a first protocol and includes multiple areas, some of which have a destination that operates according to a second protocol. Additionally, each area has at least one router located therein. The locations of the destinations in each area are identified to the router in that area. Information that identifies the locations of the destinations in each area is transferred to a router in each of the other areas regardless of whether the destinations are located in the same area as the router. Finally, information formatted according to the second protocol is transferred among any of the destinations.
Abstract:
A frame having a desired destination address written into its destination address field is transmitted onto a first communications system and received by the apparatus. The apparatus retransmits it onto a second communications system as a second frame whose destination address field carries a second destination address, while the desired destination address is written into a predetermined field of the second frame together with an indicator. The indicator is capable of being interpreted by a receiving station to mean that the desired destination address is written into the predetermined field of the second frame.
Abstract:
A communications system is disclosed, having a first communications link, a second communications link, a first end station attached to the first communications link, a first packet forwarding apparatus attached to the first communications link, a second end station attached to the second communications link, and a second packet forwarding apparatus attached to the second communications link. Each packet forwarding apparatus routes the packets it receives whose destination address equals a data link address of the apparatus, and bridges all other received packets. When the first end station wishes to send a packet to the second end station, it first transmits an ARP (Address Resolution Protocol) request message to learn the data link address of the second end station. The first apparatus receives the ARP request message and determines that the end station whose data link address is requested is attached to a remote communications link. The first apparatus requests the second apparatus to transmit an ARP request message to determine the second station's address and to relay the ARP response back to the first apparatus. When the first apparatus receives the ARP response, it forwards the response to the first end station. The first end station transmits subsequent packets to the second end station using the data link address of the second end station as the data link destination address. These subsequent packets can be bridged by any intermediary apparatus between the first end station and the second end station.
Abstract:
Methods and apparatus for automatically assigning LAN numbers to LANs in a network comprised of LANs and bridges connected to LANs. The bridges associate the LANs with LAN numbers and each LAN is related to one of the bridges. A central database links each LAN (identified by LAN number) to the identity of its related bridge and the port of that bridge which is connected to the LAN. To obtain a LAN number for a given LAN, the bridge related to the given LAN transmits a request identifying the related bridge and the port of the related bridge which is connected to the given LAN. In response, a LAN number which has not been associated with any LAN other than the given LAN is selected and included in a response which is sent back to the requesting bridge. The requesting bridge then transmits LAN number identification messages incorporating the selected LAN number to the other bridges on the given LAN.
Abstract:
Use of a multicast address on a LAN that does not support an adequate multicast address space is implemented. An apparatus is provided for delivering a multicast address to a station on a local area network that does not itself support the multicast address. A frame is transmitted onto the local area network, where the frame has a predetermined field containing a reference to the multicast address and an indicator capable of being interpreted by a receiving station to mean that the multicast address may be recovered from the frame by parsing it; an applications program may then be executed in response to the multicast address. The apparatus may also include a receiving station capable of receiving the frame, in which an applications program is executed in response to the multicast address.
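This abstract and the earlier one on carrying a desired destination address in a predetermined field both rely on the same frame mechanism: an ordinary destination address field, plus a predetermined field holding an address and an indicator that tells the receiving station how to interpret it. The added Go example below (not code from either patent) serves both: it encodes and parses such a frame, rewrites a frame for a second communications system by moving the desired destination into the predetermined field, and lets a station recover a carried multicast address and decide whether to hand the frame to an application. The wire layout, indicator values and function names are assumptions of the example; the parser rejects frames that claim fields they are too short to contain, since a forwarding apparatus or end station must not index past a received buffer on the strength of an untrusted flag byte.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Indicator values for the predetermined field (this example's own values):
// IndDesiredDest carries the unicast destination the frame was originally sent
// to; IndMulticast carries a multicast address the LAN cannot express natively.
const (
	IndDesiredDest uint8 = 0x01
	IndMulticast   uint8 = 0x02
)

// Frame is a constructed stand-in for a link-layer frame.
type Frame struct {
	Dst, Src  net.HardwareAddr
	Indicator uint8            // 0 when the predetermined field is absent
	Carried   net.HardwareAddr // address held in the predetermined field
	Payload   []byte
}

// Marshal writes: DA(6) SA(6) present(1) [indicator(1) addr(6)] len(2) payload.
func Marshal(f Frame) []byte {
	b := append([]byte{}, f.Dst...)
	b = append(b, f.Src...)
	if f.Indicator == 0 {
		b = append(b, 0)
	} else {
		b = append(b, 1, f.Indicator)
		b = append(b, f.Carried...)
	}
	n := len(f.Payload)
	b = append(b, byte(n>>8), byte(n))
	return append(b, f.Payload...)
}

// Unmarshal parses a frame, checking the buffer length before every field.
func Unmarshal(b []byte) (Frame, error) {
	if len(b) < 13 {
		return Frame{}, errors.New("frame too short")
	}
	f := Frame{Dst: net.HardwareAddr(b[0:6]), Src: net.HardwareAddr(b[6:12])}
	pos := 13
	if b[12] == 1 {
		if len(b) < pos+7 {
			return Frame{}, errors.New("truncated predetermined field")
		}
		f.Indicator = b[pos]
		f.Carried = net.HardwareAddr(b[pos+1 : pos+7])
		pos += 7
	}
	if len(b) < pos+2 {
		return Frame{}, errors.New("missing payload length")
	}
	n := int(b[pos])<<8 | int(b[pos+1])
	pos += 2
	if len(b) != pos+n {
		return Frame{}, errors.New("payload length mismatch")
	}
	f.Payload = b[pos:]
	return f, nil
}

// Rewrite is the forwarding apparatus: the desired destination moves into the
// predetermined field and newDst (e.g. the far-end apparatus) takes the DA field.
func Rewrite(f Frame, newDst net.HardwareAddr) Frame {
	return Frame{Dst: newDst, Src: f.Src, Indicator: IndDesiredDest, Carried: f.Dst, Payload: f.Payload}
}

// EffectiveDestination is the address a receiving station acts on: the carried
// address when a known indicator is present, otherwise the DA field.
func EffectiveDestination(f Frame) net.HardwareAddr {
	if f.Indicator == IndDesiredDest || f.Indicator == IndMulticast {
		return f.Carried
	}
	return f.Dst
}

// Accept decides whether a station with address own, subscribed to the given
// multicast groups, should hand the frame to an applications program.
func Accept(f Frame, own net.HardwareAddr, subs map[string]bool) bool {
	d := EffectiveDestination(f)
	return d.String() == own.String() || (f.Indicator == IndMulticast && subs[d.String()])
}

func main() {
	a, _ := net.ParseMAC("02:00:00:00:00:0a")
	b, _ := net.ParseMAC("02:00:00:00:00:0b")
	relay, _ := net.ParseMAC("02:00:00:00:00:ff")
	mc, _ := net.ParseMAC("01:00:5e:00:00:fb")

	wire := Marshal(Rewrite(Frame{Dst: b, Src: a, Payload: []byte("hello")}, relay))
	got, _ := Unmarshal(wire)
	fmt.Println("DA:", got.Dst, "desired:", EffectiveDestination(got))

	m, _ := Unmarshal(Marshal(Frame{Dst: relay, Src: a, Indicator: IndMulticast, Carried: mc, Payload: []byte("mdns")}))
	fmt.Println("multicast accepted:", Accept(m, b, map[string]bool{mc.String(): true}))

	_, err := Unmarshal(wire[:15]) // cut off inside the predetermined field
	fmt.Println("truncated:", err)
}
```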