1. CRYPTOGRAPHIC PEER DISCOVERY, AUTHENTICATION, AND AUTHORIZATION FOR ON-PATH SIGNALING
    Document type: Invention application
    Legal status: In force

    Publication number: US20090193506A1

    Publication date: 2009-07-30

    Application number: US12019541

    Filing date: 2008-01-24

    IPC classification: G06F7/04

    Abstract: A method is disclosed for cryptographic peer discovery, authentication, and authorization. According to one embodiment, a data packet, which is addressed to a destination device other than an intermediary network device, is intercepted at the intermediary network device. The data packet contains a request and a group identifier. A shared secret cryptographic key, which is mapped to the group identifier, is selected. A challenge is sent toward an upstream device from whence the data packet came. A response is received. A verification value is generated based on the cryptographic key and the challenge. It is determined whether the response matches the verification value. If the response matches the verification value, then it is determined whether the request is allowed by an authorization set that is mapped to the group identifier. If the request is allowed, then a policy of the intermediary network device is configured based on the request.

2. Cryptographic peer discovery, authentication, and authorization for on-path signaling
    Document type: Granted invention patent
    Legal status: In force

    Publication number: US07350227B2

    Publication date: 2008-03-25

    Application number: US11115542

    Filing date: 2005-04-26

    Abstract: A method is disclosed for cryptographic peer discovery, authentication, and authorization. According to one embodiment, a data packet, which is addressed to a destination device other than an intermediary network device, is intercepted at the intermediary network device. The data packet contains a request and a group identifier. A shared secret cryptographic key, which is mapped to the group identifier, is selected. A challenge is sent toward an upstream device from whence the data packet came. A response is received. A verification value is generated based on the cryptographic key and the challenge. It is determined whether the response matches the verification value. If the response matches the verification value, then it is determined whether the request is allowed by an authorization set that is mapped to the group identifier. If the request is allowed, then a policy of the intermediary network device is configured based on the request.

3. Cryptographic peer discovery, authentication, and authorization for on-path signaling
    Document type: Granted invention patent
    Legal status: In force

    Publication number: US08122482B2

    Publication date: 2012-02-21

    Application number: US12019541

    Filing date: 2008-01-24

    IPC classification: G06F17/00 H04L29/06

    Abstract: A method is disclosed for cryptographic peer discovery, authentication, and authorization. According to one embodiment, a data packet, which is addressed to a destination device other than an intermediary network device, is intercepted at the intermediary network device. The data packet contains a request and a group identifier. A shared secret cryptographic key, which is mapped to the group identifier, is selected. A challenge is sent toward an upstream device from whence the data packet came. A response is received. A verification value is generated based on the cryptographic key and the challenge. It is determined whether the response matches the verification value. If the response matches the verification value, then it is determined whether the request is allowed by an authorization set that is mapped to the group identifier. If the request is allowed, then a policy of the intermediary network device is configured based on the request.

4. Mechanisms for detection of non-supporting NAT traversal boxes in the path
    Document type: Granted invention patent
    Legal status: In force

    Publication number: US07443849B2

    Publication date: 2008-10-28

    Application number: US11026891

    Filing date: 2004-12-30

    Abstract: Disclosed are methods and apparatus for facilitating translation of packet addresses (or ports) by one or more translation devices (e.g., Network Address Translation or NAT devices) using a specialized protocol to handle an address (or port) that is used to form part of a payload. In one implementation, this specialized protocol is referred to as Network Layer Signaling (NLS). As a packet traverses along a path containing one or more translation devices, each translation device is configured to translate an address (or port) of such packet's IP header if the packet is traversing between different domains (e.g., traversing between a private and public domain or between two different private domains). One or more of these translation devices may also be configured to implement the specialized protocol, which includes translation device traversal mechanisms for detecting whether the traversal path contains a translation device that fails to implement such specialized protocol. When such a failure is detected, recovery mechanisms are also triggered.

5. Address tagging for network address translation (NAT) traversal
    Document type: Granted invention patent
    Legal status: In force

    Publication number: US07680104B2

    Publication date: 2010-03-16

    Application number: US10985563

    Filing date: 2004-11-09

    Applicant: Melinda L. Shore

    Inventor: Melinda L. Shore

    IPC classification: H04L12/56

    CPC classification: H04L61/00 H04L29/12009

    Abstract: Disclosed are methods and apparatus for generating, as well as processing, data that is traversing (or will be traversing) a translation device, such as a Network Address Translation (NAT) device. In one embodiment, a method of sending data from a first node to a second node is disclosed. The method includes sending a data packet having a header and a payload, whereby the header includes (i) one or more fields which identify an application type that uses addresses and indicate that there is a tag present in the payload that serves as a substitute for an address, and (ii) an address, and whereby the payload includes a tag that is positioned so that it serves as a substitute for an address used by the identified application. The one or more fields are associated with the address of the header.