On-demand security association management

US2021014285A1 · US · A1

Patent metadata
Publication number: US-2021014285-A1
Application number: US-202017034100-A
Country: US
Kind code: A1
Filing date: Sep 28, 2020
Priority date: Feb 23, 2018
Publication date: Jan 14, 2021
Grant date:

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

An ingress network element obtains data from a source endpoint associated with the ingress network element. The data identifies a destination endpoint remote from the ingress network element. The ingress network element provides a map request identifying the destination endpoint to a mapping server. The ingress network element obtains a map reply including a network address of an egress network element associated with the destination endpoint and a security association. The ingress network element encrypts the data for the destination endpoint with the security association according to a cryptographic policy based on the source endpoint, the destination endpoint, and the availability of cryptographic resources on the network. The ingress network element provides the encrypted data to the egress network element.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: at a first network element among a plurality of network elements, obtaining data from a first endpoint associated with the first network element, the data identifying a destination of a second endpoint remote from the first network element; providing a map request to a mapping server, the map request identifying the second endpoint; obtaining a map reply from the mapping server, the map reply including a network address of a second network element associated with the second endpoint and a security association; generating encrypted data by encrypting the data for the second endpoint with the security association according to a cryptographic policy based on the first endpoint, the second endpoint, and an availability of cryptographic resources on the plurality of network elements; and providing the encrypted data to the second network element.

2. The method of claim 1, further comprising: obtaining an updated security association from the mapping server, the updated security association based on an updated cryptographic policy; generating updated encrypted data by encrypting subsequent data for the second endpoint with the updated security association; and providing the updated encrypted data to the second network element.

3. The method of claim 2, wherein the updated cryptographic policy is based on an update to the availability of cryptographic resources on the plurality of network elements.

4. The method of claim 1, further comprising: obtaining a network address of a third network element that is a re-encapsulation router interposed between the first network element and the second network element on a route from the first endpoint to the second endpoint; obtaining a new security association for communicating with the third network element; generating new encrypted data by encrypting the data for the second network element with the new security association; and providing the new encrypted data to the third network element.

5. The method of claim 1, wherein the second network element is a re-encapsulation router interposed between the first network element and a third network element on a route from the first endpoint to the second endpoint.

6. The method of claim 1, wherein the cryptographic policy is based on a group identity of the first endpoint and the second endpoint.

7. The method of claim 6, wherein the group identity of the first endpoint and the second endpoint is a Virtual Network Identifier (VNI) or a security group identifier.

8. An apparatus comprising: a network interface configured to communicate with a plurality of network elements; and a processor coupled to the network interface and configured to: receive data via the network interface from a first endpoint associated with the apparatus, the data identifying a destination of a second endpoint remote from the apparatus; cause the network interface to send a map request to a mapping server, the map request identifying the second endpoint; receive a map reply from the mapping server via the network interface, the map reply including a network address of a remote network element associated with the second endpoint and a security association; generate encrypted data by encrypting the data for the second endpoint with the security association according to a cryptographic policy based on the first endpoint, the second endpoint, and an availability of cryptographic resources on the plurality of network elements; and cause the network interface to send the encrypted data to the remote network element.

9. The apparatus of claim 8, wherein the processor is further configured to: receive an updated security association from the mapping server via the network interface, the updated security association based on an updated cryptographic policy; generate updated encrypted data by encrypting subsequent data for the second endpoint with the updated security association; and cause the network interface to send the updated encrypted data to the remote network element.

10. The apparatus of claim 9, wherein the updated cryptographic policy is based on an update to the availability of cryptographic resources on the plurality of network elements.

11. The apparatus of claim 8, wherein the processor is further configured to: receive via the network interface, a network address of a re-encapsulation router interposed between the apparatus and the remote network element on a route from the first endpoint to the second endpoint; receive via the network interface, a new security association for communicating with the re-encapsulation router; generate new encrypted data by encrypting the data for the remote network element with the new security association; and cause the network interface to send the new encrypted data to the re-encapsulation router.

12. The apparatus of claim 8, wherein the remote network element is a re-encapsulation router interposed between the apparatus and an egress network element on a route from the first endpoint to the second endpoint.

13. The apparatus of claim 8, wherein the cryptographic policy is based on a group identity of the first endpoint and the second endpoint.

14. The apparatus of claim 13, wherein the group identity of the first endpoint and the second endpoint is a Virtual Network Identifier (VNI) or a security group identifier.

15. One or more non-transitory computer readable storage media encoded with software comprising computer executable instructions and, when the software is executed by a processor on a first network element, operable to cause the processor to: obtain data from a first endpoint associated with the first network element, the data identifying a destination of a second endpoint remote from the first network element; provide a map request to a mapping server, the map request identifying the second endpoint; obtain a map reply from the mapping server, the map reply including a network address of a second network element associated with the second endpoint and a security association; generate encrypted data by encrypting the data for the second endpoint with the security association according to a cryptographic policy based on the first endpoint, the second endpoint, and an availability of cryptographic resources on a plurality of network elements including the first network element and the second network element; and provide the encrypted data to the second network element.

16. The non-transitory computer readable storage media of claim 15, further comprising instructions operable to cause the processor to: obtain an updated security association from the mapping server, the updated security association based on an updated cryptographic policy; generate updated encrypted data by encrypting subsequent data for the second endpoint with the updated security association; and provide the updated encrypted data to the second network element.

17. The non-transitory computer readable storage media of claim 16, wherein the updated cryptographic policy is based on an update to the availability of cryptographic resources on the plurality of network elements.

18. The non-transitory computer readable storage media of claim 15, further comprising instructions operable to cause the processor to: obtain a network address of a third network element that is a re-encapsulation router interposed between the first network element and the second network element on a route from the first endpoint to the second endpoint; obt
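The exchange that the abstract and claims 1 to 3, 6 and 7 describe, as an added worked example rather than code from the patent or from Cisco: the ingress element sends a map request for a destination EID, the mapping server answers with the egress address plus a security association chosen by a cryptographic policy, the ingress encrypts with that SA, and a later change in cryptographic resource availability makes the mapping server re-run the policy and push an updated SA. Everything concrete here is assumed for illustration: the element names xtr-a and xtr-b, the EIDs and VNI numbers, the policy rules (both endpoints must share a VNI; the transform depends on whether both elements have hardware crypto to spare), the mapping server installing the SA on the egress over some control channel, and an HMAC-SHA256 encrypt-then-MAC construction standing in for a real transform such as AES-GCM so that the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityAssociation:
    spi: int        # Security Parameter Index carried in each packet so the egress can find the SA
    algorithm: str  # transform chosen by the policy (a label only, in this example)
    key: bytes

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-GCM / ChaCha20-Poly1305
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _subkeys(sa):  # distinct encryption and MAC keys derived from the SA key
    return tuple(hmac.new(sa.key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def seal(sa, nonce, plaintext):
    """Encrypt-then-MAC into [spi(4) | nonce(12) | ciphertext | tag(16)]."""
    enc_key, mac_key = _subkeys(sa)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = sa.spi.to_bytes(4, "big") + nonce
    return header + ct + hmac.new(mac_key, header + ct, hashlib.sha256).digest()[:16]

def open_(sa, packet):
    """Verify the tag before decrypting; a stale SA (e.g. after a rekey) fails here."""
    enc_key, mac_key = _subkeys(sa)
    header, ct, tag = packet[:16], packet[16:-16], packet[-16:]
    if not hmac.compare_digest(hmac.new(mac_key, header + ct, hashlib.sha256).digest()[:16], tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, header[4:], len(ct))))

class EgressXTR:
    def __init__(self):
        self.sas = {}  # spi -> SA, installed by the mapping server (assumed control channel)
    def receive(self, packet):
        spi = int.from_bytes(packet[:4], "big")
        return open_(self.sas[spi], packet)  # KeyError for an SPI that was never installed

class IngressXTR:
    def __init__(self, name, mapping_server):
        self.name, self.ms, self.cache, self.seq = name, mapping_server, {}, 0
    def forward(self, src_eid, dst_eid, payload):
        if dst_eid not in self.cache:  # on demand: the first packet to a new EID triggers the map request
            self.cache[dst_eid] = self.ms.map_request(self, src_eid, dst_eid)
        rloc, sa = self.cache[dst_eid]  # map reply: egress address plus the SA to use
        self.seq += 1                   # monotonic counter keeps nonces unique under every key
        return rloc, seal(sa, self.seq.to_bytes(12, "big"), payload)

class MappingServer:
    def __init__(self, eid_to_rloc, eid_to_vni, hw_crypto, egress_nodes):
        self.eid_to_rloc, self.eid_to_vni, self.hw_crypto = eid_to_rloc, eid_to_vni, set(hw_crypto)
        self.egress_nodes = egress_nodes        # rloc -> EgressXTR
        self.next_spi, self.bindings = 256, []  # bindings: (ingress, src_eid, dst_eid)

    def policy(self, src_eid, dst_eid, ingress_name, egress_name):
        # Group identity (VNI) of both endpoints plus available crypto resources; rules are hypothetical
        if self.eid_to_vni[src_eid] != self.eid_to_vni[dst_eid]:
            raise PermissionError("endpoints are in different VNIs")
        if {ingress_name, egress_name} <= self.hw_crypto:
            return "aes-256-gcm"       # both elements have hardware offload to spare
        return "chacha20-poly1305"     # software-friendly fallback

    def _issue(self, ingress, src_eid, dst_eid):
        rloc = self.eid_to_rloc[dst_eid]
        alg = self.policy(src_eid, dst_eid, ingress.name, rloc)
        sa = SecurityAssociation(self.next_spi, alg, os.urandom(32))
        self.next_spi += 1
        self.egress_nodes[rloc].sas[sa.spi] = sa  # egress learns the SA too (assumed control channel)
        return rloc, sa

    def map_request(self, ingress, src_eid, dst_eid):
        self.bindings.append((ingress, src_eid, dst_eid))
        return self._issue(ingress, src_eid, dst_eid)

    def update_resources(self, element, available):
        # Changed resource availability re-runs the policy and pushes an updated SA (claims 2-3)
        (self.hw_crypto.add if available else self.hw_crypto.discard)(element)
        for ingress, src_eid, dst_eid in self.bindings:
            if element in (ingress.name, self.eid_to_rloc[dst_eid]):
                ingress.cache[dst_eid] = self._issue(ingress, src_eid, dst_eid)

def demo():
    """Constructed scenario: one VNI; the egress loses its hardware offload mid-flow."""
    egress = EgressXTR()
    ms = MappingServer({"10.2.0.7": "xtr-b"}, {"10.1.0.5": 100, "10.2.0.7": 100},
                       hw_crypto={"xtr-a", "xtr-b"}, egress_nodes={"xtr-b": egress})
    ingress = IngressXTR("xtr-a", ms)
    rloc, pkt1 = ingress.forward("10.1.0.5", "10.2.0.7", b"GET /payroll")
    sa1 = ingress.cache["10.2.0.7"][1]
    ms.update_resources("xtr-b", available=False)
    _, pkt2 = ingress.forward("10.1.0.5", "10.2.0.7", b"second packet")
    sa2 = ingress.cache["10.2.0.7"][1]
    return {"rloc": rloc, "sa1": sa1, "sa2": sa2, "pkt2": pkt2,
            "plain1": egress.receive(pkt1), "plain2": egress.receive(pkt2)}
```

Two points the claims leave to the implementer show up in demo(): the egress keeps the old SPI installed after the rekey so packets already in flight still decrypt, which means old SAs need an explicit lifetime and teardown; and the map reply now carries key material, so the channel between the mapping server and the network elements needs its own authentication and confidentiality, which the example does not model.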

Assignees

Cisco Tech Inc

Inventors

Classifications

  • H04L63/205 (primary)

    involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24) · CPC title

  • Interconnection of networks using encapsulation techniques, e.g. tunneling · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • Virtual private networks · CPC title

  • Encapsulation of packets · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2021014285A1 cover?
An ingress network element obtains data from a source endpoint associated with the ingress network element. The data identifies a destination endpoint remote from the ingress network element. The ingress network element provides a map request identifying the destination endpoint to a mapping server. The ingress network element obtains a map reply including a network address of an egress network…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/205. Mapped technology areas include Electricity (CPC section H).
When was this patent published?
Publication date Jan 14, 2021 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).