US20040250072A1 - Network connectable device and method for its installation and configuration - Google Patents
Network connectable device and method for its installation and configuration Download PDFInfo
- Publication number
- US20040250072A1 US20040250072A1 US10/846,614 US84661404A US2004250072A1 US 20040250072 A1 US20040250072 A1 US 20040250072A1 US 84661404 A US84661404 A US 84661404A US 2004250072 A1 US2004250072 A1 US 2004250072A1
- Authority
- US
- United States
- Prior art keywords
- network device
- network
- configuration
- packet
- management station
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Definitions
- the present invention deals with a device to be connected to a network and especially its installation and configuration.
- Installation is a general concept that covers all the hardware operations needed to connect the device to a network.
- configuration is understood to cover all the software operations that enable controlled transmission of data in the network between the device concerned and other devices connected to the network.
- the invention does not limit the type of network in question: it can be the Internet, an intranet, a Local Area Network (LAN), a Wide Area Network (WAN) or any other network intended for transmission of data between electronic terminals.
- the physical form of the network may be Ethernet, Token Ring, cellular radio network or any other corresponding network known as such.
- Intelligent network devices such as routers, VPN (Virtual Private Network) devices, print servers, network printers, network cameras, and telecommunications adapters, require detailed configuration data before they can transmit and receive information through the network in a controlled manner. For instance in an P (Internet Protocol) network the device needs to know its own P address and the address of the default gateway, and possibly lots of other configuration data.
- P Internet Protocol
- IPv4 Internet Protocol version 4
- IPv6 Internet Protocol version 6
- the fields of the known IPv4 header are as follows: Version Number 101 , IHL 102 , Type of Service 103 , Total Length 104 , Identification 105 , Flags 106 , Fragment Offset 107 , Time to Live 108 , Protocol 109 , Header Checksum 110 , Source Address 111 , Destination Address 112 , Options 113 and Padding 114 .
- the fields of the known proposed IPv6 header are as follows: Version Number 201 , Traffic Class 202 , Flow Label 203 , Payload Length 204 , Next Header 205 , Hop Limit 206 , Source Address 207 and Destination Address 208 .
- An IP packet consists of a header like that of FIG. 1 or 2 accompanied by a data portion. In IPv6, there may be a number of so-called Extension headers between the main header shown in FIG. 2 and the data portion.
- an authentication may be performed by computing a Message Authentication Code (MAC) using the contents of the packet and a shared secret key, and sending the computed MAC as a part of the packet in an AH (Authentication Header) or ESP (Encapsulating Security Payload) header. Privacy is typically implemented using encryption, and the ESP header is used.
- the AH header is illustrated in FIG. 3, where column numbers correspond to bits. The fields of the known AH header are as follows: Next Header 301 , Length 302 , Reserved 303 , Security Parameters 304 and Authentication Data 305 . The length of the last field 305 is a variable number of 32-bit words.
- the Encapsulating Security Payload may appear anywhere in an IP packet after the IP header and before the final transport-layer protocol.
- the Internet Assigned Numbers Authority has assigned Protocol Number 50 to ESP.
- the header immediately preceding an ESP header will always contain the value 50 in its Next Header (IPv6) or Protocol (IPv4) field.
- IPv6 Next Header
- IPv4 Protocol
- ESP consists of an unencrypted header followed by encrypted data.
- the encrypted data includes both the protected ESP header fields and the protected user data, which is either an entire IP datagram or an upper-layer protocol frame (e.g., TCP or UDP).
- TCP Transmission Control Protocol
- UDP User Datagram
- FIG. 4 b illustrates the two parts of an ESP header, which are the 32-bit Security Association Identifier (SPI) 405 and the Opaque Transform Data field 406 , whose length is variable.
- SPI Security Association Identifier
- the object of this invention is to provide methods, as well as a network device which can carry out the disclosed methods.
- the object of the unsecure, remote configuration methods of the invention is accomplished by installing the network device in a dummy mode, and sending a configuration packet, including a device-specific identifier, to the network device to be configured or reconfigured either by broadcasting a packet containing the new network device's device identifier or sending a configuration packet directly to the network device's network address with the packet containing the device identifier of the device to be configured.
- the new network device to be remotely configured then either recognizes its device identifier in the broadcast packet or recognizes its device identifier in the packet sent directly to its network address, and uses the data therein to configure itself.
- the object of the secure, remote configuration methods of the invention is accomplished by: transmitting the configuration packet from a remote network management station to the network device to be configured or reconfigured either by broadcast or by direct transmission to the network address of the device to be configured, authenticating the configuration packet at the network device to be configured or reconfigured as being from the proper network management station and containing the proper device identifier or by at least verifying that the configuration packet conatains the properly encrypted device identifier which could only have been encrypted by the authentic network managment station or some other secure information derived from the device identifier which can serve as a reliable indicator of the source of the configuration packet, and then decrypting and using the contents of the authenticated packet to configure the new network device.
- the invention applies as well to a network device, of which it is characteristic that it comprises a computing block arranged to
- each new network device to be configured has a device identifier used to authenticate the device.
- a management station connected to the network and used to remotely configure freshly installed network devices.
- the invention does not limit the nature of the device identifier; on the contrary, it should be understood very generally as something that can be used to identify a network device.
- the management station knows the device identifier, IP address, default gateway, and other information needed to configure each new network device.
- the management station sends a specially formatted packet to the broadcast address of the network in which the new network device resides.
- the special packet contains an identifying code derived from the device identifier of the new network device and possibly other data.
- the new network device receives a packet, it checks whether the packet is a special packet with the identifying code matching its own device identifier. If the code matches, the device decodes the special packet, retrieves the configuration information from it and starts using its new configuration. It may also engage in a further information exchange with the management station to obtain further configuration data and to provide feedback to the management station user.
- the packet sent by the management station could also be a factory-configured (or generally preconfigured) address other than IP address, e.g. ethernet address, or some other kind of device identifier that the network will recognize.
- the network device has its IP address preconfigured manually before it is installed in the network. Thereafter, the management station may send a configuration packet directly to that address; the network device may even send a packet first to a preconfigured management station address to let know it is there and wants to be configured.
- the network device may obtain its IP address automatically from the network, e.g. using DHCP (Dynamic Host Configuration Protocol).
- the network device might respond to an ARP (Address Resolution Protocol) packet for IP addresses of some format, e.g. after a short delay to give a possible real owner of the address time to respond.
- ARP Address Resolution Protocol
- the device identifier is most advantageously derived from a cryptographic public key.
- the device identifier may also be the cryptographic key itself or a certificate accompanying it.
- Both the new network device and the management station may know the other device's device identifier beforehand so that they may recognise a received packet as coming from the correct sender. Alternatively each device may display the identifier computed from data received from the other party to the user and have the user confirm that the identifier is correct. This is called a (manual) verification of the device identifier.
- Both the new network device and the management station verifies that the cryptographic public key received from the other side matches the (manually) verified device identifier. Then, they cryptographically generate a shared secret using the authenticated cryptographic public keys.
- One implementation of this is to have each cryptographic public key be a Diffie-Heilman public value. After the authentication and verification stages the configuration may proceed safely.
- the present invention provides a method to remotely configure a network device in a reliable, easy-to-use manner from a separate management station (which can be another network device).
- a separate management station which can be another network device.
- the method can provide security.
- the method enables devices to be installed by fairly unskilled support personnel, and the technically more demanding configuration operation can be performed by an expert from a management station without needing to travel to the installation site.
- FIG. 1 illustrates a known IPv4 packet header
- FIG. 2 illustrates a known IPv6 packet header
- FIGS. 3, 4 a and 4 b illustrate other known packet headers
- FIG. 5 illustrates some features of a network and a network device
- FIG. 6 illustrates a method according to the invention
- FIG. 7 illustrates a network device according to the invention.
- the invention is here described in terms of a network device attached to an IP (Internet Protocol) network.
- IP Internet Protocol
- the present invention is equally applicable to other network protocols.
- a network device 500 in FIG. 5 is a device that has one or more network interfaces 501 .
- a network interface is a connection to the physical network 502 , such as an Ethernet(network, a mobile radio network or some other network.
- each network interface has one or more network addresses 503 that identify the network interface as the transmitter and/or receiver of packets.
- Network addresses are character strings; in FIG. 5 the characters are represented generally by X's.
- the network address 503 is an IP address. The network knows how to route packets from a transmitting network address to a receiving network address from anywhere in the network. Such routing may involve travelling through multiple network devices, each device sending the packet down a link that it thinks will bring the packet closer to its final destination.
- Configuration data is data that the network device needs to know before it can start normal operation. Typically, such data would include an IP address 503 , netmask 504 , default gateway address 505 , and operational parameters 506 for the network device 500 . Configuration data may also include new software to be downloaded to the device.
- a management station 507 is a network device that will provide the newly installed device with configuration data. It may, but need not, maintain communications with the new network device also after installation.
- the management station usually has a user interface (keyboard and display).
- each network device 500 (and management station 507 ) can have a device identifier 508 , which is a public character string that could e.g. be printed on a sticker and attached to the bottom of the device.
- the device identifier 508 serves two purposes. Firstly it identifies the device to be configured, so that if multiple devices using the same configuration method are attached to the same network, or there are other network devices on the path that the configuration packet needs to travel to reach its destination, the appropriate network device can be identified and other devices can ignore configuration data which is not intended for them.
- the other, more important purpose of the device identifier is that if it is derived from an appropriate cryptographic key, the device being configured and the management station can use it to authenticate each other, and to exchange cryptographic keys with each other securely.
- the device identifier is optional, but multiple configurable devices on the same network cannot be distinguished and security cannot be guaranteed without device identifiers.
- the device generate its own device identifier (e.g. when it is first powered on) by some method known as such, and e.g. display the device identifier on screen if the device has one. This may be desirable in some cases to make all devices be identical when they leave the factory.
- the device identifier is used for identifying the particular network device being configured by having the initial packet(s) sent to it contain either the device identifier directly, or some information derived from the device identifier (such as a hash of it and some other data). All receiving devices can then ignore configuration packets that are not destined to themself by checking the device identifier (or derived information) in each received configuration packet. To ease troubleshooting by users, the network device may display a warning if it sees a configuration packet that is not destined to itself. Device identifiers may also contain parity bits or other data that can be used to validate that a user has typed them in correctly.
- the device identifier is a value derived from a cryptographic public key.
- the public key can be a Diffie-Helman public value, an RSA (Rivest-Shamir-Adelman) key, a DSA key (Digital Signature Algorithm; US Government Digital Signature Standard), or some other public key.
- Diffie-Hellman public values is known from patents U.S. Pat. No. 4,218,582 and U.S. Pat. No. 4,200,770, and the use of RSA keys is known from patent U.S. Pat. No. 4,405,829.
- the device identifier should be derived from the public key in a way that makes it very hard to come up with another public key that would have the same identifier.
- One possible method is to use a cryptographic hash function (e.g. SHA1; Secure Hash Algorithm 1) to compress the public key, and then use an appropriate number of bits from the returned hash value.
- SHA1 hash function
- the use of the SHA1 algorithm is known from the publication “NIST, FIPS PUB 180-1, Secure Hash Standard, April 1995”.
- the management station sends at stage 601 a specially formatted configuration packet to the new network device.
- the packet will be addressed so that the new network device will be able to see it. The exact method of doing this depends on the network protocol that is used and on the embodiment of the invention that is applied.
- the configuration packet can be addressed to the broadcast address of the network containing the new device. This causes all devices on that physical network to see it, including the new device. Addressing directly to the new network device's IP address or some address behind it (for routers) will not work in this embodiment of the invention because the new network device has not yet been configured and consequently the ARP address resolving operation would fail.
- ARP Address Resolution Protocol
- ARP Address Resolution Protocol
- the configuration packet will typically contain the new device's device identifier (or derivation thereof), the device's IP address, netmask, default gateway, and the management station's IP address and device identifier and/or public key. It may also contain information for setting up a shared secret, such as the management station's Diffie-Hellman public value and/or a certificate that will be used to verify that the packet came from the correct management station.
- Each party needs to be assured that it is communicating directly with the other device and not with some intermediary (man-in-the-middle) that could modify the configuration data as it is transferred. If a single configuration packet is used without a further packet exchange, it may be sufficient to perform one-sided authentication, meaning that the new network device is assured that it receives the configuration packet directly from the management station without any intermediary tampering with the contents of the configuration packet.
- each party will send its public key to the other party.
- the management station sends its public key to the new network device along with the configuration packet.
- a new network device receives the configuration packet labelled with its own device identifier, it computes at stage 602 the transmitting party's device identifier from the public key (and whatever other data might be used in the computation in a particular implementation) included in the configuration packet. It verifies that the device identifier it got by computing matches the known device identifier of the correct management station.
- the invention does not limit the way how this check is accomplished. There are several possible ways, like the following:
- the network device displays the computed device identifier to a user, and the user verifies it using some out-of-band means (e.g. phone call or checking against written notes), and either accepts or rejects the identifier (e.g. by pressing the appropriate button),
- some out-of-band means e.g. phone call or checking against written notes
- the device identifier identifying the correct management station has been entered into the new network device beforehand, or a user types it in on location by using a keyboard, and the new network device compares the typed identifier electronically against the computed one, or
- the device identifier is verified using some other means, such as checking a certificate or using a value stored in tamper-resistant memory means to verify that the identifier is acceptable; if a certificate contained in the packet is to be used the network device will most likely have the public key or a certificate of a CA (Certification Authority) in memory.
- some other means such as checking a certificate or using a value stored in tamper-resistant memory means to verify that the identifier is acceptable; if a certificate contained in the packet is to be used the network device will most likely have the public key or a certificate of a CA (Certification Authority) in memory.
- CA Certification Authority
- the new network device may compute a shared secret at stage 603 using any method known as such, some of which are listed below, and set up whatever method will be used for further communication with the management station. With IPSEC, for instance, it could set up an AH or ESP security association with the management station.
- the network device sends a reply packet back to the management station, typically containing its own device identifier, its Diffie-Helman public value or other public key, and other information depending on the particular application.
- the management station Upon receiving the reply packet, the management station will verify at stage 605 that the received public key or corresponding value matches the correct device identifier. Same methods may be applied as the other way round at stage 602 . The management station may compute the shared secret at stage 606 before setting up whatever method will be used for further communication with the management station.
- Each public key is a Diffie-Hellman public value, and the device identifiers are derived from the public value (e.g. using the SHA1 hash); effectively, each party authenticates each other's public value, and computes the Diffie-Hellman shared secret. Because both public values were authenticated, the resulting shared secret is also authenticated.
- Each public key is a digital signature key (e.g. RSA or DSS), and the device identifiers are derived from the public key (e.g. using the SHA1 hash).
- the parties first obtain a shared secret (e.g. by a Diffie-Hellman exchange, public key encryption, or some equivalent method), and then digitally sign data used to derive it to prove to the other party that there was no man-in-the-middle.
- a shared secret Once a shared secret has been established using any method, it can be used to cryptographically authenticate and/or encrypt any further messages.
- the configuration process may continue with an arbitrary packet exchange 607 protected by the shared secret.
- One possibility is using the IPSEC AH and ESP headers for protecting the rest of the configuration exchange.
- a network device may want to disable listening for configuration packets once it has been configured. However, it cannot do so until after it knows the management station has received the reply packet. Alternatively the network device may accept any time a new configuration packet that correctly indicates the management station as the authenticated transmitting party. This way the operation of the network is easy to change online by reconfiguring the appropriate network devices when necessary.
- a user's view of the configuration process depends on the method used for verifying the other device's device identifier at stages 602 and 605 .
- the following installation process alternatives give an idea of the possible variations:
- Known peer device identifier is explicitly typed in at both management station and new network device.
- Known network device identifier is explicitly typed in at the managemement station but not at the new network device.
- the new network device will display the computed device identifier of the management station and wait for user confirmation. The user will need to verify the device identifier out-of-band (e.g. by telephone, or having previously written it on paper).
- FIG. 7 is a schematic block diagram of those parts of a network device or management station 700 that take part in the operation according to the invention.
- the following explanation of the block diagram refers to a new network device to be configured but the corresponding functions are equal in a management station, although during the remote configuration of a newly added network device they take place in different order in a management station than in the network device to be configured.
- Physical network interface 701 may be any prior art network interface known as such, adapted to receive and transmit packets through the network.
- Device identifier observation block 702 reads device identifiers from received packets to recognise those packets that are meant for this particular network device.
- a positive recognition occurs when the device identifier of the received packet coincides with the network device's own previously stored device identifier, read from the appropriate nonvolatile device identification memory 703 .
- a recognised packet will be written into a scratch pad storage 704 so that a computing block 705 may compute the device identifier of the transmitting device from the public key contained in the received and stored packet.
- the computing block 705 compares the device identifier it has computed against a known correct device identifier inputted by the user through a keypad 707 .
- the network device 700 may show the computed device identifier in a display 708 and wait for a positive or negative acknowledgement from the user through a keypad 707 .
- a positive comparison or positive acknowledgement causes the configuration parameters contained in the received and stored configuration message to be transferred from the scratch pad storage 704 to a nonvolatile configuration memory 709 . If the result of the comparison or acknowledgement is negative, the temporarily stored configuration message is discarded from the scratch pad storage 704 and the network device 700 returns to its original dummy state where it only reads device identifiers from received packets and waits for its own configuration message without processing any other data received from the network.
- a transmitter block 710 assembles a reply packet containing at least the network device's own public key read from the device identification memory 703 and the management station's network address read from the configuration memory 709 as the recipient's address.
- the reply packet is sent through the network interface 701 through the network to the management station.
- the computer 705 may be programmed to use the apparatus already described to carry out any of the various other configuration methods described herein or included within the scope of the claims.
- Memory blocks 703 , 704 , 706 and 709 may be any suitable memory circuits known as such.
- Keypad 707 may be any known keypad or keyboard and display 708 may be a LED display, a LCD screen, a cathode ray tube or any other suitable display known as such.
- the intelligent blocks 702 , 705 and 710 are most advantageously realised in a microprocessor by programming it to perform the necessary functions, which programming as such is within the normal ability of a person skilled in the art.
- a network device and a management station may naturally contain many other parts as those shown in FIG. 7.
- the configuration of FIG. 7 is exemplary in the sense that other arrangements may as well be used to reduce the invention into practice.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A network device (100, 300) is connected to a network (102) having also a management station (107) connected thereto. The method for configuring the network device comprises the steps of
transmitting from the management station a configuration packet to the network device (201),
authenticating at the network device the management station as the genuine transmitter of the configuration packet (202) and
decoding the configuration parameters contained in said configuration packet and storing them as the configuration parameters of the network device (203).
Description
- The present invention deals with a device to be connected to a network and especially its installation and configuration. Installation is a general concept that covers all the hardware operations needed to connect the device to a network. Similarly configuration is understood to cover all the software operations that enable controlled transmission of data in the network between the device concerned and other devices connected to the network. The invention does not limit the type of network in question: it can be the Internet, an intranet, a Local Area Network (LAN), a Wide Area Network (WAN) or any other network intended for transmission of data between electronic terminals. The physical form of the network may be Ethernet, Token Ring, cellular radio network or any other corresponding network known as such.
- Intelligent network devices, such as routers, VPN (Virtual Private Network) devices, print servers, network printers, network cameras, and telecommunications adapters, require detailed configuration data before they can transmit and receive information through the network in a controlled manner. For instance in an P (Internet Protocol) network the device needs to know its own P address and the address of the default gateway, and possibly lots of other configuration data.
- Information travels through the network generally in the form of packets. As background information for the invention, two known addressing schemes for P packets are described, namely the IPv4 (Internet Protocol version 4) and IPv6 (Internet Protocol version 6) packet headers. The layout of an IPv4 packet header is illustrated in FIG. 1, and the layout of an IPv6 packet header is illustrated in FIG. 2. Column numbers in FIGS. 1 and 2 correspond to bits. In FIG. 1, the fields of the known IPv4 header are as follows:
Version Number 101, IHL 102, Type ofService 103,Total Length 104,Identification 105,Flags 106,Fragment Offset 107, Time to Live 108,Protocol 109,Header Checksum 110,Source Address 111,Destination Address 112,Options 113 andPadding 114. In FIG. 2, the fields of the known proposed IPv6 header are as follows:Version Number 201,Traffic Class 202,Flow Label 203,Payload Length 204,Next Header 205,Hop Limit 206,Source Address 207 andDestination Address 208. The use of the fields in the headers is known to the person skilled in the art. An IP packet consists of a header like that of FIG. 1 or 2 accompanied by a data portion. In IPv6, there may be a number of so-called Extension headers between the main header shown in FIG. 2 and the data portion. - In a network where security features are important, an authentication may be performed by computing a Message Authentication Code (MAC) using the contents of the packet and a shared secret key, and sending the computed MAC as a part of the packet in an AH (Authentication Header) or ESP (Encapsulating Security Payload) header. Privacy is typically implemented using encryption, and the ESP header is used. The AH header is illustrated in FIG. 3, where column numbers correspond to bits. The fields of the known AH header are as follows:
Next Header 301,Length 302, Reserved 303,Security Parameters 304 andAuthentication Data 305. The length of thelast field 305 is a variable number of 32-bit words. - The Encapsulating Security Payload (ESP) may appear anywhere in an IP packet after the IP header and before the final transport-layer protocol. The Internet Assigned Numbers Authority has assigned Protocol Number 50 to ESP. The header immediately preceding an ESP header will always contain the value 50 in its Next Header (IPv6) or Protocol (IPv4) field. ESP consists of an unencrypted header followed by encrypted data. The encrypted data includes both the protected ESP header fields and the protected user data, which is either an entire IP datagram or an upper-layer protocol frame (e.g., TCP or UDP). A high-level diagram of a secure IP datagram is illustrated in FIG. 4a, where the fields are
IP Header 401, optionalother IP headers 402,ESP header 403 andecrypted data 404. FIG. 4b illustrates the two parts of an ESP header, which are the 32-bit Security Association Identifier (SPI) 405 and the OpaqueTransform Data field 406, whose length is variable. - Several existing solutions are being used to configure newly installed network devices. Some devices have a display and keyboard for entering configuration data. Others may have a serial port in the device so that it can be attached to a separate configuration terminal for configuration. There are also solutions where a broadcast network packet or a ping packet is used to configure the device.
- Solutions based on having a display and keyboard are often too costly and cumbersome for users. Likewise, attaching a configuration terminal to the device is an extra burden for the user. Methods based on broadcast packets only work in the local network, and cannot be used to configure the device remotely. Remote configuration is becoming more and more desirable, as the number of installed network devices is growing much faster than the number of people skilled enough to configure them. Finally, methods based on a ping packet can be used to configure the device remotely, but are limited in the amount of configuration data. Also, such methods will not work if the device to be configured is behind a device that is also listening for several other configuration packets or if there are similar identical devices on the same network.
- Growing use of networks, especially increasing use of the Internet for electronic commerce and corporate communications is making security ever more important. Attacks against the network infrastructure are increasingly common. One opportunity for performing such attacks is the moment when the network device is being configured. At that time, most devices do not provide any security, and the attacker will be able to load the device with his/her configuration and software. The compromised device can then be instrumental in furthering the attack.
- The existing configuration methods for configuring network devices lack ease of use, robustness, and security. Problems during device configuration are often very difficult for users to understand and solve. It is therefore desirable to provide a method and apparatus for loading configuration data into the network device in a reliable, easy-to-use manner from a network management station controlled by an employee skilled in configurration of new network devices. This allows physical installation of new network devices to be carried out by employees that are not as skilled in configuration of new network devices. This genus of methods and apparatus will be referred to as the unsecure, remote configuration class. Further, in some networks where security is an issue, it is desirable to be able to configure new network devices remotely and securely from a remote network management station. This allows remote configuration via network packets without fear that an interloper with intent to attack the network will be able to intercept and alter the configuration data or other information such as network address or device identifier. The object of this invention is to provide methods, as well as a network device which can carry out the disclosed methods.
- The object of the unsecure, remote configuration methods of the invention is accomplished by installing the network device in a dummy mode, and sending a configuration packet, including a device-specific identifier, to the network device to be configured or reconfigured either by broadcasting a packet containing the new network device's device identifier or sending a configuration packet directly to the network device's network address with the packet containing the device identifier of the device to be configured. The new network device to be remotely configured then either recognizes its device identifier in the broadcast packet or recognizes its device identifier in the packet sent directly to its network address, and uses the data therein to configure itself.
- The object of the secure, remote configuration methods of the invention is accomplished by: transmitting the configuration packet from a remote network management station to the network device to be configured or reconfigured either by broadcast or by direct transmission to the network address of the device to be configured, authenticating the configuration packet at the network device to be configured or reconfigured as being from the proper network management station and containing the proper device identifier or by at least verifying that the configuration packet conatains the properly encrypted device identifier which could only have been encrypted by the authentic network managment station or some other secure information derived from the device identifier which can serve as a reliable indicator of the source of the configuration packet, and then decrypting and using the contents of the authenticated packet to configure the new network device.
- It is characteristic of the secure, remote configuration method according to the invention that it comprises the steps of
- transmitting from the management station a configuration packet to the network device,
- authenticating at the network device the management station as the genuine transmitter of the configuration packet and
- decoding the configuration parameters contained in said configuration packet and storing them as the configuration parameters of the network device.
- The invention applies as well to a network device, of which it is characteristic that it comprises a computing block arranged to
- compute device identifiers from cryptographic keys derived from recognised packets and
- compare computed device identifiers against information used to verify known device identifiers for authentication of transmitting parties.
- According to the invention, each new network device to be configured has a device identifier used to authenticate the device. There is also a management station connected to the network and used to remotely configure freshly installed network devices. The invention does not limit the nature of the device identifier; on the contrary, it should be understood very generally as something that can be used to identify a network device. According to a first embodiment of the invention, the management station knows the device identifier, IP address, default gateway, and other information needed to configure each new network device. When a new network device has been installed into the network it operates initially in a dummy mode where it only reads device identifiers from the packets it receives but does not otherwise process any data transferred in the network (or processes data in a factory-configured manner). The management station sends a specially formatted packet to the broadcast address of the network in which the new network device resides. The special packet contains an identifying code derived from the device identifier of the new network device and possibly other data. Whenever the new network device receives a packet, it checks whether the packet is a special packet with the identifying code matching its own device identifier. If the code matches, the device decodes the special packet, retrieves the configuration information from it and starts using its new configuration. It may also engage in a further information exchange with the management station to obtain further configuration data and to provide feedback to the management station user. In place of the identifying code derived from the device identifier the packet sent by the management station could also be a factory-configured (or generally preconfigured) address other than IP address, e.g. ethernet address, or some other kind of device identifier that the network will recognize.
- According to a second embodiment of the invention the network device has its IP address preconfigured manually before it is installed in the network. Thereafter, the management station may send a configuration packet directly to that address; the network device may even send a packet first to a preconfigured management station address to let know it is there and wants to be configured.
- According to a third embodiment of the invention the network device may obtain its IP address automatically from the network, e.g. using DHCP (Dynamic Host Configuration Protocol). According to a fourth embodiment of the invention the network device might respond to an ARP (Address Resolution Protocol) packet for IP addresses of some format, e.g. after a short delay to give a possible real owner of the address time to respond.
- Security against any network-level attacks can be provided with the method. The device identifier is most advantageously derived from a cryptographic public key. The device identifier may also be the cryptographic key itself or a certificate accompanying it. Both the new network device and the management station may know the other device's device identifier beforehand so that they may recognise a received packet as coming from the correct sender. Alternatively each device may display the identifier computed from data received from the other party to the user and have the user confirm that the identifier is correct. This is called a (manual) verification of the device identifier. Both the new network device and the management station verifies that the cryptographic public key received from the other side matches the (manually) verified device identifier. Then, they cryptographically generate a shared secret using the authenticated cryptographic public keys. One implementation of this is to have each cryptographic public key be a Diffie-Heilman public value. After the authentication and verification stages the configuration may proceed safely.
- The present invention provides a method to remotely configure a network device in a reliable, easy-to-use manner from a separate management station (which can be another network device). Optionally, the method can provide security.
- The method enables devices to be installed by fairly unskilled support personnel, and the technically more demanding configuration operation can be performed by an expert from a management station without needing to travel to the installation site.
- The novel features which are considered as characteristic of the invention are set forth in particular in the appended Claims. The invention itself, however, both as to its construction and its method of operation, together with additional objects and advantages thereof, will be best understood from the following description of specific embodiments when read in connection with the accompanying drawings. Features well-known as such have not been described in detail so as not to obscure the invention.
- FIG. 1 illustrates a known IPv4 packet header,
- FIG. 2 illustrates a known IPv6 packet header,
- FIGS. 3, 4a and 4 b illustrate other known packet headers,
- FIG. 5 illustrates some features of a network and a network device,
- FIG. 6 illustrates a method according to the invention and
- FIG. 7 illustrates a network device according to the invention.
- The invention is here described in terms of a network device attached to an IP (Internet Protocol) network. However, the present invention is equally applicable to other network protocols.
- A
network device 500 in FIG. 5 is a device that has one or more network interfaces 501. A network interface is a connection to thephysical network 502, such as an Ethernet(network, a mobile radio network or some other network. In most networks, each network interface has one or more network addresses 503 that identify the network interface as the transmitter and/or receiver of packets. Network addresses are character strings; in FIG. 5 the characters are represented generally by X's. In an IP network thenetwork address 503 is an IP address. The network knows how to route packets from a transmitting network address to a receiving network address from anywhere in the network. Such routing may involve travelling through multiple network devices, each device sending the packet down a link that it thinks will bring the packet closer to its final destination. - As a network device comes from the manufacturer, it has normally no information about the network address or other configurable data it will have when it is installed in a network. Such configuration data needs to be entered into the device either before or after the device is physically connected to the network in the appropriate location.
- Configuration data is data that the network device needs to know before it can start normal operation. Typically, such data would include an
IP address 503,netmask 504,default gateway address 505, andoperational parameters 506 for thenetwork device 500. Configuration data may also include new software to be downloaded to the device. - A
management station 507 is a network device that will provide the newly installed device with configuration data. It may, but need not, maintain communications with the new network device also after installation. The management station usually has a user interface (keyboard and display). - Part of the present invention is that each network device500 (and management station 507) can have a
device identifier 508, which is a public character string that could e.g. be printed on a sticker and attached to the bottom of the device. Thedevice identifier 508 serves two purposes. Firstly it identifies the device to be configured, so that if multiple devices using the same configuration method are attached to the same network, or there are other network devices on the path that the configuration packet needs to travel to reach its destination, the appropriate network device can be identified and other devices can ignore configuration data which is not intended for them. The other, more important purpose of the device identifier is that if it is derived from an appropriate cryptographic key, the device being configured and the management station can use it to authenticate each other, and to exchange cryptographic keys with each other securely. The device identifier is optional, but multiple configurable devices on the same network cannot be distinguished and security cannot be guaranteed without device identifiers. - It is possible to have the device generate its own device identifier (e.g. when it is first powered on) by some method known as such, and e.g. display the device identifier on screen if the device has one. This may be desirable in some cases to make all devices be identical when they leave the factory.
- The device identifier is used for identifying the particular network device being configured by having the initial packet(s) sent to it contain either the device identifier directly, or some information derived from the device identifier (such as a hash of it and some other data). All receiving devices can then ignore configuration packets that are not destined to themself by checking the device identifier (or derived information) in each received configuration packet. To ease troubleshooting by users, the network device may display a warning if it sees a configuration packet that is not destined to itself. Device identifiers may also contain parity bits or other data that can be used to validate that a user has typed them in correctly.
- To use the device identifier for security, it is a value derived from a cryptographic public key. The public key can be a Diffie-Helman public value, an RSA (Rivest-Shamir-Adelman) key, a DSA key (Digital Signature Algorithm; US Government Digital Signature Standard), or some other public key. The use of Diffie-Hellman public values is known from patents U.S. Pat. No. 4,218,582 and U.S. Pat. No. 4,200,770, and the use of RSA keys is known from patent U.S. Pat. No. 4,405,829. For security, the device identifier should be derived from the public key in a way that makes it very hard to come up with another public key that would have the same identifier. One possible method is to use a cryptographic hash function (e.g. SHA1; Secure Hash Algorithm 1) to compress the public key, and then use an appropriate number of bits from the returned hash value. The use of the SHA1 algorithm is known from the publication “NIST, FIPS PUB 180-1, Secure Hash Standard, April 1995”. To make the device identifier easier for users to communicate, it is also possible to further process it for readability, e.g. by converting it to short English words similarly to what is used by some one-time-password methods.
- An advantageous embodiment of the method according to the invention will be described below with reference to FIG. 6, where a multitude of possible authentication features are included. Later on it will be mentioned, which steps of the method are optional and not necessarily required by the invention.
- To configure a new network device that has been installed in the network, the management station sends at stage601 a specially formatted configuration packet to the new network device. The packet will be addressed so that the new network device will be able to see it. The exact method of doing this depends on the network protocol that is used and on the embodiment of the invention that is applied. In an IP network, the configuration packet can be addressed to the broadcast address of the network containing the new device. This causes all devices on that physical network to see it, including the new device. Addressing directly to the new network device's IP address or some address behind it (for routers) will not work in this embodiment of the invention because the new network device has not yet been configured and consequently the ARP address resolving operation would fail. ARP (Address Resolution Protocol) is a known protocol that resolves IP addresses to Ethernet( addresses. Other alternatives than using the broadcast address have been described above in the general description of the invention.
- The configuration packet will typically contain the new device's device identifier (or derivation thereof), the device's IP address, netmask, default gateway, and the management station's IP address and device identifier and/or public key. It may also contain information for setting up a shared secret, such as the management station's Diffie-Hellman public value and/or a certificate that will be used to verify that the packet came from the correct management station.
- Each party (new network device and management station) needs to be assured that it is communicating directly with the other device and not with some intermediary (man-in-the-middle) that could modify the configuration data as it is transferred. If a single configuration packet is used without a further packet exchange, it may be sufficient to perform one-sided authentication, meaning that the new network device is assured that it receives the configuration packet directly from the management station without any intermediary tampering with the contents of the configuration packet.
- To authenticate bidirectionally and to establish security according to FIG. 6, each party will send its public key to the other party. At
stage 601 the management station sends its public key to the new network device along with the configuration packet. When a new network device receives the configuration packet labelled with its own device identifier, it computes atstage 602 the transmitting party's device identifier from the public key (and whatever other data might be used in the computation in a particular implementation) included in the configuration packet. It verifies that the device identifier it got by computing matches the known device identifier of the correct management station. The invention does not limit the way how this check is accomplished. There are several possible ways, like the following: - the network device displays the computed device identifier to a user, and the user verifies it using some out-of-band means (e.g. phone call or checking against written notes), and either accepts or rejects the identifier (e.g. by pressing the appropriate button),
- the device identifier identifying the correct management station has been entered into the new network device beforehand, or a user types it in on location by using a keyboard, and the new network device compares the typed identifier electronically against the computed one, or
- the device identifier is verified using some other means, such as checking a certificate or using a value stored in tamper-resistant memory means to verify that the identifier is acceptable; if a certificate contained in the packet is to be used the network device will most likely have the public key or a certificate of a CA (Certification Authority) in memory.
- After checking the identity of the management station at
stage 602, the new network device may compute a shared secret atstage 603 using any method known as such, some of which are listed below, and set up whatever method will be used for further communication with the management station. With IPSEC, for instance, it could set up an AH or ESP security association with the management station. Atstage 604 the network device sends a reply packet back to the management station, typically containing its own device identifier, its Diffie-Helman public value or other public key, and other information depending on the particular application. - Upon receiving the reply packet, the management station will verify at
stage 605 that the received public key or corresponding value matches the correct device identifier. Same methods may be applied as the other way round atstage 602. The management station may compute the shared secret atstage 606 before setting up whatever method will be used for further communication with the management station. - The calculation of a shared secret at
stages - Each public key is a Diffie-Hellman public value, and the device identifiers are derived from the public value (e.g. using the SHA1 hash); effectively, each party authenticates each other's public value, and computes the Diffie-Hellman shared secret. Because both public values were authenticated, the resulting shared secret is also authenticated.
- Each public key is a digital signature key (e.g. RSA or DSS), and the device identifiers are derived from the public key (e.g. using the SHA1 hash). The parties first obtain a shared secret (e.g. by a Diffie-Hellman exchange, public key encryption, or some equivalent method), and then digitally sign data used to derive it to prove to the other party that there was no man-in-the-middle.
- If the key agreement method uses implicit authentication, it may be necessary to actually use the shared secret to prove its possession to the other party.
- Once a shared secret has been established using any method, it can be used to cryptographically authenticate and/or encrypt any further messages. The configuration process may continue with an
arbitrary packet exchange 607 protected by the shared secret. A number of well-established methods exist for doing this once the shared secret is available. One possibility is using the IPSEC AH and ESP headers for protecting the rest of the configuration exchange. - It is also conceivable to use symmetric cryptographic keys with tamper-resistant hardware. In this case, the devices typically already have a shared secret key. No explicit authentication is necessary. The parties can directly use their secret key to encrypt or authenticate any messages they send, and the correct key will be needed by the other party to decrypt messages or generate/validate authentication codes. If cryptographic authentication is not required, it may be omitted from
stages - Appropriate timeouts and recovery mechanisms must be used to cope with packets lost in the network. For instance, a network device may want to disable listening for configuration packets once it has been configured. However, it cannot do so until after it knows the management station has received the reply packet. Alternatively the network device may accept any time a new configuration packet that correctly indicates the management station as the authenticated transmitting party. This way the operation of the network is easy to change online by reconfiguring the appropriate network devices when necessary.
- A user's view of the configuration process depends on the method used for verifying the other device's device identifier at
stages - Known peer device identifier is explicitly typed in at both management station and new network device.
- Known network device identifier is explicitly typed in at the managemement station but not at the new network device. When the management station has sent the configuration packet to the new network device, the new network device will display the computed device identifier of the management station and wait for user confirmation. The user will need to verify the device identifier out-of-band (e.g. by telephone, or having previously written it on paper).
- No device identifier typed in on either side; both sides display it on screen for verification.
- FIG. 7 is a schematic block diagram of those parts of a network device or
management station 700 that take part in the operation according to the invention. The following explanation of the block diagram refers to a new network device to be configured but the corresponding functions are equal in a management station, although during the remote configuration of a newly added network device they take place in different order in a management station than in the network device to be configured.Physical network interface 701 may be any prior art network interface known as such, adapted to receive and transmit packets through the network. Deviceidentifier observation block 702 reads device identifiers from received packets to recognise those packets that are meant for this particular network device. A positive recognition occurs when the device identifier of the received packet coincides with the network device's own previously stored device identifier, read from the appropriate nonvolatiledevice identification memory 703. A recognised packet will be written into ascratch pad storage 704 so that acomputing block 705 may compute the device identifier of the transmitting device from the public key contained in the received and stored packet. To authenticate the transmitting device, thecomputing block 705 compares the device identifier it has computed against a known correct device identifier inputted by the user through akeypad 707. Alternately thenetwork device 700 may show the computed device identifier in adisplay 708 and wait for a positive or negative acknowledgement from the user through akeypad 707. It is also possible to have the information used in the authentication read from a tamper-resistant memory 706. A positive comparison or positive acknowledgement causes the configuration parameters contained in the received and stored configuration message to be transferred from thescratch pad storage 704 to anonvolatile configuration memory 709. If the result of the comparison or acknowledgement is negative, the temporarily stored configuration message is discarded from thescratch pad storage 704 and thenetwork device 700 returns to its original dummy state where it only reads device identifiers from received packets and waits for its own configuration message without processing any other data received from the network. - After the transmitting management station has been correctly authenticated, a
transmitter block 710 assembles a reply packet containing at least the network device's own public key read from thedevice identification memory 703 and the management station's network address read from theconfiguration memory 709 as the recipient's address. The reply packet is sent through thenetwork interface 701 through the network to the management station. - Alternatively, the
computer 705 may be programmed to use the apparatus already described to carry out any of the various other configuration methods described herein or included within the scope of the claims. - Memory blocks703, 704, 706 and 709 may be any suitable memory circuits known as such.
Keypad 707 may be any known keypad or keyboard anddisplay 708 may be a LED display, a LCD screen, a cathode ray tube or any other suitable display known as such. Theintelligent blocks
Claims (15)
1. A method for configuring a network device connected to a network having also a management station connected thereto, comprising the steps of
transmitting to a network device coupled to a network from a management station (hereafter the “genuine transmitter”) also coupled to said network a configuration packet to said network device, said configuration packet containing configuration parameters to configure said network device,
authenticating at said network device said management station as the genuine transmitter of said configuration packet and,
decoding said configuration parameters contained in said configuration packet and storing them as said configuration parameters of said network device so as to configure said network device.
2. A method according to claim 1 , wherein both said management station and said network device each have a unique device identifier for authentication, and each device identifier has been derived from a certain cryptographic key.
3. A method according to claim 2 , wherein each device identifier has been derived from a certain Diffie-Hellman public value.
4. A method according to claim 2 , additionally comprising the steps of
including at said management station said cryptographic key into said configuration packet from which said device identifier of said management station has been formed,
computing at said network device, on the basis of said cryptographic key extracted from a received configuration packet, a computed device identifier, and
verifying that said computed device identifier is a valid identifier for said management station.
5. A method according to claim 4 , additionally comprising the step of at said network device using information read from a memory to verify that the received configuration packet came from said management station.
6. A method according to claim 4 , additionally comprising the step of manual verification that said computed device identifier corresponds to a known device identifier of said management station.
7. A method according to claim 4 , additionally comprising the step of deriving from said cryptographic key a shared secret for authenticating and optionally encrypting subsequent packets.
8. A method of configuring a network device coupled to a network from a remote management station also coupled to said network to which said network device is coupled, comprising:
transmitting from a management station coupled to a network to a network device to be configured or reconfigured and also coupled to said network a configuration packet containing a device identifier unique to the network device to be configured, and containing configuration data for said network device;
at said network device to be configured or reconfigured, recognizing the device identifier in said configuration packet as said device identifier assigned to the network device to be configured or reconfigured; and
using said configuration data of said configuration packet which contains a device identifier unique to said network device to be configured or reconfigured to configure said network device.
9. The method of claim 8 further comprising a step of authenticating said configuration packet as being from said management station and not from some other source not authorized to configure said network device.
10. The method of claim 8 wherein said step of transmitting said configuration packet comprises a step of transmitting said configuration packet to said network address of said network device to be configured with said configuration packet containing either a device identifier unique to said network device to be configured or cryptographic information from which said device identifier can be derived, and wherein said step of recognizing said device identifier comprises either examining said device identifier contained in said configuration packet or deriving a device identifier from said cryptographic information contained in said configuration packet and discarding any packet that does not contain said device identifier of said network device to be configured or reconfigured.
11. A method in a network device for configuring the network device, the network device being connected to a network, comprising the steps of
reception of a configuration packet by the network device from a second network device,
obtaining of the device identifier of said second network device from the received packet, and
verification that the device identifier is derived from a public key via a hash function.
12. A method according to claim 11 , further comprising the step of obtaining the public key from the received packet.
13. A method according to claim 11 , further comprising the step of obtaining the public key from memory of the network device.
14. A method according to claim 11 , further comprising the step of decoding configuration parameters in said configuration packet and storing them as configuration parameters of the network device so as to configure the network device.
15. A method according to claim 11 , further comprising the steps of
obtaining of a digital signature value from the received packet, and
verification of said digital signature value with said public key.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/846,614 US20040250072A1 (en) | 1998-06-10 | 2004-05-14 | Network connectable device and method for its installation and configuration |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FI981324 | 1998-06-10 | ||
FI981324A FI105739B (en) | 1998-06-10 | 1998-06-10 | Network-connectable arrangement and method for its installation and configuration |
US09/326,003 US6782474B1 (en) | 1998-06-10 | 1999-06-04 | Network connectable device and method for its installation and configuration |
US10/846,614 US20040250072A1 (en) | 1998-06-10 | 2004-05-14 | Network connectable device and method for its installation and configuration |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/326,003 Continuation US6782474B1 (en) | 1998-06-10 | 1999-06-04 | Network connectable device and method for its installation and configuration |
Publications (1)
Publication Number | Publication Date |
---|---|
US20040250072A1 true US20040250072A1 (en) | 2004-12-09 |
Family
ID=8551948
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/326,003 Expired - Lifetime US6782474B1 (en) | 1998-06-10 | 1999-06-04 | Network connectable device and method for its installation and configuration |
US10/846,614 Abandoned US20040250072A1 (en) | 1998-06-10 | 2004-05-14 | Network connectable device and method for its installation and configuration |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/326,003 Expired - Lifetime US6782474B1 (en) | 1998-06-10 | 1999-06-04 | Network connectable device and method for its installation and configuration |
Country Status (2)
Country | Link |
---|---|
US (2) | US6782474B1 (en) |
FI (1) | FI105739B (en) |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020062364A1 (en) * | 2000-11-17 | 2002-05-23 | Fujitsu Limited | Network device management method, system and management equipment thereof |
US20030212889A1 (en) * | 2002-05-13 | 2003-11-13 | Khieu Andrew K. | Method and system for exchanging data over networks using public key encryption |
US20030212892A1 (en) * | 2002-05-09 | 2003-11-13 | Canon Kabushiki Kaisha | Public key certification issuing apparatus |
US20040078583A1 (en) * | 2002-10-18 | 2004-04-22 | Hitachi, Ltd. | Storage device and method of setting configuration information of same |
US20050096795A1 (en) * | 2003-11-04 | 2005-05-05 | Krieter Kenneth J. | Wireless fluid inventory management system |
US20060015587A1 (en) * | 2004-06-23 | 2006-01-19 | Nokia Inc. | System and method for selecting of versions for SNMP communication |
US20060200471A1 (en) * | 2005-03-04 | 2006-09-07 | Network Appliance, Inc. | Method and apparatus for communicating between an agent and a remote management module in a processing system |
US20070118571A1 (en) * | 2005-11-23 | 2007-05-24 | Research In Motion Limited | Method and apparatus for synchronizing databases connected by wireless interface |
US20070186110A1 (en) * | 2006-02-06 | 2007-08-09 | Sony Corporation | Information processing apparatus, information recording medium manufacturing apparatus, information recording medium, information processing method, information recording medium manufacturing method, and computer program |
US20070234050A1 (en) * | 2006-04-04 | 2007-10-04 | Tomasz Hillar | Communications system and method |
US20080130844A1 (en) * | 2006-09-01 | 2008-06-05 | Christopher Todd Hubbard | System and method for self-configuring sip-capable device |
US20100115628A1 (en) * | 2004-09-03 | 2010-05-06 | Microsoft Corporation | Digital rights management scheme for an on-demand distributed streaming system |
US7783043B1 (en) * | 2002-08-05 | 2010-08-24 | Nortel Networks Limited | Secure group communications |
US20100226315A1 (en) * | 2009-03-03 | 2010-09-09 | Qualcomm Incorporated | Scalable header extension |
US20100296655A1 (en) * | 2008-03-10 | 2010-11-25 | Nds Limited | Key distribution system |
US20110218992A1 (en) * | 2010-03-05 | 2011-09-08 | Apple Inc. | Relevancy ranking for map-related search |
US8082444B1 (en) * | 2004-03-25 | 2011-12-20 | Verizon Corporate Services Group Inc. | System and method for adding new network devices to an existing network |
US8090810B1 (en) * | 2005-03-04 | 2012-01-03 | Netapp, Inc. | Configuring a remote management module in a processing system |
US20130318343A1 (en) * | 2012-05-22 | 2013-11-28 | Cisco Technology, Inc. | System and method for enabling unconfigured devices to join an autonomic network in a secure manner |
CN103460649A (en) * | 2011-03-29 | 2013-12-18 | 横河电机株式会社 | Connection setting information administration system |
US9853862B2 (en) | 2014-05-26 | 2017-12-26 | Axis Ab | Automatic configuration of a replacement camera |
EP3301958B1 (en) | 2004-12-23 | 2022-09-21 | Intellectual Ventures I LLC | Systems and methods for the connection and remote configuration of wireless clients |
Families Citing this family (58)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CA2402389A1 (en) * | 2000-03-08 | 2002-09-19 | Shuffle Master, Inc. | Computerized gaming system, method and apparatus |
US20010037314A1 (en) * | 2000-03-30 | 2001-11-01 | Ishikawa Mark M. | System, method and apparatus for authenticating the distribution of data |
US6996238B2 (en) * | 2000-10-02 | 2006-02-07 | Sony Corporation | Method for generating and looking-up transaction keys in communication networks |
JP4609683B2 (en) * | 2000-11-30 | 2011-01-12 | ソニー株式会社 | Information processing apparatus and method, and program storage medium |
US8219662B2 (en) | 2000-12-06 | 2012-07-10 | International Business Machines Corporation | Redirecting data generated by network devices |
US6978301B2 (en) * | 2000-12-06 | 2005-12-20 | Intelliden | System and method for configuring a network device |
US7054946B2 (en) * | 2000-12-06 | 2006-05-30 | Intelliden | Dynamic configuration of network devices to enable data transfers |
EP1342343B1 (en) * | 2000-12-23 | 2006-11-08 | Hirschmann Electronics GmbH & Co. KG | Automatic configuration of network components |
US7349957B1 (en) * | 2001-03-01 | 2008-03-25 | Smith Micro Software, Inc. | Network management method and tool |
US7150037B2 (en) * | 2001-03-21 | 2006-12-12 | Intelliden, Inc. | Network configuration manager |
US20020178241A1 (en) * | 2001-04-03 | 2002-11-28 | Par Eriksson | Framework for a dynamic management system |
US7203837B2 (en) * | 2001-04-12 | 2007-04-10 | Microsoft Corporation | Methods and systems for unilateral authentication of messages |
US7089297B1 (en) * | 2001-05-25 | 2006-08-08 | Oracle International Corporation | Mechanism for automatically configuring a network resource |
CN1146270C (en) * | 2001-06-27 | 2004-04-14 | 华为技术有限公司 | Method for automatically obtaining IP address of equipment |
US20030018758A1 (en) * | 2001-07-13 | 2003-01-23 | Changguan Fan | Generically provisioning an appliance |
US7240102B1 (en) * | 2001-08-03 | 2007-07-03 | Mcafee, Inc. | System and method for providing web browser-based secure remote network appliance configuration in a distributed computing environment |
US8296400B2 (en) | 2001-08-29 | 2012-10-23 | International Business Machines Corporation | System and method for generating a configuration schema |
US7155497B2 (en) * | 2001-09-27 | 2006-12-26 | Hewlett-Packard Development Company, L.P. | Configuring a network parameter to a device |
US20030069949A1 (en) * | 2001-10-04 | 2003-04-10 | Chan Michele W. | Managing distributed network infrastructure services |
US20030074268A1 (en) | 2001-10-11 | 2003-04-17 | Haines Robert E. | User and device interactions for web consolidation |
US20030074547A1 (en) * | 2001-10-11 | 2003-04-17 | Haines Robert E. | Hardcopy output engine consumable supply management and method |
US20030072027A1 (en) * | 2001-10-11 | 2003-04-17 | Haines Robert E. | Unique identifier for customer account and method |
US20030074428A1 (en) * | 2001-10-11 | 2003-04-17 | Haines Robert E. | Device configuration method and apparatus |
US7065562B2 (en) * | 2001-11-26 | 2006-06-20 | Intelliden, Inc. | System and method for generating a representation of a configuration schema |
US20030163570A1 (en) * | 2002-02-26 | 2003-08-28 | Sun Microsystems, Inc. | Command line interface session tool |
US7805606B2 (en) * | 2002-07-29 | 2010-09-28 | Bea Systems, Inc. | Computer system for authenticating a computing device |
US20040028069A1 (en) * | 2002-08-07 | 2004-02-12 | Tindal Glen D. | Event bus with passive queuing and active routing |
US7366893B2 (en) * | 2002-08-07 | 2008-04-29 | Intelliden, Inc. | Method and apparatus for protecting a network from attack |
US20040030771A1 (en) * | 2002-08-07 | 2004-02-12 | John Strassner | System and method for enabling directory-enabled networking |
US20040054747A1 (en) * | 2002-09-12 | 2004-03-18 | International Business Machines Corporation | Pervasive home network appliance |
US20040078457A1 (en) * | 2002-10-21 | 2004-04-22 | Tindal Glen D. | System and method for managing network-device configurations |
US7284126B2 (en) * | 2002-11-12 | 2007-10-16 | Agilent Technologies, Inc. | Device authentication using pre-configured security keys |
US20040230681A1 (en) * | 2002-12-06 | 2004-11-18 | John Strassner | Apparatus and method for implementing network resources to provision a service using an information model |
US7188161B1 (en) | 2003-02-11 | 2007-03-06 | At&T Corp. | Method for configuring a network element at a customer premise via a mobile data terminal |
US7865577B1 (en) | 2003-02-11 | 2011-01-04 | At&T Intellectual Property Ii, L.P. | Enhanced network elements and a method for configuring the enhanced network element via a trusted configuration device |
US8245032B2 (en) * | 2003-03-27 | 2012-08-14 | Avaya Inc. | Method to authenticate packet payloads |
US20050213768A1 (en) * | 2004-03-24 | 2005-09-29 | Durham David M | Shared cryptographic key in networks with an embedded agent |
US7653727B2 (en) * | 2004-03-24 | 2010-01-26 | Intel Corporation | Cooperative embedded agents |
DE102004037801B4 (en) * | 2004-08-03 | 2007-07-26 | Siemens Ag | Method for secure data transmission |
JP2006050267A (en) * | 2004-08-04 | 2006-02-16 | Matsushita Electric Ind Co Ltd | IPsec COMMUNICATION METHOD, COMMUNICATION CONTROLLER AND NETWORK CAMERA |
US7509324B2 (en) * | 2004-09-07 | 2009-03-24 | General Electric Company | Apparatus and method for sharing configuration data among a plurality of devices |
US8156207B2 (en) * | 2004-10-08 | 2012-04-10 | Hewlett-Packard Development Company, L.P. | Method and apparatus for remotely configuring network devices |
US20060150240A1 (en) * | 2005-01-03 | 2006-07-06 | Jason Robinson | Application-specific network access management system |
US7853703B1 (en) * | 2005-03-24 | 2010-12-14 | Google, Inc. | Methods and apparatuses for identification of device presence |
US20070033404A1 (en) * | 2005-08-04 | 2007-02-08 | Toshiba Corporation | System and method for the secure recognition of a network device |
US20070039039A1 (en) | 2005-08-10 | 2007-02-15 | Microsoft Corporation | Authorization of device access to network services |
US7958346B2 (en) * | 2005-08-18 | 2011-06-07 | Oracle International Corp. | Multilayered security for systems interacting with configuration items |
WO2007105838A1 (en) * | 2006-03-14 | 2007-09-20 | Korea Institute Of Science And Technology | A intelligent computing device agent system for automatic recognition of multi user computing environment and information sharing setup |
US8799989B1 (en) * | 2011-12-16 | 2014-08-05 | Google Inc. | Network settings browser synchronization |
US9154308B2 (en) * | 2013-09-27 | 2015-10-06 | Google Inc. | Revocable platform identifiers |
US10397186B2 (en) | 2017-10-06 | 2019-08-27 | Stealthpath, Inc. | Methods for internet communication security |
US10374803B2 (en) | 2017-10-06 | 2019-08-06 | Stealthpath, Inc. | Methods for internet communication security |
US10375019B2 (en) | 2017-10-06 | 2019-08-06 | Stealthpath, Inc. | Methods for internet communication security |
US10630642B2 (en) | 2017-10-06 | 2020-04-21 | Stealthpath, Inc. | Methods for internet communication security |
US10367811B2 (en) | 2017-10-06 | 2019-07-30 | Stealthpath, Inc. | Methods for internet communication security |
US10361859B2 (en) | 2017-10-06 | 2019-07-23 | Stealthpath, Inc. | Methods for internet communication security |
CN110276191A (en) * | 2019-05-06 | 2019-09-24 | 阿里巴巴集团控股有限公司 | A kind of equipment configuration method, device and electronic equipment |
US11558423B2 (en) | 2019-09-27 | 2023-01-17 | Stealthpath, Inc. | Methods for zero trust security with high quality of service |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6092191A (en) * | 1995-11-30 | 2000-07-18 | Kabushiki Kaisha Toshiba | Packet authentication and packet encryption/decryption scheme for security gateway |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6424717B1 (en) * | 1995-04-03 | 2002-07-23 | Scientific-Atlanta, Inc. | Encryption devices for use in a conditional access system |
DE69635264T2 (en) * | 1995-12-08 | 2006-07-20 | Nippon Telegraph And Telephone Corp. | Method and apparatus for communication with packet encryption |
US6240513B1 (en) * | 1997-01-03 | 2001-05-29 | Fortress Technologies, Inc. | Network security device |
US6101255A (en) * | 1997-04-30 | 2000-08-08 | Motorola, Inc. | Programmable cryptographic processing system and method |
US6154839A (en) * | 1998-04-23 | 2000-11-28 | Vpnet Technologies, Inc. | Translating packet addresses based upon a user identifier |
-
1998
- 1998-06-10 FI FI981324A patent/FI105739B/en not_active IP Right Cessation
-
1999
- 1999-06-04 US US09/326,003 patent/US6782474B1/en not_active Expired - Lifetime
-
2004
- 2004-05-14 US US10/846,614 patent/US20040250072A1/en not_active Abandoned
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6092191A (en) * | 1995-11-30 | 2000-07-18 | Kabushiki Kaisha Toshiba | Packet authentication and packet encryption/decryption scheme for security gateway |
Cited By (45)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020062364A1 (en) * | 2000-11-17 | 2002-05-23 | Fujitsu Limited | Network device management method, system and management equipment thereof |
US7124177B2 (en) * | 2000-11-17 | 2006-10-17 | Fuji Xerox Co., Ltd. | Network device management method, system and management equipment thereof |
US7461251B2 (en) | 2002-05-09 | 2008-12-02 | Canon Kabushiki Kaisha | Public key certification issuing apparatus |
US20030212892A1 (en) * | 2002-05-09 | 2003-11-13 | Canon Kabushiki Kaisha | Public key certification issuing apparatus |
US20030212889A1 (en) * | 2002-05-13 | 2003-11-13 | Khieu Andrew K. | Method and system for exchanging data over networks using public key encryption |
US8300830B2 (en) | 2002-08-05 | 2012-10-30 | Rockstar Bidco Lp | Secure group communications |
US9071588B2 (en) | 2002-08-05 | 2015-06-30 | Rpx Clearinghouse Llc | Secure group communications |
US20100290625A1 (en) * | 2002-08-05 | 2010-11-18 | Nortel Networks Limited | Secure group communications |
US7783043B1 (en) * | 2002-08-05 | 2010-08-24 | Nortel Networks Limited | Secure group communications |
US7136939B2 (en) * | 2002-10-18 | 2006-11-14 | Hitachi, Ltd. | Storage device and method of setting configuration information of same |
US20090248905A1 (en) * | 2002-10-18 | 2009-10-01 | Hitachi, Ltd. | Storage Device and Method of Setting Cofiguration Information of same |
US20040078583A1 (en) * | 2002-10-18 | 2004-04-22 | Hitachi, Ltd. | Storage device and method of setting configuration information of same |
US20070038747A1 (en) * | 2002-10-18 | 2007-02-15 | Hitachi, Ltd. | Storage device and method of setting configuration information of same |
US7877520B2 (en) | 2002-10-18 | 2011-01-25 | Hitachi, Ltd. | Storage device and method of setting configuration information of same |
US7562160B2 (en) * | 2002-10-18 | 2009-07-14 | Hitachi, Ltd. | Storage device and method of setting configuration information of same |
US20050096795A1 (en) * | 2003-11-04 | 2005-05-05 | Krieter Kenneth J. | Wireless fluid inventory management system |
US8082444B1 (en) * | 2004-03-25 | 2011-12-20 | Verizon Corporate Services Group Inc. | System and method for adding new network devices to an existing network |
US7472177B2 (en) * | 2004-06-23 | 2008-12-30 | Nokia Inc. | System and method for selecting of versions for SNMP communication |
US20060015587A1 (en) * | 2004-06-23 | 2006-01-19 | Nokia Inc. | System and method for selecting of versions for SNMP communication |
US8375456B2 (en) * | 2004-09-03 | 2013-02-12 | Microsoft Corp. | Digital rights management scheme for an on-demand distributed streaming system |
US20100115628A1 (en) * | 2004-09-03 | 2010-05-06 | Microsoft Corporation | Digital rights management scheme for an on-demand distributed streaming system |
EP3301958B1 (en) | 2004-12-23 | 2022-09-21 | Intellectual Ventures I LLC | Systems and methods for the connection and remote configuration of wireless clients |
US8090810B1 (en) * | 2005-03-04 | 2012-01-03 | Netapp, Inc. | Configuring a remote management module in a processing system |
US20060200471A1 (en) * | 2005-03-04 | 2006-09-07 | Network Appliance, Inc. | Method and apparatus for communicating between an agent and a remote management module in a processing system |
US8291063B2 (en) | 2005-03-04 | 2012-10-16 | Netapp, Inc. | Method and apparatus for communicating between an agent and a remote management module in a processing system |
US20070118571A1 (en) * | 2005-11-23 | 2007-05-24 | Research In Motion Limited | Method and apparatus for synchronizing databases connected by wireless interface |
US8185732B2 (en) * | 2006-02-06 | 2012-05-22 | Sony Corporation | Selecting and executing a content code corresponding to an information processing apparatus based on apparatus check information at the time of processing using the content code |
US20070186110A1 (en) * | 2006-02-06 | 2007-08-09 | Sony Corporation | Information processing apparatus, information recording medium manufacturing apparatus, information recording medium, information processing method, information recording medium manufacturing method, and computer program |
US8671283B2 (en) | 2006-02-06 | 2014-03-11 | Sony Corporation | Checking of apparatus certificates and apply codes associated with apparatus identifiers found in apparatus certificates |
US20070234050A1 (en) * | 2006-04-04 | 2007-10-04 | Tomasz Hillar | Communications system and method |
US20080130844A1 (en) * | 2006-09-01 | 2008-06-05 | Christopher Todd Hubbard | System and method for self-configuring sip-capable device |
US8964952B2 (en) * | 2006-09-01 | 2015-02-24 | Interactive Intelligence Group, Inc. | System and method for self-configuring sip-capable device |
US20100296655A1 (en) * | 2008-03-10 | 2010-11-25 | Nds Limited | Key distribution system |
US8396222B2 (en) * | 2008-03-10 | 2013-03-12 | Nds Limited | Key distribution system |
US8711771B2 (en) * | 2009-03-03 | 2014-04-29 | Qualcomm Incorporated | Scalable header extension |
US20100226315A1 (en) * | 2009-03-03 | 2010-09-09 | Qualcomm Incorporated | Scalable header extension |
US8838586B2 (en) * | 2010-03-05 | 2014-09-16 | Apple Inc. | Relevancy ranking for map-related search |
US20110218992A1 (en) * | 2010-03-05 | 2011-09-08 | Apple Inc. | Relevancy ranking for map-related search |
CN103460649A (en) * | 2011-03-29 | 2013-12-18 | 横河电机株式会社 | Connection setting information administration system |
US20140019599A1 (en) * | 2011-03-29 | 2014-01-16 | Yokogawa Electric Corporation | Connection setting information managing system |
US10050929B2 (en) * | 2011-03-29 | 2018-08-14 | Yokogawa Electric Corporation | Connection setting information managing system |
US20130318343A1 (en) * | 2012-05-22 | 2013-11-28 | Cisco Technology, Inc. | System and method for enabling unconfigured devices to join an autonomic network in a secure manner |
US9130837B2 (en) * | 2012-05-22 | 2015-09-08 | Cisco Technology, Inc. | System and method for enabling unconfigured devices to join an autonomic network in a secure manner |
US9774452B2 (en) | 2012-05-22 | 2017-09-26 | Cisco Technology, Inc. | System and method for enabling unconfigured devices to join an autonomic network in a secure manner |
US9853862B2 (en) | 2014-05-26 | 2017-12-26 | Axis Ab | Automatic configuration of a replacement camera |
Also Published As
Publication number | Publication date |
---|---|
FI981324A (en) | 1999-12-11 |
FI981324A0 (en) | 1998-06-10 |
US6782474B1 (en) | 2004-08-24 |
FI105739B (en) | 2000-09-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6782474B1 (en) | Network connectable device and method for its installation and configuration | |
Tschofenig et al. | Transport layer security (tls)/datagram transport layer security (dtls) profiles for the internet of things | |
JP4504713B2 (en) | How to authenticate the packet payload | |
Kaufman et al. | Internet key exchange protocol version 2 (IKEv2) | |
Aboba et al. | RADIUS (remote authentication dial in user service) support for extensible authentication protocol (EAP) | |
US7584505B2 (en) | Inspected secure communication protocol | |
US7320143B2 (en) | Method of gaining secure access to intranet resources | |
CN1833403B (en) | Communication system, communication device and communication method | |
US8886934B2 (en) | Authorizing physical access-links for secure network connections | |
US7865727B2 (en) | Authentication for devices located in cable networks | |
US7991993B2 (en) | Telecommunication system, for example an IP telecommunication system, and equipment units for use in the system | |
US20120036567A1 (en) | Methods for establishing a security session in a communications system | |
US20030023845A1 (en) | Method and apparatus for providing secure streaming data transmission facilites using unreliable protocols | |
CN103188351B (en) | IPSec VPN traffic method for processing business and system under IPv6 environment | |
CN1842993B (en) | Providing credentials | |
US20140181967A1 (en) | Providing-replay protection in systems using group security associations | |
US20050257039A1 (en) | Virtual private network configuration system and method | |
CN113904809B (en) | Communication method, device, electronic equipment and storage medium | |
US7536719B2 (en) | Method and apparatus for preventing a denial of service attack during key negotiation | |
Fossati | RFC 7925: Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) Profiles for the Internet of Things | |
CN1197324C (en) | Method for identifying Internet users | |
Kivinen | Minimal internet key exchange version 2 (ikev2) initiator implementation | |
US20080104693A1 (en) | Transporting keys between security protocols | |
CN112839062B (en) | Port hiding method, device and equipment with mixed authentication signals | |
Schwenk | IP Security (IPSec) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |