
Authenticating Open Shortest Path First (OSPF) Packets

Abstract: The present subject matter relates to authenticating open shortest path first (OSPF) packets in a network device (100) comprising an active control plane module (102) and a standby control plane module (104). In an implementation, the standby control plane module (104) increments a high-order 32 bits of a cryptographic sequence number in an authentication trailer of a current OSPF packet to be transmitted by the network device (100) upon occurrence of a switch-over from the active control plane module (102) to the standby control plane module (104). The value of the incremented high-order 32 bits (214) of the current OSPF packet is greater than that of the high-order 32 bits (214) of a previous OSPF packet transmitted by the network device (100) prior to the switch-over. Further, the current OSPF packet is transmitted to a peer network device, wherein the peer network device authenticates the current OSPF packet based on the cryptographic sequence number comprising the incremented high-order 32 bits (214).


Patent Information

Application #:
Filing Date: 22 September 2014
Publication Number: 14/2016
Publication Type: INA
Invention Field: COMMUNICATION
Status:
Email: iprdel@lakshmisri.com
Parent Application:

Applicants

ALCATEL LUCENT
148/152 route de la Reine 92100, Boulogne-Billancourt

Inventors

1. BHATIA, Manav
C804, Spring Fields Sarjapur Road Bangalore Karnataka 560102

Specification

TECHNICAL FIELD
[0001] The present subject matter relates to communication networks and, particularly but not exclusively, to the open shortest path first (OSPF) routing protocol for communication networks.
BACKGROUND
[0002] Open shortest path first (OSPF) is a dynamic routing protocol for Internet protocol (IP) based communication networks. To enable network devices, such as routers or switches, to communicate based on the OSPF protocol, an OSPF control plane module is implemented in each of the network devices. In some cases, for the purpose of providing fault tolerance, more than one OSPF control plane module may be implemented in each of the network devices. Typically, the network device includes a primary-card OSPF control plane module and one or more standby OSPF control plane modules that are included in order to provide redundancy in the event of failure of the primary OSPF control plane module.
[0003] The redundant OSPF control plane module is required to assume the responsibilities of a failed primary OSPF control plane module almost instantly. For this reason, the primary OSPF control plane module and the redundant OSPF control plane module should be synchronized, i.e., they should have access to the same system information. Although synchronization between the primary OSPF control plane module and the redundant OSPF control plane module is required, it is an overhead and increases the load on the network devices. Accordingly, it is desired that the synchronization does not involve excessive communication between the primary OSPF control plane module and the redundant OSPF control plane module, and efforts are made to minimize redundant communication between the primary OSPF control plane module and the redundant OSPF control plane module of a network device.
SUMMARY
[0004] This summary is provided to introduce concepts related to authentication of open shortest path first (OSPF) packets. This summary is not intended to identify essential features of the claimed subject matter, nor is it intended for use in determining or limiting the scope of the claimed subject matter.
[0005] In an embodiment of the present subject matter, a method for authenticating an OSPF packet in a network device comprising an active control plane module and a standby control plane module is described. The method comprises performing a switch-over from the active control plane module to the standby control plane module. Based on the switch-over, the standby control plane module increments the high-order 32 bits of a cryptographic sequence number in an authentication trailer of a current OSPF packet to be transmitted by the network device. The high-order 32 bits are incremented so that the high-order 32 bits of the current OSPF packet have a value greater than that of the high-order 32 bits of a previous OSPF packet transmitted by the network device prior to the switch-over. The method further comprises transmitting the current OSPF packet to a peer network device coupled to the network device, wherein the peer network device is to authenticate the current OSPF packet based on the cryptographic sequence number comprising the incremented high-order 32 bits of the cryptographic sequence number.
[0006] Further, in an example implementation of the present subject matter, a network device for authenticating an OSPF packet is described. In accordance with one implementation, the network device comprises an active control plane module and a standby control plane module coupled to the active control plane module. Further, the network device also comprises a switch-over module. The switch-over module is configured to perform a switch-over from the active control plane module to the standby control plane module. Based on the switch-over, the standby control plane module is to increment the high-order 32 bits of a cryptographic sequence number in an authentication trailer of a current OSPF packet to be transmitted by the network device, such that the high-order 32 bits of the current OSPF packet have a value greater than that of the high-order 32 bits of a previous OSPF packet transmitted by the network device prior to the switch-over. In accordance with one implementation, the network device may also comprise a transmission module to transmit the current OSPF packet to a peer network device coupled to the network device. The peer network device authenticates the current OSPF packet based on the cryptographic sequence number comprising the incremented high-order 32 bits of the cryptographic sequence number.
[0007] In yet another embodiment, a non-transitory computer-readable medium having embodied thereon a computer program for executing a method for authenticating an OSPF packet is described. In an example implementation of the present subject matter, the method for authentication is implemented in a network device comprising an active control plane module and a standby control plane module. The method comprises switching over from the active control plane module to the standby control plane module. Further to the switch-over, the standby control plane module increments the high-order 32 bits of a cryptographic sequence number in an authentication trailer of a current OSPF packet to be transmitted by the network device. The high-order 32 bits are incremented such that the high-order 32 bits of the current OSPF packet have a value greater than that of the high-order 32 bits of a previous OSPF packet transmitted by the network device prior to the switch-over. The method further comprises transmitting the current OSPF packet to a peer network device of the network device, wherein the peer network device authenticates the current OSPF packet based on the cryptographic sequence number comprising the incremented high-order 32 bits of the cryptographic sequence number.
[0008] In an example implementation of the present subject matter, the authentication method embodied in the computer program on the non-transitory computer-readable medium further comprises updating, by the active control plane module, the high-order 32 bits of the previous OSPF packet in a memory component of the network device. The memory component is configured to store the high-order 32 bits of the cryptographic sequence number of OSPF packets transmitted by the network device. The memory component is also accessible by the standby control plane module. In one embodiment, the method further comprises reading, by the standby control plane module, the high-order 32 bits of the previous OSPF packet from the memory component, wherein the standby control plane module increments the high-order 32 bits of the current OSPF packet based on the value read.
BRIEF DESCRIPTION OF THE FIGURES
[0009] The detailed description is described with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The same numbers are used throughout the figures to refer to features and components. Some embodiments of systems and/or methods in accordance with embodiments of the present subject matter are now described, by way of example only, and with reference to the accompanying figures, in which:
[0010] Figure 1 illustrates a network device comprising an active control plane module and a standby control plane module, in accordance with an embodiment of the present subject matter;
[0011] Figure 2 illustrates an authentication trailer of an OSPF packet, in accordance with an embodiment of the present subject matter; and
[0012] Figure 3 illustrates a method for authenticating an OSPF packet in a network device comprising an active control plane module and a standby control plane module.
[0013] It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative systems embodying the principles of the present subject matter. Similarly, it will be appreciated that any flow charts, flow diagrams, state transition diagrams, pseudo code, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.
DETAILED DESCRIPTION
[0014] In network devices, such as routers, switches or other intermediary communication devices that communicate based on the Open shortest path first (OSPF) routing protocol, hot redundancy is frequently used due to high reliability requirements. Hot redundancy may be provided by implementing at least one standby control plane module in a network device, in addition to an active control plane module, and synchronizing the active control plane module and the standby control plane module such that, in the event of failure of the active control plane module, a seamless transition in operation may take place from the active control plane module to the standby control plane module.
[0015] While hot redundancy ensures fault-tolerance and enhances reliability of communication networks, the inclusion of redundant components may result in added complexity in operation of the network device. For example, in some cases, inclusion of the redundant standby control plane module increases the intra-chassis traffic in the network device. Intra-chassis traffic may be understood as the exchange of signals between two or more components within the network device, such as the active control plane module and the standby control plane module. One example of an instance of increase in intra-chassis traffic in the network device due to inclusion of the redundant standby control plane module is authentication of OSPF packets, as explained below.
[0016] Generally, for the purpose of authentication, a cryptographic sequence number is included in the authentication trailer of packets transmitted by network devices. To avoid replay attacks, the cryptographic sequence number is regularly incremented. Depending on the protocol implemented in the network device, the cryptographic sequence number may be incremented either periodically or for every outgoing data packet. As per the OSPF routing protocol, OSPF packets include a 64-bit cryptographic sequence number in the authentication trailer of the OSPF packets. The 64-bit cryptographic sequence number is divided into high-order 32 bits and low-order 32 bits. To explain, if the network device has transmitted a current OSPF packet with a cryptographic sequence number “X”, then it should use a sequence number greater than “X” in an OSPF packet transmitted subsequent to the current OSPF packet. The 64-bit cryptographic sequence number is incremented for every outgoing data packet by increasing the low-order 32 bits by one for every outgoing OSPF packet. The high-order 32 bits of the cryptographic sequence number are changed once the low-order 32 bits wrap.
[0017] In accordance with the OSPF protocol, a network device may establish one or more OSPF sessions with various peer network devices that may be coupled to the network device. For ease of explanation, in the present discussion, the network device is considered to be engaged in an ongoing OSPF session with a peer network device. The peer network device to which the network device transmits a current OSPF packet may fail to authenticate the current OSPF packet, and discard it, if the cryptographic sequence number in the current OSPF packet is less than the cryptographic sequence number in a previous OSPF packet that preceded the current OSPF packet. Even in the case of a switch-over from the active control plane module to the standby OSPF control plane module, the OSPF packet sent after the switch-over is required to have a cryptographic sequence number greater than that of the OSPF packet sent prior to the switch-over.
[0018] Upon occurrence of the switch-over, once the standby OSPF control plane module takes over, if the cryptographic sequence number is reinitialized to zero, the peer network device does not accept the current OSPF packet, since it would previously have received the previous OSPF packet with a higher cryptographic sequence number. To explain with reference to the above illustration, if the network device had used a cryptographic sequence number “X” prior to the switch-over, then it should use a cryptographic sequence number greater than “X” after the switch-over.
[0019] Thus, the standby control plane module needs to be aware, at all instants, of the last cryptographic sequence number used by the active control plane module. This enables a seamless switch-over from the active control plane module to the standby OSPF control plane module which is not perceivable by the peer network devices. To this end, the active control plane module updates the cryptographic sequence number associated with each OSPF session to the standby control plane module so that, in case of a switch-over, the standby control plane module can send out data packets with a higher cryptographic sequence number than what was previously sent by the active control plane module. The standby OSPF control plane module keeps track of the cryptographic sequence number associated with all the various OSPF sessions that the network device may have established with other peer network devices.
[0020] Thus, in network devices that support a standby control plane module in addition to the active control plane module, the intra-chassis traffic may increase significantly, since the active control plane module communicates the cryptographic sequence number to be included in the outgoing data packets to the standby control plane module on an ongoing basis. Further, as OSPF sessions are scaled up, the intra-chassis traffic results in significant overhead. Accordingly, as is evident, while inclusion of the redundant standby control plane module is desirable, it may often increase the intra-chassis traffic in the network devices, and in turn the load on the communication network.
[0021] The present subject matter relates to systems and methods for authenticating OSPF packets in a network device comprising an active control plane module and a standby control plane module. In accordance with one implementation of the present subject matter, the systems and methods for authenticating OSPF packets described herein overcome the above-mentioned shortcoming of high intra-chassis traffic in network devices that comprise a redundant standby control plane module. In one embodiment, the systems and methods of the present subject matter enable a reduction in the intra-chassis traffic involved in authentication of OSPF packets in network devices comprising a redundant standby control plane module in addition to an active control plane module.
[0022] In accordance with one implementation of the present subject matter, upon occurrence of a switch-over from the active control plane module to the standby control plane module, the standby control plane module increments the high-order 32 bits of the cryptographic sequence number in an authentication trailer of a current OSPF packet to be transmitted by the network device. In one embodiment, the value of the incremented high-order 32 bits of the current OSPF packet is made greater than that of the high-order 32 bits of the previous OSPF packet transmitted by the network device prior to the switch-over.
[0023] Since the standby control plane module increments the high-order 32 bits instead of the low-order 32 bits of the current OSPF packet, the current OSPF packet has a higher cryptographic sequence number than the cryptographic sequence number which the active control plane module had assigned to the previous packet transmitted by the network device prior to the switch-over. The current OSPF packet, when transmitted to the peer network device, is authenticated based on the cryptographic sequence number, which is greater than that of the previous OSPF packet.
[0024] Thus, the need for the standby control plane module to monitor the cryptographic sequence numbers associated with the various OSPF sessions that the network device may have established with other peer network devices is eliminated, thereby significantly reducing the intra-chassis traffic involved in authentication of OSPF packets.
[0025] The manner in which the systems and methods for authenticating OSPF packets in a network device comprising an active control plane module and a standby control plane module operate is explained in detail with respect to Figures 1 to 3. While aspects of the described systems and methods can be implemented in any number of different computing systems, transmission environments, and/or configurations, the embodiments are described in the context of the following exemplary system(s).
[0026] It should be noted that the description merely illustrates the principles of the present subject matter. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described herein, embody the principles of the present subject matter and are included within its spirit and scope. Furthermore, all examples recited herein are principally intended expressly to be only for pedagogical purposes to aid the reader in understanding the principles of the invention and the concepts contributed by the inventor(s) to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the invention, as well as specific examples thereof, are intended to encompass equivalents thereof.
[0027] Figure 1 illustrates a network device 100 comprising an active control plane module 102 and a standby control plane module 104, in accordance with an embodiment of the present subject matter. Examples of the network device 100 include, but are not limited to, devices such as network switches and network routers implemented in communication networks for the purpose of transferring data packets. In accordance with the illustrated embodiment of the present subject matter, the network device 100 may be an OSPF protocol network router.
[0028] The network device 100 includes two major subsystems, namely, a control plane 106 and a forwarding plane 108. The forwarding plane 108 performs the packet forwarding functions involving storing, forwarding or discarding of data packets. The forwarding plane 108 relies on a packet forwarding 'look-up' table that is created and maintained by the control plane 106. The control plane 106 creates the packet forwarding table using information from a network manager associated with the network device 100 or from other peer network devices coupled to the network device 100.
[0029] As illustrated, the control plane 106 includes more than one control plane module to carry out the functions of the control plane 106. Generally, at a given instant, the functions of the control plane 106 are carried out by any one of the control plane modules, i.e., the active control plane module 102. The standby control plane module 104 is implemented for the purpose of providing fault tolerance, as explained previously. Although the figure depicts only one standby control plane module 104, it will be appreciated that more than one such standby control plane module may be implemented in the network device 100.
[0030] In one embodiment, the active control plane module 102 and the standby control plane module 104 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. The functions of the active control plane module 102 and the standby control plane module 104 may be provided through the use of dedicated hardware as well as hardware capable of executing software in association with appropriate software.
[0031] The functions of the active control plane module 102 and the standby control plane module 104 may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared. Moreover, explicit use of the term “processor” should not be construed to refer exclusively to hardware capable of executing software, and may implicitly include, without limitation, digital signal processor (DSP) hardware, network processor, application specific integrated circuit (ASIC), field programmable gate array (FPGA), read only memory (ROM) for storing software, random access memory (RAM), and non-volatile storage. Other hardware, conventional and/or custom, may also be included.
[0032] The forwarding plane 108 may include a transmission module 110 and interface(s) 112 to enable the forwarding function. The interfaces 112 may include a variety of software and hardware interfaces that allow the network device 100 to interact with various entities of the communication network, for example, other network devices. The interfaces 112 may facilitate multiple communications within a wide variety of networks and protocol types, including but not restricted to the OSPF routing protocol.
[0033] The transmission module 110 may be coupled to the active control plane module 102 and the standby control plane module 104. The transmission module 110, amongst other things, includes routines, programs, objects, components, data structures, etc., which perform particular tasks or implement particular abstract data types. The transmission module 110 may also be implemented as signal processor(s), state machine(s), logic circuitries, and/or any other device(s) or component that manipulate signals based on operational instructions.
[0034] Further, the transmission module 110 can be implemented in hardware, in instructions executed by a processing unit, or by a combination thereof. The processing unit can comprise a computer, a processor, a state machine, a logic array or any other suitable device capable of processing instructions. The processing unit can be a general-purpose processor which executes instructions to cause the general-purpose processor to perform the required tasks or, alternatively, the processing unit can be dedicated to performing the required functions.
[0035] In another aspect of the present subject matter, the transmission module 110 may be machine-readable instructions (software) which, when executed by a processor/processing unit, perform any of the described functionalities. The machine-readable instructions may be stored on an electronic memory device, hard disk, optical disk or other machine-readable storage medium or non-transitory medium. In one implementation, the machine-readable instructions can also be downloaded to the storage medium via a network connection.
[0036] In an embodiment of the present subject matter, the network device 100 may also include a memory component 114. The memory component 114 may be coupled to the active control plane module 102 and the standby control plane module 104 such that it is accessible by both the active control plane module 102 and the standby control plane module 104. The memory component 114 can include any computer-readable medium known in the art including, for example, non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, and optical disks. In accordance with one embodiment, the memory component 114 may be configured to store the high-order 32 bits of the cryptographic sequence number of OSPF packets transmitted by the network device 100, as explained later in the specification.
[0037] In an example implementation, the network device 100 comprises a switch-over module 116 to perform a switch-over from the active control plane module 102 to the standby control plane module 104, for example, in the event of a fault in the active control plane module 102. Upon the switch-over, the standby control plane module 104 assumes the responsibility of the active control plane module 102 and begins to carry out the functions of the control plane 106.
[0038] Details of the process of switching over from an active control plane module 102 to a redundant control plane module are generally known in the art. Such details, not being core to the present discussion, have been omitted for the sake of brevity. It will also be understood by one skilled in the art that the network device 100 may include several other components that enable the operation of the control plane 106 and forwarding plane 108. However, since such components are also not core to the present subject matter, they have not been elaborated herein for the sake of brevity of description.
[0039] In accordance with one embodiment of the present subject matter, the switch-over is such that it is not perceivable to other peer network devices of the network device 100, and the authentication of OSPF packets transmitted by the network device 100 to peer network devices is unaffected by the switch-over. Further, the authentication of the OSPF packets also involves minimum intra-chassis traffic, or, in other words, minimum communication between the active control plane module 102 and the standby control plane module 104.
[0040] In accordance with one implementation of the present subject matter, the systems and methods for authenticating OSPF packets in the network device 100 comprising the active control plane module 102 and the standby control plane module 104, so as to enable a reduction in intra-chassis traffic, are described further with reference to Figure 2. Figure 2 illustrates an authentication trailer 200 of an OSPF packet, in accordance with an embodiment of the present subject matter. The figure illustrates the authentication trailer of an OSPFv3 packet. The same format for the authentication trailer may also be applicable to an OSPFv2 packet. For simplicity, OSPFv2 and OSPFv3 packets are commonly referred to as OSPF packets in the present description.
[0041] The authentication trailer 200 of an OSPF packet comprises information that enables a peer network device receiving the OSPF packet to authenticate the network device, for example, the network device 100 that sent the OSPF packet. The authentication trailer 200, comprising the various fields as depicted and described herein, is appended to an OSPF packet. In an example, the authentication trailer 200 comprises authentication data 202 of variable length, which is the message digest or information used by the peer network device for authenticating the network device 100, along with some additional information in a header 204 of the authentication trailer 200 to aid the authentication process.
[0042] The header 204 of the authentication trailer 200 comprises Auth Type 206, which is a 16-bit field identifying the type of authentication. The header 204 of the authentication trailer 200 also comprises Auth Data Len 208, indicative of the length of the authentication trailer 200 in octets. The Security Association Identifier (SA ID) 210 included in the header 204 is a 32-bit field that maps to an authentication algorithm and a secret key used to create the authentication data 202 appended to the OSPF packet. The header 204 of the authentication trailer 200 further includes a cryptographic sequence number 212. The cryptographic sequence number 212 has 64 bits, divided into high-order 32 bits 214 and low-order 32 bits 216.
[0043] The cryptographic sequence number 212 is incremented for every outgoing OSPF packet as a guard against replay attacks. Upon reception of an OSPF packet, for the peer network device to authenticate and accept the OSPF packet, the cryptographic sequence number 212 of the OSPF packet needs to be greater than the cryptographic sequence number 212 in the last OSPF packet that the peer network device accepted from the network device 100. The cryptographic sequence number 212 is incremented for every outgoing OSPF packet by increasing the low-order 32 bits 216 of the cryptographic sequence number. If the value of the low-order 32 bits 216 wraps, the high-order 32 bits 214 may be incremented. In case the network device 100 is deployed long enough that all 64 bits of the cryptographic sequence number 212 wrap, the 64 bits of the cryptographic sequence number 212 may be reset.
[0044] In accordance with one embodiment of the present subject matter, the cryptographic sequence number 212 associated with every outgoing packet may be stored in a non-volatile storage, such as the memory component 114. The 64 bits of the cryptographic sequence number 212 may be updated in the memory component 114 every time the network device 100 transmits an OSPF packet. In an example implementation, the high-order 32 bits 214 of the cryptographic sequence number 212 alone may be saved in the memory component 114. This eliminates the need for additional memory space to store the low-order 32 bits 216 of the cryptographic sequence number 212.
[0045] Prior to the switch-over, when the active control plane module 102 performs the tasks of the control plane 106, the active control plane module 102 updates the high-order 32 bits 214 of the cryptographic sequence number 212 of the outgoing OSPF packets in the memory component 114. In an example, the active control plane module 102 may store the high-order 32 bits 214 of the cryptographic sequence number 212, associated with a current series of OSPF packets, in the memory component 114 and update the same upon occurrence of a change in any of the bits in the high-order 32 bits 214. Thus, the need to update the cryptographic sequence number 212 in the memory component 114 is reduced from updating the cryptographic sequence number 212 for every outgoing packet to updating the same only for packets that involve a change in the high-order 32 bits 214 of the cryptographic sequence number 212.
[0046] At an instant when the switch-over module 116 performs a switch-over from the active control plane module 102 to the standby control plane module 104, the standby control plane module 104 reads the cryptographic sequence number 212 that was last updated by the active control plane module 102. As is evident, the cryptographic sequence number 212 that was last updated by the active control plane module 102 is the cryptographic sequence number 212 in a previous OSPF packet transmitted by the network device 100 prior to the switch-over. As explained above, the memory component 114 may store the high-order 32 bits 214 of the cryptographic sequence number 212 alone, which may be read by the standby control plane module 104.
[0047] Based on the high-order 32 bits 214 of the cryptographic sequence
number 212 read by the standby control plane module 104, the standby control plane
module 104 increments the cryptographic sequence number 212 in a current OSPF
packet that the network device 100 transmits after the switch-over. In accordance
with one embodiment of the present subject matter, the standby control plane module
104 increments the cryptographic sequence number 212 of the current OSPF packet such
that the high-order 32 bits 214 of the current OSPF packet have a value greater than that of
the high-order 32 bits 214 of the previous OSPF packet transmitted by the network
device 100 prior to the switch-over.
[0048] Further, in an example implementation, the standby control plane module
104 may also reinitialize the low-order 32 bits 216 of the cryptographic sequence
number 212 in the authentication trailer 200 of the current OSPF packet to zero. As
will be understood, since the standby control plane module 104 increments the high-order
32 bits 214 of the cryptographic sequence number 212 of the current OSPF
packet, the same is greater than that of the previous OSPF packet sent prior to the
switch-over notwithstanding the low-order 32 bits 216 of the cryptographic sequence
number 212 of the current OSPF packet being reinitialized to zero.
[0049] Based on the cryptographic sequence number 212 of the current OSPF
packet comprising the incremented high-order 32 bits, which is greater than the
cryptographic sequence number 212 of the previous OSPF packet, the peer network
device coupled to the network device 100, to which the network device 100 transmits the
OSPF packets in the ongoing OSPF session, authenticates the current OSPF packet.
[0050] The above described method and system of the present subject matter
eliminate the need for the active control plane module 102 to update the
cryptographic sequence number 212 for each OSPF session to the standby control
plane module 104. The standby control plane module 104 no longer needs to keep track of
the cryptographic sequence number 212 associated with all the various OSPF
sessions that the network device 100 may have established with other peer network
devices, which results in a significant reduction in intra-chassis traffic.
[0051] Figure 3 illustrates a method 300 for authenticating an OSPF packet in
a network device comprising an active control plane module and a standby control
plane module, in accordance with another embodiment of the present subject matter.
[0052] The order in which the method 300 is described is not intended to be
construed as a limitation, and any number of the described method blocks can be
combined in any order to implement the methods or any alternative method.
Additionally, individual blocks may be deleted from the methods without departing
from the spirit and scope of the subject matter described herein. Furthermore, the
method can be implemented in any suitable hardware, software, firmware, or
combination thereof.
[0053] The method(s) may be described in the general context of computer
executable instructions. Generally, computer executable instructions can include
routines, programs, objects, components, data structures, procedures, modules,
functions, etc., that perform particular functions or implement particular abstract data
types. The methods may also be practiced in a distributed computing environment
where functions are performed by remote processing devices that are linked through a
communications network. In a distributed computing environment, computer
executable instructions may be located in both local and remote computer storage
media, including memory storage devices.
[0054] A person skilled in the art will readily recognize that steps of the
method can be performed by programmed computers. Herein, some embodiments are
also intended to cover program storage devices or computer readable medium, for
example, digital data storage media, which are machine or computer readable and
encode machine-executable or computer-executable programs of instructions, where
said instructions perform some or all of the steps of the described method. The
program storage devices may be, for example, digital memories, magnetic storage
media, such as magnetic disks and magnetic tapes, hard drives, or optically readable
digital data storage media. The embodiments are also intended to cover both
communication network and communication devices to perform said steps of the
method(s).
[0055] Further, although the method 300 may be implemented in a variety of
network devices, for the sake of ease of understanding, in the following description
the method 300 has been explained in context of the network device 100 that has
been described earlier in the present description.
[0056] Referring to figure 3, at block 302, a switch-over from the active control
plane module to the standby control plane module is performed. Upon occurrence of the
switch-over, at block 304, the standby control plane module increments the high-order 32
bits of a cryptographic sequence number in the authentication trailer of a current OSPF
packet to be transmitted by the network device. As discussed previously,
the incrementing is such that the value of the incremented high-order 32 bits of the
current OSPF packet is made greater than that of the high-order 32 bits of the
previous OSPF packet transmitted by the network device prior to the switch-over.
[0057] Further, in accordance with one implementation of the present subject
matter, at step 306, the standby control plane module reinitializes the low-order 32
bits of the cryptographic sequence number of the current OSPF packet to zero. As
will be understood, although the low-order 32 bits of the cryptographic sequence
number of the current OSPF packet are reinitialized to zero, the standby control plane
module increments the high-order 32 bits of the cryptographic sequence number of
the current OSPF packet. Accordingly, the current OSPF packet has a higher
cryptographic sequence number compared to the cryptographic sequence number
assigned by the active control plane module to the previous packet transmitted by the
network device prior to the switch-over.
[0058] Thus, at step 308, the current OSPF packet is transmitted to a peer
network device, where the peer network device authenticates the current OSPF
packet having a cryptographic sequence number greater than that of the previous OSPF
packet.
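The sequence-number handling of paragraphs [0044] to [0049], and of blocks 302 to 308 of the method 300, can be exercised with the following added example. It is not part of the present specification and is not code of any Alcatel Lucent product. It models the memory component 114 as a store that persists only the high-order 32 bits, an active and a standby control plane that share that store, and a peer that verifies a simplified authentication trailer (an 8-byte sequence number followed by an HMAC-SHA-256 over the packet body, not the exact on-the-wire layout of the RFC 7166 trailer) and accepts a packet only if its sequence number strictly exceeds the last one it authenticated. The class and function names, the shared key and the packet bodies are constructed for the example. Beyond the switch-over itself, it also shows the low-order wrap described above carrying into the high-order bits, a replayed packet being rejected, and a standby that restarted the counter at zero being rejected.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
SEQ_LEN = 8    # 64-bit cryptographic sequence number
MAC_LEN = 32   # HMAC-SHA-256 output length


class SeqStore:
    """Stand-in for memory component 114: persists only the high-order 32 bits
    of the cryptographic sequence number and counts how often it is written."""

    def __init__(self):
        self.high = 0
        self.writes = 0

    def save_high(self, high):
        if high != self.high:  # write only when the high-order bits change
            self.high = high
            self.writes += 1

    def load_high(self):
        return self.high


def build_packet(key, seq, body):
    """Simplified authentication trailer (constructed layout, not RFC 7166):
    body || 8-byte sequence number || HMAC-SHA-256(key, body || seq)."""
    seq_bytes = struct.pack("!Q", seq)
    mac = hmac.new(key, body + seq_bytes, hashlib.sha256).digest()
    return body + seq_bytes + mac


class ControlPlane:
    """Active or standby control plane: owns the 64-bit sequence number."""

    def __init__(self, store, key):
        self.store = store
        self.key = key
        self.high = 0
        self.low = 0

    def take_over(self):
        """Standby path on switch-over (blocks 302, 304, 306): read the last
        persisted high-order bits, increment them, reset the low-order bits."""
        self.high = (self.store.load_high() + 1) & MASK32
        self.low = 0

    def send(self, body):
        """Build one packet with the current sequence number, persist the
        high-order bits of that packet, then advance the counter, carrying a
        low-order wrap into the high-order bits (a full 64-bit wrap back to
        zero is the reset case and would need a re-key; not modelled here)."""
        seq = (self.high << 32) | self.low
        packet = build_packet(self.key, seq, body)
        self.store.save_high(self.high)
        self.low = (self.low + 1) & MASK32
        if self.low == 0:
            self.high = (self.high + 1) & MASK32
        return packet


class Peer:
    """Receiving neighbour: verifies the MAC and requires a strictly
    increasing sequence number from this sender."""

    def __init__(self, key):
        self.key = key
        self.last_seq = None

    def authenticate(self, packet):
        if len(packet) < SEQ_LEN + MAC_LEN:
            return False
        body = packet[:-SEQ_LEN - MAC_LEN]
        seq_bytes = packet[-SEQ_LEN - MAC_LEN:-MAC_LEN]
        mac = packet[-MAC_LEN:]
        expected = hmac.new(self.key, body + seq_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False
        (seq,) = struct.unpack("!Q", seq_bytes)
        if self.last_seq is not None and seq <= self.last_seq:
            return False  # replay or stale packet: sequence did not increase
        self.last_seq = seq
        return True


def run_scenario(packets_before=3):
    """Returns the peer's verdicts and the store's write count for: packets
    from the active, a replay of the last one, a naive standby that restarts
    the counter at zero, and a standby following the described scheme."""
    key = b"constructed-shared-key"  # constructed; a real key comes from the OSPF SA
    store = SeqStore()
    active = ControlPlane(store, key)
    standby = ControlPlane(store, key)
    naive = ControlPlane(SeqStore(), key)  # separate store so it cannot clobber 114
    peer = Peer(key)
    verdicts = {}
    active.low = MASK32 - 1  # constructed: start just below a low-order wrap
    sent = [active.send(b"hello %d" % i) for i in range(packets_before)]
    verdicts["active"] = [peer.authenticate(p) for p in sent]
    verdicts["replay"] = peer.authenticate(sent[-1])
    verdicts["naive_standby"] = peer.authenticate(naive.send(b"after switch-over"))
    standby.take_over()
    verdicts["standby"] = peer.authenticate(standby.send(b"after switch-over"))
    verdicts["standby_seq"] = peer.last_seq
    return verdicts, store.writes


if __name__ == "__main__":
    print(run_scenario())
```

With three packets sent before the switch-over, the low-order bits wrap on the second packet, so the third carries high-order value 1 and the store is written once; the standby then reads 1, transmits with high-order value 2 and low-order value 0, and the store is written a second time. The replayed packet and the naive standby's packet both fail the strictly-increasing check even though their MACs verify, which is exactly the failure the incremented high-order bits avoid.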
[0059] It will also be appreciated by those skilled in the art that in the present
description the words during, while, and when as used herein are not exact terms that
mean an action takes place instantly upon an initiating action but that there may be
some small but reasonable delay, such as a propagation delay, between the initial
action and the reaction that is initiated by the initial action. Additionally, the words
“connected” and “coupled” are used throughout for clarity of the description and can
include either a direct connection or an indirect connection.
[0060] Although embodiments of the method for authenticating OSPF packets in
a network device comprising an active control plane module and a standby control
plane module have been described in a language specific to structural features or
method(s), it is to be understood that the invention is not necessarily limited to the
specific features or method(s) described. Rather, the specific features and methods
are disclosed as embodiments for authenticating OSPF packets in network devices
that support redundant control plane modules.

CLAIMS:

1. A method for authenticating an open shortest path first (OSPF) packet in a network device comprising an active control plane module and a standby control plane module, the method comprising:
performing a switch-over from the active control plane module to the standby control plane module;
incrementing, based on the performing, by the standby control plane module, a high-order 32 bits of a cryptographic sequence number in an authentication trailer of a current OSPF packet to be transmitted by the network device, such that the high-order 32 bits of the current OSPF packet has a value greater than that of the high-order 32 bits of a previous OSPF packet transmitted by the network device prior to the switch-over; and
transmitting the current OSPF packet to a peer network device coupled to the network device, wherein the peer network device is to authenticate the current OSPF packet based on the cryptographic sequence number comprising the incremented high-order 32 bits of the cryptographic sequence number.

2. The method as claimed in claim 1 further comprising reinitializing, by the standby control plane module, low-order 32 bits of the cryptographic sequence number in the authentication trailer of the current OSPF packet to zero.

3. The method as claimed in claim 1 further comprising:
updating, by the active control plane module, the high-order 32 bits of the previous OSPF packet in a memory component of the network device, wherein the memory component is to store the high-order 32 bits of the cryptographic sequence number of OSPF packets transmitted by the network device and wherein the memory component is also accessible by the standby control plane module.

4. The method as claimed in claim 3 wherein the updating comprises changing a 32 bit value stored in the memory component based on a change in the high-order 32 bits of the previous OSPF packet.

5. The method as claimed in claim 3 further comprising reading, by the standby control plane module, the high-order 32 bits of the previous OSPF packet from the memory component, wherein the incrementing is based on the reading.

6. The method as claimed in claim 5, wherein the standby control plane module reads the high-order 32 bits of the previous OSPF packet from the memory component upon occurrence of the switch-over.

7. A network device for authenticating an open shortest path first (OSPF) packet, the network device comprising:
an active control plane module;
a standby control plane module coupled to the active control plane module;
a switch-over module to perform a switch-over from the active control plane module to the standby control plane module; and
wherein, the standby control plane module is to increment a high-order 32 bits of a cryptographic sequence number in an authentication trailer of a current OSPF packet to be transmitted by the network device, such that the high-order 32 bits of the current OSPF packet has a value greater than that of the high-order 32 bits of a previous OSPF packet transmitted by the network device prior to the switch-over, and
a transmission module to transmit the current OSPF packet to a peer network device coupled to the network device, wherein the peer network device is to authenticate the current OSPF packet based on the cryptographic sequence number comprising the incremented high-order 32 bits of the cryptographic sequence number.

8. The network device as claimed in claim 7, wherein the standby control plane module is to further reinitialize low-order 32 bits of the cryptographic sequence number in the authentication trailer of the current OSPF packet to zero.

9. The network device as claimed in claim 7, further comprising a memory component accessible by the active control plane module and the standby control plane module,
wherein the memory component is to store the high-order 32 bits of the cryptographic sequence number of OSPF packets transmitted by the network device, and
wherein the active control plane module updates the high-order 32 bits of the previous OSPF packet in the memory component.

10. The network device as claimed in claim 9, wherein the updating comprises changing a 32 bit string stored in the memory component based on a change in the high-order 32 bits of the previous OSPF packet.

11. The network device as claimed in claim 9, wherein the standby control plane module is to read the high-order 32 bits of the previous OSPF packet from the memory component, and wherein the standby control plane module is to increment the high-order 32 bits based on the reading.

12. A computer-readable medium having embodied thereon a computer program for executing a method for authenticating an open shortest path first (OSPF) packet in a network device comprising an active control plane module and a standby control plane module, the method comprising:
performing a switch-over from the active control plane module to the standby control plane module; and
incrementing, based on the performing, by the standby control plane module, a high-order 32 bits of a cryptographic sequence number in an authentication trailer of a current OSPF packet to be transmitted by the network device, such that the high-order 32 bits of the current OSPF packet has a value greater than that of the high-order 32 bits of a previous OSPF packet transmitted by the network device prior to the switch-over; and
transmitting the current OSPF packet to a peer network device coupled to the network device, wherein the peer network device is to authenticate the current OSPF packet based on the cryptographic sequence number comprising the incremented high-order 32 bits of the cryptographic sequence number.

13. The computer-readable medium as claimed in claim 12, wherein the method further comprises reinitializing low-order 32 bits of the cryptographic sequence number in the authentication trailer of the current OSPF packet to zero.

14. The computer-readable medium as claimed in claim 12, wherein the method further comprises updating, by the active control plane module, the high-order 32 bits of the previous OSPF packet in a memory component of the network device, wherein the memory component is to store the high-order 32 bits of the cryptographic sequence number of packets transmitted by the network device and wherein the memory component is also accessible by the standby control plane module.

15. The computer-readable medium as claimed in claim 14, wherein the method further comprises reading, by the standby control plane module, the high-order 32 bits of the previous OSPF packet from the memory component, wherein the incrementing is based on the reading.

Documents

Application Documents

# Name Date
1 SPEC IN.pdf 2014-09-24
2 Drawings-PD013525IN-SC_ALU-815995.pdf 2014-09-24
3 FORM 3.pdf 2014-09-24
4 FORM 5.pdf 2014-09-24
5 2722-DEL-2014-FER.pdf 2019-11-25

Search Strategy

1 2019-11-1110-24-34-converted(2)_11-11-2019.pdf