Abstract: An MPLS network carries service data that is encrypted using end-to-end IPsec tunnels. Since the MPLS network carries already-encrypted packets, encrypting them again at the MPLS layer at every hop is not desired; instead, authenticating every packet and ensuring its integrity makes more sense. To achieve this, the present invention enables carrying a message authentication code (MAC) of the MPLS header, or of the MPLS header along with the MPLS payload, in the NSH of the desired MPLS packet. According to the present invention, the MAC is computed at every hop in the MPLS network. By carrying the computed MAC of the MPLS label stack, or of the MPLS packet in its entirety, in the NSH header, with an MPLS service label at the top of the label stack to indicate the existence of the MAC in the NSH, the present invention authenticates and ensures the integrity of MPLS data packets in the MPLS network instead of encrypting them. (TO BE PUBLISHED WITH FIGURE 3 & 4)
Claims:
1. An apparatus for transmitting at least one multiprotocol label switching (MPLS) data packet in the MPLS network, the apparatus comprising:
a processor; and
a memory coupled to the processor for executing a plurality of modules present in the memory, the plurality of modules comprising:
a detection module configured to detect presence of the MPLS data packet, wherein the MPLS data packet specifies an authentication required during transmission in the MPLS network;
a computation module configured to compute, using at least one message authentication code (MAC) technique, the MAC of at least MPLS label stack of the MPLS data packet or a combination of a MPLS label stack and a payload of the MPLS data packet;
an encoding module configured to encode the MAC computed in the MPLS data packet, wherein the MAC computed is carried in at least a metadata field of network service header (NSH);
a routing module configured to route the MPLS data packet encoded in the MPLS network.
2. The apparatus as claimed in claim 1, wherein the encoding module is further configured to encode at least one MPLS service label at the top of the MPLS data packet or a MPLS label stack including the payload of the MPLS data packet, indicative of an existence of the computed MAC in the NSH.
3. The apparatus as claimed in claim 1, wherein the MAC technique is selected based on at least a common agreement between one or more apparatuses in the MPLS network to ensure the usage of common algorithms and keys to be used by the apparatuses for computing the MAC.
4. The apparatus as claimed in claim 1, wherein the apparatus is used in vanilla MPLS architecture and/or segment routing (SR) architecture, and configured to use the MPLS based forwarding plane.
5. The apparatus as claimed in claim 4, wherein if the apparatus is used in the vanilla MPLS architecture using MPLS based forwarding plane, the apparatus further comprises:
an identification module configured to identify presence of the MAC based on at least a local policy or presence of the MPLS service label, wherein the MPLS service label is an extended MPLS Label;
the computation module configured to compute, if the MAC is not identified, at least one MAC of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet, using the MAC technique;
the encoding module configured to encode the MAC computed in the MPLS data packet, wherein the MAC computed is carried in the metadata field of the NSH; and
the routing module configured to route the MPLS data packet encoded in the multiprotocol label switching (MPLS) network.
6. The apparatus as claimed in claim 4, wherein if the apparatus is used in segment routing architecture using MPLS based forwarding plane, the apparatus further comprises:
an identification module configured to identify presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an SR MAC service label, wherein the SR MAC service label is inserted as a top label or after a peer node label of the MPLS label stack;
the computation module configured to compute, if the MAC is not identified, at least one message authentication code (MAC) of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet, using the MAC technique;
the encoding module configured to encode the MAC computed in the MPLS data packet, wherein the MAC computed is carried in the field, preferably the metadata field of network service header (NSH); and
the routing module configured to route the MPLS data packet in the multiprotocol label switching (MPLS) network.
7. An apparatus for receiving at least one multiprotocol label switching (MPLS) data packet in the MPLS network, the apparatus comprising:
a processor; and
a memory coupled to the processor for executing a plurality of modules present in the memory, the plurality of modules comprising:
a receiving module configured to receive the MPLS data packet;
a detection module configured to detect presence of at least a message authentication code (MAC) encoded in the MPLS data packet received, wherein the MAC is of at least a MPLS label stack of the MPLS data packet or a combination of a MPLS label stack and a payload of the MPLS data packet;
a computation module configured to compute, using at least one MAC technique, the MAC detected for the MPLS data packet;
a validation module configured to validate at least an integrity of the MPLS data packet based on the MAC computed and the MAC received in the MPLS data packet;
an encoding module configured to encode, if the integrity is valid, the MAC validated in the MPLS data packet, wherein the MAC computed is carried in at least a metadata field of the network service header (NSH);
a routing module configured to route the MPLS data packet encoded in the MPLS network.
8. The apparatus as claimed in claim 7, wherein the encoding module is further configured to encode at least one MPLS service label at the top of the MPLS data packet or a combination of a MPLS label stack and a payload of the MPLS data packet, indicative of an existence of the MAC computed in the NSH.
9. The apparatus as claimed in claim 7, wherein the apparatus is used in vanilla MPLS architecture and/or segment routing (SR) architecture, and configured to use the MPLS based forwarding plane.
10. The apparatus as claimed in claim 9, wherein if the apparatus is used in the vanilla MPLS architecture using the MPLS based forwarding plane, before computing, the detection module is further configured to detect presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an extended MPLS Label.
11. The apparatus as claimed in claim 9, wherein if the apparatus is used in the segment routing architecture using the MPLS based forwarding plane, before computing, the detection module is further configured to detect presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an SR MAC service label, wherein the SR MAC service label is inserted as a top label or after a peer node label.
12. The apparatus as claimed in claim 7, wherein the MAC technique is selected based on at least a common agreement between one or more apparatuses in the MPLS network to ensure the usage of common algorithms and keys by the apparatuses for computing the MAC.
13. A method for routing at least one multiprotocol label switching (MPLS) data packet in a multiprotocol label switching (MPLS) network, the method comprising:
detecting a presence of at least one MPLS data packet, wherein the MPLS data packet specifies an authentication required during transmission in the MPLS network;
computing, using at least one message authentication code (MAC) technique, at least one MAC of at least MPLS label stack of the MPLS data packet or a combination of a MPLS label stack and a payload of the MPLS data packet;
encoding the MAC computed in the MPLS data packet, wherein the MAC computed is carried in a metadata field of network service header (NSH);
routing the MPLS data packet encoded in the MPLS network.
14. The method as claimed in claim 13 further comprises encoding at least one MPLS service label at the top of the MPLS data packet or a MPLS label stack including the payload of the MPLS data packet, indicative of an existence of the MAC computed in the NSH.
15. The method as claimed in claim 13, wherein the MAC technique is selected based on at least a common agreement between one or more apparatuses in the MPLS network to ensure the usage of common algorithms and keys to be used by the apparatuses for computing the MAC.
16. The method as claimed in claim 13, wherein the method is used in vanilla MPLS architecture and/or segment routing (SR) architecture, and is configured to use the MPLS based forwarding plane.
17. The method as claimed in claim 16, wherein if the method is used in vanilla MPLS architecture using MPLS based forwarding plane, the method before computing further comprises:
identifying presence of the MAC based on at least a local policy or the presence of the MPLS service label, wherein the MPLS service label is an extended MPLS Label;
computing, if the MAC is not identified, at least one MAC of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet, using the MAC technique;
encoding the MAC computed in the MPLS data packet, wherein the MAC computed is carried in the metadata field of the NSH;
routing the MPLS data packet encoded in the multiprotocol label switching (MPLS) network.
18. The method as claimed in claim 16, wherein if the method is used in segment routing architecture using MPLS based forwarding plane, the method before computing further comprises:
identifying presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an SR MAC service label, wherein the SR MAC service label is inserted as a top label or after a peer node label of the MPLS label stack;
computing, if the MAC is not identified, at least one message authentication code (MAC) of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet, using the MAC technique;
encoding the MAC computed in the MPLS data packet, wherein the MAC computed is carried in the field, preferably the metadata field of network service header (NSH);
routing the MPLS data packet in the multiprotocol label switching (MPLS) network.
19. A method for receiving at least one multiprotocol label switching (MPLS) data packet in a multiprotocol label switching (MPLS) network, the method comprising:
receiving the MPLS data packet;
detecting presence of at least one message authentication code (MAC) encoded in the MPLS data packet received, wherein the MAC is of at least a MPLS label stack of the MPLS data packet or a combination of a MPLS label stack and a payload of the MPLS data packet;
computing, using at least one MAC technique, the MAC detected for the MPLS data packet;
validating at least an integrity of the MPLS data packet based on the MAC computed and the MAC received in the MPLS data packet;
encoding, if the integrity is valid, the MAC validated in the MPLS data packet, wherein the MAC computed is carried in at least a metadata field of the network service header (NSH);
routing the MPLS data packet encoded in the MPLS network.
20. The method as claimed in claim 19 further comprises encoding at least one MPLS service label at the top of the MPLS data packet or a combination of a MPLS label stack and a payload of the MPLS data packet, indicative of an existence of the MAC computed in the NSH.
21. The method as claimed in claim 19 is performed in vanilla MPLS architecture and/or segment routing (SR) architecture, using MPLS based forwarding plane.
22. The method as claimed in claim 21, wherein if the method is performed in the vanilla MPLS architecture using MPLS based forwarding plane, the method before computing further comprises:
detecting presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an extended MPLS Label.
23. The method as claimed in claim 21, wherein if the method is performed in the segment routing architecture using MPLS based forwarding plane, the method before computing further comprises:
detecting presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an SR MAC service label, wherein the SR MAC service label is inserted as a top label or after a peer node label.
24. The method as claimed in claim 19, wherein the MAC technique is selected based on at least a common agreement between one or more apparatuses in the MPLS network to ensure the usage of common algorithms and keys by the apparatuses for computing the MAC.
25. A multiprotocol Label Switching (MPLS) network ensuring authenticity and integrity of the MPLS data packets being routed, the system comprising:
a sender apparatus for transmitting at least one multiprotocol label switching (MPLS) data packet in a multiprotocol label switching (MPLS) network, the sender apparatus comprises:
a detection module configured to detect presence of at least the MPLS data packet, wherein the MPLS data packet specifies an authentication required during transmission in the MPLS network;
a computation module configured to compute, using at least one message authentication code (MAC) technique, the MAC of at least MPLS label stack of the MPLS data packet or a combination of a MPLS label stack and a payload of the MPLS data packet;
an encoding module configured to encode the MAC computed in the MPLS data packet, wherein the MAC computed is carried in at least a metadata field of network service header (NSH); and
a routing module configured to route the MPLS data packet encoded in the MPLS network; and
a receiver apparatus for receiving the MPLS data packet encoded by the sender apparatus, the receiver apparatus comprises:
a detection module configured to detect presence of the MAC encoded in the MPLS data packet received;
a computation module configured to compute, using the MAC technique, the MAC detected for the MPLS data packet;
a validation module configured to validate at least an integrity of the MPLS data packet based on the MAC computed and the MAC received in the MPLS data packet;
an encoding module configured to encode, if the integrity is valid, the MAC validated in the MPLS data packet, wherein the MAC computed is carried in at least a metadata field of network service header (NSH).
Description:
TECHNICAL FIELD
The present subject matter described herein, in general, relates to networking technologies and/or information network security, and more particularly, to systems, networks, methods, and apparatuses for ensuring authenticity and integrity of multiprotocol label switching (MPLS) data packets or MPLS label stack integrity in the multiprotocol label switching (MPLS) network.
BACKGROUND
Multiprotocol Label Switching (MPLS) is a mechanism in high-performance telecommunications networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table. The labels identify virtual links (paths) between distant nodes rather than endpoints. The MPLS can encapsulate packets of various network protocols. MPLS supports a range of access technologies, including T1/E1, ATM, Frame Relay, and DSL. As Multiprotocol Label Switching (MPLS) is becoming a more widespread technology for providing virtual private network (VPN) services, MPLS architecture security as well as MPLS data security is of increasing concern to service providers (SPs) and VPN customers.
Data security such as confidentiality, integrity, availability etc., in MPLS has previously relied on just two features i.e., physical isolation of MPLS networks and higher-layer protocol security. The physical isolation of MPLS networks has been used to ensure that interception of MPLS traffic was not possible, and the higher-layer protocol security (such as IPsec as disclosed in RFC4302, RFC4303), has been used whenever a particular flow has determined that security was desirable for at least one of the following reasons:
i. As attackers grow more sophisticated, networks are increasingly easily compromised physically, such that "taps" may be inserted in links between routers [RFC7258].
ii. Routers may be compromised either in their entirety or through the management/control plane (or misconfiguration). This may result in packets being diverted to transit inspection points on their way to their destination.
iii. The increased support for point-to-multipoint (P2MP) MPLS means that routers can easily be configured (or misconfigured) to make a copy of data and to send it to an additional destination.
iv. End-to-end payload security may be hard to manage and operate and is not turned on by default by many users. While this form of security is desirable, the network should also improve the security of data transfer that it offers.
Generally, data security can be achieved using various techniques of cryptography, but message authentication is arguably even more important. In high-volume communication networks, whether a particular message stays private may matter little, but the network certainly does want to be sure of the originator of each message that is circulated. Message authentication provides the guarantee of authenticity. Message authentication allows one party (the sender) to send a message to another party (the receiver) in such a way that if the message is modified in transit, the receiver will almost certainly detect the modification. Message authentication is also called data-origin authentication. Message authentication is said to protect the integrity of a message, ensuring that each message that is received and deemed acceptable arrives in the same condition in which it was sent out, with no bits inserted, missing, or modified.
As an advancement, the Internet Engineering Task Force (IETF) Source Packet Routing in Networking (SPRING) working group came up with a new source-based MPLS routing architecture called “Segment Routing” (SR), in which the path the MPLS data packet needs to travel is encoded in the MPLS data packet itself as a label stack. It may be understood by a person skilled in the art that Segment Routing (SR) technology is also based on the MPLS network; hence it will not be explicitly referred to hereafter in this document, and the cases applicable to the MPLS network are also applicable to the Segment Routing (SR) network. However, with SR the security threats are even higher. For instance, if an unauthorized user alters the node/adjacency/service label in the current label stack of the SR MPLS packet, the unauthorized user can reroute the SR MPLS data packet as desired. Further, since the SR MPLS label stack is in plain form, it puts the SR MPLS packet at risk of Man-in-the-Middle (MitM) attacks. Often the attacker will use the information gathered during such an attack to gain further access into the network. There is also the possibility that the attacker alters the SR MPLS label stack along the communication path to exploit it as desired.
As is conventionally known, one of the best methods for preserving data integrity is generating checksums. In short, a checksum is a computed hash value representing the sum of the correct digits in a piece of data. The hash value may be generated through a number of conventionally available algorithms for the purpose of verifying both the transmitted MPLS packet and the received MPLS packet. A few common algorithms used are MD5, SHA-128, and SHA-256.
Another concept for preserving data integrity, called Opportunistic Security (OS), was introduced in Opportunistic Security in MPLS Networks, draft-ietf-mpls-opportunistic-encrypt [RFC7435]. The document describes a way to apply opportunistic security between adjacent nodes on an MPLS Label Switched Path (LSP) or between end points of an LSP. It explains how keys may be agreed to enable encryption, and how key identifiers are exchanged in encrypted MPLS packets. Finally, this document describes the applicability of this approach to opportunistic security in MPLS networks with an indication of the level of improved security as well as the continued vulnerabilities. RFC 7435 describes an OS design pattern. However, encrypting the whole MPLS packet is sometimes not needed. Also, the encryption techniques have their own disadvantages; one major disadvantage is the performance impact on the forwarding plane: when the packet is encrypted on every hop/segment of the MPLS network and decrypted on every hop/segment, forwarding performance degrades significantly. Furthermore, achieving this encryption is too costly, specifically in the MPLS data plane.
SUMMARY
This summary is provided to introduce concepts related to MPLS network, apparatus, and method for ensuring authenticity and integrity of MPLS data packets and the same are further described below in the detailed description. This summary is not intended to identify essential features of the claimed subject matter nor is it intended for use in determining or limiting the scope of the claimed subject matter.
In view of the technical problems recited in the background section above, in order to achieve an efficient, economical, and secure MPLS network, there is a dire need in the MPLS data plane to authenticate the MPLS label stack/MPLS packet and to ensure the integrity of the data communicated.
In order to provide a technical solution to the above mentioned technical problems, one aspect of the present invention is to provide a network, method and apparatus to authenticate and ensure integrity of MPLS data packets in the MPLS network instead of encrypting MPLS data packet.
Another aspect of the present invention is to provide a network, method and apparatus to authenticate and ensure integrity of MPLS data packets in the MPLS network instead of encrypting the MPLS data packet, by carrying the computed message authentication code (MAC) of the MPLS label stack, or of the MPLS packet in its entirety, in the NSH header, with an MPLS service label at the top of the label stack to indicate the existence of the message authentication code (MAC) in the network service header (NSH).
Another aspect of the present invention is to provide a network, method and apparatus that ensures the MPLS data packet is received from a credible peer (no other malicious user can compute message authentication code (MAC) for the received packet without knowing key value).
Yet another aspect of the present invention is to provide a network, method and apparatus that ensures the MPLS label stack is unaltered and received exactly same as what credible peer intended to receive.
Still another aspect of the present invention is to provide a network, method and apparatus wherein a message authentication code (MAC) can be computed for the whole MPLS packet instead of computing message authentication code (MAC) only to MPLS label stack (if desired), which ensures there is no transmission error or corruption to the MPLS payload along with guaranteeing MPLS label stack integrity.
Message authentication code (MAC) computation using hashing algorithms is faster than any encryption algorithm. Usually the MPLS network carries service data that is encrypted using end-to-end IPsec tunnels. The MPLS network merely carries those encrypted packets; encrypting again at the MPLS layer at every hop is not desired, and instead authenticating every packet and ensuring its integrity makes more sense.
Accordingly, in one implementation, the present invention enables carrying a message authentication code (MAC) of the MPLS header, or of the MPLS header along with the MPLS payload, in the NSH of the desired MPLS packet. The message authentication code (MAC) is computed at every hop in the MPLS network. The present invention enables the use of any existing key management protocol by every peer/node/device in the MPLS network. In the case of a broadcast interface, every peer/node/device in the MPLS network on that interface uses the same key to compute the message authentication code (MAC). The present invention relies on the key management protocol to ensure that the peers use the same key to compute the message authentication code (MAC) while transmitting and receiving.
In one implementation, the MPLS label stack integrity is with respect to the peer label switch router (LSR)/device. The ingress/transit LSR is configured to compute the message authentication code (MAC) based on the configured/agreed algorithm and keys for the peer LSRs/nodes/devices in the MPLS network while transmitting the MPLS packet. The MAC is encoded in the NSH of the same MPLS packet while forwarding each MPLS data packet to the peer LSR/node/device. For the peer LSR/node/device that receives the MPLS data packet, the MPLS service label indicates the presence of the message authentication code (MAC) in the NSH. Further, the received message authentication code (MAC) must be verified against a newly computed message authentication code (MAC) based on the configured/agreed algorithm and key for the peer LSR/node/device in the MPLS network; if they match, the received MPLS data packet can be considered authentic and undistorted.
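The following is an added example, not code from the patent or its applicant, that walks the sender, transit and receiver behaviour described above (and the message-authentication guarantee described in the background) end to end: an ingress LSR builds an RFC 3032 label stack, computes an HMAC-SHA256 over the label stack plus payload, and carries it behind a service label in a metadata blob; a transit LSR verifies it with the key shared with the upstream peer, pops its own label, decrements the TTL and recomputes the MAC with the key shared with the downstream peer; the egress verifies again. Everything specific here is an assumption: the service label value `MAC_SERVICE_LABEL`, the pairwise keys in `KEYS`, and the metadata layout (a key-id byte, a length byte and the MAC, standing in for a real RFC 8300 NSH with its base and service-path headers). It ends by showing that a label modified on the link between two peers fails verification at the next hop.

```python
import hashlib
import hmac
import struct

# Hypothetical label value acting as the "MPLS service label" that announces a MAC in
# the NSH metadata; the page assigns no concrete value, so this is a placeholder.
MAC_SERVICE_LABEL = 1000

# Constructed pairwise keys, standing in for whatever key-management protocol the peers run.
# key-id 1 protects the A->B link, key-id 2 protects the B->C link.
KEYS = {1: b"constructed-key-A-to-B", 2: b"constructed-key-B-to-C"}


def encode_label_stack(entries):
    """Encode [(label, ttl), ...] as RFC 3032 label stack entries; the bottom entry gets S=1."""
    out = bytearray()
    for i, (label, ttl) in enumerate(entries):
        s_bit = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", (label << 12) | (s_bit << 8) | ttl)  # TC bits left at 0
    return bytes(out)


def decode_label_stack(data):
    """Return ([(label, ttl), ...], remaining_bytes); stops at the entry carrying S=1."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("label stack without bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        entries.append((word >> 12, word & 0xFF))
        if (word >> 8) & 1:
            return entries, data[off:]


def compute_mac(key, label_stack, payload):
    """HMAC-SHA256 over the label stack below the service label plus the payload."""
    return hmac.new(key, label_stack + payload, hashlib.sha256).digest()


def build_packet(entries, payload, key_id):
    """Sender side: service label on top, MAC carried in a simplified NSH-style metadata blob."""
    ttl = entries[0][1]
    stack = encode_label_stack(entries)
    mac = compute_mac(KEYS[key_id], stack, payload)
    meta = struct.pack("!BB", key_id, len(mac)) + mac  # assumed layout: key-id, length, MAC
    return encode_label_stack([(MAC_SERVICE_LABEL, ttl)] + entries) + meta + payload


def verify_packet(pkt):
    """Receiver side: detect the service label, recompute the MAC, compare in constant time.
    Returns (ok, entries_below_service_label, payload)."""
    entries, rest = decode_label_stack(pkt)
    if entries[0][0] != MAC_SERVICE_LABEL:
        return False, entries, rest  # local policy here: authentication is required
    key_id, mac_len = struct.unpack_from("!BB", rest, 0)
    received_mac = rest[2:2 + mac_len]
    payload = rest[2 + mac_len:]
    below = entries[1:]
    key = KEYS.get(key_id)
    if key is None or len(received_mac) != mac_len:
        return False, below, payload
    expected = compute_mac(key, encode_label_stack(below), payload)
    return hmac.compare_digest(expected, received_mac), below, payload


def forward(pkt, next_key_id):
    """Transit LSR: verify against the upstream peer's key, pop the top (own) label,
    decrement the TTL and recompute the MAC with the key shared with the downstream peer."""
    ok, entries, payload = verify_packet(pkt)
    if not ok:
        return None  # drop: origin or integrity check failed
    remaining = [(label, ttl - 1) for label, ttl in entries[1:]]
    return build_packet(remaining, payload, next_key_id)


def demo():
    """Ingress A -> transit B -> egress C, then the same packet with one label modified in transit."""
    payload = b"constructed IPsec ESP payload"
    pkt_a = build_packet([(100, 64), (200, 64)], payload, key_id=1)  # A -> B
    ok_b, _, _ = verify_packet(pkt_a)
    pkt_b = forward(pkt_a, next_key_id=2)                             # B -> C
    ok_c, labels_c, payload_c = verify_packet(pkt_b)
    # A label rewritten on the B->C link (label 300 instead of 200) must fail at C.
    tampered = bytearray(pkt_b)
    tampered[4:8] = struct.pack("!I", (300 << 12) | (1 << 8) | 63)
    ok_tampered, _, _ = verify_packet(bytes(tampered))
    return ok_b, ok_c, [label for label, _ in labels_c], payload_c == payload, ok_tampered


if __name__ == "__main__":
    print(demo())
```

Because the MAC is recomputed by each transmitting hop with the key it shares with the next peer, the TTL decrement and label pop performed by the transit LSR do not break verification downstream, while any change made on the wire between two peers does. The `hmac.compare_digest` call avoids leaking the comparison result through timing.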
In one implementation, the present invention provides an apparatus for transmitting at least one multiprotocol label switching (MPLS) data packet in the MPLS network. The apparatus comprises a processor, and a memory coupled to the processor for executing a plurality of modules present in the memory. The plurality of modules comprises a detection module configured to detect presence of the MPLS data packet, wherein the MPLS data packet specifies an authentication required during transmission in the MPLS network; a computation module configured to compute, using at least one message authentication code (MAC) technique, the MAC of at least MPLS label stack of the MPLS data packet or a combination of a MPLS label stack and a payload of the MPLS data packet; an encoding module configured to encode the MAC computed in the MPLS data packet, wherein the MAC computed is carried in at least a metadata field of network service header (NSH); a routing module configured to route the MPLS data packet encoded in the MPLS network.
In one implementation, the present invention provides an apparatus for receiving at least one multiprotocol label switching (MPLS) data packet in the MPLS network. The apparatus comprises a processor, and a memory coupled to the processor for executing a plurality of modules present in the memory. The plurality of modules comprises a receiving module configured to receive the MPLS data packet; a detection module configured to detect presence of at least a message authentication code (MAC) encoded in the MPLS data packet received, wherein the MAC is of at least a MPLS label stack of the MPLS data packet or a combination of a MPLS label stack and a payload of the MPLS data packet; a computation module configured to compute, using at least one MAC technique, the MAC detected for the MPLS data packet; a validation module configured to validate at least an integrity of the MPLS data packet based on the MAC computed and the MAC received in the MPLS data packet; an encoding module configured to encode, if the integrity is valid, the MAC validated in the MPLS data packet, wherein the MAC computed is carried in at least a metadata field of the network service header (NSH); a routing module configured to route the MPLS data packet encoded in the MPLS network.
In one implementation, the present invention provides a method for routing at least one multiprotocol label switching (MPLS) data packet in a multiprotocol label switching (MPLS) network, the method comprises:
• detecting a presence of at least one MPLS data packet, wherein the MPLS data packet specifies an authentication required during transmission in the MPLS network;
• computing, using at least one message authentication code (MAC) technique, at least one MAC of at least MPLS label stack of the MPLS data packet or a combination of a MPLS label stack and a payload of the MPLS data packet;
• encoding the MAC computed in the MPLS data packet, wherein the MAC computed is carried in a metadata field of network service header (NSH);
• routing the MPLS data packet encoded in the MPLS network.
In one implementation, the present invention provides a method for receiving at least one multiprotocol label switching (MPLS) data packet in a multiprotocol label switching (MPLS) network, the method comprises:
• receiving the MPLS data packet;
• detecting presence of at least one message authentication code (MAC) encoded in the MPLS data packet received, wherein the MAC is of at least a MPLS label stack of the MPLS data packet or a combination of a MPLS label stack and a payload of the MPLS data packet;
• computing, using at least one MAC technique, the MAC detected for the MPLS data packet;
• validating at least an integrity of the MPLS data packet based on the MAC computed and the MAC received in the MPLS data packet;
• encoding, if the integrity is valid, the MAC validated in the MPLS data packet, wherein the MAC computed is carried in at least a metadata field of the network service header (NSH);
• routing the MPLS data packet encoded in the MPLS network.
In one implementation, the present invention provides a multiprotocol Label Switching (MPLS) network ensuring authenticity and integrity of the MPLS data packets being routed; the MPLS network comprises a sender apparatus and a receiver apparatus. The sender apparatus for transmitting at least one multiprotocol label switching (MPLS) data packet in a multiprotocol label switching (MPLS) network, the sender apparatus comprises a detection module configured to detect presence of at least the MPLS data packet, wherein the MPLS data packet specifies an authentication required during transmission in the MPLS network; a computation module configured to compute, using at least one message authentication code (MAC) technique, the MAC of at least MPLS label stack of the MPLS data packet or a combination of a MPLS label stack and a payload of the MPLS data packet; an encoding module configured to encode the MAC computed in the MPLS data packet, wherein the MAC computed is carried in at least a metadata field of network service header (NSH); and a routing module configured to route the MPLS data packet encoded in the MPLS network. The receiver apparatus for receiving the MPLS data packet encoded by the sender apparatus, the receiver apparatus comprises a detection module configured to detect presence of the MAC encoded in the MPLS data packet received; a computation module configured to compute, using at least one MAC technique, the MAC detected for the MPLS data packet; a validation module configured to validate at least an integrity of the MPLS data packet based on the MAC computed and the MAC received in the MPLS data packet; an encoding module configured to encode, if the integrity is valid, the MAC validated in the MPLS data packet, wherein the MAC computed is carried in at least a metadata field of network service header (NSH).
As compared to the prior-art techniques, the present invention ensures the MPLS packet integrity for Vanilla MPLS Architecture as well as Segment Routing Architecture. The present invention uses the NSH header to carry any authentication related data such as authentication key-id, HASH, MAC and HMAC computed from different algorithms. The present invention uses service label/extended label/local policy to indicate that the MPLS data packet is carrying message authentication code (MAC) in NSH header.
Further, the present invention ensures:
• the MPLS data packet is received from a credible peer, since no malicious user can compute the message authentication code (MAC) for the received packet without knowing the key value.
• the MPLS label stack is unaltered and is received exactly as the credible peer intended it to be received.
• the message authentication code (MAC) can be computed for the whole MPLS packet instead of computing the message authentication code (MAC) only over the MPLS label stack.
• there is no transmission error or corruption of the MPLS payload, in addition to guaranteeing MPLS label stack integrity.
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWINGS
The detailed description is described with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The same numbers are used throughout the drawings to refer to like features and components.
Figure 1 illustrates a sender apparatus, in accordance with an embodiment of the present subject matter.
Figure 2 illustrates a receiver apparatus in accordance with an embodiment of the present subject matter.
Figure 3 illustrates a method performed by the sender apparatus, in accordance with an embodiment of the present subject matter.
Figure 4 illustrates a method performed by the receiver apparatus, in accordance with an embodiment of the present subject matter.
Figure 5 illustrates SR packet formats, in accordance with an embodiment of the present subject matter.
Figure 6 illustrates a working example showing an MPLS network, in accordance with an embodiment of the present subject matter.
It is to be understood that the attached drawings are for purposes of illustrating the concepts of the invention and may not be to scale.
DETAILED DESCRIPTION OF THE PRESENT INVENTION
The following clearly describes the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Apparently, the described embodiments are merely a part rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative efforts shall fall within the protection scope of the present invention.
The invention can be implemented in numerous ways, including as a process, an apparatus, a system, a composition of matter, a computer readable medium such as a computer readable storage medium or a computer network wherein program instructions are sent over optical or electronic communication links. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention.
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
MPLS networks, apparatuses, and methods therefor ensuring authenticity and integrity of MPLS data packets are disclosed.
While aspects are described for an MPLS network, apparatus, and method therefor ensuring authenticity and integrity of MPLS data packets, and the present invention may be implemented in any number of different computing systems, environments, and/or configurations, the embodiments are described in the context of the following exemplary systems, apparatus, and methods.
Accordingly, in one implementation, the present invention enables carrying a message authentication code (MAC) of the MPLS header, or of the MPLS header along with the MPLS payload, in the NSH of a desired MPLS packet. The message authentication code (MAC) is computed at every hop in the MPLS network. The present invention enables the usage of any existing key management protocol by every peer/node/device in the MPLS network. In the case of a broadcast interface, every peer/node/device in the MPLS network on that interface uses the same key to compute the message authentication code (MAC). The present invention relies on the key management protocol to ensure that the peers use the same key to compute the message authentication code (MAC) while transmitting and receiving.
In one implementation, the MPLS label stack integrity is with respect to the peer label switch router (LSR) / device. The ingress/transit LSR is configured to compute the message authentication code (MAC), based on the configured/agreed algorithm and keys for the peer LSRs/nodes/devices in the MPLS network, while transmitting the MPLS packet. The MAC is encoded in the NSH of the same MPLS packet while forwarding each MPLS data packet to the peer LSR/node/device. For the peer LSR/node/device which receives the MPLS data packet, an MPLS service label indicates the presence of the message authentication code (MAC) in the NSH. Further, the received message authentication code (MAC) must be verified against a newly computed message authentication code (MAC) based on the configured/agreed algorithm and key for the peer LSRs/nodes/devices in the MPLS network; if they match, the received MPLS data packet can be considered authentic and undistorted.
In one implementation, the integrity of the MPLS/SR label stack may be ensured using the following steps:
STEP 1: Sender device computing the message authentication code (MAC): In one implementation, any existing standard message authentication code (MAC) computing algorithm may be used for computing the message authentication code (MAC). It may be understood by the person skilled in the art that, to achieve the efficiency of the present invention, a common agreement must be reached between neighbors (sender device and receiver device) upon the computing algorithm as well as the key (cryptographic keys) to be used to calculate the message authentication code (MAC). In one implementation, computation of the message authentication code (MAC) may be confined only to the MPLS label stack or may be extended to the complete MPLS packet including the payload. The local policy for a particular device in the MPLS network may also define the exclusion of the top N labels, which may be required in case of some implementation constraints.
STEP 2: Sender device adding the computed message authentication code (MAC) to the MPLS data packet while transmitting: The present invention is adaptable to any of the existing or new architectures using an MPLS based forwarding plane. The architectures may include, but are not limited to, the vanilla MPLS architecture as well as the segment routing architecture. It may be understood by the person skilled in the art that, based on the architecture selected, there may be different ways to encode the computed message authentication code (MAC) in the MPLS packet.
In one example, for the vanilla MPLS architecture, the following steps may be performed by the present invention:
Methods to carry the message authentication code (MAC) comprise:
a. The MAC may be carried as metadata in the NSH header. The header format may be as per “draft-ietf-sfc-nsh (Network Service Header)”.
b. The MAC will be encoded just after the Extended MPLS Label in the label stack in case an extended MPLS label is used for identification, and will be encoded at the beginning in the local policy scenario.
In one example, for the Segment Routing architecture, the following steps may be performed by the present invention:
Methods to carry the message authentication code (MAC) comprise:
a. The MAC may be carried as metadata in the NSH header. The header format may be as per “draft-ietf-sfc-nsh (Network Service Header)”.
STEP 3: Receiver device identifying the existence of the MAC in the received MPLS packet: The process of identifying the existence or presence of the MAC may be based on the architecture using the MPLS based forwarding plane.
In one example, for the vanilla MPLS architecture, the following steps may be performed by the present invention:
Methods of identifying the presence of the MAC in the MPLS packet comprise:
a. A local policy may be defined to indicate the presence of the MAC in the packet: the local policy may specify that all MPLS packets received on a particular interface MUST be checked for data integrity, in which case each packet MUST contain a MAC; if not, the packet has to be discarded.
b. An Extended MPLS Label as defined by RFC 7274 may be used.
In one example, for the Segment Routing architecture, the following steps may be performed by the present invention:
Methods of identifying the presence of the MAC comprise:
a. A local policy may be defined to indicate the presence of the MAC in the packet: the local policy may specify that all MPLS packets received on a particular interface MUST be checked for data integrity, in which case each packet MUST contain a MAC; if not, the packet has to be discarded.
b. An SR MAC Service Label is encoded in the label stack to indicate the presence of an NSH with metadata carrying the MAC. The SR MAC Service Label may be inserted in two ways:
i. SR MAC Service Label as the top label
ii. SR MAC Service Label after the peer node label
STEP 4: Receiver device computing the MAC for the received MPLS data packet: In one implementation, this is performed based on the MAC authentication parameters agreed with the sender device.
STEP 5: Validating the integrity of the received packet: In one implementation, the MAC received in the packet is compared against the computed MAC. If the integrity check fails, further action must be taken based on the local policy. The default behavior/action may be to drop the unauthenticated packet.
STEP 6: Preparing the packet for further forwarding (if the integrity check passes): In one implementation, the processed NSH header is removed. If the next hop requires an integrity check, Step 1 to Step 5 may be repeated at the receiver device, which thereby forwards the MPLS data packet to the next node.
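The six steps above, carried through in code as an added illustration (this is not code from the patent or from any particular product): the sender computes an HMAC-SHA256 over the label stack, excluding the top N labels and covering the payload as the local policy dictates, places it together with a key-id in a simplified NSH metadata TLV, and pushes an SR MAC service label on top; each receiver checks the service label, recomputes the MAC with the key named by the key-id, compares in constant time, strips the service label and the NSH, and re-MACs for the next link. The label value 1001, the key-ids and keys, the TLV class/type, the policy dictionary and the NSH byte layout are assumptions for the example; the NSH is reduced to a base header, a zeroed service path header and one MD type 2 TLV.

```python
import hashlib
import hmac
import struct

# Constructed sample constants (hypothetical, not taken from the patent text).
SR_MAC_SERVICE_LABEL = 1001      # label value signalling "an NSH carrying a MAC follows the stack"
LSE_LEN = 4                      # one MPLS label stack entry (LSE) is 32 bits
NSH_MD_TYPE2 = 0x2               # NSH metadata type 2: variable-length TLVs
NSH_NEXT_PROTO_MPLS = 0x5        # NSH next-protocol code for MPLS (assumed; see RFC 8300)
MAC_TLV_CLASS, MAC_TLV_TYPE = 0x0000, 0x01   # hypothetical TLV identifiers for the MAC

def lse(label, tc=0, s=0, ttl=64):
    """Pack one LSE: 20-bit label, 3-bit TC, bottom-of-stack bit S, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)

def split_label_stack(data):
    """Return (label_stack_bytes, rest) by scanning LSEs until the S bit is set."""
    off = 0
    while off + LSE_LEN <= len(data):
        s_bit = (struct.unpack("!I", data[off:off + LSE_LEN])[0] >> 8) & 1
        off += LSE_LEN
        if s_bit:
            return data[:off], data[off:]
    raise ValueError("truncated label stack")

def compute_mac(key, label_stack, payload, policy):
    """STEP 1 / STEP 4: HMAC-SHA256 over the label stack minus the top
    policy["exclude_top"] entries, plus the payload when policy["cover_payload"] is set."""
    covered = label_stack[policy["exclude_top"] * LSE_LEN:]
    if policy["cover_payload"]:
        covered += payload
    return hmac.new(key, covered, hashlib.sha256).digest()

def encode_nsh(key_id, mac):
    """STEP 2: simplified NSH (base header, zeroed service path header, one MD type 2
    TLV) carrying the key-id and the MAC. The bit-exact NSH flag layout is omitted."""
    value = struct.pack("!B", key_id) + mac
    pad = b"\x00" * ((-len(value)) % 4)           # NSH metadata is 32-bit aligned
    tlv = struct.pack("!HBB", MAC_TLV_CLASS, MAC_TLV_TYPE, len(value)) + value + pad
    base = struct.pack("!BBBB", 0, (8 + len(tlv)) // 4, NSH_MD_TYPE2, NSH_NEXT_PROTO_MPLS)
    return base + struct.pack("!I", 0) + tlv

def decode_nsh(data):
    """Parse the NSH written by encode_nsh; return (key_id, mac, bytes_after_nsh)."""
    if len(data) < 12 or data[2] != NSH_MD_TYPE2:
        raise ValueError("missing or unexpected NSH")
    nsh_len = data[1] * 4
    vlen = struct.unpack("!HBB", data[8:12])[2]
    value = data[12:12 + vlen]
    return value[0], value[1:], data[nsh_len:]

def sender_add_mac(key, key_id, label_stack, payload, policy):
    """STEP 1 + STEP 2: MAC the stack (and payload), push the SR MAC service label
    on top and insert the NSH between the label stack and the payload."""
    mac = compute_mac(key, label_stack, payload, policy)
    return lse(SR_MAC_SERVICE_LABEL) + label_stack + encode_nsh(key_id, mac) + payload

def receiver_process(keys, pkt, policy):
    """STEP 3 to STEP 6: detect the service label, recompute the MAC with the key
    named by the key-id, compare in constant time, then strip the service label and
    the NSH. Returns (label_stack, payload) on success, or None when the packet must
    be dropped (the default local-policy action)."""
    if len(pkt) < LSE_LEN or struct.unpack("!I", pkt[:LSE_LEN])[0] >> 12 != SR_MAC_SERVICE_LABEL:
        return None                               # MAC required but not indicated
    try:
        label_stack, rest = split_label_stack(pkt[LSE_LEN:])
        key_id, received_mac, payload = decode_nsh(rest)
    except ValueError:
        return None                               # malformed stack or NSH
    key = keys.get(key_id)
    if key is None:
        return None                               # unknown key-id: cannot authenticate
    expected = compute_mac(key, label_stack, payload, policy)
    if not hmac.compare_digest(expected, received_mac):
        return None                               # integrity check failed
    return label_stack, payload

def forward_chain(link_keys, label_stack, payload, policy):
    """Hop-by-hop flow: for each link the upstream node runs STEP 1-2 (or the STEP 6
    re-MAC) with that link's key and the downstream node runs STEP 3-5. Returns the
    (label_stack, payload) delivered at the last node, or None if any hop drops it."""
    stack, pl = label_stack, payload
    for key_id, key in link_keys:
        pkt = sender_add_mac(key, key_id, stack, pl, policy)
        result = receiver_process({key_id: key}, pkt, policy)
        if result is None:
            return None
        stack, pl = result
    return stack, pl
```

With `exclude_top` set to 1 and `cover_payload` false, a change to the top original label passes verification while a change to any deeper label does not, which is exactly the scope the local policy of STEP 1 trades away; with `cover_payload` true, payload corruption is detected as well. The per-link keys in `forward_chain` stand in for the keys the key management protocol distributes to neighboring peers.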
In one implementation, the local policy on a device may decide whether to perform the message integrity check on every hop or some specified hops only.
Referring now to figure 1, the figure 1 illustrates a sender apparatus 100, in accordance with an embodiment of the present subject matter.
Referring now to figure 2, the figure 2 illustrates a receiver apparatus 200 in accordance with an embodiment of the present subject matter.
Although the present subject matter is explained considering that the apparatus 100/200 is for ensuring authenticity and integrity of MPLS data packets, it may be understood that the apparatus 100/200 may also be implemented in a variety of computing systems, such as a laptop computer, a desktop computer, a notebook, a workstation, a mainframe computer, a server, a network server, and the like. It will be understood that the apparatus 100/200 may be accessed by multiple users through one or more user devices (not shown) or applications residing on the user devices. Examples of the apparatus 100/200 may include, but are not limited to, a portable computer, a personal digital assistant, a handheld device, a workstation, routers, and servers. The apparatus 100/200 is communicatively coupled to the other devices (not shown) through a network (not shown); for example, there may be multiple sender apparatuses 100 connected to multiple receiver apparatuses 200.
In one implementation, the network may be a wireless network, a wired network or a combination thereof. The network can be implemented as one of the different types of networks, such as intranet, local area network (LAN), wide area network (WAN), the internet, and the like. The network may either be a dedicated network or a shared network. The shared network represents an association of the different types of networks that use a variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), and the like, to communicate with one another. Further the network may include a variety of network devices, including routers, bridges, servers, computing devices, storage devices, and the like.
In one implementation, the apparatus 100/200 may include at least one processor 102/202, an input/output (I/O) interface 104 / 204, and a memory 106 / 206. The at least one processor 102 / 202 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the at least one processor 102 / 202 is configured to fetch and execute computer-readable instructions stored in the memory 106 / 206.
The I/O interface 104 / 204 may include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like. The I/O interface 104 / 204 may allow the apparatus 100/200 to interact with a user directly or through the client devices (not shown). Further, the I/O interface 104 / 204 may enable the apparatus 100/200 to communicate with other computing devices, such as web servers and external data servers (not shown). The I/O interface 104 / 204 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular, or satellite. The I/O interface 104 / 204 may include one or more ports for connecting a number of devices to one another or to another server.
The memory 106 / 206 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes.
The modules include routines, programs, objects, components, data structures, etc., which perform particular tasks or implement particular abstract data types.
In one implementation, the apparatus 100 is for transmitting at least one packet in a multiprotocol label switching (MPLS) network. The apparatus 100 may include a processor 102 and a memory 106 coupled to the processor for executing a plurality of modules present in the memory. The modules may include a detection module 108, a computation module 110, an encoding module 112, and a routing module 114. The detection module 108 may be configured to detect presence of at least one MPLS data packet. The computation module 110 may be configured to compute, using at least one message authentication code (MAC) technique, at least one message authentication code (MAC) of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet. The encoding module 112 may be configured to encode the MAC computed in the MPLS data packet, wherein the MAC computed is carried in at least a field, preferably a metadata field, of a network service header (NSH). The routing module 114 may be configured to route the encoded MPLS data packet in the multiprotocol label switching (MPLS) network.
In one implementation, if a vanilla MPLS architecture is used for the MPLS based forwarding plane, the apparatus 100 may further comprise: an identification module configured to identify presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an extended MPLS label; the computation module configured to compute, if the MAC is not identified, at least one message authentication code (MAC) of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet, using the MAC technique; the encoding module configured to encode the MAC computed in the MPLS data packet, wherein the MAC computed is carried in the field, preferably the metadata field, of the network service header (NSH); and the routing module configured to route the MPLS data packet in the multiprotocol label switching (MPLS) network.
In one implementation, if a segment routing architecture is used for the MPLS based forwarding plane, the apparatus 100 may further comprise: an identification module configured to identify presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an SR MAC service label, wherein the SR MAC service label is inserted as a top label or after a peer node label; the computation module configured to compute, if the MAC is not identified, at least one message authentication code (MAC) of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet, using the MAC technique; the encoding module configured to encode the MAC computed in the MPLS data packet, wherein the MAC computed is carried in the field, preferably the metadata field, of the network service header (NSH); and the routing module configured to route the MPLS data packet in the multiprotocol label switching (MPLS) network.
In one implementation, an apparatus 200 for receiving at least one packet in a multiprotocol label switching (MPLS) network is disclosed. The apparatus comprises a processor 202 and a memory 106 coupled to the processor for executing a plurality of modules present in the memory. The modules may include a receiving module 208, a detection module 210, a computation module 212, a validation module 214, an encoding module 216, and a routing module 218. The receiving module 208 may be configured to receive at least one MPLS data packet. The detection module 210 may be configured to detect presence of at least one message authentication code (MAC) encoded in the received MPLS data packet, wherein the message authentication code (MAC) is of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet. The computation module 212 may be configured to compute, using at least one message authentication code (MAC) technique, the MAC detected for the MPLS data packet. The validation module 214 may be configured to validate at least an integrity of the MPLS data packet based on the MAC computed and the MAC received in the MPLS data packet. The encoding module 216 may be configured to encode, if the integrity is valid, the validated MAC in the MPLS data packet, wherein the MAC computed is carried in at least a field, preferably a metadata field, of a network service header (NSH). The routing module 218 may be configured to route the encoded MPLS data packet in the multiprotocol label switching (MPLS) network.
In one implementation, if a vanilla MPLS architecture is used for the MPLS based forwarding plane, the detection module of the apparatus 200 is further configured, before computing, to detect presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an extended MPLS label.
In one implementation, if a segment routing architecture is used for the MPLS based forwarding plane, the detection module of the apparatus 200 is further configured, before computing, to detect presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an SR MAC service label, wherein the SR MAC service label is inserted as a top label or after a peer node label.
In one implementation, the encoding module is further configured to encode at least one MPLS service label at the top of the MPLS data packet or of a MPLS label stack including the payload of the MPLS data packet, indicative of the existence of the MAC computed in the NSH.
In one implementation, the MAC technique is selected based on a common agreement of the apparatuses in the MPLS network, the common agreement ensures the usage of common algorithms and keys by the apparatuses for computing the MAC.
Figure 3 illustrates a method performed by the sender apparatus 100, in accordance with an embodiment of the present subject matter. Figure 4 illustrates a method performed by the receiver apparatus 200, in accordance with an embodiment of the present subject matter. The method may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, functions, etc., that perform particular functions or implement particular abstract data types. The method may also be practiced in a distributed computing environment where functions are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, computer executable instructions may be located in both local and remote computer storage media, including memory storage devices.
The order in which the method is described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the method or alternate methods. Additionally, individual blocks may be deleted from the method without departing from the protection scope of the subject matter described herein. Furthermore, the method can be implemented in any suitable hardware, software, firmware, or combination thereof. However, for ease of explanation, in the embodiments described below, the method may be considered to be implemented in the above described apparatuses.
Referring now to figure 3, the figure 3 illustrates a method performed by the sender apparatus 100, in accordance with an embodiment of the present subject matter.
At block 302, a presence of at least one MPLS data packet is detected. In one implementation, the data packet and the local policy (statically configured/dynamically negotiated) specify the need for MPLS authentication while transmitting the data packet to the MPLS peer.
At block 304, at least one message authentication code (MAC) of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet is computed using at least one message authentication code (MAC) technique.
At block 306, the MAC computed is encoded in the MPLS data packet. The MAC computed may be carried in at least a field, preferably a metadata field of network service header (NSH). It may be understood by the person skilled in the art that any field of the NSH which may carry the data may be used for carrying the MAC computed.
At block 308, the MPLS data packet encoded is routed in the multiprotocol label switching (MPLS) network. The person skilled in the art may understand that any existing routing mechanism may be used for routing the packets and a routing table may be maintained for the same. However, the routing mechanism used for routing is beyond the scope of the present invention and hence the details are excluded from the description.
In one implementation, if a vanilla MPLS architecture using the MPLS based forwarding plane is used, the method before computing may include: identifying presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an extended MPLS label; computing, if the MAC is not identified, at least one message authentication code (MAC) of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet, using the MAC technique; encoding the MAC computed in the MPLS data packet, wherein the MAC computed is carried in the field, preferably the metadata field, of the network service header (NSH); and routing the MPLS data packet in the multiprotocol label switching (MPLS) network.
In one implementation, if a segment routing architecture using the MPLS based forwarding plane is used, the method before computing further comprises: identifying presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an SR MAC service label, wherein the SR MAC service label is inserted as a top label or after a peer node label; computing, if the MAC is not identified, at least one message authentication code (MAC) of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet, using the MAC technique; encoding the MAC computed in the MPLS data packet, wherein the MAC computed is carried in the field, preferably the metadata field, of the network service header (NSH); and routing the MPLS data packet in the multiprotocol label switching (MPLS) network.
Referring now to figure 4, the figure 4 illustrates a method performed by the receiver apparatus 200, in accordance with an embodiment of the present subject matter.
At block 402, at least one MPLS data packet is received.
At block 404, a presence of at least one message authentication code (MAC) encoded in the received MPLS data packet is detected. The message authentication code (MAC) may be of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet.
At block 406, the MAC detected for the MPLS data packet is computed. The MAC may be computed using at least one message authentication code (MAC) technique.
At block 408, at least an integrity of the MPLS data packet is validated based on the MAC computed and the MAC received in the MPLS data packet, i.e., if the received MAC and the computed MAC match, the authentication check passes.
At block 410, if the integrity is valid, the MAC validated is encoded in the MPLS data packet, wherein the MAC computed is carried in at least a field, preferably a metadata field of network service header (NSH).
At block 412, the MPLS data packet encoded is routed in the multiprotocol label switching (MPLS) network.
In one implementation, if a vanilla MPLS architecture using the MPLS based forwarding plane is used, the method before computing further comprises: detecting presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an extended MPLS label.
In one implementation, if a segment routing architecture using the MPLS based forwarding plane is used, the method before computing further comprises detecting presence of the MAC based on at least a local policy or the presence of the MPLS service label, specifically an SR MAC service label, wherein the SR MAC service label is inserted as a top label or after a peer node label.
In one implementation, the methods may include encoding at least one MPLS service label at the top of the MPLS data packet or of a MPLS label stack including the payload of the MPLS data packet, indicative of the existence of the MAC computed in the NSH.
In one implementation, the MAC technique is selected based on a common agreement of the apparatuses in the MPLS network, the common agreement ensures the usage of common algorithms and keys by the apparatuses for computing the MAC.
In one implementation, a multiprotocol label switching (MPLS) network ensuring authenticity and integrity of the MPLS data packets being routed comprises a sender apparatus 100 for transmitting at least one packet in the multiprotocol label switching (MPLS) network, wherein the sender apparatus 100 further comprises a detection module 102 configured to detect presence of at least one MPLS data packet; a computation module 104 configured to compute, using at least one message authentication code (MAC) technique, at least one message authentication code (MAC) of at least a MPLS label stack of the MPLS data packet or a MPLS label stack including a payload of the MPLS data packet; an encoding module 106 configured to encode the MAC computed in the MPLS data packet, wherein the MAC computed is carried in at least a field, preferably a metadata field, of a network service header (NSH); and a routing module 108 configured to route the encoded MPLS data packet in the multiprotocol label switching (MPLS) network; and a receiver apparatus 200 for receiving the MPLS data packet encoded by the sender apparatus, wherein the receiver apparatus 200 comprises a detection module 202 configured to detect presence of the MAC encoded in the received MPLS data packet; a computation module 204 configured to compute, using at least one message authentication code (MAC) technique, the MAC detected for the MPLS data packet; a validation module 206 configured to validate at least an integrity of the MPLS data packet based on the MAC computed and the MAC received in the MPLS data packet; and an encoding module 208 configured to encode, if the integrity is valid, the validated MAC in the MPLS data packet, wherein the MAC computed is carried in at least a field, preferably a metadata field, of the network service header (NSH).
Referring now to figure 5, the figure 5 illustrates different types of SR packet formats. The SR MAC service label as the top label is shown in figure 5(a), and the SR MAC service label after the peer node label is shown in figure 5(b).
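The two SR label positions of figure 5, together with the extended-label and local-policy indicators of STEP 3, as an added example (this is not code from the patent): the receiver decodes the label stack entry by entry and decides whether an NSH carrying a MAC is expected and at which offset it begins, discarding a packet that the local policy requires to carry a MAC when nothing follows the label stack. The label values 15 (the RFC 7274 extension label), 1001 (the SR MAC service label) and 16002 (the receiving node's own node label), and the policy key name, are assumptions for the example.

```python
import struct

# Constructed sample constants (hypothetical values, not from the patent text).
XL_LABEL = 15                    # Extension Label (XL) reserved by RFC 7274
SR_MAC_SERVICE_LABEL = 1001      # hypothetical SR MAC service label
LOCAL_NODE_LABELS = {16002}      # hypothetical node SID(s) by which peers address this node

def lse(label, tc=0, s=0, ttl=64):
    """Pack one MPLS label stack entry (used here only to build sample stacks)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)

def parse_label_stack(data):
    """Decode LSEs until the bottom-of-stack bit; return (entries, offset_after_stack)."""
    entries, off = [], 0
    while off + 4 <= len(data):
        word = struct.unpack("!I", data[off:off + 4])[0]
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "s": (word >> 8) & 0x1, "ttl": word & 0xFF})
        off += 4
        if entries[-1]["s"]:
            return entries, off
    raise ValueError("label stack has no bottom-of-stack entry")

def mac_indicator(entries, policy):
    """Return the reason a MAC is expected in this packet, or None.
    The checks follow STEP 3: local policy on the interface, SR MAC service label as
    the top label (figure 5(a)), SR MAC service label directly after this node's
    peer node label (figure 5(b)), and the extension label for vanilla MPLS (RFC 7274)."""
    if policy.get("require_mac_on_interface"):
        return "local-policy"
    labels = [e["label"] for e in entries]
    if labels and labels[0] == SR_MAC_SERVICE_LABEL:
        return "sr-service-label-top"
    if len(labels) >= 2 and labels[0] in LOCAL_NODE_LABELS and labels[1] == SR_MAC_SERVICE_LABEL:
        return "sr-service-label-after-peer-node-label"
    if XL_LABEL in labels:
        return "extended-label"
    return None

def classify(pkt, policy):
    """Receiver-side decision for a raw packet: ('verify', reason, nsh_offset) when an
    NSH with a MAC is expected right after the label stack, ('discard', reason, offset)
    when it is expected but nothing follows the stack, and ('forward', None, offset)
    when neither the policy nor the label stack requests an integrity check."""
    entries, nsh_offset = parse_label_stack(pkt)
    reason = mac_indicator(entries, policy)
    if reason is None:
        return "forward", None, nsh_offset
    if nsh_offset >= len(pkt):
        return "discard", reason, nsh_offset
    return "verify", reason, nsh_offset
```

The returned offset is where the NSH parser (and then the MAC check) starts; a node that only inspects the top label still catches figure 5(a), while figure 5(b) requires looking one entry past its own node label.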
Figure 6 illustrates a working example showing an MPLS network, in accordance with an embodiment of the present subject matter. As shown in figure 6, before initiating a communication in the MPLS network, the algorithms used for computing the message authentication code (MAC) and the keys used for the same are shared with all the transit nodes or the nodes available in the MPLS network. The service level agreements for each node, i.e., the ingress, transit, and egress nodes, are either statically configured or dynamically negotiated.
According to the present invention, at the ingress node the packet / the payload is received and, as specified by the local policies, an authentication is to be performed for the packets/payloads. In order to achieve the authentication, according to the present invention a MAC for the payload is computed using the predefined algorithms and included in the NSH header, and MPLS labels are added along with the SR service labels on top of the payload. The packet/payload, after adding the computed MAC and the labels, is forwarded to the transit router as shown in figure 6. The forwarded packet now includes the message authentication code (MAC) of the MPLS header, or of the MPLS header along with the MPLS payload, in the NSH of the desired MPLS packet.
On receipt of the MPLS data packet, the transit router identifies the presence of the SR label or extended MPLS label in the packet, and accordingly verifies the computed MAC against the received MAC. When the packet is verified, i.e., when the computed and received MACs match, the NSH header is updated and the packet along with the SR label is forwarded to the next router. The process is repeated if the next router is again a transit router. If the next router is the egress router, then it only verifies whether the received packet is an authenticated packet and, upon authentication, removes all the labels and provides a normal payload to the user.
Apart from what is explained above, the present invention also includes the below mentioned advantages:
• The MPLS data packet is received from a credible peer, since no malicious user can compute the message authentication code (MAC) for the received packet without knowing the key value.
• The MPLS label stack is unaltered and is received exactly as the credible peer intended it to be received.
• The message authentication code (MAC) can be computed for the whole MPLS packet instead of computing the message authentication code (MAC) only over the MPLS label stack. This ensures there is no transmission error or corruption of the MPLS payload, in addition to guaranteeing MPLS label stack integrity.
• The present invention ensures MPLS packet integrity for the vanilla MPLS architecture as well as the segment routing architecture.
• The present invention uses the NSH header to carry any authentication-related data such as an authentication key-id, a hash, a MAC or an HMAC computed by different algorithms.
• The present invention uses a service label, an extended label or a local policy to indicate that the MPLS data packet is carrying a message authentication code (MAC) in the NSH header.
A person of ordinary skill in the art may be aware that in combination with the examples described in the embodiments disclosed in this specification, units and algorithm steps may be implemented by electronic hardware, or a combination of computer software and electronic hardware. Whether the functions are performed by hardware or software depends on the particular applications and design constraint conditions of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but it should not be considered that the implementation goes beyond the scope of the present invention.
It may be clearly understood by a person skilled in the art that for the purpose of convenient and brief description, for a detailed working process of the foregoing system, apparatus, and unit, reference may be made to a corresponding process in the foregoing method embodiments, and details are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other manners. For example, the described apparatus embodiment is merely exemplary. For example, the unit division is merely logical function division and may be other division in actual implementation. For example, a plurality of units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the displayed or discussed mutual couplings or direct couplings or communication connections may be implemented through some interfaces. The indirect couplings or communication connections between the apparatuses or units may be implemented in electronic, mechanical, or other forms.
When the functions are implemented in a form of a software functional unit and sold or used as an independent product, the functions may be stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of the present invention essentially, or the part contributing to the prior art, or a part of the technical solutions may be implemented in a form of a software product. The computer software product is stored in a storage medium, and includes several instructions for instructing a computer device (which may be a personal computer, a server, or a network device) to perform all or a part of the steps of the methods described in the embodiment of the present invention. The foregoing storage medium includes: any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, or an optical disc.
Although implementations of the MPLS network, apparatus, and method therefor, ensuring authenticity and integrity of MPLS data packets, have been described in language specific to structural features and/or methods, it is to be understood that the appended claims are not necessarily limited to the specific features or methods described. Rather, the specific features and methods are disclosed as examples of implementations of the MPLS network, apparatus, and method therefor, ensuring authenticity and integrity of MPLS data packets.
| # | Name | Date |
|---|---|---|
| 1 | Form 3 [28-11-2015(online)].pdf | 2015-11-28 |
| 2 | Drawing [28-11-2015(online)].pdf | 2015-11-28 |
| 3 | Description(Complete) [28-11-2015(online)].pdf | 2015-11-28 |
| 4 | 6400-CHE-2015-Form 1-280416.pdf | 2016-07-13 |
| 5 | 6400-CHE-2015-Correspondence-F1-280416.pdf | 2016-07-13 |
| 6 | abstract-6400-CHE-2015-jpeg.jpg | 2016-09-17 |
| 7 | 6400-CHE-2015-PA [06-04-2018(online)].pdf | 2018-04-06 |
| 8 | 6400-CHE-2015-ASSIGNMENT DOCUMENTS [06-04-2018(online)].pdf | 2018-04-06 |
| 9 | 6400-CHE-2015-8(i)-Substitution-Change Of Applicant - Form 6 [06-04-2018(online)].pdf | 2018-04-06 |
| 10 | Correspondence by Agent_Deed of Assignment_17-04-2018.pdf | 2018-04-17 |
| 11 | Search_Strategy_6400CHE2015_08-08-2019.pdf | |
| 12 | 6400-CHE-2015-FER.pdf | 2019-08-29 |
| 13 | 6400-CHE-2015-CLAIMS [04-12-2019(online)].pdf | 2019-12-04 |
| 14 | 6400-CHE-2015-FER_SER_REPLY [04-12-2019(online)].pdf | 2019-12-04 |
| 15 | 6400-CHE-2015-IntimationOfGrant08-01-2021.pdf | 2021-01-08 |
| 16 | 6400-CHE-2015-PatentCertificate08-01-2021.pdf | 2021-01-08 |
| 17 | 6400-CHE-2015-RELEVANT DOCUMENTS [23-09-2022(online)].pdf | 2022-09-23 |
| 18 | 6400-CHE-2015-RELEVANT DOCUMENTS [19-09-2023(online)].pdf | 2023-09-19 |
| 19 | 6400-CHE-2015-FORM-27 [30-09-2024(online)].pdf | 2024-09-30 |
| 20 | 6400-CHE-2015-FORM-26 [03-02-2025(online)].pdf | 2025-02-03 |