
Continuing a media access control security (MACsec) key agreement (MKA) session upon a network device becoming temporarily unavailable

Juniper Networks, Inc.
2023
Online Patent

Title:
Continuing a media access control security (MACsec) key agreement (MKA) session upon a network device becoming temporarily unavailable
Author / Contributor: Juniper Networks, Inc.
Link:
Publication: 2023
Media type: Patent
Other:
  • Indexed in: USPTO Patent Grants
  • Languages: English
  • Patent Number: 11,711,367
  • Publication Date: July 25, 2023
  • Appl. No: 16/824028
  • Application Filed: March 19, 2020
  • Assignees: Juniper Networks, Inc. (Sunnyvale, CA, US)
  • Claim: 1. A method, comprising: communicating, by a first network device, with a second network device via a media access control security (MACsec) key agreement (MKA) communication link, wherein an MKA session has been established between the first network device and the second network device; determining, by the first network device, that the second network device is unavailable; causing, by the first network device and based on determining that the second network device is unavailable, an MKA state of the first network device to be placed in a paused state; receiving, by the first network device and after causing the MKA state of the first network device to be placed in the paused state, a packet from the second network device via the MKA communication link; determining, by the first network device and based on the packet, that the MKA session has not ended, wherein determining that the MKA session has not ended comprises: identifying a message identifier of the packet, and determining that the message identifier of the packet is next in a sequence based on a last message identifier of the MKA session stored by the second network device; and continuing, by the first network device and based on the MKA session having not ended, the MKA session by reactivating the MKA state.
  • Claim: 2. The method of claim 1, wherein determining that the second network device is unavailable comprises: processing a particular packet received from the second network device to determine that the second network device has become unavailable.
  • Claim: 3. The method of claim 1, wherein determining that the second network device is unavailable comprises: determining that the first network device has not received an MKA packet from the second network device for a length of time.
  • Claim: 4. The method of claim 1, wherein causing the MKA state of the first network device to be placed in the paused state comprises: causing the first network device to suspend transmission of MKA packets associated with the MKA session; causing the first network device to suspend a timeout timer associated with the MKA session; causing the first network device to store information associated with the MKA session in a data structure; and causing the first network device to initiate a resume timer associated with the MKA session, wherein the resume timer is configured and/or negotiated between the first network device and the second network device.
  • Claim: 5. The method of claim 1, wherein determining that the MKA session has not ended comprises: determining a length of time between causing the MKA state of the first network device to be placed in the paused state and receiving the packet from the second network device via the MKA communication link; determining that the length of time does satisfy a threshold; and determining, based on determining that the length of time does satisfy the threshold and that the message identifier of the packet corresponds to a message identifier of the MKA session at the time when the MKA session was placed in the paused state, that the MKA session has not ended.
  • Claim: 6. The method of claim 1, wherein continuing the MKA session comprises: resuming the MKA session without performing a process for establishing a new MKA session.
  • Claim: 7. The method of claim 1, wherein continuing the MKA session comprises: causing the MKA state of the first network device to be placed into an active state.
  • Claim: 8. The method of claim 1, wherein continuing the MKA session comprises: causing the MKA state of the first network device to be placed into an active state; and causing a rekey process to be performed for the MKA session.
  • Claim: 9. The method of claim 1, further comprising: configuring the first network device to refrain from terminating an MKA session with the second network device when the second network device is unavailable.
  • Claim: 10. A first network device, comprising: one or more memories; and one or more processors to: communicate with a second network device via a media access control security (MACsec) key agreement (MKA) communication link, wherein an MKA session has been established between the first network device and the second network device; cause, based on communicating with the second network device, information associated with an MKA state of the first network device and information associated with the MKA session to be stored in a data structure; determine that the first network device is to become unavailable at a particular time; send, to the second network device and based on determining that the first network device is to become unavailable at the particular time, a first MKA packet indicating that the first network device is to become unavailable; determine, after the particular time, that the first network device has become available; cause, after determining that the first network device has become available, the first network device to be updated based on the information associated with the MKA state of the first network device and the information associated with the MKA session stored in the data structure; and send a second MKA packet, wherein a second message identifier of the second MKA packet is next in a sequence based on a first message identifier of the first MKA packet.
  • Claim: 11. The first network device of claim 10, wherein sending the MKA packet to the second network device causes the second network device to place an MKA state of the second network device in a paused state.
  • Claim: 12. The first network device of claim 10, wherein the one or more processors are further to: generate, after causing the first network device to be updated, the second MKA packet; and wherein the one or more processors, to send the second MKA packet, are to: send the second MKA packet to the second network device via the MKA communication link.
  • Claim: 13. The first network device of claim 12, wherein sending the second MKA packet to the second network device causes the second network device to place an MKA state of the second network device in an active state.
  • Claim: 14. The first network device of claim 10, wherein the one or more processors are further to: generate, after causing the first network device to be updated, an additional MKA packet; send the additional MKA packet to the second network device via the MKA communication link; receive, after sending the additional MKA packet to the second network device, a rekey request MKA packet from the second network device; and cause, based on the rekey request MKA packet, a rekey process to be performed for the MKA session.
  • Claim: 15. The first network device of claim 10, wherein the one or more processors are further to: generate, after causing the first network device to be updated, an additional MKA packet; and send the additional MKA packet to the second network device via the MKA communication link to cause the second network device to perform a rekey process for the MKA session.
  • Claim: 16. A non-transitory computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by one or more processors of a first network device, cause the one or more processors to: communicate with a second network device via a media access control security (MACsec) key agreement (MKA) communication link, wherein an MKA session has been established between the first network device and the second network device; cause, based on communicating with the second network device, information associated with an MKA state of the first network device and information associated with the MKA session to be stored in a data structure; determine, after causing the information associated with the MKA state of the first network device and information associated with the MKA session to be stored in the data structure, that the first network device has become available after being temporarily unavailable; cause, after determining that the first network device has become available, the first network device to be updated based on the information associated with the MKA state of the first network device and the information associated with the MKA session stored in the data structure; send, after causing the first network device to be updated, an MKA packet to the second network device via the MKA communication link; determine, based on sending the MKA packet to the second network device via the MKA communication link, that the MKA session has not ended, wherein the one or more instructions, that cause the one or more processors to determine that the MKA session has not ended, cause the one or more processors to: identify a message identifier of the MKA packet, and determine that the message identifier of the MKA packet is next in a sequence based on a last message identifier of the MKA session stored by the second network device; and perform, by the first network device and based on determining that the MKA session has not ended, at least one action.
  • Claim: 17. The non-transitory computer-readable medium of claim 16, wherein the message identifier of the MKA packet corresponds to a message identifier of the MKA session at a time when the first network device became temporarily unavailable.
  • Claim: 18. The non-transitory computer-readable medium of claim 16, wherein the one or more instructions, that cause the one or more processors to determine that the MKA session has not ended, cause the one or more processors to: determine whether the first network device has received one or more packets associated with the MKA session from the second network device via the MKA communication link.
  • Claim: 19. The non-transitory computer-readable medium of claim 16, wherein the first network device determined that the MKA session has not ended, wherein the one or more instructions, that cause the one or more processors to perform the at least one action, cause the one or more processors to: continue the MKA session by reactivating the MKA state.
  • Claim: 20. The non-transitory computer-readable medium of claim 16, wherein the first network device determined that the MKA session has not ended, wherein the one or more instructions, that cause the one or more processors to perform the at least one action, cause the one or more processors to: cause a rekey process to be performed for the MKA session.
  • Patent References Cited: 5694537 December 1997 Montenegro ; 8719567 May 2014 Weis ; 10469461 November 2019 Singh ; 11265301 March 2022 Gupta ; 20110296044 December 2011 Weis ; 20140258532 September 2014 Weis ; 20160036813 February 2016 Wakumoto ; 20170142064 May 2017 Weis ; 20180302269 October 2018 Sankaran ; 20190116183 April 2019 Hussain ; 20190191307 June 2019 Sheng ; 20190281031 September 2019 Pothula ; 20190386824 December 2019 Havaralu Rama Chandra Adiga ; 20200067891 February 2020 Singh ; 20200120134 April 2020 Hill ; 20200220843 July 2020 Hill ; 20200259834 August 2020 Hussain ; 20200358764 November 2020 Hojilla Uy ; 20210105348 April 2021 Pothula ; 20210176255 June 2021 Hill
  • Other References: Extended European Search Report for Application No. EP20174112.1, dated Sep. 15, 2020, 10 pages. cited by applicant ; Weis., “MKA Suspension,” IEEE Draft XBX-WEIS-MKA-SUSPENSION-0713, Jul. 14, 2012, vol. 802 (1), pp. 1-9, XP068008497, [Retrieved on Jul. 14, 2012]. cited by applicant
  • Primary Examiner: Lemma, Samson B
  • Attorney, Agent or Firm: Harrity & Harrity, LLP
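The pause/resume behaviour the claims describe (claims 1, 3, 4, 5 and 10 in particular) reduces to a small state machine: a peer that goes silent or announces an outage moves the local MKA state to paused, session information is stored and a resume timer starts, and a later packet reactivates the session only if it arrives inside the resume window and carries the message identifier that is next in sequence after the last one stored. The following simulation is an added example written for this page; it is not Juniper's implementation and not code from the patent. The packet model (a message identifier plus an "unavailable" flag), the integer clock, and the timer values are constructed assumptions, and MACsec key handling is omitted. From a defender's perspective the interesting part is the two conditions for resumption: a packet with a non-consecutive identifier (a rebooted or replayed peer) does not revive the old session, so a fresh MKA session must be negotiated instead.

```python
"""Simulated MKA pause/resume state machine modelled on the claims above.

Constructed for illustration: each MKA packet is reduced to a message
identifier (MN) plus an 'unavailable' flag announcing a planned outage;
time is an integer the caller supplies; timer values are demo values.
Key derivation and MACsec frame protection are omitted.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class MkaState(Enum):
    ACTIVE = "active"
    PAUSED = "paused"
    ENDED = "ended"  # a new MKA session must be established


@dataclass
class MkaPacket:
    message_id: int            # MN: strictly increasing within one MKA session
    unavailable: bool = False  # peer announces a planned outage (claim 10)


@dataclass
class MkaPeer:
    name: str
    hello_timeout: int   # silence longer than this => peer deemed unavailable (claim 3)
    resume_timeout: int  # "resume timer": max pause length before the session ends (claims 4, 5)
    state: MkaState = MkaState.ACTIVE
    last_rx_mn: int = 0  # last message identifier accepted from the peer
    last_rx_time: int = 0
    paused_at: Optional[int] = None
    saved_session: dict = field(default_factory=dict)  # state kept while paused (claim 4)
    events: list = field(default_factory=list)

    def _pause(self, now: int, reason: str) -> None:
        # Suspend the timeout timer, store session info, start the resume timer.
        self.state = MkaState.PAUSED
        self.paused_at = now
        self.saved_session = {"last_rx_mn": self.last_rx_mn}
        self.events.append(f"paused: {reason}")

    def _end(self, reason: str) -> None:
        self.state = MkaState.ENDED
        self.saved_session = {}
        self.events.append(f"ended: {reason}")

    def tick(self, now: int) -> MkaState:
        """Timer-driven transitions: hello timeout pauses, resume timeout ends."""
        if self.state is MkaState.ACTIVE and now - self.last_rx_time > self.hello_timeout:
            self._pause(now, "no MKA packet within hello timeout")
        elif self.state is MkaState.PAUSED and now - self.paused_at > self.resume_timeout:
            self._end("resume timer expired")
        return self.state

    def receive(self, pkt: MkaPacket, now: int) -> MkaState:
        """Process one MKA packet from the peer and return the resulting state."""
        if self.state is MkaState.ENDED:
            self.events.append(f"dropped MN {pkt.message_id}: session ended")
        elif self.state is MkaState.ACTIVE:
            if pkt.message_id <= self.last_rx_mn:
                # Non-increasing MN in an active session: replayed or stale packet.
                self.events.append(f"dropped MN {pkt.message_id}: not increasing")
            else:
                self.last_rx_mn, self.last_rx_time = pkt.message_id, now
                if pkt.unavailable:
                    self._pause(now, f"peer announced outage in MN {pkt.message_id}")
        else:  # PAUSED: does the session continue (claims 1, 5) or has it ended?
            expected = self.saved_session["last_rx_mn"] + 1
            if now - self.paused_at > self.resume_timeout:
                self._end("packet arrived after resume timer expired")
            elif pkt.message_id != expected:
                # A restarted or replayed peer does not continue the MN sequence;
                # the old session is not reactivated, a fresh one must be negotiated.
                self._end(f"MN {pkt.message_id} is not next after {expected - 1}")
            else:
                self.state = MkaState.ACTIVE
                self.last_rx_mn, self.last_rx_time = pkt.message_id, now
                self.paused_at = None
                self.events.append(f"resumed: MN {pkt.message_id} continues sequence")
        return self.state


def scenario_planned_outage() -> MkaState:
    """Peer announces an outage and returns inside the window with the next MN."""
    a = MkaPeer("A", hello_timeout=6, resume_timeout=30)
    a.receive(MkaPacket(1), now=0)
    a.receive(MkaPacket(2, unavailable=True), now=2)  # -> PAUSED
    a.tick(now=10)                                     # still inside resume window
    return a.receive(MkaPacket(3), now=20)             # next in sequence -> ACTIVE


def scenario_silent_peer() -> MkaState:
    """No packets for longer than the hello timeout: pause, then resume on MN+1."""
    a = MkaPeer("A", hello_timeout=6, resume_timeout=30)
    a.receive(MkaPacket(5), now=0)
    a.tick(now=10)                          # 10 > hello_timeout -> PAUSED
    return a.receive(MkaPacket(6), now=15)  # -> ACTIVE


def scenario_out_of_sequence() -> MkaState:
    """Peer comes back with a non-consecutive MN (e.g. after a reboot): session ends."""
    a = MkaPeer("A", hello_timeout=6, resume_timeout=30)
    a.receive(MkaPacket(7, unavailable=True), now=0)
    return a.receive(MkaPacket(1), now=5)   # -> ENDED


def scenario_resume_timer_expired() -> MkaState:
    """Peer stays away longer than the resume timer: the timer ends the session."""
    a = MkaPeer("A", hello_timeout=6, resume_timeout=30)
    a.receive(MkaPacket(7, unavailable=True), now=0)
    return a.tick(now=31)                   # -> ENDED
```

The four scenario functions exercise the transitions the claims enumerate: a planned outage (claim 10/11), a silent peer (claim 3), a returning peer whose message identifier is not next in sequence, and a resume timer that expires (claims 4 and 5). The `events` list on each peer records the reason for every transition, which is the kind of log line an operator would want when an MKA session on a link unexpectedly ends rather than resumes.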
