Publication number: US20160057121A1
Publication date: 2016-02-25
Application number: US14780785
Application date: 2013-03-27
Applicant: NOKIA SOLUTIONS AND NETWORKS OY
Inventor: Esa Markus METSALA, Heikki-Stefan ALMAY
CPC classification number: H04L63/08, H04L9/3263, H04L63/0823, H04L63/162, H04L63/164, H04L2209/24, H04L2209/64, H04W12/06
Abstract: A secure storage for an X.509v3 digital certificate is provided (301, 302). Ports of a first and a second apparatus (101, 102) are mutually authenticated (303) using 802.1X-based authentication and 802.1AR certificates. Traffic types are divided (304, 305) by an operator-configurable selector function into user plane, control plane, synchronization plane, and management plane traffic types. For Ethernet transport, a virtual port is created for each traffic type, and a separate MACsec secure connectivity association is created for each virtual port. For Ethernet transport, an operator-programmable security policy is maintained for each traffic type. For IP transport, an IPsec security association is created for each traffic type, and an operator-programmable security policy is maintained for each security association. For IP transport, TLS support may be enabled for compatibility with network management traffic. A port is repeatedly re-authenticated at intervals set by an operator-definable timer value.