PROVIDING-REPLAY PROTECTION IN SYSTEMS USING GROUP SECURITY ASSOCIATIONS

摘要

A method and apparatus is disclosed which enables detection of undesired packets received at a device in a network, where the device is a member of a group of devices in the network. A registration table stores transform identifiers for each member of a group and controls the forwarding of the transform identifiers to the members of the group as members are added and deleted. A transform identifier indicates a format or transformation of a packet transmitted by an associated member. The transform identifier can therefore be used at a receiving device to distinguish between transmissions by different members of the group, thereby enabling the receiving device to extract sequence information associated with the member from the packet. The sequence information can be compared against an expected sequence number for the member to determine whether the packet is an undesirable or rogue packet.

主权项

1. A method of processing packets in an edge device of a network comprising a group of devices, the method comprising, at the edge device:
associating a unique respective transform identifier with each other device of the group of devices, the group of devices using at least one group security association for communication between the devices in the group of devices, each unique transform identifier being determined by the at least one group security association; associating a respective expected sequence number with each other device of the group of devices; receiving a packet from a first device of the group of devices; using the unique respective transform identifier associated with the first device to extract a sequence number from the packet received from the first device; and comparing the extracted sequence number with the respective expected sequence number associated with the first device to determine validity of the packet received from the first device.