
EP-4175228-B1 - ENCRYPTION SEGMENTS FOR SECURITY IN COMMUNICATION NETWORKS


Inventors

  • BIDGOLI, HOOMAN

Dates

Publication Date
20260513
Application Date
20221026

Claims (13)

  1. Apparatus comprising means for performing: supporting, within a network, communication of a packet of an encrypted traffic flow, wherein the packet includes a payload, wherein an encrypted portion of the packet is encrypted based on an encryption protocol, wherein the encrypted portion of the packet includes the payload, wherein the packet includes an encryption header of the encryption protocol on top of the encrypted portion of the packet, wherein the packet includes an encryption segment identifier configured to uniquely identify the encrypted traffic flow within the network, wherein the encryption segment identifier is configured to identify an encryption segment configured to encrypt the encrypted traffic flow based on a set of encryption resources, wherein the encryption segment identifier is configured to identify the encrypting node as a source of the encrypted traffic flow.
  2. The apparatus according to claim 1, wherein the set of encryption resources includes an encryption algorithm used to encrypt the encrypted traffic flow and an encryption key used to encrypt the encrypted traffic flow.
  3. The apparatus according to claim 1 or 2, wherein the encryption segment identifier is arranged on top of the encryption header of the encryption protocol.
  4. The apparatus according to any of claims 1 to 3, wherein the encrypted traffic flow is an encrypted service or an encrypted tunnel supporting a set of services.
  5. The apparatus according to any of claims 1 to 4, wherein the encrypted traffic flow is a Layer 2.5 flow or a Layer 3 flow.
  6. The apparatus according to any of claims 1 to 5, wherein the packet includes a transport segment identifier configured to connect an encrypting node that encrypts the encrypted traffic flow to a decrypting node that decrypts the encrypted traffic flow, wherein the transport segment identifier is arranged on top of the encryption segment identifier.
  7. The apparatus according to any of claims 1 to 6, wherein the packet includes at least one communication header arranged on top of the encryption segment identifier.
  8. The apparatus according to any of claims 1 to 6, wherein, to support communication of the packet, the apparatus comprises means for performing: determining, by an encrypting node, that the packet belongs to the encrypted traffic flow; identifying, by the encrypting node based on the packet, the encryption segment; and generating, by the encrypting node based on the encryption segment identifier, the packet.
  9. The apparatus according to any of claims 1 to 7, wherein, to support communication of the packet, the apparatus comprises means for performing: receiving, by a node, the packet, wherein the packet includes at least one communication header arranged on top of the encryption segment identifier; and sending, by the node toward a destination node based on the at least one communication header, the packet.
  10. The apparatus according to any of claims 1 to 7, wherein, to support communication of the packet, apparatus comprises means for performing: determining, by a decrypting node based on the encryption segment identifier in the packet, that the packet is to be decrypted; decrypting, by the decrypting node, the encrypted portion of the packet to form a decrypted packet; and sending, by the decrypting node, the decrypted packet.
  11. The apparatus according to any of claims 1 to 10, wherein the means comprises: at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the apparatus.
  12. A computer-readable storage medium storing computer program code configured to cause an apparatus at least to perform: supporting, within a network, communication of a packet of an encrypted traffic flow, wherein the packet includes a payload, wherein an encrypted portion of the packet is encrypted based on an encryption protocol, wherein the encrypted portion of the packet includes the payload, wherein the packet includes an encryption header of the encryption protocol on top of the encrypted portion of the packet, wherein the packet includes an encryption segment identifier configured to uniquely identify the encrypted traffic flow within the network, wherein the encryption segment identifier is configured to identify an encryption segment configured to encrypt the encrypted traffic flow based on a set of encryption resources, wherein the encryption segment identifier is configured to identify the encrypting node as a source of the encrypted traffic flow.
  13. A method, comprising: supporting, within a network, communication of a packet of an encrypted traffic flow, wherein the packet includes a payload, wherein an encrypted portion of the packet is encrypted based on an encryption protocol, wherein the encrypted portion of the packet includes the payload, wherein the packet includes an encryption header of the encryption protocol on top of the encrypted portion of the packet, wherein the packet includes an encryption segment identifier configured to uniquely identify the encrypted traffic flow within the network (610), wherein the encryption segment identifier is configured to identify an encryption segment configured to encrypt the encrypted traffic flow based on a set of encryption resources, wherein the encryption segment identifier is configured to identify the encrypting node as a source of the encrypted traffic flow.

Description

TECHNICAL FIELD

Various example embodiments relate generally to communication networks and, more particularly but not exclusively, to supporting security for communications in communication networks.

BACKGROUND

In communication networks, various communications technologies may be used to support communications. Patent publication CN112118270A refers to a VPN flow identification method based on SSL encryption. Patent publication US9930066B2 describes infrastructure-level LAN security.

SUMMARY

The invention is defined in the independent claims. Particular embodiments are set out in the dependent claims. In at least some example embodiments, an apparatus includes at least one processor and at least one memory including computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor, to cause the apparatus to at least support, within a network, communication of a packet of an encrypted traffic flow, wherein the packet includes a payload, wherein an encrypted portion of the packet is encrypted based on an encryption protocol, wherein the encrypted portion of the packet includes the payload, wherein the packet includes an encryption header of the encryption protocol on top of the encrypted portion of the packet, wherein the packet includes an encryption segment identifier configured to uniquely identify the encrypted traffic flow within the network. In at least some example embodiments, the encryption segment identifier is configured to identify, on an encrypting node, an encryption segment configured to encrypt the encrypted traffic flow based on a set of encryption resources. In at least some example embodiments, the encryption segment identifier is configured to identify the encrypting node as a source of the encrypted traffic flow.
In at least some example embodiments, the set of encryption resources includes an encryption algorithm used to encrypt the encrypted traffic flow and an encryption key used to encrypt the encrypted traffic flow. In at least some example embodiments, the encryption segment identifier is configured to identify an encrypting node that encrypts the encrypted traffic flow. In at least some example embodiments, the encryption segment identifier is configured to identify an encryption segment, on the encrypting node, configured to encrypt the encrypted traffic flow based on a set of encryption resources. In at least some example embodiments, the set of encryption resources includes an encryption algorithm used to encrypt the encrypted traffic flow and an encryption key used to encrypt the encrypted traffic flow. In at least some example embodiments, the encryption segment identifier is configured to identify a set of encryption resources used by an encryption segment to encrypt the encrypted traffic flow. In at least some example embodiments, the set of encryption resources includes an encryption algorithm used to encrypt the encrypted traffic flow and an encryption key used to encrypt the encrypted traffic flow. In at least some example embodiments, the encryption segment identifier is arranged on top of the encryption header of the encryption protocol. In at least some example embodiments, the encrypted traffic flow is an encrypted service or an encrypted tunnel supporting a set of services. In at least some example embodiments, the encrypted traffic flow is a Layer 2.5 flow or a Layer 3 flow. In at least some example embodiments, the encrypted traffic flow is a Multiprotocol Label Switching (MPLS) flow or an Internet Protocol (IP) flow. In at least some example embodiments, the encrypted portion of the packet includes at least one of at least one Multiprotocol Label Switching (MPLS) label or at least one Internet Protocol (IP) header. 
In at least some example embodiments, the encrypted portion of the packet includes a second encryption segment identifier configured to uniquely identify a second encrypted traffic flow within the network. In at least some example embodiments, the packet includes a transport segment identifier configured to connect an encrypting node that encrypts the encrypted traffic flow to a decrypting node that decrypts the encrypted traffic flow, wherein the transport segment identifier is arranged on top of the encryption segment identifier. In at least some example embodiments, the packet includes at least one communication header arranged on top of the encryption segment identifier. In at least some example embodiments, the at least one communication header includes at least one of a Layer 3 header, a Layer 2.5 header, or a Layer 2 header. In at least some example embodiments, the at least one communication header includes at least one of an Internet Protocol (IP) header, a Multiprotocol Label Switching (MPLS) header, or an Ethernet header. In at least some example embodiments, the packet includes a second encryption segment identifier configured to uniquely identify a second encrypted traffic flo
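The header stack described in the claims and the summary above, as an added worked example that is not part of the patent: a transport segment identifier on top of an encryption segment identifier, which sits on top of the encryption header, which sits on top of the encrypted inner packet. The 4-byte field widths, the node/segment bit split inside the encryption segment identifier, and the HMAC-SHA256 counter-mode stand-in for the unspecified encryption protocol are all assumptions made for this illustration.

```python
import hmac
import hashlib
import struct
import os

# Constructed layout, top to bottom (field sizes assumed; the patent only fixes the order):
#   transport SID (4 B) | encryption SID (4 B) | encryption header: 8 B nonce | encrypted inner packet
HEADER = struct.Struct("!IIQ")

def make_esid(node_id, segment_index):
    """Encryption segment identifier: encrypting node in the top 16 bits, segment in the low 16 (assumed split)."""
    return (node_id << 16) | segment_index

def parse_esid(esid):
    """Recover (encrypting node, encryption segment) from the identifier."""
    return esid >> 16, esid & 0xFFFF

def keystream(key, nonce, length):
    """Stand-in cipher: HMAC-SHA256 in counter mode. Demonstrates structure only; it carries no
    authentication tag, which a real encryption protocol for this role would provide."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, struct.pack("!QQ", nonce, ctr), hashlib.sha256).digest()
    return out[:length]

def encrypt_packet(transport_sid, esid, key, inner_packet, nonce=None):
    """Encrypting node: the inner packet (MPLS labels / IP header + payload) becomes the encrypted portion."""
    if nonce is None:
        nonce = int.from_bytes(os.urandom(8), "big")
    ct = bytes(a ^ b for a, b in zip(inner_packet, keystream(key, nonce, len(inner_packet))))
    return HEADER.pack(transport_sid, esid, nonce) + ct

def transit_forward(packet):
    """Transit node: forwards on the transport SID alone, needing neither a segment table nor a key."""
    (transport_sid,) = struct.unpack_from("!I", packet)
    return transport_sid

def decrypting_node_handle(packet, local_segments):
    """Decrypting node: the encryption SID alone decides whether this node decrypts.
    An identifier not in the local table means the flow is not terminated here; return None."""
    _transport_sid, esid, nonce = HEADER.unpack_from(packet)
    key = local_segments.get(esid)
    if key is None:
        return None
    ct = packet[HEADER.size:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
```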