
EP-4195592-B1 - FORWARDING NETWORK TRAFFIC ASSOCIATED WITH A SECURITY CLASSIFICATION VIA A ROUTING PATH ASSOCIATED WITH THE SECURITY CLASSIFICATION


Inventors

  • TALWAR, MANISH
  • BONICA, Ronald
  • KACHRANI, Ajay

Dates

Publication Date
2026-05-06
Application Date
2022-02-09

Claims (14)

  1. A network device (1), comprising: one or more memories (330); and one or more processors (320) to: receive (105), from another network device (4), a first message, a second message, and a third message, wherein: the first message includes information indicating that a first link of the other network device is associated with a first security classification, and information indicating at least a first cost metric of the first link, the second message includes information indicating that a second link of the other network device is associated with a second security classification, and information indicating at least a second cost metric of the second link, and the third message includes information indicating that a third link of the other network device is associated with a third security classification, and information indicating at least a third cost metric of the third link; update (110), based on the first message, the second message, and the third message, a routing table; determine (115), based on the routing table, a first routing path associated with the first security classification from the network device to the other network device based on the first cost metric of the first link, a second routing path associated with the second security classification from the network device to the other network device based on the second cost metric of the second link, and a third routing path associated with the third security classification from the network device to the other network device based on the third cost metric of the third link; receive (120) network traffic that is destined for the other network device and that is associated with a particular security classification, of the first security classification, the second security classification, or the third security classification; and forward (125) the network traffic based on a particular routing path, of the first routing path, the second routing path, or the third routing path, that is associated with the other network device and the particular security classification.
  2. The network device of claim 1, wherein: the first message further includes at least one of information identifying the other network device, or information identifying the first link of the other network device; the second message further includes at least one of information identifying the other network device, or information identifying the second link of the other network device; and the third message further includes at least one of information identifying the other network device, or information identifying the third link of the other network device.
  3. The network device of claim 1 or claim 2, wherein: the first security classification is associated with a public security classification; the second security classification is associated with a private security classification; and the third security classification is associated with a restricted security classification.
  4. The network device of any of claims 1 to 3, wherein: the first link of the other network device is a link that does not utilize media access control security (MACsec); the second link of the other network device is a link that utilizes MACsec for authentication; and the third link of the other network device is a link that utilizes MACsec for authentication and encryption.
  5. The network device of any preceding claim, wherein: the first routing path includes at least one of a link that does not utilize media access control security (MACsec), a link that utilizes MACsec for authentication, or a link that utilizes MACsec for authentication and encryption; the second routing path includes at least one of a link that utilizes MACsec for authentication or a link that utilizes MACsec for authentication and encryption, and does not include a link that does not utilize MACsec; and the third routing path includes a link that utilizes MACsec for authentication and encryption, and does not include a link that does not utilize MACsec and a link that utilizes MACsec for authentication.
  6. The network device of any preceding claim, wherein the one or more processors, to determine the first routing path, the second routing path, and the third routing path, are to: identify, based on the routing table, a first set of links associated with at least one of the first security classification, the second security classification, or the third security classification; determine, based on the first set of links and using a path computation technique, the first routing path; identify, based on the routing table, a second set of links associated with at least one of the second security classification or the third security classification; determine, based on the second set of links and using the path computation technique, the second routing path; identify, based on the routing table, a third set of links associated with the third security classification; and determine, based on the third set of links and using the path computation technique, the third routing path.
  7. The network device of any preceding claim, wherein the one or more processors, to forward the network traffic, are to: process the network traffic to determine that the network traffic is destined for the other network device and that the network traffic is associated with the particular security classification; select, based on information identifying the other network device and the particular security classification, the particular routing path that is associated with the other network device and the particular security classification; determine, based on the particular routing path, a next hop for the network traffic; and forward the network traffic to the next hop.
  8. The network device of any preceding claim, wherein forwarding the network traffic based on the particular routing path is to cause the network traffic to be transmitted, from the network device to the other network device, via one or more links that are associated with security classifications that have respective security levels that are greater than or equal to a security level of the particular security classification.
  9. A computer-readable medium comprising a set of instructions, the set of instructions comprising: one or more instructions that, when executed by one or more processors of a network device, cause the network device to: receive (105), from another network device, a first message, a second message, and a third message, wherein: the first message includes information indicating that a first link of the other network device is associated with a first security classification, and information indicating at least a first cost metric of the first link, the second message includes information indicating that a second link of the other network device is associated with a second security classification, and information indicating at least a second cost metric of the second link, and the third message includes information indicating that a third link of the other network device is associated with a third security classification, and information indicating at least a third cost metric of the third link; update (110), based on the first message, the second message, and the third message, a routing table; determine (115), based on the routing table, a first routing path associated with the first security classification from the network device to the other network device based on the first cost metric of the first link, a second routing path associated with the second security classification from the network device to the other network device based on the second cost metric of the second link, and a third routing path associated with the third security classification from the network device to the other network device based on the third cost metric of the third link; receive (120) network traffic that is destined for the other network device and that is associated with a particular security classification, of the first security classification, the second security classification, or the third security classification; and forward (125) the network traffic based on a particular routing path, of the first routing path, the second routing path, or the third routing path, that is associated with the other network device and the particular security classification.
  10. The computer-readable medium of claim 9, wherein each of the one or more messages includes at least one of: information identifying the other network device; or information identifying a link of the other network device.
  11. The computer-readable medium of any of claims 9 to 10, wherein: the first routing path includes at least one of a link that does not utilize authentication and does not utilize encryption, a link that utilizes authentication and not encryption, or a link that utilizes authentication and encryption; the second routing path includes at least one of a link that utilizes authentication and not encryption or a link that utilizes authentication and encryption, and does not include a link that does not utilize authentication and does not utilize encryption; and the third routing path includes a link that utilizes authentication and encryption, and does not include a link that does not utilize authentication and does not utilize encryption and a link that utilizes authentication and not encryption.
  12. The computer-readable medium of any of claims 9 to 11, wherein: the first routing path includes a set of links that are associated with at least one of the first security classification, the second security classification, or the third security classification; the second routing path includes a set of links that are associated with at least one of the second security classification or the third security classification, and not the first security classification; and the third routing path includes a set of links that are associated with the third security classification, and not the first security classification and the second security classification.
  13. The computer-readable medium of any of claims 9 to 12, wherein the one or more instructions, that cause the network device to forward the network traffic, cause the network device to: process the network traffic to determine that the network traffic is destined for the other network device and that the network traffic is associated with the particular security classification; select, based on information identifying the other network device and the particular security classification, the particular routing path that is associated with the other network device and the particular security classification; and forward the network traffic to a next hop indicated by the particular routing path.
  14. A method for a network device, the method comprising: receiving (610), from another network device, a first message, a second message, and a third message, wherein: the first message includes information indicating that a first link of the other network device is associated with a first security classification, and information indicating at least a first cost metric of the first link, the second message includes information indicating that a second link of the other network device is associated with a second security classification, and information indicating at least a second cost metric of the second link, and the third message includes information indicating that a third link of the other network device is associated with a third security classification, and information indicating at least a third cost metric of the third link; updating (620), based on the first message, the second message, and the third message, a routing table; determining (630), based on the routing table, a first routing path associated with the first security classification from the network device to the other network device based on the first cost metric of the first link, a second routing path associated with the second security classification from the network device to the other network device based on the second cost metric of the second link, and a third routing path associated with the third security classification from the network device to the other network device based on the third cost metric of the third link; receiving (640), by the network device, network traffic that is destined for the other network device and that is associated with a particular security classification of the first security classification, the second security classification, or the third security classification; and forwarding (650), by the network device, the network traffic based on a particular routing path, of the first routing path, the second routing path, or the third routing path, that is associated with the other network device and the particular security classification.
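Worked example of the claimed procedure (steps 105/110/115/120/125 of claim 1, the per-classification link sets of claim 6, next-hop selection of claim 7 and the level check of claim 8). This is an added illustration, not code from the patent or its assignee. Assumptions: the three classifications are the public/private/restricted ordering of claim 3 mapped to MACsec modes as in claim 4; the "path computation technique" of claim 6, which the claims do not name, is taken to be Dijkstra over a cost metric; the topology, router names R1-R4 and link costs are constructed for the example. It also shows two cases the claims imply but do not spell out: a destination reachable at the restricted level only by a detour, and one with no sufficiently secure path at all.

```python
"""Constructed example of per-security-classification routing (EP 4195592 B1,
claims 1 and 5-8). Not the patent's own code; topology, names and the use of
Dijkstra as the path computation technique are assumptions for illustration."""
import heapq
from dataclasses import dataclass

# Classifications ordered by security level (claim 8): a path computed for a
# classification may only use links whose level is >= that classification.
PUBLIC, PRIVATE, RESTRICTED = 0, 1, 2

# MACsec mode of a link -> classification the link is advertised with (claim 4).
LINK_CLASS = {"none": PUBLIC, "macsec-auth": PRIVATE, "macsec-auth-enc": RESTRICTED}


@dataclass(frozen=True)
class Advertisement:
    """One advertisement message (claims 1-2): advertising device, the link's
    far end, the link's MACsec mode and its cost metric."""
    device: str
    neighbor: str
    macsec: str
    cost: int


class SecureRouter:
    def __init__(self, name: str):
        self.name = name
        self.table: dict[str, dict[str, tuple[int, int]]] = {}  # device -> neighbor -> (class, cost)
        self.paths: dict[tuple[str, int], list[str]] = {}       # (dest, class) -> hops

    def receive(self, adv: Advertisement) -> None:
        """Step 110: record the link, its classification and its cost in the routing table."""
        self.table.setdefault(adv.device, {})[adv.neighbor] = (LINK_CLASS[adv.macsec], adv.cost)

    def compute_paths(self) -> None:
        """Step 115 / claim 6: one constrained shortest-path run per classification,
        each over only the links whose level is sufficient for that classification."""
        self.paths = {(dest, cls): hops
                      for cls in (PUBLIC, PRIVATE, RESTRICTED)
                      for dest, hops in self._dijkstra(cls).items()}

    def _dijkstra(self, cls: int) -> dict[str, list[str]]:
        dist, prev, heap = {self.name: 0}, {}, [(0, self.name)]
        while heap:
            d, u = heapq.heappop(heap)
            if d > dist[u]:
                continue
            for v, (link_cls, cost) in self.table.get(u, {}).items():
                if link_cls < cls:
                    continue  # link not secure enough for this classification
                if d + cost < dist.get(v, float("inf")):
                    dist[v], prev[v] = d + cost, u
                    heapq.heappush(heap, (d + cost, v))
        paths = {}
        for dest in dist:
            if dest != self.name:
                hops, node = [], dest
                while node != self.name:
                    hops.append(node)
                    node = prev[node]
                paths[dest] = hops[::-1]
        return paths

    def next_hop(self, dest: str, cls: int):
        """Steps 120/125, claim 7: select the path keyed by (destination, classification)
        and return its first hop; None means no sufficiently secure path exists."""
        hops = self.paths.get((dest, cls))
        return hops[0] if hops else None

    def path_is_compliant(self, dest: str, cls: int) -> bool:
        """Claim 8 check: every link on the selected path has level >= the classification."""
        node, ok = self.name, True
        for hop in self.paths.get((dest, cls), []):
            ok = ok and self.table[node][hop][0] >= cls
            node = hop
        return ok


# Constructed topology (R1 is the local device). Links are undirected, so each
# is advertised by both ends, as a link-state protocol would do.
LINKS = [("R1", "R2", "none", 1), ("R1", "R3", "macsec-auth", 2),
         ("R1", "R4", "macsec-auth-enc", 10), ("R2", "R4", "none", 1),
         ("R3", "R4", "macsec-auth-enc", 2)]


def build_example_router() -> SecureRouter:
    r = SecureRouter("R1")
    for a, b, mode, cost in LINKS:
        r.receive(Advertisement(a, b, mode, cost))
        r.receive(Advertisement(b, a, mode, cost))
    r.compute_paths()
    return r


if __name__ == "__main__":
    r = build_example_router()
    for dest in ("R2", "R3", "R4"):
        for cls in (PUBLIC, PRIVATE, RESTRICTED):
            print(dest, cls, r.paths.get((dest, cls)), "next hop:", r.next_hop(dest, cls))
```

With this topology the three classifications of traffic for R4 leave R1 on three different links: public traffic takes the cheap unprotected path via R2, private traffic takes R3 (authentication-only first hop, then an encrypted link), and restricted traffic must use the expensive direct MACsec-encrypted link because the R1-R3 link is authentication-only. Restricted traffic for R3 is routed R1-R4-R3 even though R3 is directly attached, and restricted traffic for R2 has no compliant path at all, which is the case a forwarding plane must drop rather than fall back to a less secure route.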

Description

BACKGROUND

Media access control security (MACsec) provides secure communication for traffic on physical links, such as Ethernet links. MACsec provides point-to-point security on links between directly connected devices.

EP 2 797 267 discloses: data is routed within a data network (8), for example a mobile ad hoc network (MANET), comprising at least one wireless network node (10), typically having a router (11). A processor (18) analyses characteristics of a wireless link (12ab) between a pair of nodes (10a, 10b) within the network (8). Following such analysis, the processor (18) assigns a link class to the wireless link (12ab), the link class being chosen from a predefined set of link classes. A first link class represents that the link (for example link 12ab) is suitable for carrying one or more types of traffic (for example real-time audio and text), but not suitable for one or more other types of traffic (for example real-time video of a certain quality). A second link class represents that a link (for example link 12ac) is suitable for two or more types of traffic (for example real-time audio and real-time video) including at least one type of traffic (for example real-time video) not supported by the first link class. Data may then be routed across the network (8) whilst ensuring that only data of types consistent with the link classes assigned to respective links (12ab, 12ac, 12bd, etc.) are transmitted via those links.

US 8 352 729 B2 discloses: a computer implemented method and apparatus to secure a routing path. A local node receives a request for secure route identification from an upstream node. Responsive to receiving a request for secure route identification, the local node transmits a local node security level and an authentication key to the upstream node. The local node determines whether at least one downstream node is authentic and has sufficient security level from a second-level downstream node. The local node may then establish a socket to the upstream node.

SUMMARY

Some implementations described herein relate to a network device according to claim 1. Some implementations described herein relate to a computer-readable medium according to claim 9. Some implementations described herein relate to a method according to claim 14.

BRIEF DESCRIPTION OF THE DRAWINGS

Figs. 1A-1D are diagrams of an example implementation described herein. Fig. 2 is a diagram of an example environment in which systems and/or methods described herein may be implemented. Figs. 3 and 4 are diagrams of example components of one or more devices of Fig. 2. Figs. 5-6 are flowcharts of example processes relating to forwarding network traffic associated with a security classification via a routing path associated with the security classification.

DETAILED DESCRIPTION

The following detailed description of example implementations refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements.

In a network of network devices, media access control security (MACsec) can be utilized to provide point-to-point security on links between directly connected network devices. However, for network traffic that needs to be securely routed among more than two network devices, ensuring that the network traffic travels via a routing path that consists only of MACsec links can be challenging. In some cases, network devices, prior to forwarding network traffic, may process the network traffic using traffic engineering processes (e.g., layer 3 processes in the open systems interconnection (OSI) model) to encapsulate the network traffic with information that causes it to be steered via an appropriately secure routing path through the network. But, to perform such traffic engineering processes, the network devices must include specialized hardware. Further, performing such processes often uses significant amounts of computing resources (e.g., processing resources, memory resources, communication resources, and/or power resources, among other examples) and induces a latency, or a delay, associated with routing the network traffic through the network.

Some implementations described herein are directed to determining routing paths for network traffic associated with different security classifications, such as a routing path for public network traffic, a routing path for private network traffic, and/or a routing path for restricted network traffic. Public network traffic may be routed via any type of link. Private network traffic may be routed only over links that support authentication (e.g., links that utilize MACsec for authentication and links that utilize MACsec for authentication and encryption). Restricted network traffic may be routed only over links that support both authentication and encryption (e.g., links that utilize MACsec for authentication and encryption). In some implementations, each network device in a network sends advertisement messages to other network de