A network bridge may be an electronic device that connects multiple networks together. A network bridge may include a plurality of physical ports to interface with different networks.
Some examples of the present application are described with respect to the following figures:
A network bridge may include a plurality of physical ports to interface with different networks via Ethernet cables. When the number of networks to be connected via a network bridge is more than the number of physical ports on the network bridge, a bridge port extender may be used to increase the number of physical ports available to the network bridge. A bridge port extender may be an electronic device that includes a plurality of ports, physical and/or logical, to forward Ethernet frames. A bridge port extender may forward an Ethernet frame from a network bridge based on a forwarding decision determined at the network bridge.
To ensure data confidentiality and integrity when an Ethernet frame is forwarded via a bridge port extender, a bridge port extender may implement multiple instances of the Institute of Electrical and Electronics Engineers (IEEE) 802.1AE protocol. For example, a bridge port extender may implement an instance of the IEEE 802.1AE protocol at an upstream port connecting to a network bridge. The bridge port extender may also implement another instance of the IEEE 802.1AE protocol at an egress port connecting to a client device. However, multiple implementations of the IEEE 802.1AE protocol may increase design complexity of a bridge port extender.
Examples described herein provide a bridge port extender that forwards an Ethernet frame in a transparent manner so that implementations of multiple instances of the IEEE 802.1AE protocol may be avoided. For example, a bridge port extender may receive an Ethernet frame from a network bridge. The Ethernet frame may include an encapsulated portion and an unencapsulated portion. The unencapsulated portion may include an E-tag that is indicative of an egress port of the bridge port extender. The bridge port extender may remove the E-tag from the unencapsulated portion to form a modified Ethernet frame. The bridge port extender may transmit the modified Ethernet frame to a client device based on the E-tag. The client device may decapsulate the encapsulated portion to access a payload of the modified Ethernet frame. In this manner, examples described herein may reduce design complexity of a bridge port extender.
Referring now to the figures,
Bridge port extender 104 may be an electronic device or circuitry that connects to network bridge 102 to increase the number of ports available to network bridge 102. As an example, bridge port extender 104 may be a bridge port extender in compliance with the IEEE 802.1BR protocol. Bridge port extender 104 may forward an Ethernet frame from network bridge 102 using a forwarding table generated and/or configured by network bridge 102. An example of network bridge 102 and an example of bridge port extender 104 are described in more detail in
During operation, network bridge 102 may transmit an Ethernet frame 106 to a client device 108 via bridge port extender 104. Client device 108 may be, for example, a notebook computer, a desktop computer, a server computer, a mobile device, a network switch, a bridge port extender, etc. Ethernet frame 106 may include an unencapsulated portion 110 and an encapsulated portion 112. Unencapsulated portion 110 may be the data in Ethernet frame 106 that is not subjected to an encryption operation, such as an encryption operation in compliance with the IEEE 802.1AE protocol. Encapsulated portion 112 may be the data in Ethernet frame 106 that is encrypted, such as by an encryption operation in compliance with the IEEE 802.1AE protocol. Unencapsulated portion 110 may include an E-tag 114. E-tag 114 may be a data field that is indicative of an egress port of bridge port extender 104 used to forward Ethernet frame 106. Network bridge 102 may generate E-tag 114 based on the IEEE 802.1BR protocol.
In response to receiving Ethernet frame 106, bridge port extender 104 may modify Ethernet frame 106 via a processor 116 to generate a modified Ethernet frame 118. Processor 116 may be, for example, a central processing unit (CPU), a semiconductor-based microprocessor, and/or other hardware devices suitable to control operations of bridge port extender 104. In some examples, processor 116 may generate modified Ethernet frame 118 based on processor executable instructions (not shown in
To generate modified Ethernet frame 118, bridge port extender 104 may remove E-tag 114 from unencapsulated portion 110 while leaving encapsulated portion 112 unmodified. Thus, modified Ethernet frame 118 may include a second unencapsulated portion 120 and encapsulated portion 112. Second unencapsulated portion 120 may include content of unencapsulated portion 110 minus E-tag 114. Bridge port extender 104 may identify an egress port (not shown in
In response to receiving modified Ethernet frame 118, client device 108 may decapsulate encapsulated portion 112 to access data in encapsulated portion 112. For example, client device 108 may decapsulate encapsulated portion 112 based on the IEEE 802.1AE protocol. Thus, encapsulated portion 112 may be passed through bridge port extender 104 in a transparent manner and implementation of the IEEE 802.1AE protocol at bridge port extender 104 may be avoided.
During operation, network bridge 202 may receive an Ethernet frame 210 via a network port 212 of network bridge 202. Ethernet frame 210 may be received from a client device 214. Client device 214 may be similar to client device 108 of
Based on at least one field of Ethernet frame 210, network bridge 202 may determine that payload 222 is destined for a client device 226 coupled to bridge port extender 204. For example, network bridge 202 may use MAC DA 216 to determine the destination of payload 222. In response to a determination that payload 222 is to be forwarded to client device 226 via bridge port extender 204, a port extender function 228 of network bridge 202 may generate an E-tag 230. Port extender function 228 may be implemented using processor executable instructions.
Port extender function 228 may generate E-tag 230 based on at least one field of Ethernet frame 210. For example, E-tag 230 may be generated using MAC DA 216, a destination Internet protocol (IP) address, or a combination thereof. In some examples, E-tag 230 may be generated using any set of fields in Ethernet frame 210 that can be matched under the OpenFlow protocol. Port extender function 228 may add E-tag 230 to Ethernet frame 210 to form an intermediate Ethernet frame 232. Thus, intermediate Ethernet frame 232 may include MAC DA 216, MAC SA 218, E-tag 230, type field 220, payload 222, and FCS 224.
In some examples, E-tag 230 may include information that is indicative of an egress port of bridge port extender 204 that is used to transmit payload 222 to client device 226. For example, E-tag 230 may include E-channel identification information that is indicative of an egress port of bridge port extender 204. In some examples, E-tag 230 may include an egress port identification that is indicative of an egress port of bridge port extender 204. In some examples, E-tag 230 may also include a tag protocol identification value to indicate the type of E-tag 230. For example, the type of E-tag 230 may be the IEEE 802.1BR E-tag type. In some examples, E-tag 230 may further include an ingress extended port identification information
A transmission security function 234 of network bridge 202 may generate a second Ethernet frame 236 based on intermediate Ethernet frame 232. Transmission security function 234 may be implemented using processor executable instructions. Second Ethernet frame 236 may include an encapsulated portion 238 and an unencapsulated portion 240. Encapsulated portion 238 may include type field 220, payload 222, and an integrity check value (ICV) 242. Unencapsulated portion 240 may include MAC DA 216, MAC SA 218, E-tag 230, a security tag 244, and FCS 224.
Transmission security function 234 may generate security tag 244 to indicate that a portion of second Ethernet frame 236 is encapsulated. In some examples, security tag 244 may indicate the type of encapsulation mechanism used to generate encapsulated portion 238. In some examples, transmission security function 234 may generate encapsulated portion 238 by encrypting type field 220 and payload 222 and appending ICV 242. Transmission security function 234 may generate ICV 242 based on MAC DA 216, MAC SA 218, security tag 244, type field 220, and payload 222; E-tag 230 is not an input to ICV 242. In some examples, ICV 242 may be a keyed hash value (a message authentication code), so that a device without the key cannot recompute it after altering the covered fields. Network bridge 202 may transmit second Ethernet frame 236 to bridge port extender 204 via a network port 258 of network bridge 202.
Bridge port extender 204 may receive second Ethernet frame 236 via an upstream port 246. Upstream port 246 may be a physical port of bridge port extender 204 that is used to interface with network bridge 202 via an Ethernet cable. In response to receiving second Ethernet frame 236, bridge port extender 204 may modify second Ethernet frame 236 to generate a modified Ethernet frame 250. For example, bridge port extender 204 may generate modified Ethernet frame 250 by removing E-tag 230 from second Ethernet frame 236. A tag removal function 248 of bridge port extender 204 may remove E-tag 230 from second Ethernet frame 236. Thus, unencapsulated portion 240 may form a second unencapsulated portion 252 when E-tag 230 is removed from unencapsulated portion 240. Tag removal function 248 may be implemented using processor executable instructions.
Modified Ethernet frame 250 may include encapsulated portion 238 and second unencapsulated portion 252. Second unencapsulated portion 252 may include MAC DA 216, MAC SA 218, security tag 244, and FCS 224. Processor 208 may use E-tag 230 to index a forwarding table 254 to identify an egress port of bridge port extender 204 for forwarding modified Ethernet frame 250 to client device 226. For example, bridge port extender 204 may use the E-channel identification information and/or the egress port identification in E-tag 230 to look up an egress port associated with the E-channel identification information and/or the egress port identification in forwarding table 254. As an example, the identified egress port may be a network port 256. Network port 256 may be a physical port or a logical port. Thus, bridge port extender 204 may transmit modified Ethernet frame 250 to client device 226 via network port 256. In response to receiving modified Ethernet frame 250 at client device 226, client device 226 may decapsulate encapsulated portion 238 to access payload 222.
Thus, encapsulated portion 238 may remain encapsulated prior to a transmission of modified Ethernet frame 250. That is, encapsulated portion 238 is not decapsulated and re-encapsulated while encapsulated portion 238 is at bridge port extender 204. Similarly, security tag 244 may remain unprocessed prior to the transmission of modified Ethernet frame 250 since encapsulated portion 238 may remain encapsulated. Security tag 244 may be removed when encapsulated portion 238 is decapsulated at client device 226. By keeping encapsulated portion 238 unmodified while encapsulated portion 238 is at bridge port extender 204, the design complexity of bridge port extender 204 may be reduced, as implementation of a decapsulation mechanism (and the key material it would require) at bridge port extender 204 may be avoided.
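The following is an added worked example, not code from the patent or from any vendor's port extender, that walks the frames described above (210, 232, 236, 250) end to end: the network bridge inserts the IEEE 802.1BR E-tag and secures the frame with the E-tag left outside the ICV, the bridge port extender strips the E-tag and selects an egress port from a forwarding table without holding any MACsec key, and the client verifies the ICV and decrypts. Assumptions not in the original: the cipher suite is a stand-in (a truncated HMAC-SHA256 for the ICV and an HMAC-derived keystream for confidentiality) rather than GCM-AES, the E-CID_base to egress port forwarding table is constructed, and the security tag is encoded as an 802.1AE SecTAG without an SCI.

```python
"""Added example: MACsec-secured frame through an 802.1BR port extender.
Stand-in cryptography (HMAC-based), constructed forwarding table; not the
patent's or any vendor's code."""
import hashlib
import hmac
import struct
import zlib

ETYPE_ETAG = 0x893F    # IEEE 802.1BR E-tag TPID
ETYPE_MACSEC = 0x88E5  # IEEE 802.1AE SecTAG EtherType
ICV_LEN = 16
FORWARDING_TABLE = {0x001: "ext-port-1", 0x002: "ext-port-2"}  # constructed table 254


def build_etag(ecid_base, pcp=0, dei=0, ingress_ecid_base=0, grp=0, ingress_ext=0, ecid_ext=0):
    """8-octet E-tag: TPID | E-PCP,E-DEI,Ingress_E-CID_base | Res,GRP,E-CID_base | exts."""
    hi = (pcp << 13) | (dei << 12) | (ingress_ecid_base & 0xFFF)
    lo = (grp << 12) | (ecid_base & 0xFFF)
    return struct.pack(">HHHBB", ETYPE_ETAG, hi, lo, ingress_ext, ecid_ext)


def parse_etag(etag):
    tpid, hi, lo, ingress_ext, ecid_ext = struct.unpack(">HHHBB", etag)
    if tpid != ETYPE_ETAG:
        raise ValueError("not an E-tag")
    return {"pcp": hi >> 13, "dei": (hi >> 12) & 1, "ingress_ecid_base": hi & 0xFFF,
            "grp": (lo >> 12) & 3, "ecid_base": lo & 0xFFF,
            "ingress_ext": ingress_ext, "ecid_ext": ecid_ext}


def _keystream(key, pn, n):  # stand-in for GCM-AES keystream (assumption)
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, struct.pack(">II", pn, ctr), hashlib.sha256).digest()
    return out[:n]


def _icv(key, da, sa, sectag, secured):
    # Integrity covers DA, SA, SecTAG and the secured data; never the E-tag.
    return hmac.new(key, da + sa + sectag + secured, hashlib.sha256).digest()[:ICV_LEN]


def _fcs(body):
    return body + struct.pack("<I", zlib.crc32(body))


def _strip_fcs(frame):
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
        raise ValueError("FCS mismatch")
    return body


def port_extender_function(frame210, ecid_base):
    """Bridge, function 228: DA|SA|type|payload -> DA|SA|E-tag|type|payload (frame 232)."""
    return frame210[:12] + build_etag(ecid_base) + frame210[12:]


def transmission_security_function(key, frame232, pn):
    """Bridge, function 234: frame 232 -> frame 236 (with FCS). E-tag stays in the clear."""
    da, sa, etag, clear = frame232[:6], frame232[6:12], frame232[12:20], frame232[20:]
    parse_etag(etag)                       # only tagged frames are expected here
    tci_an = 0x0C                          # V=0 ES=0 SC=0 SCB=0 E=1 C=1 AN=0 (no SCI)
    sl = len(clear) if len(clear) < 48 else 0
    sectag = struct.pack(">HBBI", ETYPE_MACSEC, tci_an, sl, pn)
    secured = bytes(a ^ b for a, b in zip(clear, _keystream(key, pn, len(clear))))
    return _fcs(da + sa + etag + sectag + secured + _icv(key, da, sa, sectag, secured))


def port_extender_forward(frame236, table=FORWARDING_TABLE):
    """Port extender: check FCS, strip E-tag (function 248), look up egress port
    (table 254), regenerate FCS. SecTAG, secured data and ICV pass through untouched."""
    body = _strip_fcs(frame236)
    fields = parse_etag(body[12:20])       # raises if the bridge sent an untagged frame
    port = table[fields["ecid_base"]]      # KeyError on unknown E-channel: drop the frame
    return port, _fcs(body[:12] + body[20:])   # frame 250


def client_receive(key, frame250):
    """Client 226: verify ICV over DA|SA|SecTAG|secured, then decrypt -> (type, payload)."""
    body = _strip_fcs(frame250)
    da, sa, sectag = body[:6], body[6:12], body[12:20]
    if struct.unpack(">H", sectag[:2])[0] != ETYPE_MACSEC:
        raise ValueError("expected SecTAG at offset 12; E-tag not removed?")
    pn = struct.unpack(">I", sectag[4:8])[0]
    secured, icv = body[20:-ICV_LEN], body[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(key, da, sa, sectag, secured)):
        raise ValueError("ICV check failed")
    clear = bytes(a ^ b for a, b in zip(secured, _keystream(key, pn, len(secured))))
    return struct.unpack(">H", clear[:2])[0], clear[2:]


def demo(tamper=False):
    key = hashlib.sha256(b"constructed SAK").digest()[:16]   # constructed key
    da, sa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    payload = b"constructed IPv4 packet bytes for the example"
    frame210 = da + sa + struct.pack(">H", 0x0800) + payload
    frame236 = transmission_security_function(key, port_extender_function(frame210, 0x002), pn=7)
    port, frame250 = port_extender_forward(frame236)
    if tamper:                             # flip one bit of secured data in flight
        body = bytearray(_strip_fcs(frame250))
        body[20] ^= 1
        frame250 = _fcs(bytes(body))
    ethertype, recovered = client_receive(key, frame250)
    return port, ethertype, recovered


if __name__ == "__main__":
    print(demo())
```

Two things the run makes concrete. First, the extender only needs to parse twelve bytes of addressing plus the eight-byte E-tag; it never touches the SecTAG, the secured data or the ICV, and it regenerates only the FCS, which is per-link anyway. Second, the arrangement only works because the bridge computes the ICV without the E-tag; had the E-tag been covered, the client's check in `client_receive` would fail after the extender stripped it, exactly as it fails in `demo(tamper=True)`. The flip side is that the E-tag is both unencrypted and unauthenticated on the bridge-to-extender cable, so a rewrite of the E-CID there changes the egress port without the client noticing; the frame itself is still confidential and integrity-protected, but the egress decision is not.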
When client device 226 is to transmit data, such as payload 222, to client device 214 via bridge port extender 204 and via network bridge 202, the roles are reversed: bridge port extender 204 may perform the generation of E-tag 230 and network bridge 202 may perform the removal of E-tag 230. For example, client device 226 may generate modified Ethernet frame 250 and transmit modified Ethernet frame 250 to bridge port extender 204. Bridge port extender 204 may generate E-tag 230 via processor 208. Bridge port extender 204 may modify modified Ethernet frame 250 to generate second Ethernet frame 236 by adding E-tag 230 into modified Ethernet frame 250. Bridge port extender 204 may transmit second Ethernet frame 236 to network bridge 202 via upstream port 246.
In response to receiving second Ethernet frame 236, transmission security function 234 may decapsulate encapsulated portion 238 to remove security tag 244 and to form intermediate Ethernet frame 232. Port extender function 228 may remove E-tag 230 from intermediate Ethernet frame 232 to form Ethernet frame 210. Network bridge 202 may transmit Ethernet frame 210 to client device 214.
Processor 302 may be a central processing unit (CPU), a semiconductor-based microprocessor, and/or other hardware devices suitable for retrieval and execution of instructions stored in computer-readable storage medium 304. Processor 302 may fetch, decode, and execute instructions 306-312 to control a process of generating and transmitting an Ethernet frame that includes an encapsulated portion, such as encapsulated portion 238 of
Computer-readable storage medium 304 may be any electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions. Thus, computer-readable storage medium 304 may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage device, an optical disc, etc. In some examples, computer-readable storage medium 304 may be a non-transitory storage medium, where the term “non-transitory” does not encompass transitory propagating signals. As described in detail below, computer-readable storage medium 304 may be encoded with a series of processor executable instructions 306-312 for generating and transmitting an Ethernet frame that includes an encapsulated portion and an unencapsulated portion including an E-tag.
Ethernet frame reception instructions 306 may receive an Ethernet frame from a client device, such as client device 214 of
Ethernet frame reception instructions 406 may receive an Ethernet frame from a network bridge, such as network bridge 202 of
Method 500 also includes generating an E-tag based on at least one of the plurality of fields, where the E-tag is indicative of an egress port of a bridge port extender, at 504. For example, referring to
Method 600 includes receiving, at a bridge port extender, an Ethernet frame from a network bridge, where the Ethernet frame includes an encapsulated portion and a first unencapsulated portion, and where the first unencapsulated portion includes an E-tag and a security tag, at 602. For example, referring to
Method 600 further includes generating a modified Ethernet frame using the encapsulated portion and the second unencapsulated portion, at 606. For example, referring to
The terms “comprising”, “including” and “having”, and variations thereof, are used synonymously herein and are meant to be inclusive or open-ended; they do not exclude additional unrecited elements or method steps.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/US2014/063826 | 11/4/2014 | WO | 00 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2016/072972 | 5/12/2016 | WO | A |
Number | Date | Country | |
---|---|---|---|
20170279639 A1 | Sep 2017 | US |