US 12,206,706 B2
Infrastructure level LAN security
Amit Chopra, Palo Alto, CA (US); and Uday Masurekar, Sunnyvale, CA (US)
Assigned to Nicira, Inc., Palo Alto, CA (US)
Filed by Nicira, Inc., Palo Alto, CA (US)
Filed on Jul. 27, 2023, as Appl. No. 18/226,772.
Application 18/226,772 is a continuation of application No. 17/883,383, filed on Aug. 8, 2022, granted, now 11,743,292.
Application 17/883,383 is a continuation of application No. 16/945,909, filed on Aug. 2, 2020, granted, now 11,411,995, issued on Aug. 9, 2022.
Application 16/945,909 is a continuation of application No. 14/965,870, filed on Dec. 10, 2015, granted, now 10,771,505, issued on Sep. 8, 2020.
Application 14/965,870 is a continuation of application No. 13/765,618, filed on Feb. 12, 2013, granted, now 9,930,066, issued on Mar. 27, 2018.
Prior Publication US 2023/0370496 A1, Nov. 16, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 9/08 (2006.01)
CPC H04L 63/162 (2013.01) [H04L 9/0825 (2013.01); H04L 9/0833 (2013.01); H04L 9/0866 (2013.01); H04L 63/0272 (2013.01); H04L 63/0457 (2013.01); H04L 63/0485 (2013.01); H04L 63/061 (2013.01); H04L 63/065 (2013.01); H04L 63/0876 (2013.01); H04L 63/123 (2013.01)] 18 Claims
1. A computer-implemented method of providing group key-based encryption, comprising:
receiving a selection of a Layer 2 (L2) domain on which a secure wire is to be enabled;
generating, for the secure wire, an encryption key encrypting messages exchanged between a group of interfaces of a group of machines;
associating, with the secure wire, a set of interfaces of a set of machines that execute on a set of host computers and that are part of the L2 domain, wherein each particular interface of each particular machine connects the particular machine to a virtual switch that executes on the particular machine's host computer;
each host computer using the encryption key to encrypt frames that each particular machine of the set of machines passes along the particular machine's interface to another machine in the set of machines en route out of the particular machine's host computer; and
adding to each encrypted frame a key identifier and an encrypted initialization vector;
wherein the method further comprises:
on each particular host computer in the set of computers, adding to each frame at least one of a value that identifies the encryption key and a signed hash value used to authenticate the encrypted frames and ensure data integrity.