1. Field of the Invention
The present invention relates to the management of computer networks in which end stations in the network have the power management circuitry; and more particularly to techniques for securely issuing commands across the network to such end stations to wake-up or execute other system and power management functions.
2. Description of Related Art
Management of computer networks is accomplished in many systems by a central network management station which has access to end stations in the network for management functions. However, in complex network environments, many of the end stations are turned off at night or at other times when they are not in use, either manually or automatically by power management circuits. This prevents the network management station from gaining access to the end station, limiting the ability to effectively manage the network. Thus, technology has evolved which allows a remote network management station to wake-up an end station in the network to allow it to perform network management processes, or otherwise communicate with the end station. Such technology is referred to generally as Wake On LAN herein. The Wake On LAN feature of network adapter cards in personal computers allows network administrators to remotely boot powered offend systems. One popular technology for implementing the Wake On LAN feature is referred to as the xe2x80x9cMagic Packetxe2x80x9d technology, developed by Advanced Micro Devices, Inc. See xe2x80x9cMagic Packet Technologyxe2x80x94White Paperxe2x80x9d Advanced Micro Devices, Inc., issued November 1995. One concern that the Wake On LAN feature creates is the potential for intruders acting remotely to power-up unattended systems, and attempt to penetrate them. This danger is more acute than that for already powered up systems, from one point of view, because their powered down state can be used as evidence that they are not being monitored for intrusion. Thus, Wake On LAN protocols present an avenue for hackers to gain access through a network to sleeping devices.
The xe2x80x9cMagic Packetxe2x80x9d technology developed by AMD involves transmission of a special packet which is identified by 16 duplications of the. MAC address of the end station to be woken up without breaks or interruptions, inside a single packet. The network interface card is adapted to recognize this special packet, and signal the host system that it has received a Wake On LAN command.
One approach to providing security for the Wake On LAN feature involves transmitting a separate packet carrying a password. Before the network interface card issues a command to the host system, it must receive both the special Wake On LAN packet and the special password packet. This approach has a number of drawbacks, including the fact that packets can be snooped by other stations in the network, allowing the password to be learned by other parties. Also, the Wake On LAN packet sequence can be easily replayed by parties attempting to enter the system. In addition, the requirement of two packets requires complicated circuitry in the network interface card, increasing costs. Thus, the password packet approach provides limited security at increased costs.
It is desirable to provide a secure Wake On LAN system, and otherwise extend the Wake On LAN protocol for greater flexibility and functionality.
The present invention provides secure wake up or power management message protocol, such as by adding a security feature to the Wake On LAN packet itself or by providing an alternative secure manage protocol for this function. Other aspects of the invention provide an extensible mechanism allowing for other commands and options to be specified within the secure message packet, such as remote power down, remote reset, remote diagnostics, wake-up into boot ROM bypassing password prompts, or other system management and power management commands.
Thus an apparatus for signaling management circuits in a host computer in response to messages received through a network interface is provided. The apparatus includes logic that is coupled to the network interface to detect a received network packet carrying a message from a source to the management circuits in the host computer. The logic includes security logic that is responsive to data in the packet to authenticate the source of the message, to accept the message and generate a signal to the management circuits in the host computer when the message passes authentication, and to discard the message when the message fails authentication.
According to one embodiment, the message includes a message authentication code. The security logic includes resources to verify the message authentication code. The message authentication code in various embodiments comprises a message digest taken over the message and a secret value known to the source of the message and to the security logic in the network interface. For example, one message authentication code comprises the results of a hash function over the message and the secret value.
The message also includes a token used to prevent reuse of the same packet by an intruder. In one embodiment, the token includes a timestamp indicating a time at which the source produced the message, and the security logic includes resources to verify that the timestamp falls within a security window of time.
According to another embodiment, the information to indicate reuse of the message, comprises a random value token which can be truly random or pseudo-random. The security logic includes resources to detect re-use of the message by comparing the random value token to random value tokens used previously. Thus, in this embodiment the security logic includes logic to determine whether another message has been received having the same token. Such logic includes memory for storing random values from previous messages to be compared with the random value of a current message.
The timestamp and/or random value token can be used to detect reuse according to a variety of algorithms. According to one algorithm, the logic that detects reuse ensures that the timestamp in a message being authenticated is more recent than a last received and authenticated message. Thus, the timestamp of any valid packet must be more recent than the timestamp of any other packet that had been received.
According to another approach, resources detect reuse by storing timestamps of received messages and comparing the stored timestamps with the timestamp of a message being authenticated to verify that the timestamp of the message being authenticated is more recent than a baseline time and does not match the timestamp of a received message in the memory. The baseline time is equal to the most recent of the current time as measured for the security logic at the host computer and a time represented by an earliest timestamp in the memory. According to one embodiment of this algorithm, the network adaptor which detects a message that has a valid authentication code but also a timestamp matching a timestamp in the memory issues a signal to the source of the message indicating a collision. This allows the source of the message to reissue a new message with an updated timestamp.
According to another approach, the token comprises a timestamp and a random or pseudo-random value. In this embodiment, the message must be authenticated, carry a timestamp more recent than a baseline time, and carry a value which does not match both a timestamp and a random or pseudo-random value of a received message already in the memory.
According to one aspect of the invention, the message comprises one of a set of messages concerning host system or power management, the set of messages including at least one member for signaling the management circuits to boot the host computer, a member for signaling the management circuits to wake the host computer from a sleeping state, a signal carrying commands for diagnostic processes, a signaling for causing reset of the host computer, and a signal which provides booting the host system while bypassing the boot password requirements in the boot memory.
According to other embodiments of the invention, an apparatus is provided for connecting a host computer having power management circuits to a network. According to this embodiment the system includes a medium access control unit for connection to a network, a host interface for communication of received network packets to the host computer, and logic coupled to the medium access control unit to detect received network packets carrying a message from a source to the power management circuits in the host computer. In this embodiment, the messages include a message authentication code and one or more of a timestamp, and a random value token, and the system includes security logic to verify the authenticity of the messages as discussed above. The medium access control unit in a preferred embodiment comprises an Ethernet MAC unit having a MAC address, and the medium access control unit is adapted to receive packets having a destination address within a set, of one or more destination addresses, when the host system is powered down or otherwise in a state of limited function due to power management processes. The set of destination addresses preferably includes the MAC address of the medium access control unit and/or a multi-destination MAC address.
According to yet another aspect, the present invention provides a method for signaling management circuits in an end station from a management station through a network. The method comprises establishing a protocol for transmitting management messages including authentication with the end station, producing the management message according to the protocol, and transmitting the management message to the end station. In one embodiment, the protocol includes sharing a secret value with the end station, and the message includes a message authentication code produced according to the secret value. A token is included in the messages, in various combinations, such as a random value token and/or a timestamp, used to prevent reuse of the message.
Accordingly, the present invention provides an improvement over the Wake On LAN protocol, providing for enhanced security and flexibility in systems that allow a remote station to issue wake-up commands to an end station in the network. The improved security is combined with greater flexibility associated with providing a command set that extends the Wake On. LAN concept to a variety of management processes. Thus, network usability, flexibility and security are enhanced.
Other aspects and advantages of the present invention can be seen upon review of the figures, the detailed description, and the claims which follow.