The invention generally relates to networks and, more particularly, the invention relates to multicast transmissions across a computer network.
Multicasting is a well known method of transmitting messages to selected groups of users across a network, such as the Internet. One simple example of multicasting entails transmitting an E-mail message to a plurality of users that each are on a mailing list. Video conferencing and teleconferencing also use multicasting principles and thus often are referred to as "multiconferencing."
Problems arise, however, when an unauthorized network device transmits a message to a multicast session. For example, an unauthorized network device undesirably may transmit a message that prematurely ends the multicast session, thereby disrupting it.
In accordance with one aspect of the invention, an apparatus and method, utilized by a receiving node in a multicast for authenticating a message received from a transmitting node, uses tags to determine if the transmitting node is in the multicast. More particularly, a first tag received with the message is located and utilized to determine if the transmitting node is in the multicast. The first tag includes data associated with at least one of the receiving node and the transmitting node. A second tag then is generated if the transmitting node is determined to be in the multicast. Once generated, the second tag is transmitted with the message to a third node in the multicast. Among other things, the second tag includes data indicating that the receiving node is in the multicast.
In preferred embodiments, at least one of the receiving node and the transmitting node has an associated encryption key that is used to produce a generated first tag. The generated first tag then is compared with the located first tag to determine if the transmitting node is in the multicast. The second tag may be generated based upon either the receiving node key, or an encryption key of the third node in the multicast. In other embodiments, the message includes a plurality of tags that each are associated with one of a plurality of nodes in the multicast. The plurality of tags preferably are appended to the message.
In accord with other aspects of the invention, an apparatus and method utilized by a receiving node in a computer network for authenticating a message received from a transmitting node also utilizes tags. To that end, a first tag received with the message is located. The first tag includes information indicating if the transmitting node is in the multicast. The first tag then is utilized to determine if the transmitting node is in the multicast. A second tag is generated if the transmitting node is determined to be in the multicast. In preferred embodiments, the generated second tag includes information that the receiving node is in the multicast. The message and generated second tag then are transmitted to a third node in the multicast.
The tag may be appended to the message, or may be one of a plurality of tags appended to the message. Each of the plurality of appended tags preferably is associated with one of a plurality of nodes in the multicast. In other embodiments, the tag is incorporated into the message. The receiving node may be any computer device, such as a router. The receiving node and transmitting node may each have respective encryption keys. The second tag may be generated based upon either one of the encryption keys, depending upon the relation of the third node to the receiving node. The first tag may be utilized to determine if the transmitting node is in the multicast by ascertaining the first tag, and then comparing it to the located first tag. Specifically, the transmitting node may be determined to be in the multicast if the ascertained first tag is substantially identical to the located first tag. The first tag may be ascertained via memory, calculations, or other related method. For example, the first tag may be calculated from an encryption key associated with the receiving node. In other embodiments, the message is generated by an origin node having an origin tag. The receiving node may receive the origin tag, and the first tag and second tag may be calculated based upon the origin tag.
In accord with other aspects of the invention, a receiving node in a computer network with a multicast may be configured to authenticate a message received from a transmitting node in a manner similar to above noted aspects. More particularly, the receiving node may include an input that receives a first tag having information indicating whether the transmitting node is in the multicast, a multicast identifier that utilizes the first tag to determine if the transmitting node is in the multicast, a second tag generator that generates a second tag if the transmitting node is determined to be in the multicast, and an output that transmits the message and generated second tag to a third node in the multicast. The second tag includes information indicating that the receiving node is in the multicast.
In accord with yet other aspects of the invention, a network device for participating in a multicast in a computer network includes an input that receives messages and tags from other network devices, a tag generator, an authenticator that reads tags associated with each message received from other network devices, and an output that transmits an authenticated message and a tag to a given network device. The authenticator determines if each received message is received from a network device in the multicast based upon the tag associated with each received message. Each received message is deemed to be authenticated if determined to be from a network device in the multicast. The tag is generated by the tag generator to include information indicating that the network device is in the multicast.
In preferred embodiments, a first message and associated first tag are received at the input from a first network device having a first encryption key. The authenticator then may utilize the first encryption key to produce a generated first tag. The authenticator then compares the generated first tag with the associated first tag received at the input to determine if the first network device is in the multicast. In other embodiments, the network device further includes an encryption key that the authenticator utilizes (instead of the encryption key of the first network device) to produce the generated first tag.
Messages received without tags preferably are deemed to not be authenticated. In some embodiments, the given network device has an associated encryption key that is utilized by the tag generator to produce the transmitted tag. In other embodiments, the transmitted tag is generated based upon the encryption key of the network device.
In accord with other aspects of the invention, a method of filtering a message comprises receiving the message and an identification tag from a first network device, determining if the first network device is in the multicast based upon the identification tag, and forwarding the message to a second network device in the multicast if the first network device is determined to be in the multicast. The identification tag preferably includes data identifying the multicast. In preferred embodiments, a second tag is forwarded with the message to the second network device if the first network device is determined to be in the multicast. The second tag includes data indicating that the message has been forwarded from at least one network device in the multicast. The tag may be generated based upon an encryption key.
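The following is an added illustration of the hop-by-hop procedure described in the preceding aspects (locate the first tag, regenerate it from the transmitting node's key, compare, and only then append a second tag and forward), covering both the receiving-node authentication and the message-filtering method. It is not code from the patent: the patent does not fix a tag algorithm, so HMAC-SHA256 keyed with a per-node key is assumed here, and the node names, keys, multicast identifier and message contents are constructed for the example. The chaining of each tag over the previous hop's tag corresponds to the embodiment in which later tags are calculated based upon the origin tag.

```python
"""Hop-by-hop tag authentication for a multicast, modelled on the patent's
receiving-node procedure.  Added illustration: the tag algorithm (HMAC-SHA256)
and all node names, keys and messages are assumptions, not taken from the patent."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MULTICAST_ID = b"multicast-42"  # constructed identifier; "data identifying the multicast"


@dataclass
class TaggedMessage:
    payload: bytes
    tags: List[Tuple[str, bytes]]  # (node id, tag) pairs, appended in forwarding order


def make_tag(key: bytes, payload: bytes, prev_tag: bytes) -> bytes:
    """Tag binding the multicast id, the payload and the previous hop's tag to one node key."""
    mac = hmac.new(key, MULTICAST_ID, hashlib.sha256)
    mac.update(payload)
    mac.update(prev_tag)
    return mac.digest()


class Node:
    def __init__(self, node_id: str, key: bytes, peer_keys: Dict[str, bytes]):
        self.node_id = node_id
        self.key = key              # this node's own encryption key
        self.peer_keys = peer_keys  # keys of the multicast members whose tags this node can verify
        self.accepted: List[bytes] = []

    def originate(self, payload: bytes) -> TaggedMessage:
        """Origin node: the origin tag is computed with no previous tag."""
        return TaggedMessage(payload, [(self.node_id, make_tag(self.key, payload, b""))])

    def authenticate(self, msg: TaggedMessage) -> bool:
        """Locate the transmitting node's tag, regenerate it from that node's key, and compare."""
        if not msg.tags:
            return False  # messages received without tags are deemed not authenticated
        sender, located_tag = msg.tags[-1]
        sender_key = self.peer_keys.get(sender)
        if sender_key is None:
            return False  # transmitting node is not a known member of the multicast
        prev_tag = msg.tags[-2][1] if len(msg.tags) > 1 else b""
        generated_tag = make_tag(sender_key, msg.payload, prev_tag)
        return hmac.compare_digest(generated_tag, located_tag)

    def forward(self, msg: TaggedMessage) -> Optional[TaggedMessage]:
        """Filter: accept the message only if authenticated, append this node's own
        (second) tag, and return the message to transmit to the next node; None drops it."""
        if not self.authenticate(msg):
            return None
        self.accepted.append(msg.payload)
        second_tag = make_tag(self.key, msg.payload, msg.tags[-1][1])
        return TaggedMessage(msg.payload, msg.tags + [(self.node_id, second_tag)])


def demo() -> dict:
    """Constructed scenario: origin -> router-A -> router-B, plus an intruder outside the multicast."""
    origin = Node("origin", b"key-origin", {})
    router_a = Node("router-A", b"key-A", {"origin": b"key-origin"})
    router_b = Node("router-B", b"key-B", {"router-A": b"key-A"})
    intruder = Node("intruder", b"key-intruder", {})

    good = origin.originate(b"conference frame 1")
    via_a = router_a.forward(good)
    via_b = router_b.forward(via_a)

    return {
        # legitimate path: each hop appended its own tag
        "chain": [node for node, _ in via_b.tags],
        # untagged "end session" control message: dropped at router-A
        "untagged": router_a.forward(TaggedMessage(b"END SESSION", [])),
        # intruder outside the multicast tags its own "end session" message: dropped
        "intruder": router_a.forward(intruder.originate(b"END SESSION")),
        # payload altered after the origin tagged it: regenerated tag no longer matches
        "tampered": router_a.forward(TaggedMessage(b"conference frame 2", good.tags)),
        # origin's message handed to router-B directly, skipping router-A: router-B
        # can only verify tags from router-A, so it is dropped
        "skipped_hop": router_b.forward(good),
        "accepted_by_a": router_a.accepted,
    }
```

This models the preferred embodiment in which the receiving node verifies with the transmitting node's key and tags with its own key. The alternative embodiments in the text (the receiving node regenerating the first tag from its own key, or generating the second tag from the third node's key) change only which key is passed to make_tag at each step; the locate-regenerate-compare-then-append structure is the same. Note that with this design an intruder who obtains any one member's key can forge that hop's tag, so the per-node keys must be protected as carefully as the session itself.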
Preferred embodiments of the invention are implemented as a computer program product having a computer usable medium with computer readable program code thereon. The computer readable code may be read and utilized by the computer system in accordance with conventional processes.