WO2000044132A2 - Secure and efficient address resolution for client stations connected over wide area network links to ip networks such as the internet - Google Patents
Secure and efficient address resolution for client stations connected over wide area network links to ip networks such as the internet Download PDFInfo
- Publication number
- WO2000044132A2 WO2000044132A2 PCT/SE2000/000145 SE0000145W WO0044132A2 WO 2000044132 A2 WO2000044132 A2 WO 2000044132A2 SE 0000145 W SE0000145 W SE 0000145W WO 0044132 A2 WO0044132 A2 WO 0044132A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- address
- client
- network
- server
- arp
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/10—Mapping addresses of different types
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
Definitions
- the present invention relates to the field of internet access, and in particular, to the provision of access to internet(s) over a network such as a wide area network (WAN) configured to act as a local area network (LAN).
- WAN wide area network
- LAN local area network
- the LAN was developed in response to the needs of computer users to communicate among themselves and to share computing resources such as printers, file servers, and electronic mail systems.
- a LAN may be defined as a network system that allows a number of independent stations (e.g. personal computers (PCs), servers, routers, other computers, etc.) to communicate with each other wil-hin a moderately sized geographic area over one or more communication channels.
- PCs personal computers
- routers other computers, etc.
- WANs may be used to interconnect LANs that are sufficiently distant from one another to be beyond the physical transmission limitations of a LAN. This is analogous to a telephone network where local telephone systems are interconnected by long distance carriers.
- An application of LAN/WAN technology is internet access, where WANs and/or LANs are used to access the internet from home, work, or the like. Such an application may be implemented over the public switched telephone network (PSTN) using di.al-up or Integrated Services Digital Network (ISDN) modems to access a Network Service Provider (NSP) who then provides access to the internet.
- PSTN public switched telephone network
- ISDN Integrated Services Digital Network
- NSP Network Service Provider
- IP Internet Protocol
- MODEMs MOdulator/DEModulators
- TCP/IP Transmission Control Protocol/Internet Protocol
- IP addresses are typically identified by network layer (see "network" layer in Fig. 2 OSI model) addresses such as IP addresses. These addresses provide a simple mechanism for identifying the source and destination of messages within the network.
- IP address may be a 32-bit (or more) binary number with a format of four or more bytes, divided into four or more 8-bit parts.
- each byte of an IP address (e.g. 140.179.220.200) is a number from 0 to 255, with one part of the address identifying the network and another part the station.
- stations are identified at a lower level by hardware addresses such as Media Access Control (MAC) addresses; an example of such hardware addresses are Ethernet addresses.
- MAC Media Access Control
- An exemplary MAC address may be 48 bits in length. One set of digits may identify the manufacturer or vendor of the station, and another set of digits may include an interface serial number or some other value administered by a vendor.
- ARP Address Resolution Protocol
- a requester station e.g. PC, file server, set-top box, or router
- all stations on the LAN in an attempt to learn the hardware address of the station with which the requester wants to communicate.
- the ARP request is received and processed by all stations on the LAN, although only the station that owns the requested address responds by sending an ARP reply message to the requester containing both the responder's network layer address and hardware address.
- the router 3 may associate in an ARP table the ARP reply including the network layer and hardware address with the WAN 5 connection over which the ARP response was received.
- IP-based station A with an IP address 192.0.2.1 wants to send data over an Ethernet channel to another IP-based station B on the same network having IP address 192.0.2.2.
- Station A does not have station B's MAC address, and thus sends an ARP request essentially saying "I need the MAC address for 192.0.2.2.”
- the ARP request is sent in a broadcast frame. Every Ethernet station on the network reads the ARP request and looks to see whether the request is for its own address. If so, they respond. If not, they ignore it.
- station B with IP address 192.0.2.2 responds by sending a reply packet containing station B's MAC address back to the requesting station A (e.g. a reply saying in effect that 192.0.2.2 has a MAC address of, e.g., 8:0:20:1:56:34 (Ethernet addresses may be 48 bits)).
- a reply packet containing station B's MAC address e.g. 8:0:20:1:56:34 (Ethernet addresses may be 48 bits).
- a reply packet containing station B's MAC address e.g. 8:0:20:1:56:34 (Ethernet addresses may be 48 bits).
- a reply packet containing station B's MAC address e.g. 8:0:20:1:56:34 (Ethernet addresses may be 48 bits).
- a predetermined period of time e.g. 15 minutes
- dynamically entered ARP table entries are typically timed out and removed by a router, while static ARP entries
- IP addresses these have historically been assigned statically during network configuration. In such cases, stations are pre- configured to use a statically assigned IP address. However, in large or rapidly changing networks, static assignment of IP addresses is often inadequate due to the potential for misconfiguration. As a result, IP addresses within networks are increasingly assigned automatically using the Dynamic Host Configuration Protocol (DHCP) per Internet RFC 1541. hereby incorporated herein by reference.
- DHCP is an extension of the Bootstrap Protocol (BOOTP), allowing hosts on a TCP/IP network to dynamically obtain basic configuration information (e.g. IP address(es)).
- BOOTP Bootstrap Protocol
- DHCP provides for dynamic automatic set-up of IP addresses for stations in a network.
- a client for example, after a client (a "client” herein may be a PC, set-top box, or the like at a subscriber location) station is turned on, it and a DHCP server may exchange DHCPDISCOVERY (client asking server for an IP address), DHCP OFFER (server offering client an address), DHCPREQUEST (client attempting to accept the offer), and DHCPACK (server leases IP address to client ) messages during the IP address allocation process.
- the DHCP server leases dynamic IP addresses to respective clients for finite periods of time which expire, after which such leases must be renewed.
- DSL Digital Subscriber Line
- DSL DSL
- ASDL Asynchronous DSL
- high bit rate DSL high bit rate DSL
- rate adaptive DSL rate adaptive DSL
- a "LAN segment” may be, for example, a portion of a LAN cable or link, disposed between the client and a corresponding NT.
- VC virtual circuit
- a VC is typically used to describe a logical connection between two stations in a network (e.g. packet switching, cell switching, or frame switching network).
- a VC is a connection between two stations in a network that acts as though it is a direct connection even though it may share a physical interface or link with other connections/links for some part of its path.
- Frame Relay VCs, ATM VCs, and X.25 VC connections are examples of VCs.
- Possibilities include a single LAN, separate LANs, and multiple LANs.
- Router 3 includes DHCP server 15 for dynamic assignment of IP addresses to client stations attached to the subnet.
- Router 3 also includes an IP address pool or table 17, for enabling IP addresses to be stored. All client LAN segments are considered by router 3 to be within the same LAN so that the WAN is effectively configured to act as a local area network (LAN).
- LAN local area network
- DHCP messages such as DHCP OFFER
- DHCP OFFER may need to be broadcast by the server to all VCs which leads to increased traffic volumes on the WAN.
- the router may have to spend CPU cycles doing message copying, which is also undesirable.
- a client VC is a VC over which the server may communicate with a client.
- a client VC is a VC over which the server may communicate with a client.
- Bogus information may be used to direct all traffic for a range of IP addresses to go down the attacker's (or faulty client's) VC instead of the valid client's VC. Vulnerability to such attacks/mistakes renders the network less secure than would otherwise be desirable.
- the following message sequences are used to help illustrate how a system in accordance with Figure 4 operates, with the DHCP server allocating the client (e.g. PC or set-top box) an IP address and thereafter the server and client communicating with one another.
- client e.g. PC or set-top box
- DHCPOFFER possible MAC broadcast, all VCs provisional lease allocation in DHCP table.
- DHCPACK possible MAC broadcast, all VCs allocated IP address lease and check if still available. IP address allocated to client.
- client may validate the allocated address using an ARP to SELF.
- ARP for CLIENT address (MAC broadcast, user's VC)
- So client is now OK with the address.
- ARP for SERVER address (MAC broadcast, user's VC)
- ARP request broadcast for CLIENT address (MAC broadcast, all VCs)
- server 15 broadcasts its DHCPOFFER and DHCPACK messages to all VCs (not just the one for the intended client station). Moreover, server 15 must copy and broadcast its ARP requests to all VCs to determine the desired client's hardware address. This is undesirable for the reasons discussed above.
- Each VC from a client LAN is connected to a separate IP subnetwork 23-25.
- each of the client LAN segments is considered to be a separate LAN by router 3.
- This approach removes the broadcast problems of the Figure 4 system. Since there is only one VC in each IP subnetwork, only one copy of ARP request messages and DHCP messages need be sent by each server 27-29.
- multiple IP subnetworks 23-25 and DHCP address pools 31-33 need to be configured on the router. This results in poor IP address utilization and may lead to configuration problems and/or the need for additional hardware/software.
- the servers must keep track of which IP addresses have been leased from each of the pools.
- each client must use a different IP address for server services, depending on which IP subnetwork they are connected to.
- the third approach is a hybrid of the single LAN (Fig. 4) and separate LANs (Fig. 5) approaches described above. Small clusters of LANs may be considered by a router as, and supported by, a single LAN. Accordingly, this scenario has a hybrid of the advantages and drawbacks of the other two approaches.
- a method and/or system for reducing network traffic (i) a method and/or system for eliminating the need for a server to broadcast messages over multiple WAN or other network connections, (iii) a method and/or system for mapping (or associating) client addresses (e.g. IP addresses) to corresponding client connections (VCs) in response to network layer address request (e.g. DHCP) messages in order to reduce the need for broadcasting server messages; and/or (iv) a method and/or system for increasing security of any such network.
- client addresses e.g. IP addresses
- VCs client connections
- DHCP network layer address request
- An object of this invention is to eliminate the need for the server to broadcast address request messages on an IP network.
- internet includes not only the global interconnected network but also more localized networks running the IP
- a server to map in memory a network address of a client to the network connection (e.g. VC) for that client (i.e. client addressxlient network connection) in response to a network layer address request message received by the server, so as to achieve the aforesaid object of reducing the need for the server to broadcast messages on the network.
- a network connection e.g. VC
- client addressxlient network connection i.e. client addressxlient network connection
- Another object of this invention is to reduce the chance of a server sending messages to incorrect client(s).
- Yet another object of this invention is for a server to temporarily lock in a mapping of a client address to a corresponding client connection when or after the mapping is stored. This reduces the likelihood of address: connection mappings being incorrectly modified, thereby achieving the object of reducing the chance of messages being sent to incorrect client(s) so as to achieve a more secure system.
- Another object of this invention is to satisfy or fulfill any or all of the above listed objects or needs.
- this invention may include a method of mapping a client address to a client network connection.
- the server receives from the client a network layer address request message over a network connection.
- a channel identifier indicating the network connection over which the request was received may be at least partially included in the message or alternatively inferred by the server depending upon the channel or network connection that the message is received on.
- the server allocates a network layer address to the client and maps the network layer address to the network connection in a memory. The server thus need not subsequently broadcast address request messages over the network when it desires to communicate with that client.
- ARP entry timing is modified in a manner such that a DHCP server maps at least one client station address (e.g. IP address) to that client's network connection (e.g. VC) via an ARP table entry (e.g. including IP address, MAC address and VC ID) for the client when, or as a function of when, the server dynamically allocates a network layer address (e.g. IP address) to that client.
- This mapping is temporarily locked in for a period of time, and the server need not subsequently broadcast address request messages (e.g. ARP requests) across the network to obtain client addresses and/or connections. Due to the locking, messages received from attacking or faulty clients seeking to incorrectly change the address: connection mapping are ignored and/or not acted upon by the server.
- certain embodiments of this invention satisfy one or more of the above-listed objects or needs by: reducing or even eliminating the need for the server to broadcast ARP requests thereby reducing WAN traffic; reducing the potential for an attacking or faulty client to falsify entries in the server's ARP table(s); reducing or eliminating the need for the server to broadcast certain DHCP messages; and/or rendering the network more secure.
- Figure 1 is a schematic diagram of a network configuration including a plurality of client LAN segments connected over DSL VC links to a router.
- Figure 2 is a schematic diagram of the OSI layer model.
- FIG. 3 is a diagram illustrating a TCP packet on Ethernet including the use of ARP to obtain a station's hardware address.
- Figure 4 is a schematic diagram of a first implementation of the Figure 1 network configuration where client internet access is provided over a WAN configured to act as a LAN.
- Figure 5 is a schematic diagram of a second implementation of the Fig. 1 network configuration where multiple LANs are provided, as well as multiple servers and address pools in the router.
- Figure 6(a) is a schematic diagram of a network configuration including a plurality of supported client LAN segments as well as a plurality of unsupported client LAN segments connected over DSL links to a router in accordance with an embodiment of this invention.
- Figure 6(b) schematic diagram of a first implementation of the router of Fig. 6(a) according to an embodiment of this invention.
- Figure 7 is a flow chart illustrating steps taken by a server in mapping a ⁇ client address : network connection ⁇ in response to receiving a network layer address message from the client in accordance with an embodiment of this invention.
- Figure 8 is a flow chart illustrating steps taken by the DHCP server/processor of Fig. 6 in allocating a network address (e.g. IP address) to a client and making an ARP table entry (including a mapping of a client network layer address to a network connection for that client) in accordance with an embodiment of this invention.
- a network address e.g. IP address
- ARP table entry including a mapping of a client network layer address to a network connection for that client
- FIG. 9 is a flow chart illustrating how the DHCP server/processor of
- Fig. 6 ignores ARP response message it receives identifying supported clients, yet responds to ARP requests, in accordance with an embodiment of this invention.
- FIG. 6(a) illustrates a network according to an embodiment of this invention for enabling client (e.g. PC 9) access to an internet over a WAN 40 configured to act as a LAN.
- Router 39 communicates with client LANs including respective client PCs (or set-top boxes) 9 over WAN or other network connections 42 (e.g. VCs), thereby enabling PCs 9 to access the internet.
- router 39 includes at least one DHCP server including processor 41, at least one IP subnetwork 45 for enabling the router to communicate over a plurality of WAN connections (e.g. permanent or temporary VCs), and a memory 47 including at least one IP address pool 43 and ARP table 49 (described below).
- Input devices 51 and output devices 53 are in communication with the server system of the router, and represent a range of varying I/O devices such as disk drives, keyboards, modems, network adapters, printers, displays, and the like.
- router 39 may be an Ericsson AXI 510 Edge Router including DHCP server/processor 41 and memory 47.
- the AXI 510 may include an ATM OC-3c/STM-l interface for connection to the ADSL access network and/or WAN(s), and up to 18 built-in serial ports for Frame Relay WAN connectivity.
- Frame Relay involves a frame switched network based on point-to-point circuits from router 39 to a frame relay switch with packets being identified by router 39 as to their network connection with a virtual circuit ID. While the AXI-510 is utilized in a preferred exemplary embodiment, it will be recognized by those of skill in the art that other suitable routers may instead be used in other embodiments of this invention.
- DHCP server 41 may provide networked clients 9 with the required TCP/IP configuration information from a central location, thereby reducing the need for the clients to be set up individually.
- a DHCP client e.g. a PC or set-top box
- the source IP address for this may be 0.0.0.0, as the client has no IP address at this time.
- DHCP server 41 responds to this packet with a DHCPOFFER packet sent to the client, offering to configure the client. If the client accepts the offered configuration information (e.g. IP address) from server 41, the client sends a DHCPREQUEST packet to that server. DHCP server 41, in response to the request packet, then sends a DHCPACK packet to the client containing the final parameters (e.g. IP address) for the client to use, and the configuration information is allocated (leased) to the client for a period of time (e.g. seconds or minutes). Server 41 notes the IP address internally as in use via a table or cache entry and does not offer it to any other client(s) during the in-use period.
- the offered configuration information e.g. IP address
- the client TCP stack Upon receiving the DHCPACK packet, the client TCP stack finishes configuring itself. For example, it is known that a client may validate its allocated IP address by sending out an ARP request identifying the IP address just allocated to it (i.e. ARP to SELF). If another station responds, then the client assumes that the allocated address is not valid since it is already in use on the network. Finally, the client may have to periodically renew its lease via the server in order to continue to use the configuration.
- certain embodiments of this invention take advantage of the fact that, when a client 9 is turned on or started up, the first valid communication(s) from the client to DHCP server 41 is a DHCPDISCO VER or DHCPREQUEST for an IP address.
- this process is handled independently from the ARP protocol, thereby requiring the server to broadcast ARP requests after the DHCP messages have been exchanged when the server subsequently wishes to communicate with a particular client, resulting in much WAN traffic.
- the normal operation and/or timing of ARP protocol entries is modified.
- ARP table entries are stored by DHCP server 41 in ARP table 49 when the server allocates an IP address from pool 43 to a DHCP requesting client 9.
- a channel identifier indicative of the VC (or other network connection) that the DHCP message comes in on is determined by the receiving server (i.e. the server associates the VC with the message when it receives it).
- the DHCP message may be, for example, one of a DHCPDISCOVER or DHCPREQUEST.
- the DHCP message is passed up the protocol stack to DHCP server 41.
- the DHCP server When the DHCP server is ready to allocate an IP address to the client, it also has all of the information required to set up an ARP entry (i.e..
- IP address, MAC address, and VC ID in table 49 for the client.
- the IP address, VC ID and MAC address are thus stored simultaneously or in close time proximation with DHCP lease information in table 49, or at a time which is a function of when the table entry of DHCP lease information is made.
- the server thus maps the allocated IP address to the network connection (e.g. VC) in such a manner.
- the DHCP and modified ARP allocations may be made together as one entry in table 49, or as separate entries in separate tables in different embodiments of this invention.
- the server may determine the network connection (e.g. VC) which an incoming DHCP message comes in or is received on.
- a channel identifier may be attached to the message indicative of the network connection.
- the server may use this channel identifier (either alone or in combination with additional physical information such as which port/board the message was received on) to identify the relevant network connection (e.g. VC), and store the same as the client's IP address is to be mapped thereto.
- the server may use physical receiving port ID information as a channel identifier in WO 00/44132 PCTtSEOO/00145
- the server stores a channel identifier that is indicative of the network connection on which the DHCP message was received, and the same is mapped to the allocated network layer address for the client at issue.
- IP address leases are held by the server for finite periods of time.
- the DHCP server releases its hold on an IP address lease, it also removes the corresponding ARP table 49 entry for the client.
- ARP entries in table 49 are not subject to the conventional ARP timeout mechanism (they need not be deleted if not used for a given period of time).
- server entered ARP information for a client in table 49 is stored and/or deleted along with the client's allocated IP address.
- the IP address lease may timeout and be revoked, and the ARP entry removed from table 49.
- a conventional ARP entry is compared below to an ARP entry (table 49 entry) according to an embodiment of this invention:
- IP Protocol
- MAC Hardware
- IP Protocol
- MAC Hardware
- Network Connection ID e.g. VC ID
- ARP table 49 of router 39 is extended according to certain embodiments of this invention so as to include the client' s network connection ID information (e.g. a WAN connection ID such as VC ID) therein.
- a WAN connection ID such as VC ID
- the Logical Interface may not always be specific enough to correctly identify the VC or other WAN connection that a remote client is located on.
- certain WAN connections (e.g. VCs x - z ) support the modified ARP system described above wherein network layer addresses (e.g. IP addresses) may be mapped to WAN connection IDs in table 49 when the network layer addresses are allocated.
- network layer addresses e.g. IP addresses
- server 41 may also communicate with unsupported network connections and or clients 9b using standard ARP procedures and broadcasts.
- inventive mapping described above need not apply to all WAN connections in the network.
- router 39 may include ARP table 49 that includes ARP entries for both supported clients 9a and unsupported clients 9b.
- extended ARP entries are made in table 49 in response to received DHCP messages as discussed above thereby mapping client addresses (e.g. IP addresses) to respective client network connections (e.g. VCs), so that the server does not have to broadcast ARP requests if it subsequently wishes to communicate to a client.
- client addresses e.g. IP addresses
- client network connections e.g. VCs
- ARP entries are also made in table 49; however for such unsupported clients these entries are made only after the server has broadcast an ARP request and received an ARP response from a client as to its address.
- the entries in table 49 may have zeros input in the VC ID area according to certain embodiments of this invention.
- ARP table format there need not be a change to the ARP table format in certain embodiments, but only a change in the ⁇ ranner in which ARP entries are created in the router's table.
- separate ARP tables may be provided in the router for supported versus unsupported client ARP entries, or alternatively all ARP entries WO 00/44132 PCTtSEOO/00145
- router 39 does not create and delete entries in ARP table 49 using the ARP procedures of RFC 826; instead, router 39 creates and deletes the modified ARP entries when DHCP server 41 assigns or removes a network address lease (e.g. lease of an IP address).
- a network address lease e.g. lease of an IP address.
- ARP herein is not limited to its conventional meaning, but instead means an address entry for a client which may or may not include a network connection identifier (e.g. VC ID) mapped to a network address such as an IP address.
- server 41 need not (and preferably does not) broadcast ARP requests to resolve addresses for supported clients 9a, since all such clients with either dynamic DHCP leases and/or static DHCP addresses are known to the server. Traffic for unresolved addresses may be dropped.
- the address resolution module of server 41 does not find an associated pair of IP and MAC addresses in its ARP table 49 for a supported client, the server does not generate an ARP request in an attempt to resolve the same. Additionally, server 41 does not update its ARP table 49 entries when it receives alleged ARP replies from clients said to be supported (e.g. VCs x .
- the server's ARP mechanism may still be used to respond to ARP requests originating from clients that are sent to, and received by, server 41. Therefore, in the context of the single LAN scenario of Figure 4, the drawback of the ARP broadcasts is removed with regard to supported clients 9a, since the router no longer has to broadcast ARP requests to locate supported clients (e.g. VCs x - z ). In addition, the drawback of the ARP information validation is removed for such clients 9a, since incoming ARP response information is ignored by the router.
- incoming DHCP messages pertaining to current leases may be validated by the server to ensure that the VC (or other network connection) they come in on is the same as for the originally mapped VC ID corresponding to the address at issue.
- Invalid requests e.g., a lease release message from a different VC to the original lease
- IP addresses present in the server's ARP table 49 that are associated with static entries are not leased to clients of the DHCP server. This ensures that statically addressed nodes do not affect DHCP addressed nodes and vice versa.
- Outgoing messages from server 41 to broadcast or multicast addresses are checked during output processing. Messages from the DHCP server are further interrogated to determine the target IP address. This IP address of a supporting client is used to perform a lookup in ARP table 49 to determine the network connection (e.g. VC) over which to send the message. This enables the server to send outgoing messages over proper connections. Messages from the DHCP server which do not contain a target IP address, (e.g., DHCP NACK messages), have the target WAN connection embedded in a formerly unused portion of the message which is extracted by the output processor when determining the target WAN connection. Other messages to broadcast or multicast addresses may be dropped by the output processor.
- a target IP address e.g., DHCP NACK messages
- VCs are shown as preferred network connections.
- Exemplary types of VCs either permanent or temporary, which may be utilized in networks according to different embodiments of this invention include ATM VCs, Frame Relay VCs, and X.25 VCs.
- Other types of WAN connections may instead be used in certain embodiments of this invention, including but not limited to dedicated HDLC links and media supporting the point-to-point protocol (PPP).
- PPP point-to-point protocol
- DHCPDISCOVER (MAC broadcast, user's VC) - looking for server
- DHCPOFFER possible MAC broadcast, user's VC make provisional allocation in DHCP table and ARP table.
- DHCPACK possible MAC broadcast, user's VC
- client may validate the allocated IP address using an ARP to SELF.
- ARP for CLIENT address (MAC broadcast, user's VC)
- So client is now OK with the address.
- ARP for SERVER address (MAC broadcast, user's VC)
- Client can now speak to server and vice versa. Now client will run out of DHCP lease at some time
- DHCPACK (MAC broadcast, user's VC) available.
- FIG. 7 is a flow chart illustrating steps taken in mapping a client network layer address to a network connection in accordance with an embodiment of this invention.
- DHCP server 41 receives a network layer address message from a supported client 9a over a network connection, with at least a portion of a connection identifier attached thereto and/or implicit in the transport inferred by the server.
- server 41 maps the network layer address (e.g. IP address) allocated to the client to the network connection (e.g. via the connection identifier) in ARP table 49.
- the network layer address e.g. IP address
- server 41 ignores messages that it receives seeking to modify entries in table 49 for supported clients, thereby rendering the system more secure.
- the client's network layer address and network connection identifier are removed at 95. The client must ask for renewal to continue using the same.
- FIG 8 is a flow chart illustrating a more detailed embodiment of this invention, including how server 41 receives a DHCP message from a supported client (e.g. PC 9a), and in response thereto allocates an IP address to the client and makes an ARP table 49 entry for that client mapping the two to one another.
- DHCP server 41 receives the DHCPDISCOVERY broadcast on a VC from a supported client 9. The logical channel number or identifier for identifying the VC is noted and stored by the server.
- server 41 looks up an IP address lease and allocates an IP address for the client and makes an ARP entry for the client which includes the client's logical interface, IP address, hardware (e.g.
- step 63 the server sends a DHCPOFFER message to the client offering it the allocated IP address.
- step 64 if the client decides to accept the IP address, it sends a DHCPREQUEST message to the server.
- step 65 if the IP address lease is still available, server 41 sends a DHCPACK to the client leasing the client the address for a period of time.
- step 66 the client may optionally validate the IP address received from the server (e.g. ARP to SELF as described above).
- step 67 when the server times out the IP address, it removes both the DHCP and ARP entries for the supported client.
- FIG. 8 shows server 41 making its modified ARP entry at step 62 in response to a DHCPDISCOVERY message received from a supported client.
- the server may instead make its ARP table 49 entry with channel identifier in response to a DHCPREQUEST message received from the client; because the first message from a client to a server regarding DHCP may be a DHCPREQUEST, and a DHCPDISCOVER message may never be received from a supported client.
- FIG 9 is a flow chart illustrating how server 41 ignores alleged ARP responses which it receives, yet still responds to ARP requests.
- server 41 maps a network and or hardware address(es) to a network connection which an address request message was received on, for supported client #1.
- Server 41 may thereafter communicate with client #1 without having to broadcast an ARP request for that client because the ARP table 49 entry resolves .any potential address issues regarding that client.
- server 41 receives an ARP reply message from attacking client #2 requesting that the server modify the table 49 entry for client #1 by replacing the stored WAN connection ID with client #2's WAN connection ID (client #2 is attempting to trick the server into sending it client #1 's messages).
- server 41 ignores and/or does not respond to the message from client #2, as the table 49 entry is essentially "locked" and cannot be modified until a new network layer address is allocated to client #1.
- client #2 cannot modify entries in the ARP table of a "secure" IP subnet except via the DHCP server, regardless of whether a lease is allocated to client #1.
- Server 41 may ignore ARP replies allegedly from supported clients because the server need not broadcast any ARP requests to these clients — so ARP replies from them are unimportant). This renders the system more secure.
- server 41 may still communicate with client #1 despite client #2's attempt to modify the table 49 ARP entry.
- client #3 (supported or unsupported) wishes to send a message to server 41
- client #3 broadcasts an ARP request for the server across its LAN and WAN connections (e.g. VC) in step 79.
- server 41 responds to ARP requests which it receives, using the single relevant VC of the client. After client #3 receives the ARP response from the server, it is able to communicate directly with the server.
- connection ID in this case a VC
- ATM over ADSL
Abstract
Description
Claims
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0120317A GB2363043A (en) | 1999-01-25 | 2000-01-25 | Secure and efficient address resolution for client stations connected over wide area network links to ip networks such as the internet |
AU24697/00A AU2469700A (en) | 1999-01-25 | 2000-01-25 | Secure and efficient address resolution for client stations connected over wide area network links to ip networks such as the internet |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11697799P | 1999-01-25 | 1999-01-25 | |
US60/116,977 | 1999-01-25 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2000044132A2 true WO2000044132A2 (en) | 2000-07-27 |
WO2000044132A3 WO2000044132A3 (en) | 2000-11-30 |
Family
ID=22370375
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/SE2000/000145 WO2000044132A2 (en) | 1999-01-25 | 2000-01-25 | Secure and efficient address resolution for client stations connected over wide area network links to ip networks such as the internet |
Country Status (3)
Country | Link |
---|---|
AU (1) | AU2469700A (en) |
GB (1) | GB2363043A (en) |
WO (1) | WO2000044132A2 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2375022A (en) * | 2001-04-24 | 2002-10-30 | Ip Access Ltd | Configuration of LAN hosts |
EP1331760A1 (en) * | 2000-10-30 | 2003-07-30 | Sharp Kabushiki Kaisha | Node structure information management method and radio network system |
EP1502385A1 (en) * | 2002-05-09 | 2005-02-02 | Optical Solutions, Inc. | Network address assignment in a passive optical network |
KR101064382B1 (en) * | 2007-06-07 | 2011-09-14 | 주식회사 케이티 | Arp attack blocking system in communication network and method thereof |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2388498B (en) * | 2002-05-07 | 2005-10-19 | Nokia Corp | Method and apparatus for ensuring address information of a wireless terminal device in communications network |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5708654A (en) * | 1996-11-27 | 1998-01-13 | Arndt; Manfred R. | Method for detecting proxy ARP replies from devices in a local area network |
WO1998026530A1 (en) * | 1996-12-09 | 1998-06-18 | Motorola Inc. | System, device, and method for routing dhcp packets in a public data network |
EP0883266A2 (en) * | 1997-05-12 | 1998-12-09 | Kabushiki Kaisha Toshiba | Router device, datagram transfer method and communication system realizing handoff control for mobile terminals |
US5922049A (en) * | 1996-12-09 | 1999-07-13 | Sun Microsystems, Inc. | Method for using DHCP and marking to override learned IP addesseses in a network |
-
2000
- 2000-01-25 WO PCT/SE2000/000145 patent/WO2000044132A2/en active Application Filing
- 2000-01-25 GB GB0120317A patent/GB2363043A/en not_active Withdrawn
- 2000-01-25 AU AU24697/00A patent/AU2469700A/en not_active Abandoned
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5708654A (en) * | 1996-11-27 | 1998-01-13 | Arndt; Manfred R. | Method for detecting proxy ARP replies from devices in a local area network |
WO1998026530A1 (en) * | 1996-12-09 | 1998-06-18 | Motorola Inc. | System, device, and method for routing dhcp packets in a public data network |
US5922049A (en) * | 1996-12-09 | 1999-07-13 | Sun Microsystems, Inc. | Method for using DHCP and marking to override learned IP addesseses in a network |
EP0883266A2 (en) * | 1997-05-12 | 1998-12-09 | Kabushiki Kaisha Toshiba | Router device, datagram transfer method and communication system realizing handoff control for mobile terminals |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1331760A1 (en) * | 2000-10-30 | 2003-07-30 | Sharp Kabushiki Kaisha | Node structure information management method and radio network system |
EP1331760A4 (en) * | 2000-10-30 | 2005-11-02 | Sharp Kk | Node structure information management method and radio network system |
US7103354B2 (en) | 2000-10-30 | 2006-09-05 | Sharp Kabushiki Kaisha | Node structure information management method and radio network system |
GB2375022A (en) * | 2001-04-24 | 2002-10-30 | Ip Access Ltd | Configuration of LAN hosts |
GB2375022B (en) * | 2001-04-24 | 2004-10-20 | Ip Access Ltd | Configuration of Lan Hosts |
EP1502385A1 (en) * | 2002-05-09 | 2005-02-02 | Optical Solutions, Inc. | Network address assignment in a passive optical network |
EP1502385A4 (en) * | 2002-05-09 | 2005-11-02 | Optical Solutions Inc | Network address assignment in a passive optical network |
US7020157B2 (en) | 2002-05-09 | 2006-03-28 | Optical Solutions, Inc. | Network address assignment in a passive optical network |
US7525980B2 (en) | 2002-05-09 | 2009-04-28 | Calix Networks, Inc. | Network address assignment in a passive optical network |
KR101064382B1 (en) * | 2007-06-07 | 2011-09-14 | 주식회사 케이티 | Arp attack blocking system in communication network and method thereof |
Also Published As
Publication number | Publication date |
---|---|
GB2363043A (en) | 2001-12-05 |
AU2469700A (en) | 2000-08-07 |
GB0120317D0 (en) | 2001-10-17 |
WO2000044132A3 (en) | 2000-11-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7046666B1 (en) | Method and apparatus for communicating between divergent networks using media access control communications | |
US9143479B2 (en) | DHCP proxy in a subscriber environment | |
US8125993B2 (en) | Network element having a DHCP lease timer | |
US7801123B2 (en) | Method and system configured for facilitating residential broadband service | |
US7640287B1 (en) | Method and apparatus for auto-configuring layer three intermediate computer network devices | |
US6240464B1 (en) | Method and system for managing addresses for network host interfaces in a data-over-cable system | |
JP4519214B2 (en) | Client configuration method | |
US8572217B2 (en) | Methods and apparatuses for dynamically provisioning a dynamic host configuration protocol (DHCP) client as a clientless internet protocol services (CLIPS) subscriber on a last-resort interface | |
US8681695B1 (en) | Single address prefix allocation within computer networks | |
EP1718032B1 (en) | Detection of duplicated network addresses by a proxy | |
WO1998026530A1 (en) | System, device, and method for routing dhcp packets in a public data network | |
US7313610B2 (en) | Method and array for determining internet protocol addresses of a terminal array | |
JP2001326696A (en) | Method for controlling access | |
WO2003067837A2 (en) | Dynamic host configuration protocol lease time determination | |
US7570647B2 (en) | LAN type internet access network and subscriber line accommodation method for use in the same network | |
US7085836B1 (en) | System and method for automatic private IP address selection | |
WO2000044132A2 (en) | Secure and efficient address resolution for client stations connected over wide area network links to ip networks such as the internet | |
Cisco | Configuring IP | |
Cisco | Configuring IP | |
Cisco | Configuring IP | |
Yalagandula et al. | Transparent mobility with minimal infrastructure | |
Cisco | Configuring IP | |
Cisco | Configuring IP | |
Cisco | Configuring IP | |
Cisco | Configuring IP |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A2 Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A2 Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
AK | Designated states |
Kind code of ref document: A3 Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A3 Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
ENP | Entry into the national phase |
Ref country code: GB Ref document number: 200120317 Kind code of ref document: A Format of ref document f/p: F |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |
|
122 | Ep: pct application non-entry in european phase |