Arrangement for tracking IP address usage based on authenticated link identifier

US 20060028996A1
Filed: 08/09/2004
Published: 02/09/2006
Est. Priority Date: 08/09/2004
Status: Active Grant

First Claim

Patent Images

1. A method in an Internet Protocol (IP) based router in a network, the method comprising:

creating a cache entry specifying an authenticated client identifier and a corresponding authenticated link identifier for a client device attached to the network based on the authenticated link identifier;

receiving a message that specifies the authenticated link identifier and a source IP address;

adding the source IP address to the cache entry specifying the authenticated link identifier based on parsing the message; and

outputting to an audit resource a record that specifies the source IP address and the authenticated link identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Link layer authentication information is supplied by a link layer authentication device to an access router for tracking IP address usage by a client device. The authentication information supplied to the access router includes an authenticated client identifier and a corresponding authenticated link identifier for the client device that attached to the network based on the authenticated link identifier. The access router, in response to receiving a message that specifies the authenticated link identifier and a source IP address, adds the source IP address to a cache entry that specifies the authenticated client identifier and the corresponding authenticated link identifier, and outputs to an audit resource a record that specifies the source IP address and the authenticated link identifier.

Citations

31 Claims

1. A method in an Internet Protocol (IP) based router in a network, the method comprising:
- creating a cache entry specifying an authenticated client identifier and a corresponding authenticated link identifier for a client device attached to the network based on the authenticated link identifier;
  
  receiving a message that specifies the authenticated link identifier and a source IP address;
  
  adding the source IP address to the cache entry specifying the authenticated link identifier based on parsing the message; and
  
  outputting to an audit resource a record that specifies the source IP address and the authenticated link identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the outputting includes specifying within the record the corresponding authenticated client identifier.
  - 3. The method of claim 1, further comprising:
    - receiving a second message that specifies the authenticated link identifier and a second source IP address;
      
      the creating including creating a second cache entry specifying the authenticated client identifier, the corresponding authenticated link identifier, and the second source IP address, based on having determined the second source address is distinct from the source IP address;
      
      the outputting including outputting a second record specifying the second source IP address and the authenticated link identifier based on creation of the second cache entry.
  - 4. The method of claim 1, further comprising receiving the authenticated client identifier and the corresponding authenticated link identifier in a message from a link authentication device, the link authentication device having established with the client device a link having the corresponding authenticated link identifier.
  - 5. The method of claim 1, wherein the IP based router includes a link layer authentication portion, the method further comprising:
    - detecting by the link layer authentication portion establishment of a link with the client device on an identified link port;
      
      sending to an authentication server, by the link layer authentication portion, client device information including a client identifier; and
      
      selectively designating the client identifier as the authenticated client identifier and the an authenticated link identifier relative to the identified link port, based on having received an approval of the client identifier by the authentication server.
  - 6. The method of claim 5, wherein the selectively designating includes designating a Media Access Control (MAC) address used by the client device on the identified link port as the authenticated link identifier.
  - 7. The method of claim 5, wherein the selectively designating includes designating the identified link port as the authenticated link identifier.

8. A method in a network, the method comprising:
- in a link layer authentication device;
  
  (1) detecting an establishment of a link with a client device on an identified link port, (2) attempting authentication of the client device attached to the identified link port based on sending, to an authentication server, client device information including a client identifier, and (3) outputting to an IP router, based on authentication of the client device by the authentication server, the client identifier as an authenticated client identifier and an authenticated link identifier relative to the corresponding link port; and
  
  in the IP router;
  
  (1) receiving the authenticated client identifier and the corresponding authenticated link identifier, (2) creating a cache entry specifying the authenticated client identifier and the corresponding authenticated link identifier, (3) receiving a message that specifies the authenticated link identifier and a source IP address, (4) adding the source IP address to the cache entry specifying the authenticated link identifier based on parsing the message, and (5) outputting to an audit resource a record that specifies the source IP address and the authenticated link identifier.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, wherein the outputting by the IP router includes specifying within the record the corresponding authenticated client identifier.
  - 10. The method of claim 8, further comprising in the IP router:
    - receiving a second message that specifies the authenticated link identifier and a second source IP address;
      
      the creating including creating a second cache entry specifying the authenticated client identifier, the corresponding authenticated link identifier, and the second source IP address, based on having determined the second source address is distinct from the source IP address;
      
      the outputting including outputting a second record specifying the second source IP address and the authenticated link identifier based on creation of the second cache entry.
  - 11. The method of claim 8, wherein the outputting by the link layer authentication device includes designating a Media Access Control (MAC) address used by the client device on the identified link port as the authenticated link identifier.
  - 12. The method of claim 8, wherein the outputting by the link layer authentication device includes designating the identified link port as the authenticated link identifier.

13. An Internet Protocol (IP) based router configured for outputting IP packets in a network, the router comprising:
- means for creating a cache entry specifying an authenticated client identifier and a corresponding authenticated link identifier for a client device attached to the network based on the authenticated link identifier;
  
  means for receiving a message that specifies the authenticated link identifier and a source IP address, the means for creating configured for adding the source IP address to the cache entry specifying the authenticated link identifier based on parsing the message; and
  
  means for outputting to an audit resource a record that specifies the source IP address and the authenticated link identifier.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The router of claim 13, wherein the means for outputting is configured for specifying within the record the corresponding authenticated client identifier.
  - 15. The router of claim 13, wherein:
    - the means for receiving is configured for receiving a second message that specifies the authenticated link identifier and a second source IP address;
      
      the means for creating is configured for creating a second cache entry specifying the authenticated client identifier, the corresponding authenticated link identifier, and the second source address, based on having determined the second source address is distinct from the source IP address;
      
      the means for outputting is configured for outputting a second record specifying the second source IP address and the authenticated link identifier based on creation of the second cache entry.
  - 16. The router of claim 13, wherein the means for receiving is configured for receiving the authenticated client identifier and the corresponding authenticated link identifier in a message from a link authentication device, the link authentication device having established with the client device a link having the corresponding authenticated link identifier.
  - 17. The router of claim 13, further comprising a link layer authentication portion, the link layer authentication portion further comprising:
    - means for detecting establishment of a link with the client device on an identified link port;
      
      means for sending, to an authentication server, client device information including a client identifier, the means for sending configured for selectively designating the client identifier as the authenticated client identifier and the an authenticated link identifier relative to the identified link port, based on having received an approval of the client identifier by the authentication server.
  - 18. The router of claim 17, wherein the means for sending is configured for designating a Media Access Control (MAC) address used by the client device on the identified link port as the authenticated link identifier.
  - 19. The router of claim 17, wherein the means for sending is configured for designating the identified link port as the authenticated link identifier.

20. A network comprising:
- an IP router; and
  
  a link layer authentication device having;
  
  (1) means for detecting an establishment of a link with a client device on an identified link port, (2) means for attempting authentication of the client device attached to the identified link port based on sending, to an authentication server, client device information including a client identifier, and (3) means for outputting to the IP router, based on authentication of the client device by the authentication server, the client identifier as an authenticated client identifier and an authenticated link identifier relative to the corresponding link port;
  
  the IP router comprising;
  
  (1) means for receiving an authentication message specifying the authenticated client identifier and the corresponding authenticated link identifier, (2) means for creating a cache entry specifying the authenticated client identifier and the corresponding authenticated link identifier based on the authentication message, (3) the means for receiving further configured for receiving a message that specifies the authenticated link identifier and a source IP address, the means for creating configured for adding the source IP address to the cache entry specifying the authenticated link identifier based on parsing the message, and (4) means for outputting to an audit resource a record that specifies the source IP address and the authenticated link identifier.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The network of claim 20, wherein the means for outputting to the audit resource is configured for specifying within the record the corresponding authenticated client identifier.
  - 22. The network of claim 20, wherein:
    - the means for receiving is configured for receiving a second message that specifies the authenticated link identifier and a second source IP address;
      
      the means for creating further configured for creating a second cache entry specifying the authenticated client identifier, the corresponding authenticated link identifier, and the second source IP address, based on having determined the second source address is distinct from the source IP address;
      
      the means for outputting to the audit resource is configured for outputting a second record specifying the second source IP address and the authenticated link identifier based on creation of the second cache entry.
  - 23. The network of claim 20, wherein the means for attempting authentication is configured for designating a Media Access Control (MAC) address used by the client device on the identified link port as the authenticated link identifier.
  - 24. The network of claim 20, wherein the means for attempting authentication is configured for designating the identified link port as the authenticated link identifier.

25. A computer readable medium having stored thereon sequences of instructions, executable by a router, for tracking Internet Protocol (IP) address usage, the sequences of instructions including instructions for:
- creating a cache entry specifying an authenticated client identifier and a corresponding authenticated link identifier for a client device attached to the network based on the authenticated link identifier;
  
  receiving a message that specifies the authenticated link identifier and a source IP address;
  
  adding the source IP address to the cache entry specifying the authenticated link identifier based on parsing the message; and
  
  outputting to an audit resource a record that specifies the source IP address and the authenticated link identifier.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The medium of claim 25, wherein the outputting includes specifying within the record the corresponding authenticated client identifier.
  - 27. The medium of claim 25, further comprising instructions for:
    - receiving a second message that specifies the authenticated link identifier and a second source IP address;
      
      the creating including creating a second cache entry specifying the authenticated client identifier, the corresponding authenticated link identifier, and the second source IP address, based on having determined the second source address is distinct from the source IP address;
      
      the outputting including outputting a second record specifying the second source IP address and the authenticated link identifier based on creation of the second cache entry.
  - 28. The medium of claim 25, further comprising instructions for receiving the authenticated client identifier and the corresponding authenticated link identifier in a message from a link authentication device, the link authentication device having established with the client device a link having the corresponding authenticated link identifier.
  - 29. The medium of claim 25, wherein the IP based router includes a link layer authentication portion, the sequences of instructions further comprising instructions for:
    - detecting by the link layer authentication portion establishment of a link with the client device on an identified link port;
      
      sending to an authentication server, by the link layer authentication portion, client device information including a client identifier; and
      
      selectively designating the client identifier as the authenticated client identifier and the an authenticated link identifier relative to the identified link port, based on having received an approval of the client identifier by the authentication server.
  - 30. The medium of claim 29, wherein the selectively designating includes designating a Media Access Control (MAC) address used by the client device on the identified link port as the authenticated link identifier.
  - 31. The medium of claim 30, wherein the selectively designating includes designating the identified link port as the authenticated link identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Foo, Ian, Gleichauf, Robert Eric, Dobbins, Ellis Roland, Huegen, Craig Allen

Granted Patent

US 8,068,414 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/252
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04L 63/1466   Active attacks involving in...

H04L 63/162   at the data link layer

Arrangement for tracking IP address usage based on authenticated link identifier

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Arrangement for tracking IP address usage based on authenticated link identifier

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links