Method and arrangement for preventing illegitimate use of IP addresses
Abstract
Illegitimate use of IP addresses is counteracted. A network (1) includes a switch (5) with ports (P1, P2, P3) to subscribers (6, 6A) and a port (PN) to a core network (2) with DHCP servers (4, 4a, 4b). The switch includes a database (MAC1, MAC2), port numbers (P1, P2) and VLAN identities (VLAN1, VLAN2) for the subscribers (6, 6A), and the filter has a list of trusted DHCP servers. Initially only DHCP messages from the subscribers are allowed. When the subscriber (6) requests (M1, M3) an IP address, it is checked that the request is a DHCP message with valid subscriber values (MAC1, P1, VLAN1). A response (M2, M4) with an allocated IP address (IP1) and lease time interval (T1) is checked to come from a trusted DHCP server. If so, a list in the filter (9) with correct information is dynamically generated (MAC1, P1, VLAN1, IP1, T1). A message (M5) from the subscriber (6) with a false IP address is discarded by the filter. Attempts by the subscriber to use a false IP address are counted and a warning signal is generated.
22 Claims
1-12. (canceled)
13. A method in an IP network, the network including a switch node, at least one DHCP server and at least one subscriber being associated with the node, the method including the steps of:
creating a list of trusted ones of the DHCP servers;
transmitting by the subscriber a DHCP request message for an IP address;
receiving a reply message, which carries an assigned subscriber IP address;
analysing the reply message to be a DHCP message and having a source address from one of the trusted DHCP servers;
updating a filter dynamically in the node, the filter storing an identification of the subscriber and the assigned subscriber IP address;
transmitting a frame from the subscriber using a source IP address;
comparing in the filter said source IP address with the stored subscriber IP address;
discarding said frame when said source IP address differs from the stored subscriber IP address.
18. A device in an IP network, the device including:
at least one port for a subscriber;
an uplink port for DHCP servers in the network; and
a filter device having a list of trusted ones of the DHCP servers, the filter device being associated with the ports;
wherein:
the device is operative to receive a subscriber IP address request message on the subscriber port, analyse it to be a DHCP message and transmit it on the uplink port;
the device is operative to receive a reply message on the uplink port, analyse it to be a DHCP message and to have a source IP address from one of the trusted DHCP servers on the list;
the device is operative to dynamically update the filter with an identification of the subscriber and a corresponding assigned subscriber IP address in the reply message;
the device is operative to receive a frame with a source IP address on the subscriber port;
the device is operative to compare in the filter said source IP address with the stored subscriber IP address; and
the device is operative to discard said frame when said source IP address differs from the stored subscriber IP address.
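The filter behaviour described in the abstract and in claims 13 and 18, as an added Python example (not code from the patent). The class name `SourceGuard`, its method names, the sample addresses, the warning threshold `warn_after`, and the treatment of an expired lease as an absent binding are assumptions made for illustration.

```python
class SourceGuard:
    """Switch filter: learns (MAC, port, VLAN) -> (IP, lease end) from trusted DHCP replies."""

    def __init__(self, trusted_servers, subscribers, warn_after=3):
        self.trusted = set(trusted_servers)   # list of trusted DHCP servers
        self.subscribers = set(subscribers)   # provisioned (mac, port, vlan) tuples
        self.bindings = {}                    # (mac, port, vlan) -> (ip, lease_end)
        self.attempts = {}                    # false-IP attempts per subscriber
        self.warnings = []                    # subscribers that reached the threshold
        self.warn_after = warn_after          # assumed threshold, not from the page

    def on_dhcp_request(self, mac, port, vlan):
        """Subscriber-port DHCP request: relay upstream only for known subscriber values."""
        return (mac, port, vlan) in self.subscribers

    def on_dhcp_reply(self, server_ip, mac, port, vlan, ip, lease, now):
        """Uplink DHCP reply: update the filter only if the server is trusted."""
        key = (mac, port, vlan)
        if server_ip not in self.trusted or key not in self.subscribers:
            return False
        self.bindings[key] = (ip, now + lease)
        return True

    def on_frame(self, mac, port, vlan, src_ip, now):
        """Subscriber-port data frame: True to forward, False to discard."""
        key = (mac, port, vlan)
        ip, lease_end = self.bindings.get(key, (None, 0))
        if ip == src_ip and now < lease_end:
            return True
        self.attempts[key] = self.attempts.get(key, 0) + 1
        if self.attempts[key] == self.warn_after:
            self.warnings.append(key)         # warning signal
        return False


# Constructed sample values (documentation address ranges).
SUB = ("02:00:00:00:00:01", "P1", 1)          # MAC1, P1, VLAN1

def demo():
    g = SourceGuard({"192.0.2.1"}, {SUB}, warn_after=2)
    out = [g.on_dhcp_request(*SUB),
           g.on_dhcp_reply("198.51.100.9", *SUB, "203.0.113.66", 600, now=0),  # untrusted server
           g.on_dhcp_reply("192.0.2.1", *SUB, "203.0.113.10", 600, now=0),     # IP1, T1
           g.on_frame(*SUB, "203.0.113.10", now=10),    # matches stored IP
           g.on_frame(*SUB, "203.0.113.99", now=20),    # false source IP
           g.on_frame(*SUB, "203.0.113.99", now=30),    # second attempt, warning raised
           g.on_frame(*SUB, "203.0.113.10", now=700)]   # lease expired
    return out, g.warnings

if __name__ == "__main__":
    print(demo())
```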
Specification