Method and apparatus for securing a layer II bridging switch/switch of subscriber aggregation

US 20070036160A1
Filed: 04/18/2006
Published: 02/15/2007
Est. Priority Date: 08/11/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a packet from an input circuit on a layer II bridging switch, the packet including a source address and a destination address; and

making a forwarding decision for the packet based on at least, one of the addresses of the packet being currently assigned to a second circuit, and, the type of that second circuit.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for securing a layer II bridging switch for subscriber aggregation is described. The method includes receiving packets from a circuit on the layer II bridging switch and making a forwarding decision for the packet based on at least one of the addresses of the packet being currently assigned to a second circuit.

Citations

20 Claims

1. A method, comprising:
- receiving a packet from an input circuit on a layer II bridging switch, the packet including a source address and a destination address; and
  
  making a forwarding decision for the packet based on at least, one of the addresses of the packet being currently assigned to a second circuit, and, the type of that second circuit.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein one of the addresses of the packet has been assigned to a third circuit.
  - 3. The method of claim 1, wherein the forwarding decision includes dropping the packet upon determining, the input circuit is untrusted, and the source address is assignedto a trusted circuit.
  - 4. The method of claim 1, wherein the forwarding decision includes dropping the packet upon determining, the input circuit is untrusted, and the source address is assigned to a different untrusted circuit and cannot be reassigned to the input untrusted circuit.

5. A method, comprising:
- receiving a packet from a first untrusted circuit on a layer II bridging switch, the packet including a source address and a destination address;
  
  dropping the packet upon determining, the source address is assigned to a trusted circuit, or the source address is assigned to a second untrusted circuit and cannot be reassigned to the first untrusted circuit; and
  
  forwarding the packet to the destination address upon determining the destination address is assigned to a trusted circuit.
- View Dependent Claims (6, 7)
- - 6. The method of claim 5 wherein the source address cannot be reassigned if the first untrusted circuit is restricted.
  - 7. The method of claim 5 wherein the source address cannot be reassigned if the source address is marked as static drop.

8. A method, comprising:
- receiving a packet from an input circuit, the packet including a source address and a destination address;
  
  upon determining the input circuit is a trusted input circuit, forwarding the packet to the destination address; and
  
  upon determining the input circuit is an untrusted input circuit, restricting network flow of the packet based upon circuit management rules.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8 wherein the circuit management rules include dropping the packet if, the source address is associated with a first untrusted circuit, and the destination address is associated with a second untrusted circuit.
  - 10. The method of claim 8 wherein the circuit management rules include, dropping the packet upon determining the source address of the packet is marked as static drop.
  - 11. The method of claim 8 wherein the circuit management rules include, dropping the packet upon determining the destination address of the packet is marked as static drop.
  - 12. The method of claim 8 wherein the circuit management rules include dropping the packet upon determining, the input circuit is restricted, and the source address is not associated with the input circuit.
  - 13. The method of claim 8 wherein the circuit management rules include dropping the packet if the source address of the packet is associated with a trusted circuit.

14. A method for forwarding a packet, comprising:
- receiving the packet from an input circuit, wherein the packet includes a source address and a destination address;
  
  dropping the packet if, the source address is associated with a first untrusted circuit, and the destination address is associated with a second untrusted circuit; and
  
  forwarding the packet if, the source address is associated with a third untrusted circuit, and the destination address is associated with a first trusted circuit.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14 wherein the address of the input circuit does not correspond with the source address of the packet.
  - 16. The method of claim 15 further comprising dropping the packet upon determining the input circuit is restricted.
  - 17. The method of claim 15 further comprising dropping the packet upon determining the source address of the packet is associated with a second trusted circuit.

18. A layer II bridging switch, comprising:
- a plurality of interfaces to transmit and receive packets over circuits; and
  
  an inter-circuit and circuit type security management module to make forwarding decisions for the packets received on at least some of the circuits, the receiving circuit type and addresses assigned to others of the circuits and their type.
- View Dependent Claims (19)
- - 19. The layer II bridging switch of claim 18 further comprising:
    - one or more tables to maintain identification of a plurality of circuits, the identification to include whether the plurality of circuits are untrusted or trusted, and maintain addresses of the plurality of circuits;
      
      a packet address lookup module coupled to the one or more tables to examine the one or more tables for the addresses assigned to the plurality of circuits;
      
      a circuit type lookup module coupled to the one or more tables and the packet address lookup module to examine types of the plurality of circuits; and
      
      a forwarding decision module coupled to the packet address lookup module and the circuit type lookup module to make a forwarding decision based on matches between the addresses of the packets and the addresses currently assigned to the plurality of circuits and those circuit types.

20. A method to forward a packet from an untrusted circuit to a trusted circuit, comprising:
- receiving a packet from the untrusted circuit;
  
  upon determining the untrusted circuit is unknown in a bridge table, entering the untrusted circuit into the bridge table, and examining the data packet to determine its destination;
  
  upon determining the destination of the data packet is a different untrusted circuit, dropping the data packet;
  
  forwarding the data packet to the trusted circuit

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ericsson AB (Telefonaktiebolaget LM Ericsson)
Original Assignee
Ericsson AB (Telefonaktiebolaget LM Ericsson)
Inventors
Pang, James, Lam, Peter

Granted Patent

US 7,778,250 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 45/66   Layer 2 routing, e.g. in Et...

H04L 49/602   Multilayer or multiprotocol...

H04L 63/0236   Filtering by address, proto...

H04L 63/1466   Active attacks involving in...

Method and apparatus for securing a layer II bridging switch/switch of subscriber aggregation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for securing a layer II bridging switch/switch of subscriber aggregation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links