Method of preventing infection propagation in a dynamic multipoint virtual private network

US 20080047011A1
Filed: 08/01/2006
Published: 02/21/2008
Est. Priority Date: 08/01/2006
Status: Active Grant

First Claim

Patent Images

1. A method of preventing infection propagation in a Dynamic Multipoint Virtual Private Network comprising:

receiving an indication at a hub router that a spoke router site, including a spoke router in communication with said hub router, has become infected;

sending a purge message to said spoke router, said purge message directing said spoke router to purge at least one Next Hop Resolution Protocol (NHRP) request; and

purging, by said spoke router, at least one cached entry from a database and refraining from resolving any next-hop requests from said spoke router.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus and computer program product for preventing infection propagation in a DMVPN is presented. An infected spoke router site is isolated from the DMVPN network such that the spoke router may (bi-directionally) completely or partially limit communicating with any network devices (including the hub router, any other spoke routers etc.) within the DMVPN which prevents the DMVPN melt-down, isolates a worm-infected spoke router site from the rest of the DMVPN and restricts the spread of the worm within the DMVPN network.

Citations

26 Claims

1. A method of preventing infection propagation in a Dynamic Multipoint Virtual Private Network comprising:
- receiving an indication at a hub router that a spoke router site, including a spoke router in communication with said hub router, has become infected;
  
  sending a purge message to said spoke router, said purge message directing said spoke router to purge at least one Next Hop Resolution Protocol (NHRP) request; and
  
  purging, by said spoke router, at least one cached entry from a database and refraining from resolving any next-hop requests from said spoke router.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 further comprising sending, by said spoke router, a purge reply message to said hub router acknowledging the purging of the spoke router database.
  - 3. The method of claim 2 further comprising invalidating, by said hub router, next-hop information for said spoke router at other spoke routers in communication with said hub router.
  - 4. The method of claim 1 further comprising said hub router refusing to receive traffic from said spoke router.
  - 5. The method of claim 1 further comprising said hub router receiving traffic from said spoke router and forwarding said traffic to a traffic cleansing device.
  - 6. The method of claim 5 further comprising said hub router receiving cleaned traffic from said traffic cleansing device, and forwarding said cleaned traffic to appropriate spoke routers.
  - 7. The method of claim 1 wherein said receiving an indication at a hub router that a spoke router site including spoke router in communication with said hub router has an infection further comprises said hub router sending an Access Control List (ACL) to said spoke router.
  - 8. The method of claim 7 further comprising said spoke router installing said ACL such that said ACL causes traffic from said spoke router to other spoke routers to be dropped at said spoke router.
  - 9. The method of claim 8 further comprising said ACL causing traffic from said spoke router to said hub router to be dropped by said spoke router.
  - 10. The method of claim 1 further comprising receiving an indication at said hub router that the spoke router site including a spoke router in communication with said hub router is no longer infected, and sending a resume message to said spoke router.
  - 11. The method of claim 10 further comprising:
    - receiving said resume message at said spoke router;
      
      sending a reply to said resume message to said hub router; and
      
      sending relevant NHRP requests to said hub router.
  - 12. The method of claim 1 wherein said receiving an indication at a hub router that a spoke router site including a spoke router in communication with said hub router has become infected comprises exceeding a limit for one of the group consisting of a number of resolution requests sent from said spoke router to said hub router and a number of resolution replies sent from said hub router to said spoke router.

13. A hub router comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface; and
  
  wherein the memory is encoded with an infection propagation prevention application that when performed on the processor, provides a process for processing information, the process causing the network device to be capable of performing the operations of;
  
  receiving an indication that a spoke router site including a spoke router in communication with said network device has become infected; and
  
  sending a purge message to said spoke router, said purge message directing said spoke router to purge at least one NextHop Resolution Request.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The hub router of claim 13 wherein said hub router invalidates next-hop information for said spoke router at other spoke routers and also forces no more next-hop resolution for said spoke router at other spoke routers, by sending the purge request to the other spoke routers.
  - 15. The hub router of claim 13 wherein said network device refuses to receive traffic from said spoke router.
  - 16. The hub router of claim 13 wherein said network device receives traffic from said spoke router and forwards said traffic to a scrubber.
  - 17. The hub router of claim 16 wherein said network device receives cleaned traffic from said scrubber, and forwards said cleaned traffic to appropriate spoke routers.
  - 18. The hub router of claim 13 wherein said receiving an indication that a spoke router in communication with said hub router has an infection further comprises sending an Access Control List (ACL) to said spoke router.
  - 19. The hub router of claim 13 wherein said network device receives an indication that the spoke router is no longer infected, and sends a resume message to said spoke router.

20. A spoke router comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface; and
  
  wherein the memory is encoded with an infection propagation prevention application that when performed on the processor, provides a process for processing information, the process causing the network device to be capable of performing the operations of;
  
  receiving a purge message from a hub router; and
  
  purging at least one cached entry from a database and refraining from resolving one or more next-hop.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The spoke router of claim 20 wherein said spoke router sends a purge reply message to said hub router acknowledging the purging of the network device database.
  - 22. The spoke router of claim 21 wherein said spoke router installs an Access Control List (ACL) such that said ACL causes traffic from said spoke router to other spoke routers to be dropped at said spoke router.
  - 23. The spoke router of claim 22 wherein said ACL causes traffic from said spoke router to said hub router to be dropped by said spoke router.
  - 24. The spoke router of claim 20 wherein said spoke router receives a resume message, sends a reply to said resume message to said hub router, and sends relevant resolution requests to said hub router.

25. A spoke router comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  wherein the memory is encoded with a probabilistic signature generation application that when executed on the processor configures the computerized device with a means for generating a signature, the means including;
  
  means for receiving a purge message from a hub router; and
  
  means for purging at least one cached entry from a database and refraining from resolving one or more next-hop.

26. A hub router comprising:
- a memory;
  
  a processor;
  
  a communications interface;
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  wherein the memory is encoded with a probabilistic signature generation application that when executed on the processor configures the computerized device with a means for generating a signature, the means including;
  
  means for receiving an indication that a spoke router site including a spoke router in communication with said network device has become infected; and
  
  means for sending a purge message to said spoke router, said purge message directing said spoke router to purge at least one NextHop Resolution Request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Khalid, Mohamed, Asati, Rajiv, Niazi, Haseeb, Guy, Jason

Granted Patent

US 8,307,442 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/145 the attack involving the pr...

Method of preventing infection propagation in a dynamic multipoint virtual private network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method of preventing infection propagation in a dynamic multipoint virtual private network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links