MECHANISM FOR ENABLING LAYER TWO HOST ADDRESSES TO BE SHIELDED FROM THE SWITCHES IN A NETWORK

US 20110078331A1
Filed: 12/05/2010
Published: 03/31/2011
Est. Priority Date: 10/22/2008
Status: Active Grant

First Claim

Patent Images

1. A method performed by a border component situated at a border of a network of switches, comprising:

receiving, by the border component from the network of switches, a first packet intended for a first host coupled to the border component, wherein the first host has a first L2 (layer

2) address and a first L3 (layer

3) address associated therewith, and wherein the first packet includes the first L3 address as a destination L3 address, and includes a substitute L2 address as a destination L2 address, wherein the substitute L2 address is associated with a communication channel of the border component;

accessing, by the border component, a data structure, wherein the data structure comprises a first set of information that indicates an association between the first L3 address and the first L2 address;

determining, by the border component, based at least partially upon the first L3 address in the first packet and the first set of information, that the destination L2 address for the first packet should be the first L2 address;

deriving, by the border component, a first updated packet from the first packet, wherein deriving the first updated packet comprises replacing the substitute L2 address with the first L2 address, thereby making the first L2 address the destination L2 address for the first updated packet; and

sending, by the border component, the first updated packet to the first host.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for shielding layer two host addresses (e.g., MAC addresses) from a network are provided. According to one embodiment, a border component of a network of switches receives a first packet intended for a first host having a first L2 address and a first L3 address associated therewith. The first packet includes the first L3 address and a substitute L2 address as destination addresses. The substitute L2 address is associated with a communication channel of the border component. A data structure including information regarding an association between the first L3 address and the first L2 address is accessed by the border component. A determination is made that the destination L2 address for the first packet should be the first L2 address. A first updated packet is derived from the first packet by replacing the substitute L2 address with the first L2 address and sent to the first host.

26 Citations

View as Search Results

24 Claims

1. A method performed by a border component situated at a border of a network of switches, comprising:
- receiving, by the border component from the network of switches, a first packet intended for a first host coupled to the border component, wherein the first host has a first L2 (layer
  
  2) address and a first L3 (layer
  
  3) address associated therewith, and wherein the first packet includes the first L3 address as a destination L3 address, and includes a substitute L2 address as a destination L2 address, wherein the substitute L2 address is associated with a communication channel of the border component;
  
  accessing, by the border component, a data structure, wherein the data structure comprises a first set of information that indicates an association between the first L3 address and the first L2 address;
  
  determining, by the border component, based at least partially upon the first L3 address in the first packet and the first set of information, that the destination L2 address for the first packet should be the first L2 address;
  
  deriving, by the border component, a first updated packet from the first packet, wherein deriving the first updated packet comprises replacing the substitute L2 address with the first L2 address, thereby making the first L2 address the destination L2 address for the first updated packet; and
  
  sending, by the border component, the first updated packet to the first host.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the first L2 address and the substitute L2 address are MAC (media access control) addresses, and wherein the first L3 address is an IP (Internet Protocol) address.
  - 3. The method of claim 1, further comprising:
    - receiving, from the network of switches, a second packet intended for a second host coupled to the border component, wherein the second host has a second L2 address and a second L3 address associated therewith, and wherein the second packet includes the second L3 address as a destination L3 address, and includes the substitute L2 address as a destination L2 address;
      
      accessing the data structure, wherein the data structure further comprises a second set of information that indicates an association between the second L3 address and the second L2 address;
      
      determining, based at least partially upon the second L3 address in the second packet and the second set of information, that the destination L2 address for the second packet should be the second L2 address;
      
      deriving a second updated packet from the second packet, wherein deriving the second updated packet comprises replacing the substitute L2 address with the second L2 address, thereby making the second L2 address the destination L2 address for the second updated packet; and
      
      sending the second updated packet to the second host.

4. A border component situated at a border of a network of switches, comprising:
- a communication channel; and
  
  a communication manager, wherein the communication manager comprises;
  
  means for receiving, from the network of switches via the communication channel, a first packet intended for a first host coupled to the communication channel, wherein the first host has a first L2 (layer
  
  2) address and a first L3 (layer
  
  3) address associated therewith, and wherein the first packet includes the first L3 address as a destination L3 address, and includes a substitute L2 address as a destination L2 address, wherein the substitute L2 address is associated with the communication channel;
  
  means for accessing a data structure, wherein the data structure comprises a first set of information that indicates an association between the first L3 address and the first L2 address;
  
  means for determining, based at least partially upon the first L3 address in the first packet and the first set of information, that the destination L2 address for the first packet should be the first L2 address;
  
  means for deriving a first updated packet from the first packet, wherein the means for deriving the first updated packet comprises means for replacing the substitute L2 address with the first L2 address, thereby making the first L2 address the destination L2 address for the first updated packet; and
  
  means for sending, via the communication channel, the first updated packet to the first host.
- View Dependent Claims (5, 6)
- - 5. The border component of claim 4, wherein the first L2 address and the substitute L2 address are MAC (media access control) addresses, and wherein the first L3 address is an IP (Internet Protocol) address.
  - 6. The border component of claim 4, wherein the communication manager further comprises:
    - means for receiving, from the network of switches via the communication channel, a second packet intended for a second host coupled to the communication channel, wherein the second host has a second L2 address and a second L3 address associated therewith, and wherein the second packet includes the second L3 address as a destination L3 address, and includes the substitute L2 address as a destination L2 address;
      
      means for accessing the data structure, wherein the data structure further comprises a second set of information that indicates an association between the second L3 address and the second L2 address;
      
      means for determining, based at least partially upon the second L3 address in the second packet and the second set of information, that the destination L2 address for the second packet should be the second L2 address;
      
      means for deriving a second updated packet from the second packet, wherein the means for deriving the second updated packet comprises means for replacing the substitute L2 address with the second L2 address, thereby making the second L2 address the destination L2 address for the second updated packet; and
      
      means for sending, via the communication channel, the second updated packet to the second host.

7. A border component situated at a border of a network of switches, comprising:
- a communication channel; and
  
  a communication manager configured to;
  
  receive, from the network of switches via the communication channel, a first packet intended for a first host coupled to the communication channel, wherein the first host has a first L2 (layer
  
  2) address and a first L3 (layer
  
  3) address associated therewith, and wherein the first packet includes the first L3 address as a destination L3 address, and includes a substitute L2 address as a destination L2 address, wherein the substitute L2 address is associated with the communication channel;
  
  access a data structure, wherein the data structure comprises a first set of information that indicates an association between the first L3 address and the first L2 address;
  
  determine, based at least partially upon the first L3 address in the first packet and the first set of information, that the destination L2 address for the first packet should be the first L2 address;
  
  derive a first updated packet from the first packet, wherein deriving the first updated packet comprises replacing the substitute L2 address with the first L2 address, thereby making the first L2 address the destination L2 address for the first updated packet; and
  
  send, via the communication channel, the first updated packet to the first host.
- View Dependent Claims (8, 9)
- - 8. The border component of claim 7, wherein the first L2 address and the substitute L2 address are MAC (media access control) addresses, and wherein the first L3 address is an IP (Internet Protocol) address.
  - 9. The border component of claim 7, wherein the communication manager is further configured to:
    - receive, from the network of switches via the communication channel, a second packet intended for a second host coupled to the communication channel, wherein the second host has a second L2 address and a second L3 address associated therewith, and wherein the second packet includes the second L3 address as a destination L3 address, and includes the substitute L2 address as a destination L2 address;
      
      access the data structure, wherein the data structure further comprises a second set of information that indicates an association between the second L3 address and the second L2 address;
      
      determine, based at least partially upon the second L3 address in the second packet and the second set of information, that the destination L2 address for second first packet should be the second L2 address;
      
      derive a second updated packet from the second packet, wherein deriving the second updated packet comprises replacing the substitute L2 address with the second L2 address, thereby making the second L2 address the destination L2 address for the second updated packet; and
      
      send, via the communication channel, the second updated packet to the second host.

10. A system comprising:
- a first border component comprising a first communication channel and a first communication manager, wherein the first border component is situated at a border of a network of switches and coupled to the network of switches via the first communication channel, wherein the first border component is also coupled to a first host via the first communication channel, and wherein the first communication channel has a particular L2 (layer
  
  2) address associated therewith; and
  
  a second border component comprising a second communication channel and a second communication manager, wherein the second border component is also situated at a border of the network of switches and coupled to the network of switches via the second communication channel, wherein the second border component is also coupled to a second host via the second communication channel, and wherein the second communication channel has a certain L2 address associated therewith;
  
  wherein the first communication manager is configured to;
  
  receive, from the first host via the first communication channel, a first packet destined for the second host, wherein the first host has a first L3 (layer
  
  3) address and a first L2 address associated therewith, wherein the second host has a second L3 address and a second L2 address associated therewith, and wherein the first packet includes the first L3 address as a source L3 address, includes the first L2 address as a source L2 address, includes the second L3 address as a destination L3 address, and includes the certain L2 address associated with the second communication channel of the second border component as a destination L2 address;
  
  derive a first updated packet from the first packet, wherein deriving the first updated packet comprises replacing the first L2 address with the particular L2 address associated with the first communication channel of the first border component, thereby making the particular L2 address the source L2 address for the first updated packet; and
  
  send, via the first communication channel, the first updated packet to the network of switches to be switched to the second border component; and
  
  wherein the second communication manager is configured to;
  
  receive, from the network of switches via the second communication channel, the first updated packet;
  
  access a certain data structure, wherein the certain data structure comprises a first set of information that indicates an association between the second L3 address and the second L2 address;
  
  determine, based at least partially upon the second L3 address in the first updated packet and the first set of information, that the destination L2 address for the first updated packet should be the second L2 address;
  
  derive a second updated packet from the first updated packet, wherein deriving the second updated packet comprises replacing the certain L2 address associated with the second communication channel of the second border component with the second L2 address, thereby making the second L2 address the destination L2 address for the second updated packet; and
  
  send, via the second communication channel, the second updated packet to the second host.
- View Dependent Claims (11, 12)
- - 11. The system of claim 10, wherein the second communication manager is further configured to:
    - receive, from the second host via the second communication channel, a second packet destined for the first host, wherein the second packet includes the second L3 address as a source L3 address, includes the second L2 address as a source L2 address, includes the first L3 address as a destination L3 address, and includes the particular L2 address associated with the first communication channel of the first border component as a destination L2 address;
      
      derive a third updated packet from the second packet, wherein deriving the third updated packet comprises replacing the second L2 address with the certain L2 address associated with the second communication channel of the second border component, thereby making the certain L2 address the source L2 address for the third updated packet; and
      
      send, via the second communication channel, the third updated packet to the network of switches to be switched to the first border component; and
      
      wherein the first communication manager is configured to;
      
      receive, from the network of switches via the first communication channel, the third updated packet;
      
      access a particular data structure, wherein the particular data structure comprises a second set of information that indicates an association between the first L3 address and the first L2 address;
      
      determine, based at least partially upon the first L3 address in the third updated packet and the second set of information, that the destination L2 address for the third updated packet should be the first L2 address;
      
      derive a fourth updated packet from the third updated packet, wherein deriving the fourth updated packet comprises replacing the particular L2 address associated with the first communication channel of the first border component with the first L2 address, thereby making the first L2 address the destination L2 address for the fourth updated packet; and
      
      send, via the first communication channel, the fourth updated packet to the first host.
  - 12. The system of claim 11, wherein the first L2 address, the second L2 address, the particular L2 address, and the certain L2 address are MAC (media access control) addresses, and wherein the first L3 address and the second L3 address are IP (Internet Protocol) addresses.

13. A method performed by a border component situated at a border of a network of switches, comprising:
- receiving, by the border component from the network of switches via a communication channel, a request packet requesting a L2 (layer
  
  2) address for a target host, wherein the target host has a first target L3 (layer
  
  3) address associated therewith, and wherein the request packet includes a first L2 address as a source L2 address, includes a first L3 address as a sending L3 address, and includes the first target L3 address as the L3 address for the target host for which a requested L2 address is being requested;
  
  determining, by the border component, whether the target host is a host that is coupled to the communication channel;
  
  in response to a determination that the target host is a host that is coupled to the communication channel, deriving, by the border component, a reply packet from the request packet, wherein deriving the reply packet comprises replacing the first L2 address with a substitute L2 address associated with the communication channel, thereby making the substitute L2 address the source L2 address for the reply packet, inserting the substitute L2 address into the reply packet to represent the requested L2 address for the target host, and making the first L2 address the destination L2 address for the reply packet; and
  
  sending, by the border component, the reply packet to the network of switches via the communication channel.
- View Dependent Claims (14)
- - 14. The method of claim 13, wherein the first L2 address and the substitute L2 address are MAC (media access control) addresses, and wherein the first L3 address and the first target L3 address are IP (Internet Protocol) addresses.

15. A border component situated at a border of a network of switches, comprising:
- a communication channel; and
  
  a communication manager, wherein the communication manager comprises;
  
  means for receiving, from the network of switches via the communication channel, a request packet requesting a L2 (layer
  
  2) address for a target host, wherein the target host has a first target L3 (layer
  
  3) address associated therewith, and wherein the request packet includes a first L2 address as a source L2 address, includes a first L3 address as a sending L3 address, and includes the first target L3 address as the L3 address for the target host for which a requested L2 address is being requested;
  
  means for determining whether the target host is a host that is coupled to the communication channel;
  
  means for deriving, in response to a determination that the target host is a host that is coupled to the communication channel, a reply packet from the request packet, wherein the means for deriving the reply packet comprises means for replacing the first L2 address with a substitute L2 address associated with the communication channel, thereby making the substitute L2 address the source L2 address for the reply packet, means for inserting the substitute L2 address into the reply packet to represent the requested L2 address for the target host, and means for making the first L2 address the destination L2 address for the reply packet; and
  
  means for sending the reply packet to the network of switches via the communication channel.
- View Dependent Claims (16)
- - 16. The border component of claim 15, wherein the first L2 address and the substitute L2 address are MAC (media access control) addresses, and wherein the first L3 address and the first target L3 address are IP (Internet Protocol) addresses.

17. A border component situated at a border of a network of switches, comprising:
- a communication channel; and
  
  a communication manager configured to;
  
  receive, from the network of switches via the communication channel, a request packet requesting a L2 (layer
  
  2) address for a target host, wherein the target host has a first target L3 (layer
  
  3) address associated therewith, and wherein the request packet includes a first L2 address as a source L2 address, includes a first L3 address as a sending L3 address, and includes the first target L3 address as the L3 address for the target host for which a requested L2 address is being requested;
  
  determine whether the target host is a host that is coupled to the communication channel;
  
  in response to a determination that the target host is a host that is coupled to the communication channel, derive a reply packet from the request packet, wherein deriving the reply packet comprises replacing the first L2 address with a substitute L2 address associated with the communication channel, thereby making the substitute L2 address the source L2 address for the reply packet, inserting the substitute L2 address into the reply packet to represent the requested L2 address for the target host, and making the first L2 address the destination L2 address for the reply packet; and
  
  send the reply packet to the network of switches via the communication channel.
- View Dependent Claims (18)
- - 18. The border component of claim 17, wherein the first L2 address and the substitute L2 address are MAC (media access control) addresses, and wherein the first L3 address and the first target L3 address are IP (Internet Protocol) addresses.

19. A method performed by a border component situated at a border of a network of switches, comprising:
- receiving, by the border component from the network of switches via a communication channel, a request packet requesting a L2 (layer
  
  2) address for a target host, wherein the target host has a first target L3 (layer
  
  3) address associated therewith, and wherein the request packet includes a first L2 address as a source L2 address, includes a first L3 address as a sending L3 address, and includes the first target L3 address as the L3 address for the target host for which a requested L2 address is being requested;
  
  determining, by the border component, whether the target host is a host that is coupled to the communication channel;
  
  in response to a determination that the target host is a host that is coupled to the communication channel, sending, by the border component, the request packet, or an updated version thereof, to the target host;
  
  receiving, by the border component, a reply packet from the target host, wherein the target host has a target host L2 address associated therewith, and wherein the reply packet includes the first L3 address, includes the first L2 address as a destination address, includes the first target L3 address, includes the target host L2 address as the requested L2 address for the target host, and includes the target host L2 address as a source L2 address;
  
  deriving, by the border component, an updated reply packet from the reply packet, wherein deriving the updated reply packet comprises replacing the target host L2 address with a substitute L2 address associated with the communication channel, thereby making the substitute L2 address the requested L2 address for the target host, and making the substitute L2 address the source L2 address for the updated reply packet; and
  
  sending, by the border component, the updated reply packet to the network of switches via the communication channel.
- View Dependent Claims (20)
- - 20. The method of claim 19, wherein the first L2 address, the target host L2 address, and the substitute L2 address are MAC (media access control) addresses, and wherein the first L3 address and the first target L3 address are IP (Internet Protocol) addresses.

21. A border component situated at a border of a network of switches, comprising:
- a communication channel; and
  
  a communication manager, wherein the communication manager comprises;
  
  means for receiving, from the network of switches via the communication channel, a request packet requesting a L2 (layer
  
  2) address for a target host, wherein the target host has a first target L3 (layer
  
  3) address associated therewith, and wherein the request packet includes a first L2 address as a source L2 address, includes a first L3 address as a sending L3 address, and includes the first target L3 address as the L3 address for the target host for which a requested L2 address is being requested;
  
  means for determining whether the target host is a host that is coupled to the communication channel;
  
  means for sending, in response to a determination that the target host is a host that is coupled to the communication channel, the request packet, or an updated version thereof, to the target host;
  
  means for receiving a reply packet from the target host, wherein the target host has a target host L2 address associated therewith, and wherein the reply packet includes the first L3 address, includes the first L2 address as a destination address, includes the first target L3 address, includes the target host L2 address as the requested L2 address for the target host, and includes the target host L2 address as a source L2 address;
  
  means for deriving an updated reply packet from the reply packet, wherein the means for deriving the updated reply packet comprises means for replacing the target host L2 address with a substitute L2 address associated with the communication channel, thereby making the substitute L2 address the requested L2 address for the target host, and making the substitute L2 address the source L2 address for the updated reply packet; and
  
  means for sending the updated reply packet to the network of switches via the communication channel.
- View Dependent Claims (22)
- - 22. The border component of claim 21, wherein the first L2 address, the target host L2 address, and the substitute L2 address are MAC (media access control) addresses, and wherein the first L3 address and the first target L3 address are IP (Internet Protocol) addresses.

23. A border component situated at a border of a network of switches, comprising:
- a communication channel; and
  
  a communication manager configured to;
  
  receive, from the network of switches via the communication channel, a request packet requesting a L2 (layer
  
  2) address for a target host, wherein the target host has a first target L3 (layer
  
  3) address associated therewith, and wherein the request packet includes a first L2 address as a source L2 address, includes a first L3 address as a sending L3 address, and includes the first target L3 address as the L3 address for the target host for which a requested L2 address is being requested;
  
  determine whether the target host is a host that is coupled to the communication channel;
  
  send, in response to a determination that the target host is a host that is coupled to the communication channel, the request packet, or an updated version thereof, to the target host;
  
  receive a reply packet from the target host, wherein the target host has a target host L2 address associated therewith, and wherein the reply packet includes the first L3 address, includes the first L2 address as a destination address, includes the first target L3 address, includes the target host L2 address as the requested L2 address for the target host, and includes the target host L2 address as a source L2 address;
  
  derive an updated reply packet from the reply packet, wherein deriving the updated reply packet comprises replacing the target host L2 address with a substitute L2 address associated with the communication channel, thereby making the substitute L2 address the requested L2 address for the target host, and making the substitute L2 address the source L2 address for the updated reply packet; and
  
  send the updated reply packet to the network of switches via the communication channel.
- View Dependent Claims (24)
- - 24. The border component of claim 23, wherein the first L2 address, the target host L2 address, and the substitute L2 address are MAC (media access control) addresses, and wherein the first L3 address and the first target L3 address are IP (Internet Protocol) addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
TANAKA, BERT H., MIHELICH, JOSEPH R.

Granted Patent

US 8,125,996 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/245
CPC Class Codes

H04L 12/4625   Single bridge functionality...

H04L 12/56   Packet switching systems

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 45/00   Routing or path finding of ...

H04L 45/66   Layer 2 routing, e.g. in Et...

H04L 45/74   Address processing for routing

H04L 49/25   Routing or path finding in ...

H04L 49/351   for local area network [LAN...

H04L 61/2596   Translation of addresses of...

MECHANISM FOR ENABLING LAYER TWO HOST ADDRESSES TO BE SHIELDED FROM THE SWITCHES IN A NETWORK

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

MECHANISM FOR ENABLING LAYER TWO HOST ADDRESSES TO BE SHIELDED FROM THE SWITCHES IN A NETWORK

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others