System and method for controlled access to shared-medium public and semi-public internet protocol (IP) networks
Abstract
A system and method prevent unauthorized users and devices, in a dynamic user/device environment, from obtaining access to shared-medium public and semi-public IP networks. A network includes a layered communication system and routers/switches for coupling users and devices to a Dynamic Host Configuration Protocol (DHCP) server and an authentication server. Databases support the servers. The network incorporates the Address Resolution Protocol (ARP). Authorized users and devices register for service by providing the DHCP server with user identification for log-in, passwords, MAC addresses, etc. When a user connects to a network access point, a DHCP exchange is initiated to obtain a valid IP address and other associated parameters. The DHCP client broadcasts a request for an IP address that carries the end user's device MAC address. The associated router/switch picks up the request and forwards it to a DHCP server. The DHCP server processes the request, extracts the end user's device MAC address, and uses that MAC address to look up the device and/or user information in its database. If the MAC address is not registered, the DHCP server refuses to handle the request and logs the attempt, potentially alerting network operators to a security breach. If the MAC address is registered, the DHCP server selects an appropriate IP address and associated parameters to return to the requesting end user and connects, via a programming or command interface, to the router/switch that is forwarding the DHCP request on behalf of the end user device. The server adds an ARP table entry on that router/switch binding the selected IP address to the end user's MAC address. The end user device's authentication state and IP lease are marked as provisional, and a timer is started for a suggested duration.
Optionally, the DHCP server dynamically sets up filter rules in the router/switch limiting the device's access to a subset of IP addresses, such as the address of a log-in server. Initial DHCP processing then completes and the IP address is assigned to the requesting end user's device. When the timer expires, if the DHCP server finds the user's authentication state is still provisional, it revokes the IP lease, invalidates the corresponding ARP-to-MAC table entry in the associated router/switch, and resets any IP-permissive filtering for that device. If the user is in the fully authenticated state, it simply removes the restrictive filtering.
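The admission flow described above, as an added example that is not part of the patent: a Python simulation of the DHCP-server-side logic together with a model of an access switch whose only ARP entries are the ones the server programs. The class and function names, the 10.0.0.0/24 address plan, the login server address 10.0.0.2 and the 120-second provisional timer are all assumptions, and the credential check performed by the login server is left out and represented by a single callback into the server.

```python
# Added example: simulation of the DHCP-gated admission scheme in the abstract.
# Every name and address below is an assumption made for this illustration.
from dataclasses import dataclass, field

LOGIN_SERVER_IP = "10.0.0.2"   # assumed address of the authentication/login server
PROVISIONAL_SECONDS = 120      # assumed value for the "suggested duration" timer


@dataclass
class AccessSwitch:
    """Router/switch with dynamic ARP disabled at the access ports: the only
    IP-to-MAC bindings that exist are the ones the DHCP server programs."""
    arp_table: dict = field(default_factory=dict)   # ip -> mac (static entries)
    filters: dict = field(default_factory=dict)     # mac -> set of permitted destination IPs

    def can_forward(self, src_ip: str, src_mac: str, dst_ip: str) -> bool:
        if self.arp_table.get(src_ip) != src_mac:   # no programmed binding: dropped
            return False
        allowed = self.filters.get(src_mac)          # None means unrestricted
        return allowed is None or dst_ip in allowed


@dataclass
class Lease:
    ip: str
    mac: str
    state: str          # "provisional" until the login server confirms, then "full"
    expires_at: float


class GatingDhcpServer:
    def __init__(self, switch, registered_macs, pool):
        self.switch = switch
        self.registered = {m.lower() for m in registered_macs}   # registration database
        self.pool = list(pool)
        self.leases = {}   # mac -> Lease
        self.audit = []    # (time, mac, event): the logged attempts operators are alerted on

    def handle_request(self, request: dict, now: float):
        """Process a DHCP request; only chaddr (the client MAC) decides registration."""
        mac = request["chaddr"].lower()
        if mac not in self.registered:
            self.audit.append((now, mac, "refused-unregistered"))
            return None                                  # refuse: no offer is sent
        ip = self.pool.pop(0)
        self.leases[mac] = Lease(ip, mac, "provisional", now + PROVISIONAL_SECONDS)
        self.switch.arp_table[ip] = mac                  # static ARP entry pushed to the switch
        self.switch.filters[mac] = {LOGIN_SERVER_IP}     # optional filter: login server only
        return {"yiaddr": ip, "chaddr": mac, "lease_time": PROVISIONAL_SECONDS}

    def on_authenticated(self, mac: str, now: float) -> bool:
        """Called by the login server after it has verified the user's credentials
        (the credential check itself is outside this example)."""
        lease = self.leases.get(mac.lower())
        if lease is None or now >= lease.expires_at:
            return False
        lease.state = "full"
        self.switch.filters.pop(lease.mac, None)         # lift the login-only restriction
        return True

    def expire(self, now: float) -> None:
        """Timer expiry: still-provisional leases lose lease, ARP binding and filter;
        leases already in the full state only lose any leftover restrictive filter."""
        for mac, lease in list(self.leases.items()):
            if now < lease.expires_at:
                continue
            if lease.state == "provisional":
                self.switch.arp_table.pop(lease.ip, None)
                self.switch.filters.pop(mac, None)
                self.pool.append(lease.ip)
                del self.leases[mac]
                self.audit.append((now, mac, "revoked-provisional-timeout"))
            else:
                self.switch.filters.pop(mac, None)

    def fast_restart(self, observed: dict, now: float) -> None:
        """Fast restart (claims 2, 11, 16): admit every observed IP/MAC binding at once,
        then cull the ones whose MAC is not in the registration database."""
        self.switch.arp_table.update(observed)
        for ip, mac in observed.items():
            if mac.lower() not in self.registered:
                self.switch.arp_table.pop(ip, None)
                self.audit.append((now, mac, "culled-after-restart"))


def demo() -> dict:
    """Walk a registered and an unregistered device through the flow (constructed data)."""
    sw = AccessSwitch()
    srv = GatingDhcpServer(sw, {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"},
                           ["10.0.0.10", "10.0.0.11"])
    good, bad, t = "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01", 0.0
    r = {}
    ip1 = srv.handle_request({"chaddr": good.upper()}, t)["yiaddr"]
    r["prov_login"] = sw.can_forward(ip1, good, LOGIN_SERVER_IP)              # True
    r["prov_other"] = sw.can_forward(ip1, good, "93.184.216.34")              # False
    r["refused"] = srv.handle_request({"chaddr": bad}, t) is None              # True
    r["static_blocked"] = sw.can_forward("10.0.0.99", bad, LOGIN_SERVER_IP)   # False
    srv.on_authenticated(good, t + 30)
    r["full_other"] = sw.can_forward(ip1, good, "93.184.216.34")              # True
    ip2 = srv.handle_request({"chaddr": "aa:bb:cc:dd:ee:02"}, t)["yiaddr"]
    srv.expire(t + PROVISIONAL_SECONDS)                  # device 2 never logged in
    r["expired_blocked"] = sw.can_forward(ip2, "aa:bb:cc:dd:ee:02", LOGIN_SERVER_IP)  # False
    r["ip_recycled"] = ip2 in srv.pool                                         # True
    srv.fast_restart({"10.0.0.20": "aa:bb:cc:dd:ee:02", "10.0.0.21": bad}, t + 200)
    r["restart_culled"] = "10.0.0.21" not in sw.arp_table                      # True
    r["audit"] = [e for _, _, e in srv.audit]
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the simulation makes visible that the prose does not: a device with an unregistered MAC gains nothing by configuring a static IP, because with dynamic ARP disabled the switch holds no binding for it and drops its traffic; and since chaddr is whatever the client puts in the request, the registration lookup alone only decides who receives an offer, so the provisional state with its login-server-only filter and the timer-driven revocation are what keep a copied MAC address from turning into full access.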
Claims (16)
1. In a dynamic user/device environment, a system preventing unauthorized user/devices from accessing a shared IP network, comprising:
a) a plurality of router/switches in a layered communication system coupled to the user/devices at access points;
b) a Dynamic Host Configuration Protocol (DHCP) server and database coupled to the router/switches;
c) means for storing in the database user/device registration information including a Medium Access Control (MAC) address;
d) means for disabling Address Resolution Protocol (ARP) in the router/switches for MAC addresses in a table at the access points;
e) means for initiating a user/device request including a MAC address with the DHCP server for access to the network;
f) means for determining from the request whether the MAC address is registered in the database for the user/device;
g) means for selecting an appropriate IP address if the user/device is registered or refusing to handle the request if the MAC address is not registered; and
h) means for adding an ARP entry to the MAC address table at the router/switch for the selected IP address and user/device MAC address, whereby the user/device has provisional access to the network.

2. The system of claim 1 further comprising:
i) means for allowing a fast network re-start by enabling all user/devices to join the network and subsequently culling the network for unauthorized user/devices.
3. The system of claim 1 further comprising:
j) an authentication or login server coupled to the network;
k) means for transferring the user/device to full access from provisional access to the network upon successful authentication by the authentication server.

4. The system of claim 1 further comprising:
l) means for starting a timer and setting up filter rules in the router/switches for access to an authentication server for login purposes within a selected timing period; and
m) means for transferring the user/device to full access from provisional access to the network upon successful authentication by the login server within the selected timing period.

5. The system of claim 4 further comprising:
n) means for invalidating the ARP-to-MAC table entry for the user/device if the timing period expires before authentication of the user/device by the login server.

6. The system of claim 4 further comprising:
o) means for resetting the filter rules if the timing period expires before authentication of the user/device by the login server.
7. In a controlled or shared access network including a layered communication system, a DHCP server and database, an Address Resolution Protocol (ARP) installed in the network, an authentication server, and a timer for limiting authentication of a user/device to access the network, a method of preventing unauthorized user/devices from obtaining shared network services, comprising the steps of:
a) initiating a DHCP exchange by a user/device in an attempt to obtain a valid IP address;
b) initiating a MAC broadcast DHCP request for an IP address which contains the user/device MAC address;
c) forwarding the request to a DHCP server for processing and extraction of the user/device MAC address;
d) accessing the database to determine if the user/device is registered;
e) refusing to handle the request if the user/device MAC address is not registered and invalid;
f) selecting an appropriate IP address to return to the end user if the address is registered and valid;
g) adding an ARP entry binding the selected IP address to the user/device MAC address;
h) granting provisional access to the user/device within a timer period during which the user is authenticated or access is revoked; and
i) disabling the Address Resolution Protocol (ARP) in the router/switches for MAC addresses in a table at the access points prior to receiving user/device requests for access to the network.

8. The method of claim 7 further comprising the steps of:
j) starting the timer and setting up filter rules in the router/switches for access to the authentication server for login purposes within a selected timing period; and
k) transferring the user/device to full access from provisional access to the network upon successful authentication by the authentication server.
9. The method of claim 7 further comprising the step of:
l) invalidating the ARP-to-MAC table entry for the user/device if the timing period expires before authentication of the user/device by the authentication server.

10. The method of claim 7 further comprising the step of:
m) resetting the filter rules if the timing period expires before authentication of the user/device by the login server.

11. The method of claim 7 further comprising the step of:
n) allowing a fast network restart by enabling all user/devices to join the network and subsequently culling from the network any unauthorized user/device.
12. A medium, executable in a computer system, for preventing unauthorized user/devices from obtaining shared network services, comprising:
a) program instructions for initiating a DHCP exchange by a user/device in an attempt to obtain a valid IP address;
b) program instructions for initiating a MAC broadcast DHCP request for an IP address which contains the user/device MAC address;
c) program instructions for forwarding the request to a DHCP server for processing and extraction of the user/device MAC address;
d) program instructions for accessing the database to determine if the user/device is registered;
e) program instructions for refusing to handle the request if the user/device MAC address is not registered and invalid;
f) program instructions for selecting an appropriate IP address to return to the end user if the address is registered and valid;
g) program instructions for adding an ARP entry binding the selected IP address to the user/device MAC address;
h) program instructions for granting provisional access to the user/device within a timer period during which the user is authenticated or access is revoked; and
i) program instructions for disabling the Address Resolution Protocol (ARP) in the router/switches for MAC addresses in a table at the access points prior to receiving user/device requests for access to the network.

13. The medium of claim 12 further comprising:
j) program instructions for starting the timer and setting up filter rules in the router/switches for access to the authentication server for login purposes within a selected timing period; and
k) program instructions for transferring the user/device to full access from provisional access to the network upon successful authentication by the authentication server.
14. The medium of claim 12 further comprising:
l) program instructions for invalidating the ARP-to-MAC table entry for the user/device if the timing period expires before authentication of the user/device by the authentication server.

15. The medium of claim 12 further comprising:
m) program instructions for resetting the filter rules if the timing period expires before authentication of the user/device by the login server.

16. The medium of claim 12 further comprising:
n) program instructions for allowing a fast network restart by enabling all user/devices to join the network and subsequently culling from the network any unauthorized user/device.
Specification