Controlling ARP traffic to enhance network security and scalability in TCP/IP networks

US 7,490,351 B1
Filed: 03/12/2003
Issued: 02/10/2009
Est. Priority Date: 03/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method of preventing Address Resolution Protocol (ARP) broadcast flooding of subscriber access links, comprising:

receiving an Address Resolution Protocol (ARP) request packet at a subscriber network edge device, wherein the ARP request packet comprises source information including a source IP address and a source MAC address;

comparing, at the subscriber network edge device, source and destination information contained within the ARP request packet to an address lease information for subscribers of a subscriber network that comprises, for a subscriber, an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port that includes determining if the source IP address and the source MAC address match the address lease information of the subscriber;

broadcasting only on network uplinks coupled to the network edge device if the destination information obtained from the ARP request packet is not associated with the address lease information of at least one of the subscribers; and

discarding the ARP request packet if the source IP and the source MAC address do not match the address lease information of the subscriber.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of preventing ARP broadcast flooding of subscriber access links where an ARP packet is received at a subscriber network edge device and the source and destination information contained within the ARP packet is compared to address lease information for subscribers of a subscriber network. If the destination information obtained from the ARP packet is not associated with an address lease assigned to one of the subscribers, the network device only broadcasts the ARP packet to network uplinks. The method further includes preventing subscribers of a subscriber network from spoofing ARP responses by responding to an ARP request packet with an ARP response packet containing false information. The ARP response packet information is compared to address lease information for the transmitting subscriber. If the source information obtained from the ARP response packet corresponds to address lease information of the transmitting subscriber the ARP response packet is accordingly forwarded.

Citations

21 Claims

1. A method of preventing Address Resolution Protocol (ARP) broadcast flooding of subscriber access links, comprising:
- receiving an Address Resolution Protocol (ARP) request packet at a subscriber network edge device, wherein the ARP request packet comprises source information including a source IP address and a source MAC address;
  
  comparing, at the subscriber network edge device, source and destination information contained within the ARP request packet to an address lease information for subscribers of a subscriber network that comprises, for a subscriber, an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port that includes determining if the source IP address and the source MAC address match the address lease information of the subscriber;
  
  broadcasting only on network uplinks coupled to the network edge device if the destination information obtained from the ARP request packet is not associated with the address lease information of at least one of the subscribers; and
  
  discarding the ARP request packet if the source IP and the source MAC address do not match the address lease information of the subscriber.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein before receiving the packet the address lease information is stored in a database accessible by the network edge device.
  - 3. The method of claim 1, wherein the address lease information is stored in a database each time when the IP address is assigned to the subscriber.
  - 4. The method of claim 1, wherein the address lease information is obtained via a Dynamic Host Configuration Protocol (DHCP) relay/snooping.
  - 5. The method of claim 1, wherein the address lease information is statistically configured by a network administrator.
  - 6. The method of claim 1, wherein the destination information obtained from the ARP request packet includes a destination IP address.
  - 7. The method of claim 6, wherein the packet is forwarded to a subscriber link connected to the network edge device if the destination information is associated with any of the subscriber address lease information.
  - 8. The method of claim 6, wherein another of the subscribers transmits the ARP request packet.
  - 9. The method of claim 8, wherein the ARP request packet is discarded if the destination IP address of the ARP request packet corresponds to address lease information of the transmitting subscriber port.

10. A network edge device for preventing Address Resolution Protocol (ARP) broadcast flooding of subscriber access links, comprising:
- at least one first network port for transmitting and receiving network packets, including Address Resolution Protocol (ARP) request packets, to and from a subscriber network, wherein a ARP request packet comprises source information including a source IP address and a source MAC address;
  
  at least one second network port coupled to the first network port, the second network port for transmitting and receiving network packets, including ARP request packets, to and from a provider network; and
  
  means for comparing, at the network edge device, source and destination information contained within the ARP request packets received at either the first or second network port to an address lease information for subscribers of the subscriber network that comprises, for a subscriber, an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port that includes determining if the source IP address and the source MAC address match the address lease information of the subscriber, and broadcasting only on the second network port if the destination information obtained from the ARP request packets is not associated with the address lease information assigned to one or more of the subscribers, and discarding the ARP request packet if the source IP and the source MAC address do not match the address lease information of the subscriber.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The network device of claim 10, further comprising:
    - means for storing the address lease information in a database accessible by the means for comparing.
  - 12. The network device of claim 10, further comprising:
    - means for forwarding the ARP request packets to a subscriber link on the first network port of the network device if the destination information is associated with any of the subscriber address lease information.
  - 13. The network device of claim 10, further comprising:
    - means for discarding a subscriber transmitted ARP request packet if the destination IP address found within the ARP request packet corresponds to address lease information of the transmitting subscriber port.
  - 14. The network device of claim 10, wherein the address lease information is obtained via means for a Dynamic Host Configuration Protocol (DHCP) relay/snooping.
  - 15. The network device of claim 10, wherein the address lease information is statistically configured by a network administrator.

16. A machine readable medium having embodied thereon an instruction set, the instruction set being executable by a machine to perform a method, the method comprising:
- receiving an Address Resolution Protocol (ARP) request packet at a subscriber network edge device;
  
  comparing, at the subscriber network edge device, source and destination information contained within the ARP request packet to an address lease information for subscribers of a subscriber network that comprises, for a subscriber, an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port that includes determining if the source IP address and the source MAC address match the address lease information of the subscriber; and
  
  broadcasting only on network uplinks coupled to the network edge device if the destination information obtained from the ARP request packet is not associated with the address lease information of at least one of the subscribers; and
  
  discarding the ARP request packet if the source IP and the source MAC address do not match the address lease information of the subscriber.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The machine readable medium as recited in claim 16, wherein the method further includes forwarding the ARP request packet to a subscriber link if the destination information is associated with any of the subscriber address lease information.
  - 18. The machine readable medium as recited in claim 16, wherein the method further includes discarding a subscriber transmitted ARP request packet if the destination IP address found within the ARP request packet corresponds to address lease information of the transmitting subscriber.
  - 19. The machine readable medium as recited in claim 16, wherein the method further includes discarding the ARP response packet if the source information obtained from the ARP response packet does not correspond to address lease information of the responding subscriber.
  - 20. The machine-readable medium of claim 16, wherein the address lease information is obtained via a Dynamic Host Configuration Protocol (DHCP) relay/snooping.
  - 21. The machine-readable medium of claim 16, wherein the address lease information is statistically configured by a network administrator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Calix Incorporated
Original Assignee
Occam Networks Incorporated (Calix Incorporated)
Inventors
Ilgun, Koral, Altarac, Henri, Caves, Evan John
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Lipman; Jacob

Application Number

US10/388,251
Time in Patent Office

2,162 Days
Field of Search

726/13, 726/22
US Class Current

726/13
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 61/2546   Arrangements for avoiding u...

H04L 63/1466   Active attacks involving in...

Controlling ARP traffic to enhance network security and scalability in TCP/IP networks

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling ARP traffic to enhance network security and scalability in TCP/IP networks

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links