Controlling ARP traffic to enhance network security and scalability in TCP/IP networks
Abstract
A method of preventing ARP broadcast flooding of subscriber access links where an ARP packet is received at a subscriber network edge device and the source and destination information contained within the ARP packet is compared to address lease information for subscribers of a subscriber network. If the destination information obtained from the ARP packet is not associated with an address lease assigned to one of the subscribers, the network device broadcasts the ARP packet only to network uplinks. The method further includes preventing subscribers of a subscriber network from spoofing ARP responses, that is, from answering an ARP request packet with an ARP response packet containing false information. The ARP response packet information is compared to address lease information for the transmitting subscriber. If the source information obtained from the ARP response packet corresponds to the address lease information of the transmitting subscriber, the ARP response packet is forwarded accordingly.
21 Claims
1. A method of preventing Address Resolution Protocol (ARP) broadcast flooding of subscriber access links, comprising:
receiving an Address Resolution Protocol (ARP) request packet at a subscriber network edge device, wherein the ARP request packet comprises source information including a source IP address and a source MAC address;
comparing, at the subscriber network edge device, source and destination information contained within the ARP request packet to an address lease information for subscribers of a subscriber network that comprises, for a subscriber, an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port that includes determining if the source IP address and the source MAC address match the address lease information of the subscriber;
broadcasting only on network uplinks coupled to the network edge device if the destination information obtained from the ARP request packet is not associated with the address lease information of at least one of the subscribers; and
discarding the ARP request packet if the source IP and the source MAC address do not match the address lease information of the subscriber.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A network edge device for preventing Address Resolution Protocol (ARP) broadcast flooding of subscriber access links, comprising:
at least one first network port for transmitting and receiving network packets, including Address Resolution Protocol (ARP) request packets, to and from a subscriber network, wherein an ARP request packet comprises source information including a source IP address and a source MAC address;
at least one second network port coupled to the first network port, the second network port for transmitting and receiving network packets, including ARP request packets, to and from a provider network; and
means for comparing, at the network edge device, source and destination information contained within the ARP request packets received at either the first or second network port to an address lease information for subscribers of the subscriber network that comprises, for a subscriber, an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port that includes determining if the source IP address and the source MAC address match the address lease information of the subscriber, and broadcasting only on the second network port if the destination information obtained from the ARP request packets is not associated with the address lease information assigned to one or more of the subscribers, and discarding the ARP request packet if the source IP and the source MAC address do not match the address lease information of the subscriber.
Dependent claims: 11, 12, 13, 14, 15.
16. A machine readable medium having embodied thereon an instruction set, the instruction set being executable by a machine to perform a method, the method comprising:
receiving an Address Resolution Protocol (ARP) request packet at a subscriber network edge device;
comparing, at the subscriber network edge device, source and destination information contained within the ARP request packet to an address lease information for subscribers of a subscriber network that comprises, for a subscriber, an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port that includes determining if the source IP address and the source MAC address match the address lease information of the subscriber;
broadcasting only on network uplinks coupled to the network edge device if the destination information obtained from the ARP request packet is not associated with the address lease information of at least one of the subscribers; and
discarding the ARP request packet if the source IP and the source MAC address do not match the address lease information of the subscriber.
Dependent claims: 17, 18, 19, 20, 21.
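The request and reply checks described in the abstract and restated in claims 1, 10 and 16, written out as an added example (this is not code from the patent or from any product that practises it). The names `Lease`, `ArpGuard`, `Action`, the port labels `sub1`/`sub2`/`up0` and the sample lease table are this example's own constructions; the lease table stands in for whatever the edge device learns from DHCP or static provisioning. Two behaviours are assumptions rather than claim text: ARP arriving on an uplink skips the sender check and is only ever forwarded to the single subscriber port holding the target IP (never flooded to access links), and a packet whose target lease is the sender's own port is dropped instead of being echoed back.

```python
"""Lease-checked ARP forwarding at a subscriber edge device (added example)."""
import struct
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


class Action(Enum):
    DROP = "drop"
    UPLINKS_ONLY = "forward on uplinks only"
    TO_SUBSCRIBER = "forward to one subscriber port"


@dataclass(frozen=True)
class Lease:          # one row of the per-subscriber (IP, MAC, port) table
    ip: str
    mac: str
    port: str


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(body: bytes) -> ArpPacket:
    """Parse the 28-byte Ethernet/IPv4 ARP body that follows the Ethernet header."""
    if len(body) < 28:
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", body[8:28])
    return ArpPacket(op, _mac_str(sha), _ip_str(spa), _mac_str(tha), _ip_str(tpa))


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Inverse of parse_arp; used here only to construct sample packets."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                       _mac_bytes(target_mac), _ip_bytes(target_ip))


class ArpGuard:
    """Applies the lease checks to ARP requests and replies at the edge device."""

    def __init__(self, leases: Iterable[Lease], uplink_ports: Iterable[str]):
        leases = list(leases)
        self.by_port = {l.port: l for l in leases}
        self.by_ip = {l.ip: l for l in leases}
        self.uplinks = set(uplink_ports)

    def decide(self, ingress_port: str, body: bytes) -> Tuple[Action, Optional[str]]:
        pkt = parse_arp(body)
        if pkt.op not in (ARP_REQUEST, ARP_REPLY):
            return Action.DROP, None
        if ingress_port not in self.uplinks:
            # Subscriber side: sender IP *and* MAC must match the lease bound to
            # the ingress port. This discards spoofed requests and spoofed
            # replies alike (e.g. a subscriber answering for the gateway's IP).
            lease = self.by_port.get(ingress_port)
            if lease is None or (pkt.sender_ip, pkt.sender_mac) != (lease.ip, lease.mac):
                return Action.DROP, None
        # Destination check: a target IP held by a subscriber goes to that one
        # port; anything else goes to the uplinks only, so access links are
        # never flooded. Uplink-ingress handling is an assumption of this example.
        target = self.by_ip.get(pkt.target_ip)
        if target is None:
            return Action.UPLINKS_ONLY, None
        if target.port == ingress_port:
            return Action.DROP, None      # assumption: never echo back to the sender
        return Action.TO_SUBSCRIBER, target.port


# Constructed sample lease table (what a DHCP-snooping style binding table holds).
LEASES = [
    Lease("10.0.0.11", "aa:bb:cc:00:00:11", "sub1"),
    Lease("10.0.0.12", "aa:bb:cc:00:00:12", "sub2"),
]
GUARD = ArpGuard(LEASES, uplink_ports={"up0"})
ZERO_MAC = "00:00:00:00:00:00"
GATEWAY_IP = "10.0.0.1"   # reachable via the uplink; not a subscriber lease

if __name__ == "__main__":
    spoofed = build_arp(ARP_REPLY, "aa:bb:cc:00:00:12", GATEWAY_IP,
                        "aa:bb:cc:00:00:11", "10.0.0.11")
    print("sub2 claiming the gateway ->", GUARD.decide("sub2", spoofed))
```

The sender check is what stops the classic subscriber-side man-in-the-middle: `sub2` answering `sub1`'s request for the gateway with its own MAC fails the lease comparison and is dropped before it reaches any access link. The destination check is what removes the flooding: a request for an IP that no subscriber holds leaves on the uplinks only, and a request for a leased IP is delivered to exactly one access port.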
Specification