System and method for source IP anti-spoofing security

US 7,523,485 B1
Filed: 07/31/2003
Issued: 04/21/2009
Est. Priority Date: 05/21/2003
Status: Active Grant

First Claim

Patent Images

1. A method for providing port security in a network device, the method comprising:

receiving a first data packet on a port of the network device, the first data packet including a first MAC address and a first source IP address;

determining if the first MAC address is a new MAC address that is not included in a table of the network device, the table configured to store a plurality of source IP address and MAC address pairs;

if the first MAC address is a new MAC address, learning the first source IP address, wherein the first MAC address and the first source IP address form a first source IP address and MAC address pair, and wherein said learning is delayed from a time of receipt of the first data packet until a predetermined amount of traffic has passed through the port;

upon learning, storing the first source IP address and MAC address pair in the table; and

using the table to control transmission of data packets through the port.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets.

Citations

19 Claims

1. A method for providing port security in a network device, the method comprising:
- receiving a first data packet on a port of the network device, the first data packet including a first MAC address and a first source IP address;
  
  determining if the first MAC address is a new MAC address that is not included in a table of the network device, the table configured to store a plurality of source IP address and MAC address pairs;
  
  if the first MAC address is a new MAC address, learning the first source IP address, wherein the first MAC address and the first source IP address form a first source IP address and MAC address pair, and wherein said learning is delayed from a time of receipt of the first data packet until a predetermined amount of traffic has passed through the port;
  
  upon learning, storing the first source IP address and MAC address pair in the table; and
  
  using the table to control transmission of data packets through the port.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 17, 18)
- - 2. The method of claim 1, wherein using the table to control transmission of data packets through the port comprises:
    - receiving a second data packet on the port, the second data packet including a second source IP address and a second MAC address, the second source IP address and second MAC address forming a second source IP address and MAC address pair;
      
      comparing the second source IP address and MAC address pair with source IP address and MAC address pairs stored in the table; and
      
      passing the second data packet through the port, when the second source IP address and MAC address pair is found in the table.
  - 3. The method of claim 2 further comprising:
    - performing a reverse IP check to confirm the learned first source IP address.
  - 4. The method of claim 2 wherein the learning of the first source IP address utilizes at least one process selected from the following group of processes:
    - (1) using a reverse address resolution protocol;
      
      (2) listening to a DHCP response packet;
      
      (3) watching for a IP header information in a data packet; and
      
      (4) listening to ARP requests and ARP reply messages.
  - 5. The method of claim 2 wherein the table is stored in an access control list of a content addressable memory device.
  - 6. The method of claim 2 further comprising:
    - detecting when a device having a third source IP address, which is stored in the table, is no longer coupled to the port; and
      
      removing the third source IP address from the table when the device having the third source IP address is determined to no longer be coupled to the port.
  - 7. The method of claim 2 further comprising:
    - detecting when a device having the learned first source IP address, which is stored in the table, is no longer coupled to the port; and
      
      removing the learned first source IP address from the table when the device having the learned first source IP address is determined to no longer be coupled to the port.
  - 8. The method of claim 2 further comprising receiving input from a system administrator which selects a maximum number of source IP addresses which have access through a port.
  - 9. The method of claim 2 further comprising receiving input from a system administrator which selects ports of the plurality of ports, where access though selected ports will be provided based on a source IP address and MAC address pair contained in a data packet.
  - 10. The method of claim 2 further comprising:
    - receiving a third data packet on the port; and
      
      blocking the third data packet at the port, if a third source IP address and a third MAC address for the third data packet is determined to not be stored in the table, and a maximum number of source IP addresses already have access through the port.
  - 11. The method of claim 2 further comprising:
    - receiving a third data packet on the port;
      
      determining a third source IP address and a third MAC address for the third data packet; and
      
      storing the third source IP address and the third MAC address in the table, if a maximum number of source IP addresses has not already been reached for the port, and passing the third data packet through the port.
  - 12. The method of claim 11 further comprising blocking the third data packet at the port, when the source IP address for the third data packet is determined to not be stored in the table, and a maximum number of source IP addresses already have access through the port.
  - 17. The method of claim 1, wherein using the table to control transmission of packets through the port comprises:
    - comparing a second source IP address and MAC address pair with source IP address and MAC address pairs stored in the table, the second source IP address and MAC address pair being determined from a second data packet received at the port;
      
      if the second source IP address and MAC address pair is found in the table, passing the second data packet through the port; and
      
      if the second source IP address and MAC address pair is not found in the table, blocking the second data packet at the port.
  - 18. The method of claim 17, wherein the network device includes a timer configured to clear the table of one or more source IP addresses at predetermined time intervals.

13. A network device for use in a computer network having a plurality of hosts each host having a MAC address, the network device comprising:
- a plurality of ports;
  
  a MAC detector which operates to identify source MAC addresses for data packets received at a first port of the plurality of ports;
  
  a source IP address detector which operates to identify source IP addresses for data packets received at the first port, a source IP address and source MAC address for a given data packet forming a source IP address and MAC address pair; and
  
  a processor which operates to;
  
  compare a first MAC address for a first data packet received on the first port with information in a table configured to store a plurality of source IP address and MAC address pairs;
  
  if the first MAC address is not found in the table, learn a first source IP address of the first data packet, wherein the first MAC address and first source IP address form a first source IP address and MAC address pair, and wherein said learning is delayed from a time of receipt of the first data packet until a predetermined amount of traffic has passed through the first port;
  
  upon learning, store the first source IP address and MAC address pair in the table;
  
  compare a second source IP address and MAC address pair for a second data packet received at the first port with the information in the table; and
  
  pass the second data packet through the first port when the second source IP address and MAC address pair is found in the table.
- View Dependent Claims (14, 15, 16)
- - 14. The network device of claim 13 wherein the network device includes a content addressable memory and wherein the table is stored in an access control list of the content addressable memory.
  - 15. The network device of claim 13 wherein the processor further operates to block the second data packet at the first port when the second source IP address and MAC address pair is not found in the table.
  - 16. The network device of claim 13 wherein the processor further operates to selectively block access to selected ports of the plurality of ports based on a source IP address contained in data packets received at a port.

19. A network device for use in a computer network having a plurality of hosts, each host having a MAC address, the network device comprising:
- a plurality of ports;
  
  a table configured to store a plurality of source IP address and MAC address pairs; and
  
  a processor configured to;
  
  receive a data packet on the port, the data packet including a MAC address and a source IP address;
  
  determine if the MAC address is a new MAC address that is not included in the table;
  
  if the MAC address is a new MAC address, learn the source IP address, wherein the MAC address and the source IP address form a source IP address and MAC address pair, and wherein said learning is delayed from a time of receipt of the data packet until a predetermined amount of traffic has passed through the port;
  
  upon learning, store the source IP address and MAC address pair in the table; and
  
  use the table to control transmission of data packets through the port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Foundry Networks Incorporated (Broadcom, Inc.)
Inventors
Kwan, Philip
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
POLTORAK, PIOTR

Application Number

US10/631,366
Time in Patent Office

2,091 Days
Field of Search

726 22- 23, 726 13- 14
US Class Current

726/2
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1466   Active attacks involving in...

System and method for source IP anti-spoofing security

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for source IP anti-spoofing security

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links