Method and apparatus for automatic filter generation and maintenance

US 7,870,603 B2
Filed: 08/26/2008
Issued: 01/11/2011
Est. Priority Date: 10/25/2002
Status: Active Grant

First Claim

Patent Images

1. A method, the method comprising the computer-implemented steps of:

detecting from one or more first network packets, an Internet Protocol (IP) address and a first Media Access Control (MAC) address;

wherein the IP address and the first MAC address are used to determine that the IP address and another MAC address that are detected in one or more second network packets is an illegal binding and wherein said another MAC address is different from the first MAC address;

causing a network element to create, in an address resolution protocol filter, based on the IP address and the first MAC address, one or more rules that cause the network element to prevent an address resolution protocol table from including a binding that includes only one of the IP address and the first MAC address; and

in response to detecting the IP address and said another MAC address in the one or more second network packets, preventing the address resolution protocol table from including the illegal binding that includes the IP address and said another MAC address.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for automatic filter generation and maintenance. From information transmitted on a network, a first device identifier and a second device identifier are detected. Based on the first and second device identifiers, a filter is automatically configured to deny network-transmitted information that attempts to establish an association between the first device identifier and a device identifier other than the second device identifier.

28 Citations

View as Search Results

20 Claims

1. A method, the method comprising the computer-implemented steps of:
- detecting from one or more first network packets, an Internet Protocol (IP) address and a first Media Access Control (MAC) address;
  
  wherein the IP address and the first MAC address are used to determine that the IP address and another MAC address that are detected in one or more second network packets is an illegal binding and wherein said another MAC address is different from the first MAC address;
  
  causing a network element to create, in an address resolution protocol filter, based on the IP address and the first MAC address, one or more rules that cause the network element to prevent an address resolution protocol table from including a binding that includes only one of the IP address and the first MAC address; and
  
  in response to detecting the IP address and said another MAC address in the one or more second network packets, preventing the address resolution protocol table from including the illegal binding that includes the IP address and said another MAC address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, wherein the one or more first network packets are Dynamic Host Configuration Protocol (DHCP) packets.
  - 3. The method as recited in claim 1, further comprising the computer-implemented steps of:
    - detecting, from one or more third network packets, an indication that a second IP address is relinquished by a device that has a second MAC address; and
      
      causing the network element to, based on detecting the one or more third network packets, remove, from an address resolution protocol filter, one or more rules that cause the network element to prevent an address resolution protocol table from including a binding that includes only one of the second IP address and the second MAC address.
  - 4. The method as recited in claim 1, further comprising the computer-implemented steps of:
    - sending a query to a server;
      
      receiving a response to the query; and
      
      based on detecting the one or more second network packets, causing the network element to remove, from an address resolution protocol filter, one or more rules that cause the network element to prevent an address resolution protocol table from including a binding that includes only one of the second IP address and the second MAC address.
  - 5. The method as recited in claim 1, further comprising the computer-implemented steps of:
    - detecting, within a specified period of time after detecting the IP address from the one or more first network packets, one or more third network packets that specify the IP address and a second MAC address that differs from the first MAC address; and
      
      in response to detecting the one or more third network packets, causing the network element to create, in an address resolution protocol filter, one or more rules that cause the network element to prevent an address resolution protocol table from including a binding that includes the IP address.
  - 6. The method as recited in claim 1, further comprising the computer-implemented steps of:
    - detecting, within a specified period of time after detecting the IP address in the one or more first network packets, one or more third network packets that specify the IP address and a second MAC address that differs from the first MAC address; and
      
      in response to detecting the one or more third network packets, generating a notification.
  - 7. The method as recited in claim 1, further comprising the computer-implemented steps of:
    - inspecting one or more second packets that are received within a specified period of time after detecting the IP address and the first MAC address from the one or more network packets; and
      
      upon determining that none of the one or more second network packets specifies the IP address and a second MAC address that differs from the first MAC address, causing the network element to include, in an address resolution protocol filter, one or more rules that cause the network element to prevent an ARP table from including a binding that includes only one of the IP address and the first MAC address.
  - 8. The method as recited in claim 1, wherein the address resolution protocol table is configured to be compatible with an IPv6 Neighbor Discovery Protocol.
  - 9. The method as recited in claim 1, further comprising the computer-implemented step of:
    - based on the detecting, including, in a filter, one or more rules that cause a network element to not transmit network packets that include only one of the IP address and the first MAC address.

10. A computer-readable storage medium storing one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- detecting from one or more first network packets, an Internet Protocol (IP) address and a first Media Access Control (MAC) address;
  
  wherein the IP address and the first MAC address are used to determine that the IP address and another MAC address that are detected in one or more second network packets is an illegal binding and wherein said another MAC address is different from the first MAC address;
  
  causing a network element to create, in an address resolution protocol filter, based on the IP address and the first MAC address, one or more rules that cause the network element to prevent an address resolution protocol table from including a binding that includes only one of the IP address and the first MAC address; and
  
  in response to detecting the IP address and said another MAC address in the one or more second network packets, preventing the address resolution protocol table from including the illegal binding that includes the IP address and said another MAC address.

11. An apparatus, comprising:
- means for detecting from one or more first network packets, an Internet Protocol (IP) address and a first Media Access Control (MAC) address;
  
  wherein the IP address and the first MAC address are used to determine that the IP address and another MAC address that are detected in one or more second network packets is an illegal binding and wherein said another MAC address is different from the first MAC address;
  
  means for causing a network element to create, in an address resolution protocol filter, based on the IP address and the first MAC address, one or more rules that cause the network element to prevent an address resolution protocol table from including a binding that includes only one of the IP address and the first MAC address; and
  
  means for preventing the address resolution protocol table from including the illegal binding that includes the IP address and said another MAC address, in response to detecting the IP address and said another MAC address in the one or more second network packets.

12. An apparatus for automatic filter generation and maintenance, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor; and
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  detecting from one or more first network packets, an Internet Protocol (IP) address and a first Media Access Control (MAC) address;
  
  wherein the IP address and the first MAC address are used to determine that the IP address and another MAC address that are detected in one or more second network packets is an illegal binding and wherein said another MAC address is different from the first MAC address;
  
  causing a network element to create, in an address resolution protocol filter, based on the IP address and the first MAC address, one or more rules that cause the network element to prevent an address resolution protocol table from including a binding that includes only one of the IP address and the first MAC address; and
  
  in response to detecting the IP address and said another MAC address in the one or more second network packets, preventing the address resolution protocol table from including the illegal binding that includes the IP address and said another MAC address.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The apparatus as recited in claim 12, wherein the network packet is a Dynamic Host Configuration Protocol (DHCP) packet.
  - 14. The apparatus as recited in claim 12, the one or more stored sequences of instructions further comprising instructions which, when executed by the processor, cause the processor to carry out the steps of:
    - detecting, from one or more third network packets, an indication that a second IP address is relinquished by a device that has a second MAC address; and
      
      causing the network element to, based on detecting the one or more third network packets, remove, from an address resolution protocol filter, one or more rules that cause the network element to prevent an address resolution protocol table from including a binding that includes only one of the second IP address and the second MAC address.
  - 15. The apparatus as recited in claim 12, the one or more stored sequences of instructions further comprising instructions which, when executed by the processor, cause the processor to carry out the steps of:
    - sending a query to a server;
      
      receiving a response to the query; and
      
      based on detecting the one or more second network packets, causing the network element to remove, from an address resolution protocol filter, one or more rules that cause the network element to prevent an address resolution protocol table from including a binding that includes only one of the second IP address and the second MAC address.
  - 16. The apparatus as recited in claim 12, the one or more stored sequences of instructions further comprising instructions which, when executed by the processor, cause the processor to carry out the steps of:
    - detecting, within a specified period of time after detecting the IP address from the one or more first network packets, one or more third network packets that specify the IP address and a second MAC address that differs from the first MAC address; and
      
      in response to detecting the one or more third network packets, causing the network element to create, in an address resolution protocol filter, one or more rules that cause the network element to prevent an address resolution protocol table from including a binding that includes the IP address.
  - 17. The apparatus as recited in claim 12, the one or more stored sequences of instructions further comprising instructions which, when executed by the processor, cause the processor to carry out the steps of:
    - detecting, within a specified period of time after detecting the IP address in the one or more first network packets, one or more third network packets that specify the IP address and a second MAC address that differs from the first MAC address; and
      
      in response to detecting the one or more third network packets, generating a notification.
  - 18. The apparatus as recited in claim 12, the one or more stored sequences of instructions further comprising instructions which, when executed by the processor, cause the processor to carry out the steps of:
    - inspecting one or more second packets that are received within a specified period of time after detecting the IP address and the first MAC address from the one or more network packets; and
      
      upon determining that none of the one or more second network packets specifies the IP address and a second MAC address that differs from the first MAC address, causing the network element to include, in an address resolution protocol filter, one or more rules that cause the network element to prevent an ARP table from including a binding that includes only one of the IP address and the first MAC address.
  - 19. The apparatus as recited in claim 12, wherein the address resolution protocol table is configured to be compatible with an IPv6 Neighbor Discovery Protocol.
  - 20. The apparatus as recited in claim 12, the one or more stored sequences of instructions further comprising instructions which, when executed by the processor, cause the processor to carry out the steps of:
    - based on the detecting, including, in a filter, one or more rules that cause a network element to not transmit network packets that include only one of the IP address and the first MAC address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Paggen, Christophe, Tabarovsky, Oleg, Foschiano, Marco, Kouzmitch, Andrei
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
To; Baotran N

Application Number

US12/198,646
Publication Number

US 20080313729A1
Time in Patent Office

868 Days
Field of Search

726/2, 726 11- 15, 713153-154, 709/227, 709/236, 709/238, 709/245, 370/292
US Class Current

726/13
CPC Class Codes

H04L 61/103 across network layers, e.g....

H04L 63/1441 Countermeasures against mal...

Method and apparatus for automatic filter generation and maintenance

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for automatic filter generation and maintenance

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others