Arrangement for tracking IP address usage based on authenticated link identifier

US 8,068,414 B2
Filed: 08/09/2004
Issued: 11/29/2011
Est. Priority Date: 08/09/2004
Status: Active Grant

First Claim

Patent Images

1. A method in an Internet Protocol (IP) based router in a network, the method comprising:

creating by the router a cache entry in the router and that specifies an authenticated client identifier and a corresponding authenticated Media Access Control (MAC) address for a client device attached to the network based on the authenticated MAC address, the authenticated MAC address based on link layer authentication of a MAC address used by the client device relative to the authenticated client identifier and according to a prescribed link layer authentication protocol to authenticate use of the MAC address by the client device and to prevent spoofing of the authenticated MAC address;

receiving by the router a message originated by the client device and that specifies the authenticated MAC address and a source IP address, the router implemented as a default gateway for enabling the client device to access the network, wherein any packet output by a given client device and having a corresponding MAC address that has not been authenticated for use by the given client device is contained from access to the network;

the router responding to receiving the message originated by the client device by adding the source IP address to the cache entry specifying the authenticated MAC address based on parsing the message; and

the router responding to adding the source IP address to the cache entry by outputting to an audit resource a record that specifies the source IP address and the authenticated MAC address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Link layer authentication information is supplied by a link layer authentication device to an access router for tracking IP address usage by a client device. The authentication information supplied to the access router includes an authenticated client identifier and a corresponding authenticated link identifier for the client device that attached to the network based on the authenticated link identifier. The access router, in response to receiving a message that specifies the authenticated link identifier and a source IP address, adds the source IP address to a cache entry that specifies the authenticated client identifier and the corresponding authenticated link identifier, and outputs to an audit resource a record that specifies the source IP address and the authenticated link identifier.

27 Citations

View as Search Results

21 Claims

1. A method in an Internet Protocol (IP) based router in a network, the method comprising:
- creating by the router a cache entry in the router and that specifies an authenticated client identifier and a corresponding authenticated Media Access Control (MAC) address for a client device attached to the network based on the authenticated MAC address, the authenticated MAC address based on link layer authentication of a MAC address used by the client device relative to the authenticated client identifier and according to a prescribed link layer authentication protocol to authenticate use of the MAC address by the client device and to prevent spoofing of the authenticated MAC address;
  
  receiving by the router a message originated by the client device and that specifies the authenticated MAC address and a source IP address, the router implemented as a default gateway for enabling the client device to access the network, wherein any packet output by a given client device and having a corresponding MAC address that has not been authenticated for use by the given client device is contained from access to the network;
  
  the router responding to receiving the message originated by the client device by adding the source IP address to the cache entry specifying the authenticated MAC address based on parsing the message; and
  
  the router responding to adding the source IP address to the cache entry by outputting to an audit resource a record that specifies the source IP address and the authenticated MAC address.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the outputting includes specifying within the record the corresponding authenticated client identifier.
  - 3. The method of claim 1, further comprising:
    - receiving a second message that specifies the authenticated MAC address and a second source IP address;
      
      the creating including creating a second cache entry specifying the authenticated client identifier, the corresponding authenticated MAC address, and the second source IP address, based on having determined the second source IP address is distinct from the source IP address;
      
      the outputting including outputting a second record specifying the second source IP address and the authenticated MAC address based on creation of the second cache entry.
  - 4. The method of claim 1, further comprising receiving the authenticated client identifier and the corresponding authenticated MAC address in a message from a link authentication device, the link authentication device having established with the client device a link having the corresponding authenticated MAC address.
  - 5. The method of claim 1, wherein the IP based router includes a link layer authentication portion, the method further comprising:
    - detecting by the link layer authentication portion establishment of a link with the client device on an identified link port;
      
      sending to an authentication server, by the link layer authentication portion, client device information including a client identifier; and
      
      selectively designating the client identifier as the authenticated client identifier and the authenticated MAC address relative to the identified link port, based on having received an approval of the client identifier by the authentication server.

6. A method in a network, the method comprising:
- in a link layer authentication device;
  
  (1) detecting an establishment of a link with a client device on an identified link port of the link layer authentication device,(2) attempting authentication of a MAC address used by the client device attached to the identified link port based on sending, to an authentication server, client device information including a client identifier, and(3) outputting to an IP router, based on authentication of the client device by the authentication server relative to the client identifier, an authentication message specifying the client identifier as an authenticated client identifier and the MAC address used by the client device as an authenticated Media Access Control (MAC) address that is authenticated according to a prescribed link layer authentication protocol to authenticate the use of the MAC address by the client device and to prevent spoofing of the authenticated MAC address; and
  
  in the IP router;
  
  (1) receiving the authentication message specifying the authenticated client identifier and the corresponding authenticated MAC address,(2) creating a cache entry in the IP router in response to receiving the authentication message, the cache entry specifying the authenticated client identifier and the corresponding authenticated MAC address,(3) receiving a message originated by the client device and that specifies the authenticated MAC address and a source IP address, the IP router implemented as a default gateway for enabling the client device to access the network,(4) the IP router responding to receiving the message originated by the client device by adding the source IP address to the cache entry specifying the authenticated MAC address based on parsing the message, and(5) the IP router responding to adding the source IP address to the cache entry by outputting to an audit resource a record that specifies the source IP address and the authenticated MAC address;
  
  wherein any packet output by a given client device and having a corresponding MAC address that has not been authenticated for use by the given client device is contained from access to the network.
- View Dependent Claims (7, 8)
- - 7. The method of claim 6, wherein the outputting by the IP router includes specifying within the record the corresponding authenticated client identifier.
  - 8. The method of claim 6, further comprising in the IP router:
    - receiving a second message that specifies the authenticated MAC address and a second source IP address;
      
      the creating including creating a second cache entry specifying the authenticated client identifier, the corresponding authenticated MAC address, and the second source IP address, based on having determined the second source address is distinct from the source IP address;
      
      the outputting including outputting a second record specifying the second source IP address and the authenticated MAC address based on creation of the second cache entry.

9. An Internet Protocol (IP) based router configured for outputting IP packets in a network, the router comprising:
- means for creating a cache entry in the router and that specifies an authenticated client identifier and a corresponding authenticated Media Access Control (MAC) address for a client device attached to the network based on the authenticated MAC address, the authenticated MAC address based on link layer authentication of a MAC address used by the client device relative to the authenticated client identifier and according to a prescribed link layer authentication protocol to authenticate the use of the MAC address by the client device and to prevent spoofing of the authenticated MAC address, wherein any packet output by a given client device and having a corresponding MAC address that has not been authenticated for use by the given client device is contained from access to the network;
  
  means for receiving a message originated by the client device and that specifies the authenticated MAC address and a source IP address, the means for creating responding to receiving the message originated by the client device by adding the source IP address to the cache entry specifying the authenticated MAC address based on parsing the message, the router implemented as a default gateway for enabling the client device to access the network; and
  
  means for outputting to an audit resource a record that specifies the source IP address and the authenticated MAC address in response to the adding of the source IP address to the cache entry.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The router of claim 9, wherein the record specifies the corresponding authenticated client identifier.
  - 11. The router of claim 9, wherein:
    - the means for receiving receives a second message that specifies the authenticated MAC address and a second source IP address;
      
      the means for creating creates a second cache entry specifying the authenticated client identifier, the corresponding authenticated MAC address, and the second source IP address, based on having determined the second source IP address is distinct from the source IP address;
      
      the means for outputting outputs a second record specifying the second source IP address and the authenticated MAC address based on creation of the second cache entry.
  - 12. The router of claim 9, wherein the means for receiving receives the authenticated client identifier and the corresponding authenticated MAC address in a message from a link authentication device, the link authentication device having established with the client device a link having the corresponding authenticated MAC address.
  - 13. The router of claim 9, further comprising a link layer authentication portion, the link layer authentication portion further comprising:
    - means for detecting establishment of a link with the client device on an identified link port;
      
      means for sending, to an authentication server, client device information including a client identifier, the means for sending selectively designating the client identifier as the authenticated client identifier and the authenticated MAC address relative to the identified link port, based on having received an approval of the client identifier by the authentication server.

14. A network comprising:
- an IP router; and
  
  a link layer authentication device having;
  
  (1) means for detecting an establishment of a link with a client device on an identified link port of the link layer authentication device,(2) means for attempting authentication of a Media Access Control (MAC) address used by the client device attached to the identified link port based on sending, to an authentication server, client device information including a client identifier, and(3) means for outputting to the IP router an authentication message, the authentication message based on authentication of the client device by the authentication server relative to the client identifier, the authentication message generated by the means for attempting authentication and specifying the client identifier as an authenticated client identifier and the MAC address used by the client device as an authenticated MAC address that is authenticated according to a prescribed link layer authentication protocol to authenticate the use of the MAC address by the client device and to prevent spoofing of the authenticated MAC address;
  
  the IP router comprising;
  
  (1) means for receiving the authentication message specifying the authenticated client identifier and the corresponding authenticated MAC address,(2) means for creating a cache entry in the IP router in response to receiving the authentication message, the cache entry specifying the authenticated client identifier and the corresponding authenticated MAC address based on the authentication message,(3) the means for receiving further receiving a message originated by the client device and that specifies the authenticated MAC address and a source IP address, the means for creating responding to receiving the message originated by the client device by adding the source IP address to the cache entry specifying the authenticated MAC address based on parsing the message, the IP router implemented as a default gateway for enabling the client device to access the network, and(4) means for outputting to an audit resource a record that specifies the source IP address and the authenticated MAC address in response to the adding of the source IP address to the cache entry;
  
  wherein any packet output by a given client device and having a corresponding MAC address that has not been authenticated for use by the given client device is contained from access to the network.
- View Dependent Claims (15, 16)
- - 15. The network of claim 14, wherein the record specifies the corresponding authenticity client identifier.
  - 16. The network of claim 14, wherein:
    - the means for receiving receives a second message that specifies the authenticated MAC address and a second source IP address;
      
      the means for creating creating a second cache entry specifying the authenticated client identifier, the corresponding authenticated MAC address, and the second source IP address, based on having determined the second source address is distinct from the source IP address;
      
      the means for outputting to the audit resource outputting a second record specifying the second source IP address and the authenticated MAC address based on creation of the second cache entry.

17. An apparatus comprising:
- a cache configured for storing at least one cache entry;
  
  a cache manager configured for creating the cache entry, the cache entry specifying an authenticated client identifier and a corresponding authenticated Media Access Control (MAC) address for a client device attached to a network based on the authenticated MAC address, the cache manager configured for responding to the apparatus receiving a message, originated by the client device and specifying the authenticated MAC address and a source IP address, by adding the source IP address to the cache entry specifying the authenticated MAC address based on parsing the message originated by the client device, the authenticated MAC address based on link layer authentication of a MAC address used by the client device relative to the authenticated client identifier and according to a prescribed link layer authentication protocol to authenticate the use of the MAC address by the client device and to prevent spoofing of the authenticated MAC address;
  
  an Internet Protocol (IP) interface configured for outputting a record to an audit resource, the record generated by the apparatus in response to the cache manager adding the source IP address to the cache entry and specifying the source IP address and the authenticated MAC address, the apparatus implemented as a default gateway for enabling the client device to access the network, wherein any packet output by a given client device and having a corresponding MAC address that has not been authenticated for use by the given client device is contained from access to the network.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The apparatus of claim 17, wherein the record generated by the apparatus specifies the corresponding authenticated client identifier.
  - 19. The apparatus of claim 17, wherein:
    - the IP interface is configured for receiving a second message that specifies the authenticated MAC address and a second source IP address;
      
      the cache manager is configured for creating a second cache entry specifying the authenticated client identifier, the corresponding authenticated MAC address, and the second source IP address, based on having determined the second source IP address is distinct from the source IP address;
      
      the IP interface configured for outputting a second record generated by the apparatus and specifying the second source IP address and the authenticated MAC address based on creation of the second cache entry.
  - 20. The apparatus of claim 17, wherein the IP interface is configured for receiving the authenticated client identifier and the corresponding authenticated MAC address in a message from a link authentication device, the link authentication device having established with the client device a link having the corresponding authenticated MAC address.
  - 21. The apparatus of claim 17, further comprising a link layer authentication portion, the link layer authentication portion further comprising:
    - a link layer protocol resource configured for detecting establishment of a link with the client device on an identified link port; and
      
      an authentication resource configured for sending, to an authentication server, client device information including a client identifier, the authentication resource configured for selectively designating the client identifier as the authenticated client identifier and the authenticated MAC address relative to the identified link port, based on having received an approval of the client identifier by the authentication server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Gleichauf, Robert Eric, Huegen, Craig Allen, Foo, Ian, Dobbins, Ellis Roland
Primary Examiner(s)
Moe; Aung S
Assistant Examiner(s)
Alia; Curtis A

Application Number

US10/913,363
Publication Number

US 20060028996A1
Time in Patent Office

2,668 Days
Field of Search

370/230, 370/389, 370/395.2, 370/395.31, 370/395.32, 370/395.52, 370/395.54
US Class Current

370/230
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04L 63/1466   Active attacks involving in...

H04L 63/162   at the data link layer

Arrangement for tracking IP address usage based on authenticated link identifier

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Arrangement for tracking IP address usage based on authenticated link identifier

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links