Arrangement for tracking IP address usage based on authenticated link identifier
First Claim
1. A method in an Internet Protocol (IP) based router in a network, the method comprising:
creating by the router a cache entry in the router and that specifies an authenticated client identifier and a corresponding authenticated Media Access Control (MAC) address for a client device attached to the network based on the authenticated MAC address, the authenticated MAC address based on link layer authentication of a MAC address used by the client device relative to the authenticated client identifier and according to a prescribed link layer authentication protocol to authenticate use of the MAC address by the client device and to prevent spoofing of the authenticated MAC address;
receiving by the router a message originated by the client device and that specifies the authenticated MAC address and a source IP address, the router implemented as a default gateway for enabling the client device to access the network, wherein any packet output by a given client device and having a corresponding MAC address that has not been authenticated for use by the given client device is contained from access to the network;
the router responding to receiving the message originated by the client device by adding the source IP address to the cache entry specifying the authenticated MAC address based on parsing the message; and
the router responding to adding the source IP address to the cache entry by outputting to an audit resource a record that specifies the source IP address and the authenticated MAC address.
Abstract
Link layer authentication information is supplied by a link layer authentication device to an access router for tracking IP address usage by a client device. The authentication information supplied to the access router includes an authenticated client identifier and a corresponding authenticated link identifier for the client device that attached to the network based on the authenticated link identifier. The access router, in response to receiving a message that specifies the authenticated link identifier and a source IP address, adds the source IP address to a cache entry that specifies the authenticated client identifier and the corresponding authenticated link identifier, and outputs to an audit resource a record that specifies the source IP address and the authenticated link identifier.
Claims (21)
1. A method in an Internet Protocol (IP) based router in a network (full text reproduced under First Claim above).

Dependent claims: 2, 3, 4, 5.
6. A method in a network, the method comprising:

in a link layer authentication device:
(1) detecting an establishment of a link with a client device on an identified link port of the link layer authentication device,
(2) attempting authentication of a MAC address used by the client device attached to the identified link port based on sending, to an authentication server, client device information including a client identifier, and
(3) outputting to an IP router, based on authentication of the client device by the authentication server relative to the client identifier, an authentication message specifying the client identifier as an authenticated client identifier and the MAC address used by the client device as an authenticated Media Access Control (MAC) address that is authenticated according to a prescribed link layer authentication protocol to authenticate the use of the MAC address by the client device and to prevent spoofing of the authenticated MAC address; and

in the IP router:
(1) receiving the authentication message specifying the authenticated client identifier and the corresponding authenticated MAC address,
(2) creating a cache entry in the IP router in response to receiving the authentication message, the cache entry specifying the authenticated client identifier and the corresponding authenticated MAC address,
(3) receiving a message originated by the client device and that specifies the authenticated MAC address and a source IP address, the IP router implemented as a default gateway for enabling the client device to access the network,
(4) the IP router responding to receiving the message originated by the client device by adding the source IP address to the cache entry specifying the authenticated MAC address based on parsing the message, and
(5) the IP router responding to adding the source IP address to the cache entry by outputting to an audit resource a record that specifies the source IP address and the authenticated MAC address;

wherein any packet output by a given client device and having a corresponding MAC address that has not been authenticated for use by the given client device is contained from access to the network.

Dependent claims: 7, 8.
9. An Internet Protocol (IP) based router configured for outputting IP packets in a network, the router comprising:

means for creating a cache entry in the router and that specifies an authenticated client identifier and a corresponding authenticated Media Access Control (MAC) address for a client device attached to the network based on the authenticated MAC address, the authenticated MAC address based on link layer authentication of a MAC address used by the client device relative to the authenticated client identifier and according to a prescribed link layer authentication protocol to authenticate the use of the MAC address by the client device and to prevent spoofing of the authenticated MAC address, wherein any packet output by a given client device and having a corresponding MAC address that has not been authenticated for use by the given client device is contained from access to the network;

means for receiving a message originated by the client device and that specifies the authenticated MAC address and a source IP address, the means for creating responding to receiving the message originated by the client device by adding the source IP address to the cache entry specifying the authenticated MAC address based on parsing the message, the router implemented as a default gateway for enabling the client device to access the network; and

means for outputting to an audit resource a record that specifies the source IP address and the authenticated MAC address in response to the adding of the source IP address to the cache entry.

Dependent claims: 10, 11, 12, 13.
14. A network comprising:

an IP router; and

a link layer authentication device having:
(1) means for detecting an establishment of a link with a client device on an identified link port of the link layer authentication device,
(2) means for attempting authentication of a Media Access Control (MAC) address used by the client device attached to the identified link port based on sending, to an authentication server, client device information including a client identifier, and
(3) means for outputting to the IP router an authentication message, the authentication message based on authentication of the client device by the authentication server relative to the client identifier, the authentication message generated by the means for attempting authentication and specifying the client identifier as an authenticated client identifier and the MAC address used by the client device as an authenticated MAC address that is authenticated according to a prescribed link layer authentication protocol to authenticate the use of the MAC address by the client device and to prevent spoofing of the authenticated MAC address;

the IP router comprising:
(1) means for receiving the authentication message specifying the authenticated client identifier and the corresponding authenticated MAC address,
(2) means for creating a cache entry in the IP router in response to receiving the authentication message, the cache entry specifying the authenticated client identifier and the corresponding authenticated MAC address based on the authentication message,
(3) the means for receiving further receiving a message originated by the client device and that specifies the authenticated MAC address and a source IP address, the means for creating responding to receiving the message originated by the client device by adding the source IP address to the cache entry specifying the authenticated MAC address based on parsing the message, the IP router implemented as a default gateway for enabling the client device to access the network, and
(4) means for outputting to an audit resource a record that specifies the source IP address and the authenticated MAC address in response to the adding of the source IP address to the cache entry;

wherein any packet output by a given client device and having a corresponding MAC address that has not been authenticated for use by the given client device is contained from access to the network.

Dependent claims: 15, 16.
17. An apparatus comprising:

a cache configured for storing at least one cache entry;

a cache manager configured for creating the cache entry, the cache entry specifying an authenticated client identifier and a corresponding authenticated Media Access Control (MAC) address for a client device attached to a network based on the authenticated MAC address, the cache manager configured for responding to the apparatus receiving a message, originated by the client device and specifying the authenticated MAC address and a source IP address, by adding the source IP address to the cache entry specifying the authenticated MAC address based on parsing the message originated by the client device, the authenticated MAC address based on link layer authentication of a MAC address used by the client device relative to the authenticated client identifier and according to a prescribed link layer authentication protocol to authenticate the use of the MAC address by the client device and to prevent spoofing of the authenticated MAC address;

an Internet Protocol (IP) interface configured for outputting a record to an audit resource, the record generated by the apparatus in response to the cache manager adding the source IP address to the cache entry and specifying the source IP address and the authenticated MAC address, the apparatus implemented as a default gateway for enabling the client device to access the network, wherein any packet output by a given client device and having a corresponding MAC address that has not been authenticated for use by the given client device is contained from access to the network.

Dependent claims: 18, 19, 20, 21.
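The mechanism the abstract and independent claims 1 and 6 describe, as an added example that is not the patent's own code: a link layer authentication device (an IEEE 802.1X authenticator talking to an authentication server is one instance of the "prescribed link layer authentication protocol", an assumption of this example) reports an authenticated (client identifier, MAC address) pair; the default-gateway router creates a cache entry keyed by that MAC; each new source IP the router sees from the MAC is appended to the entry and a record goes to the audit resource; and frames from a MAC with no entry are contained. The class and method names (AccessRouter, CacheEntry, on_auth_message, on_packet, lookup_ip), the audit record fields, the extra conflict flag for an IP already bound to a different authenticated MAC, and the sample inputs are assumptions of this example, not details from the claims.

```python
"""Model of the IP-address-tracking cache from the claims above.

Added illustration, not code from the patent. All names, the audit
record layout and the sample data below are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CacheEntry:
    """One cache entry: authenticated client id and authenticated MAC,
    plus every source IP the router has seen that MAC use (a client may
    hold several, e.g. an IPv4 address and IPv6 link-local/global ones)."""
    client_id: str
    mac: str
    port: str                                   # link port reported by the authenticator
    ips: List[str] = field(default_factory=list)


class AccessRouter:
    """Default gateway that forwards only frames whose source MAC was
    link-layer authenticated, and records each IP those MACs use."""

    def __init__(self) -> None:
        self.cache: Dict[str, CacheEntry] = {}  # keyed by authenticated MAC
        self.audit: List[dict] = []             # stand-in for the audit resource

    @staticmethod
    def _norm_mac(mac: str) -> str:
        # Canonical form so "00-11-22-33-44-55" and "00:11:22:33:44:55" match.
        digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError(f"malformed MAC address: {mac!r}")
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

    def on_auth_message(self, client_id: str, mac: str, port: str) -> CacheEntry:
        """Router side of claim 6 elements (1)-(2): the link layer authentication
        device reports that `client_id` authenticated using `mac` on `port`;
        the router creates (or replaces) the cache entry for that MAC."""
        entry = CacheEntry(client_id, self._norm_mac(mac), port)
        self.cache[entry.mac] = entry
        return entry

    def on_packet(self, src_mac: str, src_ip: str) -> str:
        """Claim 1: a packet from `src_mac` with source IP `src_ip` arrives.
        Returns 'contained', 'forwarded' or 'forwarded+audited'."""
        entry = self.cache.get(self._norm_mac(src_mac))
        if entry is None:
            # MAC never authenticated: contained from access to the network.
            return "contained"
        ip = str(ipaddress.ip_address(src_ip))  # rejects garbage, canonicalises IPv6
        if ip in entry.ips:
            return "forwarded"                  # already bound, nothing new to audit
        # Assumption of this example (the claims are silent on it): if another
        # authenticated client already uses this IP, flag the conflict in the record.
        other = self.lookup_ip(ip)
        entry.ips.append(ip)
        record = {"event": "ip_bound", "client_id": entry.client_id,
                  "mac": entry.mac, "ip": ip, "port": entry.port}
        if other is not None:
            record["conflict_with"] = other.mac
        self.audit.append(record)               # claim 1, last element
        return "forwarded+audited"

    def lookup_ip(self, ip: str) -> Optional[CacheEntry]:
        """Audit-side query: which authenticated client was using `ip`?"""
        ip = str(ipaddress.ip_address(ip))
        for entry in self.cache.values():
            if ip in entry.ips:
                return entry
        return None


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    router = AccessRouter()
    router.on_auth_message("alice@example.com", "00-11-22-33-44-55", "Gi1/0/7")
    for mac, ip in [("00:11:22:33:44:55", "10.0.0.10"),
                    ("00:11:22:33:44:55", "10.0.0.10"),
                    ("00:11:22:33:44:55", "fe80::0001"),
                    ("de:ad:be:ef:00:01", "10.0.0.99")]:
        print(mac, ip, "->", router.on_packet(mac, ip))
    for rec in router.audit:
        print(rec)
```

The audit record is emitted only when a new IP is bound to the entry, which is the condition the claims attach it to; repeated packets with an already-recorded source IP are forwarded without another record, so the audit stream stays proportional to address changes rather than to traffic volume.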
Specification