Host tracking in a layer 2 IP ethernet network

US 8,107,396 B1
Filed: 07/24/2006
Issued: 01/31/2012
Est. Priority Date: 07/24/2006
Status: Active Grant

First Claim

Patent Images

1. A method of tracking at least one host in a network on a tracking device, comprising:

a) sending a unicast address resolution protocol (ARP) request to the at least one host, wherein the unicast ARP request includes;

a target hardware address (THA) field associated with the at least one host with a value set to all zeroes or all ones indicating a missing media access control (MAC) address for the at least one host,a source protocol address (SPA) field associated with a sender of the unicast ARP request with a value set to all zeroes to prevent the at least one host from updating an ARP cache associated with the at least one host with the information in the SPA field, anda target protocol address (TPA) field associated with the at least one host with a value indicating an authenticated IP address of the at least one host stored in a device tracking list that also stores an authenticated MAC address for the at least one host;

b) receiving an ARP reply from the at least one host with the missing MAC address supplied by the at least one host; and

c) validating the missing MAC address supplied by comparing the missing MAC address to the authenticated MAC address stored in the device tracking list.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and an apparatus to detect end host machines in a layer 2 Ethernet network are provided. The knowledge of the detected hosts may then be utilized by various security applications operating on layer 2 devices at the access and the distribution layers of the network for host session monitoring. Hosts that are no longer connected or do not respond to a layer 2 query may have their access privileges revoked.

50 Citations

View as Search Results

16 Claims

1. A method of tracking at least one host in a network on a tracking device, comprising:
- a) sending a unicast address resolution protocol (ARP) request to the at least one host, wherein the unicast ARP request includes;
  
  a target hardware address (THA) field associated with the at least one host with a value set to all zeroes or all ones indicating a missing media access control (MAC) address for the at least one host,a source protocol address (SPA) field associated with a sender of the unicast ARP request with a value set to all zeroes to prevent the at least one host from updating an ARP cache associated with the at least one host with the information in the SPA field, anda target protocol address (TPA) field associated with the at least one host with a value indicating an authenticated IP address of the at least one host stored in a device tracking list that also stores an authenticated MAC address for the at least one host;
  
  b) receiving an ARP reply from the at least one host with the missing MAC address supplied by the at least one host; and
  
  c) validating the missing MAC address supplied by comparing the missing MAC address to the authenticated MAC address stored in the device tracking list.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the missing MAC address is a correct MAC address for the host.
  - 3. The method of claim 1, further comprising periodically repeating steps a)-c).
  - 4. The method of claim 3, further comprising revoking access privileges granted to the at least one host if the missing MAC address supplied cannot be validated within a defined period.

5. A method of detecting and tracking at least one host in a network by a network address device (NAD), the method comprising:
- a) learning a new media access control (MAC) address for the at least one host;
  
  b) updating a device tracking list stored on the NAD with the learned new MAC address, wherein the device tracking list stores an authenticated Internet Protocol (IP) address and the learned new MAC address for the at least one host;
  
  c) granting access privileges to the at least one host;
  
  d) sending a unicast ARP request from the NAD to the at least one host, wherein the unicast ARP request includes;
  
  a target hardware address (THA) field associated with the at least one host with a value set to all zeroes or all ones indicating a false MAC address for the at least one host,a source protocol address (SPA) field associated with the NAD with a value set to all zeroes to prevent the at least one host from updating an ARP cache associated with the at least one host with the information in the SPA field, anda target protocol address (TPA) field associated with the at least one host with a value indicating the authenticated IP address of the at least one host stored in the device tracking list;
  
  e) receiving an ARP reply with a response MAC address from the at least one host; and
  
  f) checking the response MAC address against the learned MAC address stored in the device tracking list.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The method of claim 5, further comprising revoking the access privileges of the at least one host in response to one or more of the following conditions:
    - the response MAC address does not match the learned MAC address stored in the device tracking list, the at least one host does not respond, or the at least one host has been disconnected from the network.
  - 7. The method of claim 6, further comprising quarantining the learned MAC address of the at least one host whose access privileges have been revoked from the device tracking list.
  - 8. The method of claim 5, further comprising repeating steps d)-e) until either the response MAC address matches the learned MAC address or steps d)-e) have been repeated a predetermined number of times.
  - 9. The method of claim 8, further comprising revoking the access privileges of the at least one host if steps d)-e) have been repeated a predetermined number of times.
  - 10. The method of claim 5, wherein learning the new MAC address comprises snooping an ARP request broadcast from the at least one host to the network and extracting a new internet protocol (IP) address and the new MAC address for the at least one host.
  - 11. The method of claim 5, wherein learning the new MAC address comprises snooping a dynamic host configuration protocol (DHCP) message during authentication of the at least one host.

12. A network device for tracking a host on layer 2 of a network, the device comprising:
- a device tracking list for maintaining at least one media access control (MAC) address and at least one Internet Protocol (IP) address corresponding to the host; and
  
  logic configured to track the host by periodically sending unicast ARP requests to the host, wherein the unicast ARP requests include;
  
  a target hardware address (THA) field associated with the at least one host with a value set to all zeroes or all ones indicating a false MAC address for the host,a source protocol address (SPA) field associated with the network device with a value set to all zeroes to prevent the at least one host from updating an ARP cache associated with the at least one host with the information in the SPA field, anda target protocol address (TPA) field associated with the at least one host with a value indicating the at least one IP address of the host stored in the device tracking list and assign network access privileges for the host based on ARP replies received or not received from the host.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The network device of claim 12, wherein the device tracking list is used to maintain an internet protocol (IP) address corresponding to the host.
  - 14. The network device of claim 12, wherein the logic is configured to revoke access privileges of the host in response to one or more of the following conditions:
    - a MAC address received in an ARP reply from the host does not match a learned MAC address stored in the device tracking list, the host does not respond, or the host has been disconnected from the network.
  - 15. The method of claim 12, wherein the logic is configured to learn a MAC address of the host by snooping an ARP request broadcast from the host.
  - 16. The method of claim 12, wherein the logic is configured to learn a MAC address of the host by snooping a dynamic host configuration protocol (DHCP) message during authentication of the host.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sharma, Govind P.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Weidner, Timothy J

Application Number

US11/459,524
Time in Patent Office

2,017 Days
Field of Search

None
US Class Current

370/254
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 63/0876   based on the identity of th...

H04L 63/162   at the data link layer

Host tracking in a layer 2 IP ethernet network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Host tracking in a layer 2 IP ethernet network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links