Host tracking in a layer 2 IP ethernet network
First Claim
1. A method of tracking at least one host in a network on a tracking device, comprising:
- a) sending a unicast address resolution protocol (ARP) request to the at least one host, wherein the unicast ARP request includes:
  - a target hardware address (THA) field associated with the at least one host with a value set to all zeroes or all ones indicating a missing media access control (MAC) address for the at least one host,
  - a source protocol address (SPA) field associated with a sender of the unicast ARP request with a value set to all zeroes to prevent the at least one host from updating an ARP cache associated with the at least one host with the information in the SPA field, and
  - a target protocol address (TPA) field associated with the at least one host with a value indicating an authenticated IP address of the at least one host stored in a device tracking list that also stores an authenticated MAC address for the at least one host;
- b) receiving an ARP reply from the at least one host with the missing MAC address supplied by the at least one host; and
- c) validating the missing MAC address supplied by comparing the missing MAC address to the authenticated MAC address stored in the device tracking list.
Abstract
A method and an apparatus to detect end host machines in a layer 2 Ethernet network are provided. The knowledge of the detected hosts may then be utilized by various security applications operating on layer 2 devices at the access and the distribution layers of the network for host session monitoring. Hosts that are no longer connected or do not respond to a layer 2 query may have their access privileges revoked.
16 Claims
5. A method of detecting and tracking at least one host in a network by a network address device (NAD), the method comprising:
- a) learning a new media access control (MAC) address for the at least one host;
- b) updating a device tracking list stored on the NAD with the learned new MAC address, wherein the device tracking list stores an authenticated Internet Protocol (IP) address and the learned new MAC address for the at least one host;
- c) granting access privileges to the at least one host;
- d) sending a unicast ARP request from the NAD to the at least one host, wherein the unicast ARP request includes:
  - a target hardware address (THA) field associated with the at least one host with a value set to all zeroes or all ones indicating a false MAC address for the at least one host,
  - a source protocol address (SPA) field associated with the NAD with a value set to all zeroes to prevent the at least one host from updating an ARP cache associated with the at least one host with the information in the SPA field, and
  - a target protocol address (TPA) field associated with the at least one host with a value indicating the authenticated IP address of the at least one host stored in the device tracking list;
- e) receiving an ARP reply with a response MAC address from the at least one host; and
- f) checking the response MAC address against the learned MAC address stored in the device tracking list.
12. A network device for tracking a host on layer 2 of a network, the device comprising:
- a device tracking list for maintaining at least one media access control (MAC) address and at least one Internet Protocol (IP) address corresponding to the host; and
- logic configured to track the host by periodically sending unicast ARP requests to the host, wherein the unicast ARP requests include:
  - a target hardware address (THA) field associated with the at least one host with a value set to all zeroes or all ones indicating a false MAC address for the host,
  - a source protocol address (SPA) field associated with the network device with a value set to all zeroes to prevent the at least one host from updating an ARP cache associated with the at least one host with the information in the SPA field, and
  - a target protocol address (TPA) field associated with the at least one host with a value indicating the at least one IP address of the host stored in the device tracking list,

  and to assign network access privileges for the host based on ARP replies received or not received from the host.
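The probe-and-validate cycle described in claims 1, 5 and 12, as an added example that is not part of the patent text: it builds the ARP request body with THA all zeros, SPA 0.0.0.0 and TPA set to the authenticated IP, checks a reply's sender MAC against the device tracking list, and withdraws access after repeated non-responses. The `DeviceTracker` class, the `MAX_MISSES` threshold and the sample addresses are assumptions; the unicast Ethernet framing to the host's authenticated MAC and the raw-socket send are omitted.

```python
import struct
# ARP body layout (RFC 826): htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ARP = struct.Struct("!HHBBH6s4s6s4s")
ARP_REQUEST, ARP_REPLY = 1, 2
MAX_MISSES = 3  # hypothetical threshold: unanswered probes before access is revoked

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_probe(sender_mac, target_ip):
    """ARP request body as claimed: THA all zeros (MAC treated as missing), SPA 0.0.0.0
    so the host does not update its ARP cache from the probe, TPA = authenticated IP."""
    return ARP.pack(1, 0x0800, 6, 4, ARP_REQUEST, mac_bytes(sender_mac),
                    ip_bytes("0.0.0.0"), bytes(6), ip_bytes(target_ip))

def parse_reply(pkt):
    """Return (sender IP, sender MAC) from an Ethernet/IPv4 ARP reply, else raise."""
    htype, ptype, hlen, plen, oper, sha, spa, _, _ = ARP.unpack(pkt[:ARP.size])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        raise ValueError("not an Ethernet/IPv4 ARP reply")
    return ip_str(spa), mac_str(sha)

class DeviceTracker:
    """Device tracking list: authenticated IP -> authenticated MAC plus access state."""
    def __init__(self, own_mac):
        self.own_mac = own_mac
        self.table = {}  # ip -> {"mac": str, "authorized": bool, "misses": int}

    def learn(self, ip, mac):  # claim 5 a)-c): learn MAC, record it, grant access
        self.table[ip] = {"mac": mac.lower(), "authorized": True, "misses": 0}

    def probe(self, ip):  # claim 1 a) / claim 12: periodic unicast probe body
        return build_probe(self.own_mac, ip)

    def on_reply(self, pkt):  # claim 1 c): supplied MAC must equal the authenticated one
        ip, mac = parse_reply(pkt)
        entry = self.table.get(ip)
        if entry is None or entry["mac"] != mac:
            return False  # unknown host or MAC mismatch: do not trust the reply
        entry["misses"] = 0
        return True

    def on_timeout(self, ip):  # claim 12: no reply -> count a miss, revoke after MAX_MISSES
        entry = self.table[ip]
        entry["misses"] += 1
        if entry["misses"] >= MAX_MISSES:
            entry["authorized"] = False
        return entry["authorized"]
```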