Routing a packet by a device

US 8,291,114 B2
Filed: 07/08/2010
Issued: 10/16/2012
Est. Priority Date: 09/28/2001
Status: Expired due to Term

First Claim

Patent Images

1. A network device comprising:

a first port, of a plurality of ports of the network device, to receive a packet via a network; and

a controller to;

obtain a destination address from the received packet,determine that a table, associated with the network device, does not store the obtained destination address, the table storing a plurality of destination addresses,create a probe packet that includes the destination address, the probe packet being created based on determining that the table does not store the obtained destination address, the probe packet being different than the received packet,broadcast the probe packet to each of a group of ports of the plurality of ports,prevent the received packet from being transmitted until a response, to the probe packet, is received via a particular port, of the group of ports, that is associated with the destination address, andtransmit the received packet when the response, to the probe packet, is received.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for transferring packets in a packet switched communication system. A system is provided that includes an L2 device including a controller determining for each packet received whether the received packet is to be inspected, an inspection device operable to inspect and filter packets identified by the controller including using a zone specific policy and an L2 controller for transferring inspected packets in accordance with L2 header information using L2 protocols.

77 Citations

View as Search Results

20 Claims

1. A network device comprising:
- a first port, of a plurality of ports of the network device, to receive a packet via a network; and
  
  a controller to;
  
  obtain a destination address from the received packet,determine that a table, associated with the network device, does not store the obtained destination address, the table storing a plurality of destination addresses,create a probe packet that includes the destination address, the probe packet being created based on determining that the table does not store the obtained destination address, the probe packet being different than the received packet,broadcast the probe packet to each of a group of ports of the plurality of ports,prevent the received packet from being transmitted until a response, to the probe packet, is received via a particular port, of the group of ports, that is associated with the destination address, andtransmit the received packet when the response, to the probe packet, is received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The network device of claim 1, where the controller is further to determine that the table does not store information identifying a second port, of the plurality of ports, corresponding to the first port.
  - 3. The network device of claim 1, where the controller is further to determine that the table does not store a port identifier for the particular port.
  - 4. The network device of claim 1, where the controller is further to create the probe packet to include a time-to-life (TTL) field in a header of the probe packet.
  - 5. The network device of claim 4, where the controller is further to set a value of the TTL field to cause a device, in the network, to send a message, to the network device, based on the device receiving the probe packet, the received packet being transmitted based on the message from the device,the response, received via the particular port, including the message.
  - 6. The network device of claim 5, where the probe packet is an Internet Control Message Protocol (ICMP) Ping packet, and the value of the TTL field is set to one (1).
  - 7. The network device of claim 1, where the received packet includes a source address and a destination address, andwhere the controller is further to create the probe packet to include:
    - the source address included in the received packet, andthe destination address included in the received packet.
  - 8. The network device of claim 1, where the controller is further to prevent transfer of the received packet to each of the group of ports, for a particular amount of time, while awaiting to receive a response to the probe packet.
  - 9. The network device of claim 1, where the network is associated with a plurality of security zones, andwhere the received packet is associated with a particular security zone, of the plurality of security zones, andwhere the controller is further to prevent information, from the received packet, from being communicated to a different security zone of the plurality of security zones.
  - 10. The network device of claim 1, where the controller is further to:
    - receive, via the particular port, information regarding the destination address, andupdate the table to include an entry including the destination address and a port identifier identifying the particular port.

11. A method comprising:
- determining, by a security device, that a destination address, obtained from a packet, is not stored in a table associated with the security device, the packet being received via a first port of a plurality of ports of the security device;
  
  creating, by the security device, a probe packet that includes the destination address, the probe packet being created based on determining that the destination address is not stored in the table;
  
  transmitting, by the security device, the probe packet to one or more ports of the plurality of ports, the probe packet being transmitted to the one or more ports based on determining that the destination address is not stored in the table;
  
  preventing, by the security device, the packet from being transmitted until a response, to the transmitted probe packet, is received via a particular port of the one or more ports that is associated with the destination address; and
  
  transmitting, by the security device, the packet when the response, to the transmitted probe packet, is received.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, where each port, of the plurality of ports, corresponds to a particular security zone, the method further comprising:
    - preventing transfer of the packet to a port, of the plurality of ports, corresponding to a security zone that differs from a security zone associated with the first port.
  - 13. The method of claim 11, further comprising:
    - receiving the response via the particular port of the one or more ports, the response identifying a device, in the network, that is connected to the particular port; and
      
      transmitting the packet to the device via the particular port, when the response is received.
  - 14. The method of claim 11, where the packet is prevented from being transmitted for a particular amount of time.
  - 15. The method of claim 14, further comprising dropping the packet upon expiration of the particular amount of time.
  - 16. The method of claim 11, where the probe packet comprises an Internet Control Message Protocol (ICMP) Ping packet including a time-to-life (TTL) field, and the response comprises an ICMP TTL expired message.

17. A system comprising:
- a non-transitory computer-readable medium comprising a plurality of instructions which, when executed by a security device, cause the security device to;
  
  obtain a destination address included in a first packet, the first packet being received via a port of a plurality of ports of the security device;
  
  determine that an entry, corresponding to the destination address, is not stored in a table associated with the security device;
  
  transmit a second packet, that includes the destination address, to one or more ports of the plurality of ports, the second packet being transmitted to the one or more ports based on determining that the entry is not stored in the table, the second packet being different than the first packet;
  
  prevent the first packet from being transmitted until a response, to the transmitted second packet, is received via a particular port of the one or more ports that is associated with the destination address; and
  
  transmit the first packet when the response is received.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, where the first packet is received via a network that includes a plurality of security zones, andwhere the non-transitory computer-readable medium further comprises one or more instructions which, when executed by the security device, cause the security device further to update the table, based on the response, with respect to a particular security zone, of the plurality of security zones, associated with the destination address.
  - 19. The system of claim 17, where the first packet includes a source address and a destination address, andwhere the non-transitory computer-readable medium further comprises one or more instructions which, when executed by the security device, cause the security device further to create the second packet to include:
    - the source address included in the first packet, andthe destination address included in the first packet.
  - 20. The system of claim 17, where the first packet is received via a network that includes a plurality of security zones,where the first packet is associated with a particular security zone, of the plurality of security zones, andwhere the non-transitory computer-readable medium further comprises one or more instructions which, when executed by the security device, cause the security device further to prevent information, from the first packet, from being communicated to security zones, of the plurality of security zones, that differ from the particular security zone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Mao, Yu Ming, Lian, Roger Jia-Jyi, Huang, Guangsong, Cheung, Lee Chik
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US12/832,347
Publication Number

US 20100281533A1
Time in Patent Office

831 Days
Field of Search

709/242, 370/254, 370/351, 370/428
US Class Current

709/242
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0227   Filtering policies mail mes...

H04L 63/04   for providing a confidentia...

H04L 63/102   Entity profiles

H04L 63/162   at the data link layer

Routing a packet by a device

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Routing a packet by a device

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others