Secure DHCP processing for layer two access networks
Abstract
In general, this disclosure describes network security techniques that may accommodate legitimate movement of a subscriber device while preventing MAC collisions that may result from configuration errors or MAC spoofing attempts. MAC spoofing may result in packets directed to one subscriber device being sent instead to another subscriber device. By modifying an access node or a Dynamic Host Configuration Protocol (DHCP) server to allow only authorized subscriber devices on the access network, layer two collisions (“MAC collisions”) may be prevented.
32 Claims
1. A method comprising:
- receiving a layer two domain identifier of a layer two domain in which a first subscriber device resides;
- storing an association between the layer two domain identifier of the first subscriber device and a layer two address of the first subscriber device;
- comparing a layer two domain identifier and a layer two address of a second subscriber device attempting to acquire a layer three address with the layer two domain identifier and the layer two address of the first subscriber device;
- denying a layer three address to the second subscriber device based on the comparison if the first subscriber device and the second subscriber device share the same layer two address and share the same layer two domain identifier; and
- offering the second subscriber device a layer three address based on the comparison if the first subscriber device and the second subscriber device share the same layer two address but have different layer two domain identifiers.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A network device comprising a processor configured to:
- receive a layer two domain identifier of a layer two domain in which a first subscriber device resides;
- store an association between the layer two domain identifier of the first subscriber device and a layer two address of the first subscriber device;
- compare a layer two domain identifier and a layer two address of a second subscriber device attempting to acquire a layer three address with the layer two domain identifier and the layer two address of the first subscriber device;
- deny a layer three address to the second subscriber device based on the comparison if the first subscriber device and the second subscriber device share the same layer two address and share the same layer two domain identifier; and
- offer the second subscriber device a layer three address based on the comparison if the first subscriber device and the second subscriber device share the same layer two address but have different layer two domain identifiers.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A non-transitory computer-readable medium comprising instructions encoded on the computer-readable medium that, upon execution, cause a processor within a network device to:
- receive a layer two domain identifier of a layer two domain in which a first subscriber device resides;
- store an association between the layer two domain identifier of the first subscriber device and a layer two address of the first subscriber device;
- compare a layer two domain identifier and a layer two address of a second subscriber device attempting to acquire a layer three address with the layer two domain identifier and the layer two address of the first subscriber device;
- deny a layer three address to the second subscriber device based on the comparison if the first subscriber device and the second subscriber device share the same layer two address and share the same layer two domain identifier; and
- offer the second subscriber device a layer three address based on the comparison if the first subscriber device and the second subscriber device share the same layer two address but have different layer two domain identifiers.

Dependent claims: 18, 19, 20, 21, 22, 23, 24.
25. A network device comprising:
- means for receiving a layer two domain identifier of a layer two domain in which a first subscriber device resides;
- means for storing an association between the layer two domain identifier of the first subscriber device and a layer two address of the first subscriber device;
- means for comparing a layer two domain identifier and a layer two address of a second subscriber device attempting to acquire a layer three address with the layer two domain identifier and the layer two address of the first subscriber device;
- means for denying a layer three address to the second subscriber device based on the comparison if the first subscriber device and the second subscriber device share the same layer two address and share the same layer two domain identifier; and
- means for offering the second subscriber device a layer three address based on the comparison if the first subscriber device and the second subscriber device share the same layer two address but have different layer two domain identifiers.

Dependent claims: 26, 27, 28, 29, 30, 31, 32.
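The abstract and independent claims 1, 9, 17 and 25 all describe the same lease-admission rule: the DHCP server (or access node) remembers which (layer two domain identifier, layer two address) pairs already hold a lease, denies a layer three address when a requester presents a MAC that is already bound in the same layer two domain, and still offers one when the same MAC turns up in a different domain, so that a subscriber who legitimately moves between access domains is not locked out. The following Python is an added illustration of that rule written for this page; it is not code from the patent or its assignee. It assumes the domain identifier arrives as an opaque string (how the access node conveys it to the server is outside the snippet), uses a constructed address pool, and keys the decision purely on the (domain, MAC) pair exactly as the claims do; a production server would additionally recognise the original lease holder renewing its own lease, which the claims do not address.

```python
"""Added example (not the patent's code): DHCP lease admission that prevents
MAC collisions within a layer two domain while permitting movement across
domains, following independent claim 1.

Decision table, for a request carrying (domain_id, mac):
  * mac already bound in domain_id        -> deny  (possible collision / spoofed MAC)
  * mac bound only in some other domain   -> offer (legitimate move between domains)
  * mac not bound anywhere                -> offer (new subscriber)
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class Decision:
    offered_address: Optional[str]  # None when the request is denied
    reason: str


@dataclass
class DhcpAdmissionFilter:
    # Constructed pool for the example; a real server reads this from configuration.
    pool: ipaddress.IPv4Network = ipaddress.ip_network("10.0.0.0/29")
    # Stored associations: mac -> {layer two domain id -> leased layer three address}
    bindings: Dict[str, Dict[str, str]] = field(default_factory=dict)
    _next: int = 1  # index of the next unused host address in the pool

    @staticmethod
    def _norm_mac(mac: str) -> str:
        # Compare on the address itself, not on how it was spelled ("AA-BB-.." vs "aa:bb:..").
        digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError(f"malformed layer-two address: {mac!r}")
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

    def request(self, domain_id: str, mac: str) -> Decision:
        """Apply the comparison step of the claim to one address request."""
        mac = self._norm_mac(mac)
        leases = self.bindings.get(mac, {})
        if domain_id in leases:
            # Same layer two address AND same layer two domain as an existing subscriber:
            # granting a lease here would let two stations answer for one MAC.
            return Decision(None, "denied: layer-two address already bound in this domain")
        # Either an unknown MAC, or a known MAC seen in a different domain (movement).
        addr = self._allocate()
        if addr is None:
            return Decision(None, "denied: address pool exhausted")
        self.bindings.setdefault(mac, {})[domain_id] = addr
        reason = ("offered: new layer-two address" if not leases
                  else "offered: same layer-two address, different domain")
        return Decision(addr, reason)

    def release(self, domain_id: str, mac: str) -> bool:
        """Drop the association on DHCPRELEASE or lease expiry so the slot can be reused."""
        mac = self._norm_mac(mac)
        leases = self.bindings.get(mac)
        if not leases or domain_id not in leases:
            return False
        del leases[domain_id]
        if not leases:
            del self.bindings[mac]
        return True

    def _allocate(self) -> Optional[str]:
        # Simple bump allocator; released addresses are not recycled in this example.
        hosts = list(self.pool.hosts())
        if self._next > len(hosts):
            return None
        addr = str(hosts[self._next - 1])
        self._next += 1
        return addr


def demo() -> list:
    """Walk the three cases from the decision table with constructed identifiers."""
    f = DhcpAdmissionFilter()
    return [
        f.request("vlan-100", "00:11:22:33:44:55"),  # new subscriber -> offered
        f.request("vlan-100", "00-11-22-33-44-55"),  # same MAC, same domain -> denied
        f.request("vlan-200", "00:11:22:33:44:55"),  # same MAC, other domain -> offered
    ]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The deny branch is where the defensive value lies: a second station presenting an already-bound MAC inside the same domain gets no layer three address, so traffic for the first subscriber is never redirected to it, and the denial is a natural place to emit an alert for the operator. The release path matters just as much in practice; without it, a subscriber that reboots would be refused by its own stale binding.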
Specification