Secure DHCP processing for layer two access networks

US 8,862,705 B2
Filed: 07/30/2009
Issued: 10/14/2014
Est. Priority Date: 07/30/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a layer two domain identifier of a layer two domain in which a first subscriber device resides;

storing an association between the layer two domain identifier of the first subscriber device and a layer two address of the first subscriber device;

comparing a layer two domain identifier and a layer two address of a second subscriber device attempting to acquire a layer three address with the layer two domain identifier and the layer two address of the first subscriber device;

denying a layer three address to the second subscriber device based on the comparison if the first subscriber device and the second subscriber device share the same layer two address and share the same layer two domain identifier; and

offering the second subscriber device a layer three address based on the comparison if the first subscriber device and the second subscriber device share the same layer two address but have different layer two domain identifiers.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, this disclosure describes network security techniques that may accommodate legitimate movement of a subscriber device while preventing MAC collisions that may result from configuration errors or MAC spoofing attempts. MAC spoofing may result in packets directed to one subscriber device being sent instead to another subscriber device. By modifying an access node or a Dynamic Host Configuration Protocol (DHCP) server to allow only authorized subscriber devices on the access network, layer two collisions (“MAC collisions”) may be prevented.

Citations

32 Claims

1. A method comprising:
- receiving a layer two domain identifier of a layer two domain in which a first subscriber device resides;
  
  storing an association between the layer two domain identifier of the first subscriber device and a layer two address of the first subscriber device;
  
  comparing a layer two domain identifier and a layer two address of a second subscriber device attempting to acquire a layer three address with the layer two domain identifier and the layer two address of the first subscriber device;
  
  denying a layer three address to the second subscriber device based on the comparison if the first subscriber device and the second subscriber device share the same layer two address and share the same layer two domain identifier; and
  
  offering the second subscriber device a layer three address based on the comparison if the first subscriber device and the second subscriber device share the same layer two address but have different layer two domain identifiers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein storing an association between the layer two domain identifier of the first subscriber device and a layer two address of the first subscriber device further comprises:
    - storing, for each of a plurality of subscriber lines, an association between a plurality of layer two domain identifiers and a plurality of layer two addresses in a table.
  - 3. The method of claim 1, wherein the layer two domain identifier is received as a Dynamic Host Configuration Protocol (DHCP) option in a DHCP message relayed from the subscriber device.
  - 4. The method of claim 1, wherein the layer two domain identifier comprises at least one virtual local area network (VLAN) identifier associated with the subscriber device.
  - 5. The method of claim 1, further comprising:
    - probing the network to determine whether a layer three address is in use before offering the layer three address to the subscriber device.
  - 6. The method of claim 5, wherein probing the network comprises:
    - transmitting a data unit using a ping utility to the layer three address; and
      
      determining whether a reply data unit is received from the layer three address in response to the ping utility.
  - 7. The method of claim 1, wherein the network device is a first network device, the method further comprising:
    - protecting a table in a second network device by configuring a third network device to act as a layer two relay agent; and
      
      providing a dedicated Virtual Local Area Network (VLAN) for transmitting Dynamic Host Configuration Protocol (DHCP) data unit traffic, wherein the VLAN comprises the second network device, the third network device, and a fourth network device, and wherein the fourth network device is in communication with the first network device.
  - 8. The method of claim 7, wherein the first network device is a DHCP server, the second network device includes a layer two switch, the third network device includes an access node, and the fourth network device includes a layer three router.

9. A network device comprising a processor configured to:
- receive a layer two domain identifier of a layer two domain in which a first subscriber device resides;
  
  store an association between the layer two domain identifier of the first subscriber device and a layer two address of the first subscriber device;
  
  compare a layer two domain identifier and a layer two address of a second subscriber device attempting to acquire a layer three address with the layer two domain identifier and the layer two address of the first subscriber device;
  
  deny a layer three address to the second subscriber device based on the comparison if the first subscriber device and the second subscriber device share the same layer two address and share the same layer two domain identifier; and
  
  offer the second subscriber device a layer three address based on the comparison if the first subscriber device and the second subscriber device share the same layer two address but have different layer two domain identifiers.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The network device of claim 9, wherein the layer two domain identifier is received as a Dynamic Host Configuration Protocol (DHCP) option in a DHCP message relayed from the subscriber device.
  - 11. The network device of claim 9, wherein the layer two domain identifier comprises at least one virtual local area network (VLAN) identifier associated with the subscriber device.
  - 12. The network device of claim 9, wherein the processor configured to store an association between the layer two domain identifier of the first subscriber device and a layer two address of the first subscriber device is further configured to:
    - store, for each of a plurality of subscriber lines, an association between a plurality of layer two domain identifiers and a plurality of layer two addresses in a table.
  - 13. The network device of claim 9, wherein the processor is further configured to:
    - probe the network to determine whether a layer three address is in use before offering the layer three address to the first subscriber device.
  - 14. The network device of claim 13, wherein the processor configured to probe the network is configured to:
    - transmit a data unit using a ping utility to the layer three address; and
      
      determine whether a reply data unit is received from the layer three address in response to the ping utility.
  - 15. The network device of claim 9, wherein the network device is a first network device, and wherein the processor is further configured to:
    - protect a table in a second network device by configuring a third network device to act as a layer two relay agent; and
      
      provide a dedicated Virtual Local Area Network (VLAN) for transmitting Dynamic Host Configuration Protocol (DHCP) data unit traffic, wherein the VLAN comprises the second network device, the third network device, and a fourth network device, and wherein the fourth network device is in communication with the first network device.
  - 16. The network device of claim 15, wherein the first network device is a DHCP server, the second network device is a layer two switch, the third network device is an access node, and the fourth network device is a layer three router.

17. A non-transitory computer-readable medium comprising instructions encoded on the computer-readable medium that, upon execution, cause a processor within a network device to:
- receive a layer two domain identifier of a layer two domain in which a first subscriber device resides;
  
  store an association between the layer two domain identifier of the first subscriber device and a layer two address of the first subscriber device;
  
  compare a layer two domain identifier and a layer two address of a second subscriber device attempting to acquire a layer three address with the layer two domain identifier and the layer two address of the first subscriber device;
  
  deny a layer three address to the second subscriber device based on the comparison if the first subscriber device and the second subscriber device share the same layer two address and share the same layer two domain identifier; and
  
  offer the second subscriber device a layer three address based on the comparison if the first subscriber device and the second subscriber device share the same layer two address but have different layer two domain identifiers.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the layer two domain identifier is received as a Dynamic Host Configuration Protocol (DHCP) option in a DHCP message relayed from the subscriber device.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the layer two domain identifier comprises at least one virtual local area network (VLAN) identifier associated with the subscriber device.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the subscriber device is a first subscriber device, further comprising instructions to cause the processor to:
    - store, for each of a plurality of subscriber lines, an association between a plurality of layer two domain identifiers and a plurality of layer two addresses in a table.
  - 21. The non-transitory computer-readable medium of claim 17, further comprising instructions to cause the processor to:
    - probe the network to determine whether a layer three address is in use before offering the layer three address to the subscriber device.
  - 22. The non-transitory computer-readable medium of claim 21, wherein the instructions that cause the processor to probe the network comprise instructions to cause the processor to:
    - transmit a data unit using a ping utility to the layer three address; and
      
      determine whether a reply data unit is received from the layer three address in response to the ping utility.
  - 23. The non-transitory computer-readable medium of claim 17, wherein the network device is a first network device, further comprising instructions to cause the processor to:
    - protect a table in a second network device by configuring a third network device to act as a layer two relay agent; and
      
      provide a dedicated Virtual Local Area Network (VLAN) for transmitting Dynamic Host Configuration Protocol (DHCP) data unit traffic, wherein the VLAN comprises the second network device, the third network device, and a fourth network device, and wherein the fourth network device is in communication with the fourth network device.
  - 24. The non-transitory computer-readable medium of claim 23, wherein the first network device is a DHCP server, the second network device includes a layer two switch, the third network device includes an access node, and the fourth network device includes a layer three router.

25. A network device comprising:
- means for receiving a layer two domain identifier of a layer two domain in which a first subscriber device resides;
  
  means for storing an association between the layer two domain identifier of the first subscriber device and a layer two address of the first subscriber device;
  
  means for comparing a layer two domain identifier and a layer two address of a second subscriber device attempting to acquire a layer three address with the layer two domain identifier and the layer two address of the first subscriber device;
  
  means for denying a layer three address to the second subscriber device based on the comparison if the first subscriber device and the second subscriber device share the same layer two address and share the same layer two domain identifier; and
  
  means for offering the second subscriber device a layer three address based on the comparison if the first subscriber device and the second subscriber device share the same layer two address but have different layer two domain identifiers.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32)
- - 26. The network device of claim 25, wherein the means for storing an association between the layer two domain identifier of the first subscriber device and a layer two address of the first subscriber device further comprises:
    - means for storing, for each of a plurality of subscriber lines, an association between a plurality of layer two domain identifiers and a plurality of layer two addresses in a table.
  - 27. The network device of claim 25, wherein the layer two domain identifier is received as a Dynamic Host Configuration Protocol (DHCP) option in a DHCP message relayed from the subscriber device.
  - 28. The network device of claim 25, wherein the layer two domain identifier comprises at least one virtual local area network (VLAN) identifier associated with the subscriber device.
  - 29. The network device of claim 25, further comprising:
    - means for probing the network to determine whether a layer three address is in use before offering the layer three address to the subscriber device.
  - 30. The network device of claim 29, wherein probing the network comprises:
    - means for transmitting a data unit using a ping utility to the layer three address; and
      
      means for determining whether a reply data unit is received from the layer three address in response to the ping utility.
  - 31. The network device of claim 25, wherein the network device is a first network device, the method further comprising:
    - means for protecting a table in a second network device by configuring a third network device to act as a layer two relay agent; and
      
      means for providing a dedicated Virtual Local Area Network (VLAN) for transmitting Dynamic Host Configuration Protocol (DHCP) data unit traffic, wherein the VLAN comprises the second network device, the third network device, and a fourth network device, and wherein the fourth network device is in communication with the first network device.
  - 32. The network device of claim 31, wherein the first network device is a DHCP server, the second network device includes a layer two switch, the third network device includes an access node, and the fourth network device includes a layer three router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Calix Incorporated
Original Assignee
Calix Incorporated
Inventors
Baykal, Berkay, Butler, Duane M., Conner, Michael W., Missett, Shaun Noel
Primary Examiner(s)
Eskandarnia, Arvin

Application Number

US12/512,245
Publication Number

US 20110029645A1
Time in Patent Office

1,902 Days
Field of Search

709/221
US Class Current

709/221
CPC Class Codes

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 61/00   Network arrangements, proto...

H04L 61/103   across network layers, e.g....

H04L 61/5014   using dynamic host configur...

H04L 61/5046   Resolving address allocatio...

H04L 63/1466   Active attacks involving in...

Secure DHCP processing for layer two access networks

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Secure DHCP processing for layer two access networks

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links