Method and apparatus for preventing insertion of malicious content at a named data network router

US 9,609,014 B2
Filed: 05/22/2014
Issued: 03/28/2017
Est. Priority Date: 05/22/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

forwarding, by a network node via an egress interface, an Interest specifying a location-independent, hierarchical, variable-length content name that identifies a first Content Object;

storing, in a Pending Interest Table (PIT) within a data repository of the network node, a PIT entry for the Interest specifying the egress interface and a return interface;

receiving, by the network node, a second Content Object associated with the same content name via a second interface;

performing, based on the content name, a lookup operation in the PIT to identify the PIT entry for the previously forwarded Interest;

determining, from the PIT entry, the egress interface used previously by the network node to forward the Interest; and

responsive to determining that the egress interface specified by the PIT entry matches the second interface for the Content Object, forwarding the Content Object via the return interface specified in the PIT entry.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An object-forwarding device can block a malicious Content Object from being inserted into an Interest'"'"'s reverse path over a named data network. During operation, the device can receive a Content Object via a first interface, and can perform a lookup operation in a Pending Interest Table (PIT) to identify a PIT entry for an Interest associated with the Content Object. The device then determines, from the PIT entry, an egress interface used to forward the Interest. If the device determines that the egress interface of the PIT entry matches the first interface for the Content Object, the device forwards the Content Object via a return interface specified in the PIT entry. On the other hand, if the egress interface of the PIT entry does not match the first interface for the Content Object, the device can block the Content Object.

586 Citations

21 Claims

1. A computer-implemented method, comprising:
- forwarding, by a network node via an egress interface, an Interest specifying a location-independent, hierarchical, variable-length content name that identifies a first Content Object;
  
  storing, in a Pending Interest Table (PIT) within a data repository of the network node, a PIT entry for the Interest specifying the egress interface and a return interface;
  
  receiving, by the network node, a second Content Object associated with the same content name via a second interface;
  
  performing, based on the content name, a lookup operation in the PIT to identify the PIT entry for the previously forwarded Interest;
  
  determining, from the PIT entry, the egress interface used previously by the network node to forward the Interest; and
  
  responsive to determining that the egress interface specified by the PIT entry matches the second interface for the Content Object, forwarding the Content Object via the return interface specified in the PIT entry.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - responsive to determining that the egress interface specified by the PIT entry and used previously to forward the Interest differs from the second interface for the Content Object, blocking the Content Object from being forwarded via the return interface.
  - 3. The method of claim 1, wherein the egress interface includes a physical interface.
  - 4. The method of claim 1, wherein the egress interface includes a virtual interface.
  - 5. The method of claim 4, wherein the virtual interface is associated with a Conjunctive Normal Form (CNF) expression that describes a logical relationship for a set of interfaces.
  - 6. The method of claim 1, further comprising:
    - receiving a second Interest via a third interface;
      
      performing a lookup operation in a Forwarding Information Base, based on the second Interest'"'"'s name, to determine an egress interface for forwarding the second Interest; and
      
      responsive to forwarding the second Interest via the egress interface, creating a new entry in the PIT for the Interest, wherein the new PIT entry includes the egress interface used to forward the Interest.
  - 7. The method of claim 1, wherein the PIT entry includes a name field storing one or more of:
    - a hierarchically structured variable-length identifier (HSVLI); and
      
      a hash value.

8. A non-transitory computer-readable storage medium storing instructions that when executed by a network node computer cause the network node computer to perform a method, the method comprising:
- forwarding, via an egress interface, an Interest specifying a location-independent, hierarchical, variable-length content name that identifies a first Content Object;
  
  storing, in a Pending Interest Table (PIT) within a data repository, a PIT entry for the Interest specifying the egress interface and a return interface;
  
  receiving a second Content Object associated with the same content name via a second interface;
  
  performing, based on the content name, a lookup operation in the PIT to identify the PIT entry for the previously forwarded Interest;
  
  determining, from the PIT entry, the egress interface used previously to forward the Interest; and
  
  responsive to determining that the egress interface specified by the PIT entry matches the second interface for the Content Object, forwarding the Content Object via the return interface specified in the PIT entry.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The storage medium of claim 8, further comprising:
    - responsive to determining that the egress interface specified by the PIT entry and used previously to forward the Interest differs from the second interface for the Content Object, blocking the Content Object from being forwarded via the return interface.
  - 10. The storage medium of claim 8, wherein the egress interface includes a physical interface.
  - 11. The storage medium of claim 8, wherein the egress interface includes a virtual interface.
  - 12. The storage medium of claim 11, wherein the virtual interface is associated with a Conjunctive Normal Form (CNF) expression that describes a logical relationship for a set of interfaces.
  - 13. The storage medium of claim 8, further comprising:
    - receiving a second Interest via a third interface;
      
      performing a lookup operation in a Forwarding Information Base, based on the second Interest'"'"'s name, to determine an egress interface for forwarding the second Interest; and
      
      responsive to forwarding the second Interest via the egress interface, creating a new entry in the PIT for the Interest, wherein the new PIT entry includes the egress interface used to forward the Interest.
  - 14. The storage medium of claim 8, wherein the PIT entry includes a name field storing one or more of:
    - a hierarchically structured variable-length identifier (HSVLI); and
      
      a hash value.

15. An apparatus, comprising:
- a forwarding module to forward, via an egress interface, an Interest specifying a location-independent, hierarchical, variable-length content name that identifies a first Content Object;
  
  an interface-storing module to store, in a Pending Interest Table (PIT) within a data repository, a PIT entry for the Interest specifying the egress interface and a return interface;
  
  a communication module to receive a second Content Object associated with the same content name via a second interface;
  
  an object-processing module to perform, based on the content name, a lookup operation in the PIT to identify the PIT entry for the previously forwarded Interest;
  
  an interface-determining module to determine, from the PIT entry, the egress interface used previously to forward the Interest;
  
  an interface-checking module to determine whether the egress interface specified by the PIT entry matches the second interface for the Content Object; and
  
  wherein responsive to the interface-checking module determining that the egress interface specified by the PIT entry matches the second interface for the Content Object, the communication module is further configured to forward the Content Object via the return interface specified in the PIT entry.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The apparatus of claim 15, wherein responsive to determining that the egress interface specified by the PIT entry and used previously to forward the Interest differs from the second interface for the Content Object, the communication module is further configured to block the Content Object from being forwarded via the return interface.
  - 17. The apparatus of claim 15, wherein the egress interface includes a physical interface.
  - 18. The apparatus of claim 15, wherein the egress interface includes a virtual interface.
  - 19. The apparatus of claim 18, wherein the virtual interface is associated with a Conjunctive Normal Form (CNF) expression that describes a logical relationship for a set of interfaces.
  - 20. The apparatus of claim 15, wherein the communication module is further configured to receive a second Interest via a third interface;
    - wherein the apparatus further comprises an Interest-processing module to perform a lookup operation in a Forwarding Information Base, based on the second Interest'"'"'s name, to determine an egress interface for forwarding the second Interest; and
      
      wherein the interface-checking module is further configured to create a new entry in the PIT for the Interest, wherein the new PIT entry includes the egress interface used to forward the Interest, responsive to the communication module forwarding the second Interest via the egress interface.
  - 21. The apparatus of claim 15, wherein the PIT entry includes a name field storing one or more of:
    - a hierarchically structured variable-length identifier (HSVLI); and
      
      a hash value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Systems, Inc.
Inventors
Solis, Ignacio, Mosko, Marc E.
Primary Examiner(s)
Patel, Chirag R

Application Number

US14/285,555
Publication Number

US 20150341373A1
Time in Patent Office

1,041 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/6418   Hybrid transport

H04L 45/00   Routing or path finding of ...

H04L 45/028   Dynamic adaptation of the u...

H04L 45/245   Link aggregation, e.g. trun...

H04L 45/58   Association of routers

H04L 45/745   Address table lookup; Addre...

H04L 45/80   Ingress point selection by ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/162   at the data link layer

H04L 63/304   intercepting circuit switch...

H04L 67/568   Storing data temporarily at...

H04L 67/63   Routing a service request d...

Method and apparatus for preventing insertion of malicious content at a named data network router

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

586 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for preventing insertion of malicious content at a named data network router

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

586 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links