FIG. 1 is a functional diagram of a conventional layer 2 (L2) switch 200 connected to user terminals 110 and 120.
Referring to FIG. 1, the L2 switch 200 includes an input port 210, an output port 220, a forwarding process unit 250 transferring a frame input through the input port 210 to the output port 220 that is connected to a user terminal 120 having a destination address, a determination unit 260 learning an address of a user terminal 110 that is connected to the input port 210 from a source address included in the frame, and a filtering database 270 storing information on the output port 220 connected to the user terminal 120 having the destination address of the frame based on information received from the determination unit 260. The L2 switch 200 may further include a group management unit 280 functioning as an Internet group management protocol (IGMP) proxy and managing multicast groups.
When the input port 210 receives the frame from the user terminal 110, the input port 210 notifies the determination unit 260 of receiving the frame and transfers the frame to the forwarding process unit 250. The forwarding process unit 250 transfers the frame to the output port 220 connected to the user terminal 120 having the destination address with reference to the filtering database 270.
The determination unit 260 reads the source address of the frame and notifies the filtering database 270 that the user terminal 110 having the source address is connected to the input port 210. Accordingly, the filtering database 270 obtains information on the user terminals 110 and 120 respectively connected to the input and output ports 210 and 220.
A unicast frame uses the receiver's specific address as the destination address and the transmitter's specific address as the source address, so the receiver of the frame is always identified. A multicast frame, however, uses a multicast address as the destination address instead of the receiver's specific address, so the multicast address cannot be learned by the source media access control (MAC) learning method. A frame whose destination address is a multicast address not registered in the filtering database 270 is forwarded by the L2 switch 200 to every port, and the multicast stream therefore also flows along routes that do not lead to the user terminal 120 that needs to receive the data. As a result, bandwidth is wasted and, at worst, the multicast service can be paralyzed.
In order to prevent the above-described problem, the L2 switch 200 generally performs IGMP snooping. IGMP manages multicast groups at the Internet protocol (IP) layer. By itself, the L2 switch 200 is not able to read IGMP. Accordingly, the L2 switch 200 includes the group management unit 280, which can read IGMP, in order to identify the output port 220 connected to the user terminal 120 that needs to receive the data for a certain multicast address.
FIG. 2 is a diagram for describing a conventional attack by forged multicast packets when only IGMP snooping is performed. In FIG. 2, solid arrows 12, 14, and 16 represent normal traffic and dotted arrows 22, 24, and 26 represent abnormal traffic.
Referring to FIG. 2, when normal user terminals 120 and 130 that are allowed to receive data request the data for a certain multicast address (hereinafter referred to as MA1) from an L2 switch 200 by using frames containing IGMP control packets (hereinafter referred to as IGMP frames), the L2 switch 200 determines the ports 220 and 230 to which the requesting user terminals 120 and 130 are connected as reception ports of MA1, and updates its filtering database. The L2 switch 200 notifies an IGMP querier (not shown) of the result of the update.
In general, an IGMP is used by hosts participating in a multicast service in order to register the hosts with a router for multicast communication. Here, the router that manages registration of the hosts is referred to as the IGMP querier.
A reference numeral 300 may be the IGMP querier or may be a layer 3 (L3) switch disposed on a route from a corresponding subnet to the IGMP querier.
The IGMP querier 300 reflects the result of the update in the upper multicast routing protocol, routes multicast packets addressed to MA1, and transfers the received multicast packets to the L2 switch 200. The L2 switch 200 transmits the multicast packets to the ports 220 and 230 identified as the reception ports of MA1. In this case, if another user terminal 110 forges a multicast packet addressed to MA1 and transmits the forged multicast packet to a port 210, the L2 switch 200 transmits the forged multicast packet to the ports 220 and 230 with reference to the filtering database. Accordingly, the normal traffic 14 and 16 and the abnormal traffic 24 and 26 flow at the same time through the ports 220 and 230. When the forged packets of the forged multimedia traffic 24 and 26 respectively flow into the user terminals 120 and 130 and are not properly processed, the quality of an image displayed from the data contained in the normal traffic 14 and 16 may deteriorate.
Even if the user terminals 120 and 130 have a function to cope with the above-described problem, if a large number of user terminals such as the user terminal 110 make an attack, the bandwidth between the user terminals and the L2 switch 200 is filled with abnormal traffic and the multicast communication can be paralyzed. Such an attack may be generated by, for example, a computer virus.
A multicast packet input through any port other than the ports 220 and 230 connected to the user terminals 120 and 130 that are allowed to receive the data may be blocked by setting a virtual local area network (VLAN). For example, an input port 240 through which a normal multicast packet is input and the ports 220 and 230, which are output ports of the normal multicast packets, may be combined together to form one VLAN.
However, it is not easy to manage VLANs for a plurality of multicast addresses, and a problem of scalability may occur. Internet protocol television (IPTV) service providers may provide hundreds of channels, and the number of channels will increase as demand grows in the future. It is also not efficient to use VLANs to combine ports together, because the allowable number of VLAN identifiers is limited and VLANs have various other uses. Furthermore, even when the VLAN is set, only a user terminal not subscribed to the VLAN can be blocked; a user terminal subscribed to the VLAN cannot be prevented from transmitting the forged multicast packet to an address of the VLAN. Accordingly, a method of blocking the inflow of a multicast packet that has an IPTV source address and is input from a port other than the transmission port is necessary.
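The following is an added example, not part of the patent text, that models the L2 switch of FIG. 1 and FIG. 2 in Python: source MAC learning into a filtering database, IGMP snooping membership, and the ingress-port check the preceding paragraph calls for, which drops a multicast frame for MA1 that arrives on any port other than its transmission port. Port numbers, MAC addresses, and the method names are constructed for the example.

```python
from collections import defaultdict

MA1 = "01:00:5e:01:01:01"  # constructed multicast MAC standing in for MA1 of FIG. 2

def is_multicast(mac):  # I/G bit (LSB of the first octet) set means a group address
    return int(mac.split(":")[0], 16) & 1 == 1

class L2Switch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.fdb = {}                   # filtering database 270: unicast MAC -> learned port
        self.groups = defaultdict(set)  # IGMP snooping (unit 280): group MAC -> reception ports
        self.source_port = {}           # added guard: group MAC -> the only allowed ingress port

    def igmp_join(self, port, group):
        self.groups[group].add(port)

    def bind_source(self, group, port):
        """Pin a group's stream to its transmission port (e.g. the uplink port 240)."""
        self.source_port[group] = port

    def forward(self, in_port, src, dst):
        """Return the set of output ports for a frame; an empty set means it is dropped."""
        self.fdb[src] = in_port  # determination unit 260: source MAC learning
        if is_multicast(dst):
            allowed = self.source_port.get(dst)
            if allowed is not None and in_port != allowed:
                return set()  # arrived on a subscriber port, not the transmission port: block
            if dst in self.groups:
                return self.groups[dst] - {in_port}
            return self.ports - {in_port}  # unregistered group: flooded to every port
        if dst in self.fdb:
            return {self.fdb[dst]}
        return self.ports - {in_port}  # unknown unicast: flooded

def demo():
    """Replays FIG. 2 with and without the ingress-port guard; all values are constructed."""
    sw = L2Switch([210, 220, 230, 240])
    sw.igmp_join(220, MA1)
    sw.igmp_join(230, MA1)
    out = {}
    out["legit"] = sw.forward(240, "00:00:00:00:02:40", MA1)            # uplink stream
    out["forged_unguarded"] = sw.forward(210, "00:00:00:00:02:10", MA1)  # reaches 220 and 230
    sw.bind_source(MA1, 240)
    out["forged_guarded"] = sw.forward(210, "00:00:00:00:02:10", MA1)    # now dropped
    out["legit_guarded"] = sw.forward(240, "00:00:00:00:02:40", MA1)     # still delivered
    return out
```

Without `bind_source`, the forged frame from port 210 is delivered to ports 220 and 230 exactly as in FIG. 2; with it, only frames for MA1 entering on port 240 are forwarded.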
In short, in a unidirectional multicast service such as a real-time IPTV service, if information on the source of the data transmission is widely known, a forged frame deliberately generated by an ill-intentioned user can enter the network. Unless properly processed, the forged frame may cause the two kinds of problems described below.
If the forged frame enters a user terminal that has no device for blocking it, the image quality at the user terminal may deteriorate. Also, if a plurality of users transmit forged frames at the same time, for example, under the control of a computer virus, the forged frames consume network resources and the performance of the network may be reduced. In particular, the L2 switches widely used in access networks are rarely prepared for the above-mentioned risks, so the network may be paralyzed when a synchronized attack is made.