1. Field of the Invention
The present invention generally concerns communications security between network communications devices, in particular security implemented through packet- or frame-level encoding.
2. Description of the Related Art
In packet switch architectures commonly employed today there is, generally speaking, a central core or processor which switches multiple data streams operating at speeds of many millions or billions of bits per second. There are also peripheral devices which work on those streams as input interfaces, output interfaces, and/or subprocessors. The link between the central core and the peripherals is often implemented by using standard communications protocols such as Ethernet and/or Internet Protocol (IP) with standard packet formats. As the peripherals are slave devices to the core, there is a need for control packets to be sent between the core and the peripherals. These packets control such functions as enabling or disabling peripheral ports and gathering statistics from the ports. The use of such master/slave communications systems is well-known in the art.
There are two approaches commonly in use for carrying control packets between a core and its peripherals. One approach, referred to as out-of-band signaling, provides physical separation of the communication channels for control vs. user data packets. That separation can be provided by various means, such as physically separate wires, different carrier frequencies in a radio system, different wavelengths in a fiber system, etc. The common element of these systems is that separation of control vs. user data traffic does not rely on the contents of the packets or frames themselves.
The alternative approach is commonly referred to as in-band signaling. In the in-band approach, both user data and control frames are carried over the same communication channel. An Ethernet link between the core and a peripheral, as one in-band example, carries both user data packets and control packets. Correct operation of the system requires that both the core and the peripherals are reliably able to distinguish control packets from user data packets.
The current methodology of communicating between core and peripherals renders the system open to denial of service attacks by malicious users who "spoof" the control packets. Such spoofing takes the form of maliciously introducing packets configured as control packets into the network in an attempt to seize control of or "own" the switch or communications device, or simply to disrupt its operations. Current systems are also susceptible to the incorrect categorization of user data packets as control packets when, for example, standard test equipment (such as the Netcom Systems, Inc. SMARTBITS(trademark) tester) is configured to run test packets filled with random data through the switch. These random data packets can, probabilistically, assume a format that matches that of a control packet, thereby causing current network communications devices to misinterpret the random data packet as a control packet, with deleterious effects. (SMARTBITS is a trademark of Netcom Systems, Inc. of Calabasas, Calif.)
Communications protocols other than Ethernet and IP are of course also possible. For example, asynchronous transfer mode (ATM) frames may be used to communicate between elements of a distributed switching or routing system. Accordingly, the present problem is not limited to packet-oriented data; the terms "packet" and "frame" may be used interchangeably in the context of the present disclosure. One of ordinary skill in the art will readily appreciate that any data packetization or framing scheme will face the same problems.
What is needed is a system whereby control and data packets or frames are reliably and rapidly distinguishable from one another in transit and on receipt in a communications device. Furthermore, such a system must be robust and resistant to spoofing by outside users as well as resistant to packet mis-identification when configured for testing.
The present invention is a method and apparatus for modifying the error detection code (EDC) generation and verification logic at both ends of the core/peripheral communications link so that data packets and control packets use different algorithms. In particular, data packets are configured to use a standard cyclic redundancy check (CRC) or other EDC scheme while control packets use a special "control" CRC/EDC. Device elements at both ends of the communications link use methods well-known in the art to decide whether a packet is supposed to be a control packet or a data packet. However, if a packet is determined to be a control packet, it is sent over the link with the special control CRC encoding. At the receiving end of the link (in, for example, a peripheral unit within a communications system or device), a test is run on the received packet to determine whether the CRC matches the standard form or, if not, whether the CRC complies with the special control CRC algorithm. If the CRC complies with neither of these two requirements, the packet is flagged as a bad packet and discarded by means well-known in the art. If, however, the packet does not comply with the standard CRC form but does match the control CRC, the packet is checked to see if the header is in the expected control header format, again by means well-known in the art. The packet is forwarded for further processing only if it is in the correct form. If, however, the control CRC is present but the header is incorrectly formatted, the packet is discarded. In either situation, the standard notification method for the receipt of bad packets is initiated.
In the case where the CRC matches the standard data packet CRC form, the packet is checked to see if a control header is present. In this case, i.e., if a control header is found together with the standard CRC, the system concludes that a spoof control packet has been received. The system sets the appropriate alerts through means well-known in the art and discards the packet. If, however, the control header is not present, then the packet is a standard packet having a standard header, i.e., a data packet. The data packet is passed onward for further processing according to the usual means employed in such communications devices.
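As an added illustration, not part of the patent text, the following Python models the receive-side decision procedure of the two paragraphs above. The patent does not specify the control CRC algorithm; here it is assumed to be CRC-32 with a different final XOR, and the control-header marker bytes are constructed for the example.

```python
import zlib

# Constructed control-header marker (assumption for this example): a payload
# whose first bytes match is taken to carry a control header.
CONTROL_MAGIC = b"\xC0\x01"

def std_crc(payload: bytes) -> int:
    """Standard CRC-32, the EDC assumed for ordinary data packets."""
    return zlib.crc32(payload) & 0xFFFFFFFF

def ctrl_crc(payload: bytes) -> int:
    """Assumed 'control CRC': the same CRC-32 with a different final XOR.
    Because the XOR constant is non-zero, it never equals std_crc()."""
    return std_crc(payload) ^ 0xA5A5A5A5

def has_control_header(payload: bytes) -> bool:
    return payload.startswith(CONTROL_MAGIC)

def build_frame(payload: bytes, control: bool) -> bytes:
    """Transmit side: pick the EDC by the sender's control/data decision."""
    crc = ctrl_crc(payload) if control else std_crc(payload)
    return payload + crc.to_bytes(4, "big")

def classify(frame: bytes) -> str:
    """Receive side: returns 'data', 'control', 'spoof' or 'bad'.
    'spoof' and 'bad' frames are discarded and raise the bad-packet alert."""
    if len(frame) < 4:
        return "bad"
    payload, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
    ctrl_hdr = has_control_header(payload)
    if crc == std_crc(payload):
        # Standard CRC with a control header: a spoofed control packet.
        return "spoof" if ctrl_hdr else "data"
    if crc == ctrl_crc(payload):
        # Control CRC is accepted only with a well-formed control header.
        return "control" if ctrl_hdr else "bad"
    # Matches neither EDC: corrupted or random (e.g. test-generator) frame.
    return "bad"

if __name__ == "__main__":
    for label, frame in [
        ("genuine control", build_frame(CONTROL_MAGIC + b"port-stats", True)),
        ("user data", build_frame(b"user payload", False)),
        ("spoofed control", build_frame(CONTROL_MAGIC + b"disable", False)),
    ]:
        print(f"{label:16} -> {classify(frame)}")
```

A random-data test frame that happens to carry control-header bytes still needs its 32-bit trailer to equal the control CRC to be accepted, which is the property the text relies on.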
The present invention and its various embodiments thus provide a fast and efficient security system for protecting a communications device from control packet spoofing and/or interference from randomly-generated test data. This invention provides a robust means of segregating user data from control traffic in systems using in-band signaling. The system is readily adaptable for a wide variety of data communications applications, especially including but not limited to packet routing and switching, data networking, and virtual private circuit networking.