Packet-based transmission of digitally encoded information between different parties over IP (Internet Protocol) networks is used for a variety of communication services, such as e-mail messaging, Internet browsing, voice and video telephony, content streaming, games, and so forth. Digitally encoded information is arranged into data packets at a sending party, which are then transmitted towards a targeted receiving party over a transmission path. The transmission path between the sending party and the receiving party may include various networks, switches, gateways, routers and interfaces. The communicating parties are often referred to as “end-hosts” which may be any type of equipment capable of packet-based IP communication, such as fixed and mobile telephones, computers, servers, game stations, etc. In this description, the term end-host will generally represent any such communication equipment.
An end-host connected to the Internet or other IP network has typically been assigned a forwarding identity in the form of an IP address needed for routing any data packets directed to that end-host along a transmission path. Typically, the end-host has also been assigned a more or less intelligible name in a text string, e.g. a conventional e-mail address or web address, such as user@operator.com, which is associated with an assigned IP address of either the actual user/end-host or some other host receiving messages on behalf of the user. A DNS (Domain Name Server) system comprising a hierarchy of DNS servers is used for retrieving the current IP address of a particular host name. Thus, an end-host can query the DNS system with a host name to communicate with, and the DNS will then reply by providing the current IP address of the corresponding end-host. This type of query is sometimes referred to as a destination query, identity query or address query, the latter being used throughout this description.
Data packets are basically configured with a data field containing payload data and a header field in which the sending end-host inserts the destination address of the target end-host, i.e. the IP address obtained from the DNS system. Thus, each data packet is routed over multiple network nodes, generally referred to as IP routers, along a suitable transmission path based on the destination address in the packet's header field.
In addition to simply receiving and forwarding data packets, an IP router may also be capable of other functions such as security functions, packet scheduling, and translation of addresses and protocols. Further, end-hosts may have a filter/firewall functionality for determining whether incoming data packets should be admitted or discarded, e.g. according to settings typically made by a user or administrator associated with the end-host.
Each router in an IP network typically comprises ingress and egress units acting as interfaces for receiving and sending data packets, respectively. The router also comprises a routing or forwarding function for determining which router an incoming data packet should be sent to as a “next hop” towards the final destination, based on a forwarding table defined in the router. As is well-known in this field, a data packet can often be routed along multiple alternative paths depending on the network topology and the current traffic load.
Links to the “nearest” neighbouring routers are provided in each router by means of corresponding ports, and a forwarding architecture is also configured in the routers based on the distribution of topology information and link information. Each port can have an IP address and an IP mask configured on its interfaces, and routing protocols are used to distribute this information among the routers in the network in a configuring procedure. From the distributed topology information, each router then calculates its own forwarding table, containing multiple destination IP addresses and associated outgoing ports. As each incoming data packet has a destination IP address in its header, that address is used to find the matching entry in the forwarding table. The main function of the forwarding table is thus to determine the appropriate outgoing port, leading to the next-hop router, for each incoming packet.
In FIG. 1, the basic structure of a conventional IP router 100 is shown, when situated in an IP network. Among other things, IP router 100 comprises an ingress part 100a, an egress part 100b and a forwarding function here schematically represented by a forwarding table 100c. The egress part 100b comprises a plurality of outgoing ports PA, PB, PC, . . . leading to different neighbouring routers A, B, C, . . . , respectively, to which router 100 is directly connected. Any incoming data packet 102 has a payload field PL and a header H, the latter containing the destination address for the packet.
The forwarding table 100c is comprised of multiple entries each containing an IP mask, an IP address and an outgoing port number. The IP mask may be defined in terms of a hexadecimal encoded string such as, e.g., FF.FF.FF.0, or FF.FF.8.0, etc. Briefly described, the destination address in header H is combined with the IP masks in forwarding table 100c by applying a logic “AND”-operation, in order to detect a matching entry with the same IP address. The purpose of this masking mechanism is to aggregate the traffic towards several distinct destinations, and to simplify identification of the outgoing port for the aggregate. Effectively, the bit mask works similarly to a “wildcard” when comparing and matching destination addresses to the entries. Once a matching entry is found, the packet can be sent out on the outgoing port according to the port number of that entry.
The incoming data packet 102, which may have been forwarded from a previous router (not shown) to router 100, is thus first received at the ingress unit 100a. It is then determined which next router the packet should be sent to, based on the destination address in header H and using the forwarding table 100c and the above logic “AND”-operation. In this example, the incoming packet 102 has a destination IP address that, when combined with the mask, matches the IP address of an entry in forwarding table 100c having port number PC. The packet 102 is therefore sent out on the corresponding port which is connected to router C, being the next-hop router in this case.
As mentioned above, a routing protocol is used to distribute topology and link information among the routers in an IP network. The currently used routing protocols are configured to obtain “resilience”, i.e. packets must be re-routed in a different path in the case of link or node failure in the original path. The routing protocols are also configured to facilitate router management, since configuring routers is typically a cumbersome task which is generally desirable to simplify. Thus, in case of detecting failure in a link or node, the routing protocol will reconfigure the forwarding table in affected routers and at the same time distribute the information to the routers, thereby simplifying the management. In order to obtain scalability, which otherwise is an inherent problem in the routing architecture, the routing process can use aggregation of routes based on the above hierarchical bit-mask scheme, which is well-known in the art and not necessary to describe here further.
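The mask-and-compare lookup described for forwarding table 100c, and the re-routing that a routing protocol performs when a port or link fails, can be modelled in a few lines. The following is an added example, not code from the patent or from any router product; the entry layout, the dotted-hexadecimal mask parser, the helper names and the addresses in the table are all assumptions constructed for illustration. It goes slightly beyond the single-match case in the text by applying the usual longest-prefix tie-break when more than one entry matches, and it counts how many per-host rows one aggregate row replaces, which is the scalability point made later in this section.

```python
# Added example (not from the patent): a minimal IP forwarding table that
# mirrors the "AND destination with mask, compare to entry address" lookup.
# All names and addresses below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    """One forwarding-table row: network address, bit mask and outgoing port."""
    address: int   # network address as a 32-bit integer (already masked)
    mask: int      # bit mask as a 32-bit integer
    port: str      # outgoing port, e.g. "PC"


def parse_mask_hex(dotted_hex: str) -> int:
    """Parse a mask written in dotted hexadecimal, e.g. 'FF.FF.FF.0' -> 0xFFFFFF00."""
    parts = dotted_hex.split(".")
    if len(parts) != 4:
        raise ValueError("mask must have four dotted components")
    value = 0
    for part in parts:
        octet = int(part, 16)
        if not 0 <= octet <= 0xFF:
            raise ValueError(f"mask component out of range: {part}")
        value = (value << 8) | octet
    return value


def make_entry(network: str, mask_hex: str, port: str) -> Entry:
    """Build a row; the stored address is pre-masked so a row is never ambiguous."""
    addr = int(ipaddress.IPv4Address(network))
    mask = parse_mask_hex(mask_hex)
    return Entry(addr & mask, mask, port)


def lookup(table: List[Entry], destination: str) -> Optional[str]:
    """Return the outgoing port for a destination address, or None if nothing matches.

    Each entry is tested by AND-ing the destination with the entry's mask and
    comparing the result to the entry's address. If several entries match, the
    one with the most mask bits set (the longest prefix) wins; that tie-break is
    standard IP practice and is an assumption beyond the text's single-match case.
    """
    dest = int(ipaddress.IPv4Address(destination))
    best: Optional[Entry] = None
    for entry in table:
        if dest & entry.mask == entry.address:
            if best is None or bin(entry.mask).count("1") > bin(best.mask).count("1"):
                best = entry
    return best.port if best else None


def withdraw_port(table: List[Entry], failed_port: str) -> List[Entry]:
    """Drop every row that leads over a failed port.

    Remaining aggregate or default rows then carry the traffic: a toy version of
    the re-routing a routing protocol performs after detecting a link failure.
    """
    return [entry for entry in table if entry.port != failed_port]


def hosts_covered(mask_hex: str) -> int:
    """Number of per-host rows that a single row with this mask aggregates."""
    mask = parse_mask_hex(mask_hex)
    return ((~mask) & 0xFFFFFFFF) + 1


# Constructed table: aggregate rows plus a default route on port PA.
FORWARDING_TABLE = [
    make_entry("10.1.0.0", "FF.FF.0.0", "PB"),      # aggregate, covers 65536 hosts
    make_entry("10.1.200.0", "FF.FF.FF.0", "PC"),   # more specific row inside it
    make_entry("192.168.8.0", "FF.FF.F8.0", "PC"),  # 2048-host aggregate via PC
    make_entry("0.0.0.0", "0.0.0.0", "PA"),         # default route: mask matches all
]

if __name__ == "__main__":
    for dst in ("10.1.200.5", "10.1.3.4", "192.168.15.77", "192.168.16.1"):
        print(dst, "->", lookup(FORWARDING_TABLE, dst))
    # Port PC fails: traffic for 10.1.200.5 falls back to the aggregate via PB.
    print("after PC fails:", lookup(withdraw_port(FORWARDING_TABLE, "PC"), "10.1.200.5"))
```

The default row uses a mask of all zeros, so the AND yields 0 for every destination and it matches everything; it is only selected when no row with more mask bits set also matches, which is what makes aggregation and a default route coexist in one table.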
However, a major problem in IP networks and the Internet is that the security support is generally insufficient, as explained below. In a sense, the above-mentioned resilience can sometimes make it “too easy” to get packets across the network. This is because the current routing architecture and protocols were originally designed for a “friendly” environment, i.e. assuming that there are no “illicit” or “corrupt” users communicating in IP networks and that no protection is necessary for the transmission of data packets. Nevertheless, it has been found necessary or desirable to add various security solutions to the IP architecture in order to protect the communicated data, such as IP-sec at a lower layer and TLS (Transport Layer Security) at a higher layer. These protocols can provide authentication and encryption of the data packets. Further, MPLS (Multiprotocol Label Switching) is a solution for building Layer 3 VPNs (Virtual Private Networks) to ensure secure communication. In the VPN case, when an intranet is used, private addressing is required and the network is somewhat isolated from the public Internet, such that external unauthorized hosts are not allowed to reach and communicate with the hosts attached to the intranet.
Other prior solutions for providing security in the routing protocol include: secure communication between routers such that no illicit entity can eavesdrop on, manipulate or imitate a router; the establishment of IP-sec tunnels between router ports to protect the transport of packets between routers; and link security on layer 2, e.g. according to IEEE 802.1AE or IEEE 802.10. Various authentication procedures using cryptographic keys can also be used, e.g. according to DNSSec (DNS Security), HIP (Host Identity Protocol) and CGA (Cryptographically Generated Addresses), to enhance the security. However, while protection against unwanted traffic is used for certain applications (e.g. spam filtering for e-mails), no basic protection against violating end-hosts and unwanted data packets has been generally provided in the public IP infrastructure.
Since the internal forwarding identities, i.e. IP addresses, are publicly distributed end-to-end in the manner described above, any end-host is basically able to send messages and data packets to any other end-host over the Internet, resulting in the well-known problems of flooding, spamming, viruses, fraud and so-called “Denial-of-service” (DoS) threats. Hence, it has generally become a problem that any end-host can deliver data packets entirely beyond the control of the receiving end-host, and that public packet-switched networks such as the Internet have no mechanism in the IP infrastructure for preventing data packets from potentially illicit or corrupt end-users from being routed to the receiver.
Functionality of varying complexity can, however, be added at the end-host or in the link layer, such as filters/firewalls or the like, in order to limit the connectivity. These are “last line of defence” solutions, meaning that the transport of unwanted data packets can still consume network resources along the entire sender-receiver path, even though the packets are ultimately discarded at the receiver.
Another problem in communication systems with many end-hosts and multiple routers is that the forwarding tables in the routers would comprise an enormous number of entries if a security solution is used that cannot employ the above-described bit-masking of IP addresses, or any equivalent thereof, to achieve aggregation of routes. Such large forwarding tables can be very complex to handle, requiring substantial resources for storing, processing and communication, which may typically result in undesirable costs and delays. In particular, if a cryptographic security mechanism is introduced in the routers, the overhead would become even greater, e.g. due to management of cryptographic keys and/or cryptographic processing, thereby making complexity reductions in the routers all the more desirable.