1. Field of the Invention
The present invention relates to computer networks, and more specifically to such networks having valuable resources, e.g., content, storage and media or media servers, or other gateways, in short, any valuable asset needing protection.
2. Background Information
Data communication in a computer network involves the exchange of data between two or more entities interconnected by communication links and subnetworks (subnets). These entities are typically software programs executing on hardware computer platforms, such as end nodes and intermediate network nodes. The intermediate network nodes interconnect the communication links and subnets to enable transmission of data between the end nodes, such as personal computers or workstations. A local area network (LAN) is an example of a subnet that provides relatively short distance communication among the interconnected nodes, whereas a wide area network (WAN) enables long distance communication over links provided by public or private telecommunications facilities. The Internet is an example of a WAN that connects disparate computer networks throughout the world, providing global communication between nodes on various networks.
Communication software executing on the nodes correlates and manages data communication with other nodes. The nodes typically communicate by exchanging discrete messages or packets of data according to predefined protocols, such as the Transmission Control Protocol/Internet Protocol (TCP/IP). In this context, a protocol consists of a set of rules defining how the nodes interact with each other. In addition, network routing software executing on the intermediate nodes allows expansion of communication to other nodes. Collectively, these hardware and software components comprise a collection of computer networks.
Since management of computer networks can prove burdensome, smaller groups of one or more computer networks can be maintained as separate routing domains or autonomous systems (AS's). In this context, a routing domain is broadly construed as a collection of interconnected nodes within a common address space (e.g., a level, area or AS), and an AS is a routing domain managed by a single administrative entity, such as a company, an academic institution or a branch of government. To interconnect dispersed networks and/or provide Internet connectivity, many organizations rely on the infrastructure and facilities of Internet Service Providers (hereinafter “Service Provider” or “SP”).
An SP is an example of an AS that typically owns one or more “backbone” networks configured to provide high-speed connection to the Internet. To interconnect private routing domains that are geographically diverse, an organization (customer) may subscribe to one or more SPs and couple its private domain networks to the SP's equipment. Here, an intermediate network node, such as a switch or router, may be utilized to interconnect a plurality of private networks to an IP backbone network.
A main component in a router is a routing information base (RIB). The RIB is a process that manages a routing table that may hold many (e.g., thousands of) routes computed by different protocols, including both interior gateway protocols (IGP) and exterior gateway protocols (EGP). IGP protocols, such as conventional link-state protocols, are intra-domain routing protocols that define the manner in which routing information and network-topology information are exchanged and processed in a routing domain, such as an SP backbone network. Examples of conventional link-state protocols include, but are not limited to, the Open Shortest Path First (OSPF) protocol and the Intermediate-System-to-Intermediate-System (ISIS) protocol. The OSPF protocol is described in more detail in Request for Comments (RFC) 2328, entitled OSPF Version 2, dated April 1998, which is incorporated herein by reference in its entirety. The ISIS protocol is described in more detail in RFC 1195, entitled Use of OSI IS-IS for Routing in TCP/IP and Dual Environments, dated December 1990, which is incorporated herein by reference in its entirety.
Each router running IGP maintains an identical link-state database (LSDB) describing the topology of the routing domain. Each piece of the LSDB is a particular router's local state, e.g., the router's usable interfaces and reachable neighbors or adjacencies. As used herein, neighboring routers (or “neighbors”) are two routers that have interfaces to a common network, wherein an interface is a connection between a router and one of its attached networks. Moreover, an adjacency is a relationship formed between selected neighbors for the purpose of exchanging routing information and abstracting the network topology. One or more router adjacencies may be established over an interface. Each router distributes its local state throughout the domain in accordance with an initial LSDB synchronization process and a conventional flooding algorithm.
On the other hand, EGP's are inter-domain routing protocols that define how information is exchanged between autonomous systems. One well known EGP is the Border Gateway Protocol version 4 (BGP). To implement the BGP protocol, each routing domain (e.g., AS) includes at least one “border” router through which it communicates with the other interconnected AS's. Before transmitting messages, however, the routers cooperate to establish a logical “peer” connection (session). BGP generally operates over a reliable transport protocol, such as TCP. The BGP peers exchange routing (reachability) information among the neighboring autonomous systems. The BGP processes exchange routing information with other BGP processes that are not in the same AS using an external form of BGP, and with BGP processes within the same AS using an internal form of BGP.
The routing information exchanged by BGP neighbors typically includes destination address prefixes, i.e., the portions of destination addresses used by the routing protocol to render routing (“next hop”) decisions, and associated path attributes. Examples of such destination addresses include Internet Protocol (IP) version 4 (IPv4) and version 6 (IPv6) addresses. An example of a path attribute is a next-hop address. Note that the combination of a set of path attributes and a prefix is referred to as a “route”; the terms “route” and “path” may be used interchangeably herein. The BGP routing protocol is well known and described in detail in RFC 1771, by Y. Rekhter and T. Li (1995), Internet Draft <draft-ietf-idr-bgp4-20.txt> titled, A Border Gateway Protocol 4 (BGP-4) by Y. Rekhter and T. Li (April 2003) and Interconnections, Bridges and Routers, by R. Perlman, published by Addison Wesley Publishing Company, at pages 323-329 (1992), all disclosures of which are hereby incorporated by reference.
Service Providers (SP's) are one example of sites that generally have highly valuable resources in their networks, for example, content servers, data storage servers, media gateways, media servers, etc. Every border point of the SP network is potentially an entry into the SP network for a malicious user attacking the valuable resources. For example, a denial of service (DoS) attack floods the resource with requests so that legitimate requests are ignored or at best responded to after long delays. In effect, the resource is rendered useless.
An SP or other AS network manager with valuable resources typically need only fear malicious users that are sending packets toward the valuable resources from an external interface. Such an interface is external if the IGP has no adjacency over it, for example, if the source is not on the SP's backbone. One known approach to protect those resources is by using Access Control Lists (ACL's). An ACL acts as a filter by controlling whether routed packets are forwarded or blocked at the router's interface. Each packet is examined based on pre-specified criteria found in the ACL. If the criteria are met, the packet is forwarded in a normal fashion. Note, an ACL may be used negatively, where if pre-specified criteria are met the packet is dropped and/or logged. But, herein ACL's are assumed to be used in a positive sense. The criteria used to route or block in an ACL are very flexible and may include: source or destination addresses or ranges thereof, and protocols, where each protocol may have its own specific set of criteria. If a packet reaches the end of the list without matching any criteria, it is dropped and/or logged, etc.
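The positive-sense ACL just described, as an added illustration that is not part of this patent text: entries are evaluated in order, the first matching entry forwards the packet, anything reaching the end of the list is dropped and logged, and filtering is applied only on interfaces over which the IGP has no adjacency. The addresses, interface names and the policy itself are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set

@dataclass(frozen=True)
class Packet:
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # transport port; absent for icmp

@dataclass(frozen=True)
class AclEntry:
    """One permit entry: address ranges plus protocol-specific criteria."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dports: Sequence[int] = ()    # tcp/udp only; empty means any port

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        return not self.dports or p.dport in self.dports

def filter_packet(acl: List[AclEntry], p: Packet, interface: str,
                  igp_adjacent: Set[str], log: List[str]) -> str:
    """Positive ACL: first permit entry forwards; no match -> drop and log.
    Interfaces carrying an IGP adjacency are internal and are not filtered."""
    if interface in igp_adjacent:
        return "forward"
    for entry in acl:
        if entry.matches(p):
            return "forward"
    log.append(f"drop on {interface}: {p.proto} {p.src}->{p.dst}:{p.dport}")
    return "drop"

# Constructed policy guarding two hypothetical resources in 10.0.0.0/24.
RESOURCE_ACL = [
    AclEntry(dst="10.0.0.5/32", proto="tcp", dports=(80, 443)),        # content server
    AclEntry(dst="10.0.0.9/32", proto="udp", dports=(53,)),            # resolver
    AclEntry(src="192.0.2.0/24", dst="10.0.0.0/24", proto="icmp"),     # monitoring pings
]
IGP_ADJACENT = {"Gi0/0"}   # constructed: backbone-facing port with an OSPF neighbor

def demo():
    log: List[str] = []
    web = Packet("203.0.113.7", "10.0.0.5", "tcp", 443)
    ssh = Packet("203.0.113.7", "10.0.0.5", "tcp", 22)
    return [filter_packet(RESOURCE_ACL, web, "Gi0/1", IGP_ADJACENT, log),
            filter_packet(RESOURCE_ACL, ssh, "Gi0/1", IGP_ADJACENT, log),
            filter_packet(RESOURCE_ACL, ssh, "Gi0/0", IGP_ADJACENT, log)], log
```

The third call shows why the invention's notion of "external" matters: the same unmatched packet is forwarded untouched when it arrives on the interface that carries an IGP adjacency.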
Still, in an AS having many border routers, keeping ACL's up-to-date is a laborious and operationally intensive task since the ACL's or other such devices need to be loaded into each and every border router, typically by a network manager. The present invention is directed towards making the protection of a network's valuable resources more automatic, simpler and less laborious.