The present invention is related generally to data communications networks, and in particular to security features of such networks.
In a typical prior art data communications network, each user of the network is coupled to a corresponding node that provides access to the network and the nodes in turn are coupled to each other by physical network media such as copper or fiber cable. For example, the nodes may be network switches responsible for establishing connections among various network segments interconnecting the users, as well as for establishing connections between the users and the inter-nodal medium. The users are computers, such as workstations, that use the network to exchange data in the form of files, mail messages, etc. The network is a collection of users, nodes, media, and other devices and interconnections that are centrally managed via a network management station (NMS) connected to the medium.
At any given time, the network has a configuration, one aspect of which is the distribution of addresses that uniquely identify network components. In general, each user is identified by a single unique address. The nodes may have associated with them items known as prefixes, which are commonly used for routing data through the network. Each prefix represents a portion of an address that is common to a set of users coupled to the respective node. For example, a pair of users on a given node having addresses 16165551212 and 16161234567 share the common prefix 1616. The prefix scheme allows routing to be hierarchical, that is, different parts of a connection are established by different elements in the network. In the example above, if a calling user is attempting to connect to a called user having the address 16161234567, the connection would first be routed to the node to which the called user is coupled, based solely on the 1616 prefix. That node would then extend the connection to the called user based on the remaining address portion 1234567.
The prefixes are stored in data structures on the nodes. In general, there may be more than one prefix per node, depending of course on the configuration of addresses of the users coupled to it. Additionally, there may be cases in which a node stores full addresses either in addition to or instead of prefixes. For such addresses, routing is performed in a non-hierarchical manner, i.e., each node examines the entire address in order to route connections. Because of the potentially mixed nature of the routing information at each node, the data structure in which the prefixes or addresses reside on a node is referred to as an "address/prefix structure". Each node contains an address/prefix structure for routing purposes.
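The following is an added illustration, not text or code from the patent, of how an address/prefix structure of the kind described above could route a call. It models each node as a table mixing full addresses of locally attached users (examined in their entirety) with prefixes that name a next-hop node; the node names, addresses and ports are constructed for the example, and the rule that the longest matching prefix wins when several match is an assumption the patent text does not state.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AddressPrefixStructure:
    """Hypothetical per-node routing table holding both full addresses and prefixes."""
    # Full addresses of users attached to this node -> local port (non-hierarchical routing).
    users: dict = field(default_factory=dict)
    # Address prefixes -> name of the next-hop node (hierarchical routing).
    prefixes: dict = field(default_factory=dict)

    def route(self, called: str) -> Optional[tuple]:
        """Return ("local", port, "") for an attached user, ("forward", node, remainder)
        when a prefix matches, or None when the address is not routable from here."""
        if called in self.users:                       # whole address examined
            return ("local", self.users[called], "")
        best = None
        for prefix in self.prefixes:                   # longest-prefix match (assumption)
            if called.startswith(prefix) and (best is None or len(prefix) > len(best)):
                best = prefix
        if best is None:
            return None
        # The remainder is what the next node uses to extend the connection.
        return ("forward", self.prefixes[best], called[len(best):])


# Constructed three-node network: 1616 belongs to node_b, 16165 to node_c, 1212 to node_a.
NODES = {
    "node_a": AddressPrefixStructure(
        users={"12125550100": "a-port-1"},
        prefixes={"1616": "node_b", "16165": "node_c"}),
    "node_b": AddressPrefixStructure(
        users={"16161234567": "b-port-2"},
        prefixes={"1212": "node_a", "16165": "node_c"}),
    "node_c": AddressPrefixStructure(
        users={"16165551212": "c-port-1"},
        prefixes={"1212": "node_a", "1616": "node_b"}),
}


def trace_route(ingress: str, called: str, max_hops: int = 8) -> Optional[list]:
    """Walk the call from the ingress node to the called user's port, one hop at a time."""
    path = [ingress]
    node = ingress
    for _ in range(max_hops):
        decision = NODES[node].route(called)
        if decision is None:
            return None                                # no route: call cannot be set up
        kind, target, _remainder = decision
        path.append(target)
        if kind == "local":
            return path
        node = target
    return None                                        # hop limit hit (loop or too long)


if __name__ == "__main__":
    print(NODES["node_a"].route("16161234567"))        # forward to node_b, remainder 1234567
    print(trace_route("node_a", "16161234567"))        # node_a -> node_b -> b-port-2
    print(trace_route("node_a", "16165551212"))        # longer prefix 16165 wins -> node_c
```

The `route` method keeps the two behaviours the text distinguishes side by side: a full-address entry is matched on the entire address, while a prefix entry only decides the next hop and hands the remaining digits onward.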
The typical network discussed above may be either of two known types. One type of network is referred to as a "packet-switched" network. In such a network, there is never a dedicated channel between two users over which data is freely passed. Rather, data streams are segmented into discrete blocks known as "packets", and each packet is routed independently through the network over a series of "hops", or short interconnections. An example of such a protocol is the Internet Protocol (IP). In the other type of network, referred to as a "connection-based" network, data is transferred between users in streams of arbitrary length. A connection is set up between a calling user and a called user, and data is then freely exchanged between them over the connection as though they were connected by a single private channel. This type of network is analogous to the public switched telephone network, in which two participants in a phone call enjoy an uninterrupted private connection for the duration of the call. An example of a connection-based network is Asynchronous Transfer Mode (ATM).
The present invention applies to connection-based network protocols such as those employed in an ATM network.
One extension of the ATM protocol is known as Closed User Group (CUG) functionality. In an ATM system having CUG support, sets of users form distinct entities called closed user groups, or CUGs, having properties that enable certain security measures to be used during network operation. The basic function enabled by using CUGs is the selective authorization of "calls", or connection requests, among network users. In general, a user A that is a member of a CUG can both call and receive calls from a user B that is a member of the same CUG, but cannot call or receive calls from a user C that is not a member of the same CUG. Through the use of CUGs, a network manager can establish sub-groups in the network within which communication is freely allowed, while restricting communications outside of such groups. An example of a network in which CUG functionality might be useful is a network having a portion dedicated to use by one company and another portion used by a joint venture in which that company and another company participate. The desire is for free data exchange among users within the company and among users within the joint venture, but limited and controlled exchange between the two organizations. To accomplish these goals, a different CUG could be established for each organization. Then one or more additional CUGs overlapping these two could be established to allow specific groups of users from the two organizations to communicate. CUGs have network-wide scope, and are therefore managed on a network-wide basis by the network management station (NMS). Each CUG has a unique identifier in the network and additional properties more fully discussed below. Formally, a CUG is a set of addresses and/or regular expressions, each of which is known as a "CUG member" or a "CUG member rule". Each CUG has a set of member rules associated with it, and each member rule defines a characteristic possessed by the addresses of users who belong to that CUG. Most commonly, the member rules define prefixes. The membership of a CUG is the set of network users whose addresses each satisfy at least one of the member rules for that CUG. The structure, arrangement and use of member rules is described in more detail below.
In a network having CUG functionality, calls between users are authorized by determining the CUG membership of the calling user and called user, and then determining if they are members of any common CUGs. If so, the call is allowed to proceed, and if not, the call is rejected. This call-authorization process is transparent to the users except for the possibility of having a call request rejected, a possibility that exists whether CUGs are supported or not. The call authorization process is carried out within the network, and involves in particular two nodes termed the "ingress node" and the "egress node". An ingress node is a node at which a call request is first received from a calling user, i.e., the node to which the calling user is coupled. Likewise, an egress node is the node from which the call request is forwarded on to a called user coupled to that node after being authorized.
The traditional manner in which CUG calls are authorized proceeds as follows. During the initialization of the network (or subsequent re-configuration, as necessary), each node receives from the NMS all the CUG member rules that might affect the CUG membership of users attached to that node; in general, each node may receive numerous rules and the received rules may be associated with many different CUGs. When a call is placed, each ingress and egress node carries out the following actions:
1) Find all member rules affecting the CUG membership of the calling and called users;
2) Determine which CUGs the calling and called users belong to;
3) Determine whether the calling and called users belong to at least one common CUG, in which case the call is authorized;
4) If the call is authorized, forward the call on toward the called user, and if not, drop the call and return a call rejection message to the calling user.
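As an added example that is not part of the patent text, the following models the traditional four-step authorization above together with the member-rule definitions given earlier (prefix, full address and regular expression rules). The CUG identifiers, rules and addresses are constructed for the illustration: one CUG for a company, one for a joint venture, and an overlapping "liaison" CUG that admits specific users from both.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Set, Tuple


@dataclass(frozen=True)
class MemberRule:
    """One CUG member rule as distributed by the NMS (hypothetical representation)."""
    cug_id: str
    kind: str        # "prefix", "address" or "regex"
    pattern: str

    def matches(self, address: str) -> bool:
        if self.kind == "prefix":
            return address.startswith(self.pattern)
        if self.kind == "address":
            return address == self.pattern
        if self.kind == "regex":
            return re.fullmatch(self.pattern, address) is not None
        raise ValueError(f"unknown rule kind {self.kind!r}")


# Constructed rule set: a company CUG, a joint-venture CUG, and an overlapping liaison CUG.
RULES = [
    MemberRule("CUG-company", "prefix", "1616"),
    MemberRule("CUG-venture", "prefix", "1212"),
    MemberRule("CUG-liaison", "address", "16161234567"),      # one named company user
    MemberRule("CUG-liaison", "regex", r"1212555\d{4}"),      # a block of venture users
]


def cug_membership(address: str, rules: Iterable[MemberRule]) -> Set[str]:
    """Steps 1 and 2: scan every rule that could affect this address and collect the
    CUGs whose rules it satisfies. Cost grows with the number of rules per call."""
    return {rule.cug_id for rule in rules if rule.matches(address)}


def authorize_call(calling: str, called: str, rules: Iterable[MemberRule]) -> Tuple[str, Set[str]]:
    """Steps 3 and 4: the call proceeds only if the two users share at least one CUG.
    Returns the action the node takes and the set of common CUGs that justified it."""
    rules = list(rules)
    common = cug_membership(calling, rules) & cug_membership(called, rules)
    if common:
        return ("FORWARD", common)
    return ("REJECT", set())         # drop the call; a rejection goes back to the caller


if __name__ == "__main__":
    # Within the company: allowed via CUG-company.
    print(authorize_call("16165551212", "16161234567", RULES))
    # Company user to venture user with no overlapping CUG: rejected.
    print(authorize_call("16165551212", "12125550100", RULES))
    # The designated liaison users on both sides: allowed via CUG-liaison.
    print(authorize_call("16161234567", "12125550100", RULES))
```

Note that every call re-evaluates the whole rule list for both addresses; this per-call scan is the processing cost the next paragraph refers to, and it grows with the number of users, CUGs and rules in the network.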
The general technique for call authorization described above requires significant processing at the time of a call, especially in larger networks having numerous users and potentially numerous CUGs and their associated member rules.
For this reason, a node such as a switch, for example, that offers CUG support using the traditional call-authorization technique generally has lower performance (as measured in connections established per second) than a similar switch having no CUG support. As a general matter, then, network managers have heretofore been required to sacrifice performance, or to achieve it at additional expense and complexity, in order to incorporate the desirable security-enhancing functionality of CUGs into their networks.