1. Field of the Invention
This invention relates to the field of information networks, and more particularly relates to a method and apparatus for inspecting the bindings created by a packet of an inter-layer binding protocol.
2. Description of the Related Art
The arsenal of tools available for both protecting and penetrating networking environments is impressive in both quantity and ability. Some of these tools are highly specialized, while others are multipurpose and serve as building blocks for larger toolkits. One such tool is the network “sniffer.” Network “sniffing,” in its most generic form, consists of intercepting communications (e.g., frames or packets) from the network and viewing their contents. The ability to do this has been widespread for some time and has been employed by network administrators (e.g., troubleshooting problems), so-called “crackers” (those intercepting passwords and files) and others. It will be noted that, in relative terms, it is only recently that network sniffing has become possible on a switched network. As might be expected, tools that allow network sniffing on switched networks have now surfaced. A brief explanation follows of the manner in which non-switched networks operate and how such networks can be sniffed, as well as the manner in which switched networks operate and how these networks can also be sniffed.
FIG. 1A is a block diagram illustrating generally the architecture of a non-switched network environment, depicted in FIG. 1A as a network 100. Included in network 100 are a number of nodes (nodes 102(1)-(N)) that are coupled to a router 104 by a hub 106. Each of nodes 102(1)-(N) is coupled to a respective port of hub 106 (not shown). In the non-switched network environment depicted in FIG. 1A, the concept of a network segment exists. A segment is a network architecture that resides behind a router, bridge, hub or switch, in which every node is directly addressable from every other node. This is also referred to in certain networks as a sub-net. Nodes 102(1)-(N), then, are depicted in FIG. 1A as being in a segment (depicted in FIG. 1A as a sub-net 108).
In a non-switched environment, frames are handled in a broadcast manner. That is, when one node transmits a frame, it is ‘seen’ by every node on the segment. Each node, in turn, briefly examines the frame to see if the frame is addressed to the given node. If not, the given node discards the frame. However, if the node is the intended recipient, the node accepts the frame for processing. For the purposes of this discussion, node 102(2) is designated as the host that employs a sniffing agent. Nodes 102(1) and 102(3) represent the ‘innocents’ who are merely trying to communicate with one another.
FIG. 1B is a flow diagram illustrating the flow of traffic in a non-switched network when one or more datastreams in the network are sniffed. In order for a node to be used as a sniffing agent, the node's network interface is set to ‘promiscuous’ mode. Setting this mode typically requires root or administrator access at the node. After this mode is set, the node's network interface will no longer drop network frames which are addressed to other hosts. Rather, the node's network interface will pass these frames up to the higher network layers with the expectation that some software at a higher layer will process such frames.
The process depicted in FIG. 1B begins with node 102(1) transmitting a frame, and indicating in the frame that the frame is being transmitted to node 102(3) (step 150). Hub 106 then broadcasts the frame to each of its active ports (step 155). Node 102(2) receives the frame and examines the destination address in the frame (steps 160 and 165). Because node 102(2) is set to ‘promiscuous’ mode (step 170), node 102(2) accepts the frame (although not addressed to node 102(2)) (step 175). As noted, setting the node's network interface to ‘promiscuous’ mode allows the network interface to accept any frames, regardless of the address (e.g., MAC (Media Access Control) address) in the frame. However, even though the interface will save the frame, some higher level software is typically required to process the data. Next, others of nodes 102(1)-(N) (e.g., other nodes coupled to active ports on hub 106) receive the frame and determine that they are not the intended host (steps 160, 165 and 170), and so discard the frame (step 180). (Of course, were the network interface of node 102(2) not set to ‘promiscuous’ mode, node 102(2) would ignore the packet, as well.) In the case of the intended destination (node 102(3)), node 102(3) also receives the frame and examines the frame's destination address (steps 160 and 165). After node 102(3) determines that it is the intended host (step 125), node 102(3) processes the frame further (step 185).
For completeness, it should be noted that the actions of steps 160/165/170/180, 160/165/170/175, and 160/165/185 may variously be transposed or occur simultaneously, as the prediction as to which node will receive the frame first is not important for purposes of this discussion. For practical purposes, it can be assumed that these operations occur at the same time, without loss of generality.
From FIGS. 1A and 1B, it can be seen that a non-switched environment is susceptible to sniffing. Such an environment requires little extra effort on the part of the sniffing agent, because the hub broadcasts the frames to all active ports. As alluded to earlier, several such sniffing utilities exist, and are publicly available. Such capabilities allow unscrupulous parties to view information as the information is passed between “innocent” nodes, unnoticed by those nodes or their users, in an arrangement referred to as a “man-in-the-middle” attack. Moreover, once a hacker sniffing the datastream has inserted themselves between the innocent parties, the hacker is at liberty to generate all manner of replies to either side, in a completely transparent manner.
FIG. 2A is a block diagram illustrating generally the architecture of a switched network environment, depicted in FIG. 2A as a network 200. In a switched network environment, the concept of a network segment continues to exist, but such a network segment includes only the switch and the node concerned, and frames are handled in a direct manner. That is, frames from a first node to a second node are only sent across the circuits in the switch that are necessary to complete a connection between the first and second nodes.
Included in network 200 are a number of nodes (nodes 202(1)-(N)) that are coupled to a router 204 by a switch 206. Each of nodes 202(1)-(N) is coupled to a respective port of switch 206 (not shown). In the switched network environment depicted in FIG. 2A, the concept of a network segment exists. A segment is a network architecture that resides behind a router, bridge, hub or switch, in which every node is directly addressable from every other node. This is also referred to in certain networks as a sub-net. Nodes 202(1) and 202(3), then, are depicted in FIG. 2A as being in a segment (depicted in FIG. 2A as a sub-net 208).
FIG. 2B is a flow diagram illustrating the normal flow of traffic in a switched network. First, node 202(1) transmits a frame, and indicates in the frame that the frame is being transmitted to node 202(3) (step 210). Switch 206 then examines the frame and determines to which node (port) a connection should be made (step 220). Once this determination has been made, switch 206 configures a connection between the ports to which nodes 202(1) and 202(3) are coupled, respectively (step 230). Switch 206 then forwards the frame to its intended node, node 202(3) (step 240). Once node 202(3) receives the frame, node 202(3) examines the frame's destination address to determine if node 202(3) is the frame's intended destination (step 250). If this address determination indicates that node 202(3) is not the proper destination, the frame is not processed. Otherwise, node 202(3) performs whatever processing is a matter of course for the frame (step 260).
This mode of operation carries some intrinsic benefits:
1) Lower network traffic because frames are not broadcast to each node, which translates to higher bandwidth through a reduction in the collision domain.
2) Lower node processing overhead as a result of each node only having to process frames that are meant for that node.
However, there are some tradeoffs. For example, the switch is burdened with higher overhead processing requirements because the switch must create, on the fly, virtual connections between machines.
As can be seen, a switched network is not as exposed to sniffing as a non-switched network, because a switched network does not broadcast most frames. However, several methods are available to sniff switched networks. An example of such methods is address resolution protocol (ARP) spoofing, which is briefly discussed below.
One of the basic operations of the internet protocol (IP) revolves around ARP (Address Resolution Protocol) requests and replies. In general, when a first node wants to communicate with a second node on the network, the first node sends an ARP request. The second node will send an ARP reply that includes its MAC address. Even in a switched environment, this initial ARP request is sent in a broadcast manner. It is possible for a third node to craft and send an unsolicited, fake ARP reply to the first node. This fake ARP reply will specify that the third node has the IP address of the second node. The first node then unwittingly sends the traffic to the third node, since the third node has represented itself to have the intended IP address. Some available tools are specialized for sending fake ARP replies to classes of machines (e.g., NFS servers, HTTP servers and the like). One such tool, “dsniff,” works well in sniffing for specific types of traffic. Other tools listen for the general ARP request and send the fake ARP reply at that time, and serve well to sniff an entire network. For this type of attack to work, the third node must be able to forward the frames it receives on to their intended destination. This is most commonly achieved through some type of IP forwarding, either at the kernel or application level.
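The request/reply exchange just described, seen from the inspecting side: an added Python example (not from the patent) that parses RFC 826 Ethernet/IPv4 ARP packets, learns IP-to-MAC bindings only from replies that answer a request it has observed, and flags any reply that is unsolicited or that contradicts a learned binding. All addresses and frames are constructed sample data for the three-node scenario above.

```python
import struct
from collections import namedtuple

ARP_REQUEST, ARP_REPLY = 1, 2
Arp = namedtuple("Arp", "oper sha spa tha tpa")  # RFC 826 field names: sender/target MAC and IP

def parse_arp(payload: bytes) -> Arp:
    """Parse a 28-byte Ethernet/IPv4 ARP packet into colon-MAC / dotted-IP strings."""
    if payload[:6] != bytes.fromhex("000108000604"):  # htype=1, ptype=IPv4, hlen=6, plen=4
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    oper, sha, spa, tha, tpa = struct.unpack("!H6s4s6s4s", payload[6:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return Arp(oper, mac(sha), ip(spa), mac(tha), ip(tpa))

def build_arp(oper, sha, spa, tha, tpa) -> bytes:
    """Build an ARP packet; used here only to construct sample input, not captured traffic."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

class ArpInspector:
    """Learns bindings only from solicited replies; flags unsolicited or conflicting replies."""
    def __init__(self):
        self.bindings = {}    # ip -> mac learned from replies that answered an observed request
        self.pending = set()  # (requester ip, requested ip) pairs awaiting a reply

    def inspect(self, pkt: Arp) -> list:
        alerts = []
        if pkt.oper == ARP_REQUEST:
            self.pending.add((pkt.spa, pkt.tpa))
        elif pkt.oper == ARP_REPLY:
            known = self.bindings.get(pkt.spa, pkt.sha)  # what we already believe about this IP
            if (pkt.tpa, pkt.spa) in self.pending:       # answers a request we saw: safe to learn
                self.pending.discard((pkt.tpa, pkt.spa))
                self.bindings.setdefault(pkt.spa, pkt.sha)
            else:
                alerts.append(f"unsolicited reply: {pkt.spa} is-at {pkt.sha} to {pkt.tpa}")
            if known != pkt.sha:
                alerts.append(f"binding conflict for {pkt.spa}: {known} vs {pkt.sha}")
        return alerts

def run_sample() -> list:
    """Node 1 asks for node 3, node 3 answers, then node 2 claims node 3's IP (constructed data)."""
    n1, n2, n3 = ("02:00:00:00:00:01", "10.0.0.1"), ("02:00:00:00:00:02", "10.0.0.2"), ("02:00:00:00:00:03", "10.0.0.3")
    frames = [build_arp(ARP_REQUEST, n1[0], n1[1], "00:00:00:00:00:00", n3[1]),
              build_arp(ARP_REPLY, n3[0], n3[1], n1[0], n1[1]),
              build_arp(ARP_REPLY, n2[0], n3[1], n1[0], n1[1])]  # forged: node 2's MAC, node 3's IP
    inspector = ArpInspector()
    return [a for f in frames for a in inspector.inspect(parse_arp(f))]
```

A legitimate gratuitous ARP (sent on an address change) is also reported as unsolicited, so such alerts need to be weighed against local address-management policy before acting on them.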
While there are several methods to protect against such attacks, none is without its own disadvantages. (It will be noted that some of these methods are applicable to both non-switched and switched network environments.) These solutions include IP filtering, port security, and routing security.
By enabling IP filtering on the switch, a user directly specifies which traffic is allowed to flow to and from each port. While potentially effective, such an approach can be a monumental effort to put in place and manage, especially if the environment is dynamic.
Alternatively, if the hub or switch has the ability to enable port security, such measures can help to protect the network's nodes from both MAC flooding and MAC spoofing attacks. This feature effectively prevents the hub or switch from recognizing more than one MAC address on a physical port. However, this, like many security procedures, restricts the environment and amplifies the need for a management process, as well as an auditing process.
Moreover, pushing security to the network node level is undesirable for a variety of reasons. First, it makes the source of security available to anyone with access to such nodes. Also, it greatly amplifies the task of managing such security measures, because each node must be separately configured to support such security measures. This proves particularly challenging in network environments where nodes' connectivity changes dynamically (e.g., the laptop example).