1. Technical Field
The present invention is related generally to the configuration of a computer system for operation on a network. In particular, the present invention allows for automatic configuration of a computer for operation on different local area networks.
2. Description of Related Art
Modern telecommunications depends on networks. A network is a set of interconnected machines (network elements) that allow data to be relayed across the set of machines from a source to a destination. Networks may be classified according to the geographic area they occupy. A local area network (LAN) is usually defined as a network that is physically limited to a relatively small area, such as a building or group of buildings. A wide area network (WAN) is a general term for a network of larger size.
An internetwork, or internet, is a collection of networks interconnected by routers. Routers are network elements that relay (route) data between networks. Most WANs are internets composed of multiple interconnected LANs. Thus, the term WAN is often used to refer to an internet, while the term LAN is often used to denote a constituent network of an internet or WAN. In this document, the terms WAN and LAN are used in this “internetworking” sense, with the caveat that in a significant amount of computing and telecommunications literature the terms LAN and WAN are also used in the previously mentioned “geographical” sense.
The “worldwide Internet” or simply “Internet” (uppercase), which provides the backbone for the World Wide Web, is perhaps the best-known internet (lowercase), and the protocols and standards (e.g., the TCP/IP protocol suite, discussed below) that define the Internet also provide the basic model for most of current networking technology. Thus, in general, technical concepts that apply to the Internet generally find application in other networks and network technologies, as well.
Networking protocols, which define the rules for communication between network elements, are typically designed to work in layers, where each layer performs a slightly different role in data transmission. TCP/IP (Transmission Control Protocol/Internet Protocol) is a collection of protocols (called a protocol suite) that forms the basis for the Internet and many other networks. TCP/IP is generally considered to follow a four-layer protocol model.
The lowest layer of the TCP/IP protocol suite is referred to as the “Link Layer” and it represents the physical interface for supporting a connection to a physical network media, such as a cable or wireless link. The hardware that provides this interface is generally referred to as a “network adapter” (NA). In general, each NA will have a unique “hardware address” that distinguishes the NA from other NAs operating on the same physical network. Communications between network elements on the same physical network typically use these hardware addresses in order to address the communications to the correct NAs (and hence, the correct network elements, which employ those NAs).
The Network Layer, the next highest layer in the four-layer model, handles the movement of data packets around the network. Internet Protocol (IP) is the primary Network Layer protocol of the TCP/IP protocol suite. There are two main versions of IP currently in use: version 4 (IPv4), which is defined in RFC 791, and version 6 (IPv6), which is defined in RFC 1883. IP allows packets of data to be sent from a numerical source address in the network to a numerical destination address specified in the packet's header. Typically, these packets are “encapsulated” in the packets of whatever Link Layer protocol is involved. This means that the IP packets are carried as data payload within the packets generated by a Link Layer protocol.
These numerical addresses in the TCP/IP protocol suite are therefore generally referred to as “IP addresses,” although the generic, non-IP-specific term is “network addresses.” Network addresses are different from hardware addresses, because network addresses are used to identify a network element over an entire WAN, rather than to identify an NA among NAs on the same LAN. Another name for a hardware address is a “MAC address.” MAC stands for “Media Access Control” and refers to the fact that the MAC address is associated with the hardware that controls access to the physical network medium.
In IP and other Network Layer protocols, special destination IP addresses are defined to allow broadcasting of packets over one or more LANs. When a packet is broadcast over a LAN, all network elements in the LAN receive the packet. For example, in IP, when a packet that is addressed to IP address “255.255.255.255” is sent over a LAN, the packet will be received by all network elements on that LAN. To distinguish from broadcasting, the process of sending a packet to a single destination network address is called “unicasting.”
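The encapsulation and addressing just described can be made concrete by decoding a frame. The following is an added example, not part of the patent text: it builds an Ethernet II frame carrying an IPv4 packet (with the RFC 791 header checksum), then parses it back, reporting the hardware (MAC) addresses from the Link Layer header and the network (IP) addresses from the encapsulated IP header, and flagging whether the frame is a Link Layer broadcast (all-ones MAC) or a Network Layer limited broadcast (255.255.255.255). The MAC and IP addresses in the sample frames are constructed for illustration (documentation ranges), not captured traffic.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
BROADCAST_MAC = b"\xff" * 6                 # Link Layer broadcast hardware address
LIMITED_BROADCAST_IP = "255.255.255.255"    # Network Layer limited broadcast address


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str,
                proto: int, payload: bytes) -> bytes:
    """Encapsulate payload in an IPv4 packet, then the packet in an Ethernet II frame."""
    total_len = 20 + len(payload)
    # version 4, IHL 5 words (no options), TOS 0, id 0, flags/fragment 0, TTL 64,
    # checksum placeholder 0 (filled in below)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for IPv4 payloads, the IP header.

    Reports both the hardware (MAC) addresses and the network (IP) addresses,
    and whether the frame is a Link Layer or Network Layer broadcast.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {
        "dst_mac": mac_to_str(dst_mac),
        "src_mac": mac_to_str(src_mac),
        "ethertype": ethertype,
        "link_broadcast": dst_mac == BROADCAST_MAC,
    }
    if ethertype != ETHERTYPE_IPV4:
        return info                          # not IP; nothing more to decode here
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len < ihl or total_len > len(ip):
        raise ValueError("IPv4 total length inconsistent with frame")
    if ip_checksum(ip[:ihl]) != 0:           # a valid header checksums to zero
        raise ValueError("bad IPv4 header checksum")
    dst_ip = socket.inet_ntoa(ip[16:20])
    info.update({
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": dst_ip,
        "protocol": ip[9],
        "ip_broadcast": dst_ip == LIMITED_BROADCAST_IP,
        "payload": ip[ihl:total_len],        # the encapsulated Transport Layer data
    })
    return info


# Constructed sample frames (not captured traffic). Addresses are from the
# RFC 5737 documentation range and the locally administered MAC space.
HOST_MAC = bytes.fromhex("020000000001")
GATEWAY_MAC = bytes.fromhex("020000000002")
UNICAST_FRAME = build_frame(GATEWAY_MAC, HOST_MAC, "192.0.2.10", "192.0.2.1",
                            IPPROTO_UDP, b"hello")
BROADCAST_FRAME = build_frame(BROADCAST_MAC, HOST_MAC, "0.0.0.0",
                              LIMITED_BROADCAST_IP, IPPROTO_UDP, b"discover")

if __name__ == "__main__":
    for name, frame in (("unicast", UNICAST_FRAME), ("broadcast", BROADCAST_FRAME)):
        print(name, parse_frame(frame))
```

The parser validates the IP total length against the frame and rejects a header whose checksum does not verify, which is the minimum a receiver should do before trusting the addresses it extracts; a frame with trailing padding beyond the IP total length is accepted, since Ethernet pads short frames.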
Internet Control Message Protocol version 4 (ICMPv4) (RFC 792) is another Network Layer protocol that is used in conjunction with IPv4 for sending control and error messages. A new version of the protocol, ICMPv6 (RFC 1885), is used in conjunction with IPv6.
The next level up in the four-layer model is the Transport Layer, which is concerned with how packets are sent and received at a single host. TCP/IP uses two main Transport Layer protocols, Transmission Control Protocol (TCP) (RFC 793) and User Datagram Protocol (UDP) (RFC 768), which provide additional functionality on top of IP.
The top layer, the Application Layer, represents the functionality for supporting a particular network application. There are many Application Layer protocols for supporting network applications, such as electronic mail.
Additional protocols within the TCP/IP protocol suite provide mechanisms for dynamic configuration of network elements when new network elements are added to a network. Some of these are discussed below.
Reverse Address Resolution Protocol (RARP) (RFC 903) allows a network element that is newly added to the network to obtain its assigned network address. The network element broadcasts a request packet containing the network element's hardware address. Another network element, typically a router, unicasts a reply packet to the requesting network element to provide the requesting network element with its assigned IP address. RARP can be used by diskless “network computers” or graphical terminals, which contain no facility for permanently storing a network address, to obtain a network address. RARP can also be used to dynamically assign network addresses from a set of network addresses to hosts that enter a network.
Bootstrap Protocol (BOOTP) (RFC 951) and Dynamic Host Configuration Protocol (DHCP) (RFC 1541), an enhanced variant of BOOTP, are two additional protocols that, like RARP, may be used by a host to obtain its IP address. These protocols are more versatile than RARP, because BOOTP and DHCP allow a host to obtain additional configuration information besides a network address, such as the location of a boot image. A request in either of these two protocols is made by broadcasting a request packet over the requesting network element's LAN. A BOOTP or DHCP “server” receives the request and sends back a reply.
BOOTP was designed to be extendable to allow additional information and features to be added to the protocol. DHCP is a protocol that is interoperable with BOOTP, but which allows a larger amount and variety of configuration data to be obtained by a requesting host. Also, DHCP allows a host to submit an identifier in its request, to allow the DHCP server to return configuration information specific to the particular host.
The dynamic configuration protocols just discussed were designed to allow a diskless “network computer” or terminal to boot an operating system or other code from a network without the need for a boot disk. These protocols may also be used in network elements that are only temporarily connected to a network, in order to allow a network address to be temporarily assigned to the network element and for additional configuration information to be transmitted to the network element.
These dynamic configuration protocols, however, suffer from a number of security weaknesses, because they are designed to freely distribute network configuration information in an unprotected form. For example, these protocols do not prevent a malicious user from setting up an unauthorized protocol server (such as a DHCP server) and then sending false or potentially disruptive information to clients, which can be used to compromise affected systems. Likewise, these protocols do not prevent unauthorized clients from obtaining network information or tying up network resources.
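The BOOTP/DHCP message layout described above (a fixed RFC 951 header followed by the DHCP option field) and the unauthorized-server weakness just noted can be seen together in the following added example, which is not part of the patent text. It assembles a server-to-client DHCP reply, parses the fixed header and the type-length-value options, and then audits the reply the way a network monitor on the LAN would: a DHCPOFFER or DHCPACK whose server identifier (option 54) is not on an allowlist of authorized servers, or whose router option (option 3) names a gateway that is not on a trusted list, is reported. The allowlists, the client MAC and the IP addresses are constructed for illustration (RFC 5737 documentation addresses), not values from any real network.

```python
import socket
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP option field
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54
DHCPOFFER, DHCPACK = 2, 5


def build_dhcp_reply(xid: int, chaddr: bytes, yiaddr: str, server_id: str,
                     router: str, msg_type: int = DHCPOFFER) -> bytes:
    """Assemble a server-to-client DHCP message: BOOTP fixed header + options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0,            # op, htype (Ethernet), hlen, hops
        xid, 0, 0x8000,                # transaction id, secs, flags (broadcast bit)
        b"\0" * 4,                     # ciaddr
        socket.inet_aton(yiaddr),      # "your" address: the lease being offered
        b"\0" * 4, b"\0" * 4,          # siaddr, giaddr
        chaddr, b"", b"")              # chaddr (zero-padded to 16), sname, file
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
               + bytes([OPT_SUBNET_MASK, 4]) + socket.inet_aton("255.255.255.0")
               + bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
               + bytes([OPT_END]))
    return header + DHCP_MAGIC_COOKIE + options


def parse_dhcp(packet: bytes) -> dict:
    """Decode the RFC 951 fixed header and the type-length-value option field."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", packet[:8])
    if hlen > 16:
        raise ValueError("hardware address length exceeds chaddr field")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value              # a later duplicate overwrites an earlier one
        i += 2 + length
    return {
        "op": op, "xid": xid,
        "chaddr": packet[28:28 + hlen].hex(":"),
        "yiaddr": socket.inet_ntoa(packet[16:20]),
        "options": options,
    }


def audit_reply(packet: bytes, authorized_servers: set, trusted_routers: set) -> list:
    """Return findings for a DHCPOFFER/DHCPACK; an empty list means nothing suspicious."""
    msg = parse_dhcp(packet)
    findings = []
    if msg["op"] != BOOTREPLY:
        return findings                    # client requests are not audited here
    mtype = msg["options"].get(OPT_MSG_TYPE, b"")
    if mtype not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return findings
    server_id = msg["options"].get(OPT_SERVER_ID)
    if server_id is None or len(server_id) != 4:
        findings.append("reply lacks a valid server identifier (option 54)")
        return findings
    server = socket.inet_ntoa(server_id)
    if server not in authorized_servers:
        findings.append(f"lease {msg['yiaddr']} offered by unauthorized server {server}")
    routers = msg["options"].get(OPT_ROUTER, b"")
    for k in range(0, len(routers) - len(routers) % 4, 4):
        gw = socket.inet_ntoa(routers[k:k + 4])
        if gw not in trusted_routers:
            findings.append(f"reply from {server} advertises unexpected default gateway {gw}")
    return findings


# Constructed sample messages (not captured traffic), using RFC 5737 addresses.
AUTHORIZED_SERVERS = {"192.0.2.1"}   # hypothetical allowlist for this LAN
TRUSTED_ROUTERS = {"192.0.2.1"}
CLIENT_MAC = bytes.fromhex("020000000001")
LEGITIMATE_OFFER = build_dhcp_reply(0x3903F326, CLIENT_MAC, "192.0.2.50",
                                    "192.0.2.1", "192.0.2.1")
ROGUE_OFFER = build_dhcp_reply(0x3903F326, CLIENT_MAC, "192.0.2.50",
                               "192.0.2.99", "192.0.2.99")

if __name__ == "__main__":
    for name, pkt in (("legitimate", LEGITIMATE_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_reply(pkt, AUTHORIZED_SERVERS, TRUSTED_ROUTERS))
```

Because the protocol carries no authentication, the audit can only compare what a reply claims against what the operator expects; it identifies an unauthorized server after the fact rather than preventing the client from accepting its offer, which is exactly the gap the text describes.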
RFC 1541, which defines DHCP, suggests that at least one reason current dynamic configuration protocols are insecure is that they were designed to work with diskless hosts, and the task of configuring diskless hosts to support authentication is prohibitively difficult and inconvenient. As mobile and wireless networking become more prevalent, however, both the need for dynamic configuration and the need for information security increase, since mobile and wireless devices (including those of malicious users) can readily move from one network to another. Thus there is a need for a secure way of automatically configuring a computing device for use with multiple networks.