This invention relates to transmission of information between multiple digital devices on a network and between multiple networks on an internetwork. More particularly, this invention relates to a method and apparatus for providing secure network communications on a per-packet level in a network system.
Related technology is discussed in co-assigned copending U.S. patent applications Ser. Nos. 08/502,835, and 08/542,157, entitled METHOD AND APPARATUS FOR TRANSPARENT INTERMEDIATE SYSTEM BASED FILTERING ON A LAN OF MULTICAST PACKETS, filed Oct. 12, 1995.
The background discussion below covers the following topics: Networking Devices; Standards; FIG. 1; Packets; Drivers, Adaptors, and LAN Topology; Other Network Devices; Layers; Inherent Insecurity of Packet Communication.
This specification presumes some familiarity with the general concepts, protocols, and devices currently used in LAN networking applications and in WAN internetworking applications, such as protocols used for networking within a LAN, for example, the IEEE 802 protocol suite available from the IEEE (Institute of Electrical and Electronics Engineers). These IEEE 802 protocols have been revised and reissued by the International Organization for Standardization (ISO) with the designation ISO 8802. Among the protocols specified in IEEE 802 are the LAN protocols (IEEE 802.3) commonly referred to as Ethernet. A separate set of protocols used in internetworking, i.e., connecting multiple LANs, may be referred to as the TCP/IP Protocol Suite. (TCP and IP are acronyms for Transmission Control Protocol and Internet Protocol.) The TCP/IP Suite is promulgated in a series of documents released by the Internet Engineering Task Force. These standards are publicly available and discussed in more detail in the above-referenced patent applications and will not be fully discussed here.
FIG. 1 illustrates a local area network (LAN) 40 of a type that might be used today in a moderate-sized office or academic environment and as an example for discussion purposes of one type of network in which the present invention may be effectively employed. LANs are arrangements of various hardware and software elements that operate together to allow a number of digital devices to exchange data within the LAN and also may include internet connections to external wide area networks (WANs) such as WANs 82 and 84. Typical modern LANs such as 40 are comprised of one to many LAN intermediate systems (ISs) such as ISs 60-62 that are responsible for data transmission throughout the LAN and a number of end systems (ESs) such as ESs 50a-d, 51a-c, and 52a-g, that represent the end-user equipment. The ESs may be familiar end-user data processing equipment such as personal computers, workstations, and printers and additionally may be digital devices such as digital telephones or real-time video displays. Different types of ESs can operate together on the same LAN. In one type of LAN, LAN ISs 60-61 are referred to as bridges and WAN ISs 64 and 66 are referred to as routers, however many different LAN configurations are possible, and the invention is not limited in application to the network shown in FIG. 1.
The LAN shown in FIG. 1 has segments 70a-e, 71a-e, and 72a-e, and 73a. A segment is generally a single interconnected medium, such as a length of contiguous wire, optical fiber, or coaxial cable or a particular frequency band. A segment may connect just two devices, such as segment 70a, or a segment such as 72d may connect a number of devices using a carrier sense multiple access/collision detect (CSMA/CD) protocol or other multiple access protocol such as a token bus or token ring. A signal transmitted on a single segment, such as 72d, is simultaneously heard by all of the ESs and ISs connected to that segment.
In a LAN such as 40, data is generally transmitted between ESs as independent packets, with each packet containing a header having at least a destination address specifying an ultimate destination and generally also having a source address and other transmission information such as transmission priority. ESs generally listen continuously to the destination addresses of all packets that are transmitted on their segments, but only fully receive a packet when its destination address matches the ES's address and when the ES is interested in receiving the information contained in that packet. An ES such as 52g may transmit data to any other device on the LAN by transmitting a data packet containing a destination address for the intended destination. If the intended destination is directly connected to the same segment, such as ES 52d, then ES 52d hears and receives the packet as it is being transmitted by 52g. If, however, the destination ES is not directly connected to the same segment as the source ES, then LAN 40 is responsible for transmitting the data to a segment to which the destination ES is connected. Generally, a source ES is not aware of whether a destination ES in its LAN is directly connected to its segment. The source simply transmits the packet with a destination address and assumes that eventually the destination will hear the packet. Transmissions within the LAN are generally source driven, i.e., the LAN will deliver a data packet from a source to the destination address specified in the packet regardless of whether that destination ES actually wants to receive the packet. In general, packets contain user data that the user of an ES wishes to receive, such as portions of a data file or video or audio data stream which will be reassembled at the ES after all packets that make that file are received, or portions of a video stream which will be displayed to the user. 
In some prior art systems, the data packet may contain information that the ES formerly wished to receive, but no longer wishes to receive, such as packets for a video conference that the ES is no longer connected to. Packets may also be control packets, containing control information that is used to facilitate communication within the network.
Each of the ISs and ESs in FIG. 1 includes one or more adaptors and a set of drivers. An adaptor generally includes circuitry and connectors for communication over a segment and translates data from the digital form used by the computer circuitry in the IS or ES into a form that may be transmitted over the segment, e.g., electrical signals, optical signals, radio waves, etc. An ES such as 50b will have one adaptor for connecting to its single segment. A LAN IS such as 61 will have five adaptors, one for each segment to which it is connected. A driver is a set of instructions resident on a device that allows the device to accomplish various tasks as defined by different network protocols. Drivers are generally software programs stored on the ISs or ESs in a manner that allows the drivers to be modified without modifying the IS or ES hardware.
LANs may vary in the topology of the interconnections among devices. In the context of a communication network, the term "topology" refers to the way in which the stations attached to the network are interconnected. Common topologies for LANs are bus, tree, ring, and star. LANs may also have a hybrid topology made up of a mixture of these. The overall LAN pictured in FIG. 1 has essentially a tree topology, but incorporates one segment, 72d, having a bus topology. A ring topology is not shown in FIG. 1, but it will be understood that the present invention may be used in conjunction with LANs having a ring topology.
The LAN ISs in LAN 40 include bridges 60-63. Bridges are understood in the art to be a type of computer optimized for very fast data communication between two or more segments. A bridge according to the prior art generally makes no changes to the packets it receives on one segment before transmitting them on another segment. Bridges are not necessary for operation of a LAN and, in fact, in prior art systems are generally invisible to the ESs to which they are connected and sometimes to other bridges and routers. Even at the most simple level, a bridge such as 60 tends to isolate network traffic on segments and reduces the chance of collision between packets. Modern bridges also provide filtering functions whereby a bridge learns the LAN addresses of all ESs that may be reached through each of its ports and forwards packets only out of the port to which the destination ES of that packet is connected.
FIG. 2 depicts a packet as it may be transmitted to or from router 64 on LAN segment 73a. The packet is essentially an Ethernet packet, having an Ethernet header 202 and a 48-bit Ethernet address (such as 00:85:8C:13:AA) 204, and an Ethernet trailer 230. Within the Ethernet packet 200 is contained, or encapsulated, an IP packet, represented by IP header 212, containing a 32-bit IP address 214 (such as 199.22.120.33). Packet 200 contains a data payload 220 which holds the data the user is interested in receiving or holds a control message used for configuring the network.
An additional background concept important to understanding network communications is the concept of layered network protocols. Modern communication standards, such as the TCP/IP Suite and the IEEE 802 standards, organize the tasks necessary for data communication into layers. At different layers, data is viewed and organized differently, different protocols are followed, and different physical devices handle the data traffic. FIG. 3 illustrates one example of a layered network standard having a number of layers, which we will refer to herein as the Physical Layer, the Data Link Layer, the Routing Layer, the Transport Layer and the Application Layer. These layers correspond roughly to the layers as defined within the TCP/IP Suite. (The 802 standard has a different organizational structure for the layers and uses somewhat different names.) At the Physical Layer, data is treated as an unformatted bit stream transmitted from one transmitter to one or more receivers over a single segment. ES and IS hardware generally interact with the physical layer through adaptors that accept binary data from the IS or ES and translate that data into signals transmittable on the medium. The adaptors include the circuitry and connections necessary for communication over the medium. Adaptors for PCs are commonly available as standard bus cards which plug into a PC parallel bus and have a connector for connecting to the medium on which network signals are transmitted.
At the Data Link Layer (DLL) (sometimes referred to as Layer 2 or the MAC layer), data is treated as a series of independent packets, each packet containing its own destination address and fields specifying packet length, priority, and codes for error checking.
At the Routing Layer (sometimes referred to as Layer 3), data is treated as a series of independent routing packets. A routing packet contains information necessary for correct delivery of the packet over a large WAN such as the internet. This information is used at the Routing Layer to transfer the packet through the network to its destination.
At the Transport Layer, data is seen as a connection between two hosts on the network. Transport Layer protocols in TCP/IP include TCP and UDP.
The Application layer includes programs that a user interacts with to use network functions, such as e-mail, ftp, remote login, or http. Data at the application layer is often viewed as files.
An important ideal in layered standards is the ideal of layer independence. A layered protocol suite specifies standard interfaces between layers such that, in theory, a device and protocol operating at one layer can coexist with any number of different protocols operating at higher or lower layers, so long as the standard interfaces between layers are followed.
A problem that has increasingly arisen in LAN and WAN network environments is that in most prior art networks packet traffic on the line is fundamentally insecure. In a LAN segment such as 72d, for example, every ES on that LAN segment will hear every packet sent to any ES on that segment. In general, each ES in the network has a unique Ethernet (or MAC) address, and an ES will listen to any packet on the transmission channel and discard any packets it hears that are not addressed to its MAC address.
However, ESs are not forced by the network to discard packets not addressed to them. In general, adaptors placed into ESs such as 52g-d can be configured to operate in promiscuous mode during power-up or when debugging the network. In promiscuous mode, the adaptor reads every packet it hears on the network and passes that packet up the protocol stack to higher layer software running in the ES. During configuring or debugging, these packets are examined to the extent necessary to perform the legitimate task required.
However, promiscuous mode operation also can be used by an ES to read and examine all the network traffic on the network without authorization, even traffic not addressed to that ES. This activity is sometimes known in the art as sniffing. In most existing LAN environments and with most existing hardware, sniffing can be accomplished by a user running software on an ES such as 52f that can reset the ES's Ethernet receive addresses or put the adaptor in promiscuous mode. This software is sometimes referred to in the art as cracking software. Using this software, versions of which are now widely available, an employee or other legitimate user of a LAN can gain unauthorized access to other data on the LAN, using the existing hardware and network connections. In a worst case, this sniffing will be completely undetectable to the person whose traffic is being spied on or to network management.
A related security problem can occur during transmissions from a LAN whereby software running on the LAN can set the outgoing packet addresses to mimic another ES's packets. This technique is known in the art as spoofing. An unscrupulous user spoofing another's packets can introduce unwanted data, such as viruses, into a packet stream being transmitted from the ES, or can hijack a user's network session and gain unauthorized access to other system resources.
There are, however, some times when an ES or other network device will want to legitimately send out a packet with a different MAC address. As one example, on Ethernet there is a concept known as transparent bridging in which an ES acts as a transparent forwarder of packets for some other ES. In some prior art systems, an adaptor can take the source address from a register and insert it into a packet in order to force the MAC address. Older token ring cards also may forcibly insert a source address.
A number of techniques have been proposed or implemented to thwart sniffing and spoofing. These techniques largely rely on verification of either the MAC address or the IP address of the packet. These techniques are limited, however, because there is no guarantee that packets being transmitted on the network have a valid MAC or IP address in their packet header. Some of these techniques are based on a lookup table (LUT) implementation, where MAC addresses and IP addresses are compared to data stored in a LUT. LUT implementations based on the IP address of a packet are limited because even when an IP address is valid, the MAC address may not be and may indicate a spoofed address. LUT implementations have also proven very expensive to implement in terms of the additional hardware that must be incorporated into each adaptor card. Another disadvantage of a LUT verification strategy is that each adaptor's LUT would have to be updated each time a new MAC address was added to the network.
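The following is an added example, not part of the patent text, written to make two points above concrete: the FIG. 2 layout of an IP packet encapsulated in an Ethernet frame, and the stated weakness of an IP-only LUT check, which accepts a packet whose IP address is in the table even when its source MAC is not the one the table associates with that IP. The IP address 199.22.120.33 is taken from the page; the six-octet MAC addresses, the binding table, and the two sample frames are constructed for this example (the page's five-octet MAC example is extended by one octet), and the checking functions are illustrative, not the patent's method.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ETHERTYPE_IPV4 = 0x0800


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def ip_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class ParsedPacket:
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: Optional[str]
    dst_ip: Optional[str]
    payload: bytes


def parse_frame(frame: bytes) -> ParsedPacket:
    """Peel the Ethernet header, then the encapsulated IPv4 header (the FIG. 2 layout)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    body = frame[14:]
    src_ip = dst_ip = None
    payload = body
    if etype == ETHERTYPE_IPV4:
        if len(body) < 20 or body[0] >> 4 != 4:
            raise ValueError("not a well-formed IPv4 header")
        ihl = (body[0] & 0x0F) * 4
        total_len = struct.unpack("!H", body[2:4])[0]
        if ihl < 20 or total_len < ihl or len(body) < total_len:
            raise ValueError("inconsistent IPv4 lengths")
        if ipv4_checksum(body[:ihl]) != 0:
            raise ValueError("bad IPv4 header checksum")
        src_ip, dst_ip = ip_to_str(body[12:16]), ip_to_str(body[16:20])
        payload = body[ihl:total_len]
    return ParsedPacket(mac_to_str(dst), mac_to_str(src), etype, src_ip, dst_ip, payload)


def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
                payload: bytes, proto: int = 17) -> bytes:
    """Construct an Ethernet II frame carrying a minimal IPv4 packet (sample data only)."""
    def to_mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    def to_ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, to_ip(src_ip), to_ip(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill checksum
    return struct.pack("!6s6sH", to_mac(dst_mac), to_mac(src_mac), ETHERTYPE_IPV4) + hdr + payload


# Constructed binding table: source IP -> the MAC the administrator expects it to come from.
BINDINGS: Dict[str, str] = {"199.22.120.33": "00:85:8C:13:AA:01"}


def check_ip_only(pkt: ParsedPacket, bindings: Dict[str, str]) -> str:
    """The IP-only LUT check the text criticises: the source MAC is never consulted."""
    return "accept" if pkt.src_ip in bindings else "reject-unknown-ip"


def check_ip_and_mac(pkt: ParsedPacket, bindings: Dict[str, str]) -> str:
    """Check both fields: a known IP arriving with the wrong source MAC is rejected."""
    expected = bindings.get(pkt.src_ip)
    if expected is None:
        return "reject-unknown-ip"
    if expected != pkt.src_mac:
        return "reject-mac-mismatch"
    return "accept"


# Constructed samples: a frame matching the binding, and one with the same IP but another MAC.
LEGIT_FRAME = build_frame("00:85:8C:13:AA:02", "00:85:8C:13:AA:01",
                          "199.22.120.33", "199.22.120.1", b"hello")
MISMATCH_FRAME = build_frame("00:85:8C:13:AA:02", "02:00:00:00:00:99",
                             "199.22.120.33", "199.22.120.1", b"hello")


def demo() -> Dict[str, str]:
    """Run both checks over both sample frames and return the verdicts."""
    out: Dict[str, str] = {}
    for name, frame in (("legit", LEGIT_FRAME), ("mismatch", MISMATCH_FRAME)):
        pkt = parse_frame(frame)
        out[name + "/ip-only"] = check_ip_only(pkt, BINDINGS)
        out[name + "/ip+mac"] = check_ip_and_mac(pkt, BINDINGS)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block shows the mismatched frame passing the IP-only check and being rejected only by the combined check. The parser also illustrates the layer independence discussed earlier: the Ethernet header is removed without any knowledge of what it carries, and the IPv4 header is interpreted only after the EtherType identifies it.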
While some of these techniques can be effective in certain networking environments, all of them have certain important limitations, including cost. What is needed is a simple, inexpensive technique for ensuring packet security in a LAN system, a technique that does not require ES adaptors to be modified each time a new ES is added to the network.
For purposes of clarity, the present discussion refers to network devices and concepts in terms of specific examples. However, the method and apparatus of the present invention may operate with a wide variety of types of network devices including networks dramatically different from the specific examples illustrated in FIG. 1 and described below. It is therefore not intended that the invention be limited except as done so in the attached claims.