There is a general need, when implementing network protocols, to recognize and reduce the harmful effects of unauthorized (bogus, erroneous, corrupted) messages transmitted on a network. Such messages have been handled in the past by, for example, firewalls that store state information relating to outgoing requests and block responses and/or other messages arriving from the network that are inconsistent with that state information.
It is also noted that many networks incorporate communication protocols wherein network nodes propagate messages between a requesting node and a respondent node. In such networks, the requesting node issues a request message that is received and then forwarded by one or more nodes within the network. The network nodes pass the request to one or more other nodes until the request reaches the respondent node. The respondent node thereafter formulates and transmits a response to the requesting node via one or more intermediate nodes.
Intermediate nodes vary in their degree of participation in network protocols. Some merely route requests without inspecting their contents. However, in certain types of networks (e.g., peer-to-peer) it is desirable for such intermediate nodes to filter/read information conveyed within the packets that pass through them and to incorporate information contained within those packets into their own data stores. An example of a protocol executed on networks that generally employ intermediate nodes to pass requests to a networked respondent node, and wherein the intermediate nodes incorporate selected information from certain forwarded packets (e.g., name resolution responses), is the Peer-to-peer Name Resolution Protocol (PNRP).
PNRP facilitates resolving a unique, 256-bit PNRP identification embedded within a request to a particular Internet Protocol (IP) address and port contained in a response packet passed back to the originator of the request. PNRP does not utilize a centralized authority, but rather relies upon multiple, de-centralized name resolution authorities to provide IP address responses to PNRP requests. An originator of a request passes a name (ID) resolution request to one or more intermediate nodes that, in turn, propagate the request (embedded within an outgoing packet) to a name resolution facility. One of potentially many name resolution facilities on the network determines a corresponding IP address and port. The corresponding IP address and port are placed within a response message (embedded within an incoming packet) that is returned to the originator of the request via potentially one or more “listening” intermediate nodes. In accordance with PNRP, network entities (including clients on intermediate nodes) are permitted to listen for published name/address pairing information transmissions (e.g., naming responses) on the network. Such proliferation of name/address information increases the likelihood of successfully locating a named entity's address/port at some later time. In particular, in a PNRP environment, network clients acquire address knowledge by reading name resolution responses received by the node hosting the network client. Since there is no centralized authority, it is important for the nodes to maintain accurate name/address information.
However, the network name/address knowledge acquisition method described above for a peer-to-peer name resolution environment exposes listening clients on the network nodes to contamination of their name/address resolution information by network entities that publish name resolution responses containing false/inaccurate address information. Such false information is then stored within the name resolution data storage space of listening network clients when those clients update their name/address information in accordance with the unsolicited/false naming responses. This vulnerability to false responses presents a high degree of risk to networks that allow an intermediate node to build a name resolution cache by listening to naming response packets.
It is known for firewalls and other packet-filtering mechanisms to examine state information when a packet is initially transmitted. In addition to determining whether to block transmission of the packet, the packet-filtering mechanisms maintain the state information for purposes of processing subsequent responses to ensure that they are authorized. Packet filtering using state information of course presents a cost to the computing node implementing such measures. In particular, generating, storing and removing state information becomes costly and a potentially significant burden upon system resources when thousands of such states are simultaneously maintained by a network node.
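The following is an added illustration, not code from the document or from any PNRP implementation, of the two situations described above: an intermediate node that caches every name/address pair it overhears (and is therefore poisoned by an unsolicited false response), beside a node that keeps per-request state and only learns from responses matching a request it actually forwarded, including the growth and expiry of that state table. The 256-bit identifiers, the nonce that ties a response to its request, the addresses, the port and the TTL are all constructed assumptions for this model and do not reflect PNRP's real message formats.

```python
"""Toy model of a PNRP-style intermediate node learning name/address pairs.

Constructed example; the message layout (peer_id, nonce, ip, port) is an
assumption for illustration and is not the PNRP wire format.
"""
from dataclasses import dataclass
import hashlib
from typing import Dict, Tuple


@dataclass(frozen=True)
class Request:
    peer_id: str      # 256-bit identifier as hex (constructed derivation, see make_id)
    requester: str    # who asked; informational only in this model
    nonce: int        # assumed request/response correlator


@dataclass(frozen=True)
class Response:
    peer_id: str
    ip: str
    port: int
    nonce: int


def make_id(name: str) -> str:
    """Assumption: derive a 256-bit ID by hashing the name; real PNRP ID
    construction differs, but any 256-bit value serves the model."""
    return hashlib.sha256(name.encode()).hexdigest()


class ListeningNode:
    """Caches every name/address pair it overhears: no check that a response
    answers a request this node forwarded, so forged responses are accepted."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[str, int]] = {}

    def observe(self, resp: Response) -> bool:
        self.cache[resp.peer_id] = (resp.ip, resp.port)
        return True


class StatefulNode:
    """Learns only from responses matching a pending forwarded request.
    Pending entries cost memory, so they are expired after `ttl` seconds."""

    def __init__(self, ttl: float = 30.0) -> None:
        self.cache: Dict[str, Tuple[str, int]] = {}
        self.pending: Dict[Tuple[str, int], float] = {}  # (peer_id, nonce) -> time sent
        self.ttl = ttl

    def forward_request(self, req: Request, now: float) -> None:
        self.pending[(req.peer_id, req.nonce)] = now

    def expire(self, now: float) -> None:
        stale = [k for k, sent in self.pending.items() if now - sent > self.ttl]
        for k in stale:
            del self.pending[k]

    def observe(self, resp: Response, now: float) -> bool:
        self.expire(now)
        key = (resp.peer_id, resp.nonce)
        if key not in self.pending:
            return False          # unsolicited or stale: dropped, never cached
        del self.pending[key]     # one response consumes the state entry
        self.cache[resp.peer_id] = (resp.ip, resp.port)
        return True

    def state_count(self) -> int:
        return len(self.pending)


def run_scenario() -> dict:
    """One legitimate response, one forged response, then a burst of
    forwarded requests to show the size of the state table and its expiry."""
    alice = make_id("alice")
    legit = Response(alice, "192.0.2.10", 3540, nonce=7)       # constructed
    forged = Response(alice, "198.51.100.66", 3540, nonce=99)  # constructed, unsolicited

    listener = ListeningNode()
    stateful = StatefulNode(ttl=30.0)
    stateful.forward_request(Request(alice, "bob", nonce=7), now=0.0)

    results = {
        "listener_legit": listener.observe(legit),
        "listener_forged": listener.observe(forged),
        "stateful_legit": stateful.observe(legit, now=1.0),
        "stateful_forged": stateful.observe(forged, now=2.0),
    }
    results["listener_cache"] = listener.cache[alice]   # poisoned entry wins
    results["stateful_cache"] = stateful.cache[alice]   # legitimate entry kept

    # Cost of state: every forwarded request leaves an entry until it is answered or expires.
    for i in range(1000):
        stateful.forward_request(Request(make_id(f"peer{i}"), "bob", nonce=i), now=10.0)
    results["pending_after_burst"] = stateful.state_count()
    stateful.expire(now=50.0)   # 40 s later, beyond the 30 s TTL
    results["pending_after_expiry"] = stateful.state_count()
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Running the scenario shows the listening node ending up with the forged address for `alice`, while the stateful node rejects the unsolicited response and retains the legitimate pair; the burst of forwarded requests leaves a thousand pending entries until the TTL sweep removes them, which is the per-state cost the text refers to.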