FIG. 1 is a schematic illustration of IP networks 101, 106 including nodes. The figure illustrates two optional network topologies, while those versed in the art will appreciate that many other topologies are possible and hence the illustrated topologies are not limiting. Hereinafter, every physical element connected to the network constitutes a node. The illustrated network 101 constitutes a Local Area Network (LAN), which is connected to the Internet 102 via a router 103. The router 103 can connect directly to end nodes 104, including workstations, such as a personal computer (PC), servers such as UNIX workstations, terminals such as X-terminals, etc. Alternatively, the router 103 can connect to one or more hubs 105, to which additional end nodes 104 can connect. It is noted that the hub 105, in this case, is a simple hub (i.e., it is a non-switched hub) and hence the nodes connected thereto are in the same broadcast domain as the end nodes connected to the router 103. Furthermore, those versed in the art would appreciate that a router can have more than one network interface card, connecting it to different networks or portions of networks; hence it should be appreciated that hereinafter (throughout the specification) the router 103 represents one interface, connecting the router to the network 101. It is also noted that routers (such as router 103), hubs (such as hub 105), end nodes 104 and other physical elements including a network interface together constitute “nodes”. Network 106 is another example of an IP network, which includes a switch 107 to which end nodes 104 are connected. It is appreciated that, like network 101, network 106 also constitutes one broadcast domain. In addition, those versed in the art would appreciate that it is possible to connect network 106 to the Internet via a router (such as router 103); yet, it was already indicated that the router may have several network interface cards, and indeed in FIG. 1 two such network interface cards exist, one for connecting the router to the network 106 and one for connecting it to the Internet 102. Hence, only the NIC connecting the router to the network 106 is considered to be a member of the broadcast domain, and therefore in FIG. 1 it appears that only part of the router is part of the network while another part thereof is external thereto.
There are several network protocols known in the art, which allow different functionalities in a communication network. For example, Request For Comments (RFC) 826 (published in 1982), which is publicly available and incorporated herein by reference, deals with converting protocol addresses (e.g. IP addresses) to local network addresses (e.g., Ethernet addresses), a protocol known as Address Resolution Protocol (ARP).
According to RFC 826, when a packet is sent down through the network layers, routing determines the protocol address of the next hop for the packet and on which piece of hardware it expects to find the station with the immediate target protocol address. In the case of the 10 Mbit Ethernet, address resolution is needed and some lower layer (probably the hardware driver) must consult the Address Resolution module (perhaps implemented in the Ethernet support module) to convert the <protocol type, target protocol address> pair to a 48-bit Ethernet address. The Address Resolution module tries to find this pair in a “translation table” or “ARP cache”. If it finds the pair, it gives the corresponding 48-bit Ethernet address back to the caller (hardware driver), which then transmits the packet. If it does not find the pair, it probably informs the caller that it is throwing the packet away (on the assumption that the packet will be retransmitted by a higher network layer) and generates an address resolution packet with opcode REQUEST for the target protocol address. It then causes this address resolution packet to be broadcast to all stations on the Ethernet cable originally determined by the routing mechanism.
When an address resolution packet is received, the receiving Ethernet module gives the packet to the Address Resolution module, which merges the <protocol type, sender protocol address, sender hardware address> triplet into its local translation table before checking whether it should generate a reply. Note that if an entry already exists for the <protocol type, sender protocol address> pair, then the new hardware address supersedes the old one. Then, if the opcode is a REQUEST and the target protocol address matches the protocol address of the receiving machine, the receiving machine generates a REPLY, transmitting it to the machine that generated the REQUEST. In addition, it is noted that when communicating with a machine outside the LAN, it is the router's physical address that is resolved instead of the remote machine's address.
According to RFC 826, it sometimes happens that a host goes down or moves (e.g., when the protocol address (such as an IP address) is reassigned to a different physical piece of hardware). In order to keep the translation table up-to-date, a timeout mechanism can be used: after a suitable timeout (hereinafter an “ARP-check-timeout”), the machine considers removing an entry from the table. It may send an address resolution packet with opcode REQUEST (i.e., an ARP request) directly to the Ethernet address in the table. If a REPLY (i.e., an ARP reply) is not seen within a short amount of time, the entry is deleted from the translation table.
It should be noted that according to RFC 826, the Address Resolution Protocol and packet format described therein are allowed to be used for non-10 Mbit Ethernets. Therefore, hereinafter, instead of referring to an “Ethernet address”, reference is made to a “physical address”, which is more general.
It is noted that according to several address resolution protocols, operating systems maintain two different predetermined values for the ARP-check-timeout, namely an in-session-ARP-check-timeout and an out-of-session-ARP-check-timeout, wherein the in-session-ARP-check-timeout is longer than the out-of-session-ARP-check-timeout. For example, Microsoft Windows® operating systems (including, e.g., Microsoft Windows 2000®, Microsoft Windows XP® and Microsoft Windows 2003®) maintain an in-session-ARP-check-timeout of 10 minutes, i.e., these operating systems keep an entry in their translation table for 10 minutes (while in session) before they send an ARP request to the entry's respective target node and before they remove the entry from the translation table. If no session is currently in progress, Microsoft Windows® operating systems (including, e.g., Microsoft Windows 2000®, Microsoft Windows XP® and Microsoft Windows 2003®) maintain an out-of-session-ARP-check-timeout of 2 minutes.
In addition, according to several address resolution protocols, when an address resolution packet with opcode REQUEST is sent before removing an entry from the translation table, the address resolution packet is broadcast instead of being sent directly to the physical address in the table.
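The following Python model is an added illustration of the RFC 826 behaviour described above and of the check-timeouts just discussed; it is not code from the patent or from any of the cited references. It parses the RFC 826 packet layout for Ethernet/IP (ar$hrd, ar$pro, ar$hln, ar$pln, ar$op followed by the sender and target addresses), merges the sender triplet into a translation table, lets a new hardware address supersede the old one exactly as the RFC specifies, answers a REQUEST aimed at the receiving machine with a REPLY, and reports which entries have reached their ARP-check-timeout using the 10-minute in-session and 2-minute out-of-session values the text attributes to Windows. Because RFC 826 accepts a changed hardware address without question, the model also keeps an audit trail of such changes, which is the check a defender would want when monitoring a broadcast domain. The class and function names, the `demo()` scenario and all addresses and timings in it are constructed for this example.

```python
import struct
from dataclasses import dataclass

ETHERNET = 1           # ar$hrd value for 10Mb Ethernet (RFC 826)
IPV4 = 0x0800          # ar$pro value for IP
REQUEST, REPLY = 1, 2  # ar$op values

# Check-timeouts the text attributes to Microsoft Windows, in seconds.
IN_SESSION_ARP_CHECK_TIMEOUT = 10 * 60
OUT_OF_SESSION_ARP_CHECK_TIMEOUT = 2 * 60


@dataclass
class ArpPacket:
    opcode: int
    sender_hw: bytes
    sender_proto: bytes
    target_hw: bytes
    target_proto: bytes


def build_arp(opcode, sender_hw, sender_proto, target_hw, target_proto):
    """Serialize an RFC 826 packet for Ethernet/IP."""
    header = struct.pack("!HHBBH", ETHERNET, IPV4,
                         len(sender_hw), len(sender_proto), opcode)
    return header + sender_hw + sender_proto + target_hw + target_proto


def parse_arp(data: bytes) -> ArpPacket:
    """Parse ar$hrd, ar$pro, ar$hln, ar$pln, ar$op and the four addresses,
    using the declared lengths rather than assuming 6- and 4-byte addresses."""
    if len(data) < 8:
        raise ValueError("short ARP header")
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", data[:8])
    if len(data) < 8 + 2 * (hln + pln):
        raise ValueError("truncated ARP packet")
    off, fields = 8, []
    for length in (hln, pln, hln, pln):
        fields.append(data[off:off + length])
        off += length
    return ArpPacket(op, *fields)


@dataclass
class Entry:
    hw: bytes
    last_merged: float        # time of the most recent merge, in seconds
    in_session: bool = False  # whether a higher layer is talking to this host


class TranslationTable:
    """The receiving side of RFC 826: merge the sender triplet, then reply if asked."""

    def __init__(self, my_proto: bytes, my_hw: bytes):
        self.my_proto, self.my_hw = my_proto, my_hw
        self.table = {}    # (protocol type, protocol address) -> Entry
        self.changes = []  # audit trail: (protocol address, old hw, new hw)

    def receive(self, data: bytes, now: float):
        """Merge the sender triplet; return a REPLY if the REQUEST is for us."""
        pkt = parse_arp(data)
        key = (IPV4, pkt.sender_proto)
        old = self.table.get(key)
        # RFC 826: the new hardware address supersedes the old one. The
        # protocol never questions the change, so we at least record it.
        if old is not None and old.hw != pkt.sender_hw:
            self.changes.append((pkt.sender_proto, old.hw, pkt.sender_hw))
        self.table[key] = Entry(pkt.sender_hw, now, old.in_session if old else False)
        if pkt.opcode == REQUEST and pkt.target_proto == self.my_proto:
            return build_arp(REPLY, self.my_hw, self.my_proto,
                             pkt.sender_hw, pkt.sender_proto)
        return None

    def entries_to_check(self, now: float):
        """Protocol addresses whose ARP-check-timeout has elapsed. The owner
        would now send each one a REQUEST (unicast per RFC 826, broadcast on
        some stacks) and delete the entry if no REPLY arrives."""
        due = []
        for (_, proto), entry in self.table.items():
            limit = (IN_SESSION_ARP_CHECK_TIMEOUT if entry.in_session
                     else OUT_OF_SESSION_ARP_CHECK_TIMEOUT)
            if now - entry.last_merged >= limit:
                due.append(proto)
        return due


def demo():
    """Constructed scenario: host A asks for our address, we start a session
    with A, and 30 seconds later A's protocol address is seen coming from a
    different hardware address (the host-moved case RFC 826 anticipates)."""
    us = TranslationTable(bytes([10, 0, 0, 1]), bytes.fromhex("020000000001"))
    a_ip, a_hw = bytes([10, 0, 0, 2]), bytes.fromhex("020000000002")
    req = build_arp(REQUEST, a_hw, a_ip, b"\0" * 6, us.my_proto)
    reply = us.receive(req, now=0.0)
    us.table[(IPV4, a_ip)].in_session = True
    moved_hw = bytes.fromhex("020000000003")
    us.receive(build_arp(REPLY, moved_hw, a_ip, us.my_hw, us.my_proto), now=30.0)
    return reply, us
```

Running `demo()` yields a REPLY addressed to host A, a table entry for A that now carries the newer hardware address, one recorded change in the audit trail, and an entry that is not yet due for a check two minutes after the last merge (because it is in session) but is due ten minutes after it.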
U.S. Pat. No. 7,124,197 (“Security apparatus and method for local area networks”, published in 2006) describes a method and apparatus for controlling data link layer access to protected servers on a computer network by a client device. Address resolution requests broadcast on the network by the client device seeking access to any network device are received and then processed to determine whether the client device is unknown. If the client device is unknown, restriction address resolution replies are transmitted to the protected devices to restrict access by the client device to the protected devices and allow access to an authentication server. The authentication server is monitored to determine if the client device is authorized or unauthorized by the authentication server. If the client device is authorized, access is allowed to the protected devices. If the client device is unauthorized, blocking address resolution replies are transmitted on the computer network to block access by the client device to all other network devices.
WO2005/053230 (“Method and system for collecting information relating to a communication network”, published in 2005) discloses a method and a system for collecting information relating to a communication network. Data conveyed by nodes operating in the communication network is detected in a manner that is transparent to the nodes. The detected data is analyzed for identifying information relating to the communication network and for identifying missing information. According to WO2005/053230, in order to complete the missing information, one or more of the nodes are queried.