1. Field of the Invention
The present invention relates to communication networks and, more particularly, to a method and apparatus for verification of at least a portion of a packet's header information.
2. Description of the Related Art
Data communication networks may include various computers, servers, nodes, routers, switches, bridges, hubs, proxies, and other network devices coupled to and configured to pass data to one another. These devices will be referred to herein as “network elements.” Data is communicated through the data communication network by passing datagrams, such as Internet Protocol (IP) packets, and other logical associations of bits/bytes of data, between the network elements by utilizing one or more communication links between the devices. A particular datagram may be handled by multiple network elements and cross multiple communication links as it travels between its source and its destination over the network. As used herein, the term “packet” will be used to refer to layer 2 (link layer) and layer 3 (routing layer) datagrams, not just IP packets.
Different types of data may need to be handled differently to enable particular services to be provided by a communication network. For example, packets of data containing voice conversations and video transmissions may need to be transmitted with less jitter than other types of data traffic that will not be perceived by the end user in real time. In a data communication network, special treatment for particular packets may be signaled to the network by setting Quality of Service (QoS) bits in the packet headers. When a router receives a packet with the QoS bits set to a higher level, it is supposed to give that packet priority processing treatment to speed transmission of that packet through the network.
The Internet has been developed to enable many different communication networks to communicate with each other. However, because many different networks and network elements introduce traffic onto the Internet, the routers on the Internet generally don't provide differentiated treatment to different classes of packets. More particularly, the routers on the Internet have no way of knowing whether QoS bits in a particular packet were authorized to be set or were set maliciously by an end user trying to obtain unauthorized higher priority service. Since there is no way of checking where the QoS bits were set, or who set the QoS bits, it is common to ignore those bits in an untrusted network environment such as the Internet, and at times even in private networks.
In addition to these QoS issues, it is generally not possible to determine the actual source of a packet when it is received. Although the Internet Protocol provides an indication of a source IP address in the header of each packet, the source IP address may be changed intentionally (spoofed) by the sending computer or another network element. Thus, the source address may not provide accurate information that can be relied upon by other network elements to identify the actual source of the packet. Where the source IP address is used in part to admit traffic to a network or network service, spoofing may be used to gain access by making it appear that the traffic originates at a trusted source when, in fact, it did not.
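As an added illustration, not part of the patent text, the following Python shows the two header fields this section discusses being read from a raw IPv4 header and checked at a network edge: the DSCP (QoS) bits and the source address. The edge policy, the prefix assigned to the access port, the set of DSCP values the port may set, and the sample addresses are all assumptions made for the example.

```python
import ipaddress
import struct

BEST_EFFORT = 0  # DSCP value a router gives traffic it will not prioritise
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum over the header with its checksum field zeroed."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract the fields the text discusses: the QoS (DSCP) bits and the source address."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ihl": (ver_ihl & 0xF) * 4, "dscp": tos >> 2, "ecn": tos & 0x3, "proto": proto,
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}

def checksum_ok(pkt: bytes) -> bool:
    """True if the stored header checksum matches the header contents."""
    ihl = parse_ipv4_header(pkt)["ihl"]
    return struct.unpack("!H", pkt[10:12])[0] == ipv4_checksum(pkt[:ihl])

def ingress_policy(pkt: bytes, port_prefix: str, allowed_dscp: frozenset):
    """Hypothetical edge check: the access port has an assigned source prefix and a set of
    DSCP values its subscriber may set. Out-of-prefix sources are dropped as spoofed;
    an unauthorised DSCP is rewritten (bleached) to best effort. Returns (verdict, packet)."""
    hdr = parse_ipv4_header(pkt)
    if hdr["src"] not in ipaddress.ip_network(port_prefix):
        return "drop", pkt
    if hdr["dscp"] not in allowed_dscp:
        tos = (BEST_EFFORT << 2) | hdr["ecn"]  # keep the ECN bits, replace only the DSCP
        pkt = pkt[:1] + bytes([tos]) + pkt[2:]
        csum = struct.pack("!H", ipv4_checksum(pkt[:hdr["ihl"]]))  # TOS changed, so recompute
        return "remark", pkt[:10] + csum + pkt[12:]
    return "accept", pkt

def make_header(src: str, dst: str, dscp: int, proto: int = 17) -> bytes:
    """Constructed sample input: a minimal 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack(IPV4_FMT, 0x45, dscp << 2, 20, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
```

Because the core routers downstream cannot tell who set the DSCP bits, the check has to happen here, at the only point where the port's trust level is known.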