Packet-based transmission of digitally encoded information between different parties over IP (Internet Protocol) networks is used for a variety of communication services, such as e-mail messaging, Internet browsing, voice and video telephony, content streaming, games, and so forth. Digitally encoded information is arranged into data packets at a sending party, which are then transmitted towards a targeted receiving party over a transmission path. The transmission path between the sending party and the receiving party may include various networks, switches, gateways, routers and interfaces. The communicating parties are often referred to as “end-hosts” which may be any type of equipment capable of packet-based IP communication, such as fixed and mobile telephones, computers, servers, game stations, etc. In this description, the term end-host will generally represent any such communication equipment.
An end-host connected to the Internet has typically been assigned a forwarding identity in the form of an IP address needed for routing any data packets directed to that end-host along the transmission path. Typically, the end-host has also been assigned a more or less intelligible name in a text string, e.g. a conventional e-mail address or web address, such as user@operator.com, which is associated with the assigned IP address. A DNS (Domain Name Server) system comprising a hierarchy of DNS servers is used for retrieving the current IP address of a particular host name. Thus, an end-host can query the DNS system with a host name to communicate with, and the DNS will then reply by providing the current IP address of the corresponding end-host. This type of query is sometimes referred to as a destination query, identity query or address query, the latter being used throughout this description.
Data packets are basically configured with a data field containing payload data and a header field in which the sending end-host inserts the destination address of the target end-host, i.e. the IP address obtained from the DNS system. Thus, each data packet is routed over multiple network nodes, often referred to as IP routers, along the transmission path based on the destination address in the packet's header field.
In addition to simply receiving and forwarding data packets, an IP router may also be capable of other functions such as security control, packet scheduling, and translation of addresses and protocols. Further, end-hosts may have a firewall functionality for determining whether incoming data packets should be admitted or discarded, e.g. according to settings made by the user.
Each router in an IP network typically comprises ingress and egress units acting as interfaces for receiving and sending data packets, respectively. The router also comprises a routing or forwarding function for determining which router an incoming data packet should be sent to as a “next hop”, based on a forwarding table defined in the router. As is well-known in this field, a data packet can often be routed along multiple alternative paths depending on the network topology and the current traffic load.
Links to the nearest neighbouring routers are provided in each router by means of corresponding ports, and a forwarding architecture is also configured in the routers based on the distribution of topology information and link information. Each port can have an IP address and an IP mask configured on its interfaces, and routing protocols are used to distribute this information among the routers in the network in a configuring procedure. From the distributed topology information, each router then calculates its own forwarding table, containing multiple destination IP addresses and associated outgoing ports. As each incoming data packet has a destination IP address in its header, that address is used to find the suitable entry in the forwarding table. The main function of the forwarding table is thus to determine the appropriate outgoing port for each incoming packet.
In FIG. 1, the basic structure of a conventional IP router 100 is shown, when situated in an IP network. Among other things, IP router 100 comprises an ingress part 100a, an egress part 100b and a forwarding function here schematically represented by a forwarding table 100c. The egress part 100b comprises a plurality of outgoing ports PA, PB, PC, . . . leading to different neighbouring routers A, B, C, . . . , respectively, to which router 100 is directly connected. Any incoming data packet 102 has a payload field PL and a header H, the latter containing the destination address for the packet.
The forwarding table 100c consists of multiple entries, each containing an IP mask, an IP address and an outgoing port number. The IP mask may be defined in terms of a hexadecimal encoded string such as, e.g., FF.FF.FF.0, or FF.FF.8.0, etc. Briefly described, the destination address in header H is compared with the IP masks in forwarding table 100c by applying a logic “AND”-operation, in order to detect a matching entry with the same IP address. Once a matching entry is found, the packet can be sent out on the outgoing port according to the port number of that entry.
The incoming data packet 102, which may have been forwarded from a previous router (not shown) to router 100, is thus first received at the ingress unit 100a. It is then determined which next router the packet should be sent to, based on the destination address in header H and using the forwarding table 100c and the above logic “AND”-operation. In this example, the incoming packet 102 has a destination IP address that, when combined with the mask, matches the IP address of an entry in forwarding table 100c having port number PC. The packet 102 is therefore sent out on the corresponding port which is connected to router C.
As mentioned above, a routing protocol is used to distribute topology and link information among the routers in an IP network. The currently used routing protocols are configured to obtain “resilience”, i.e. packets must be re-routed along a different path in the case of link or node failure in the original path. The routing protocols are also configured to facilitate router management, since configuring routers is typically a cumbersome task which is generally desirable to simplify. Thus, in case of link or node failure, the routing protocol will reconfigure the forwarding table in affected routers and at the same time distribute the information to the routers, thereby simplifying the management.
In order to obtain scalability, which otherwise is an inherent problem in the routing architecture, the routing process can be based on a hierarchical bit-mask scheme. FIG. 2 illustrates an example of such a hierarchical bit-mask scheme, where the bit-masked IP addresses form a hierarchical structure by partly bit-masking a least significant part of the addresses. Thus, an exemplary top level bit-masked IP address is shown as “1.x.x.x”, and on a next level in the structure three exemplary bit-masked addresses are shown as “1.1.1.x”, “1.1.2.x”, and “1.1.3.x”, each covering a set of unmasked IP addresses on the lowest level of the hierarchy. This type of hierarchical bit-mask scheme is typically used in the routing architecture to facilitate the above-described matching operation in the forwarding table.
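As an added example (not part of the original description), the following Python code applies the mask-and-compare lookup of FIG. 1 to the hierarchical bit-mask scheme of FIG. 2, with a constructed sample table. The dotted-hex mask parser, the class and function names, and the rule that the entry with the most mask bits set wins when several entries match are assumptions of this example; the text does not state how overlapping entries are resolved.

```python
from dataclasses import dataclass
from typing import List, Optional


def _dotted_to_int(text: str, base: int) -> int:
    """Parse four dotted octets into a 32-bit int (base 16 for masks such as
    'FF.FF.FF.0', base 10 for dotted-decimal addresses). Rejects malformed input."""
    octets = [int(p, base) for p in text.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"malformed dotted value: {text!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


@dataclass(frozen=True)
class Entry:
    mask: int      # bit-mask selecting the significant part of the address
    address: int   # network address, stored already ANDed with the mask
    port: str      # outgoing port, e.g. "PC" (hypothetical port names)


class ForwardingTable:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def add(self, mask: str, address: str, port: str) -> None:
        m = _dotted_to_int(mask, 16)
        self.entries.append(Entry(m, _dotted_to_int(address, 10) & m, port))

    def lookup(self, destination: str) -> Optional[str]:
        """Return the outgoing port for a destination, or None when no entry matches.
        Each entry is tested with the logic AND described in the text; among several
        matches the most specific one (most mask bits set) is chosen (assumption)."""
        dest = _dotted_to_int(destination, 10)
        best: Optional[Entry] = None
        for e in self.entries:
            if dest & e.mask == e.address:
                if best is None or bin(e.mask).count("1") > bin(best.mask).count("1"):
                    best = e
        return best.port if best else None


def build_example_table() -> ForwardingTable:
    """Constructed sample table mirroring the FIG. 2 hierarchy (1.x.x.x above 1.1.n.x)."""
    table = ForwardingTable()
    table.add("FF.0.0.0", "1.0.0.0", "PA")     # 1.x.x.x  (top level of the hierarchy)
    table.add("FF.FF.FF.0", "1.1.1.0", "PB")   # 1.1.1.x
    table.add("FF.FF.FF.0", "1.1.2.0", "PC")   # 1.1.2.x
    table.add("FF.FF.FF.0", "1.1.3.0", "PB")   # 1.1.3.x
    return table
```

A destination such as 1.1.2.7 matches both the top-level entry and the 1.1.2.x entry, and the more specific one selects port PC; a destination with no matching entry yields None, which is the only point at which this forwarding step alone can drop a packet.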
However, a major problem in IP networks and the Internet is that the security support is generally insufficient, as explained below. The current routing architecture and protocols were originally designed for a “friendly” environment, i.e. assuming that there are no “illicit” or “corrupt” users communicating in IP networks. Nevertheless, various security solutions have been added to the IP architecture in order to protect the communicated data, such as IP-sec on a low layer and also TLS (Transport Layer Security) on a higher layer. Further, MPLS (Multiprotocol Label Switching) is a solution for building Layer 3 VPNs (Virtual Private Networks) to ensure secure communication. In the VPN case when an intranet is used, private addressing is required and the network is somewhat isolated from the public Internet, such that external unauthorized hosts are not allowed to reach and communicate with the hosts attached to the intranet.
Other prior solutions for providing security in the routing protocol include: secure communication between routers such that no illicit entity can eavesdrop on, manipulate or imitate a router, the establishment of IP-sec tunnels between router ports to protect the transport of packets between routers, and link security on layer 2. Various authentication procedures and cryptographic keys can also be used, e.g. according to DNSSec (DNS Security), HIP (Host Identity Protocol) and CGA (Cryptographically Generated Addresses), to enhance the security. While protection against unwanted traffic is used for certain applications (e.g. spam filtering for e-mails), no basic protection against violating end-hosts and unwanted data packets has generally been provided in the public IP infrastructure.
Since the internal forwarding identities, i.e. IP addresses, are publicly distributed end-to-end in the manner described above, any end-host is basically able to send messages and data packets to any other end-host over the Internet, resulting in the well-known problems of flooding, spamming, viruses, fraud and so-called “Denial-of-service” (DoS) threats. Hence, it is generally a problem that any end-host can deliver data packets entirely outside the control of the receiving end-host, and that public IP networks such as the Internet have no mechanism in the IP infrastructure for preventing data packets from potentially illicit or corrupt end-users from being routed to the receiver. As a result, more or less complex functionality must be added at the end-host or in the link layer, such as firewalls or the like, in order to limit the connectivity. Moreover, these solutions are “last line of defence” solutions, meaning that unwanted data can still consume resources along the entire sender-receiver path, only to be discarded at the receiver.