The present application relates generally to automatic detection of the address range of IP (Internet Protocol) networks. Mechanisms are provided for detecting the IP address range from data on network traffic flows, and automatically configuring a device with the address range to permit a distinction between IP addresses inside and outside the network in operation of the device. Self-configuring network devices which monitor traffic, detect the network address range, and then process traffic flows accordingly are also provided.
In IP networking, devices in each network of a TCP/IP (Transmission Control Protocol/Internet Protocol) network system are identified by unique IP addresses. Packets are routed across the network based on the IP address of the destination device. In accordance with the TCP/IP Version 4 system currently employed in IP networks, IP addresses are represented as 32 bits, usually written as four decimal numbers separated by periods. (The upcoming IP Version 6 provides 128 bits for IP addresses, but the processes to be described are otherwise analogous.) Each decimal number has a value from 0 to 255, being the decimal value of one of the four successive eight-bit segments of the 32-bit address. An IP address effectively consists of two parts, one identifying a network and the other identifying a device in that network. IP addresses of devices in the same network have an initial portion in common. This initial portion identifies the network, in effect defining the address range of all devices in that network. That is, a device belongs to the network if it has an address in the range of possible IP addresses with the appropriate network address prefix. A network address range can be further partitioned if the network is divided into subnetworks (subnets). In this case, a further portion of the IP address is used as the subnet address. The network address plus the subnet address then defines the address range of devices in the subnet, the IP address of each of these devices having an initial portion containing both the network and subnet address.
Devices may need to distinguish between IP addresses inside and outside a network (which may be an entire network or a subnetwork) for a variety of reasons. For example, network devices may need to filter inter-network traffic flows from wholly intra-network flows, or to distinguish such flows for various classification purposes. Such filtering or classifying processes might be used, for instance, for security in firewall or other systems, for rule-based flow control generally, or for flow-based traffic monitoring. In the case of flow-based traffic monitoring, for example, it may be necessary to focus on specific traffic such as traffic sent from network X, or to filter out internet traffic from network-internal traffic, to record details of specific flows only.
Currently, devices are manually configured to distinguish between IP addresses inside and outside a network. That is, an operator programs the address range of the network in question into any devices, such as routers, switches or other network devices, which are to process traffic flows accordingly. This operation is repeated each time network addresses change, for example when network segments are added or removed as the network develops or due to network restructuring.
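The inside/outside distinction described above, as an added example that is not part of the original text: a flow classifier working from an operator-configured address range, with the prefix test done on the 32-bit address value. The network and subnet prefixes, the flow records and all function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: ranges an operator would program in by hand (documentation prefixes).
NETWORK = ipaddress.ip_network("198.51.100.0/24")   # network address prefix
SUBNET = ipaddress.ip_network("198.51.100.64/26")   # network + subnet address

def in_range(addr, net):
    """True if addr carries the prefix of net (mask the address, compare)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != net.version:      # an IPv6 address is never inside an IPv4 range
        return False
    return (int(ip) & int(net.netmask)) == int(net.network_address)

def classify_flow(src, dst, net=NETWORK):
    """Label a flow by which of its endpoints lie inside the configured range."""
    s, d = in_range(src, net), in_range(dst, net)
    if s and d:
        return "intra-network"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"

# Constructed sample flow records: (source, destination, bytes).
FLOWS = [
    ("198.51.100.10", "198.51.100.77", 1200),
    ("198.51.100.10", "203.0.113.5", 800),
    ("203.0.113.5", "198.51.100.70", 640),
    ("192.0.2.1", "203.0.113.9", 90),
    # Neighbouring /24: shares 23 leading bits with NETWORK but is still outside it.
    ("198.51.101.10", "198.51.100.10", 50),
]

def summarize(flows, net=NETWORK):
    """Total bytes per flow class, as a flow-based monitor might record."""
    totals = Counter()
    for src, dst, nbytes in flows:
        totals[classify_flow(src, dst, net)] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for src, dst, nbytes in FLOWS:
        print(f"{src:>15} -> {dst:<15} {classify_flow(src, dst)}")
    print(summarize(FLOWS))
    # The same flow crosses a boundary once the range is narrowed to the subnet.
    print(classify_flow("198.51.100.10", "198.51.100.77", SUBNET))
```

If the configured range goes stale after a renumbering, every label here is silently wrong, which is the maintenance burden the manual approach carries.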