The approaches described in this section could be pursued, but are not necessarily approaches that previously have been conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
For various reasons, it is often desirable to restrict access to a computer network, such as a local area network (LAN), wide area network (WAN), or inter-network. For example, a provider of computer network services may wish to allow only subscribing users to access the provider's computer network. By restricting access in this way, the provider can obtain compensation from the subscribing users in exchange for computer network access. Additionally, by restricting access in this way, the provider can prevent the quality of the computer network's services from being diluted by non-subscribing users.
In certain computer network configurations, all data traffic between a user and a provider's computer network is communicated through a network access point in the provider's computer network. A network access point may comprise a network router that comprises a Dynamic Host Configuration Protocol (DHCP) server. DHCP is described in the Internet Engineering Task Force (IETF) Request For Comments (RFC) 2131. When a user's device initially connects to a provider's computer network through the network access point, the user's device obtains, dynamically, from the DHCP server, a network layer address selected from a set of legitimate network layer addresses. The network layer address is assigned to the user's device. This dynamically assigned network layer address identifies the user's device to the provider's computer network. In the provider's computer network, all data that is to be sent to the user is addressed to the dynamically assigned network layer address, which may be, for example, an Internet Protocol (IP) address.
An entry is added to the network router's Address Resolution Protocol (ARP) table. ARP is described in IETF RFC 826. The entry indicates a binding between the dynamically assigned network layer address and a data link layer address, such as a Media Access Control (MAC) address, of the user's device. Whenever the network router receives a data packet that is addressed to the network layer address, the network router consults the ARP table to find the entry that contains the network layer address. From the entry, the network router determines the data link layer address that is bound to the network layer address. The network router then encapsulates the data packet into a frame that indicates the data link layer address, and sends the frame to the device that is associated with the data link layer address; i.e., the user's device. Without the entry in the ARP table, the network router would be unable to deliver the data packet to the user's device.
In an effort to restrict computer network access solely to subscribing users, the provider may implement a security mechanism such as a login procedure. The security mechanism may request a username and associated password from the user. If the user provides a username and associated password that the security mechanism recognizes, then the security mechanism may allow the user to access the computer network for a specified amount of time or until the user elects to log out. Alternatively, if the user fails to provide a username and associated password that the security mechanism recognizes, then the security mechanism may prevent the user from accessing the computer network.
If the user successfully provides a recognized username and associated password, then the security mechanism associates the dynamically assigned network layer address with the username. Therefore, any network activity attributable to the network layer address is attributable to the username. To receive compensation for such network activity, the provider may bill the user associated with the username. When the user logs off through a provided mechanism, the username is no longer associated with the network layer address.
Unfortunately, even after a legitimate network layer address has been associated with an authenticated username, it is relatively easy for a rogue user to cause a different data link layer address to be bound to the legitimate network layer address in the network router's ARP table. The rogue user only needs to send, to the network router, a forged ARP message that indicates that the legitimate network layer address is associated with the data link layer address of the rogue user's device. In response to receiving the forged ARP message, the network router ignorantly updates the network router's ARP table to contain a binding between the legitimate network layer address and the data link layer address of the rogue user's device. Thereafter, the rogue user can access the provider's computer network, and the rogue user's network activities will be attributed to the authenticated username.
This is just one of several ways in which access restrictions can be circumvented. Additionally, a user may guess or otherwise determine a legitimate network layer address within the provider's computer network, and use that network layer address instead of the network layer address that was dynamically assigned by the DHCP server. In that case, the entry added to the network router's ARP table indicates a binding between the data link layer address of the user's device and a network layer address which, although legitimate, was not assigned by the DHCP server. Some network activity tracking systems cannot detect that a user has logged off or otherwise disconnected from a network unless the user's device is associated with a network layer address assigned by the DHCP server. As a result, the user may remain logged on to the provider's network even after the user thought that he had logged off using a provided mechanism. This can cause internal processing errors or result in incorrect billing of service to the user.
The problems described above are at least partially a consequence of a lack of restrictions imposed on ARP table updates. Based on the foregoing, there is a clear need for a method of restricting ARP table updates to updates originating from authorized subsystems.
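As an added illustration of the restriction called for above (example code, not part of the application), the following toy model compares an access router that accepts any ARP message with one that accepts an ARP binding only when it matches a lease issued by the router's own DHCP server. The class and method names and the addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class DhcpLease:
    ip: str   # network layer address handed out by the DHCP server
    mac: str  # data link layer address of the device that received it


@dataclass
class AccessRouter:
    """Hypothetical network access point with a DHCP server and an ARP table."""
    restrict_arp: bool = True
    leases: Dict[str, DhcpLease] = field(default_factory=dict)
    arp_table: Dict[str, str] = field(default_factory=dict)       # ip -> mac
    rejected: List[Tuple[str, str]] = field(default_factory=list)  # audit log

    def dhcp_assign(self, mac: str, ip: str) -> None:
        """The DHCP server, an authorized subsystem, leases ip to mac and
        installs the ARP binding itself."""
        self.leases[ip] = DhcpLease(ip, mac)
        self.arp_table[ip] = mac

    def on_arp_message(self, sender_ip: str, sender_mac: str) -> bool:
        """Process an ARP message claiming sender_ip is at sender_mac.
        Returns True if the ARP table was changed or confirmed."""
        if not self.restrict_arp:
            # Unrestricted update, as described in the section: any ARP
            # message rebinds the address, so a forged one redirects traffic.
            self.arp_table[sender_ip] = sender_mac
            return True
        lease = self.leases.get(sender_ip)
        if lease is None or lease.mac != sender_mac:
            # No matching DHCP lease: either a forged binding for a leased
            # address or an address the DHCP server never assigned.
            self.rejected.append((sender_ip, sender_mac))
            return False
        self.arp_table[sender_ip] = sender_mac
        return True


def demo(restrict_arp: bool) -> AccessRouter:
    """Constructed scenario: one legitimate lease, then two unauthorized ARP messages."""
    router = AccessRouter(restrict_arp=restrict_arp)
    router.dhcp_assign(mac="02:00:00:00:00:01", ip="10.0.0.5")  # subscriber's lease
    router.on_arp_message("10.0.0.5", "02:00:00:00:00:02")      # rebind of a leased address
    router.on_arp_message("10.0.0.9", "02:00:00:00:00:03")      # address never leased
    return router
```

With `restrict_arp=False` both messages rewrite the table; with `restrict_arp=True` the table keeps the DHCP-issued binding and both messages land in `rejected`, which is the record an operator would alert on.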