Packet-based data communication systems are securely established. Packets which are employed for the conveyance of message or control data in such systems normally include at relevant times a header which contains media access control data and protocol or network address data. The former corresponds to ‘layer 2’ and the latter to ‘layer 3’ of the conventional OSI model. Protocol data is employed, for example by devices known as routers, to determine the network to which a message packet should be sent and usually also the device, identified by a sub-network address, within that destination network.
Media access control addresses are intended for the local control of the forwarding of packets. A packet encapsulated with media access control address data will contain a source address identifying the device from which the packet has come and, except in such cases as broadcast packets (discussed later), a destination address identifying the next device for which the packet is intended.
Network communication devices such as switches and hubs necessarily include, whatever their particular architecture may be, some forwarding mechanism by means of which a packet received at one or other of the ports is directed to at least one other port of the device, subject, for example, to possible discard owing to congestion or to rejection owing to data corruption detected by a CRC check. A hub normally provides no selective examination of address data because its main purpose is to ensure that a packet received at one or other of the ports is forwarded from all the other ports of the hub. A hub may include memory for the temporary storage of packets if, for example, the hub needs to perform some contention resolution process which gives some classes of packet priority over other classes of packet.
A switch will normally include a forwarding mechanism which relies on a forwarding database. That database may be selectively controllable to provide some initial addresses but is normally built up by an examination of address data in received packets. In particular, the forwarding mechanism may examine received packets for their source MAC address and perform a look-up in the forwarding database for that particular source address. If the source address obtained from the packet is not in the database then the switch will make an entry of that source address in the database and also include such other data, such as the port number, as associates the device having that source address with a port of the communication device. The counterpart to this establishment of addresses is the examination of the destination address in a received packet to determine whether that address exists in the database, so that a packet having a destination address corresponding to a source address in the database can be directed accordingly, for example to the port associated with that address. Where however the received packet has an unknown destination address it is customary to ‘flood’ the packet to all ports, in the expectation that the packet will reach the intended destination if that exists anywhere on the network.
A switch may operate either on media access control addresses or network addresses. Where the switch primarily operates on media access control addresses it is frequently termed a bridge and is customarily employed for the connection of two or more local area networks each of which may comprise for example a hub connected to a multiplicity of users. It is known for a bridge to discard a packet of which the destination address is found in the bridge's forwarding database to be associated with the same port at which the packet was received. This feature is employed to ensure that a packet is not unnecessarily returned to its source.
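The learning, look-up, flooding and same-port discard behaviour described above, written out as an added example that is not part of the patent text; the `LearningBridge` class, its port numbering and the MAC strings are constructed for illustration, and treating the all-ones address as broadcast is an assumption not stated in the passage.

```python
# Added example (not from the patent): a minimal learning bridge forwarding
# database. Entries are learned from the source address of every received
# frame, so the table reflects whatever source address the sending station
# asserts; any access rules (see the firewall/address-database discussion)
# would have to sit on top of this mechanism.

BROADCAST = "ff:ff:ff:ff:ff:ff"  # assumed broadcast address, always flooded


class LearningBridge:
    """Forwarding database keyed by MAC address, built from source addresses."""

    def __init__(self, num_ports):
        self.ports = list(range(num_ports))
        self.fdb = {}  # learned source MAC -> port on which it was seen

    def forward(self, ingress_port, src_mac, dst_mac):
        """Return the egress ports for a frame received on ingress_port.

        Rules, in the order the passage describes them:
          1. learn: record (or refresh) the source MAC against ingress_port
          2. known destination on a different port: forward to that port only
          3. known destination on the ingress port: discard (empty list)
          4. unknown or broadcast destination: flood to all other ports
        """
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()

        # Step 1: a station that moved port is simply relearned on the new one.
        self.fdb[src_mac] = ingress_port

        # Step 4 (broadcast) and step 4 (unknown) share the flood behaviour.
        if dst_mac == BROADCAST or dst_mac not in self.fdb:
            return [p for p in self.ports if p != ingress_port]

        egress = self.fdb[dst_mac]
        if egress == ingress_port:
            return []  # step 3: do not return the frame to its own segment
        return [egress]  # step 2


if __name__ == "__main__":
    bridge = LearningBridge(4)
    # constructed traffic: aa on port 0 talks to bb, which has not been seen yet
    print(bridge.forward(0, "00:00:00:00:00:aa", "00:00:00:00:00:bb"))  # flood
    print(bridge.forward(2, "00:00:00:00:00:bb", "00:00:00:00:00:aa"))  # [0]
    print(bridge.forward(0, "00:00:00:00:00:cc", "00:00:00:00:00:aa"))  # []
```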
It is known in network communication systems to provide security against unauthorised or undesirable access to a network by means of a ‘firewall’ which will permit the forwarding of packets only if the protocol or network data within the header of the packet conforms to various rules.
It is known from EP-0431751-A1 (Carter et al) to provide a repeater that corrupts a packet if all or part of a destination address and/or source address do not conform to access rules defined by an address database and it is known from U.S. Pat. No. 5,640,393 (Lo) to scramble packets which do not have a destination address permitted for a particular port.