The present invention relates generally to data packet security within a local area network and more specifically to an address mapping matrix for improved security within a network that uses multi-port repeaters.
Networks of computers are commonly used in today's business environment. One common network system structure uses one or more repeaters. The repeater typically includes several ports. A particular data packet received at one port is retransmitted from the other ports of the repeater. Each repeater restores timing and amplitude degradation of data packets received on one port and retransmits them to all other ports, and hence over the network. For networks employing a CSMA/CD-type of network, such as an Ethernet network, every data packet passes through every repeater. Network administrators are thereby able to conveniently use each repeater as a device on the network from which to gather information concerning the operation of the network.
In traditional Ethernet (802.3 10BASE5) and Cheapernet (802.3 10BASE2), a coaxial cable provides a linear bus to which all nodes of a local area network are connected.A standard promulgated by the IEEE (IEEE Standard 802.3) defines various functionality for computer networks. This standard is expressly incorporated by reference for all purposes. Signaling is accomplished using a current synch technique wherein a center conductor of the coaxial cable is used for a signal and a shield conductor of the coaxial cable is used for a reference voltage (typically ground). Twisted pair Ethernet (802.3 10BASE-T) uses a standard voice grade telephone cable rather than the coaxial cable. The telephone cable uses separate pairs of conductive wires for transmission and reception.
When using twisted pair Ethernet, the network configuration is a star topology. The star topology provides for several end stations or data terminal equipment (DTE) devices all coupled to a multi-port repeater located at a center of the star. The repeater performs signal amplitude and timing restoration. The repeater receives a bitstream at one of its ports and restores signal amplitude levels and timing requirements. The repeater repeats the reshaped and retimed input bitstream to all of its other ports. In one sense, the repeater acts as a logical coaxial cable, permitting every node connected to the twisted pair network to receive each transmission from any other node, just as when a coaxial cable is used. The pairs of conductors use differential signaling, one pair for transmission and another pair for reception.
While a repeater is used in a traditionally wired coaxial Ethernet network as a mechanism to extend the physical distance limit of the network, in the IEEE 802.3 10BASE-T, the standard mandates the use of a repeater to provide connectivity between nodes whenever more than two nodes are present. Although physical signaling on the cabling differs between the traditional Ethernet-type of repeater and the twisted pair-type of repeater, the functionality of the repeaters are identical, as is a frame or packet format that is used to pass messages between the participating nodes on the network.
The frame commences with a preamble sequence which is an alternating ("1" and "0") pattern. The preamble sequence provides a single frequency on the network, in this case five MegaHertz (MHz) at the start of each frame, allowing a receiver to acquire and lock onto the associated bitstream. The preamble sequence is followed by a start of packet identifier that immediately precedes the data portion of the transmission. Either a start of frame delimiter (802.3) or synch sequence (Ethernet) delineates the start of the data portion of the message. Following the start of packet identifier are two address fields: a destination address (DA) and a source address (SA). These addresses are both forty-eight bit values and are transmitted least significant bit (LSB) first.
A media access controller (MAC) associated with each DTE uses the destination address to determine whether an incoming packet is addressed to the node it is associated with. When a receiving node detects a match between its own node address and an address transmitted in the destination address field, it attempts to receive the packet. Nodes having a MAC that does not detect a matching address typically ignore a remainder of the packet.
There are three types of destination addressing supported by the 802.3 standards:
1. Individual. The DA field contains an individual and unique address assigned to a single node on the network. PA1 2. Multicast. When the first bit (LSB) of the DA is set, the remainder of the DA includes a group address. The group of nodes that are actually addressed is determined by a higher layer function. In general, use of a group address is designed to transmit a message to a logically similar subset of nodes on the network. PA1 3. Broadcast. The broadcast is a special form of multicast address wherein the DA field is set to all "1"s. This address is reserved, and all nodes on the network must be capable of receiving a broadcast message.
The MAC that transmits a data packet writes its own address into the SA field. This allows the transmitting MAC to identify those packets which it originates. The 802.3 standards do not require that a receiving MAC take any action based upon the SA field. In some applications, such as management, security or configuration, the SA field may be tracked and monitored.
A two-byte length/type field follows the SA field. The choice of length or type is dependent upon whether the frame is compatible with the IEEE 802.3 or the Ethernet standard. A higher order byte of the length/type field is transmitted first, with the LSB of each byte transmitted first.
A data field contains actual packet data that is transferred between end stations and is between forty-six to fifteen hundred bytes in length. A logical link control (LLC) function is responsible for fragmenting data into block sizes suitable for transmission over the network. Data bytes are transmitted sequentially with the LSB of each byte transmitted first.
A frame check sequence (FCS) is a four-byte field that contains a cyclic redundancy check (CRC) for the entire frame. The transmitting station computes the CRC throughout the DA, the SA, the length/type field, and data field. The transmitting station appends the FCS as the last four bytes of the frame. A receiving station uses the same CRC algorithm to compute the CRC for a received frame. The receiving station compares the CRC value it computes with the CRC value in the transmitted FCS. A mismatch indicates an error, such as a corrupted data frame. CRC bits of the FCS are transmitted in order: most significant bit (MSB) to LSB.
FIG. 1 and FIG. 2 are diagrams illustrating frame formats for an IEEE 802.3 Standard compliant frame and an Ethernet frame, respectively. Comparing the frame formats illustrates that a primary difference between the frame types is that the start of frame delimiter (SFD) for 802.3 is defined as a byte that has a "1 0 1 0 1 0 1 1 " pattern whereas the start frame (synch) of Ethernet is a "11" sequence. Even so, in both cases, a total number of bits for the preamble plus the start of frame indication is sixty-four bits long.
The 802.3 and Ethernet standards both specify that a frame must be in the range of sixty-four to fifteen hundred eighteen bytes (excluding preamble/SFD). However, the actual data field in the 802.3 system is permitted to be smaller than the forty-six byte value that is necessary to ensure this minimum size. To handle a smaller size data field, the MAC of a transmitting station appends pad characters to the LLC data field before sending data over the network. The Ethernet standard assumes that an upper layer ensures that the minimum data field is forty-six bytes before passing data to the MAC, therefore the existence of appended pad characters is unknown to the MAC implementing an Ethernet format.
The 802.3 standard also uses a length field that indicates the number of data bytes that are in the data field only. Ethernet, on the other hand, uses a type field in the same two bytes to identify the message protocol type. Since valid Ethernet type fields are always assigned outside of the valid maximum 802.3 packet length size, both 802.3 and Ethernet packets can coexist on the same network. Hence, it has been found that it is important to be able to track and monitor the addresses for a variety of reasons. For example, for secure networks it may be important that authentication is required to ensure that the appropriate nodes on the network receive the information. In addition, as networks change in the number of nodes attached thereto, it becomes important to be able to associate an address with a particular port or the like within the network.
It is also important in secure networks to prevent a node from receiving such address and/or packet information. One preferred way to implement security features is to use a secure repeater.
Further, it is important to provide a mechanism to associate the addresses of each port of a repeater with the actual port number or identity of the device. Typically, conventional repeaters have been devices that are just used for signal amplitude and timing restoration. In all of the above-mentioned modes, the secure repeater must also be provided with the capability to detect and interpret the various fields within data packets transmitted on the network.
Every data packet transmitted in the computer network includes a destination address to identify the recipient of the data packet. A secure repeater in a secure network may have one or more end stations attached to each port. Each end station typically has one unique, individual address assigned, and possibly one or more multicast addresses. The secure repeater maintains a list of associated end station addresses for each output port.
The security systems identified in the incorporated references use the destination address field from each data packet to route a data packet to only those output ports associated with the destination address. Output ports of the secure repeater associated with a destination address not matching the destination address receive a modified, or disrupted, data packet.
The security system functions well for data packets addressed using the individual addresses. The security systems in the prior art maintained a list of individual addresses of the associated end stations for each output port, by storing only one address (the individual address) per port.
One potential drawback is that a port could correspond to not only one individual address but also possibly multiple individual addresses or one or more multicast addresses. Therefore, the security systems of the prior art are limited to comparing a received address at a port to the stored individual addresses. When these systems encounter a "0" as the first bit (LSB) of a received address at a port, indicating that the received address is an individual address, the security system would operate well. However, upon encountering a "1" as the first bit (LSB) of a received address at a port, indicating the received address is a multicast address, the security system would merely pass the received data packet unmodified to all of the ports. Messages sent to targeted DTEs sharing a particular multicast address would not be disrupted at any ports, and thus non-targeted DTES could potentially eavesdrop, leading to a security breach.
Other security exposures may arise when the security system passes data packets having multicast addresses to all ports without disruption. For instance, an intruder could disconnect (or mimic) an authorized DTE, having an address that was stored previously in the secure repeater. The substitute device could be plugged into the repeater port previously used by the authorized DTE (which may or may not be disconnected). By sending a data packet with a multicast address in the destination address field, the intruder obtains a defined source address (either because the repeater updates the source address at ports having a received source address different from a stored address associated with that port, or because the intruder mimics a source address already stored in the repeater). The intruder then receives data packets that are not intended for the intruder or that are intended for the mimicked DTE.
Special procedures are required in order to deal with the multicast packets. If multicast addresses are used on the network, more than one register may be needed to store the end station addresses for each port. Ideally, a secure repeater would have enough registers to store multiple addresses (corresponding to all the individual as well as possibly several multicast addresses) per port, and thereby be able to compare any received destination address (individual or multicast) to the stored addresses for each port in order to disrupt data packets to non-targeted DTEs. Since a 48-bit register is required to store each address, adding a register for each additional address for each port would be relatively expensive and inefficient.