1. Field of the Invention
The present invention relates to local area networks. More particularly, the present invention relates to a system and method for testing whether duplicate address responses are proper.
2. Related Art
It is common for computers operating on a local area network (LAN) or similar environment to acquire data files from other computers located on the LAN. For example, three computers (not shown), a computer A, a computer B, and a computer C may operate on the same LAN (not shown). A user operating computer C may receive data from computer A. In conventional LAN systems a source address will then be encoded in the data received from computer A. Computer A's source address will remain encoded in the data that computer C has acquired. However, when computer C later communicates using the data it received from computer A on the LAN to another computer B, for instance, it will appear to computer B and any other device monitoring the LAN that computer A is communicating to computer B. Whereas, in reality, computer C is talking to computer B.
In order to solve this problem, network managers monitor and test the LAN or interconnected LANs for devices using duplicate source addresses. However, when network managers monitor a LAN with interconnecting devices connected to the LAN (such as routers and gateways, which connect networks), the network manager is unable to distinguish between proxy address replies (to be described below) of interconnecting devices and two or more computers with duplicate source addresses.
A conventional approach used to solve this problem will be described with reference to FIG. 1. FIG. 1 shows a representative block diagram of a multiple interconnected network system 101. The system 101 has a network analyzer 102, a LAN 104, nodes 106, 108 and 110, routers 112 and 114, an internet environment 116 and stations 118 and 120. The stations 118 and 120 may comprise further LANs, nodes, or the like.
The multiple interconnected network system 101 uses Address Resolution Protocol (ARP). ARP allows nodes 106-110 to find one another via Internet Protocol (IP) addressing in an internet environment 116 in a conventional fashion familiar to those skilled in the art. For example, when node 106 on the LAN 104 attempts to find node 108 using the LAN 104, node 106 sends an ARP request packet on to the LAN 104.
A simplified representation of an ARP request packet 201, is shown in FIG. 2A. The ARP request packet 201 is sent out on the LAN 104 to all devices located on the LAN 104. Every device looks at the ARP request packet 201 via address 202 and discards the ARP request packet 201 unless specifically identified by an IP target address 208. The IP source address 206 identifies which device sent the ARP request packet 201.
In this example, node 106 would attempt to find node 108 by sending an ARP request packet 201 containing an IP target address 208 for node 108. Only node 108 should respond to this ARP request packet 201 by sending a reply packet.
A simplified representation of a reply packet 211 is shown in FIG. 2B. The reply packet 211 contains node 106's IP destination address 218 with node 108's IP source address 216.
If node 108 and node 110 had responded to the IP target address 208 of node 106, the network analyzer 102 would suspect a problem, since duplicate IP source addresses 216 of node 108 would be sent by both node 108 and node 110. At the IP address layer, it is not possible to determine which device is node 108. Therefore, network analyzer 102 would need to evaluate the two reply packets 203 sent by node 108 and node 110 by examining the Ethernet address (physical layer address) 214 of the reply packets 211.
The physical layer source addresses 204 and 214 of packets 201 and 211 provide unique identifiers of particular hardware device (node 106 and node 108, respectively). Most devices do not monitor the physical layer address of packets. As a consequence, the physical layer address is not well cataloged and is often difficult to locate within a network.
Interconnecting devices such as routers 112 and 114 may also use duplicate IP source addresses 216 when replying to an ARP request packet 201 of a particular node 106-110. These replies also appear as a duplicate IP source address problem to the network analyzer 102. However, this is a standard, non-problematic response, and is not caused by more than one node having duplicate IP source addresses.
For instance, routers 112 and 114 are both configured to operate with proxy ARP. Proxy ARP allows nodes 106-110 to find stations 118 and 120 in an internet environment 116. For example, when node 108 attempts to contact station 118 by sending an ARP request packet 201 on to the LAN 104, routers 112 and 114 will respond in proxy for station 118. In other words, routers 112 and 114 act as an agent for station 118, which may be located on a different network than nodes 106-110. Router 112 and router 114 will both send an IP source address reply 216 in proxy for station 118. Node 118 will establish contact with whichever router 112 or 114 first responds to node 108's ARP request for an IP target address 208 of station 118.
In this example, the network analyzer 102 receives two reply packets 211 with an IP source address 216, of target 118 from node 108's ARP request packet 201. Network analyzer 102 interprets the replies as an indication that two hardware devices, router 112 and router 114, are using the same IP source address 216 (that of station 118) when routers 112 and 114 reply in proxy.
A network manager would classify this example as a "ribald rogue router reply." The term "ribald rogue router reply" symbolizes a crude, mischievous joke performed by routers 112 and 114 (or any interconnecting device) on the network analyzer 102, by making the network analyzer 102 believe there is a duplicate IP source address problem when there actually is no problem.
In order to eliminate the replies from the routers 112 and 114 which are not the result of a duplicate IP source address problem, the network analyzer 102 implements the conventional solution explained above (looking at the ARP packet request 201 and the reply packet 211 to determine their physical layer address). Attempts to extrapolate physical addresses 204 and 214 from packets 201 and 211 given a large number of suspected duplicate IP source addresses, can be difficult if not impossible to resolve. As a result of this process, many false alarms are sent by the network analyzer 102 warning of a duplicate IP source address situation when there actually is no problem (a ribald rogue router). When there actually is a real duplicate IP address problem, the network manager is typically unable to locate an often elusive physical address. Consequently, the problem is not corrected promptly and efficiently.
What is needed is a system and method able to distinguish ribald rogue router (or similar interconnecting device) replies from duplicate IP address replies.