In conveying data over data transport networks, data switching nodes are used to direct the flow of data traffic over interconnecting data links. Each data link is connected to a data switching node via a physical communications port having a port identifier.
The data to be conveyed is typically divided into Payload Data Units (PDUs) such as data packets, frames, cells, etc. Each PDU includes routing information and a payload. The routing information is typically held in a PDU header. For example, the routing information includes Media Access Control ADDResses (MAC ADDRs). MAC ADDRs are unique and are associated with data network interfacing equipment associated with data network nodes. An example of network interfacing equipment is a Network Interface Card (NIC). Therefore a MAC ADDR is said to represent a data network node identifier. MAC ADDR instances in the routing information are associated with what are known as Source and Destination Addresses.
Data switching nodes make use of the MAC ADDR information for dynamic topology discovery of connected data network nodes and to forward data traffic to particular destination MAC ADDRs. Such a data switching node maintains a switching database and is said to perform “Layer 2 switching”. Layer 2 refers to the Open Systems Interconnection (OSI) protocol stack, whose specification is well known in the art of data switching and transport, and is included herein by reference.
An exemplary implementation of a switching database is a table having switching database entries, each entry specifying an association between a MAC ADDR and a Port IDentifier (PortID). Any received PDU specifying a destination MAC ADDR held in the switching database is switched to the PortID specified in the corresponding database entry.
Without the switching database the data switching node behaves like a hub which broadcasts each PDU over all physical communications ports associated therewith except for the physical communications port on which the PDU was received. This broadcast operation is also known as “flooding”. Having the switching database reduces the incidence of flooding to instances in which received PDUs bear unknown destination MAC ADDRs not present in the switching database.
In constructing a switching database, a process also known as topology discovery, a controller associated with the data switching node extracts the source MAC ADDRs of PDUs received on each physical communications port. If the MAC ADDR:PortID pair is not found in the switching database, the controller creates an entry in the switching database storing the new MAC ADDR:PortID association. This ability to construct the switching database also provides dynamic discovery of data network nodes recently added to data network segments connected to the data switching node. Dynamically discovering data network nodes and constructing a switching database provides plug-and-play operation of such data switching equipment, which would otherwise require extensive human interaction and absolute knowledge of the data network nodes connected in the data transport network.
The plug-and-play operation is often extended to enabling the data switching node to keep track of movement of data network nodes as they connect to different segments of the data transport network associated with the data switching node. The association between the MAC ADDR and PortID is changed in the switching database when a PDU having a MAC ADDR specified in an entry is received from a different physical communications port having a different PortID than the PortID specified therein. In such a case, the new PortID is simply written over the previous PortID specification stored in the entry.
While the plug-and-play functionality reduces human involvement in the discovery of data network nodes in the associated data transport network, in the construction of the switching database, and in its reconfiguration as data network nodes move in the associated data network, the plug-and-play functionality exposes data network nodes to hostile MAC ADDR attacks. Such exposure to a hostile environment exists, for example, when the data switching node bridges connectivity between two data transport networks, but is not limited thereto.
For example, in a hostile environment, a hostile data network node may try to spy on the traffic destined to a specific MAC ADDR by taking advantage of the automatic switching database reconfiguration feature of the data switching node.
According to an exemplary scenario, the hostile data network node sends towards the data switching node a data packet having a source MAC ADDR corresponding to the MAC ADDR of the data network node to be attacked. The data switching node registers a data network node move and modifies the switching database entry corresponding to the MAC ADDR by overwriting the PortID specification with the PortID corresponding to the physical communications port with which the hostile data network node is associated. Thereafter, all PDUs destined to the MAC ADDR of the attacked data network node are forwarded by the data switching node to the hostile data network node. The MAC ADDR attack can be as extensive as the hostile data network node taking over the functionality of the attacked data network node. The incident fully complies with the intended operation of currently deployed data switching equipment and would otherwise go undetected.
Therefore, there is a need to enable data switching nodes to operate concurrently in friendly and hostile environments while detecting, preventing and reporting incidents of hostile MAC ADDR attacks.
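As an added illustration (not code from this document), a small Python model of the switching database described in the topology discovery and plug-and-play paragraphs above, extended with the detect-and-report behaviour this last paragraph calls for: entries are learned from source MAC ADDRs, unknown destinations are flooded, an unlocked MAC ADDR seen on a new PortID is moved, and a locked MAC ADDR seen on a new PortID is reported and kept on its original PortID. The frames, the lock policy and the MAC ADDR values are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    in_port: int

@dataclass
class SwitchDB:
    """Layer 2 switching database: MAC ADDR -> PortID, with an assumed per-MAC lock."""
    ports: set                                   # all PortIDs on this switching node
    entries: dict = field(default_factory=dict)  # MAC ADDR -> PortID
    locked: set = field(default_factory=set)     # MACs whose PortID may not be overwritten
    alerts: list = field(default_factory=list)   # reported (mac, old_port, new_port) moves

    def learn(self, f):
        """Topology discovery on the source MAC: create, confirm, move, or reject the entry."""
        known = self.entries.get(f.src_mac)
        if known is None:
            self.entries[f.src_mac] = f.in_port
            return "learned"
        if known == f.in_port:
            return "unchanged"
        if f.src_mac in self.locked:
            # Assumed policy: a locked MAC seen on another port is reported, not moved.
            self.alerts.append((f.src_mac, known, f.in_port))
            return "rejected"
        self.entries[f.src_mac] = f.in_port       # plug-and-play move: overwrite the PortID
        return "moved"

    def forward(self, f):
        """Egress PortIDs: the learned port, nothing if that is the ingress port, else flood."""
        out = self.entries.get(f.dst_mac)
        if out is None:
            return sorted(self.ports - {f.in_port})  # unknown destination: flood
        return [] if out == f.in_port else [out]

    def switch(self, f):
        return self.learn(f), self.forward(f)

def run_demo():
    """Constructed traffic: host A on port 1 (locked), host B on port 2, then A's MAC from port 3."""
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw = SwitchDB(ports={1, 2, 3}, locked={a})
    frames = [Frame(a, b, 1), Frame(b, a, 2), Frame(a, b, 3), Frame(b, a, 2)]
    return sw, [sw.switch(f) for f in frames]

if __name__ == "__main__":
    sw, log = run_demo()
    print(log)
    print("entries:", sw.entries, "alerts:", sw.alerts)
```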