Method and arrangement for preventing illegitimate use of IP addresses
Abstract
Illegitimate use of IP addresses is counteracted. A network (1) includes a switch (5) with ports (P1, P2, P3) to subscribers (6, 6A) and a port (PN) to a core network (2) with DHCP servers (4, 4a, 4b). The switch includes a database with MAC addresses (MAC1, MAC2), port numbers (P1, P2) and VLAN identities (VLAN1, VLAN2) for the subscribers (6, 6A), and a filter (9) in the switch holds a list of trusted DHCP servers. Initially only DHCP messages from the subscribers are allowed. When the subscriber (6) requests (M1, M3) an IP address, it is checked that the request is a DHCP message with valid subscriber values (MAC1, P1, VLAN1). A response (M2, M4) with an allocated IP address (IP1) and lease time interval (T1) is checked to come from a trusted DHCP server. If so, an entry with the correct information (MAC1, P1, VLAN1, IP1, T1) is dynamically generated in the filter (9). A message (M5) from the subscriber (6) with a false IP address is discarded by the filter. Attempts by the subscriber to use a false IP address are counted and a warning signal is generated.
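The filter described in the abstract and again in the claims, as an added Python example that is not part of the patent: a trusted-server list, bindings learned only from DHCP replies of trusted servers, removal of a binding when its lease interval is out, discard of subscriber frames whose source IP differs from the binding, and a per-port counter that raises a warning once the attempts n exceed the threshold N. All server and subscriber addresses, the port name and the MAC label are constructed.

```python
class SourceGuard:
    """Switch-side filter from the abstract: bindings are learned only from DHCP
    replies of trusted servers; a subscriber frame is forwarded only when its
    source IP matches the binding stored for its (MAC, port, VLAN)."""

    def __init__(self, trusted_servers, threshold_n):
        self.trusted = set(trusted_servers)  # list of trusted DHCP servers
        self.threshold = threshold_n         # N: warn once attempts n exceed it
        self.bindings = {}                   # (mac, port, vlan) -> (ip, lease_end)
        self.attempts = {}                   # port -> n, attempts to use a false IP
        self.warnings = []                   # (port, n) warning signals raised

    def on_dhcp_reply(self, server_ip, mac, port, vlan, ip, lease, now):
        """Reply (M2/M4) arriving on the uplink port; accepted only from a trusted server."""
        if server_ip not in self.trusted:
            return False                     # untrusted server: reply discarded, no binding
        self.bindings[(mac, port, vlan)] = (ip, now + lease)  # lease = interval T1
        return True

    def on_subscriber_frame(self, mac, port, vlan, src_ip, now, is_dhcp=False):
        """Frame from a subscriber port: True = forward, False = discard."""
        if is_dhcp:
            return True                      # DHCP requests (M1/M3) are always allowed
        key = (mac, port, vlan)
        binding = self.bindings.get(key)
        if binding is not None and now >= binding[1]:
            del self.bindings[key]           # lease interval is out: entry removed
            binding = None
        if binding is not None and binding[0] == src_ip:
            return True
        n = self.attempts.get(port, 0) + 1   # count the attempt to use a false IP
        self.attempts[port] = n
        if n > self.threshold:
            self.warnings.append((port, n))  # warning signal for this port
        return False


def demo():
    """Constructed scenario: trusted server 10.0.0.4, rogue server 10.0.0.99 (both made up)."""
    guard = SourceGuard(trusted_servers=["10.0.0.4"], threshold_n=2)
    rogue = guard.on_dhcp_reply("10.0.0.99", "mac1", "P1", 1, "10.1.1.50", 3600, now=0)
    trusted = guard.on_dhcp_reply("10.0.0.4", "mac1", "P1", 1, "10.1.1.7", 3600, now=0)
    legit = guard.on_subscriber_frame("mac1", "P1", 1, "10.1.1.7", now=10)
    spoofed = [guard.on_subscriber_frame("mac1", "P1", 1, "10.1.1.9", now=20 + i) for i in range(3)]
    expired = guard.on_subscriber_frame("mac1", "P1", 1, "10.1.1.7", now=4000)
    return rogue, trusted, legit, spoofed, expired, guard.warnings
```

In the scenario the rogue reply creates no binding, the third spoofed frame pushes n past N=2 and raises the warning, and the frame sent after the lease has run out is discarded even though its source IP was once valid.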
Claims
The invention claimed is:
1. A method for preventing illegitimate use of an Internet Protocol (IP) address by a subscriber device in an IP network, the network including a switch node and at least one DHCP server, said subscriber device in communication with the switch node, the method including the steps of:
creating a list of trusted ones of the DHCP servers in said switch node; transmitting by the subscriber device a DHCP request message for an IP address; receiving a reply message by said switch node which carries an assigned subscriber IP address; analysing the reply message by said switch node to be a DHCP message and having a source address from one of the trusted DHCP servers; updating a filter dynamically in the switch node, the filter storing an identification of the subscriber device and the assigned subscriber IP address; transmitting a frame from the subscriber device using a source IP address; comparing in the filter said source IP address with the stored subscriber IP address; and, discarding said frame when said source IP address differs from the stored subscriber IP address.
2. The method according to claim 1, further comprising the step of storing in the filter a subscriber MAC address, a subscriber physical port number, a subscriber virtual LAN identity and a lease time interval for the assigned subscriber IP address.
3. The method according to claim 1, wherein the subscriber IP address is statically assigned and handled by the DHCP servers.
4. The method according to claim 2, the method including deleting the subscriber identification and the corresponding assigned subscriber IP address from the filter when the lease time interval is out.
5. The method according to claim 1, the method further comprising the steps of:
counting a number of attempts (n) from the subscriber to use an illegitimate IP address; comparing the number (n) of the attempts with a threshold number (N); sending a warning signal when the number of attempts exceeds a threshold criterion.
6. A switch node in an Internet Protocol (IP) network adapted to prevent illegitimate use of an IP address by a subscriber device, the switch node including:
at least one port for communication with a subscriber device; an uplink port for communication with DHCP servers in the network; and, a filter device having a list of trusted ones of the DHCP servers, the filter device being associated with the ports; wherein the switch node is operative to: receive a subscriber IP address request message from a subscriber device, analyse it to be a DHCP request message and transmit it on the uplink port; receive a reply message on the uplink port, analyse it to be a DHCP reply message having a source IP address from one of the trusted DHCP servers on the list; dynamically update the filter with an identification of the subscriber device and a corresponding assigned subscriber IP address contained in the DHCP reply message; receive a frame with a source IP address from a subscriber device; compare in the filter said source IP address with the stored subscriber IP address for the subscriber device; and, to discard said frame when said source IP address differs from the stored subscriber IP address.
7. The switch node according to claim 6, wherein the switch node is further operative to store in the filter a subscriber MAC address, a subscriber physical port number, a subscriber virtual LAN identity and a lease time interval for the assigned subscriber IP address.
8. The switch node according to claim 6, wherein the subscriber IP address comprises a statically assigned address which is handled by the DHCP servers.
9. The switch node according to claim 7, wherein the switch node is further operative to delete the subscriber identification and the corresponding assigned subscriber IP address from the filter when the lease time interval expires.
10. The switch node according to claim 6, wherein the filter comprises a counter operative to count a number (n) of discarded frames on the subscriber port, to compare the number (n) of the discarded frames with a threshold number (N), and to send a warning signal when the number of discarded frames exceeds a threshold criterion.
11. A method in a switch node coupled upstream to at least one Dynamic Host Configuration Protocol (DHCP) server and coupled downstream to at least one subscriber device, the method including the steps of:
creating a first table of trusted ones of the DHCP servers in the switch node; receiving, by the switch node, from the at least one subscriber device, a DHCP request message for an IP address; transmitting, by the switch node, the DHCP request message to one of the trusted DHCP servers; receiving, by the switch node, a reply message from the trusted DHCP server, the reply including an assigned subscriber IP address; analysing the reply message by the switch node to be a DHCP message and having a source address from one of the trusted DHCP servers according to the first table; updating a second table dynamically in the switch node, the second table storing an identification of the subscriber device and the assigned subscriber IP address; transmitting, by the switch node, to the subscriber device, a reply message which carries the assigned subscriber IP address; receiving, by the switch node, a frame from the subscriber device using a source IP address; comparing the source IP address with the stored subscriber IP address in the second table; discarding the frame when the source IP address differs from the stored subscriber IP address of the second table; and accepting the frame when the source IP address matches the stored subscriber IP address of the second table.
12. The method according to claim 11, further comprising the step of storing in the second table a subscriber MAC address, a subscriber physical port number, a subscriber virtual LAN identity and a lease time interval for the assigned subscriber IP address.
13. The method according to claim 11, wherein the subscriber IP address is statically assigned and handled by the DHCP servers.
14. The method according to claim 12, the method including deleting the subscriber identification and the corresponding assigned subscriber IP address from the second table when the lease time interval is out.
15. The method according to claim 11, the method further comprising the steps of:
counting a number of attempts (n) from the subscriber to use an IP address that does not match that contained in the second table; comparing the number (n) of the attempts with a threshold number (N); sending a warning signal when the number of attempts exceeds the threshold number.
16. A switch node configured to prevent illegitimate use of an IP address by a subscriber device, the switch node comprising:
at least one downlink port for communication with a subscriber device; at least one uplink port for communication with at least one Dynamic Host Configuration Protocol (DHCP) server in a network; and, a first table having a list of trusted ones of the DHCP servers, the first table being associated with the ports; processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, cause the switch node to:
receive a subscriber IP address request message from a subscriber device, analyse it to be a DHCP request message and transmit it on the uplink port;
receive a reply message on the uplink port, analyse it to be a DHCP reply message having a source IP address from one of the trusted DHCP servers in the first table;
dynamically update a second table with an identification of the subscriber device and a corresponding assigned subscriber IP address contained in the DHCP reply message;
receive a frame with a source IP address from a subscriber device;
compare the source IP address with the stored subscriber IP address for the subscriber device in the second table;
discard the frame when the source IP address differs from the stored subscriber IP address; and
accept the frame when the source IP address matches the stored subscriber IP address of the second table.
17. The switch node according to claim 16, wherein the switch node is further operative to store in the second table a subscriber MAC address, a subscriber physical port number, a subscriber virtual LAN identity and a lease time interval for the assigned subscriber IP address.
18. The switch node according to claim 16, wherein the subscriber IP address comprises a statically assigned address which is handled by the DHCP servers.
19. The switch node according to claim 17, wherein the switch node is further operative to delete the subscriber identification and the corresponding assigned subscriber IP address from the filter when the lease time interval expires.
20. The switch node according to claim 16, further comprising a counter operative to count a number (n) of discarded frames on the subscriber port, to compare the number (n) of the discarded frames with a threshold number (N), and to send a warning signal when the number of discarded frames exceeds the threshold number.
Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.