U.S. patent application number 09/882275 was filed with the patent office on 2002-03-07 for internet protocol (ip) work group routing.
Invention is credited to Cullerot, David L., Dobbins, Kurt A., Haggerty, William T., Negus, Stephen H.
Application Number: 20020029288 (09/882275)
Family ID: 23993060
Filed Date: 2002-03-07
United States Patent Application 20020029288, Kind Code A1
Dobbins, Kurt A.; et al.
March 7, 2002
Internet protocol (IP) work group routing
Abstract
Apparatus and method wherein multiple router interfaces are
assigned the same IP network address, creating an IP work group.
This enhances host mobility by allowing, in one embodiment, a host
to be relocated anywhere in the work group without requiring
reconfiguration of the host. As a further option, host address
ranges may be specified (i.e., locked) to designated interfaces of
the work group, to enhance security by restricting the allowed host
mobility within the work group. An additional advantage is a
reduced consumption of network and subnet addresses, because now a
single address is used for several physical networks.
Inventors: Dobbins, Kurt A. (Bedford, NH); Cullerot, David L. (Manchester, NH); Negus, Stephen H. (Windham, NH); Haggerty, William T. (Dunstable, MA)
Correspondence Address: WOLF GREENFIELD & SACKS, PC, FEDERAL RESERVE PLAZA, 600 ATLANTIC AVENUE, BOSTON, MA 02210-2211, US
Family ID: 23993060
Appl. No.: 09/882275
Filed: June 15, 2001
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
09882275 | Jun 15, 2001 |
09073557 | May 6, 1998 | 6249820
08501324 | Jul 12, 1995 | 5751971
Current U.S. Class: 709/238; 709/230
Current CPC Class: H04L 61/5069 20220501; H04L 12/46 20130101; H04L 61/00 20130101; H04L 69/16 20130101; H04L 61/25 20130101; H04L 69/165 20130101; H04L 9/40 20220501; H04L 69/161 20130101; H04L 2101/677 20220501; H04L 63/0236 20130101; H04L 12/4625 20130101
Class at Publication: 709/238; 709/230
International Class: G06F 015/173; G06F 015/16
Claims
1. A method of routing datagrams from a source to a destination in
an IP communications network including routers having multiple
router interfaces connecting multiple physical networks, wherein
the routers forward IP datagrams based upon IP addresses, the
method comprising the steps of: defining an IP work group by
assigning multiple router interfaces to a same IP work group
address; and forwarding IP datagrams through the routers based on
the IP work group address.
2. The method of claim 1 further comprising: specifying IP host
address ranges for different router interfaces; and filtering IP
datagrams based on the host address ranges.
3. The method of claim 1, wherein if an IP datagram contains source
and destination host addresses within the same IP work group,
forwarding the datagram without performing header and address
validation.
4. The method of claim 1, further including configuring a
forwarding information base (FIB) with a route for the IP work
group.
5. The method of claim 1, further comprising assigning a security
level to the IP work group by identifying hosts within the group as
"free" in order to permit forwarding to/from any interface, or
"secured" in order to permit forwarding to/from a designated
interface.
6. The method of claim 5, wherein four levels of security are
provided: in a "low" security work group, a host with any physical
address is free to reside on any interface as long as its IP
address does not lie within specified host address ranges, but if
it does fall in any one of the ranges then it must reside on a
designated interface for that one range; in a "medium" security
work group, a host's IP address must fall within a specified host
address range for a designated interface, but unless a physical
address is also specified, the physical address is not constrained;
in a "high" security work group, a host must have a specified host
IP address for a designated interface and have a designated
physical address; and in a "none" security work group, all hosts
are free.
7. The method of claim 6, wherein a range table is maintained with
the specified host address ranges and their designated
interfaces.
8. A method of providing security in an IP communications network
including routers having multiple router interfaces connecting
multiple physical networks, wherein the routers forward IP
datagrams based on IP addresses, the method comprising the steps
of: defining an IP work group by specifying IP host address ranges
for different router interfaces; and filtering IP datagrams based
on the host address ranges.
9. The method of claim 8, wherein the defining step includes
specifying an IP host address range for a single physical
address.
10. The method of claim 8, wherein the defining step includes
specifying multiple host address ranges which include the same IP
host address to different router interfaces.
11. A method of increasing host mobility in an IP communications
network including multiple physical networks connected by routers
having multiple router interfaces, wherein the routers forward IP
datagrams based upon IP addresses, the method comprising the steps
of: defining an IP work group by assigning multiple router
interfaces to a same IP work group address and forwarding IP
datagrams based on the IP work group address, and wherein a host is
attachable to any interface in the IP work group without requiring
reconfiguration of the host IP address.
12. The method of claim 11, including maintaining a host table of
IP host addresses and their associated interfaces.
13. The method of claim 12, further comprising reviewing the host
table for duplicate IP host addresses and associated
interfaces.
14. The method of claim 11, further comprising maintaining a count
of known interfaces within the work group.
15. The method of claim 11, further comprising monitoring the hosts
heard on each interface and maintaining a host table of IP host
addresses and associated interfaces on which each host is
heard.
16. The method of claim 11, wherein the host table is maintained as
a cache memory accessible by each router interface.
17. The method of claim 11, further comprising: providing a work
group forwarding agent for each work group.
18. The method of claim 17, further comprising: maintaining a host
table of IP host addresses and their associated interfaces; and
wherein the work group forwarding agent, prior to forwarding a
datagram, accesses the host table for the associated interface.
19. The method of claim 11, wherein: the work group forwarding
agent sends ARP requests to all interfaces in the work group to
resolve an unknown host physical address.
20. The method of claim 19, further comprising: providing an ARP
forwarding agent at each interface of the router, which accesses
the host table.
21. The method of claim 11, further comprising: maintaining a range
table of host IP addresses and associated interfaces on which the
hosts may reside; and prior to forwarding a datagram, accessing the
range table to validate a source or destination host.
22. An IP communications network including multiple physical
networks connected by routers having multiple router interfaces,
the routers forwarding IP datagrams based upon IP addresses, the
network providing increased host mobility and including: means for
defining an IP work group by assigning multiple router interfaces
to a same IP work group address; and means for forwarding IP
datagrams based on the IP work group address, wherein a host is
attachable to any interface in the IP work group without requiring
reconfiguration of the host IP address.
23. An IP communications network including routers having multiple
router interfaces connecting multiple physical networks, the
routers forwarding IP datagrams based on IP addresses, the network
providing enhanced security and including: means for defining an IP
work group by specifying IP host address ranges for different
router interfaces; and means for filtering IP datagrams based on
the host address ranges.
24. A router that provides security for preventing unauthorized
transmissions comprising: a first interface connectable to a first
network; means for assigning a range of valid IP host addresses to
the first interface; and means for forwarding only IP datagrams
transmitted from a host on the first network having a host IP
address within the range of valid host addresses.
25. An apparatus for assigning a plurality of interfaces on an IP
communications network to a work group, comprising: means for
defining an IP work group by assigning an IP workgroup address to a
plurality of interfaces; means for configuring interfaces to the IP
work group; means for configuring ranges of IP host addresses to
associated interfaces of the IP work group; and means for filtering
IP datagrams based upon the host address ranges.
Description
[0001] This application is a Continuation of prior application No:
09/073,557, filed on May 6, 1998, entitled INTERNET PROTOCOL (IP)
WORK GROUP ROUTING, now Pending, which will issue on Jun. 19, 2001
as U.S. Pat. No. 6,249,820, which is a continuation of application
serial no. 08/501,324 filed Jul. 12, 1995 entitled INTERNET
PROTOCOL (IP) WORK GROUP ROUTING, now issued as U.S. Pat. No.
5,751,971 on May 12, 1998, and is incorporated by reference herein
in its entirety.
BACKGROUND OF THE INVENTION
[0002] The present invention relates generally to communications
networks and more particularly to a method and apparatus for IP
work group routing which provides host mobility, conserves on the
assignment of IP subnet addresses, and adds security along with
ease of use to network configuration.
[0003] The original IP addressing scheme assigned a unique 32-bit
internet address to each physical network and required gateways to
keep routing tables proportional to the number of networks in the
internet. This scheme is acceptable for an internet with tens of
networks and hundreds of hosts, but cannot handle today's
connected internet with tens of thousands of small networks of
personal computers because: (1) immense administrative overhead is
required merely to manage network addresses; (2) the routing tables
and gateways are extremely large; and (3) the number of IP
addresses available for assignment is dwindling. Thus, the problem
was how to minimize the number of assigned network addresses
without destroying the original addressing scheme. See C. D. Comer,
"Internetworking With TCP/IP, Vol. 1, Principles, Protocols and
Architecture," Prentice Hall, Englewood Cliffs, N.J., 2nd ed.,
Chap. 16, pp. 265-280 (1991).
[0004] A prior art technique for allowing a single network address
to span multiple physical networks, and now a required part of IP
addressing, is "subnet addressing" or "subnetting." This is
illustrated by example in FIG. 1A (taken from Comer, p. 270),
wherein a site uses a single class B network address 128.10.0.0 for
two physical networks. Except for gateway G, all gateways in the
internet route as if there were a single physical net. Once a
packet reaches G, it must be sent across the correct physical
network to its destination. In this case, the manager of the local
site has chosen to use the third octet of the address to
distinguish between the two physical networks. Thus, G examines the
third octet of the destination address and routes datagrams with
value 1 to the network labeled 128.10.1.0 and those with value 2 to
the network labeled 128.10.2.0.
[0005] Adding subnets only changes the interpretation of IP
addresses slightly, as illustrated in FIG. 1B. Instead of dividing
the 32-bit IP address into a network prefix and a host suffix,
subnetting divides the address into an internet portion and a local
portion, where the internet portion identifies a site, and the
local portion identifies a physical network and a host on that
physical network.
[0006] Another change is that a site using subnet addressing must
choose a 32-bit subnet mask for each network. Bits in the subnet
mask are set to 1 if the network treats the corresponding bit in
the IP address as part of the network address, and 0 if it treats
the bit as part of the host identifier. It is recommended that
sites use contiguous subnet masks (i.e., setting contiguous bits to
1) and that they use the same mask throughout an entire set of
physical networks that share an IP address.
[0007] The standard IP routing algorithm is also modified to work
with subnet addresses, known as "subnet routing." The standard
algorithm bases its decision on a table of routes, each table entry
containing a pair of:
[0008] (network address, next hop address)
[0009] where the network address field specifies the IP address of
the destination network, N, and the next hop address field
specifies the address of a gateway to which datagrams destined for
N should be sent. The standard routing algorithm compares the
network portion of a destination address to the network address
field of each entry in the routing table until a match is found.
Because the next hop address field is constrained to specify a
machine that is reachable over a directly connected network, only
one table look-up is needed.
[0010] The modified algorithm for subnet routing maintains one
additional field in each table entry that specifies the subnet mask
for use with that entry:
[0011] (subnet mask, network address, next hop address)
[0012] When choosing routes, the modified algorithm performs a
bit-wise Boolean "AND" of the full 32-bit destination IP address
and the subnet mask, and then checks to see if the result equals
the value in the network address field. If so, it routes the
datagram to the address specified in the next hop address field. If
the IP address of the destination network (extracted from the
datagram) matches a directly connected network address, the
destination IP address from the datagram is resolved to a physical
address, the datagram is encapsulated, and the frame sent out on
the destination network to the destination host.
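As an added illustration, not taken from the patent, the two look-ups just described in Python: the standard classful match that every gateway other than G performs, and the modified (subnet mask, network address, next hop) match that G performs. The tables are constructed from FIG. 1A; the upstream gateway address 192.0.2.1 and the 192.0.2.0 link are assumptions.

```python
import ipaddress


def ip_int(addr: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def classful_mask(addr: str) -> int:
    """Original scheme: the network portion is fixed by the address class."""
    first_octet = ip_int(addr) >> 24
    if first_octet < 128:
        return 0xFF000000          # class A: one octet of network
    if first_octet < 192:
        return 0xFFFF0000          # class B: two octets of network
    if first_octet < 224:
        return 0xFFFFFF00          # class C: three octets of network
    raise ValueError(f"{addr} has no class A/B/C network portion")


def standard_route(dest: str, table):
    """Standard algorithm: entries are (network address, next hop). The network
    portion of the destination is compared with each entry until one matches."""
    net_part = ip_int(dest) & classful_mask(dest)
    for network, next_hop in table:
        if net_part == ip_int(network):
            return next_hop
    return None


def subnet_route(dest: str, table):
    """Modified algorithm: entries are (subnet mask, network address, next hop).
    The full 32-bit destination is ANDed with the entry's mask and compared with
    the network address. The first match wins, so the table must list the most
    specific entries first. A next hop of None marks a directly connected network,
    where the destination itself is resolved to a physical address."""
    d = ip_int(dest)
    for mask, network, next_hop in table:
        if d & ip_int(mask) == ip_int(network):
            return ("direct", dest) if next_hop is None else ("via", next_hop)
    return None


# Constructed table modelled on FIG. 1A: every gateway other than G treats the
# site as the single class B network 128.10.0.0 and hands datagrams to G.
INTERNET_TABLE = [("128.10.0.0", "G")]

# Constructed table for G: the third octet selects the physical network.
# The 192.0.2.0 link and the upstream gateway 192.0.2.1 are assumed here.
G_TABLE = [
    ("255.255.255.0", "128.10.1.0", None),        # directly connected, third octet 1
    ("255.255.255.0", "128.10.2.0", None),        # directly connected, third octet 2
    ("255.255.255.0", "192.0.2.0", None),         # link toward the rest of the internet
    ("0.0.0.0", "0.0.0.0", "192.0.2.1"),          # default route, must stay last
]
```

Reversing G_TABLE makes the all-zero default entry match every destination, which is why the first-match rule forces most-specific-first ordering.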
[0013] With ever increasing numbers of subnets, it would be
desirable if further methods were available to conserve on subnet
addresses. One potential method for doing this would be to put a
bridge on a single router interface to bridge multiple LAN
segments; however, this involves the added cost of a bridge and
loses the protection of router "fire walls", which administrators
set to filter out packets based on destination addresses. Another
potential method would be to increase the granularity of subnets by
taking more bits from the host portion of the IP address for the
subnet mask; however, this approach is very difficult for the
network administrator to maintain as the network configuration
evolves. Thus, neither of these potential methods offers a
satisfactory solution.
[0014] It is an object of the present invention to accomplish one
or more of the following: increase host mobility; further conserve
on the assignment of network addresses; simplify the configuration
of subnets; and provide an enhanced level of security.
SUMMARY OF THE INVENTION
[0015] The present invention is a method and apparatus for routing
datagrams from a source node to a destination node in an IP
communications network, the network including routers having
multiple router interfaces connecting multiple physical networks.
The method includes the step of assigning multiple router
interfaces to a same IP work group address. This enhances host
mobility by allowing, in one embodiment, a host to be relocated
anywhere in the work group without requiring reconfiguration of the
host. The method further includes the option of specifying (i.e.,
limiting or locking) host address ranges to designated interfaces
of the work group. This step enhances security by restricting the
allowed host mobility within the work group. The method further
includes the optional step of filtering (i.e., dropping) the
datagram if at least one of the source and destination hosts does
not reside on the designated interface of the IP work group.
[0016] In the prior art, each router interface would have a unique
IP address; in the present invention, multiple interfaces are
assigned the same IP address. The hosts and physical networks
connected to the designated multiple interfaces are referred to as
a "work group". There are several advantages to this
arrangement.
[0017] First, there is the advantage of host mobility within the
work group. A designated host may be valid if physically located on
any one of the several interfaces in the work group. Another
advantage is a reduced consumption of network and subnet addresses,
because now a single address is used for several physical networks.
As a result, the administrative burden of servicing physical
networks with several addresses is reduced.
[0018] Another advantage is that it enables a network administrator
to configure a network such that host addresses are allocated in
blocks mirroring the physical structure of the network. For
example, the administrator might allocate a contiguous block of
addresses to each physical network. By providing a block or range
of addresses, room is provided for future growth. In addition, one
can secure the operational behavior of the network along the same
lines as the configuration.
[0019] Security is optionally enhanced by only allowing
transmission of datagrams to or from hosts with certain addresses.
By locking IP (network layer) and MAC (physical layer) addresses,
no one (other than the network administrator) can reconfigure an IP
address to another MAC address. As a result, unauthorized computers
which connect to a network will not be able to transmit datagrams
into or out of the work group.
[0020] For example, in one embodiment a level of security is
assigned to each IP work group by identifying the hosts within the
group as "free", i.e., permitting forwarding to/from any interface,
or "secured", i.e., permitting forwarding to/from only if the host
resides on a designated interface. Hosts may be secured by range or
singly; in the latter case the host's physical address may also be
secured.
[0021] Another feature of this invention which speeds the
forwarding procedure is referred to as "FastPath". If a datagram's
source and destination addresses are both within the same work
group, then header and address validation may be skipped.
[0022] These and other benefits and features of the present
invention will be more particularly described with respect to the
following detailed description and drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
[0023] FIG. 1A is a schematic illustration of a gateway G
connecting two physical networks to the rest of the internet, and
illustrating the prior art IP subnet addressing scheme.
[0024] FIG. 1B illustrates, in the top portion, the original IP
addressing scheme in which a 32-bit class B IP address is
considered to have a 2-octet internet portion and a 2-octet local
portion; in the bottom portion, a modified IP subnet addressing
scheme is illustrated in which a 2-octet internet part identifies a
site, and a 2-octet local part is divided into two parts, one part
identifying a physical network (subnet) and a second part
identifying a host on that subnet.
[0025] FIG. 2 is a schematic illustration of a router, with
multiple interfaces connected to different physical networks and
another interface connected to the rest of the internet.
[0026] FIG. 3 illustrates a Definition table according to one
embodiment of the invention.
[0027] FIG. 4 illustrates an Interface table according to one
embodiment of the invention.
[0028] FIG. 5 illustrates a Range table according to one embodiment
of the invention.
[0029] FIG. 6 illustrates a Host table according to one embodiment
of the invention.
[0030] FIG. 7 illustrates service and forwarding methods of
distributed autonomous forwarding engines.
[0031] FIGS. 8a-8g are a series of flow diagrams illustrating the
forwarding of data packets in accordance with one embodiment of the
invention.
[0032] FIG. 9 shows a general purpose computer and memory for
implementing the invention.
DETAILED DESCRIPTION
[0033] The following definitions are useful in understanding the
present invention (taken from D. Comer, pp. 477-511):
[0034] ARP: (Address Resolution Protocol) The TCP/IP protocol used
to dynamically bind a high level IP address to a low-level physical
hardware address. ARP is only across a single physical network and
is limited to networks that support hardware broadcast.
[0035] directed broadcast address: An IP address that specifies
"all hosts" on a specific network. A single copy of a directed
broadcast is routed to the specified network where it is broadcast
to all machines on that network.
[0036] gateway: A special purpose, dedicated computer that attaches
to two or more networks and routes packets from one to the other.
In particular, an IP gateway routes IP datagrams among the networks
to which it connects. Gateways route packets to other gateways
until they can be delivered to the final destination directly on
one physical network. The term is loosely applied to any machine
that transfers information from one network to another, as in mail
gateway. Although the original literature used the term gateway,
vendors often call them IP routers.
[0037] host: Any (end-user) computer system that connects to a
network. Hosts range in size from personal computers to
supercomputers. Also see gateway.
[0038] ICMP: (Internet Control Message Protocol) An integral part
of the Internet Protocol that handles error and control messages.
Specifically, gateways and hosts use ICMP to send reports of
problems about datagrams back to the original source that sent the
datagram. ICMP also includes an echo request/reply used to test
whether a destination is reachable and responding.
[0039] internet: Physically, a collection of packet switching
networks interconnected by gateways along with protocols that allow
them to function logically as a single, large, virtual network.
When written in upper case, Internet refers specifically to the
connected Internet and the TCP/IP protocols it uses.
[0040] Internet: The collection of networks and gateways, including
the MILNET and NSFNET, that use the TCP/IP protocol suite and
function as a single, cooperative virtual network. The Internet
provides universal connectivity and three levels of network
services; unreliable, connectionless packet delivery; reliable,
full duplex stream delivery; and application level services like
electronic mail that build on the first two. The Internet reaches
many universities, government research labs, and military
installations and over a dozen countries.
[0041] IP: (Internet Protocol) The TCP/IP standard protocol that
defines the IP datagram as the unit of information passed across an
internet and provides the basis for connectionless, best-effort
packet delivery service. IP includes the ICMP control and error
message protocol as an integral part. The entire protocol suite is
often referred to as TCP/IP because TCP and IP are the two most
fundamental protocols.
[0042] IP address: The 32-bit address assigned to hosts that want
to participate in a TCP/IP internet. IP addresses are the
abstraction of physical networks. Actually assigned to the
interconnection of a host to a physical network, an IP address
consists of a network portion and a host portion. The partition
makes routing efficient.
[0043] IP datagram: The basic unit of information passed across a
TCP/IP internet. An IP datagram is to an internet as a hardware
packet is to a physical network. It contains a source and
destination address along with data.
[0044] MIB: (Management Information Base) The set of variables
(database) that a gateway running CMOT or SNMP maintains. Managers
can fetch or store into these variables. MIB-II refers to an
industry-standard extended management database that contains
variables common to the configuration of network devices.
[0045] packet: The unit of data sent across a packet switching
network. The term is used loosely. While some TCP/IP literature
uses it to refer specifically to data sent across a physical
network, other literature views an entire TCP/IP internet as a
packet switching network and describes IP datagrams as packets.
[0046] proxy ARP: The technique in which one machine, usually a
gateway, answers ARP requests intended for another by supplying its
own physical address. By pretending to be another machine, the
gateway accepts responsibility for routing packets to it.
[0047] route: In general, a route is the path that network traffic
takes from its source to its destination. In a TCP/IP internet,
each IP datagram is routed separately; the route a datagram follows
may include many gateways and many physical networks.
[0048] router: Generally, any machine responsible for making
decisions about which of several paths network traffic will follow
based on a network level address. When used with TCP/IP, the term
refers specifically to an IP gateway that routes datagrams using IP
destination addresses. In a TCP/IP internet, each IP gateway is a
router because it uses IP destination addresses to choose
routes.
[0049] SNMP: (Simple Network Management Protocol) A standard
protocol used to monitor IP gateways and the networks to which they
attach. SNMP defines a set of variables that the gateway must keep
and specifies that all operations on the gateway are a side-effect
of fetching or storing to the data variables. Also see MIB.
[0050] subnet address: An extension of the IP addressing scheme
that allows a site to use a single IP network address for multiple
physical networks. Outside of the site using subnet addressing,
routing continues as usual by dividing the destination address into
a network portion and local portion. Gateways and hosts inside a
site use subnet addressing to interpret the local portion of the
address by dividing it into a physical network portion and host
portion.
[0051] FIG. 2 illustrates a multi-interface router 11 for
connecting several physical networks to an IP internet. The router
11 includes multiple interfaces 12A, 12B, each of which connects to
a physical network 13A, 13B including one or more hosts 14. The
router further includes an interface 15 which connects to the rest
of the internet 16.
[0052] In the prior art, each of the interfaces 12 would have a
unique IP address; in the present invention, both interfaces 12 are
assigned the same IP address. The hosts 14 and networks 13
connected to both interfaces 12 are referred to as a "work
group".
Work Group Tables
[0053] An IP work group contains the managed objects used to set up
and configure the IP router interfaces (ports) into associations
known as work groups. Each work group is a subnet with one address
and security level shared by the associated interfaces.
[0054] In a specific embodiment described herein, the configuration
of IP work groups is done through four tables: Definition,
Interface, Range, and Host. The first three are configuration
tables and the fourth is a read-only status table. Each
configuration table's key begins with "ID", the work group
identifier. These tables are implemented as AVL binary trees; a
tree does not have a predefined size and may grow freely. Prior art
management routines are used to allow network management to set
entries and retrieve them from the tables in serial order in
support of the Simple Network Management Protocol (SNMP).
[0055] The four tables provide the following functions, described
in more detail below:
[0056] Definition table 30 (FIG. 3): each entry defines a work
group and assigns each work group a Host Address 32 and Subnet Mask
33 and a Security level.
[0057] Interface table 40 (FIG. 4): each entry associates an
interface (defined by IfIndex 42) to a work group.
[0058] Range table 50 (FIG. 5): each entry locks a range of host
addresses (BegAddress 52 to EndAddress 53) to an interface of a
work group.
[0059] Host table 60 (FIG. 6): each entry lists the active (i.e.,
discovered) hosts (Host Address 61) along with their associated
interface and physical address.
[0060] Referring to FIG. 3, the Definition table 30 includes an ID
field 31 which identifies by an integer a separate work group in
each row. For a given row, the work group is assigned a Host
Address (field 32) and a Subnet Mask (field 33) which together
(logical AND) define the subnet (IP subnet address) for a given
work group, e.g., for work group "1", the subnet is
134.141.40.0.
[0061] The Security field 34 sets the level of security for the
work group. Security means the filtering of packet forwarding
through the Range table 50 (FIG. 5). Hosts may be secured by range
or singly. Four levels of security are provided:
[0062] none--all hosts are free and the range table is not
consulted in packet forwarding;
[0063] low--host may be free or secured in the range table;
[0064] medium--host must be secured, by range or singly;
[0065] high--host must be secured singly, with physical address
also configured.
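An added example, not part of the patent text: a Python model of the forwarding filter for the four security levels, using the semantics spelled out in claim 6 and the drop rule of [0015] (drop unless both source and destination hosts are on their designated interfaces). The Range table rows, Host table contents and MAC addresses are constructed; the `mac` field on a range entry, holding the physical address of a singly secured host, is an assumption of this example because the page does not show where that address is configured.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import ipaddress


class Security(Enum):
    """Security field (34) of the Definition table, FIG. 3."""
    NONE = "none"
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class RangeEntry:
    """One row of the Range table (FIG. 5): ID, BegAddress, EndAddress, IfIndex.
    `mac` is an assumption of this example: the physical address configured for a
    singly secured host (BegAddress == EndAddress); None when not configured."""
    workgroup: int
    beg: str
    end: str
    if_index: int
    mac: Optional[str] = None

    def contains(self, addr: str) -> bool:
        return ip_int(self.beg) <= ip_int(addr) <= ip_int(self.end)

    def is_single(self) -> bool:
        return self.beg == self.end


def host_permitted(level: Security, workgroup: int, addr: str, if_index: int,
                   mac: Optional[str], ranges: list) -> bool:
    """May host `addr`, seen on interface `if_index` with physical address `mac`,
    send or receive datagrams under the work group's security level?"""
    if level is Security.NONE:
        return True                        # all hosts free; Range table not consulted
    covering = [r for r in ranges if r.workgroup == workgroup and r.contains(addr)]
    here = [r for r in covering if r.if_index == if_index]   # ranges locking addr to this port
    if level is Security.LOW:
        # free unless some range covers the address; then it must sit on a designated port
        return not covering or bool(here)
    if level is Security.MEDIUM:
        # must be secured (by range or singly) to this port; MAC constrained only if configured
        return any(r.mac is None or r.mac == mac for r in here)
    # HIGH: must be secured singly, with a configured physical address that matches
    return any(r.is_single() and r.mac is not None and r.mac == mac for r in here)


def forward_allowed(level: Security, workgroup: int, src: str, src_if: int,
                    src_mac: Optional[str], dst: str, ranges: list, host_table: dict) -> bool:
    """Datagram filter of [0015]: the source is validated on the ingress interface,
    the destination on the interface recorded for it in the Host table (FIG. 6)."""
    if not host_permitted(level, workgroup, src, src_if, src_mac, ranges):
        return False
    if dst not in host_table:
        return False          # unknown destination: ARP resolution would come first, not modelled
    dst_if, dst_mac = host_table[dst]
    return host_permitted(level, workgroup, dst, dst_if, dst_mac, ranges)


# Constructed Range table for work group 1 (subnet 134.141.40.0 in FIG. 3).
RANGES = [
    RangeEntry(1, "134.141.40.1", "134.141.40.50", 2),
    RangeEntry(1, "134.141.40.51", "134.141.40.100", 3),
    RangeEntry(1, "134.141.40.200", "134.141.40.200", 3, mac="02:00:00:00:00:c8"),
]

# Constructed Host table: discovered host -> (interface heard on, physical address).
HOSTS = {
    "134.141.40.10": (2, "02:00:00:00:00:0a"),
    "134.141.40.60": (3, "02:00:00:00:00:3c"),
    "134.141.40.200": (3, "02:00:00:00:00:c8"),
}
```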
[0066] The FastPath field 35 designates whether this service is
enabled or disabled. If enabled, it speeds up the forwarding of
packets within a work group (i.e., both source and destination in
the same work group) by skipping IP header and address validation.
If disabled, IP header and address validation are performed.
[0067] The RowStatus field 36 is defined in the context of the
SNMPv2 textual convention. The three readable states are:
[0068] active--work group entry is active and usable by the
router;
[0069] notinservice--entry is fully defined but administratively
inactive;
[0070] notready--entry is not yet fully defined (e.g., workgroup
"5" still requires a mask).
[0071] A work group not in the Definition table, or in the
Definition table but with a RowStatus marked "notready," cannot be
used as a key in creating entries in the Interface and Range
tables.
[0072] RowStatus is a status object used to administrate conceptual
rows in the work group tables defined above (FIGS. 3-6). It is an
integer used here in an SNMPv1 MIB, but intended to have the same
semantics as the RowStatus textual convention for SNMPv2.
[0073] RowStatus is used to manage the creation and deletion of
conceptual rows, and has six defined values:
[0074] active--usable by the managed device;
[0075] notInService--unusable, row information complete;
[0076] notReady--unusable, row information incomplete;
[0077] createAndGo--set to create a row in active status;
[0078] createAndWait--set to create a row in either notReady or
notInService status;
[0079] destroy--set to delete existing row.
[0080] The first three values are states which may be retrieved by
a management protocol get operation. The last three values are
actions--they may be written, but not read. All values except
"notReady" may be specified in a set operation. For example, to
temporarily disable a row, set status to "notInService" and
reactivate it later by a set to "active". The agent alone
determines "notReady" status. If a row was created by a set of
"createAndWait" and the agent has enough row information from
instance and default values to complete the row, this status will
be set to "notInService", or else to "notReady".
[0081] The OperStatus field 37 defines the operational status of a
work group definition entry. The four states are:
[0082] ok--operational work group;
[0083] disabled--row status is not active;
[0084] subnetConflict--conflict with IP address of another
interface (existing active entry in this work group definition
table);
[0085] internalError--system problem, e.g., out of memory.
[0086] The NumActiveInt field 38 records the number of interfaces
(ports) in this work group which have an operational status of "OK"
in the interface table (FIG. 4).
[0087] The NumTotalInt field 39 records the number of interfaces in
this work group.
[0088] FIG. 4 shows the Interface table 40. An interface must be
configured in the Interface table before it can be entered
into the work group. An interface entry is keyed by ID and
IfIndex.
[0089] The ID field 41 identifies the work group, e.g., FIG. 4
shows 2 workgroups: "1" and "43".
[0090] The IfIndex field 42 identifies the router interface by
number; these numbers are defined in accordance with the MIB-II
interfaces group.
[0091] The NumActiveHosts field 43 (read only), identifies the
number of hosts recently active on the interface, e.g., averaging
over the cache age out interval.
[0092] The NumKnownHosts field 44 identifies the number of hosts
seen on the interface since the last reboot.
[0093] The RowStatus field 45 is defined in accordance with the
SNMPv2 textual convention defined above.
[0094] The OperStatus field 46 defines the operational status of
this interface (port) entry. The seven states are:
[0095] ok--entry is operational
[0096] disabled--this entry's row status is not active;
[0097] workgroupInvalid--either there is no work group defined for
this entry or the operational status of the work group in the
definition table is not OK;
[0098] addressConflict--there is a conflict of the work group
address with an address configured in the IP address table;
[0099] resetRequired--no conflict, this entry's row status has just
been activated, and a reset of the router is required to be
operationally OK;
[0100] linkDown--no physical connections on this interface;
[0101] routingDown--routing or forwarding has been administratively
disabled
[0102] internalError--unspecified internal problems.
[0103] FIG. 5 illustrates the Range table. The Range table 50
configures host IP address ranges, assigning them to an existing
interface for a designated work group. A range entry is keyed by ID
51, BegAddress 52, EndAddress 53 and IfIndex 54.
[0104] Entries in the same work group (ID) may not have overlapping
host address ranges, but may have duplicate ranges if for different
interfaces (e.g., see the first two entries in table 50 with same
address range). BegAddress and EndAddress define the beginning and
end of the address range, respectively. BegAddress and EndAddress
may be the same, so that a range comprises a single host. Single
host entries allow for a physical address to be configured in the
PhysAddr field 55. In a "high" security work group, such as work
group "43", all entries must be single hosts and must have the
physical address configured as well to be valid.
[0105] More specifically, the address range must lie within the
subnet defined for a given work group and thus the entry acquires
the security level of that work group. If security is violated,
packets to and from a given host IP address will be filtered out by
the router. The source and destination IP packet addresses are
checked against ranges in the Range table during packet forwarding
and must match as follows:
[0106] For a high security workgroup, a host must match a single
host range entry--it must reside on the port with the physical
address as configured in that entry. For a medium security
workgroup, a host must match a range entry in that it resides on
that port, but unless a physical address is also specified in that
entry, the physical address is not constrained.
[0107] For a low security workgroup, a host is free to reside on
any port with any physical address as long as its IP address does
not lie within the range of any entry in the range table, but if it
does fall in a range then it must completely match that entry, or
another entry with the duplicate range. Match completely means
match the port and, if a physical address is specified, match that
as well. The RowStatus field 56 is defined the same as in the
Interface table. The OperStatus field 57 defines the operational
status of this range table entry.
[0108] The following states apply:
[0109] ok--entry is operational
[0110] disabled--this entry's row status is not active;
[0111] workgroupInvalid--no work group or the operational status
for the work group in the Definition table is not OK;
[0112] interfaceInvalid--interface is not in the Interface table or
operational status of interface entry is not OK;
[0113] physAddrRequired--security level of associated work group is
high and no physical address has been specified;
[0114] internalError--system problem
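The matching rules of paragraphs [0105]-[0107] for low, medium and high security work groups, as an added Python model that is not the patent's code; the Range table entries, addresses and MAC addresses are constructed, and the status names are those of the Host table in FIG. 6:

```python
# Added example (not the patent's code): Range table matching for the three
# work group security levels.  Entries, addresses and MACs are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

HIGH, MEDIUM, LOW = "high", "medium", "low"


@dataclass(frozen=True)
class RangeEntry:
    """One Range table row (FIG. 5), keyed by ID, BegAddress, EndAddress and IfIndex."""
    wg_id: int
    beg: IPv4Address
    end: IPv4Address
    if_index: int
    phys_addr: Optional[str] = None   # PhysAddr, configurable on single-host entries only

    def contains(self, ip: IPv4Address) -> bool:
        return self.beg <= ip <= self.end

    def is_single_host(self) -> bool:
        return self.beg == self.end


def rng(wg_id: int, beg: str, end: str, if_index: int, mac: Optional[str] = None) -> RangeEntry:
    return RangeEntry(wg_id, IPv4Address(beg), IPv4Address(end), if_index, mac)


def same_mac(a: Optional[str], b: Optional[str]) -> bool:
    return a is not None and b is not None and a.lower() == b.lower()


def host_status(security: str, ranges: List[RangeEntry], wg_id: int,
                ip: str, if_index: int, phys_addr: str) -> str:
    """HostStatus (FIG. 6) for a host learned on if_index with phys_addr."""
    addr = IPv4Address(ip)
    in_range = [r for r in ranges if r.wg_id == wg_id and r.contains(addr)]
    if not in_range:
        # Low security: unlisted hosts roam freely.  Medium/high: they must be listed.
        return "valid" if security == LOW else "invalid-range"
    # Duplicate ranges may exist on different interfaces; any entry on this port counts.
    on_port = [r for r in in_range if r.if_index == if_index]
    if not on_port:
        return "invalid-range"
    for entry in on_port:
        if security == HIGH:
            # High: only a single-host entry with a MAC configured can validate a host
            # (an entry without one has OperStatus physAddrRequired), and the MAC must match.
            if entry.is_single_host() and same_mac(entry.phys_addr, phys_addr):
                return "valid"
        elif entry.phys_addr is None or same_mac(entry.phys_addr, phys_addr):
            # Medium/low: the MAC is constrained only when the entry specifies one.
            return "valid"
    return "invalid-physAddr"


# Constructed Range table: work group 43 is high security, work group 1 is medium or low.
RANGES = [
    rng(43, "10.1.1.5", "10.1.1.5", 2, "00:00:1d:00:00:05"),
    rng(43, "10.1.1.6", "10.1.1.6", 3),                   # no MAC: physAddrRequired
    rng(1, "10.1.1.100", "10.1.1.199", 1),
    rng(1, "10.1.1.100", "10.1.1.199", 2),                # duplicate range, other port
    rng(1, "10.1.1.50", "10.1.1.50", 1, "00:00:1d:00:00:50"),
]

if __name__ == "__main__":
    print(host_status(HIGH, RANGES, 43, "10.1.1.6", 3, "00:00:1d:00:00:06"))    # invalid-physAddr
    print(host_status(LOW, RANGES, 1, "10.1.1.200", 3, "00:00:1d:00:00:c8"))    # valid
```

A "valid" result corresponds to VALID from the VALIDATE HOST routine; every other status is INVALID and the packet is filtered.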
[0115] FIG. 6 illustrates the Host table. The Host table 60 is read
only, and is similar to the MIB-II Net-to-Media Table, except there
are no static entries.
[0116] The entries in the Host table are not configured; rather,
they are learned and show only hosts active on the network. Each
entry is keyed by HostAddress 61 and IfIndex 62, which may be
helpful if the network is misconfigured. For example, if two hosts
on different interfaces are assigned the same IP address, both
entries would show and the problem could then be corrected.
[0117] The HostAddress field 62 identifies the IP address of the
host. The IfIndex field 63 defines the interface number. The ID
field 63 identifies the work group by integer. The PhysAddr field
64 identifies the physical MAC address of the host.
[0118] The HostStatus field 65 may have one of the following
states:
[0119] other, unknown,
[0120] or valid--the entry is valid for forwarding; the host may be
unknown if ARP has not discovered on which interface it
resides;
[0121] invalid-multiple--the same host IP address was later found
duplicated on another interface;
[0122] invalid-physAddr--the host matched an entry in the Range
table with respect to range and interface, but did not match that
entry for physical address; if the work group is high security,
this status would result if no physical address was given in the
range entry;
[0123] invalid-range--in a high or medium security work group, the
host was not in the range of any entry in the Range table, or it
was not in the range of an entry with a matching interface;
[0124] invalid-interface--the interface was physically down or not
in service in the Interface table;
[0125] invalid-workgroup--the work group does not exist or is not
in service in the Definition table;
[0126] invalid-expired--the host became inactive and aged out on
the interface on which it was learned.
Forwarding Mechanism
[0127] FIG. 7 illustrates a distributed router architecture for
forwarding unicast IP packets across router interfaces. It places
an IP FAS (forwarding service) agent, on each interface, rather
than having a single centralized forwarding agent. The distributed
FAS agent architecture utilized in the present embodiment is more
fully described in copending and commonly owned U.S. Pat. No.
08/216,541 entitled "Distributed Autonomous Object Architecture For
Network Layer Routing," filed Mar. 22, 1994 by Kurt Dobbins et al.,
which is hereby incorporated by reference in its entirety. The
distributed object architecture of that application, which is
implemented in an object-oriented programming language such as C++,
defines all of the router's functional aspects in a common
protocol-independent framework which is inherited by every
protocol-specific object upon instantiation. In object-oriented
programming, the data and methods are united into objects, each of
which represents an instance of some class, and which classes are
members of a hierarchy of classes united via inheritance
relationships.
[0128] As illustrated in FIG. 7, each router interface 111, 114,
117 has a forwarding engine 112, 115, 118 sitting on it, and each
forwarding engine knows how to receive and transmit packets on its
own interface. Each forwarding engine accesses a common forwarding
table (FIB) 120. The host interface 117 is treated as an internal
interface with a destination address for "local" delivery into the
host CPU.
[0129] Each forwarding engine has its own data portion 113, 116,
119 that is specific to itself, e.g., interface and media
information, address resolution tables, configuration information,
etc. However, the method portion 112, 115 and 118 of each engine is
common and is shared by all similar engines. The specific goal of
each forwarding engine is to provide for the reception, processing
and forwarding of network layer packets. At a very high level, all
forwarding engines perform the same basic tasks regardless of
protocol or media.
[0130] The operation of the forwarding engine will now be described
with regard to FIG. 7. When an IP packet arrives, physically
addressed to router interface-1, it is delivered to that FAS's
service routine. The service routine validates the IP header and IP
addresses, filters against any access list, and then looks up the
destination address in the forwarding information base (FIB) to
find a route. A route gives: (a) the outgoing interface; (b) the
outgoing FAS; and, if the destination is not directly connected to
that interface, (c) the next hop router. If there is a valid route
the service routine passes the packet to the forward routine of the
outgoing FAS.
[0131] The forward routine of the outgoing FAS filters against its
access list if any, and then tries to resolve the destination IP
address or next hop to a physical address suitable for framing by
looking in the ARP (address resolution protocol) cache associated
with that interface. If the address is resolved the packet is
transmitted to that physical address. Otherwise, the packet is
deferred on an ARP entry queue and ARP tries to resolve the address
through protocol request. If resolved, the deferred packet is
dequeued and transmitted by the FAS.
[0132] A cache of packet forwarding history is kept by each FAS,
keyed by destination and source IP addresses. Address validation,
access control filtering and look-up of next hop check the cache
first, and if an entry is found there, the method is quick. If at
any stage an error occurs in forwarding, the packet is dropped and
an ICMP control message is sent back to the source.
[0133] Work group routing in accordance with the present invention
extends the previously defined forwarding procedure for unicast
packet forwarding and for limited broadcast packet forwarding. The
existing procedure is sufficient for subnet broadcast and multicast
packets.
[0134] First of all, proxy ARP is activated for all work group
interfaces. Snooping, if activated in the enterprise MIB, is a
function by which the interface will monitor ARP communication on
its physical network, in order to determine IP addresses and
physical addresses of hosts. With snooping active, the router is
able to load the work group active Host table (FIG. 6) more
quickly.
[0135] If a packet's source and destination addresses are both
within a single work group, and if FastPath is selected in the
Definition table for that work group, then header and address
validation may be skipped. This speeds up packet forwarding.
[0136] FIB lookup is extended when a work group is implemented. All
interfaces of a work group are represented in the FIB by a single
route. If this is the route chosen when a packet is looked up in
the FIB, the packet is delivered to a special work group FAS which
consults the Host table. If a valid entry exists for that
destination in the Host table, the packet is passed to the
interface FAS given by that entry.
[0137] There is a work group FAS created for each work group, which
performs relay functions. If a packet arrives at the work group FAS
for a host address unknown to the Host table, it creates a
temporary, hidden entry in the Host table. The packet is deferred
on a queue held with that Host table entry. ARP requests are
flooded out to each work group interface in the Interface table, in
order to locate the physical address of the destination host.
[0138] If ARP requests are resolved, a visible entry with the
resolved interface number and physical address is put in the Host
table, the hidden entry is removed, and the deferred packet is
dequeued and passed to the forward routine of the respective
interface FAS to be transmitted. Future packets with the same
source and destination IP addresses are handled by the FAS
forwarding history caches on the normal forwarding path.
[0139] A more detailed flow chart of the forwarding method is
illustrated in FIGS. 8a-8g and will now be described.
Reference FIG. 8a
[0140] Interface-1 and interface-2 are both configured as belonging
to a valid work group in the Definition table 30 and are
operationally active in the Interface table 40. The WG Cache 215 is
part of the Host Table 60.
[0141] Source host 201 on interface-1 wants to send an IP packet to
destination host 202 on interface-2. Both hosts belong to the same
work group subnet, but the IP packet cannot be sent directly
because host 201 does not know the physical address of host 202.
Host 201 therefore initiates an ARP Request attempting to resolve
the IP address of host 202 to a physical address. This request is
not received by host 202 because it is on a different physical
network link. It is received by router 11 however, because ARP
Requests are broadcast on a link.
[0142] ARP-FAS-1 206 receives the ARP request on interface-1 and
checks with WG cache 215 to determine the status of the
destination. Since the destination host 202 is unknown, WG FAS 214
is called to initiate a flood of ARP requests out all interfaces in
this work group.
[0143] Reference FIG. 8b
[0144] The destination host 202, receiving an ARP Request for its
physical address, responds with an ARP Reply to the request source,
i.e. the router 11. The router receives the Reply via interface-2
driver 204, stores the physical address in the ARP Cache 212, and
passes the interface number and physical address to WG Cache 215.
The WG Cache validates the information against user-configured
entries in the Range table 216 and sets the status (valid or
invalid) for the destination host accordingly. This status in the
WG Cache entry is visible through the Host table.
Reference FIG. 8c
[0145] Since ARP requests are tried multiple times according to the
standard implementation of the ARP protocol, the source host 201
sends a second ARP Request for destination 202. This time, when ARP
FAS-1 206 checks with the WG Cache 215 for the destination host, it
finds the host is valid on interface-2. ARP-FAS-1 then does a proxy
ARP Reply to source host 201 pretending to be destination host
202.
Reference FIG. 8d
[0146] Host 201 having received the ARP Reply, sends the IP packet
to the physical address of the router. Interface-1 driver 203 gives
the packet to IP FAS-1 205 which attempts to forward the packet.
First it checks IP Cache-1 209 for a next hop FAS, but the
destination is unknown in this cache so this cache checks with the
FIB 213. The FIB holds a route to the WG FAS for the work group
subnet, so this information is returned through the cache to IP
FAS-1 which forwards the packet to the WG FAS 214.
[0147] WG FAS 214 consults the WG Cache 215, finds that the
destination host 202 is valid on interface-2 and passes the packet
over to IP FAS-2 207. It also updates the IP Cache-1 209 with the
information so that future IP packets from host 201 to host 202 can
go directly to IP FAS-2. IP FAS-2 207 finally sends the packet out
through interface-2 driver 204 to host 202.
Reference FIG. 8e
[0148] Source host 201 continues to send IP packets to destination
host 202. Because of the entry in IP Cache-1 209, these packets are
directly forwarded to IP FAS-2 207.
Reference FIG. 8f
[0149] Eventually the entry in the IP Cache-1 209 ages out. Now
these packets force IP FAS-1 205 to consult the FIB 213 and forward
them instead to the WG FAS 214. The WG FAS tries to find the host
in the WG Cache 215. In the case of the WG Cache entry having aged
out, the packets are deferred in the WG Cache while the WG FAS
again floods out ARP requests on all interfaces in the workgroup.
(FIG. 8d previously described the case of the entry still being in
the WG Cache.)
Reference FIG. 8g
[0150] An ARP Reply is finally received from host 202 and the WG
Cache entry is relearned, the WG Cache 215 validates the host
status with the Range Table 216, and since the host 202 is valid on
interface 2, the WG Cache 215 forwards the deferred packets through
IP FAS-2 207.
[0151] Pseudo code of several routines for implementing this
embodiment is set forth below:
[0152] _ _ _ _ _ _
[0153] SERVICE routine of receiving interface FAS
[0154] if (Work Group FAS and FASTPATH):
[0155] skip IP header validation; else:
[0156] check version, length, check sum and time to live IP header
fields;
[0157] check for martian addresses;
[0158] do Access List Control filter check;
[0159] lookup next hop in FAS cache;
[0160] returns next IP address and next FAS
[0161] FAS cache is loaded from FIB upon cache miss; call FORWARD
routine of next FAS
[0162] this could be in Work Group FAS or an Interface FAS.
[0163] FORWARD routine of Work Group FAS
[0164] call find host to lookup in Work Group Cache of Host
Table;
[0165] if (INVALID):
[0166] consume IP packet;
[0167] if (VALID):
[0168] update FAS cache on receiving interface for next hop
Interface FAS;
[0169] call FORWARD routine of next hop Interface FAS;
[0170] if (UNKNOWN):
[0171] packet was deferred in host cache
[0172] flood ARP requests out all interfaces in this Work Group
[0173] for (each interface in this work group) call ARPPRIME.
[0174] FORWARD routine of forwarding Interface FAS
[0175] do Access List Control filter check;
[0176] call ARPRESOLVE to map IP to physical address, pass in
packet;
[0177] if (NOT DEFERRED):
[0178] send out IP packet; done.
[0179] for Work Group, proxy ARP and snooping enabled;
[0180] for non Work Group, proxy and snooping are MIB settable.
[0181] SERVICE routine of receiving interface ARP FAS
[0182] if (snooping or
[0183] packet is addressed to one of the router's IP addresses or
proxy is enabled and the PROXY TEST returns OK):
[0184] call ARPSET routine to cache source host from packet;
[0185] if (REQUEST packet addressed to Router or proxy OK):
[0186] send arp REPLY to source address in packet; done.
[0187] PROXY TEST routine of interface ARP Agent
[0188] if (not Work Group interface):
[0189] if (FIB has a route with next hop not on subnet of receiving
interface):
[0190] return proxy OK;
[0191] else: return proxy NOTOK;
[0192] if (Work Group interface):
[0193] call FIND HOST in Work Group Cache;
[0194] if (INVALID or host found on receiving interface):
[0195] return proxy NOTOK;
[0196] if (VALID on different interface) return proxy OK.
[0197] if (UNKNOWN) call ARPPRIME on every interface in this work
group and return proxy NOTOK
[0198] ARPSET routine in interface ARP Cache:
[0199] lookup entry in arp cache with packet's source IP;
[0200] cache the new physical address from source field in received
packet;
[0201] if (arp entry was WAITING):
[0202] send out deferred IP packets;
[0203] if (Work Group Interface):
[0204] call LEARN HOST, pass configuration;
[0205] will cache source host from the ARP packet; return
[0206] ARPPRIME routine in interface ARP Cache:
[0207] lookup entry in arp cache with packet's source IP;
[0208] if (not found): set as new entry;
[0209] if (not already on retry queue):
[0210] put on retry queue;
[0211] will retry ARP REQUESTs
[0212] broadcast out arp REQUEST on interface;
[0213] set arp entry status WAITING. return
[0214] ARPRESOLVE routine in interface ARP Cache:
[0215] ARP cache is loaded by ARP protocol or static management via
MIB-II Net-to-Media Table.
[0216] lookup host IP address in arp cache;
[0217] if (not found):
[0218] set as new entry with status WAITING;
[0219] if (WAITING):
[0220] defer packet on arp entry packet queue;
[0221] if (not already on retry queue):
[0222] put on retry queue;
[0223] broadcast out arp REQUEST on interface;
[0224] return DEFERRED;
[0225] if (RESOLVED):
[0226] return OK, and physical address.
[0227] FIND HOST routine of Work Group Cache:
[0228] Configuration = interface and physical address.
[0229] Host entries in cache having Range Status field with
values:
[0230] VALID--host matches configuration in Range Table or not in
Range Table but not High Security Work Group.
[0231] INVALID--host violates configuration in Range Table or not
in Range Table and High Security Work Group.
[0232] NOT SET--host configuration not yet resolved by arp or host
aged out on age queue.
[0233] lookup host entry in Work Group Cache of Host Table;
[0234] if (not found):
[0235] set new entry for host IP address in cache;
[0236] set entry's Range Status to NOT SET;
[0237] check host entry's Range Status;
[0238] if (INVALID):
[0239] tell source (via ICMP) that packet was administratively
filtered;
[0240] return INVALID;
[0241] if (VALID):
[0242] return VALID and host interface FAS;
[0243] if (NOT SET):
[0244] defer IP packet on packet queue of host entry;
[0245] return UNKNOWN.
[0246] LEARN HOST routine in Work Group Cache:
[0247] Configuration (interface and physical address) is passed in;
lookup host entry in Work Group Cache of Host Table.
[0248] if (not in cache):
[0249] create new entry;
[0250] if (packet configuration not equal to host entry
configuration):
[0251] set new configuration in entry;
[0252] call VALIDATE HOST in Range Table to get Range Status;
[0253] if (VALID): send deferred packets to source address;
[0254] if (INVALID): flush deferred packets;
[0255] set host entry status to Range Status from Range Table;
[0256] set host entry age queue status to YOUNG.
[0257] (Cache entries age with a keepalive attempt, and
[0258] age out in less than 10 minutes if not active.) return
[0259] VALIDATE HOST routine in Range Table
[0260] lookup host in Range Table;
[0261] if (host not in Range Table):
[0262] return INVALID if High Security Work Group, else return
VALID;
[0263] if (host found in Range Table):
[0264] compare range entry configuration to packet
configuration;
[0265] if (configuration matches): return VALID;
[0266] else return INVALID.
[0267] _ _ _ _ _ _
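The Work Group FAS relay of paragraphs [0136]-[0138] together with the FIND HOST and LEARN HOST routines above, as an added Python model that is not the patent's code; the Range table check is reduced to a constructed allow-set passed in as a callable, and the interfaces, addresses and packets are constructed:

```python
# Added example (not the patent's code): a model of the Work Group Cache (the
# WG Cache view of the Host table) with the FIND HOST / LEARN HOST behaviour.
# Range table check is a supplied callable; interfaces, hosts, packets are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

NOT_SET, VALID, INVALID, UNKNOWN = "NOT SET", "VALID", "INVALID", "UNKNOWN"
Validator = Callable[[str, int, str], str]   # (ip, if_index, phys_addr) -> VALID / INVALID


@dataclass
class HostEntry:
    ip: str
    if_index: Optional[int] = None
    phys_addr: Optional[str] = None
    range_status: str = NOT_SET
    deferred: List[bytes] = field(default_factory=list)   # packet queue held with the entry


class WorkGroupCache:
    def __init__(self, interfaces: List[int], validate: Validator):
        self.interfaces = interfaces          # Interface table rows of this work group
        self.validate = validate              # VALIDATE HOST against the Range table
        self.hosts: Dict[str, HostEntry] = {}
        self.forwarded: List[Tuple[int, bytes]] = []       # (if_index, packet) handed to that interface FAS
        self.filtered: List[bytes] = []                    # consumed; ICMP "administratively filtered"
        self.arp_floods: List[Tuple[str, List[int]]] = []  # ARPPRIME calls: (target ip, interfaces)

    def find_host(self, dst_ip: str, packet: bytes) -> str:
        """FIND HOST, as called from the FORWARD routine of the Work Group FAS."""
        entry = self.hosts.setdefault(dst_ip, HostEntry(dst_ip))   # hidden entry if new
        if entry.range_status == INVALID:
            self.filtered.append(packet)
            return INVALID
        if entry.range_status == VALID:
            self.forwarded.append((entry.if_index, packet))
            return VALID
        entry.deferred.append(packet)                         # NOT SET: defer and flood ARP
        self.arp_floods.append((dst_ip, list(self.interfaces)))
        return UNKNOWN

    def learn_host(self, ip: str, if_index: int, phys_addr: str) -> str:
        """LEARN HOST, called by ARPSET when an ARP reply (or snooped ARP) reveals the host."""
        entry = self.hosts.setdefault(ip, HostEntry(ip))
        changed = (if_index, phys_addr) != (entry.if_index, entry.phys_addr)
        # Assumption: an aged-out (NOT SET) entry is re-validated even if its
        # configuration is unchanged, matching the relearn step of FIG. 8g.
        if changed or entry.range_status == NOT_SET:
            entry.if_index, entry.phys_addr = if_index, phys_addr
            entry.range_status = self.validate(ip, if_index, phys_addr)
            if entry.range_status == VALID:
                self.forwarded.extend((if_index, p) for p in entry.deferred)
            entry.deferred.clear()                            # INVALID: flush deferred packets
        return entry.range_status

    def age_out(self, ip: str) -> None:
        """Keepalive failed: the host expired, so the next packet defers and re-floods ARP."""
        if ip in self.hosts:
            self.hosts[ip].range_status = NOT_SET


def allow_set_validator(allowed: set) -> Validator:
    """Constructed stand-in for the Range table: a set of permitted (ip, if_index, mac)."""
    return lambda ip, ifx, mac: VALID if (ip, ifx, mac.lower()) in allowed else INVALID


def demo() -> WorkGroupCache:
    """Walk through the sequence of FIGS. 8a-8g for a constructed two-interface work group."""
    wg = WorkGroupCache([1, 2], allow_set_validator({("10.1.1.20", 2, "00:00:1d:00:00:14")}))
    wg.find_host("10.1.1.20", b"pkt1")                   # UNKNOWN: deferred, ARP flooded
    wg.learn_host("10.1.1.20", 2, "00:00:1D:00:00:14")   # ARP reply: VALID, pkt1 released
    wg.find_host("10.1.1.20", b"pkt2")                   # VALID: straight to interface-2 FAS
    wg.age_out("10.1.1.20")
    wg.find_host("10.1.1.20", b"pkt3")                   # deferred again until relearned
    wg.learn_host("10.1.1.30", 1, "00:00:1d:00:00:1e")   # not permitted: INVALID
    wg.find_host("10.1.1.30", b"pkt4")                   # consumed, ICMP back to source
    return wg
```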
[0268] The above embodiments may be implemented in a general
purpose computer 70 as shown in FIG. 9. This general purpose
computer may include a Computer Processing Unit (CPU) 71, memory
72, a processing bus 73 by which the CPU can access the memory, and
interface 74 to the rest of the router. Alternatively, the
invention may be a memory 72, such as a floppy disk, compact disk,
or hard drive, that contains a computer program or data structure,
for providing to a general purpose computer instructions and data
for carrying out the functions of the previous embodiments.
[0269] Having thus described a particular embodiment of the
invention, various modifications will readily occur to those
skilled in the art which are intended to be within the scope of
this invention. Accordingly, the foregoing description is by way of
example only, and not intended to be limiting.
* * * * *