U.S. patent application number 09/999655 was filed with the patent office on 2001-10-30 and published on 2002-05-23 (publication number 20020062450) for methods, modems, and systems for blocking data transfers unless including predefined communications to provide access to a network.
Invention is credited to Carlson, Brian; Cooper, Gerald Meade; Kent, James Sheldon.
Application Number: 20020062450 (09/999655)
Family ID: 23189423
Publication Date: 2002-05-23
United States Patent Application 20020062450, Kind Code A1
Carlson, Brian; et al.
May 23, 2002
Methods, modems, and systems for blocking data transfers unless
including predefined communications to provide access to a
network
Abstract
The transfer of data through a modem can be blocked in the modem
during a safe mode unless the data includes predefined
communications such as a request for a network address to maintain
access to the network for the host system or a response to the
request that includes the network address. Accordingly, the safe
mode can protect a host system from unauthorized access from the
network, while allowing the network service to be maintained for
the host system. In particular, requests for renewals of leases,
such as Dynamic Host Configuration Protocol (DHCP) requests and
responses thereto, on Internet Protocol (IP) addresses used by the
host system may not be blocked by the modem during safe mode.
Furthermore, requests and responses for addresses of systems on the
network to which the DHCP requests are transmitted, such as Address
Resolution Protocol (ARP) requests and responses thereto, may also
not be blocked during safe mode. Moreover, in some embodiments
according to the present invention, the blocking is provided at the
modem so that multiple host systems can be protected by the modem.
Related methods, modems, and systems are disclosed.
Inventors: Carlson, Brian (Evington, VA); Cooper, Gerald Meade (Gretna, VA); Kent, James Sheldon (Lynchburg, VA)
Correspondence Address: MYERS BIGEL SIBLEY & SAJOVEC, PO BOX 37428, RALEIGH, NC 27627, US
Family ID: 23189423
Appl. No.: 09/999655
Filed: October 30, 2001
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
09999655 (this application) | Oct 30, 2001 | not listed
09307363 (parent, see Claim for Priority) | May 7, 1999 | not listed
Current U.S. Class: 726/26
Current CPC Class: H04L 63/10 20130101; H04L 12/2801 20130101; H04L 65/80 20130101; H04L 9/40 20220501; H04L 65/1101 20220501
Class at Publication: 713/200
International Class: H04L 009/00
Claims
What is claimed:
1. A method for providing a host system access to a network through
a modem, the method comprising: blocking transfer of data in a
modem during a safe mode of operation of the modem unless the data
transfer includes predefined communications.
2. The method of claim 1 wherein the predefined communications
comprise network access maintenance information.
3. The method of claim 1 wherein the predefined communications
comprise a request for a network address to maintain access to the
network for the host system or a response to the request that
includes the network address.
4. The method of claim 1 further comprising: allowing the transfer
of data other than the predefined communications through the modem
during a normal mode of operation of the modem.
5. The method of claim 3 wherein the request is received from the
host system and the response to the request is received from the
network.
6. The method of claim 3 wherein the blocking transfer of data in a
modem during a safe mode of operation of the modem unless the data
transfer includes predefined communications comprises: blocking
transfer of the data from the host system to the network unless it
is determined that the request comprises an Address Resolution
Protocol (ARP) request for a MAC address of a system on the network
that uniquely identifies the ARP request as originating from the
host system; and blocking transfer of the data from the network to
the host system unless it is determined that the response comprises
an ARP response that includes the MAC address requested by the ARP
request.
7. The method of claim 3 wherein the blocking transfer of data in a
modem during a safe mode of operation of the modem unless the data
transfer includes predefined communications comprises: determining
if data received at the modem from the host system comprises an
Address Resolution Protocol (ARP) request for a MAC address of a
system on the network that uniquely identifies the ARP request as
originating from the host system; associating the MAC address with
the ARP request in the modem and transmitting the ARP request
including the MAC address from the modem to the network upon
determining that the request comprises the ARP request; determining
if data received from the network at the modem comprises an ARP
response including the MAC address associated with the ARP request;
and transmitting the data received from the network to the host
system upon determining that the data received from the network
comprises the ARP response including the MAC address associated
with the ARP request.
8. The method of claim 7 further comprising: disassociating the MAC
address from the ARP request in the modem after transmitting the
data received from the network to the host system.
9. The method of claim 7 wherein the data received from the network
at the modem comprises first data and wherein the ARP response
comprises a first ARP response, the method further comprising:
blocking second data received from the network at the modem after
the first data is received upon determining that the second data
comprises a second ARP response including the MAC address
associated with the first ARP request.
10. The method of claim 7 further comprising: disassociating the
MAC address from the ARP request in the modem upon determining that
the ARP response including the MAC address associated with the ARP
request has not been received from the network within a time-out
interval.
11. The method of claim 10 wherein the ARP request comprises a
first ARP request, the method further comprising: disassociating
the MAC address from the first ARP request in the modem upon
receiving a second ARP request from the host system; and blocking
data received from the network at the modem upon determining that
the data received from the network comprises the first ARP response
including the MAC address associated with the first ARP
request.
12. The method of claim 3 wherein the blocking transfer of data in
a modem during a safe mode of operation of the modem unless the
data transfer includes predefined communications comprises:
blocking transfer of the data from the host system to the network
unless it is determined that the request comprises a Dynamic Host
Configuration Protocol (DHCP) request for an Internet Protocol (IP)
address for the host system including a Transaction Identifier
(XID) that uniquely identifies the DHCP request as originating from
the host system; and blocking transfer of the data from the network
to the host system unless it is determined that the response
comprises a DHCP response that includes the XID associated with
the DHCP request.
13. The method of claim 3 wherein the blocking transfer of data in
a modem during a safe mode of operation of the modem unless the
data transfer includes predefined communications comprises:
determining if data received at the modem from the host system
comprises a Dynamic Host Configuration Protocol (DHCP) request for
an Internet Protocol (IP) address for the host system including a
Transaction Identifier (XID) that uniquely identifies the DHCP
request as originating from the host system; associating the XID
with the DHCP request in the modem and transmitting the DHCP
request including the XID from the modem to the network upon
determining that the request comprises the DHCP request;
determining if data received from the network at the modem
comprises a DHCP response including the XID associated with the
DHCP request; and transmitting the data received from the network
to the host system upon determining that the data received from the
network comprises the DHCP response including the XID associated
with the DHCP request.
14. The method of claim 13 further comprising: disassociating the
XID from the DHCP request in the modem after transmitting the data
received from the network to the host system.
15. The method of claim 13 wherein the XID is generated by the host
system.
16. The method of claim 13 wherein the data received from the
network at the modem comprises first data and wherein the DHCP
response comprises a first DHCP response, the method further
comprising: blocking second data received from the network at the
modem after the first data is received upon determining that the
second data comprises a second DHCP response including the XID
associated with the first DHCP request.
17. The method of claim 13 further comprising: disassociating the
XID from the DHCP request in the modem upon determining that no
data received from the network comprises the DHCP response
including the XID associated with the DHCP request within a
time-out interval.
18. The method of claim 17 wherein the DHCP request comprises a
first DHCP request, the method further comprising: disassociating
the XID from the first DHCP request in the modem upon receiving a
second DHCP request from the host system; and blocking data
received from the network at the modem upon determining that the
data received from the network comprises the first DHCP response
including the XID associated with the first DHCP request.
19. The method of claim 1 further comprising: receiving input to
the modem; and ceasing blocking transfer of data in the modem in
response to the input.
20. The method of claim 19 wherein receiving input to the modem
comprises at least one of clicking on a Graphical User Interface
and pushing a safe mode button on the modem.
21. The method of claim 1 wherein the host system comprises a first
host system, the method further comprising: allowing transfer of
data associated with a second host system during a normal mode of
operation of the modem associated with the second host system.
22. The method of claim 1 further comprising: receiving input to
the modem; changing at least one of operation of a firewall
associated with the modem and the safe mode in response to the
input.
23. A modem that transfers data between a network and a host
system, the modem comprising: a processor circuit in the modem that
is configured to block the transfer of data through the modem
during a safe mode of operation of the modem unless the data
includes predefined communications.
24. The modem of claim 23 wherein the predefined communications
comprise network access maintenance information.
25. The modem of claim 23 wherein the predefined communications
comprise a request for a network address to maintain access to the
network for the host system or a response to the request that
includes the network address.
26. The modem of claim 23 wherein the processor circuit is further
configured to allow the transfer of data other than the predefined
communications through the modem during a normal mode of operation
of the modem.
27. The modem of claim 25 wherein the request is received from the
host system and the response to the request is received from the
network.
28. The modem of claim 25 wherein the processor circuit is further
configured to block transfer of the data from the host system to
the network unless it is determined that the request comprises an
Address Resolution Protocol (ARP) request for a MAC address of a
system on the network that uniquely identifies the ARP request as
originating from the host system and to block transfer of the data
from the network to the host system unless it is determined that
the response comprises an ARP response that includes the MAC
address requested by the ARP request.
29. The modem of claim 25 wherein the processor circuit is further
configured to: determine if data received at the modem from the
host system comprises an Address Resolution Protocol (ARP) request
for a MAC address of a system on the network that uniquely
identifies the ARP request as originating from the host system;
associate the MAC address with the ARP request in the modem and
transmit the ARP request including the MAC address from the modem
to the network upon determining that the request comprises the ARP
request; determine if data received from the network at the modem
comprises an ARP response including the MAC address associated with
the ARP request; and transmit the data received from the network to
the host system upon determining that the data received from the
network comprises the ARP response including the MAC address
associated with the ARP request.
30. The modem of claim 25 wherein the processor circuit is further
configured to: block transfer of the data from the host system to
the network unless it is determined that the request comprises a
Dynamic Host Configuration Protocol (DHCP) request for an Internet
Protocol (IP) address for the host system including a Transaction
Identifier (XID) that uniquely identifies the DHCP request as
originating from the host system; and block transfer of the data
from the network to the host system unless it is determined that
the response comprises a DHCP response that includes the XID
associated with the DHCP request.
31. The modem of claim 25 wherein the processor circuit is further
configured to: determine if data received at the modem from the
host system comprises a Dynamic Host Configuration Protocol (DHCP)
request for an Internet Protocol (IP) address for the host system
including a Transaction Identifier (XID) that uniquely identifies
the DHCP request as originating from the host system; associate the
XID with the DHCP request in the modem and transmit the DHCP
request including the XID from the modem to the network upon
determining that the request comprises the DHCP request; determine
if data received from the network at the modem comprises a DHCP
response including the XID associated with the DHCP request; and
transmit the data received from the network to the host system upon
determining that the data received from the network comprises the
DHCP response including the XID associated with the DHCP
request.
32. A modem that transfers data between a network and a host
system, the modem comprising: means for blocking the transfer of
data through a modem during a safe mode of operation of the modem
unless the data includes predefined communications.
33. The modem of claim 32 wherein the predefined communications
comprise network access maintenance information.
34. The modem of claim 32 wherein the predefined communications
comprise a request for a network address to maintain access to the
network for the host system or a response to the request that
includes the network address.
35. The modem of claim 34 wherein the means for blocking comprises:
means for determining if data received at the modem from the host
system comprises an Address Resolution Protocol (ARP) request for a
MAC address of a system on the network that uniquely identifies the
ARP request as originating from the host system; means for
associating the MAC address with the ARP request in the modem and
transmitting the ARP request including the MAC address from the
modem to the network upon determining that the request comprises
the ARP request; means for determining if data received from the
network at the modem comprises an ARP response including the MAC
address associated with the ARP request; and means for transmitting
the data received from the network to the host system upon
determining that the data received from the network comprises the
ARP response including the MAC address associated with the ARP
request.
36. The modem of claim 34 wherein the means for blocking comprises:
means for determining if data received at the modem from the host
system comprises a Dynamic Host Configuration Protocol (DHCP)
request for an Internet Protocol (IP) address for the host system
including a Transaction Identifier (XID) that uniquely identifies
the DHCP request as originating from the host system; means for
associating the XID with the DHCP request in the modem and
transmitting the DHCP request including the XID from the modem to
the network upon determining that the request comprises the DHCP
request; means for determining if data received from the network at
the modem comprises a DHCP response including the XID associated
with the DHCP request; and means for transmitting the data received
from the network to the host system upon determining that the data
received from the network comprises the DHCP response including the
XID associated with the DHCP request.
Description
CLAIM FOR PRIORITY
[0001] This application is a Continuation-In-Part (CIP) of, and
claims priority to, U.S. patent application Ser. No. 09/307,363,
filed May 7, 1999, entitled Cable Modems that Block Data Transfers
During Safe Mode of Operation and Related Methods, which is
commonly assigned to the assignee of the present CIP, the entire
disclosure of which is hereby incorporated herein by reference as
if set forth herein in its entirety.
FIELD OF THE INVENTION
[0002] The present invention relates to the field of communications
in general and more particularly to modems and related methods and
systems.
BACKGROUND
[0003] With the rise in popularity of the Internet, many users are
accessing the Internet through the Public Switched Telephone
Network (PSTN) over a modem connected to a telephone line in the
user's home. Unfortunately, the bandwidth provided by home
telephone lines may prove to be inadequate for some applications on
the Internet. For example, some data sets provided by the Internet
may be so large that it is difficult to transfer the data set over
the telephone line quickly enough for the application to operate
in a real-time manner. In particular, current residential telephone
modem technology may be limited to data rates on the order of 56
kilobits per second (kbit/s).
[0004] In an attempt to reduce the bandwidth problem associated
with the telephone lines described above, there have been efforts
to provide Internet service over the coaxial cables used to provide
cable TV. Accordingly, the user may access the Internet over the
cable system using a cable modem that provides data rates on the
order of 42 megabits per second (Mbit/s) or higher. Accessing the
Internet via a cable system may involve initializing the cable
modem each time the cable modem is turned on, during which the
cable modem may register with the cable system. For example, when
the user wishes to access the Internet, the user may turn on the
cable modem, which then registers with the cable system.
[0005] As the number of cable modems handled by the cable system
increases, the time needed to register each cable modem may also
increase thereby lengthening the registration time. For example, if
hundreds of cable modems are used in a cable system, the
registration time for a selected cable modem may be several
minutes. Consequently, the user may wish to avoid turning the cable
modem off in an effort to avoid the delay incurred by a lengthy
registration process. For example, if the user turns the cable
modem on just prior to accessing the Internet, the user may need to
wait for the registration process to complete before gaining access
to the Internet. Moreover, cable systems may also provide
television and telephone service to a user's home such as by
routing these services through the cable modem to the television
and telephone. Accordingly, the user may desire that the cable
modem be left on so as not to interrupt telephone or television
service.
[0006] Unfortunately, leaving the cable modem turned on may
decrease the security of the computer to which the cable modem is
attached. In particular, the computer may be more susceptible to
attack via the cable. For example, an unauthorized user may attempt
to gain access to the computer via the cable. Moreover, because the
cable provides relatively high bandwidth, relatively simple
attacks, such as trying a large number of password combinations,
may require only a short time to be successful. In view of the
above, there exists a need to improve the security of cable modems
used to access the Internet via cable systems.
[0007] Accordingly, the present invention may allow improvement in
the security of cable modems by blocking access to the cable modem
from the cable system while the cable modem is in safe mode.
Blocking data transfers may allow the subscriber to leave the host
system connected to the cable modem, thereby possibly avoiding the
delay associated with the registration process while reducing the
security threats posed by maintaining a physical connection to the
cable modem.
SUMMARY OF THE INVENTION
[0008] Embodiments according to the present invention provide
methods, modems, and systems for blocking the transfer of data in a
modem during a safe mode unless the data transfer includes
predefined communications. In some embodiments, the predefined
communications can be network access maintenance information such
as a request for a network address to maintain access to the
network for the host system or a response to the request that
includes a network address. Accordingly, the safe mode can protect
a host system from unauthorized access from the network, while
allowing the network service to be maintained for the host system
during the safe mode of operation.
[0009] In particular, requests for renewals of leases, such as
Dynamic Host Configuration Protocol (DHCP) requests and responses
thereto, on Internet Protocol (IP) addresses used by the host
system may not be blocked by the modem during safe mode.
Furthermore, requests and responses for addresses of systems on the
network to which the DHCP requests are transmitted, such as Address
Resolution Protocol (ARP) requests and responses thereto, may also
not be blocked during safe mode. Moreover, in some embodiments
according to the present invention, the blocking is provided at the
modem so that multiple host systems can be protected by the
modem.
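What claims 6 through 21 recite, and paragraphs [0008] and [0009] summarize, is in effect a small stateful filter keyed on the two address-maintenance exchanges a host cannot do without: it remembers the ARP or DHCP request a safe-mode host sent, lets exactly one matching reply back in, and forgets the request after that reply, after a time-out, or when the host sends a newer request. The example below is added here and is not code from the application or its assignee. It assumes hosts are Ethernet-attached and identified by MAC address; that the modem keeps at most one outstanding request per host; that the ARP exchange is matched on the IP address being resolved (the request's target address, which the reply carries as its sender address), since the MAC address the claims speak of is not known until the reply arrives; and a five-second time-out with an injectable clock. The names (SafeModeFilter, allow_from_host, allow_to_host, parse, the frame builders) are the example's own, and every frame the demo builds is constructed, not captured.

```python
import struct
import time
from typing import Dict, Optional, Tuple

ETH_ARP, ETH_IPV4, UDP = 0x0806, 0x0800, 17
BROADCAST = b"\xff" * 6
REQUESTS = {"arp": 1, "dhcp": 1}   # ARP request / BOOTP request: the only things a safe-mode host may send
REPLIES = {"arp": 2, "dhcp": 2}    # ARP reply / BOOTP reply: the only things that may come back

def parse(frame: bytes) -> Optional[dict]:
    """Decode only what the filter needs; 'key' is what a reply must echo (ARP target/sender IP, DHCP XID)."""
    if len(frame) < 14:
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    body, info = frame[14:], {"dst": dst, "src": src, "kind": "other"}
    if etype == ETH_ARP and len(body) >= 28:
        op, _, spa, _, tpa = struct.unpack("!6xH6s4s6s4s", body[:28])   # skip htype/ptype/hlen/plen
        info.update(kind="arp", op=op, key=tpa if op == REQUESTS["arp"] else spa)
    elif etype == ETH_IPV4 and len(body) >= 20 and body[9] == UDP:
        ihl = (body[0] & 0x0F) * 4
        if len(body) >= ihl + 16 and set(struct.unpack("!HH", body[ihl:ihl + 4])) == {67, 68}:
            op, xid = struct.unpack("!B3xI", body[ihl + 8:ihl + 16])    # BOOTP op, (htype, hlen, hops), xid
            info.update(kind="dhcp", op=op, key=xid)
    return info

class SafeModeFilter:
    def __init__(self, timeout: float = 5.0, clock=time.monotonic):
        self.timeout, self.clock = timeout, clock
        self.safe_hosts: set = set()                         # host MACs currently in safe mode
        self.pending: Dict[bytes, Tuple[tuple, float]] = {}  # host MAC -> ((kind, key), deadline)

    def set_safe_mode(self, host: bytes, enabled: bool) -> None:
        (self.safe_hosts.add if enabled else self.safe_hosts.discard)(host)
        if not enabled:
            self.pending.pop(host, None)

    def allow_from_host(self, frame: bytes) -> bool:
        """Host -> network: only ARP/DHCP requests leave a safe-mode host; a newer request replaces the older one."""
        f = parse(frame)
        if f is None:
            return False
        if f["src"] not in self.safe_hosts:
            return True                                      # normal mode: everything passes
        if f["kind"] not in REQUESTS or f["op"] != REQUESTS[f["kind"]]:
            return False
        self.pending[f["src"]] = ((f["kind"], f["key"]), self.clock() + self.timeout)
        return True

    def allow_to_host(self, frame: bytes, host: bytes) -> bool:
        """Network -> one host; called once per attached host, so a broadcast reply is checked per host."""
        f = parse(frame)
        if f is None:
            return False
        if host not in self.safe_hosts:
            return True
        entry = self.pending.get(host)
        if f["dst"] not in (host, BROADCAST) or entry is None:
            return False
        if entry[1] <= self.clock():
            del self.pending[host]                           # time-out: a late reply is dropped
            return False
        matched = f["kind"] in REPLIES and f["op"] == REPLIES[f["kind"]] and entry[0] == (f["kind"], f["key"])
        if matched:
            del self.pending[host]                           # exactly one reply; a duplicate is dropped
        return matched

def eth(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, etype) + payload

def arp_frame(op: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    pkt = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, op, sha, spa, tha, tpa)
    return eth(BROADCAST if op == REQUESTS["arp"] else tha, sha, ETH_ARP, pkt)

def dhcp_frame(op: int, xid: int, src_mac: bytes, dst_mac: bytes, src_ip: bytes, dst_ip: bytes) -> bytes:
    bootp = struct.pack("!BBBBI", op, 1, 6, 0, xid) + bytes(232)      # remaining BOOTP fields zeroed
    sport, dport = (68, 67) if op == REQUESTS["dhcp"] else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP, 0, src_ip, dst_ip)
    return eth(dst_mac, src_mac, ETH_IPV4, ip + udp)

def demo() -> Dict[str, bool]:
    """One safe-mode host, constructed frames: a DHCP renewal, then ARP with a wrong-sender, a good and a late reply."""
    host, gw, host_ip, gw_ip = bytes.fromhex("0200000000a1"), bytes.fromhex("020000000001"), bytes([10, 0, 0, 23]), bytes([10, 0, 0, 1])
    now = [100.0]
    flt = SafeModeFilter(timeout=5.0, clock=lambda: now[0])
    flt.set_safe_mode(host, True)
    r = {"ip_out": flt.allow_from_host(eth(gw, host, ETH_IPV4, bytes(40)))}   # ordinary IP: blocked
    r["dhcp_req"] = flt.allow_from_host(dhcp_frame(1, 0x3903F326, host, BROADCAST, bytes(4), b"\xff" * 4))
    ack = dhcp_frame(2, 0x3903F326, gw, host, gw_ip, host_ip)
    r["dhcp_ack"] = flt.allow_to_host(ack, host)
    r["dhcp_dup"] = flt.allow_to_host(ack, host)
    r["arp_req"] = flt.allow_from_host(arp_frame(1, host, host_ip, bytes(6), gw_ip))
    r["arp_wrong_sender"] = flt.allow_to_host(arp_frame(2, gw, bytes([10, 0, 0, 99]), host, host_ip), host)
    r["arp_ok"] = flt.allow_to_host(arp_frame(2, gw, gw_ip, host, host_ip), host)
    flt.allow_from_host(arp_frame(1, host, host_ip, bytes(6), gw_ip))
    now[0] += 6.0                                                            # past the 5 s time-out
    r["arp_late"] = flt.allow_to_host(arp_frame(2, gw, gw_ip, host, host_ip), host)
    return r
```

Running each inbound frame through allow_to_host once per attached host is what lets the per-host safe mode of claim 21 coexist with broadcast DHCP replies, and frames for the modem itself never go through a host check at all, which is the behaviour the description gives for ranging commands. The matching proves only that a reply corresponds to a request the host actually sent; it does not authenticate the responder, so a system on the same segment that sees the request can still answer it inside the window. What the filter buys is that this one in-flight exchange is the only inbound traffic a safe-mode host can receive.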
BRIEF DESCRIPTION OF THE DRAWINGS
[0010] FIG. 1 is a block diagram of an embodiment of a cable system
according to the present invention.
[0011] FIG. 2 is a block diagram of an embodiment of the cable
modem 100 of FIG. 1.
[0012] FIG. 3 is a flowchart that illustrates operations of a cable
modem according to the present invention.
[0013] FIG. 4 is a block diagram that illustrates embodiments of
cable modems according to the present invention through which host
systems can communicate with the Internet.
[0014] FIG. 5 is a block diagram that illustrates embodiments of
cable modems according to the present invention through which host
systems can communicate with the Internet.
[0015] FIG. 6 is a block diagram that illustrates embodiments of
cable modems according to the present invention through which host
systems can communicate with the Internet.
[0016] FIG. 7 is a block diagram that illustrates embodiments of
cable modems according to the present invention through which host
systems can communicate with the Internet.
[0017] FIGS. 8A and 8B are flowcharts that illustrate embodiments
of methods, cable modems, and systems according to the present
invention through which host systems can communicate with the
Internet.
[0018] FIG. 9 is a flowchart that illustrates cable modems and
methods according to embodiments of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
[0019] The present invention now will be described more fully
hereinafter with reference to the accompanying drawings, in which
preferred embodiments of the invention are shown. This invention
may, however, be embodied in many different forms and should not be
construed as limited to the embodiments set forth herein; rather,
these embodiments are provided so that this disclosure will be
thorough and complete, and will fully convey the scope of the
invention to those skilled in the art. Like numbers refer to like
elements throughout.
[0020] As will be appreciated by one of skill in the art, the
present invention may be embodied as methods, devices, or systems.
Accordingly, the present invention may take the form of an entirely
hardware embodiment, an entirely software embodiment or an
embodiment combining software and hardware aspects all of which may
be generally referred to herein as a "circuit."
[0021] The present invention is also described using flowchart
illustrations. It will be understood that each block of the
flowchart illustrations, and combinations of blocks in the
flowchart illustrations, can be implemented by computer program
instructions. These program instructions may be provided to a
processor, such that the instructions which execute on the
processor create means for implementing the functions specified in
the flowchart block or blocks. The computer program instructions
may be executed by the processor to cause a series of operational
steps to be performed by the processor to produce a computer
implemented process such that the instructions which execute on the
processor provide steps for implementing the functions specified in
the flowchart block or blocks.
[0022] Accordingly, blocks of the flowchart illustrations support
combinations of means for performing the specified functions,
combinations of steps for performing the specified functions and
program instruction means for performing the specified functions.
It will also be understood that each block of the flowchart
illustrations, and combinations of blocks in the flowchart
illustration, can be implemented by special purpose hardware-based
systems which perform the specified functions or steps, or
combinations of special purpose hardware and computer instructions.
In some embodiments according to the present invention, the
functions disclosed in the blocks may occur out of the order
illustrated in the figures. For example, two blocks shown in
succession may, in fact, be executed substantially concurrently, or
the blocks may sometimes be executed in the reverse order,
depending upon the functionality involved.
[0023] It will be understood that the term "coupled" as used herein
to describe arrangements of devices includes arrangements wherein
intervening devices are present between the coupled devices. For
example, where a first device is described as coupled to a second
device, the description will be understood to include other devices
located between and coupled to the first and second devices.
[0024] FIG. 1 is a block diagram of an embodiment of a cable system
according to the present invention. The cable system includes a
Cable Modem Termination System or Cable Modem Terminal Server
(CMTS) 140 and a plurality of cable modems 100. The CMTS 140 can
provide services, such as television service, telephone service,
and internet service, to subscribers of the cable system via cable
modems 100 by transferring data over a cable 110, such as a coaxial
cable. For example, a subscriber may access the Internet through
the respective cable modem 100 from a host 125 such as a Personal
Computer (PC).
[0025] The CMTS 140 manages the services provided to the respective
subscribers in the cable system. For example, a first subscriber
may receive television, telephone, and Internet services while a
second subscriber may receive only Internet service. Moreover,
different subscribers may receive a different quality of service.
For example, a first subscriber may receive Internet service at
relatively low bandwidth while a second subscriber may receive
Internet service at relatively high bandwidth. Accordingly, the
CMTS 140 transmits and receives data to and from the respective
cable modems 100a-f at the rates associated with the respective
subscribers. The CMTS 140 can also adjust parameters of the cable
modems 100a-f used to transfer data such as phase timing,
frequencies and power levels associated with the transfer of data
between the respective cable modems 100a-f and the CMTS 140. For
example, the CMTS 140 can monitor the timing and power levels of
the data transferred from the respective cable modems 100a-f and
instruct each cable modem 100a-f to adjust the timing and power
level of the data transfer performed by the cable modems
100a-f.
[0026] In one embodiment, the Internet service provided by the CMTS
140 includes data transferred between the CMTS 140 and the cable
modem 100a via the cable 110 at respective frequencies. For
example, the subscriber may request information from the Internet,
wherein data is transferred from the host 125 through the cable
modem 100a to the CMTS 140 over the cable 110 at a first frequency.
The CMTS 140 responds to the request for information by
transferring the requested data from the CMTS 140 to the host 125
through the cable modem 100a over the cable 110 at a second
frequency. In another embodiment, the request is transmitted via a
telephone line which is not part of the cable system.
[0027] It will be understood by those of skill in the art, that the
data transfers between the CMTS 140 and the cable modem 100a may be
performed according to standards known in the art. For example,
data transfers between the CMTS 140 and the cable modem 100a may be
performed using a Time Division Multiple Access (TDMA) technique
wherein data is transmitted and received over the cable 110 in
predefined time-slots. Standards for the transfer of data in cable
systems are discussed in the Data Over Cable Service Interface
Specification (DOCSIS).
[0028] When the cable modem 100a is turned on, the cable modem 100a
performs an initialization sequence wherein the cable modem 100a
registers with the cable system. In particular, the cable modem
100a transfers an identifier to the CMTS 140 that identifies the
cable modem 100a within the cable system. Accordingly, the CMTS 140
can communicate with the selected cable modem 100a using the cable
modem's respective identifier.
[0029] During registration, the CMTS 140 performs ranging of each
of the cable modems 100a-f registered to adjust for the propagation
delay of the data transferred, to adjust the proper power level of
the data transfer, and to determine the quality of service provided
to the subscriber. If telephone service is provided to the
subscriber via the cable system, the registration process can also
include the determination of parameters for the telephone
service.
[0030] After registration, the CMTS 140 provides services to the
subscriber via the respective cable modem 100a. In operation,
services are provided by data transfers between the CMTS 140 and
the cable modem 100a. In particular, data is transferred from the
CMTS 140 to a selected cable modem 100a using the identifier that
identifies the selected cable modem 100a in the cable system. In
operation, the data transfer to the selected cable modem 100a,
includes the identifier which matches the identifier of the
selected cable modem 100a. For example, if the selected cable modem
100a has an associated identifier of 800, a data transfer including
an identifier of 800 will be accepted by the selected cable modem
100a. A data transfer can include information and/or a command
directed to the selected cable modem 100a.
[0031] FIG. 2 is a block diagram of an embodiment of the cable
modem 100 of FIG. 1. Data is transferred between the CMTS 140 and
the cable modem 100 by a Media Access Controller (MAC) 105 coupled
to the cable 110. The MAC 105 accepts data transfers from the CMTS
140 if the identifier included in the data transfer matches the
identifier of the cable modem 100. The data transfer can include
information intended for a first host 125, a second host 120, a
telephone 107, the cable modem 100, or other device accessed via
the cable modem 100. For example, the data transfer may include
information intended for the first host 125 in response to a
request made by the first host 125, or a ranging command for the
cable modem 100 to transfer timed information to the CMTS 140. The
functions provided by the MAC 105 may be provided by software
running on processor 115 or by hardware and/or software separate
from the processor. While the processor, media access controller,
host interface controller, and telephone interface controller of
FIG. 2 are illustrated as separate blocks, it will be understood
that one or more of these portions of the modem, or sub-portions
thereof, can be implemented using combined hardware and/or
software.
[0032] The data transfer may include an address specifying which
device coupled to the cable modem 100 is the destination of the
data transfer. For example, if the data transfer is intended for
the second host 120, the address included in the data transfer
identifies the second host 120 as the destination. Although not
shown, the MAC 105 may be coupled to a Radio Frequency (RF) tuner
that modulates and demodulates the data included in the data
transfers. For example, data transfers to the CMTS 140 may be
modulated and transferred over a first channel on the cable 110.
The RF tuner demodulates the data transferred from the CMTS 140
over a second channel on the cable 110.
[0033] A processor 115 coordinates operations of the cable modem
100 within the cable system to provide the selected services to the
subscriber. According to the present invention, data transfers to
addressed hosts are blocked by the processor 115 during a safe mode
of operation and not blocked by the processor 115 during normal
mode operation. Moreover, blocking can be performed on a per-host
basis. For example, in one embodiment, data transfers addressed to
the first host 125 are blocked while data transfers addressed to
the second host 120 are received and provided to the second host
120. Moreover, data transfers including commands for the cable
modem 100 or addressed to devices other than the hosts are
unaffected by the safe mode of operation. For example, a ranging
command issued to the cable modem 100 during the safe mode of
operation is accepted and responded to by the MAC 105.
[0034] In one embodiment, the safe or normal mode of operation is
selected using software that maintains a safe mode flag that is set
to either a safe mode state or a normal mode state to indicate the
selected mode of operation. For example, the flag can be set to the
safe mode state to indicate the safe mode of operation and set to
the normal mode state to indicate the normal mode of operation. In
one embodiment, the mode of operation is selected by pressing a
safe mode button 108 on the housing of the cable modem 100a. The
safe mode button 108 can be a momentary switch that causes the
processor 115 to toggle the mode of operation.
[0035] In another embodiment, the mode of operation is selected via
a command issued by the host. For example, the subscriber may cause
a command to be issued to the cable modem 100 whereupon the cable
modem 100a changes the mode of operation. In still another
embodiment, the mode of operation is selected based on a level of
activity at the host. For example, the safe mode of operation can
be selected after a period of inactivity at the first host 125 is
observed over a predetermined time interval. The cable modem 100a
can resume the normal mode of
operation upon the resumption of activity at the first host 125.
Accordingly, the mode of operation can be selected based on the
subscriber's use of the host coupled to the cable modem 100a.
Moreover, the cable modem 100a need not be located near the
subscriber for the mode of operation to be selected. For example,
the cable modem 100 may be located in the basement of the
subscriber's home while the host is located in the subscriber's
home office.
[0036] A Host Interface Controller (HIC) 135 provides the data
received by the processor 115 to the addressed host and provides
data from the host to the processor 115 for transfer to the CMTS
140. The HIC 135 can be a controller suitable for interfacing to at
least one host, such as an Ethernet controller, Universal Serial
Bus (USB) or other type of interface known to those of skill in the
art.
[0037] A telephone interface 116 provides telephone data from a
telephone 107, such as Data Telephone Equipment (DTE), to the
processor 115 and provides data transferred from the CMTS 140 to
the telephone 107. As described above, data transfers to the
telephone 107 from the CMTS 140 are unaffected by safe mode of
operation.
[0038] FIG. 3 is a flowchart illustrating operations of a cable
modem 100 according to the present invention. According to FIG. 3,
the cable modem 100 performs initialization upon being turned on or
reset (block 300). The processor 115 reads the stored value of the
safe mode flag to determine which mode of operation is selected
(block 305) and resets a host inactivity timer that indicates the
elapsed time since host activity was last detected.
[0039] If the safe mode flag indicates that safe mode of operation
is selected (block 310) for host 125, the processor determines if
data transfers from the CMTS 140 to host 125 are currently enabled
(block 320). If data transfers are not enabled (block 320) to the
host 125, the processor 115 waits for host activity to be detected
(block 340) at host 125. Otherwise, if data transfers are currently
enabled (block 320) to host 125, the processor 115 disables data
transfers (block 335) and then waits for host activity at host 125
to be detected (block 340).
[0040] The cable modem 100 continues to operate in the safe mode of
operation until host activity is detected at host 125 whereupon the
safe mode flag is cleared and the host inactivity timer is reset
(block 345), or until a safe mode button is pushed (block 350)
thereby changing the safe mode of operation to the normal mode of
operation (block 360) and resetting the host inactivity timer.
[0041] When the normal mode of operation is enabled (block 310),
due to the commencement of activity at the host 125 (block 345) or
by pressing the safe mode button (block 360), the processor
determines if data transfers from the CMTS 140 are currently
disabled (block 315). If data transfers are disabled (block 315),
the processor 115 enables data transfers and waits for the host
inactivity timer to expire (block 330). Otherwise the processor 115
waits for the host inactivity timer to expire (block 330).
[0042] The cable modem 100 continues to operate in the normal mode
of operation until the host inactivity timer expires (block 330)
whereupon the safe mode flag is set, or until the safe mode button
is pushed (block 350) thereby changing the normal mode of operation
to safe mode of operation (block 360).
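The FIG. 3 flowchart above as a small state machine for one protected host, written as an added example that is not part of the patent; the timeout value, the clock argument now, the log list and the method names are assumptions:

```python
# Added example, not the patent's code: a model of the FIG. 3 flowchart
# (blocks 300-360) for one protected host. The timeout value, the clock
# argument `now`, the log and the method names are assumptions.
from dataclasses import dataclass, field

SAFE, NORMAL = "safe", "normal"


@dataclass
class SafeModeController:
    inactivity_timeout: float        # host inactivity that selects safe mode
    mode: str = SAFE                 # the stored safe mode flag
    transfers_enabled: bool = True   # state of the CMTS -> host data path
    last_activity: float = 0.0       # reference point of the inactivity timer
    log: list = field(default_factory=list)

    def initialize(self, now):
        """Power-on or reset (block 300): read the flag, reset the timer
        (block 305) and bring the data path in line with the flag."""
        self.last_activity = now
        self._apply_mode(now)

    def _apply_mode(self, now):
        """Blocks 310-335: disable transfers in safe mode, enable them in
        normal mode; nothing changes if the path already matches the flag."""
        if self.mode == SAFE and self.transfers_enabled:
            self.transfers_enabled = False
            self.log.append((now, "transfers disabled"))
        elif self.mode == NORMAL and not self.transfers_enabled:
            self.transfers_enabled = True
            self.log.append((now, "transfers enabled"))

    def host_activity(self, now):
        """Activity detected at the host (blocks 340/345): clear the safe
        mode flag and reset the inactivity timer."""
        self.last_activity = now
        self.mode = NORMAL
        self._apply_mode(now)

    def button_pressed(self, now):
        """Momentary safe mode button 108 (blocks 350/360): toggle the mode
        and reset the inactivity timer."""
        self.mode = NORMAL if self.mode == SAFE else SAFE
        self.last_activity = now
        self._apply_mode(now)

    def tick(self, now):
        """Periodic check: in normal mode, timer expiry (block 330) sets the
        safe mode flag and disables the host's data path."""
        if self.mode == NORMAL and now - self.last_activity >= self.inactivity_timeout:
            self.mode = SAFE
            self._apply_mode(now)

    def deliver(self, addressed_to_host):
        """True if a CMTS data transfer is passed on. Transfers for other
        devices (telephone 107, modem commands) are unaffected by safe mode."""
        return self.transfers_enabled or not addressed_to_host
```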
[0043] Pursuant to further embodiments according to the present
invention, the transfer of data through the modem can be blocked
during safe mode unless the data transfer includes a request for a
network address to maintain access to the network for the host
system or a response to the request that includes the network
address. Accordingly, the safe mode can protect a host system from
unauthorized access from the network, while allowing the network
service to be maintained for the host system during the safe mode
of operation.
[0044] In particular embodiments according to the present
invention, requests for renewals of leases, such as Dynamic Host
Configuration Protocol (DHCP) requests and responses thereto, of
Internet Protocol (IP) addresses used by the host system are not
blocked by the modem during safe mode. Furthermore, requests and
responses for addresses of systems on the network to which the DHCP
requests are transmitted, such as Address Resolution Protocol (ARP)
requests and responses thereto, may also not be blocked during safe
mode. Moreover, in some embodiments according to the present
invention, the blocking is provided at the modem so that multiple
host systems can be protected by the modem.
[0045] In contrast, blocking all data transfers through the modem
may prevent the host system from renewing a lease on an Internet
Protocol (IP) address. Failure to renew the lease may cause an
interruption in Internet service to the host system until the host
system can reacquire a new IP address so that Internet service can
be restored.
[0046] Although embodiments according to the present invention are
disclosed herein with reference to cable modems, it will be
understood that the invention can be embodied in any device which
provides a connection between a network and a host system.
Furthermore, although embodiments according to the present
invention are disclosed herein with reference to the Internet, it
will be understood that the present invention may be practiced with
any type of network that provides "always on" connections using
network addresses which are renewed over time.
[0047] As used herein the term "network address" can include
logical addresses of systems on a network, such as Internet
Protocol (IP) addresses that make up an Internet address. An IP
address (also called an IP number) can be a number which uniquely
identifies a computer system (or host system) that uses the
Internet. The IP address is used, for example, by servers on the
Internet to direct data to the host system associated with the IP
address.
[0048] The term "network address" can also include a physical
address on a network, such as a MAC address of a host system
connected to a Local Area Network (LAN), or the like. The MAC
address (also called an Ethernet address or an IEEE MAC address) is
a number (typically written as twelve hexadecimal digits, 0 through
9 and A through F, or as six hexadecimal numbers separated by
periods or colons, e.g. 0080002012EF, 0:80:0:2:20:EF) which can
uniquely identify a host system that connects to the network via an
Ethernet interface or a network interface, such as a Universal
Serial Bus (USB) that can emulate an Ethernet interface.
[0049] FIG. 4 is a block diagram that illustrates embodiments of
cable modems according to the present invention through which host
systems can communicate with the Internet. As illustrated in FIG.
4, first and second host systems 420, 425 transmit predefined
communications to a modem 400 which may be transferred to the
Internet 440. The modem 400 can also receive predefined
communications from the Internet 440 which may be transferred to
the host systems 420, 425. In some embodiments according to the
present invention, the predefined communications are network access
maintenance information that is used to maintain access to the
Internet 440 for the host systems 420, 425. In some embodiments
according to the present invention, the modem 400 is a cable
modem.
[0050] The modem 400 can operate in a normal mode wherein all data
received at the cable modem 400 is transferred through the modem
400 to the Internet 440 or the first and second host systems 420,
425, including the predefined communications. The modem 400 can
also operate in safe mode wherein data transfers through the modem
400 are blocked unless the data transfer includes the predefined
communications. Blocking can be performed on a per host basis. For
example, in some embodiments according to the present invention,
data transfers addressed to the first host 420 are blocked while
data transfers addressed to the second host 425 are allowed.
[0051] As discussed above, the safe mode can be enabled by setting
a flag in software. For example, in some embodiments according to
the present invention, the safe mode of operation is selected by
"clicking" or otherwise providing input to a Graphical User
Interface (GUI) that is interfaced to the modem 400, such as a web
page. For example, the subscriber may click on a button on a web
page to issue a command to the modem 400 whereupon the modem 400
changes its mode of operation.
[0052] The first host system 420 can transmit a request 445 for a
network address to the modem 400 that is needed to maintain its
connection to the Internet 440. The modem 400 determines that the
request 445 includes the request for a network address and does not
block the data transfer of request 445 to the Internet 440.
Subsequently, if the modem 400 receives a response 450 to the
request 445 from the Internet 440, the modem 400 will not block the
transfer of the response 450 to the first host system 420.
[0053] Still referring to FIG. 4, the second host system 425 can
also transmit a request 455 for a network address to the modem 400
that is needed to maintain its connection to the Internet 440. The
modem 400 determines that the request 455 includes the request for
a network address and does not block the data transfer of request
455 to the Internet 440. Subsequently, if the modem 400 receives a
response 460 to the request 455 from the Internet 440, the modem
400 will not block the transfer of the response 460 to the second
host system 425.
[0054] In contrast, the modem 400 can block the transfer of a data
transmission 465 from the second host system 425 to the Internet
upon determining that the data transmission 465 does not include a
request for a network address to maintain its connection to the
Internet 440. The modem 400 can also block a data transmission 470
from the Internet 440 upon determining that the data transmission
470 does not include a response to a request for a network address
to maintain a connection to the Internet 440 associated with the
first or second host systems 420, 425.
[0055] In some embodiments according to the present invention, the
network access maintenance information can be requests for a
network address to maintain access to the Internet 440 for the host
system 420, 425 or a response to the request that includes the
network address. The requests and responses can be ARP requests and
ARP responses thereto. The ARP requests can be generated by the
host systems to determine a physical address of another system with
which the host systems communicate. When a host system needs to
send data to another device on the Internet using TCP/IP, the host
system can check to see if it has the hardware address (or MAC
address) associated with the destination IP address. If the
destination system's hardware address is not known to the host
system, then the host system can request the MAC address of the
destination using an ARP request.
[0056] The ARP request can include the IP address of the system for
which the MAC address is sought. The system that is using the IP
address included in the ARP request can respond by transmitting an
ARP response to the host system. The ARP response can include the
MAC address of the host system to which the ARP response is
directed. In some embodiments according to the present invention,
the ARP response can be unicast over the Internet to the host
system.
[0057] For example, the first host system 420 may need to have the
MAC address of a CMTS included in the cable system which provides
access to the Internet 440. Accordingly, the request 445 can be an
ARP request transmitted to the modem 400 by the first host system
420 whereupon the modem 400 can transfer the ARP request to the
CMTS according to the present invention.
[0058] The CMTS can transmit an ARP response, such as the ARP
response 450, to the modem 400 that includes the MAC address of the
CMTS. The modem 400 transfers the ARP response 450 to the first
host system 420 upon determining that the ARP request 445 sent by
the first host system 420 is still pending.
[0059] The requests and responses can also be DHCP requests and
DHCP responses thereto. DHCP is based on a client-server paradigm,
in which a DHCP client, such as the first and second host systems
420, 425 of FIG. 4, can contact a DHCP server for configuration
parameters.
[0060] One configuration parameter that can be provided by DHCP is
an IP address. In general, a host system is initially assigned a
specific IP address that is appropriate to the network on which the
host system is located. If the host system moves to a new network,
it can be assigned a new IP address for that new network. DHCP can
include other configuration parameters such as a subnet mask, a
default router, a Domain Name System (DNS) server, and the
like.
[0061] DHCP can provide IP addresses to the host systems on a
"leased" basis. A DHCP lease is the amount of time for which the
DHCP server grants the host system (or DHCP client) permission to
use the IP address before the IP address expires. A DHCP lease can
typically provide an IP address to a host system for several hours
or longer. The host system having the leased IP address can request
a renewal of the lease on the IP address to extend its use of the
IP address. In some embodiments, the host system may begin
requesting a renewal of the lease about half way through the lease
period. Accordingly, an IP address currently leased to the host
system will expire after the lease period expires unless the lease
associated with the IP address is renewed by the DHCP client or at
the DHCP server. Otherwise, the host system may lose access to the
Internet 440.
[0062] For example, the request 445 in FIG. 4 can be a DHCP request
generated by the first host system 420 for renewal of a lease on
its current IP address. The modem 400 determines that the request
445 includes the DHCP request and transfers the data to the
Internet 440. The DHCP request 445 is transmitted on the Internet
440 to a DHCP server that has control over the IP address currently
being used by the first host system 420. The DHCP server can
transmit a DHCP response, such as response 450, that renews the
lease of the IP address. The modem 400 transfers the data
transmitted by the DHCP server to the first host system 420 upon
determining that the data includes the DHCP response to the
currently pending DHCP request. Although a single response 450 to
the request 445 is described above, in some embodiments according
to the present invention, multiple DHCP servers may respond by
issuing respective responses 450 to the request 445, whereupon the
first host system 420 can accept one of the responses 450.
[0063] FIG. 5 is a block diagram that illustrates embodiments of
cable modems 500 according to the present invention through which a
host system 520 can communicate with the Internet 540 using ARP
requests and ARP responses using the MAC address of the host system
520. According to FIG. 5, the host system 520 can transmit an ARP
request 545 that includes the MAC address of the host system 520.
The cable modem 500 determines that the data received from the host
system 520 includes an ARP request and records that the ARP request
545 is pending. The cable modem 500 associates the MAC address with
the pending ARP request 545 recorded in the cable modem 500 and
transfers the ARP request 545 to the Internet 540. For example, the
cable modem 500 can maintain a table that indicates which ARP
requests are currently pending and what MAC address is associated
with each pending ARP request. In some embodiments according to
the present invention, a learn table included in the cable modem
500 can be extended to include the MAC addresses associated with
the ARP requests.
[0064] Upon receiving data from the Internet 540, the cable modem
500 determines whether the data includes an ARP response. If the
cable modem 500 determines that the data includes an ARP response,
the cable modem 500 determines if a MAC address included with the
ARP response matches the MAC address associated with the ARP
request 545 that is pending in the cable modem 500. For example,
the cable modem 500 can check the table used to record which ARP
requests are pending and the MAC addresses associated with each. If
the ARP response includes a MAC address which matches the MAC
address associated with any of the pending ARP requests, the cable
modem 500 can transfer the ARP response to the host system having
the MAC address associated with the ARP request.
[0065] It will be understood that ARP requests made by other host
systems and responses thereto can also be processed by the cable
modem 500. For example, a second host system can transmit ARP
requests including a second MAC address to the cable modem 500. The
cable modem 500 can associate the ARP requests from the second host
system with a second MAC address in the same table used to
associate the ARP request 545 with the MAC address of the host
system 520.
[0066] After transferring the data, the cable modem 500 can
disassociate the MAC address from the pending ARP request so that
any subsequent data received from the Internet can be blocked by
the cable modem 500 even if the data appears to be an ARP response
that includes the MAC address that was associated with the previous
ARP request. For example, if ARP response 570 is received by the
cable modem 500 after receiving ARP response 550 and is determined
to include the same MAC address that was included with ARP response
550, ARP response 570 will be blocked by the cable modem 500.
[0067] In some embodiments according to the present invention, the
MAC address can be disassociated from the pending ARP request by
deleting the ARP request from the table or by deleting the MAC
address from the table, or otherwise indicating that a
corresponding response for the pending ARP request has already been
received and transferred by the cable modem 500.
[0068] FIG. 6 is a block diagram that illustrates embodiments of
cable modems 600 according to the present invention through which a
host system 620 can communicate with a DHCP server 640 using DHCP
requests and DHCP responses including Transaction Identifiers (XID)
generated by the host system 620 that uniquely identify the DHCP
requests and responses. According to FIG. 6, the host system 620
can transmit a DHCP request 645 that includes an XID generated by
the host system 620. The cable modem 600 determines that the data
received from the host system 620 includes a DHCP request and
records that the DHCP request 645 is currently pending. The cable
modem 600 associates the XID with the pending DHCP request 645
recorded in the cable modem 600 and transfers the DHCP request 645
to the DHCP server 640. For example, the cable modem 600 can
maintain a table that indicates which DHCP requests are currently
pending and what XID is associated with each of the pending DHCP
requests. In some embodiments according to the present invention,
the learn table included in the cable modem 600 can be extended to
include the XID associated with the DHCP requests.
[0069] Upon receiving data from the DHCP server 640, the cable
modem 600 determines whether the data includes a DHCP response. If
the cable modem 600 determines that the data includes a DHCP
response, the cable modem 600 determines if an XID included with
the DHCP response corresponds to the XID associated with any of the
DHCP requests that are currently pending in the cable modem 600. For
example, the cable modem 600 can compare the XID included with the
DHCP response 650 with the XID associated with DHCP request 645. If
the DHCP response includes an XID which matches the XID associated
with any of the pending DHCP requests, the cable modem 600 can
transfer the DHCP response to the host system having the XID
associated with the DHCP request.
[0070] It will be understood that DHCP requests made by other host
systems and responses thereto can also be processed by the cable
modem 600. For example, a second host system can transmit DHCP
requests including a second XID to the cable modem 600. The cable
modem 600 can associate the DHCP requests from the second host
system with the second XID in the same table used to associate the
DHCP request 645 with the XID of the first host system 620.
[0071] After transferring the data, the cable modem 600 can
disassociate the XID from the pending DHCP request so that any
subsequent data received can be blocked by the cable modem 600 even
if the data appears to be a DHCP response that includes an XID
previously associated with a once pending DHCP request. For
example, if DHCP response 670 is received by the cable modem 600
after receiving DHCP response 650 and is determined to include the
same XID that was included with DHCP response 650, DHCP response
670 will be blocked by the cable modem 600.
[0072] In some embodiments according to the present invention, the
XID can be disassociated from the pending DHCP request by deleting
the DHCP request from the table, by deleting the XID from the
table, or otherwise indicating that a corresponding response for
the pending DHCP request has already been received and transferred
by the cable modem 600. In some embodiments according to the
present invention, the XID can be disassociated from a pending DHCP
request when a second DHCP request is received from the same host
system before a DHCP response is received to the first (currently
pending) DHCP request. For example, if the cable modem 600 receives
a second DHCP request from the host system 620 before the DHCP
response 650 is received by the cable modem 600, the cable modem can
disassociate the XID from the DHCP request 645 in the cable modem
600. Subsequently, when the DHCP response 650 is received it will
be blocked by the cable modem 600.
[0073] FIG. 7 is a block diagram that illustrates embodiments of
cable modems 700 according to the present invention through which a
host system 720 can transmit and receive ARP requests and responses
and DHCP requests and responses. As
discussed above, the host system 720 can include a MAC address in
the ARP requests and include an XID in the DHCP requests so that
each of the requests can be uniquely identified when determining
whether an ARP/DHCP response matches a currently pending ARP/DHCP
request in the cable modem 700.
[0074] According to FIG. 7, the host system 720 transmits an ARP
request 745 to determine the MAC address of a CMTS 710. The MAC
address of the host system can be included in an ARP request 745
and can be associated with the ARP request 745 in the cable modem
700. The ARP request 745 can be transmitted to the CMTS 710 which
can transmit an ARP response 750 to provide the MAC address
requested in the ARP request 745. The cable modem 700 determines
that the ARP response 750 includes the same MAC address that is
associated with the ARP request 745 in the cable modem 700,
transfers the data received from the CMTS 710 to the host system
720, and disassociates the MAC address from the ARP request 745 in
the cable modem so that any subsequent ARP responses having the
same MAC address can be blocked by the cable modem 700.
[0075] The host system 720 transmits a DHCP discover request 755 to
a DHCP server 740 for an IP address. The DHCP discover request 755
can include an XID1 that the cable modem 700 associates with the
DHCP discover request 755. The cable modem 700 transfers the DHCP
discover request 755, including the XID1, to the DHCP server 740
via the CMTS 710. The DHCP server 740 can transmit a DHCP offer 760
of an IP address, including XID1, to the cable modem 700 via the
CMTS 710. The cable modem 700 determines that the DHCP offer 760
includes the XID1 that is associated with the currently pending
DHCP discover request 755 in the cable modem 700, transfers the
DHCP offer 760 to the host system 720, and disassociates the DHCP
discover request 755 from the XID1 in the cable modem so that any
subsequent DHCP responses that include XID1 can be blocked by the
cable modem 700.
[0076] If the host system decides to accept the IP address included
in the DHCP offer 760, the host system 720 transmits a DHCP request
765, including an XID2, to the DHCP server 740 that requests the IP
address in the DHCP offer 760. The cable modem 700 associates the
DHCP request 765 with the XID2 in the cable modem 700 and transfers
the DHCP request 765, including the XID2, to the DHCP server 740
via the CMTS 710. The DHCP server 740 can transmit a DHCP ACK 770,
including XID2, to the cable modem 700 via the CMTS 710 granting
the host system 720 the use of the requested IP address. The cable
modem 700 determines that the DHCP ACK 770 includes the XID2 that
is associated with the currently pending DHCP request 765 in the
cable modem 700, transfers the DHCP ACK 770 to the host system 720,
and disassociates the DHCP request 765 from the XID2 in the cable
modem so that any subsequent DHCP ACKs that include XID2 can be
blocked by the cable modem 700.
[0077] The host system 720 can renew the lease on the IP address by
transmitting a new DHCP request before the lease expires.
Typically, leases provided by a DHCP server can last several hours.
The host system 720 may transmit the DHCP renewal request to the
DHCP server 740 about halfway through the current lease. For
example, if the current lease will expire about four hours after
the DHCP server 740 transmits the DHCP ACK 770, the host system 720
may transmit a DHCP renewal request about two hours after the DHCP
server 740 transmitted the DHCP ACK 770.
[0078] Before transmitting the DHCP renewal request, the host
system 720 may transmit an ARP request 775 to ensure that the host
system 720 is using the most current MAC address when communicating
with the CMTS 710 and the DHCP server 740. The host system 720
transmits an ARP request 775 to determine the MAC address of the
CMTS 710. The MAC address of the host system 720 can be included in
the ARP request 775 and can be associated with the ARP request 775
in the cable modem 700. The ARP request 775 can be transmitted to
the CMTS 710 which can transmit an ARP response 780 to provide the
MAC address requested by the ARP request 775. The cable modem 700
determines that the ARP response 780 includes the same MAC address
that is associated with the ARP request 775 in the cable modem 700,
transfers the data received from the CMTS 710 to the host system
720, and disassociates the MAC address from the ARP request 775 in
the cable modem 700 so that any subsequent ARP responses having the
same MAC address can be blocked by the cable modem 700.
[0079] The host system 720 can transmit a DHCP renewal request 785
for the current IP address to the DHCP server 740 via the CMTS 710.
The DHCP renewal request 785 can include an XID3 that the cable
modem 700 associates with the DHCP renewal request 785. The cable
modem 700 transfers the DHCP renewal request 785, including the
XID3, to the DHCP server 740 via the CMTS 710. The DHCP server 740
can transmit a DHCP ACK 790 to the cable modem 700, including the
XID3, to grant the renewal of the lease on the current IP address.
The cable modem 700 determines that the DHCP ACK 790 includes the
XID3 that is associated with the currently pending DHCP renewal
request 785 in the cable modem 700, transfers the DHCP ACK 790 to
the host system 720, and disassociates the DHCP renewal request 785
from the XID3 in the cable modem 700 so that any subsequent DHCP
responses that include XID3 can be blocked by the cable modem
700.
[0080] FIGS. 8A and 8B are flowcharts that illustrate embodiments
of methods and systems of cable modems according to the present
invention. Upon receiving data from a host system while in safe
mode, the cable modem determines whether the received data includes
an ARP request (block 800) or a DHCP request (block 805).
Otherwise, the data is blocked (block 810). In some embodiments
according to the present invention, the ARP and DHCP requests can
be determined using functions illustrated by the following pseudo
code example:
Input:
    EthPkt - Pointer to Ethernet (layer 2) packet
    Length - Length of packet
Returns:
    TRUE - Packet should be forwarded (at least continue processing)
    FALSE - Packet is discarded
Pseudo Code:
    RetValue = FALSE
    if safemode is enabled AND modem is in OPERATIONAL state
        if Packet is ARP
            if SetARPPending(SRC MAC) successful
                RetValue = TRUE
        else if Packet is IP
            Initialize pointer to IP part of packet
            if IP->Protocol = UDP
                Initialize pointer to UDP part of Packet
                if UDP->Destination Port = BOOTP SERVER (67)
                    Initialize pointer to Bootp/DHCP packet (same header)
                    if SetDHCPPending(SRC MAC, DHCP->XID) successful
                        RetValue = TRUE
    Return RetValue
[0081] If the data is determined to include an ARP request (block
800), the MAC included therewith is associated with the pending ARP
request in the cable modem and is transferred to the network in
conjunction with setting a time-out interval timer (block 815). In
some embodiments according to the present invention, the ARP
request can be made pending and associated with the MAC address
using functions illustrated by the following pseudo code
example:
Set Arp Pending
Input:   CpeMAC - Pointer to CPE MAC (Ethernet) address
Returns: TRUE - ARP pending flag set for valid CPE, FALSE if not
Pseudo Code:
  RetValue = FALSE    ! Assume no entry
  ! Unlearned entries will be 0:0:0:0:0:0 and shouldn't match
  For i = 0 to i < (Maximum # of hosts supported)
    if LearnTable[i].EthAddr = CpeMAC
      LearnTable[i].ArpPending = TRUE
      RetValue = TRUE
  Return RetValue
[0082] If the data is determined to include a DHCP request (block
805), the XID included therewith is associated with the pending
DHCP request in the cable modem and is transferred to the network
in conjunction with setting a time-out interval timer (block 820).
In some embodiments according to the present invention, the DHCP
request can be made pending and associated with the XID using
functions illustrated by the following pseudo code example:
Set DHCP Pending
Input:   HostMAC - Pointer to CPE MAC (Ethernet) address
         XID - DHCP Message Transaction ID; will be the same through a complete sequence
Returns: TRUE - DHCP XID set for valid CPE, FALSE if not
Pseudo Code:
  RetValue = FALSE    ! Assume no entry
  ! Unlearned entries will be 0:0:0:0:0:0 and shouldn't match
  For i = 0 to i < (Maximum # of hosts supported)
    if LearnTable[i].EthAddr = HostMAC
      LearnTable[i].DHCPXID = XID
      RetValue = TRUE
  Return RetValue
[0083] Upon receiving data from the network while in safe mode, the
cable modem determines whether the received data includes an ARP
response (block 825) or a DHCP response (block 830). Otherwise, the
data is blocked (block 835). In some embodiments according to the
present invention, the ARP and DHCP responses can be determined
using functions illustrated by the following pseudo code
example:
Input:   EthPkt - Pointer to Ethernet (layer 2) packet
         Length - Length of packet
Returns: TRUE  - Packet should be forwarded
         FALSE - Packet is discarded
Pseudo Code:
  RetValue = FALSE
  if safemode is enabled AND modem is in OPERATIONAL state
    if Packet is ARP
      ! Note that this clears pending data if found
      if IsARPPending(DST MAC) successful
        RetValue = TRUE
    else if Packet is IP
      Initialize pointer to IP part of packet
      if IP->Protocol = UDP
        Initialize pointer to UDP part of packet
        if UDP->Source Port = BOOTP SERVER (67)
          Initialize pointer to Bootp/DHCP packet (same header)
          ! Note that this clears pending data if found
          if IsDHCPPending(DST MAC, DHCP->XID) successful
            RetValue = TRUE
  Return RetValue
[0084] If the data is determined to include an ARP response (block
825), the MAC address included therewith is checked to determine if
it matches the MAC address associated with the pending ARP request
in the cable modem (block 840). If a match occurs, the ARP
response is transferred to the host system in conjunction with
resetting the time-out interval timer (block 845). If the MAC
addresses do not match, the data is blocked (block 835). In some
embodiments according to the present invention, the ARP response
can be processed using functions illustrated by the following
pseudo code example:
Is Arp Pending
Input:   CpeMAC - Pointer to CPE MAC (Ethernet) address
Returns: Value of ARP pending flag if found, FALSE otherwise
Pseudo Code:
  RetValue = FALSE    ! Assume no entry
  For i = 0 to i < (Maximum # of hosts supported)
    if LearnTable[i].EthAddr = CpeMAC
      RetValue = LearnTable[i].ArpPending
      LearnTable[i].ArpPending = FALSE
  Return RetValue
[0085] If the data is determined to include a DHCP response (block
830), the XID included therewith is compared to the XID associated
with the currently pending DHCP request in the cable modem (block
850). If the XIDs match, the DHCP response is transferred to the
host system and the DHCP request is disassociated with the XID in
the cable modem in conjunction with resetting a time-out interval
timer (block 855). In some embodiments according to the present
invention, the DHCP response can be processed using functions
illustrated by the following pseudo code example:
Is DHCP Pending
Input:   HostMAC - Pointer to CPE MAC (Ethernet) address
         XID - Transaction ID from DHCP response
Returns: TRUE if XID found in table for that CPE, FALSE otherwise
Pseudo Code:
  RetValue = FALSE    ! Assume no entry
  ! Unlearned entries will be 0:0:0:0:0:0 and shouldn't match
  For i = 0 to i < (Maximum # of hosts supported)
    if LearnTable[i].EthAddr = HostMAC AND LearnTable[i].DHCPXID = XID
      RetValue = TRUE
      LearnTable[i].DHCPXID = 0
  Return RetValue
[0086] If one of the time-out interval timers expires before
receiving an acceptable ARP or DHCP response (block 860), the
currently pending request associated with the time-out interval
timer that expired is disassociated with the MAC or XID so that any
subsequent ARP or DHCP responses including the MAC address or XID
can be blocked by the cable modem.
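The following Python is an added illustration, not code from the patent or from any modem product, of the safe-mode filter that FIGS. 8A and 8B and the pseudo code of paragraphs [0080] through [0086] describe: a per-host learn table in which an outbound ARP request makes the source MAC pending and an outbound DHCP request records its XID, while inbound traffic is forwarded only when it answers a still-pending request and the match is cleared on first use so that later responses reusing the same MAC or XID are blocked. The class names Frame, LearnEntry and SafeModeFilter, the MAC addresses and XIDs, and the ten-second time-out are assumptions; packets are passed in as already-parsed fields because the pseudo code only names the header fields it tests, and the object is assumed to be consulted only while safe mode is enabled and the modem is in the OPERATIONAL state, the condition the pseudo code checks first.

```python
from dataclasses import dataclass
from typing import List, Optional

BOOTP_SERVER_PORT = 67    # the "BOOTP SERVER (67)" port tested in the pseudo code
PENDING_TIMEOUT = 10.0    # time-out interval in seconds (assumed value)

@dataclass
class Frame:              # parsed view of one layer-2 packet; header decoding not modelled
    kind: str             # "ARP" or "IP"
    src_mac: str
    dst_mac: str
    ip_proto: str = ""    # "UDP" for the IP case
    udp_src: int = 0
    udp_dst: int = 0
    xid: int = 0          # BOOTP/DHCP transaction ID

@dataclass
class LearnEntry:         # one row of the pseudo code's LearnTable
    eth_addr: str
    arp_pending: bool = False
    dhcp_xid: int = 0
    arp_deadline: float = 0.0   # expiry of the ARP time-out interval timer
    dhcp_deadline: float = 0.0  # expiry of the DHCP time-out interval timer

class SafeModeFilter:
    # Assumed to be consulted only while safe mode is enabled and the modem is OPERATIONAL.
    def __init__(self, learned_macs: List[str], timeout: float = PENDING_TIMEOUT):
        self.table = [LearnEntry(m) for m in learned_macs]   # CPE MACs learned earlier
        self.timeout = timeout

    def _entry(self, mac: str) -> Optional[LearnEntry]:
        return next((e for e in self.table if e.eth_addr == mac), None)

    # Pseudo code 2 and 3: mark the request pending and arm its time-out interval timer.
    def set_arp_pending(self, mac: str, now: float) -> bool:
        if (e := self._entry(mac)) is None:
            return False
        e.arp_pending, e.arp_deadline = True, now + self.timeout
        return True

    def set_dhcp_pending(self, mac: str, xid: int, now: float) -> bool:
        if (e := self._entry(mac)) is None or xid == 0:
            return False
        e.dhcp_xid, e.dhcp_deadline = xid, now + self.timeout
        return True

    # Pseudo code 5 and 6: test and clear, so only the first matching response passes;
    # a timer that has already run out counts as not pending (paragraph [0086]).
    def is_arp_pending(self, mac: str, now: float) -> bool:
        if (e := self._entry(mac)) is None:
            return False
        pending, e.arp_pending = e.arp_pending and now < e.arp_deadline, False
        return pending

    def is_dhcp_pending(self, mac: str, xid: int, now: float) -> bool:
        if (e := self._entry(mac)) is None or xid == 0 or e.dhcp_xid != xid:
            return False
        e.dhcp_xid = 0
        return now < e.dhcp_deadline

    # Pseudo code 1 (FIG. 8A): data from the host. True = forward, False = block.
    def from_host(self, f: Frame, now: float) -> bool:
        if f.kind == "ARP":
            return self.set_arp_pending(f.src_mac, now)
        if f.kind == "IP" and f.ip_proto == "UDP" and f.udp_dst == BOOTP_SERVER_PORT:
            return self.set_dhcp_pending(f.src_mac, f.xid, now)
        return False

    # Pseudo code 4 (FIG. 8B): data from the network, checked against pending state.
    def from_network(self, f: Frame, now: float) -> bool:
        if f.kind == "ARP":
            return self.is_arp_pending(f.dst_mac, now)
        if f.kind == "IP" and f.ip_proto == "UDP" and f.udp_src == BOOTP_SERVER_PORT:
            return self.is_dhcp_pending(f.dst_mac, f.xid, now)
        return False

def demo_exchange() -> List[bool]:
    """Constructed traffic (not captured data) following the FIG. 7 renewal sequence."""
    host, server = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"   # constructed MACs
    fw = SafeModeFilter([host])
    arp_req = Frame("ARP", host, "ff:ff:ff:ff:ff:ff")
    arp_rep = Frame("ARP", server, host)
    dhcp_req = Frame("IP", host, server, "UDP", 68, 67, xid=0x3903F326)
    dhcp_ack = Frame("IP", server, host, "UDP", 67, 68, xid=0x3903F326)
    stray_ack = Frame("IP", server, host, "UDP", 67, 68, xid=0x1111)
    other = Frame("IP", host, server, "UDP", 1234, 80)
    return [
        fw.from_host(arp_req, 0.0),        # True:  ARP request forwarded, pending set
        fw.from_network(arp_rep, 0.5),     # True:  reply to the pending request passed
        fw.from_network(arp_rep, 0.6),     # False: duplicate reply, nothing pending
        fw.from_host(dhcp_req, 1.0),       # True:  renewal forwarded, XID recorded
        fw.from_network(stray_ack, 1.5),   # False: XID does not match
        fw.from_network(dhcp_ack, 2.0),    # True:  XID matches, association cleared
        fw.from_network(dhcp_ack, 2.1),    # False: already cleared
        fw.from_host(dhcp_req, 3.0),       # True:  second renewal pending
        fw.from_network(dhcp_ack, 3.0 + PENDING_TIMEOUT + 1),  # False: timer expired
        fw.from_host(other, 20.0),         # False: other host traffic blocked
    ]
```

The model departs from the pseudo code in one deliberate way: IsDHCPPending is keyed on both the destination MAC and the XID, as its caller in pseudo code 4 passes both, so a response carrying a matching XID but addressed to a different learned host is still blocked. Everything else follows the listed logic, including the clear-on-match behaviour that turns each forwarded request into a one-shot permission for exactly one response.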
[0087] FIG. 9 is a flowchart that illustrates cable modems and
methods according to embodiments of the present invention. In
particular, embodiments of modems according to the present
invention can include a safe mode according to the present
invention and a firewall mode. The respective states of the
firewall mode and the safe mode in the cable modem can be changed
by, for example, pushing the safe mode button 108.
[0088] It will be understood by those having skill in the art that,
in some embodiments according to the present invention, the
firewall mode can be provided by commercially available software,
such as software marketed by BVRP Software, 1 bis rue Collange,
92593 Levallois Perret Cedex, France and on the web at
www.vicomsoft.com. It will be understood by those having skill in
the art that a firewall can examine traffic routed between the host
system and the Internet if the traffic meets certain criteria.
Firewalls can filter data using address filtering, protocol
filtering, etc.
[0089] As shown in FIG. 9, the cable modem powers up so that the
safe mode is disabled and the firewall is off (block 900). When
input is provided to the cable modem (block 905), the firewall is
enabled and the safe mode is disabled (block 910). When input is
again provided (block 915), the safe mode is enabled (block 920).
When input is again provided (block 925) the cable modem disables
the firewall and the safe mode (block 900). The safe mode and the
firewall operation can continue to be cycled each time input is
provided to the cable modem.
[0090] Input can be provided to the cable modem by pushing the safe
mode button 108 on the modem housing or by clicking on a GUI as
described above. In some embodiments according to the present
invention, the user changes the firewall/safe mode by depressing
the safe mode button 108 for about a predetermined time and
releasing the safe mode button 108. For example, the user can
change the firewall/safe mode by depressing the safe mode button
108 for about four seconds and then releasing the safe mode button
108.
[0091] In the drawings and specification, there have been disclosed
typical embodiments of the invention and, although specific terms
are employed, they are used in a generic and descriptive sense only
and not for purposes of limitation, the scope of the invention
being set forth in the following claims.
* * * * *