Detectable of intrusions containing overlapping reachabilities

Multiplex communications – Pathfinding or routing – Switching a message which includes an address header

Reexamination Certificate

Details

C370S397000

active

06487204

ABSTRACT:

FIELD OF THE INVENTION
The invention relates to communication networks and, more particularly, to preventing third party intrusions attempting to divert information being communicated on the network between parties.
BACKGROUND OF THE INVENTION
A set of signalling and routing protocols called Private Network-to-Network Interface (PNNI) standards is used on Asynchronous Transfer Mode (ATM) networks. PNNI is a comprehensive signalling standard providing dynamic routing capabilities and supporting Quality of Service (QoS) parameters for ATM networks. PNNI standards were approved by the ATM Forum in 1996 and are described in a March 1996 publication by the ATM Forum called “Private Network to Network Interface Specification Version 1.0”. This publication is hereby incorporated by reference.
In order to establish and update routing paths and to reroute a path in case of link failure, ATM network switches have to know the network's topology. It is necessary for a switch to know whether there is an available network path through it that has the required bandwidth and can support end-to-end QoS before that switch can accept a call without compromising the call's integrity. To this end, each switch maintains a database of the network's topology. To reduce the amount of information each switch has to maintain in its database about the topology of the network, the PNNI standard provides that the network can be logically defined as a hierarchy with nodes on each level of the hierarchy arranged in peer groups.
Under PNNI, the switches exchange information with one another on a regular basis to inform every switch about changes in the topology of the network. The information exchange is performed using a process called “flooding”. Flooding involves a hop-by-hop propagation of topology information in packets to all the switches in a peer group and to adjoining switches of other peer groups. Information about network topology is provided in PNNI Topology State Elements (PTSEs). When a PTSE is received at a switch, it is acknowledged by sending an acknowledgement packet back to the sending switch. If the PTSE contains information which is new or of more recent origin than that stored in the database of a receiving switch, that data is placed in the database for the receiving switch and the PTSE is transmitted to all neighbor switches of the receiving switch except the one from which the PTSE was received.
Along with other information, certain PTSEs contain reachability information of the sending switch. Reachability information comprises the sending switch's identity, address prefixes which describe the destinations that can be handled by the sending switch, and the length of the address prefixes. Thanks to the protocol, all the switches in a given peer group have the same vision of the network. That is, the topology databases of each of the switches belonging to the same peer group are identical in steady state. As a consequence, all the switches in a peer group know the reachability of the other switches of their peer group. Therefore, a malicious user, through use of an intervening switch in a peer group, knows exactly the reachabilities advertised by the other switches in that peer group, and can advertise the right prefixes in the intervening switch to “overwrite” other switches in the peer group, thereby diverting information through the intervening switch so that the user can obtain access to it. The diversion of the information is transparent to the sending party and an intended receiving party as long as information is transmitted to the receiving party through the intervening switch without changing the characteristics of the connection (throughput bandwidth, cost, etc.).
Therefore, it is an object of the present invention to protect the secrecy of information communicated on a PNNI network.
It is another object of the present invention to provide protection against the use of overlapping reachabilities to divert information communicated on the network.
It is a further object of the invention to provide an improved PNNI network.
BRIEF DESCRIPTION OF THE INVENTION
In accordance with the present invention, the operation of switches in the network is divided into two phases, a learning mode phase and an active mode phase. During the learning mode phase, each time a reachability is advertised by a sending switch, the reachability is recorded in the database of the receiving switch and the received reachability is sent to other switches in the same peer group. At the end of the learning mode phase, the database of each of the switches of the peer group contains the reachabilities advertised by all the switches of the peer group received during the learning mode phase. During the active mode, each time a reachability is received from a sending switch, the receiving switch checks to see if the reachability had already been advertised in the past by that sending switch. If it has, the reachability is considered to be valid and the receiving node waits for receipt of the next reachability. On the other hand, if the particular reachability has never been announced before by the sending switch, the receiving switch compares it to the reachabilities in the database for all other switches of the peer group in order to determine if the reachability causes another switch in the peer group to be overlapped.
A switch is overlapped when the reachability of another switch in its peer group exceeds its reachability. One reachability exceeds another when its prefix is longer than the other. In its basic form, the intrusion algorithm examines the length of the prefixes and triggers an alarm when it detects that the new reachability is an overlapping reachability. However, to limit the number of alarms that are triggered, the switch determines if the overlapping reachability is suspicious before triggering the alarm to have the network supervisor intercede and determine if the overlapping reachability is problematic.


REFERENCES:
patent: 5831975 (1998-11-01), Chen et al.
patent: 5999517 (1999-12-01), Koning et al.
patent: 6078575 (2000-06-01), Dommety et al.
patent: 6115753 (2000-09-01), Joens
patent: 6151319 (2000-11-01), Dommety et al.
patent: 6262984 (2001-07-01), Rochberger
patent: 6333918 (2001-12-01), Hummel
“Private Network to Network Interface Specification Version 1.0” Mar. 1996—ATM Forum.
