KR100195641B1 - Method of security problem in computer network using ip/atm - Google Patents

Abstract

The present invention uses an IP over ATM that determines whether to connect using a database for LIS internal hosts provided in an ATMARP server in an LIS when a first host outside the LIS requests a connection to a second host in the LIS. A security problem solving method for a computer network, comprising: accepting a connection request from a first host by a second host; Sending, by the second host, an InATMARP_Request message to the first host, and in response to the first host, putting the IP address of the first host in the InATMARP_response message and transmitting it to the second host; The second host sends the IP address of the first host to an ATMARP_Request message and sends it to the ATMARP server. The ATMARP server uses an internal database to store the IP address and ATM address of the first host in this LIS. Searching for the presence of the first host, and sending the ATM address or NAK message of the first host to an ATMARP_response message to the second host; The second host includes the step of initiating communication when the ATM address of the first host is included in the ATMARP_response message transmitted from the ATMARP server, and releasing the connection when the NAK message is loaded.

Description

Complementary solution to computer networks using IP over ATM

1 is a schematic block diagram illustrating the operation of IP over ATM.

2 shows a LIS model.

3 is a flowchart of a security problem solving method according to an embodiment of the present invention in a computer network using IP over ATM.

* Explanation of symbols for main parts of the drawings

11: Host 1 12: Host 2

13: ATMARP Server

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a computer network using an asynchronous transfer mode (hereinafter referred to as ATM), and more particularly to a method for solving a security problem in a computer network using an IP (Internet Protocol) over ATM. .

ATM is being standardized as the final mode of transmission for the implementation of the Broadband Intergrated Services Digital Network (BISDN). ATM is recognized for its high flexibility and efficiency due to its unique asynchronous channel allocation method, but there is a potential risk of overcongestion of the network due to statistical multiplexing. In addition, due to the influence of the high data rate, propagation delay time and processing time are relatively increased, and the burst characteristics of multimedia traffic are very diverse, which makes traffic control very difficult.

The Internet Engineering Task Force (IETF) is using RFC1577 and RFC1483 to deliver LAN traffic over ATM links. This is also called classical IP over ATM. It is a method that can be easily implemented by LAN emulation and is operated on almost all ATM LANs. IPover ATM conceals higher-level applications from the ATM layer by delivering IP Protocol Data Units (PDUs) through the ATM to the other party's IP layer with minimal overhead. That is, existing applications running on the IP protocol can use the transparent high bandwidth provided by ATM without knowing that its lower layer is ATM. And since there is no need to maintain compatibility with the existing Media Access Control (MAC) layer, the maximum frame size can be 9000 bytes or more, which is advantageous in large data transmission. However, there is a disadvantage that only the IP protocol is supported and the connection with the existing LAN equipment must be via a bridge or a router.

In order to transmit IP PDUs directly through ATM, two problems need to be solved. First, the problem is how to separate IP PDUs on the VCC (Virtual Circuit Channel) set up with the other host. This is a method of mapping a destination IP address to a 20 byte ATM address.

In order to solve this problem, RFC1483 defines a method of delivering different connectionless protocol PDUs in an ATM network, multiplexing PDUs over one ATM VC (Virtual Channel), and a method of delivering each protocol through a different VC. Currently, RFC1577 recommends LLC (Logical Link Control) / SNAP (Sub Network Access Protocol) encapsulation to multiplex different types of PDUs into a single VC.

RFC1577 is a protocol for translating IP addresses into network physical addresses, and defines ATM Adress Resolution Protocol (ATMARRP) and Inverse ATM Address Resolution Protocol (InATMARP). Here, ATMARP converts an IP address into an ATM address and InATMARP reversely converts an ATM address into an IP address. In order to solve an address resolution problem in an ATM network that does not support broadcasting, an existing ARP (REC826) protocol is used. ), A modification of the InARP (RFC1293) protocol.

On the other hand, the operation of the computer network using the IP over ATM will be described with reference to FIG.

First, during system booting, each host 11 establishes a connection that supports LLC / SNAP encapsulation to ATMARP server 13 using VC, and ATMARP server 13 sends an IP address to the originating host. Send request InATMARP_Request message. When the host 11 sends its IP address InATMARP_response message to the ATMARP server 13, the ATMARP server 13 checks whether the host is on a subnet managed by the host 11, and then caches its ATMARP cache. Store in

When a host wants to connect with another host 15 in the subnet, the ATMARP server 13 sends an ATMARP_Request message containing the other party's IP address. The ATMARP server 13 searches its ATMARP cache and receives the received IP address. The ATM address corresponding to the message is transmitted through an ATMARP_response message. If the destination IP host does not exist in the ATMARP table cache of the ATMARP server 13, it responds with an ATMARP NAK (Negative Acknowledge) message. Thereafter, the originating host associates the ATM address obtained from the ATMARP_response message with {IP address, ATM address} and stores it in its ATMARP cache, and makes a connection by signaling the ATM address.

In this case, when implementing logical IP LAN on ATM physical network, LIS model is used. According to this model, all ATM hosts form a logical IP subnet in which ATM connectivity can be established with each other. According to RFC1577, IP hosts on one ATM subnet must pass through an IP gateway in order to connect to IP hosts on another subnet. There is a problem with accessing the host within.

For example, if a host outside the subnet establishes an ATM VC connection to host ② inside the subnet and sends an InATMARP_Request message, the host ② sends its own IP address as defined by RFV1577's InATMARP protocol. Notify external host ① through This means that IP communication can be performed without going through the IP gateway of the other host of the internal host ②. Since not passing through the IP gateway means that it penetrates security measures such as a firewall, a fatal situation for network management or security management Occurs.

In order to solve this security problem, if a host has a database of hosts in its LIS, and a connection request occurs from the other host, it checks whether it is a host in its LIS by using this database. There is a way to only accept connections, but if the configuration of this LIS changes, all hosts have to change this database.

Accordingly, an object of the present invention is to ensure that the server only has information about security in the LIS in the IP over ATM switch in order to solve the above-mentioned problems, and takes only two more messages while maintaining the protocol and message format defined in RFC1577. This provides a simple way to solve security related problems.

The present invention for achieving the above object, when requesting a connection from the first host outside the LIS to the second host inside the LIS, determining whether to connect using a database for the LIS internal hosts provided in the ATMARP server of the LIS A method for solving a security problem in a computer network using IP over ATM, the method comprising: accepting a connection request from a first host by the second host; Sending, by the second host, an InATMARP_Request message to the first host, and in response to the first host, putting the IP address of the first host in the InATMARP_response message and transmitting it to the second host; The second host sends the IP address of the first host to an ATMARP_Request message and sends it to the ATMARP server. The ATMARP server uses an internal database to store the IP address and ATM address of the first host in this LIS. Searching for the presence of ATM, and sending the ATM address or NAK message of the first hosts to an ATMARP_response message to the second host; The second host includes the step of initiating communication when the ATM address of the first host is included in the ATMARP_response message transmitted from the ATMARP server, and releasing the connection when the NAK message is loaded.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

3 is a flowchart for explaining a security problem solving method according to the present invention in a computer network using IP over ATM.

Referring to FIG. 3, when the host① outside the LIS requests a connection to the host② inside the LIS, the host② inside the LIS once accepts the connection request from the host① outside the LIS (step 31). The host① sends an InATMARP_Request message (step 32). In response to the InATMARP_Request message of the internal host ②, the external host ① puts its IP address in the InATMARP_ response message and sends it to the host ②, whereby the host ② obtains the IP address of the host ① (Third 33 step).

The internal host ② sends the IP address of the host ① to the ATMARP server in its LIS in the ATMARP_Request message (step 34). The ATMARP server has a database of all hosts in the LIS where the server is located, so if the IP address and ATM address of the host ① are in this LIS, check if the IP address and ATM address of the host ① are in the LIS. The ATM address of the message is sent to the host ② by being loaded into the ATMARP_response message. On the other hand, if the IP address and ATM address of the host ① are not in the LIS, a NAK (Negative Acknowledge) message is loaded into the ATMARP_response message and transmitted to the host ②.

Therefore, after the host ② receives the ATMARP_response message from the ATMARP server (step 35), if the ATMARP_response message includes the ATM address of the host ①, the host starts communication (step 38), and the ATMARP_response message. If there is a NAK message, the connection is disconnected (step 37).

As described above, in a computer network using IP over ATM, the security problem solving method according to the present invention does not require that all hosts have information about security in the LIS, that is, whether a host is a host in the LIS. Having only a server and taking two more messages while maintaining the protocol and message format defined in RFC1577 has the advantage of simplifying security concerns.

Claims (1)

When the first host outside the LIS requests a connection to the second host inside the LIS, it connects to a computer network using IP over ATM that determines whether to connect using a database of LIS internal hosts provided in the LIS ATMARP server. A security problem solving method comprising the steps of: the second host accepting a connection request from a first host; Sending, by the second host, an InATMARP_Request message to the first host, and in response to the first host, putting the IP address of the first host in the InATMARP_response message and transmitting it to the second host; The second host sends the IP address of the first host to an ATMARP_Request message and sends it to the ATMARP server. The ATMARP server uses an internal database to store the IP address and ATM address of the first host in this LIS. Searching for the presence of ATM, and sending the ATM address or NAK message of the first hosts to an ATMARP_response message to the second host; And the second host initiates communication when the ATM address of the first host is included in an ATMARP_response message transmitted from the ATMARP server, and disconnects when the NAK message is loaded. A security problem solution for computer networks using over ATM.