KR100195642B1 - Method of security problem in computer network using ip/atm - Google Patents

Abstract

The present invention uses an IP over ATM that determines whether to connect using a database for LIS internal hosts provided in an ATMARP server in an LIS when a first host outside the LIS requests a connection to a second host in the LIS. A method for solving a security problem in a computer network, the method comprising: accepting a connection request from a first host by a second host; Sending, by the second host, the ATM address of the first host to the ATMARP server in an InATMARP_request message; The ATMARP server uses an internal database to search whether the IP address corresponding to the ATM address of the first host is in this LIS, and then loads the IP address or NAK message of the first host into an InATMARP_response message. Transmitting to a second host; The second host includes the step of initiating communication when the IP address of the first host is included in the InATMARP_response message transmitted from the ATMARP server, and disconnecting when the NAK message is loaded. Thus, while keeping the number of messages exchanged at 2, it is possible to concentrate protocol-related information on the server while being protocol compatible with the host using the existing RFC1577.

Description

How to Troubleshoot Security Problems in Computer Networks Using IP Over ATM

1 is a schematic block diagram illustrating the operation of IP over ATM.

2 shows a LIS model.

3 is a flowchart of a security problem solving method according to the present invention in a computer network using IP over ATM.

* Explanation of symbols for main parts of the drawings

11: Host 1 12: Host 2

13: ATMARP Server

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to asynchronous transfer mode (hereinafter referred to as ATM), and more particularly to a method for solving security problems in a computer network using IP (Internet Protocol) over ATM.

ATM is being standardized as the final mode of transmission for the implementation of the Broadband Intergrated Services Digital Network (BISDN). ATM is recognized for its high flexibility and efficiency due to its unique asynchronous channel allocation method, but there is a potential risk of overcongestion of the network due to statistical multiplexing. In addition, due to the influence of the high data rate, propagation delay time and processing time are relatively increased, and the burst characteristics of multimedia traffic are very diverse, which makes traffic control very difficult.

The Internet Engineering Task Force (IETF) is using RFC1577 and RFC1483 to deliver LAN traffic over ATM links. This is also called classical IP over ATM. It is a method that can be easily implemented by LAN emulation and is operated on almost all ATM LANs. IPover ATM conceals higher-level applications from the ATM layer by delivering IP Protocol Data Units (PDUs) through the ATM to the other party's IP layer with minimal overhead. That is, existing applications running on the IP protocol can use the transparent high bandwidth provided by ATM without knowing that its lower layer is ATM. In addition, since there is no need to maintain compatibility with the existing media access control (MAC) layer, the maximum frame size can be set to 9000 bytes or more, which is advantageous for large data transmission. However, there is a disadvantage that only the IP protocol is supported and the connection with the existing LAN equipment must be via a bridge or a router.

In order to transmit IP PDUs directly through ATM, two problems need to be solved. First, the problem is how to separate IP PDUs on the VCC (Virtual Circuit Channel) set up with the other host. This is a method of mapping a destination IP address to a 20 byte ATM address.

In order to solve this problem, RFC1483 defines a method of delivering different connectionless protocol PDUs in an ATM network, multiplexing PDUs over one ATM VC (Virtual Channel), and a method of delivering each protocol through a different VC. Currently, RFC1577 recommends LLC (Logical Link Control) / SNAP (Sub Network Access Protocol) encapsulation to multiplex different types of PDUs into a single VC.

RFC1577 is a protocol for translating IP addresses into network physical addresses and defines ATM Adress Resolution Protocol (ATMARRP) and Inverse ATM Address Resolution Protocol (InATMARP). Here, ATMARP converts an IP address into an ATM address and InATMARP conversely converts an ATM address into an IP address. In order to solve an address resolution problem in an ATM network that does not support broadcasting, an existing ARP (REC826) protocol is used. ), A modification of the InARP (RFC1293) protocol.

On the other hand, the operation of the computer network using the IP over ATM will be described with reference to FIG.

First, during system booting, each host 11 establishes a connection that supports LLC / SNAP encapsulation to ATMARP server 13 using VC, and ATMARP server 13 sends an IP address to the originating host. Send request InATMARP_Request message. When the host 11 sends its IP address InATMARP_response message to the ATMARP server 13, the ATMARP server 13 checks whether the host is on a subnet managed by the host 11, and then caches its ATMARP cache. Store in

When a host wants to connect with another host 15 in the subnet, the ATMARP server 13 sends an ATMARP_Request message containing the other party's IP address. The ATMARP server 13 searches its ATMARP cache and receives the received IP address. The ATM address corresponding to the message is transmitted through an ATMARP_response message. If the destination IP host does not exist in the ATMARP table cache of the ATMARP server 13, it responds with an ATMARP NAK (Negative Acknowledge) message. Thereafter, the originating host associates the ATM address obtained from the ATMARP_response message with {IP address, ATM address} and stores it in its ATMARP cache, and makes a connection by signaling the ATM address.

In this case, when implementing logical IP LAN on ATM physical network, LIS model is used. According to this model, all ATM hosts form a logical IP subnet in which ATM connectivity can be established with each other. According to RFC1577, IP hosts on one ATM subnet must pass through an IP gateway in order to connect to IP hosts on another subnet. There is a problem with accessing the host within.

For example, if a host outside the subnet establishes an ATM VC connection to host ② inside the subnet, and sends an InATMARP_Request message, the internal host ② returns its IP address as defined by the InATMARP protocol of RFV1577. Notify external host ① through message. This means that the internal host ② can communicate with each other without going through the other's IP gateway. If the internal host does not go through the IP gateway, it means that it will penetrate through security measures such as a firewall. Occurs.

In order to solve this security problem, if a host has a database of hosts in its LIS, and a connection request occurs from the other host, the host is searched if it is a host in its LIS by using this database. There is a way to only accept connections, but if the configuration of this LIS changes, all hosts have to change this database.

Accordingly, an object of the present invention is to provide a protocol compatible with the host using the existing RFC1577 while maintaining the number of messages exchanged at the IP over ATM exchanger in order to solve the above-mentioned problems, and to concentrate the information related to the supplementation on the server. To provide a way to do this.

The present invention for achieving the above object, when requesting a connection from the first host outside the LIS to the second host inside the LIS, determines whether to connect using a database for the LIS internal hosts provided in the ATMARP server of the LIS A method for solving a security problem in a computer network using IP over ATM, the method comprising: accepting a connection request from a first host by the second host; Sending, by the second host, the ATM address of the first host to the ATMARP server in an InATMARP_request message; The ATMARP server uses an internal database to search whether the IP address corresponding to the ATM address of the first host is in this LIS, and then loads the IP address or NAK message of the first host into an InATMARP_response message. Transmitting to a second host; The second host includes the step of initiating communication when the IP address of the first host is included in the InATMARP_response message transmitted from the ATMARP server, and disconnecting when the NAK message is loaded.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

3 is a flowchart for explaining a security problem solving method according to the present invention in a computer network using IP over ATM.

Referring to FIG. 3, when the host① outside the LIS requests a connection to the host② inside the LIS, the host② once accepts the connection request from the external host① (step 31). InATMARP_Request message is sent to the ATMARP server in step 32. At this time, through the connection request and the connection request acceptance process of step 31, the host ② knows the ATM address of the host ① in advance. Therefore, when the host ② sends an InATMARP_Request message to the ATMARP server, the host ② loads and sends the ATM address of the host ①.

The ATMARP server has a database of all hosts in the LIS where the server is located. Therefore, after receiving the ATM address of host ①, the ATMARPT server checks whether the IP address corresponding to the ATM address of host ① is in this LIS. If there is an IP address corresponding to the ATM address of the host ①, the ATM address of the host ① is sent to the host ② by being loaded into the InATMARP_response message.

On the other hand, if the IP address corresponding to the ATM address of the host ① is not in the LIS, a NAK (Negative Acknowledge) message is loaded into the InATMARP_response message and transmitted to the host ②.

Therefore, after the host ② receives the ATMARP_response message from the ATMARP server (step 33), if the IP address of the host ① is included in the InATMARP_response message (step 34), communication starts (step 36). If a NAK message is included in the InATMARP_response message, the connection is released (step 35).

As described above, in the computer network using IP over ATM, the security problem solving method according to the present invention maintains the number of messages exchanged at two, and becomes compatible with the host using the RFC1577 and provides information related to security. There is an advantage to focusing on the server.

Claims (1)

When the first host outside the LIS requests a connection to the second host inside the LIS, it connects to a computer network using IP over ATM that determines whether to connect using the database of LIS internal hosts provided in the ATMARP server in the LIS. A security problem solving method comprising the steps of: the second host accepting a connection request from a first host; Sending, by the second host, the ATM address of the first host to the ATMARP server in an InATMARP_request message; The ATMARP server uses an internal database to search whether the IP address corresponding to the ATM address of the first host is in this LIS, and then loads the IP address or NAK message of the first host into an InATMARP_response message. Transmitting to a second host; And the second host initiates communication when the InATMARP_response message transmitted from the ATMARP server includes the IP address of the first host, and disconnects when the NAK message is loaded. A security problem solution for computer networks using over ATM.