WO2004080024A1 - A packet forwarding apparatus - Google Patents

A packet forwarding apparatus

Info

Publication number
WO2004080024A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet forwarding
network
components
forwarding apparatus
address
Prior art date
Application number
PCT/AU2004/000269
Other languages
French (fr)
Inventor
Darren James Reed
Kenneth George Baker
Original Assignee
Intelliguard I.T. Pty Ltd
Priority date
Filing date
Publication date
Application filed by Intelliguard I.T. Pty Ltd
Publication of WO2004080024A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/60 Software-defined switches
    • H04L49/602 Multilayer or multiprotocol switching, e.g. IP switching

Definitions

  • the present invention relates to a packet forwarding apparatus, a routing process executed by the apparatus, a process for generating a routing table for use by the apparatus, and a routing table for use by the apparatus.
  • a firewall 102 is a device that is placed between two networks 104, 106, and restricts access from one network to the other, in particular from an insecure, typically public, network 104 to a relatively secure, typically private, network 106.
  • Network traffic from the insecure network 104 is typically directed to the firewall 102 by a router 107.
  • network services such as email, web, domain name, and file serving services are typically provided to the insecure network 104.
  • These services can be provided by respective network servers in the private local area network 106, such as a web server 108, a public file server 109, and an email server 110.
  • placing the firewall 102 between these network servers 108 to 110 and the insecure network 104 protects them from certain forms of attack.
  • however, various forms of network traffic must be allowed past the firewall 102 in order for the network servers 108 to 110 to provide the appropriate services to the insecure network 104.
  • the private network 106 typically includes additional systems such as a private file server 112, other servers 111, and desktop computer systems 114 that should be isolated from the insecure network 104 as much as possible in order to provide an appropriate degree of security. Consequently, a second firewall device 202 can be used to provide a higher level of security to the private network 106, and the network servers 108 to 110 are provided in an intermediate network segment 204 between the two firewalls 102, 202, as shown in Figure 2.
  • the intermediate network segment 204 can provide services to both the insecure network 104 and the private network 106, and is therefore also referred to as the service provision network 204.
  • the first firewall 102 provides an intermediate level of security to allow the necessary network access to the public servers 108 to 110 in the intermediate service provision network 204
  • the second firewall 202 provides a higher level of security to the private network 106, protecting the private file server 112, the desktop systems 114, and the other servers 111 from attacks originating in the insecure network 104 or indeed the public servers 108 to 110 themselves, should any of these be successfully attacked.
  • however, the firewalls 102, 202 themselves may be vulnerable to attack from the insecure network 104, the public servers 108 to 110, or even the private network 106, compromising the security of the private network 106 and the network systems 111, 112, 114 on the private network 106.
  • a further difficulty of such an arrangement arises from the challenge of correctly configuring and managing each firewall device.
  • the need to maintain the two separate firewalls 102, 202 increases the likelihood of configuration errors which could compromise the security of the private network 106.
  • a packet forwarding apparatus including at least two autonomous packet forwarding components having respective external interfaces for connection to respective external networks, and respective internal interfaces for connection to a network internal to said apparatus and interconnecting said at least two packet forwarding components, the internal interfaces being addressable only by link layer addresses or addresses in a subnet of a loopback network.
  • the present invention also provides a packet forwarding apparatus, including at least two packet forwarding components having respective external interfaces for connection to respective external networks, and respective internal interfaces for interconnecting said at least two packet forwarding components, said internal interfaces being addressable only internally to said apparatus.
  • the present invention also provides a routing process, including: receiving a data packet including a destination address; determining an address of a network corresponding to said destination address; and determining a link layer address of a next-hop node corresponding to the address of said network, said next-hop node only being assigned a link layer address.
  • the present invention also provides a routing table for use in selecting a next-hop node for a received network packet, each entry of said routing table including an address of a destination network and a link layer address of a next-hop node for said destination network.
  • the present invention also provides a process for generating a routing table, including: generating, at a network component having a first network interface and a second network interface, said first network interface having a network layer address and a link layer address, and said second network interface having only a link layer address, an announcement message including a network layer address of a network connected to said first network interface, and said link layer address of said second network interface.
  • Figure 1 is a block diagram of a first prior art network configuration having a firewall connected between an insecure communications network and a private communications network;
  • Figure 2 is a block diagram of a second prior art network configuration having two firewalls connected between the insecure communications network and a private communications network, and providing an intermediate network for providing services to the other networks;
  • Figure 3 is a block diagram of a preferred embodiment of a packet forwarding apparatus connected between three communications networks;
  • Figure 4 is a block diagram of a network interface module (NIM) of the packet forwarding apparatus;
  • Figure 5 is a schematic diagram illustrating network packet flows in one configuration of the packet forwarding apparatus having four NIMs;
  • Figure 6 is a schematic diagram of an alternative embodiment of a packet forwarding apparatus;
  • Figure 7 is a schematic diagram of a NIM of yet a further alternative embodiment of a packet forwarding apparatus;
  • Figure 8 is a block diagram of the packet forwarding apparatus connected between an insecure network, a private network, and a service provision network;
  • Figure 9 is a flow diagram of a routing process executed by the packet forwarding apparatus.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

  • a packet forwarding apparatus 300 includes three network interface modules (NIMs) 302, 304, 306, interconnected by an interconnect 308.
  • the network modules 302, 304, 306 are connected to respective communications networks 310, 312, 314. Alternatively, if there is no requirement for attaching the third network 314, the third NIM 306 can be omitted if desired.
  • each of the NIMs 302 to 306 includes a network interface connection (NIC) 402 for connection to a network external to the packet forwarding apparatus 300, and an interconnect connection interface (ICI) 404 for connection to the interconnect 308.
  • a packet processor 406 processes network packets received from one of the interfaces 402, 404, and forwards packets to the other interface, as described below.
  • the ICIs 404 of the NIMs 302 to 306 are not addressable from outside the packet forwarding apparatus 300, as described below.
  • a storage device 408 is used to store log files containing statistics and other data derived from the traffic received by the NIM.
  • a configuration manager 410 on each NIM 302 to 306 provides a single user interface that allows a user to configure and manage the entire packet forwarding apparatus 300, including all of the NIMs 302 to 306.
  • Each of the NIMs 302 to 306 operates as an autonomous packet forwarding device, executing packet forwarding and routing processes independently of the other NIMs, and configured and administered as an independent entity.
  • each NIM discovers the presence of the other NIMs in the packet forwarding apparatus 300 by way of communication across the interconnect 308 using discovery processes analogous to those used by standard networked computer systems to discover peers on a network.
  • the advantage of this distributed processing arrangement is that any compromise or failure of any one NIM does not necessarily impact the other NIMs, which would not be the case if the NIMs were operating in a centralised environment, for example as part of a single operating system environment.
  • the interconnect 308 is Ethernet.
  • the interconnect 308 can be any one of a variety of alternative networks, including an optical network using optical fibres, for example, with appropriate substitution of the ICI 404. It will also be apparent that the interconnect 308 can include an intelligent device capable of switching network traffic between the NIMs 302 to 306, or a hub. In the case of an Ethernet network, an otherwise standard Ethernet switch or hub can be used, modified as described below.
  • Each of the NIMs 302 to 306 is assigned only one IP address: that for its external network port or NIC 402.
  • the ICI 404 used for communication between the NIMs 302 to 306 is not assigned an IP address, as described below.
  • Modern communications networks transmit packets of information using a layered structure of protocols to separate the technical aspects of communication embodied in the lowest protocol layers from the higher layers used by applications and high level transport protocols.
  • networks based on the Internet Protocol (IP) use an Internet layer as a third layer over two lower protocol layers.
  • the lowest layer is a physical or hardware layer and the second layer is a link or medium access control (MAC) layer for communication over a shared network link.
  • a source node transmits link layer frames that include the unique link layer (i.e., layer 2), MAC, or hardware address of a particular destination node on the shared link.
  • a link layer frame begins with a 14-byte frame header, followed by a 46-1500-byte data payload, followed by a 4-byte cyclic redundancy check (CRC).
  • the frame header comprises 6-byte link layer destination and source addresses and a 2-byte type field that identifies the protocol type of the data payload.
  • a type of 0x0800 identifies an IP protocol payload.
  • the payload includes an IP datagram, including an IP header providing the Internet layer (i.e., layer 3) IP addresses of the source and destination nodes.
  • a node on a local area or wide area network can generally send an IP packet to any other node on the network by sending IP packets with a destination address set to the IP address assigned to the desired node. Unless the destination node shares the same network segment as the sending or source node, the IP packets are sent in a series of hops between nodes topologically located between the source and destination nodes.
  • Each network segment connecting two nodes has its own network address, and each node maintains a routing table that associates the IP addresses of nodes on the same network segment with addresses of network segments accessible through those nodes, and the respective network masks for those network segments.
  • Table 1 represents a prior art routing table having two interfaces connected to external networks.
  • a first interface has been assigned an IP address of 10.0.0.1 and is connected to a network with an IP address of 10.0.0.0.
  • a second interface has been assigned an IP address of 10.0.0.254 and is the default gateway to other networks (i.e., if no other match is found), as indicated by the 'default gateway' network address and network mask value of 0.0.0.0.
  • the node that received the IP datagram determines the next hop node using its routing table.
  • the destination IP address of the datagram is combined with a network mask (e.g., 255.255.255.0) from the routing table using a bitwise AND operation to determine a corresponding network segment address. If the resulting network address matches the network address in the routing table (e.g., 10.0.0.0), then the corresponding next hop address provides the IP address of the next hop node (or gateway) for the packet.
  • the corresponding layer 2 or MAC address of the next hop node is determined using the current node's address resolution protocol (ARP) or hardware address table, as shown in Table 2, which provides a mapping between IP addresses and link layer addresses for nodes on the same network segment.
  • the ARP table is maintained by receiving ARP replies from nodes on the same network segment. Consequently, the link layer addresses of nodes on a network segment are only known to nodes on that segment, and it is only possible to communicate with a node on another segment using a layer 3 address, such as an IP address in the case of an IP network.
  • Prior art systems such as the firewall system shown in Figure 2 use standard Ethernet/IP to communicate between the firewalls 102, 202. Accordingly, IP addresses are assigned to the internal interfaces of the firewalls 102, 202, which are therefore potentially vulnerable to attack from the insecure and private networks 104, 106.
  • each ICI 404 of the packet forwarding apparatus 300 is not assigned any address other than a link layer address. Consequently, the ICIs 404 are not addressable from outside the packet forwarding apparatus 300. That is, a network packet cannot be addressed from outside the packet forwarding apparatus 300 in such a way that any of the ICIs 404 is the packet's addressee or final destination, because the ICIs 404 have no network layer address, and link layer addressing only applies to each individual physical connection between two systems; i.e., it is not possible to target the ICIs 404 via their link layer addresses from outside the system 300.
  • each NIM is a standard computer system, such as an Intel-based server with two standard Ethernet ports executing a Unix operating system.
  • the packet forwarding apparatus 300 could alternatively be a blade server that has one external network port for a network cable and another port on the backplane that joins all the blades together, where each NIM is a single blade.
  • the packet processing and routing processes are implemented as software modules stored in nonvolatile storage (e.g., magnetic disk) associated with the packet forwarding apparatus 300.
  • the networking software of each NIM (and any switches or hubs included in the interconnect 308) is modified from the standard arrangement so that the routing process matches a destination IP address in an IP datagram with the link layer address of the appropriate NIM directly, without requiring an IP address or an ARP table.
  • the routing table used by the packet forwarding apparatus 300 to deliver packets from one NIM to another NIM includes only a hardware or MAC layer address for each ICI, as shown in Table 3.
  • the packet forwarding apparatus 300 executes a routing process, as shown in Figure 9.
  • a network packet is received and its destination network layer (IP) address determined.
  • the first entry in the routing table is then selected at step 906. If the result of a bitwise AND operation on the packet's destination address and the network mask ('netmask') in the selected entry is not equal to the network layer (IP) address of that entry (step 908), then the process loops back to select the next routing table entry at step 906. If, however, the result does match, then the link (MAC) layer address in the selected entry is selected at step 910.
  • This address is the link layer address of the ICI 404 of the NIM whose NIC 402 is connected to the network whose network layer (IP) address matched the result of the bitwise AND operation.
  • the selected link layer address is then included in an Ethernet frame that is generated from the packet at step 912, and at step 914 the frame is then transmitted on the interconnect 308 for receipt by the NIM. If no match is found, then the link layer address of the default route NIM is selected at step 918.
  • the default route is indicated by a routing table entry including a network address that is 0.0.0.0.
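As an added worked example (not code from the patent), the lookup of Figure 9 over a table in the shape of Table 3: each entry carries a destination network, a netmask and the link-layer address of the ICI of the NIM that reaches that network, so the match is (destination AND netmask) == network and the result is a MAC address used directly as the frame's destination, with no IP next hop and no ARP step. The table contents and MAC addresses are constructed. The page's flow walks the table in order and takes the first match; because a 0.0.0.0/0.0.0.0 default entry matches every address, the example orders entries most-specific first, which is the general longest-prefix rule of which that walk is one instance and guarantees the default is chosen only when nothing else matches.

```python
# Added example, not the patent's own code.  Routing lookup of Figure 9 over a
# Table 3-style table: destination network -> link-layer address of a NIM's ICI.
import ipaddress

ETHERTYPE_IP = 0x0800  # type field of an Ethernet frame carrying an IP datagram

# (destination network, netmask, link-layer address of the next-hop NIM's ICI)
# Constructed values; the MACs stand for the ICIs of NIMs 302, 304 and 306.
ROUTING_TABLE = [
    ("10.0.0.0",    "255.0.0.0",     "02:00:00:00:00:02"),  # via second NIM 304
    ("192.168.1.0", "255.255.255.0", "02:00:00:00:00:03"),  # via third NIM 306
    ("0.0.0.0",     "0.0.0.0",       "02:00:00:00:00:01"),  # default route: first NIM 302
]


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def entry_matches(dst, network, netmask):
    """Step 908: the entry matches when (dst AND netmask) equals its network address."""
    return (ip_to_int(dst) & ip_to_int(netmask)) == ip_to_int(network)


def prefix_length(netmask):
    """Number of one bits in a dotted netmask (255.255.255.0 -> 24)."""
    return bin(ip_to_int(netmask)).count("1")


def select_next_hop(dst, table=ROUTING_TABLE):
    """Return the ICI link-layer address to which a datagram for dst is sent.

    Figure 9 tries entries one by one (step 906/908) and falls back to the
    0.0.0.0 entry (step 918).  Ordering most-specific first makes this a
    longest-prefix match, so the all-matching default is only reached last.
    """
    ordered = sorted(table, key=lambda e: prefix_length(e[1]), reverse=True)
    for network, netmask, mac in ordered:
        if entry_matches(dst, network, netmask):
            return mac
    raise LookupError(f"no route to {dst} and no default entry")


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst_ip, datagram, src_mac, table=ROUTING_TABLE):
    """Step 912: wrap the IP datagram in an Ethernet frame for the interconnect.

    14-byte header: 6-byte destination MAC (the selected ICI), 6-byte source MAC
    (this NIM's own ICI), 2-byte type 0x0800.  The trailing CRC is left to the NIC.
    """
    dst_mac = select_next_hop(dst_ip, table)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + ETHERTYPE_IP.to_bytes(2, "big") + datagram


if __name__ == "__main__":
    # Constructed stand-in for a 20-byte IP header; only the destination matters here.
    frame = build_frame("10.20.30.40", b"\x45\x00" + b"\x00" * 18, "02:00:00:00:00:03")
    print("dst", frame[:6].hex(":"), "src", frame[6:12].hex(":"),
          "type", hex(int.from_bytes(frame[12:14], "big")))
```

Running the module as a script prints the destination ICI of the second NIM 304 for a 10.x.x.x address; an address that matches no entry goes to the default-route NIM, and a table without a default entry raises LookupError rather than guessing.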
  • the NIMs 302 to 306 communicate using a management protocol to send and receive management information. For example, each of the NIMs 302 to 306 uses this protocol to announce routing information on a periodic basis. Each announcement contains a list of all the destination network addresses the NIM provides connectivity for, provided they all fit within the transmitted frame. If the complete list of announcements does not fit in a single frame, then one or more further, continuation frames are sent containing the remaining data. Receipt of this routing announcement from a particular NIM indicates that that NIM is active and "alive".
  • the configuration of any applications (e.g., email, DNS, proxying, etc.) is also performed using the internal NIM protocol.
  • control messages form two groups: those related to the configuration of the packet forwarding apparatus 300, and those related to obtaining other types of information from a NIM (statistics, etc.) and their management. It will be apparent that an IP datagram forwarded over the interconnect 308 from an external network is never treated in a manner that allows it to be processed as control data.
  • Various methods are undertaken in the software to prevent access to the network by any applications in a manner that would allow them to send messages from one NIM to another NIM, as, for example, a hacker might attempt to do in order to subvert/break into/bypass another NIM if the hacker gained control over one of them.
  • the operating system kernel of each NIM is modified to prevent low-level access to the network, so that Ethernet frames cannot be generated and sent directly by a user process, and packet sniffing applications cannot be executed in user space, with other various security mechanisms used to prevent ad-hoc access to the Interconnect network between the NIMs.
  • Access to the network is restricted to sending and receiving TCP, UDP, and ICMP packets.
  • the control protocol provides a default route announcement from the first NIM 302 for an IPv4 network; in the original this is shown as an Ethernet control frame carrying a Network Advertisement.
  • the routing table comprises entries that include a network address (used as the lookup key), a network mask, and the next hop address.
  • the next hop address is either a layer 2 or 3 network address, depending on whether layer 3 loopback addresses are being used by the NIMs 302 to 306 for internal communication.
  • the routing table of the first NIM 302 would then include an entry associating the link layer address of the second NIM 304 with the network address 10.0.0.0/8.
  • the first NIM 302 would be used for the default route.
  • the following messages are typical of those that would be exchanged between the first NIM 302 and the second NIM 304:
  • the packets carrying announcements from each NIM 302, 304, 306 have the following structure:
  • the "type” field is set to 0x7878
  • the "len” (length) field is set to the length of the data following the "type” field (16)
  • the "cmd” field is set to a value that other NIMs understand to mean “add an ip-address/mac address pair to the routing table"(say, 1)
  • the "num” field provides the number of mac-address/ip- address pairs (in this example, 1).
  • the NIMs 302 to 306 can be configured with a shared secret that is used, along with the contents of the data being sent in each control message, to generate a hash value using a one-way hashing function such as MD5 or SHA-1 appended to the control message. NIMs receiving such messages use the hash value to determine that the message has been correctly sent and received, protecting against generic communication errors and fraudulent messages.
  • alternatively, public key cryptography can be used, whereby each of the NIMs 302 to 306 holds the public keys of all the other NIMs, so that messages can be signed with the sender's private key and encrypted under the recipient's public key and sent to the other NIMs individually, rather than broadcast.
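An added example (not the patent's own code) of the announcement frame described above and the shared-secret protection of the preceding paragraph, encoded on the sending NIM and verified, decoded and applied on the receiving NIM. Assumptions not stated on the page: the len, cmd and num fields are 2-byte big-endian, which gives len = 2 + 2 + 2 + 10 = 16 for one pair, as in the page's example; each pair carries only the network address with no netmask, as the page's layout does; and the appended tag is HMAC-SHA-256 rather than a bare MD5 or SHA-1 hash of secret and data, because both of those hash functions are deprecated and a plain H(secret || data) construction is open to length-extension forgery. The receiver checks the tag before interpreting any field.

```python
# Added example, not the patent's own code.  NIM routing announcement:
# type 0x7878, len, cmd, num, then num (mac, ip) pairs, then an HMAC tag.
# Field widths (2 bytes each) and HMAC-SHA-256 are assumptions explained above.
import hashlib
import hmac
import struct

CONTROL_ETHERTYPE = 0x7878
CMD_ADD_ROUTE = 1                 # "add an ip-address/mac address pair to the routing table"
HEADER = struct.Struct("!HHHH")   # type, len, cmd, num (assumed 2-byte big-endian fields)
PAIR_LEN = 6 + 4                  # 6-byte MAC followed by 4-byte IPv4 network address
TAG_LEN = hashlib.sha256().digest_size

DEMO_SECRET = b"constructed-shared-secret"   # would be provisioned on every NIM


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_announcement(pairs, secret, cmd=CMD_ADD_ROUTE):
    """Encode (mac, network) pairs into one control frame with its tag appended."""
    body = b"".join(mac_bytes(mac) + ip_bytes(net) for mac, net in pairs)
    length = HEADER.size - 2 + len(body)          # everything after the type field
    frame = HEADER.pack(CONTROL_ETHERTYPE, length, cmd, len(pairs)) + body
    tag = hmac.new(secret, frame, hashlib.sha256).digest()
    return frame + tag


def parse_announcement(frame, secret):
    """Verify the tag, then decode.  Raises ValueError on any inconsistency.

    The tag is checked before any field is trusted, so a forged or corrupted
    frame is rejected without being interpreted.
    """
    if len(frame) < HEADER.size + TAG_LEN:
        raise ValueError("frame too short")
    msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(secret, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch")
    etype, length, cmd, num = HEADER.unpack_from(msg)
    if etype != CONTROL_ETHERTYPE:
        raise ValueError(f"not a control frame: type {etype:#06x}")
    if length != len(msg) - 2 or num * PAIR_LEN != len(msg) - HEADER.size:
        raise ValueError("length fields do not match payload")
    pairs = []
    for i in range(num):
        start = HEADER.size + i * PAIR_LEN
        chunk = msg[start:start + PAIR_LEN]
        pairs.append((mac_str(chunk[:6]), ip_str(chunk[6:])))
    return cmd, pairs


def apply_announcement(routing_table, frame, secret):
    """Receiver side: install each announced network against the sender's ICI MAC.

    routing_table maps network address -> link-layer next hop.  Only CMD_ADD_ROUTE
    is understood here; other command values are ignored.
    """
    cmd, pairs = parse_announcement(frame, secret)
    if cmd == CMD_ADD_ROUTE:
        for mac, net in pairs:
            routing_table[net] = mac
    return routing_table


if __name__ == "__main__":
    frame = build_announcement([("02:00:00:00:00:02", "10.0.0.0")], DEMO_SECRET)
    print("header", frame[:HEADER.size].hex(), "total", len(frame), "bytes")
    print(apply_announcement({}, frame, DEMO_SECRET))
```

A frame from a sender that lacks the secret, or one altered in flight, fails at the tag check and never reaches the field parser; this is the property the page's "fraudulent messages" sentence is after, and it holds regardless of which NIM the frame claims to come from.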
  • although the NIMs 302 to 306 in the packet forwarding apparatus 300 operate independently of each other as autonomous entities, the configuration manager modules 410 of the NIMs 302 to 306 allow them to be managed collectively as part of the entire system 300 rather than as separate entities.
  • the packet forwarding apparatus 300 thus appears as a single piece of hardware so far as management is concerned by virtue of data exchange between the NIMs 302, 304, 306.
  • a typical manner in which the apparatus 300 is administered is to select a NIM, such as the first NIM 302, as the primary component or master NIM through which to interact with the apparatus 300 when initialising the apparatus 300 for use. Thereafter, further management activity by an administrator is undertaken through the first NIM 302 with the other NIMs 304, 306, acting as slave devices and being configured by the first NIM 302 through the exchange of control messages over the interconnect 308.
  • Configuration commands provided to the master NIM are used by the master NIM to generate and send slave configuration messages to one or more of the slave NIMs.
  • This arrangement also makes the packet forwarding apparatus 300 more robust, because if the master NIM detects that one or more of the slave NIMs has failed or is acting suspiciously, the master NIM can attempt to disable those NIMs, and can effectively eliminate them from packet forwarding and routing processes by removing the routing table entries for those NIMs from the master NIM's routing table, and instructing any other slave NIMs to do the same.
  • the master NIM can then generate an alert message to alert an administrator to the status of the disabled NIMs. Upon receiving such an alert, the administrator can then investigate the problem further. If additional NIMs are added to the packet forwarding apparatus 300, the administrator can disconnect the network from the NICs of the disabled NIMs, and connect them to the NICs of any spare NIMs.
  • the master NIM can be configured to automatically select the spare NIMs and configure them to perform the functions of the disabled NIMs, and inform the administrator that the appropriate network cables can be disconnected from the disabled NIMs and connected to the newly configured NIMs.
  • in an alternative embodiment, layer 3 loopback network addresses are used for the internal interconnection interfaces between the NIMs, rather than link layer addressing alone.
  • Host addresses 127.0.0.x are reserved for loopback interfaces, with the network 127.x.x.x being regarded as a loopback network.
  • a loopback interface is a virtual network interface that loops back to the source node. A packet sent to a loopback interface is never sent out on a physical network, but is simply looped back to the network input queue on the same host.
  • a node's loopback interface is therefore not addressable from outside the node itself, because loopback addresses cannot be used on a physical network.
  • the loopback network 127.x.x.x is subnetted to allow addresses within it to be used as addresses in the interconnect 308, and the ICI 404 on each of the NIMs 302 to 306 is assigned an IP address in that subnet.
  • the netmask of the loopback interface (IP address 127.0.0.1) of each NIM 302 to 306 would then become 255.255.255.0, as would that of each ICI 404.
  • each ICI 404 is given an IP address in a different subnet of the loopback network, such as 127.0.1.1 in 127.0.1.0/24.
  • Other NIMs have different addresses on the same subnet (e.g., 127.0.1.2, 127.0.1.3, and so on, as required).
  • the ICIs 404 are not addressable from the insecure network 104 or the private network 106 for a number of reasons.
  • first, consider an IP packet with a destination address in the standard loopback network, i.e., 127.x.x.x. When sent from a remote node of the insecure network 104, such a packet will not match any entry in the routing tables of that node or any intermediate nodes, and will therefore be continually forwarded on the default route of each node.
  • this holds unless the packet address matches an address assigned to the loopback interface of some node along the way, in which case the packet would not be forwarded at all because it would be handled locally.
  • consequently, the packet is unlikely to ever reach the packet forwarding apparatus 300.
  • second, because the destination address is an illegal address for an IP packet outside a host, the packet will be dropped or filtered by a node, as described in RFC 1122.
  • third, even if it did arrive, the packet would not be forwarded on the interconnect 308, because each NIM is configured to drop packets with 127.x.x.x addresses received at its external NIC 402. The same applies if the packet originated from the private network 106, was not dropped on the way, and the default route led to the packet forwarding apparatus 300.
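An added example (not the patent's own code) of the per-interface ingress rules the preceding paragraphs imply for a single NIM: control frames are accepted only from the interconnect, IP datagrams relayed over the interconnect are forwarded but never handed to the control handler, 127.x.x.x sources or destinations arriving at the external NIC are dropped (RFC 1122), and ARP is meaningless on an interconnect of the link-layer embodiment, which carries no IP addresses. The EtherType 0x7878 and the 127.0.1.0/24 probe address are the page's; the interface labels, verdict names and sample frames are constructed.

```python
# Added example, not the patent's own code.  Ingress classification for one NIM
# with an external port ('nic') and an interconnect port ('ici').
import ipaddress

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_CONTROL = 0x7878   # NIM-to-NIM control protocol type named on the page

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")   # never legal on a wire (RFC 1122);
                                                     # the 127.0.1.0/24 ICI subnet lies inside it


def classify(ingress, ethertype, src_ip=None, dst_ip=None):
    """Classify one received frame as 'control', 'forward', 'arp' or 'drop'.

    IP addresses are only consulted for type 0x0800 frames on the external port.
    """
    if ingress == "ici":
        if ethertype == ETHERTYPE_CONTROL:
            return "control"
        if ethertype == ETHERTYPE_IP:
            return "forward"   # datagram relayed by another NIM; never treated as control
        return "drop"          # no IP on the interconnect, so ARP or anything else is noise
    if ingress == "nic":
        if ethertype == ETHERTYPE_CONTROL:
            return "drop"      # the control protocol is internal to the apparatus
        if ethertype == ETHERTYPE_ARP:
            return "arp"       # address resolution for the NIC's own external segment
        if ethertype != ETHERTYPE_IP:
            return "drop"
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if src in LOOPBACK_NET or dst in LOOPBACK_NET:
            return "drop"      # martian: covers probes aimed at an ICI's 127.0.1.x address
        return "forward"
    raise ValueError(f"unknown ingress {ingress!r}")


def summarize(frames):
    """Apply classify() to (ingress, ethertype, src, dst) tuples and count verdicts."""
    counts = {"control": 0, "forward": 0, "arp": 0, "drop": 0}
    for ingress, ethertype, src, dst in frames:
        counts[classify(ingress, ethertype, src, dst)] += 1
    return counts


# Constructed sample traffic, including two probes at loopback-range addresses.
SAMPLE_FRAMES = [
    ("nic", ETHERTYPE_IP, "203.0.113.5", "10.0.0.7"),      # ordinary inbound datagram
    ("nic", ETHERTYPE_IP, "203.0.113.5", "127.0.1.2"),     # probe at an ICI address
    ("nic", ETHERTYPE_IP, "127.0.0.1", "10.0.0.7"),        # spoofed loopback source
    ("nic", ETHERTYPE_CONTROL, None, None),                # forged control frame from outside
    ("nic", ETHERTYPE_ARP, None, None),
    ("ici", ETHERTYPE_CONTROL, None, None),                # legitimate peer announcement
    ("ici", ETHERTYPE_IP, "203.0.113.5", "10.0.0.7"),      # datagram relayed by a peer NIM
    ("ici", ETHERTYPE_ARP, None, None),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```

The order of the tests matters: the control EtherType is rejected on the external port before any IP field is examined, so an outside party cannot reach the control handler by wrapping a control frame in anything the page's protocol would otherwise accept.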
  • This embodiment provides much of the same functionality as the preferred embodiment based on link layer addresses, but at the expense of providing an attackable point: if an attacker compromised a NIM, it would then be possible to target applications that use TCP/IP on the other NIMs.
  • each NIM 302, 304, 306 can optionally execute standard packet filtering and/or proxy processing processes on network packets received from one of the interfaces 402, 404.
  • each of the NIMs 302 to 306 can optionally perform security validation on all packets received and transmitted, and any packets that are not dropped are forwarded to the other interface.
  • This allows the packet forwarding apparatus 300 to define a protected zone 802, including a server network 804 for providing network services to an insecure network 806 connected to the first NIM 302 and a private network 808 connected to the second NIM 304.
  • the third NIM 306 provides a path to publicly accessible servers in the server network 804, including the web server 108, the public file server 109, and the email server 110.
  • the physical construction of the interconnect 308 can, through its wiring, be a part of the embodiment of the security policy.
  • the transmit pin(s) from ICI 404 on each of the first and second NIMs 302 and 304 can be connected only to the receive pin(s) of the third NIM 306, and the transmit pin(s) of the third NIM 306 can be connected to the receive pin(s) of the first and second NIMs 302 and 304, making it impossible for data to be transmitted from the first NIM 302 to the second NIM 304 directly.
  • the processing capability of each NIM 302, 304, 306 also allows it to perform more complex roles, such as acting as an email gateway or cache.
  • the third NIM 306 can again be omitted if desired.
  • additional NIMs, such as the third NIM 306, can also be used to provide additional security by configuring other NIMs, such as the first NIM 302 and/or the second NIM 304, to pass traffic through all three NIMs 302 to 306 for packet filtering, as described below.
  • Each of the NIMs 302 to 306 can also provide VPN (Virtual Private Network) or other gateway functionality, such as providing DNS (Domain Name System), mail filtering, etc, if desired.
  • a packet passing through the packet forwarding apparatus 300 passes through the security policies of at least two of the NIMs 302 to 306 before exiting the system 300.
  • the packet forwarding apparatus 300 can be provided with additional NIMs to control packet flows through the system 300 in a variety of ways.
  • Figure 5 shows a packet forwarding apparatus 500 with a fourth NIM 502 in addition to the three NIMs 302 to 306 shown in Figure 3.
  • the packet forwarding apparatus 500 is configured to direct packets flowing through the packet forwarding apparatus 500 to pass through three NIMs (i.e., 302, 304, and either 502 or 306, depending on the packet direction); there is no direct connectivity between the insecure network 104 and the private network 106.
  • although the web server 108, public file server 109, and email server 110 can be accessed from both the insecure network 104 and the private network 106, they cannot be accessed from the other network 504 connected to the fourth NIM 502.
  • although each of the NIMs 302 to 306 of the packet forwarding apparatus 300 has been described above as being based on a standard computer system with two network interfaces, it is preferable that the entire packet forwarding apparatus be provided in a single housing or chassis containing all of the NIMs 302 to 306 and the interconnect 308. This can be achieved by installing the major components of each computer system in a single chassis and sharing a single power supply.
  • NIMs are provided as components on one or more removable cards for placement in a single computer system, whereby the NIMs communicate over a bus of the computer system rather than over a network.
  • the NIMs still operate autonomously, and in particular, operate independently of the operating system of the host computer system; the NIMs do not use any part of the host computer system for RAM, CPU or storage.
  • NIMs can be provided on a single removable card 602 for installation in a computer system, as shown in Figure 6.
  • the PCI card 602 includes a first NIM 604 connected to the insecure network 104 through a first NIC 606, and a second NIM 608 connected to the private network 106 through a second NIC 610.
  • a third NIM 612 provides access to a protected zone.
  • Each NIM 604, 608, 612 includes random access memory (RAM) 614, a microprocessor 616, and a non-volatile storage device 618 such as flash memory.
  • the NIMs 604, 608, 612 are interconnected by an interconnect 620 on the card 602.
  • the card's PCI bus connection 622 provides the external interface to the third NIM 612.
  • the computer providing the interface can also provide network services from the protected zone. It will be apparent that any number of NIMs can be provided on a single card, subject to physical space limitations.
  • NIMs are provided as a single hardware component, such as an ASIC.
  • Figure 7 shows a schematic diagram of a single chip NIM 700 including a network interface connection (NIC) 702, a CPU 704, random access memory 706, non-volatile storage 708, and an interconnect connection interface 710.
  • each NIM can be provided in its own virtual machine executed by a single host computer.
  • the virtual machines could be provided by software products such as VMWare, available from http://www.vmware.com.
  • Each VMWare instance provides one NIM.
  • VMWare's networking services can be used to provide the interconnect required for internal communication between NIMs.

Abstract

A packet forwarding apparatus (300), including at least two autonomous packet forwarding components (302, 304, 306) having respective external interfaces for connection to respective external networks (310, 312, 314), and respective internal interfaces for connection to a network internal to said apparatus and interconnecting (308) said at least two packet forwarding components (302, 304, 306), the internal interfaces being addressable only by link layer addresses or addresses in a subnet of a loopback network.

Description

A PACKET FORWARDING APPARATUS
FIELD OF THE INVENTION
The present invention relates to a packet forwarding apparatus, a routing process executed by the apparatus, a process for generating a routing table for use by the apparatus, and a routing table for use by the apparatus.
BACKGROUND
Local area networks requiring access to an insecure network such as the Internet are usually protected from the insecure network by a firewall. As shown in Figure 1, a firewall 102 is a device that is placed between two networks 104, 106, and restricts access from one network to the other, in particular from an insecure, typically public, network 104 to a relatively secure, typically private, network 106. Network traffic from the insecure network 104 is typically directed to the firewall 102 by a router 107.
In many cases, it is desired to provide network services such as email, web, domain name, and file serving services to the insecure network 104. These services can be provided by respective network servers in the private local area network 106, such as a web server 108, a public file server 109, and an email server 110. In such cases, the firewall 102 between these network servers 108 to 110 and the insecure network 104 protects them from certain forms of attack. However, various forms of network traffic are allowed past the firewall 102 in order for the network servers 108 to 110 to provide the appropriate services to the insecure network 104. Although this intermediate level of security is necessary to provide access to these servers 108 to 112, the private network 106 typically includes additional systems such as a private file server 112, other servers 111, and desktop computer systems 114 that should be isolated from the insecure network 104 as much as possible in order to provide an appropriate degree of security. Consequently, a second firewall device 202 can be used to provide a higher level of security to the private network 106, and the network servers 108 to 110 are provided in an intermediate network segment 204 between the two firewalls 102, 202, as shown in Figure 2. The intermediate network segment 204 can provide services to both the insecure network 104 and the private network 106, and is therefore also referred to as the service provision network 204. 
In this configuration, the first firewall 102 provides an intermediate level of security to allow the necessary network access to the public servers 108 to 110 in the intermediate service provision network 204, and the second firewall 202 provides a higher level of security to the private network 106, protecting the private file server 112, the desktop systems 114, and the other servers 111 from attacks originating in the insecure network 104 or indeed the public servers 108 to 110 themselves, should any of these be successfully attacked.
Moreover, the firewalls 102, 202 themselves may be vulnerable to attack from the insecure network 104, the public servers 108 to 110, or even the private network 106, compromising the security of the private network 106 and the network systems 111, 112, 114 on the private network 106.
A further difficulty of such an arrangement arises from the challenge of correctly configuring and managing each firewall device. The need to maintain the two separate firewalls 102, 202 increases the likelihood of configuration errors which could compromise the security of the private network 106.
It is desired to provide a packet forwarding apparatus, a routing process, a process for generating a routing table, and a routing table that alleviate one or more difficulties of the prior art, or at least provide a useful alternative.
SUMMARY OF THE INVENTION
In accordance with the present invention, there is provided a packet forwarding apparatus, including at least two autonomous packet forwarding components having respective external interfaces for connection to respective external networks, and respective internal interfaces for connection to a network internal to said apparatus and interconnecting said at least two packet forwarding components, the internal interfaces being addressable only by link layer addresses or addresses in a subnet of a loopback network.
The present invention also provides a packet forwarding apparatus, including at least two packet forwarding components having respective external interfaces for connection to respective external networks, and respective internal interfaces for interconnecting said at least two packet forwarding components, said internal interfaces being addressable only internally to said apparatus.
The present invention also provides a routing process, including: receiving a data packet including a destination address; determining an address of a network corresponding to said destination address; and determining a link layer address of a next-hop node corresponding to the address of said network, said next-hop node only being assigned a link layer address.
The present invention also provides a routing table for use in selecting a next-hop node for a received network packet, each entry of said routing table including an address of a destination network and a link layer address of a next-hop node for said destination network.
The present invention also provides a process for generating a routing table, including: generating, at a network component having a first network interface and a second network interface, said first network interface having a network layer address and a link layer address, and said second network interface having only a link layer address, an announcement message including a network layer address of a network connected to said first network interface, and said link layer address of said second network interface.
BRIEF DESCRIPTION OF THE DRAWINGS
Preferred embodiments of the present invention are hereinafter described, by way of example only, with reference to the accompanying drawings, wherein:
Figure 1 is a block diagram of a first prior art network configuration having a firewall connected between an insecure communications network and a private communications network;
Figure 2 is a block diagram of a second prior art network configuration having two firewalls connected between the insecure communications network and a private communications network, and providing an intermediate network for providing services to the other networks;
Figure 3 is a block diagram of a preferred embodiment of a packet forwarding apparatus connected between three communications networks;
Figure 4 is a block diagram of a network interface module (NIM) of the packet forwarding apparatus;
Figure 5 is a schematic diagram illustrating network packet flows in one configuration of the packet forwarding apparatus having four NIMs;
Figure 6 is a schematic diagram of an alternative embodiment of a packet forwarding apparatus;
Figure 7 is a schematic diagram of a NIM of yet a further alternative embodiment of a packet forwarding apparatus;
Figure 8 is a block diagram of the packet forwarding apparatus connected between an insecure network, a private network, and a service provision network; and
Figure 9 is a flow diagram of a routing process executed by the packet forwarding apparatus.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
As shown in Figure 3, a packet forwarding apparatus 300 includes three network interface modules (NIMs) 302, 304, 306, interconnected by an interconnect 308. The network modules 302, 304, 306 are connected to respective communications networks 310, 312, 314. Alternatively, if there is no requirement for attaching the third network 314, the third NIM 306 can be omitted if desired.
As shown in Figure 4, each of the NIMs 302 to 306 includes a network interface connection (NIC) 402 for connection to a network 402 external to the packet forwarding apparatus 300, and an interconnect connection interface (ICI) 404 for connection to the interconnect 308. A packet processor 406 processes network packets received from one of the interfaces 402, 404, and forwards packets to the other interface, as described below. In order to enhance security, the ICIs 404 of the NIMs 302 to 306 are not addressable from outside the packet forwarding apparatus 300, as described below. A storage device 408 is used to store log files containing statistics and other data derived from the traffic received by the NIM. A configuration manager 410 on each NIM 302 to 306 provides a single user interface that allows a user to configure and manage the entire packet forwarding apparatus 300, including all of the NIMs 302 to 306.
Each of the NIMs 302 to 306 operates as an autonomous packet forwarding device, executing packet forwarding and routing processes independently of the other NIMs, and configured and administered as an independent entity. As described below, each NIM discovers the presence of the other NIMs in the packet forwarding apparatus 300 by way of communication across the interconnect 308 using discovery processes analogous to those used by standard networked computer systems to discover peers on a network. The advantage of this distributed processing arrangement is that any compromise or failure of any one NIM does not necessarily impact the other NIMs, which would not be the case if the NIMs were operating in a centralised environment; as part of a single operating system environment, for example. In the described embodiments, the interconnect 308 is Ethernet. However, it will be apparent that the interconnect 308 can be any one of a variety of alternative networks, including an optical network using optical fibres, for example, with appropriate substitution of the ICI 404. It will also be apparent that the interconnect 308 can include an intelligent device capable of switching network traffic between the NIMs 302 to 306, or a hub. In the case of an Ethernet network, an otherwise standard Ethernet switch or hub can be used, modified as described below. Each of the NIMs 302 to 306 is assigned only one IP address: that for its external network port or NIC 402. The ICI 404 used for communication between the NIMs 302 to 306 is not assigned an IP address, as described below.
Modern communications networks transmit packets of information using a layered structure of protocols to separate the technical aspects of communication embodied in the lowest protocol layers from the higher layers used by applications and high level transport protocols. For example, networks based on the Internet Protocol (IP) use an Internet layer as a third layer over two lower protocol layers. The lowest layer is a physical or hardware layer and the second layer is a link or medium access control (MAC) layer for communication over a shared network link. In an Ethernet link, a source node transmits link layer frames including a unique link layer (i.e., layer 2), MAC, or hardware address to address a particular destination node on the shared link. A link layer frame begins with a 14-byte frame header, followed by a 46-1500-byte data payload, followed by a 4-byte cyclic redundancy check (CRC). The frame header comprises 6-byte link layer destination and source addresses and a 2-byte type field that identifies the protocol type of the data payload. A type of 0x0800 identifies an IP protocol payload. In the case of IP, the payload includes an IP datagram, including an IP header providing the Internet layer (i.e., layer 3) IP addresses of the source and destination nodes.
A node on a local area or wide area network can generally send an IP packet to any other node on the network by sending IP packets with a destination address set to the IP address assigned to the desired node. Unless the destination node shares the same network segment as the sending or source node, the IP packets are sent in a series of hops between nodes topologically located between the source and destination nodes. Each network segment connecting two nodes has its own network address, and each node maintains a routing table that associates the IP addresses of nodes on the same network segment with addresses of network segments accessible through those nodes, and the respective network masks for those network segments.
For example, Table 1 represents a prior art routing table having two interfaces connected to external networks. A first interface has been assigned an IP address of 10.0.0.1 and is connected to a network with an IP address of 10.0.0.0. A second interface has been assigned an IP address of 10.0.0.254 and is the default gateway to other networks (i.e., if no other match is found), as indicated by the 'default gateway' network address and network mask value of 0.0.0.0.
Table 1
When a node receives an IP datagram destined for a node on another network segment, the node that received the IP datagram determines the next hop node using its routing table. The destination IP address of the datagram is combined with a network mask (e.g., 255.255.255.0) from the routing table using a bitwise AND operation to determine a corresponding network segment address. If the resulting network address matches the network address in the routing table (e.g., 10.0.0.0), then the corresponding next hop address provides the IP address of the next hop node (or gateway) for the packet. The corresponding layer 2 or MAC address of the next hop node is determined using the current node's address resolution protocol (ARP) or hardware address table, as shown in Table 2, which provides a mapping between IP addresses and link layer addresses for nodes on the same network segment. The ARP table is maintained by receiving ARP replies from nodes on the same network segment. Consequently, the link layer addresses of nodes on a network segment are only known to nodes on that segment, and it is only possible to communicate with a node on another segment using a layer 3 address, such as an IP address in the case of an IP network.
Table 2
Prior art systems such as the firewall system shown in Figure 2 use standard Ethernet/IP to communicate between the firewalls 102, 202. Accordingly, IP addresses are assigned to the internal interfaces of the firewalls 102, 202, which are therefore potentially vulnerable to attack from the insecure and private networks 104, 106.
In contrast, each ICI 404 of the packet forwarding apparatus 300 is not assigned any address other than a link layer address. Consequently, the ICIs 404 are not addressable from outside the packet forwarding apparatus 300. That is, a network packet cannot be addressed from outside the packet forwarding apparatus 300 in such a way that any of the ICIs 404 is the packet's addressee or final destination, as the ICIs 404 do not have a network layer address, and link layer addressing only applies to each individual physical connection between two systems - i.e. it is not possible to target ICIs 404 via their link layer address from outside of system 300.
The ICIs 404 are therefore protected from direct attacks from the insecure network 104 and/or the private network 106 because any IP datagram originating from outside the packet forwarding apparatus 300 and received by the ICI 404 of one of the NIMs 302 to 306 is passed on to the output processing of the NIC 402, where it will be either forwarded or dropped. In a first preferred embodiment, each NIM is a standard computer system, such as an Intel™-based server with two standard Ethernet ports and executing a Unix™ operating system. However, the packet forwarding apparatus 300 could alternatively be a blade server that has one external network port for a network cable and another port on the backplane that joins all the blades together, where each NIM is a single blade. The packet processing and routing processes are implemented as software modules stored in nonvolatile storage (e.g., magnetic disk) associated with the packet forwarding apparatus 300. However, it will be apparent that at least parts of the packet processes can be alternatively implemented by dedicated hardware components, such as application-specific integrated circuits (ASICs), as described below.
Because IP addresses are not assigned to the ICIs 404, the networking software of each NIM (and any switches or hubs included in the interconnect 308) is modified from the standard arrangement so that the routing process matches a destination IP address in an IP datagram with the link layer address of the appropriate NIM directly, without requiring an IP address or an ARP table. Thus the routing table used by the packet forwarding apparatus 300 to deliver packets from one NIM to another NIM includes only a hardware or MAC layer address for each ICI, as shown in Table 3.
Table 3
The packet forwarding apparatus 300 executes a routing process, as shown in Figure 9. At steps 902 and 904, a network packet is received and its destination network layer (IP) address determined. The first entry in the routing table is then selected at step 906. If the result of a bitwise AND operation on the packet's destination address and the network mask ('netmask') in the selected entry is not equal to the network layer (IP) address of that entry (step 908), then the process loops back to select the next routing table entry at step 906. If, however, the result does match, then the link (MAC) layer address in the selected entry is selected at step 910. This address is the link layer address of the ICI 404 of the NIM whose NIC 402 is connected to the network whose network layer (IP) address matched the result of the bitwise AND operation. The selected link layer address is then included in an Ethernet frame that is generated from the packet at step 912, and at step 914 the frame is then transmitted on the interconnect 308 for receipt by the NIM. If no match is found, then the link layer address of the default route NIM is selected at step 918. The default route is indicated by a routing table entry including a network address that is 0.0.0.0.
In addition to forwarding IP datagrams received from external networks, the NIMs 302 to 306 communicate using a management protocol to send and receive management information. For example, each of the NIMs 302 to 306 uses this protocol to announce routing information on a periodic basis. Each announcement contains a list of all the destination network addresses the NIM provides connectivity for, providing they all fit within the transmitted frame. If the complete list of announcements does not fit in a single frame, then one or more further, continuation frames are sent containing the remaining data. Receipt of this routing announcement from a particular NIM indicates that that NIM is active and "alive". If no such announcement is seen in a period of time that is longer than the configured interval for announcing such information, then the other NIMs consider the last received announcement to be stale and it is discarded. The configuration of any applications (e.g., email, DNS, proxying, etc) on the NIMs 302 to 306 is also performed using the internal NIM protocol.
For communication across Ethernet, two new protocol type codes are used so that the packets cannot be confused with ordinary IP traffic: one for control messages (Ethercontrol) and one for data (IP) messages (Etherdata). The control messages form two groups: those related to the configuration of the packet forwarding apparatus 300, and those related to obtaining other types of information from a NIM (statistics, etc.) and their management. It will be apparent that an IP datagram forwarded over the interconnect 308 from an external network is never treated in a manner that allows it to be processed as control data. Various methods are undertaken in the software to prevent access to the network by any applications in a manner that would allow them to send messages from one NIM to another NIM, as, for example, a hacker might attempt to do in order to subvert/break into/bypass another NIM if the hacker gained control over one of them. For example, the operating system kernel of each NIM is modified to prevent low-level access to the network, so that Ethernet frames cannot be generated and sent directly by a user process, and packet sniffing applications cannot be executed in user space, with other various security mechanisms used to prevent ad-hoc access to the interconnect network between the NIMs. Access to the network is restricted to sending and receiving TCP, UDP, and ICMP packets.
For example, the control protocol provides a default route announcement from the first NIM 302 for an IPv4 network as follows: Ethercontrol(Network Advertisement(Network 0.0.0.0/0, MAC 02:00:00:01:01:35)). Similarly, the second NIM 304 might announce Ethercontrol(Network Advertisement(Network 10.0.0.0/8, MAC 04:01:51:F3:00:03)), providing the IP address of the private network 106. Each NIM uses the information it learns from other NIMs to build its own routing table. The routing table comprises entries that include a network address (used as the lookup key), a network mask, and the next hop address. The next hop address is either a layer 2 or 3 network address, depending on whether layer 3 loopback addresses are being used by the NIMs 302 to 306 for internal communication. In the above example, the routing table of the first NIM 302 would then include an entry associating the link layer address of the second NIM 304 with the network address 10.0.0.0/8. The first NIM 302 would be used for the default route.
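The routing process of Figure 9 and the announcement-driven table building described above, as an added example that is not code from the patent: a NIM routing table whose next hop is a link layer (MAC) address only, learned from Network Advertisement announcements, aged out when a peer stops announcing, and consulted by ANDing the destination with each entry's netmask. The announcement interval and the timestamps are constructed values.

```python
# Added example, not code from the patent: a NIM routing table whose next hop is
# a link layer (MAC) address only, learned from the Network Advertisement
# announcements described above and consulted with the step sequence of Figure 9.
# The announce interval, the timestamps and the "now" values are constructed.
import time
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

ANNOUNCE_INTERVAL = 30.0  # constructed: seconds between periodic announcements


class NimRoutingTable:
    """Routing table of one NIM: network -> (network, next-hop ICI MAC, last seen)."""

    def __init__(self, announce_interval: float = ANNOUNCE_INTERVAL) -> None:
        self.announce_interval = announce_interval
        self.entries: Dict[str, Tuple[IPv4Network, str, float]] = {}

    def learn(self, network: str, mac: str, now: Optional[float] = None) -> None:
        """Record a Network Advertisement (network/prefix, ICI MAC) from a peer NIM.
        A repeated announcement simply refreshes the entry's timestamp."""
        net = IPv4Network(network, strict=False)
        seen = time.time() if now is None else now
        self.entries[str(net)] = (net, mac.upper(), seen)

    def expire(self, now: Optional[float] = None) -> List[str]:
        """Discard entries not re-announced within the announce interval: the peer
        NIM is then no longer considered alive. Returns the networks removed."""
        now = time.time() if now is None else now
        stale = [key for key, (_, _, seen) in self.entries.items()
                 if now - seen > self.announce_interval]
        for key in stale:
            del self.entries[key]
        return stale

    def next_hop_mac(self, dst_ip: str) -> Optional[str]:
        """Steps 906-918 of Figure 9: AND the destination with each entry's netmask
        and compare with the entry's network address; the link layer address of the
        matching entry is the next hop. The 0.0.0.0/0 entry would match every
        address, so it is held back and used only when nothing else matches."""
        dst = int(IPv4Address(dst_ip))
        default: Optional[str] = None
        # Walk longest prefix first so that 10.0.0.0/8 wins over 0.0.0.0/0.
        for net, mac, _ in sorted(self.entries.values(),
                                  key=lambda e: e[0].prefixlen, reverse=True):
            if net.prefixlen == 0:
                default = mac
                continue
            if (dst & int(net.netmask)) == int(net.network_address):
                return mac
        return default


if __name__ == "__main__":
    # The two announcements from the text: default route from NIM 302, 10/8 from NIM 304.
    table = NimRoutingTable()
    table.learn("0.0.0.0/0", "02:00:00:01:01:35", now=100.0)
    table.learn("10.0.0.0/8", "04:01:51:F3:00:03", now=100.0)
    print(table.next_hop_mac("10.43.1.6"))    # second NIM's ICI address
    print(table.next_hop_mac("203.15.66.3"))  # default route (first NIM)
    print(table.expire(now=131.0))            # both stale: 31 s without an announcement
```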
As a further example, in order to start a TCP connection from a host of the second network 312 to a web server in the first network 310, the following messages are typical of those that would be exchanged between the first NIM 302 and the second NIM 304:
The second NIM 304: Etherdata(IP(10.43.1.6,203.15.66.3)TCP(SYN,DPORT=80))
The first NIM 302: Etherdata(IP(203.15.66.3,10.43.1.6)TCP(SYN-ACK,SPORT=80)) Further packets in this TCP session are exchanged in a similar manner.
The packets carrying announcements from each NIM 302, 304, 306 have the following structure:
 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|   mac address   |   mac address   |type | len |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| cmd | num |   mac address   | ip address|
+--+--+--+--+--+--+--+--+--+--+--+--+--+
As an example of the exchange between NIMs, the "type" field is set to 0x7878, the "len" (length) field is set to the length of the data following the "type" field (16), the "cmd" field is set to a value that other NIMs understand to mean "add an ip-address/mac address pair to the routing table" (say, 1), and the "num" field provides the number of mac-address/ip-address pairs (in this example, 1).
For added security, the NIMs 302 to 306 can be configured with a shared secret that is used, along with the contents of the data being sent in each control message, to generate a hash value using a one-way hashing function such as MD5 or SHA-1 appended to the control message. NIMs receiving such messages use the hash value to determine that the message has been correctly sent and received, protecting against generic communication errors and fraudulent messages. To further improve security, public key cryptography can be used, whereby each of the NIMs 302 to 306 has the public keys for all the other NIMs and uses its private key to encrypt messages sent to the other NIMs individually, rather than broadcasting.
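The announcement frame sketched above together with the shared-secret hash of this paragraph, as an added example that is not code from the patent: a sending NIM serialises mac-address/ip-address pairs and appends a keyed hash; the receiving NIM verifies the hash before it parses anything, so a corrupted or forged announcement never reaches its routing table. Assumptions: "cmd" and "num" are 2 bytes each (chosen so a one-pair announcement has len == 16, as in the text), the hash is HMAC-SHA1 rather than a bare hash of secret and data, and the secret and addresses are constructed.

```python
# Added example, not code from the patent: building and checking the routing
# announcement frame (dst MAC, src MAC, type, len, cmd, num, MAC/IP pairs) with a
# shared-secret hash appended. Assumptions: cmd and num are 2 bytes each; the tag
# is HMAC-SHA1 over the frame (a keyed construction, chosen instead of hashing
# secret||data); the secret and all addresses are constructed sample values.
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import List, Tuple

ETHER_TYPE_ANNOUNCE = 0x7878          # "type" value from the example in the text
CMD_ADD_ROUTE = 1                     # "add an ip-address/mac address pair" (say, 1)
TAG_LEN = hashlib.sha1().digest_size  # 20-byte tag appended after the pairs
HEADER_LEN = 20                       # 6 + 6 + 2 (type) + 2 (len) + 2 (cmd) + 2 (num)
PAIR_LEN = 10                         # 6-byte MAC + 4-byte IP


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join("%02X" % b for b in raw)


def build_announcement(dst_mac: str, src_mac: str,
                       pairs: List[Tuple[str, str]], secret: bytes) -> bytes:
    """Serialise an announcement. "len" counts the bytes after the type field
    (len itself, cmd, num and the pairs) and does not include the tag."""
    body = struct.pack("!HH", CMD_ADD_ROUTE, len(pairs))
    for mac, ip in pairs:
        body += mac_to_bytes(mac) + IPv4Address(ip).packed
    length = 2 + len(body)
    frame = (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
             + struct.pack("!HH", ETHER_TYPE_ANNOUNCE, length) + body)
    tag = hmac.new(secret, frame, hashlib.sha1).digest()
    return frame + tag


def parse_announcement(frame: bytes, secret: bytes) -> List[Tuple[str, str]]:
    """Verify the tag first, then decode the (MAC, IP) pairs. Raises ValueError
    for a short, malformed, foreign-type or unauthenticated frame."""
    if len(frame) < HEADER_LEN + TAG_LEN:
        raise ValueError("frame too short")
    data, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(secret, data, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("bad authentication tag")
    etype, length = struct.unpack("!HH", data[12:16])
    if etype != ETHER_TYPE_ANNOUNCE:
        raise ValueError("not an announcement frame")
    if length != len(data) - 14:
        raise ValueError("len field does not match frame size")
    cmd, num = struct.unpack("!HH", data[16:20])
    if cmd != CMD_ADD_ROUTE or len(data) != HEADER_LEN + PAIR_LEN * num:
        raise ValueError("unexpected cmd or pair count")
    pairs = []
    for i in range(num):
        off = HEADER_LEN + PAIR_LEN * i
        pairs.append((bytes_to_mac(data[off:off + 6]),
                      str(IPv4Address(data[off + 6:off + PAIR_LEN]))))
    return pairs


def announcement_accepted(frame: bytes, secret: bytes) -> bool:
    """True if the receiving NIM would act on the frame, False if it discards it."""
    try:
        parse_announcement(frame, secret)
        return True
    except ValueError:
        return False


def len_field(frame: bytes) -> int:
    return struct.unpack("!H", frame[14:16])[0]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    frame = build_announcement("FF:FF:FF:FF:FF:FF", "04:01:51:F3:00:03",
                               [("04:01:51:F3:00:03", "10.0.0.0")], secret)
    print(len_field(frame), parse_announcement(frame, secret))
    # A frame altered in transit or sent by a host without the secret is dropped.
    tampered = frame[:26] + bytes([frame[26] ^ 0x01]) + frame[27:]
    print(announcement_accepted(tampered, secret), announcement_accepted(frame, b"x"))
```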
From a management perspective, although the NIMs 302 to 306 in the packet forwarding apparatus 300 operate independently of each other as autonomous entities, the configuration manager modules 410 of the NIMs 302 to 306 allow them to be managed collectively as part of the entire system 300 rather than as separate entities. The packet forwarding apparatus 300 thus appears as a single piece of hardware so far as management is concerned by virtue of data exchange between the NIMs 302, 304, 306. However, it is also possible to interact with each at an individual level if desired by establishing a command session from a master NIM to another NIM.
A typical manner in which the apparatus 300 is administered is to select a NIM, such as the first NIM 302, as the primary component or master NIM through which to interact with the apparatus 300 when initialising the apparatus 300 for use. Thereafter, further management activity by an administrator is undertaken through the first NIM 302 with the other NIMs 304, 306, acting as slave devices and being configured by the first NIM 302 through the exchange of control messages over the interconnect 308. Configuration commands provided to the master NIM are used by the master NIM to generate and send slave configuration messages to one or more of the slave NIMs.
This arrangement also makes the packet forwarding apparatus 300 more robust, because if the master NIM detects that one or more of the slave NIMs has failed or is acting suspiciously, the master NIM can attempt to disable those NIMs, and can effectively eliminate them from packet forwarding and routing processes by removing the routing table entries for those NIMs from the master NIM's routing table, and instructing any other slave NIMs to do the same. The master NIM can then generate an alert message to alert an administrator to the status of the disabled NIMs. Upon receiving such an alert, the administrator can then investigate the problem further. If additional NIMs are added to the packet forwarding apparatus 300, the administrator can disconnect the network from the NICs of the disabled NIMs, and connect them to the NICs of any spare NIMs. Alternatively, the master NIM can be configured to automatically select the spare NIMs and configure them to perform the functions of the disabled NIMs, and inform the administrator that the appropriate network cables can be disconnected from the disabled NIMs and connected to the newly configured NIMs.
In an alternative embodiment, two or more layer 3 loopback network addresses are used for the internal interconnection interfaces between two NIMs, rather than using link layer communications. Host addresses 127.0.0.x are reserved for loopback interfaces, with network 127.x.x.x being regarded as a loopback network. A loopback interface is a virtual network interface that loops back to the source node. A packet sent to a loopback interface is never sent out on a physical network, but is simply looped back to the network input queue on the same host. A node's loopback interface is therefore not addressable from outside the node itself, because loopback addresses cannot be used on a physical network.
In this embodiment, the loopback network 127.x.x.x is subnetted to allow addresses within it to be used as addresses in the interconnect 308, and the ICI 404 on each of the NIMs 302 to 306 is assigned an IP address in that subnet. As an example, the netmask of the loopback interface for each NIM 302 to 306 would become 255.255.255.0 - its IP address is 127.0.0.1 — as would that for each ICI 404. However, an ICI 404 has an IP address in a different subnet, such as 127.0.1.0/24, of 127.0.1.1. Other NIMs have different addresses on the same subnet (e.g., 127.0.1.2, 127.0.1.3, and so on, as required).
In this embodiment, the ICIs 404 are not addressable from the insecure network 104 or the private network 106 for a number of reasons. Consider an IP packet with a destination address in the standard loopback network (i.e., 127.x.x.x). When sent from a remote node of the insecure network 104, such a packet will not match any entry in the routing tables of that node or any intermediate nodes, and will therefore be continually forwarded on the default route of each node. This assumes that the packet address does not match an address assigned to the loopback interface of any node, in which case the packet would not be forwarded because it would be handled locally. Thus the packet is unlikely to ever reach the packet forwarding apparatus 300. Also, because the destination address is an illegal address for an IP packet outside a host, the packet will be dropped or filtered by a node, as described in RFC 1122.
Moreover, even if a hacker compromised a host on the same external network segment as a NIM and sent an IP packet with a destination address of 127.0.1.x, corresponding to an address assigned to an ICI 404 on the interconnect 308, the packet will not be forwarded on the interconnect 308 because each NIM is configured to drop packets with addresses of 127.x.x.x received at the NIM's external NIC 402. The same applies if the packet originated from the private network 106, the packet was not dropped, and the default route included the packet forwarding apparatus 300.
This embodiment provides much of the same functionality as the preferred embodiment based on link layer addresses, but at the expense of providing an attackable point if an attacker should compromise a NIM because it would then be possible to target applications that use TCP/IP on other NIMs.
In addition to the above, the packet processor 406 of each NIM 302, 304, 306 can optionally execute standard packet filtering and/or proxy processing processes on network packets received from one of the interfaces 402, 404. Thus each of the NIMs 302 to 306 can optionally perform security validation on all packets received and transmitted, and any packets that are not dropped are forwarded to the other interface. This allows the packet forwarding apparatus 300 to define a protected zone 802, including a server network 804 for providing network services to an insecure network 806 connected to the first NIM 302 and a private network 808 connected to the second NIM 304. The third NIM 306 provides a path to publicly accessible servers in the server network 804, including the web server 108, the public file server 109, and the email server 110.
The physical construction of the interconnect 308 can, through its wiring, be a part of the embodiment of the security policy. For example, in a network with separate transmit and receive connections, the transmit pin(s) from ICI 404 on each of the first and second NIMs 302 and 304 can be connected only to the receive pin(s) of the third NIM 306, and the transmit pin(s) of the third NIM 306 can be connected to the receive pin(s) of the first and second NIMs 302 and 304, making it impossible for data to be transmitted from the first NIM 302 to the second NIM 304 directly.
Furthermore, the storage device 408 in each NIM 302, 304, 306 can also allow each NIM 302, 304, 306 to perform more complex roles, such as acting as an email gateway or cache. Alternatively, if there is no requirement for attaching an additional network such as the server network 312, the third NIM 306 can again be omitted if desired. However, additional NIMs, such as the third NIM 306, can also be used to provide additional security by configuring other NIMs, such as the first NIM 302 and/or the second NIM 304, to pass traffic through all three NIMs 302 to 306 for packet filtering, as described below. Each of the NIMs 302 to 306 can also provide VPN (Virtual Private Network) or other gateway functionality, such as providing DNS (Domain Name System), mail filtering, etc., if desired. A packet passing through the packet forwarding apparatus 300 passes through the security policies of at least two of the NIMs 302 to 306 before exiting the system 300.
The packet forwarding apparatus 300 can be provided with additional NIMs to control packet flows through the system 300 in a variety of ways. For example, Figure 5 shows a packet forwarding apparatus 500 with a fourth NIM 502 in addition to the three NIMs 302 to 306 shown in Figure 3. The packet forwarding apparatus 500 is configured to direct packets flowing through the packet forwarding apparatus 500 to pass through three NIMs (i.e., 302, 304, and either 502 or 306, depending on the packet direction); there is no direct connectivity between the insecure network 104 and the private network 106. In addition, although the web server 108, public file server 109, and email server 110 can be accessed from both the insecure network 104 and the private network 106, they cannot be accessed from the other network 504 connected to the fourth NIM 502.
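The wiring arrangement of Figure 3 (transmit pins of the first and second NIMs connected only to the receive pins of the third NIM, and the third NIM's transmit pins connected back to both) and the per-NIM filtering it forces are modelled below as an added example; this is not code from the patent. The wiring is represented as a directed graph of transmit-to-receive links, and a packet is carried from its ingress NIM to its egress NIM only along links that physically exist, with every NIM on the path applying its own policy. The network names and the policy rules attributed to each NIM are assumptions made for illustration.

```python
"""Interconnect wiring as part of the security policy (Figure 3 arrangement).

WIRING lists, for each NIM, the NIMs whose receive pins its transmit pins reach.
A pair that is not listed cannot exchange data at all, whatever software says,
so a packet between the first and second NIMs must cross the third NIM and be
checked by its policy as well.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]  # keys: src_net, dst_net, dport (constructed representation)

# Directed wiring from the description: tx of key -> rx of each listed value.
WIRING: Dict[str, List[str]] = {
    "NIM302": ["NIM306"],
    "NIM304": ["NIM306"],
    "NIM306": ["NIM302", "NIM304"],
}

# External network fronted by each NIM (assumed names, following Figure 8's zones).
FRONTS: Dict[str, str] = {"NIM302": "insecure", "NIM304": "private", "NIM306": "server"}


def has_direct_link(tx_nim: str, rx_nim: str) -> bool:
    """True only if tx_nim's transmit pins are wired to rx_nim's receive pins."""
    return rx_nim in WIRING.get(tx_nim, [])


def interconnect_path(src_nim: str, dst_nim: str) -> Optional[List[str]]:
    """Shortest sequence of NIMs the wiring physically allows, or None if unreachable."""
    prev: Dict[str, Optional[str]] = {src_nim: None}
    queue = deque([src_nim])
    while queue:
        cur = queue.popleft()
        if cur == dst_nim:
            path: List[str] = []
            node: Optional[str] = cur
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in WIRING.get(cur, []):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def nim_policy(nim: str, pkt: Packet) -> bool:
    """Assumed per-NIM filter rules (illustrative, not from the patent). True = forward."""
    src, dst, dport = pkt["src_net"], pkt["dst_net"], pkt["dport"]
    if nim == "NIM302":   # insecure side: outside hosts may only reach server-zone web/mail
        return src != "insecure" or (dst == "server" and dport in (80, 25))
    if nim == "NIM304":   # private side: nothing initiated from the insecure net gets in
        return not (src == "insecure" and dst == "private")
    if nim == "NIM306":   # server zone: inbound only to the published service ports
        return dst != "server" or dport in (80, 25)
    return False          # unknown NIM: fail closed


def forward(pkt: Packet) -> Tuple[str, List[str]]:
    """Carry pkt across the apparatus; returns (outcome, NIMs that handled it)."""
    ingress = next(n for n, net in FRONTS.items() if net == pkt["src_net"])
    egress = next(n for n, net in FRONTS.items() if net == pkt["dst_net"])
    path = interconnect_path(ingress, egress)
    if path is None:
        return ("unreachable", [])
    for nim in path:
        if not nim_policy(nim, pkt):
            return ("dropped@" + nim, path[: path.index(nim) + 1])
    return ("delivered", path)


if __name__ == "__main__":
    print(has_direct_link("NIM302", "NIM304"))                  # False: no direct wiring
    print(forward({"src_net": "private", "dst_net": "insecure", "dport": 443}))
```

A private-to-insecure packet is examined by all three NIMs (304, 306, 302) because the wiring leaves no shorter route, which is the "at least two" guarantee of the description enforced by copper rather than by configuration.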
Although each of the NIMs 302 to 306 of the packet forwarding apparatus 300 has been described above as being based on a standard computer system with two network interfaces, it is preferable that the entire packet forwarding apparatus be provided in a single housing or chassis containing all of the NIMs 302 to 306 and the interconnect 308. This can be achieved by installing the major components of each computer system in a single chassis and sharing a single power supply.
In a further alternative embodiment, NIMs are provided as components on one or more removable cards for placement in a single computer system, whereby the NIMs communicate over a bus of the computer system rather than over a network. However, as in the embodiments described above, the NIMs still operate autonomously, and in particular, operate independently of the operating system of the host computer system; the NIMs do not use any part of the host computer system for RAM, CPU or storage. For example, NIMs can be provided on a single removable card 602 for installation in a computer system, as shown in Figure 6. In this embodiment, the PCI card 602 includes a first NIM 604 connected to the insecure network 104 through a first NIC 606, and a second NIM 608 connected to the private network 106 through a second NIC 610. A third NIM 612 provides access to a protected zone. Each NIM 604, 608, 612 includes random access memory (RAM) 614, a microprocessor 616, and a non-volatile storage device 618 such as flash memory. The NIMs 604, 608, 612 are interconnected by an interconnect 620 on the card 602. The card's PCI bus connection 622 provides the external interface to the third NIM 612. The computer providing the interface can also provide network services from the protected zone. It will be apparent that any number of NIMs can be provided on a single card, subject to physical space limitations.
In yet a further embodiment, one or more NIMs are provided as a single hardware component, such as an ASIC. For example, Figure 7 shows a schematic diagram of a single chip NIM 700 including a network interface connection (NIC) 702, a CPU 704, random access memory 706, non-volatile storage 708, and an interconnect connection interface 710.
In yet another further embodiment, each NIM can be provided in its own virtual machine executed by a single host computer. The virtual machines could be provided by software products such as VMWare, available from http://www.vmware.com. Each VMWare instance provides one NIM. VMWare's networking services can be used to provide the interconnect required for internal communication between NIMs.
Although embodiments of the invention have been described above in terms of IP version 4 network protocols and addresses, it will be apparent that other network protocols and addresses (including IP version 6) can alternatively be used. Furthermore, although embodiments of the invention have been described as being connected between one or more communications networks, it will be apparent that one or more of the NIMs can be alternatively connected to a corresponding single system, host or node.
Many modifications will be apparent to those skilled in the art without departing from the scope of the present invention as herein described with reference to the accompanying drawings.

Claims
1. A packet forwarding apparatus, including at least two autonomous packet forwarding components having respective external interfaces for connection to respective external networks, and respective internal interfaces for connection to a network internal to said apparatus and interconnecting said at least two packet forwarding components, the internal interfaces being addressable only by link layer addresses or addresses in a subnet of a loopback network.
2. A packet forwarding apparatus as claimed in claim 1, wherein said at least two packet forwarding components are adapted to disallow association of said internal interfaces with addresses for network protocol layers higher than a link layer.
3. A packet forwarding apparatus as claimed in claim 1, wherein said internal interfaces are interconnected by an optical interconnect or an electrical interconnect.
4. A packet forwarding apparatus as claimed in claim 1, wherein said interconnect includes a device adapted to route packets between said internal interfaces on the basis of link layer addresses of said packets.
5. A packet forwarding apparatus as claimed in claim 1, wherein said internal interfaces are interconnected by a network.
6. A packet forwarding apparatus as claimed in claim 1, wherein said interconnect includes an Ethernet network, and the internal interfaces of said at least two packet forwarding components are adapted to transmit Ethernet frames.
7. A packet forwarding apparatus as claimed in claim 6, wherein said Ethernet frames include control frames and data frames having respective type codes.
8. A packet forwarding apparatus as claimed in claim 7, wherein said control frames are encrypted.
9. A packet forwarding apparatus as claimed in claim 7, wherein said control frames include a hash field for ensuring data integrity and authenticity.
10. A packet forwarding apparatus as claimed in claim 7, wherein said control frames include a digital signature for ensuring data integrity and authenticity.
11. A packet forwarding apparatus as claimed in claim 7, wherein said type codes are not used by any protocol available on said external networks.
12. A packet forwarding apparatus as claimed in claim 1, wherein said packet forwarding components communicate using a protocol that is not available on said external networks.
13. A packet forwarding apparatus as claimed in claim 12, wherein said protocol allows said packet forwarding components to be individually addressed.
14. A packet forwarding apparatus as claimed in claim 1, including at least three of said packet forwarding components.
15. A packet forwarding apparatus as claimed in claim 14, wherein said packet forwarding apparatus is configured to route packets through at least three of said at least three packet forwarding components.
16. A packet forwarding apparatus as claimed in claim 1, wherein said packet forwarding components are adapted to allow a selected one of said packet forwarding components to act as a master component for configuring said apparatus, and the other packet forwarding components to act as slave components of said master component.
17. A packet forwarding apparatus as claimed in claim 16, wherein said master component is adapted to detect failure or compromise of at least one of said slave components, and to adapt one or more routing tables of said packet forwarding components to redirect packets to another of said slave components.
18. A packet forwarding apparatus as claimed in claim 17, wherein said master component is adapted to generate an alert for an administrator of said packet forwarding apparatus.
19. A packet forwarding apparatus as claimed in claim 1, wherein the components of said apparatus are mounted in a single housing or chassis.
20. A packet forwarding apparatus as claimed in claim 1, wherein one or more of said packet forwarding components are provided on a removable card for a computer system.
21. A packet forwarding apparatus as claimed in claim 1, wherein one or more of said packet forwarding components are provided by one or more dedicated hardware components.
22. A packet forwarding apparatus as claimed in claim 21, wherein said one or more dedicated hardware components includes one or more application-specific integrated circuits (ASICs).
23. A packet forwarding apparatus as claimed in claim 1, wherein at least one of said packet forwarding components is adapted to perform packet filtering on packets received by the at least one packet forwarding component.
24. A packet forwarding apparatus as claimed in claim 1, wherein one or more of said at least two packet forwarding components are adapted to operate as firewalls.
25. A packet forwarding apparatus as claimed in claim 1, wherein said packet forwarding apparatus is adapted to generate a routing table including one or more entries, wherein each of said entries includes a hardware address of a packet forwarding component of said apparatus, a layer 3 network address of a network connected to the external interface of said packet forwarding component, and a network mask for said network.
26. A routing table for use in selecting a next-hop node for a received network packet, each entry of said routing table including an address of a destination network and a link layer address of a next-hop node for said destination network.
27. A routing process, including: receiving a data packet including a destination address; determining an address of a network corresponding to said destination address; and determining a link layer address of a next-hop node corresponding to the address of said network, said next-hop node only being assigned a link layer address.
28. A process for generating a routing table, including: generating, at a network component having a first network interface and a second network interface, said first network interface having a network layer address and a link layer address, and said second network interface having only a link layer address, an announcement message including a network layer address of a network connected to said first network interface, and said link layer address of said second network interface.
29. A packet forwarding apparatus having components for executing the steps of claim 27 or claim 28.
30. A computer-readable storage medium having stored thereon program code for executing the steps of claim 27 or claim 28.
31. A packet forwarding apparatus, including at least two packet forwarding components having respective external interfaces for connection to respective external networks, and respective internal interfaces for interconnecting said at least two packet forwarding components, said internal interfaces being addressable only internally to said apparatus.
32. A packet forwarding apparatus as claimed in claim 31, wherein said at least two packet forwarding components are autonomous.
33. A packet forwarding apparatus as claimed in claim 31, wherein said internal interfaces are only addressable by link layer addresses.
34. A packet forwarding apparatus as claimed in claim 1, wherein said internal interfaces are assigned addresses in a subnet of a loopback network.
35. A packet forwarding apparatus as claimed in claim 1, wherein transmit and receive connections between said internal interfaces are configured to restrict communications between said internal interfaces.
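Claims 25 to 28 describe a routing table whose next hop is identified by a link layer address rather than a network layer address, built from announcement messages in which each component advertises the network behind its externally addressed interface together with the link layer address of its internal interface. The following is an added example of those processes written for this page; it is not the patent's own code. The announcement wire format (network address, mask, 6-byte hardware address), the sample networks and the hardware addresses are all constructed for the example.

```python
"""Routing table with link layer next hops (claims 25 to 28), as an illustration.

Each packet forwarding component has an external interface with a network layer
address and an internal interface that carries only a link layer address. The
component announces (network, mask, internal link layer address); receivers
record that as a route and later resolve a destination IP to the next hop's
link layer address by longest prefix match.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

_ANN_FMT = "!4s4s6s"  # assumed encoding: network address, netmask, internal hardware address


@dataclass(frozen=True)
class Announcement:
    network: ipaddress.IPv4Network   # network behind the announcer's external interface
    internal_mac: bytes              # link layer address of the announcer's internal interface

    def encode(self) -> bytes:
        """Serialise to the assumed 14-byte wire format."""
        return struct.pack(_ANN_FMT, self.network.network_address.packed,
                           self.network.netmask.packed, self.internal_mac)

    @staticmethod
    def decode(data: bytes) -> "Announcement":
        """Parse the assumed wire format; rejects wrong lengths and non-contiguous masks."""
        if len(data) != struct.calcsize(_ANN_FMT):
            raise ValueError("bad announcement length")
        net, mask, mac = struct.unpack(_ANN_FMT, data)
        network = ipaddress.IPv4Network((net, str(ipaddress.IPv4Address(mask))))
        return Announcement(network, mac)


@dataclass(frozen=True)
class RouteEntry:
    """One routing table entry per claim 25: destination network (with mask) and hardware address."""
    network: ipaddress.IPv4Network
    next_hop_mac: bytes


class RoutingTable:
    def __init__(self) -> None:
        self.entries: List[RouteEntry] = []

    def learn(self, ann: Announcement) -> None:
        """Install or refresh the route advertised by an announcement (claim 28)."""
        self.entries = [e for e in self.entries if e.network != ann.network]
        self.entries.append(RouteEntry(ann.network, ann.internal_mac))

    def next_hop(self, dst: str) -> Optional[bytes]:
        """Resolve a destination address to a next-hop link layer address (claim 27)."""
        addr = ipaddress.IPv4Address(dst)
        best: Optional[RouteEntry] = None
        for entry in self.entries:
            if addr in entry.network and (best is None or entry.network.prefixlen > best.network.prefixlen):
                best = entry
        return best.next_hop_mac if best is not None else None


def mac(text: str) -> bytes:
    """Helper: 'aa:bb:cc:dd:ee:ff' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def demo_table() -> RoutingTable:
    """Constructed sample: two components announce their external networks over the interconnect."""
    table = RoutingTable()
    wire_msgs = [
        Announcement(ipaddress.IPv4Network("192.0.2.0/24"), mac("02:00:00:00:00:01")).encode(),
        Announcement(ipaddress.IPv4Network("0.0.0.0/0"), mac("02:00:00:00:00:02")).encode(),
    ]
    for msg in wire_msgs:
        table.learn(Announcement.decode(msg))
    return table


if __name__ == "__main__":
    t = demo_table()
    print(t.next_hop("192.0.2.9").hex(":"))      # 02:00:00:00:00:01
    print(t.next_hop("203.0.113.5").hex(":"))    # 02:00:00:00:00:02 (default route)
```

Because the next hop is a hardware address, resolving a route never produces a network layer address for an internal interface, which is what keeps the interconnect unreachable from the attached networks.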
PCT/AU2004/000269 2003-03-03 2004-03-03 A packet forwarding apparatus WO2004080024A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2003900991 2003-03-03
AU2003900991A AU2003900991A0 (en) 2003-03-03 2003-03-03 A firewall system

Publications (1)

Publication Number Publication Date
WO2004080024A1 true WO2004080024A1 (en) 2004-09-16

Family

ID=31500036

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2004/000269 WO2004080024A1 (en) 2003-03-03 2004-03-03 A packet forwarding apparatus

Country Status (2)

Country Link
AU (1) AU2003900991A0 (en)
WO (1) WO2004080024A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5917820A (en) * 1996-06-10 1999-06-29 Cisco Technology, Inc. Efficient packet forwarding arrangement for routing packets in an internetwork
EP1024627A2 (en) * 1999-01-29 2000-08-02 Lucent Technologies Inc. A method and apparatus for managing a firewall
WO2000051298A1 (en) * 1999-02-26 2000-08-31 Redstone Communications, Inc. Network router search engine using compressed tree forwarding table
US20020039357A1 (en) * 2000-09-29 2002-04-04 Jaakko Lipasti Addressing and routing in mobile ad hoc networks
US20030002438A1 (en) * 2001-07-02 2003-01-02 Hitachi, Ltd. Packet forwarding apparatus with packet controlling functions
US20040008675A1 (en) * 2002-07-09 2004-01-15 International Business Machines Corporation Method and router for forwarding internet data packets
US20040042456A1 (en) * 2002-08-27 2004-03-04 International Business Machines Corporation Method and system for processing data packets

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1662718A1 (en) * 2004-11-30 2006-05-31 Alcatel Alsthom Compagnie Generale D'electricite Flow-aware Ethernet Digital Subscriber Line Access Multiplexer DSLAM
WO2006058611A1 (en) * 2004-11-30 2006-06-08 Alcatel Lucent Flow-aware ethernet digital subscriber line access multiplexer dslam
US7599366B2 (en) 2004-11-30 2009-10-06 Alcatel Flow-aware ethernet digital subscriber line access multiplexer DSLAM
CN1783846B (en) * 2004-11-30 2010-05-05 阿尔卡特公司 Flow-aware Ethernet digital subscriber line access multiplexer dslam
US8059530B1 (en) * 2005-09-30 2011-11-15 GlobalFoundries, Inc. System and method for controlling network access
US8184550B2 (en) 2007-04-26 2012-05-22 Imec Gateway with improved QoS awareness
EP1986374A1 (en) * 2007-04-27 2008-10-29 Interuniversitair Microelektronica Centrum (Imec) Gateway with improved QoS awareness

Also Published As

Publication number Publication date
AU2003900991A0 (en) 2003-03-20

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase