United States Patent
Patent No.: US 8,356,334 B2
Yik et al.
Date of Patent: Jan. 15, 2013

(54) DATA NETWORK NODE HAVING ENHANCED SECURITY FEATURES

(75) Inventors: James Ching-Shau Yik, Mission Viejo, CA (US); Eric Lin, Hacienda Heights, CA (US)

(73) Assignee: Conexant Systems, Inc., Newport Beach, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 3275 days.

(21) Appl. No.: 09/866,259

(22) Filed: May 25, 2001

(65) Prior Publication Data: US 2003/0208571 A1, Nov. 6, 2003

(51) Int. Cl.: G06F 7/04 (2006.01)

(52) U.S. Cl.: 726/3; 726/2; 380/247; 380/248; 380/249; 380/250; 709/225

(58) Field of Classification Search: 709/208, 709/225; 713/162; 726/2, 3; 380/247, 248, 380/249, 250. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

4,893,340 A * 1/1990 Lubarsky et al. ........ 709/208
5,996,021 A * 11/1999 Civanlar et al. ........ 709/238
6,069,889 A * 5/2000 Feldman et al. ........ 370/351
6,870,844 B2 * 3/2005 Tuck et al. ........ 370/390
7,065,644 B2 * 6/2006 Daniell et al. ........ 713/166
2002/0147916 A1 * 10/2002 Strongin et al. ........ 713/193
2002/0156888 A1 * 10/2002 Lee et al. ........ 709/224
2003/0014665 A1 * 1/2003 Anderson et al. ........ 713/201

OTHER PUBLICATIONS

Badger, M.R. and Murphy, S.L., Digital Signature Protection of the OSPF Routing Protocol, 1996 IEEE, pp. 93-102.*

* cited by examiner

Primary Examiner: Edan Orgad
Assistant Examiner: Roderick Tolentino
(74) Attorney, Agent, or Firm: Jackson Walker L.L.P.; Christopher J. Rourk

(57) ABSTRACT

An apparatus and methods for securely forwarding data packets at a data switching node in a data transport network are provided. The data switching node maintains a switching database of switching entries. Each switching entry has a modification protection feature preventing its modification when activated. Dynamic topology discovery of data network nodes can be disabled via topology discovery control flags associated with individual physical communications ports of the data switching node. Unknown destination flood data traffic is not replicated to physical communications ports having topology discovery disabled or specifying the suppression of replication of such unknown destination data traffic thereto. The advantages are derived from a data switching node being enabled to operate concurrently in friendly and hostile environments while detecting, preventing and reporting incidences of hostile MAC ADDR attacks.

20 Claims, 3 Drawing Sheets
`
[Representative drawing, FIG. 1: Data Switching Node 100 with controller 101 and SW DB 102; physical ports 106 with PortIDs 1, 2, 3, ..., N; link 108; segment 110. Attached data network nodes 104: Network Node A, MAC ADDR X (Friendly); Network Node B, MAC ADDR Y (Friendly); Network Node C, MAC ADDR W (Friendly); Network Node D, MAC ADDR Z (Friendly); Network Node E, MAC ADDR Y (Hostile).]

Sheet 1 of 3: FIG. 1 (drawing; no further text recoverable from this extraction)

Sheet 2 of 3 (drawings; no text recoverable from this extraction)

Sheet 3 of 3 (drawing; no text recoverable from this extraction)
DATA NETWORK NODE HAVING ENHANCED SECURITY FEATURES

FIELD OF THE INVENTION

The invention relates to data switching in a data transport network and in particular to methods and apparatus providing enhanced networking security.

BACKGROUND OF THE INVENTION

In conveying data over data transport networks, data switching nodes are used to direct the flow of data traffic over interconnecting data links. Each data link is connected to a data switching node via a physical communications port having a port identifier.

The data to be conveyed is typically divided into Payload Data Units (PDUs) such as data packets, frames, cells, etc. Each PDU includes routing information and a payload. The routing information is typically held in a PDU header. For example, the routing information includes Media Access Control ADDResses (MAC ADDRs). MAC ADDRs are unique and are associated with data network interfacing equipment associated with data network nodes. An example of network interfacing equipment is a Network Interface Card (NIC). Therefore a MAC ADDR is said to represent a data network node identifier. MAC ADDR instances in the routing information are associated with what are known as Source and Destination Addresses.

Data switching nodes make use of the MAC ADDR information for dynamic topology discovery of connected data network nodes and to forward data traffic to particular destination MAC ADDRs. Such a data switching node maintains a switching database and is said to perform "Layer 2 switching". Layer 2 refers to the Open Systems Interconnection (OSI) protocol stack, which specification is well known in the art of data switching and transport, and is included herein by reference.

An exemplary implementation of a switching database is a table having switching database entries, each entry specifying an association between a MAC ADDR and a Port IDentifier (PortID). Any received PDU specifying a MAC ADDR held in the switching database is switched to the PortID specified in the corresponding database entry.

Without the switching database the data switching node behaves like a hub which broadcasts each PDU over all physical communications ports associated therewith except for the physical communications port on which the PDU was received. This broadcast operation is also known as "flooding". Having the switching database reduces the incidence of flooding to instances in which received PDUs bear unknown destination MAC ADDRs not present in the switching database.

In constructing a switching database, a process also known as topology discovery, a controller associated with the data switching node extracts the source MAC ADDRs of PDUs received on each physical communications port. If the MAC ADDR:PortID pair is not found in the switching database, the controller creates an entry in the switching database storing the new MAC ADDR:PortID association. This ability to construct the switching database also provides dynamic discovery of data network nodes recently added to data network segments connected to the data switching node. Dynamically discovering data network nodes and constructing a switching database provides plug-and-play operation of such data switching equipment, which would otherwise require extensive human interaction and absolute knowledge of the connected data network nodes in the data transport network.

The plug-and-play operation is often extended to enabling the data switching node to keep track of movement of data network nodes as they connect to different segments of the data transport network associated with the data switching node. The association between the MAC ADDR and PortID is changed in the switching database when a PDU having a MAC ADDR specified in an entry is received from a different physical communications port having a different PortID than the PortID specified therein. In such a case, the new PortID is simply written over the previous PortID specification stored in the entry.

While the plug-and-play functionality reduces human involvement in the discovery of data network nodes in the associated data transport network, in the construction of the switching database and in its reconfiguration as data network nodes move in the associated data network, the plug-and-play functionality exposes data network nodes to hostile MAC ADDR attacks. An exposure to a hostile environment exists, for example but not exclusively, when the data switching node bridges connectivity between two data transport networks.

For example, in a hostile environment, a hostile data network node may try to spy on the traffic destined to a specific MAC ADDR by taking advantage of the automatic switching database reconfiguration feature of the data switching node. According to an exemplary scenario, the hostile data network node sends towards the data switching node a data packet having a source MAC ADDR corresponding to the MAC ADDR of the data network node to be attacked. The data switching node registers a data network node move and modifies the switching database entry corresponding to the MAC ADDR by overwriting the PortID specification with the PortID corresponding to the physical communications port with which the hostile data network node is associated. Thereafter, all PDUs destined to the MAC ADDR of the attacked data network node are forwarded by the data switching node to the hostile data network node. The MAC ADDR attack can be as extensive as the hostile data network node taking over the functionality of the attacked data network node. The incident fully complies with the intended operation of currently deployed data switching equipment and would otherwise go undetected.

Therefore, there is a need to enable data switching nodes to operate concurrently in friendly and hostile environments while detecting, preventing and reporting incidences of hostile MAC ADDR attacks.
`
SUMMARY OF THE INVENTION

In accordance with an aspect of the invention, a secure data switching node is provided. The data switching node maintains a switching database having switching database entries. Each database entry is provided with a corresponding entry protection flag. Each entry protection flag is used to selectively disable the editing of the corresponding database entry and enable the data switching node to operate securely and concurrently in friendly and hostile data networking environments.

In accordance with another aspect of the invention, a secure data switching node is provided. The data switching node forwards data traffic between a plurality of physical communications ports and particularly between data network nodes connected to data network segments reachable via the physical communications ports. Each physical communications port has an associated Port IDentifier (PortID). A data network topology discovery feature of the data switching node can be disabled on a PortID-by-PortID basis via the use of topology discovery disable flags, each of which is associated with a PortID. The topology discovery disable feature prevents hostile data network nodes from participating in the data transport network, enabling the data switching node to operate securely and concurrently in friendly and hostile data networking environments.

In accordance with a further aspect of the invention, a secure data switching node is provided. When receiving data traffic having an unknown destination, the data switching node forwards the data traffic using a selective flood control mechanism. When the selective flood control mechanism is activated, the data traffic is flooded to all physical communications ports except: the source physical communications port; and PortIDs having the topology discovery disable feature enabled. The selective flood control mechanism prevents hostile data network nodes from listening to unknown destination data traffic, enabling the data switching node to operate securely and concurrently in friendly and hostile data networking environments.

The advantages are derived from a data switching node being enabled to operate concurrently in friendly and hostile environments while detecting, preventing and reporting incidences of hostile MAC ADDR attacks.
`
BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the invention will become more apparent from the following detailed description of the preferred embodiment(s) with reference to the attached diagrams wherein:

FIG. 1 is a schematic network diagram showing interconnected data network elements operating concurrently in friendly and hostile networking environments;

FIG. 2 is a schematic diagram showing a detail of a switching database maintained by a data switching node, the switching database having switching database entry protection features in accordance with an exemplary embodiment of the invention;

FIG. 3 is a schematic diagram showing a detail of a switching database maintained by a data switching node, the switching database having control features for each physical communications port in accordance with exemplary embodiments of the invention;

FIG. 4 is a schematic diagram showing control features of the data switching node in accordance with the exemplary embodiment of the invention; and

FIG. 5 is a flow diagram showing a secure PDU forwarding process implementing MAC ADDR attack detection, prevention and reporting at a data switching node in accordance with the exemplary embodiment of the invention.

It will be noted that in the diagrams like features bear similar labels.
`
DETAILED DESCRIPTION OF THE EMBODIMENTS

FIG. 1 is a schematic network diagram showing interconnected data network elements operating concurrently in friendly and hostile data networking environments.

A data switching node 100 having a controller 101 maintains a SWitching DataBase (SW DB) 102. The SW DB 102, described in detail with reference to FIG. 2, FIG. 3 and FIG. 4, stores a current configuration (topology) of the data network segments connected to the data switching node 100. The topology information stored in the SW DB 102 specifies which data network node 104 is reachable via which physical port 106. Data network node configurations exist in which more than one data network node 104 is associated with a physical port 106, as data network segments may have more than one data network node.

Individual data network nodes 104 connect to an individual physical communications port 106 via a dedicated communications link such as a network cable 108, as is shown for data network node 104-B. The invention applies equally to bus-network segments 110, ring-network segments 112, etc. connected to the data switching node 100, as shown in FIG. 1.

The data switching node 100 is shown to operate concurrently in friendly and hostile data networking environments. In particular, data network nodes 104-A having MAC ADDR X, 104-B having MAC ADDR Y, 104-C having MAC ADDR W, etc. are friendly, and data network node 104-E "broadcasting as having" MAC ADDR Y is considered a hostile computer.

FIG. 2 is a schematic diagram showing a detail of a switching database maintained by a data switching node, the switching database having switching database entry protection features in accordance with an exemplary embodiment of the invention.

An exemplary implementation of the SW DB 102 is a look-up table generally depicted at 200. The table 200 contains row switching database entries 202, each entry storing a MAC ADDR, an associated PortID and a switching database entry protection indicator, also known as a flag.

As depicted in FIG. 2, table 200 holds the network configuration presented in FIG. 1 where: entry 202-0 corresponds to the data network node 104-A having MAC ADDR X and being connected to physical communications port 106-1, entry 202-1 corresponds to the data network node 104-B having MAC ADDR Y and being connected to physical communications port 106-2, entry 202-2 corresponds to the data network node 104-C having MAC ADDR W and being connected to physical communications port 106-3, entry 202-3 corresponds to the data network node 104-D having MAC ADDR Z and being connected to physical communications port 106-3, etc.

In the art, each entry protection status flag may be referred to as a database entry protection bit. Each entry protection status flag specifies, for example, that the associated switching database entry 202 is protected when the protection bit is set and that the associated entry 202 is unprotected when the protection bit is reset. In particular, FIG. 2 shows the entry protection bit set for entries 202-1 and 202-3. Protected switching database entries having the associated protection bits set cannot be changed, thus locking the association between the MAC ADDR and PortID.

Should the hostile data network node 104-E attempt to send a PDU having MAC ADDR Y on PortID N, controller 101 of the data switching node 100 consults the SW DB 102 and attempts to modify the entry 202-1 corresponding to MAC ADDR Y to change the PortID association from 2 to N. The attempt is prevented by the entry protection bit being set. The failed attempt is detected as a potential intrusion incident and is reported using methods well known in the art such as alert generation and alert dissemination methods.

The switching database entry protection feature is equivalent to, and provides the security provisions inherent in, a manually set switching database entry in an operator-provisioned switching table where the association between a data network node and the data switching node is explicitly defined.

The entry protection status flags may be set via a control interface such as a management console. Other methods exist, including the loading into the switching database 102 of protected entries from secure long-term storage such as a hard drive or an Electronically (Erasable and) Programmable Read Only Memory (E(E)PROM), but are not limited thereto.

Should an entry in the SW DB 102 be protected as shown above, this does not prevent other MAC ADDRs from being associated with the same PortID, as seen in entries 202-2 and 202-3. More than one MAC ADDR can be associated with a PortID when the physical communications port 106 of the data switching node 100 is connected to a multi-node data network segment (112, 110).

Typically, only a limited number of entries can be stored due to storage limitations imposed on the table 200. Should a new source MAC ADDR be received at the data switching node 100 when the table 200 has reached its maximum number of entries, either the oldest or the least used entry is removed from the SW DB 102 to accommodate the new MAC ADDR.

The hostile data network node 104-E may attempt to spy on data traffic passing through the data switching node 100 by sending a large number of PDUs having bogus MAC ADDRs, which are then learned by the data switching node 100, ultimately discarding legitimate entries in the SW DB 102. This process is known as "flushing" legitimate MAC ADDRs out of the SW DB 102.

Once legitimate routing entries are discarded, PDUs having legitimate destination MAC ADDRs corresponding to the discarded routing entries are flooded to all physical communications ports, including the physical communications port to which the hostile data network node is connected. Thereby the hostile data network node is able to spy on the data traffic processed by the data switching node 100.
FIG. 3 is a schematic diagram showing a detail of a switching database maintained by a data switching node, the switching database having control features for each physical communications port in accordance with the exemplary embodiment of the invention.

A topology discovery disable feature may be implemented using control bits (or flags), each control bit being associated with a PortID; other implementations are possible and are not limited to the tabular representation 300 shown. When topology discovery is disabled for a particular PortID, such as is done for PortID 3, additional switching database entries associated with that PortID are prevented from being added to the SW DB 102.

For example, topology discovery may be used at network setup and then disabled to prevent further changes to the SW DB 102 associated with a particular PortID. Alarms can be generated should additional source MAC ADDRs be received at the data switching node 100 on a physical communications port having its topology discovery feature disabled.

In accordance with another embodiment of the invention, the topology discovery control may allow MAC ADDRs associated with a physical communications port to be added dynamically up to an upper limit enforced on a per-PortID basis, thus enabling a controlled amount of discovery while preventing the flushing of all legitimate entries from the SW DB 102.

An unknown destination flood control feature, also shown, may be implemented as a control bit (or flag) per communications port, but is not limited thereto. When the control bit is set, the unknown destination flood control feature is enabled; it is disabled when the control bit is reset.

The unknown destination flood control feature is used to prevent the replication of PDUs to selected communications ports. The feature prevents hostile data network nodes connecting to the selected communications ports from listening to unknown destination data traffic.
`
FIG. 4 is a schematic diagram showing control features of the data switching node in accordance with other exemplary implementations of the invention.

In accordance with another implementation of the invention, control features have a global scope, enforcing security resources for all physical communications ports of the data switching node.

The global control features are generally shown at 400, including a global topology discovery control bit. When the global topology discovery control bit is set, no switching database entries may be added to the SW DB 102 automatically. Of course, switching database entries added via a management console are not affected. When the global topology discovery control bit is reset, topology discovery control is enforced on a port-by-port basis as shown above.

A global unknown destination flood control feature, also shown in FIG. 4A, is used in conjunction with the topology discovery disable feature and provides the following advantage. Having discovered all data network nodes connected to a particular physical port, it is unnecessary to flood unknown destination PDUs to that communications port because all data network nodes connected thereto are already known. This reduces the amount of PDU processing spent replicating such PDUs to physical communications ports.

In accordance with yet another implementation of the invention, all control features presented above may be activated via a single control bit as shown in FIG. 4.
FIG. 5 is a flow diagram showing a secure PDU forwarding process implementing MAC ADDR attack detection, prevention and reporting at a data switching node in accordance with the exemplary embodiment of the invention.

The secure PDU forwarding process is started in step 500 by receiving a PDU from a source physical communications port having a source PortID. The controller 101 associated with the data switching node 100 inspects the header of the received PDU for routing information, extracting at least a source MAC ADDR in step 502. The SW DB 102 is queried based on the source MAC ADDR in step 504.

If a switching database entry corresponding to the source MAC ADDR is found in the SW DB 102 in step 504, the process proceeds, in step 506, with determining whether the PortID stored in the entry and the source PortID match.

If the PortIDs match in step 506, the process proceeds with forwarding the PDU from step 508.

If the PortIDs do not match in step 506, the process proceeds by attempting to modify the switching database entry in step 512 if the entry is not protected, a fact ascertained in step 510.

If the switching entry is not found to be protected in step 510, the entry is modified in step 512 and the process proceeds from step 508 with forwarding the PDU.

If the switching entry is found to be protected in step 510, the process proceeds from step 514, triggering an alarm. The process continues by discarding the PDU and resuming from step 500.

If a switching database entry corresponding to the source MAC ADDR is not found in the SW DB 102 in step 504, the process attempts to add a new entry to the SW DB 102, subject to whether topology discovery is suppressed for the source PortID, which is enforced in steps 515 and 516.

If topology discovery is disabled globally for the entire data switching node 100, then the process resumes from step 514 by triggering an alarm; otherwise topology discovery control is enforced for the source PortID.

If topology discovery is enabled for the source PortID in step 516, a new entry is added to the SW DB 102 in step 518 and the process continues from step 508 with forwarding the PDU.

If topology discovery is suppressed for the source PortID in step 516, the process resumes from step 514 by triggering an alarm.

In forwarding the PDU, the controller 101 inspects the PDU routing information, extracting at least the destination MAC ADDR. The process queries the SW DB 102 based on the destination MAC ADDR in step 520.

If the SW DB 102 contains a switching entry corresponding to the destination MAC ADDR, then the PDU is forwarded to the PortID specified in that entry in step 522. Subsequent to forwarding the PDU in step 522, the process resumes from step 500.

If the SW DB 102 does not contain a switching entry corresponding to the destination MAC ADDR, then a port flood list containing all physical communications ports is generated in step 524 and the source PortID is removed therefrom in step 526. In step 527, all PortIDs having the port unknown destination flood control bit set are also removed from the port flood list.

Subject to the global unknown destination flood control feature being activated, a fact ascertained in step 528, the PDU is replicated and flooded to the physical communications ports in the port flood list in step 532. If the global unknown destination flood control feature is enabled, all ports having topology discovery disabled are removed from the port flood list in step 530 prior to flooding the ports remaining in the list in step 532.

Subsequent to flooding the PDU to all ports in the remaining flood list, the process resumes from step 500.
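The forwarding process of FIG. 5, the plug-and-play learning and spoofing scenario from the Background, and the table-flushing attack and per-PortID learning cap discussed with FIG. 2 and FIG. 3 can all be exercised in the following toy model. It is an added example written for this page, not code from the patent or from its assignee: the class and attribute names, the use of plain strings for MAC ADDRs and small integers for PortIDs, the `capacity` limit on the table, the `max_learned` per-port cap, and the rule that protected entries are never evicted when the table is full are assumptions of the example, not statements of the patent. The `alarms` list stands in for the alert generation of step 514.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Entry:                          # one row 202 of table 200 (FIG. 2)
    port: int
    protected: bool = False           # entry protection bit


@dataclass
class PortControl:                    # one row of table 300 (FIG. 3)
    discovery_disabled: bool = False  # topology discovery disable flag
    flood_suppressed: bool = False    # per-port unknown destination flood control bit
    max_learned: int = 0              # per-PortID learning cap, 0 = no cap (assumed)


class SecureSwitch:
    def __init__(self, num_ports, capacity=64):
        self.ports = {p: PortControl() for p in range(1, num_ports + 1)}
        self.capacity = capacity                 # storage limit of table 200 (assumed)
        self.global_discovery_disabled = False   # FIG. 4 global control bits
        self.global_flood_control = False
        self.db = OrderedDict()                  # SW DB 102: MAC -> Entry, oldest first
        self.alarms = []                         # (reason, mac, port) raised in step 514

    def provision(self, mac, port, protected=True):
        self.db[mac] = Entry(port, protected)    # management-console entry, no discovery check

    def _alarm(self, reason, mac, port):
        self.alarms.append((reason, mac, port))
        return []                                # step 514: alarm raised, PDU discarded

    def _learn(self, mac, port):
        """Step 518 plus the table-full eviction and the per-PortID cap from the text.
        Assumption: protected entries are never evicted, since they cannot be changed."""
        cap = self.ports[port].max_learned
        if cap and sum(e.port == port for e in self.db.values()) >= cap:
            return False
        if len(self.db) >= self.capacity:
            victim = next((m for m, e in self.db.items() if not e.protected), None)
            if victim is None:
                return False
            del self.db[victim]                  # oldest unprotected entry is flushed out
        self.db[mac] = Entry(port)
        return True

    def receive(self, src_port, src_mac, dst_mac):
        """Steps 500-518: source MAC handling; returns the list of egress PortIDs."""
        entry = self.db.get(src_mac)
        if entry is not None:                                    # step 504: known source
            if entry.port != src_port:                           # step 506: apparent move
                if entry.protected:                              # step 510
                    return self._alarm("protected entry move", src_mac, src_port)
                entry.port = src_port                            # step 512: plug-and-play
        else:                                                    # unknown source MAC
            if self.global_discovery_disabled:                   # step 515
                return self._alarm("global discovery off", src_mac, src_port)
            if self.ports[src_port].discovery_disabled:          # step 516
                return self._alarm("port discovery off", src_mac, src_port)
            if not self._learn(src_mac, src_port):
                return self._alarm("learning limit", src_mac, src_port)
        return self._forward(src_port, dst_mac)

    def _forward(self, src_port, dst_mac):
        """Steps 520-532: unicast to a known destination, otherwise selective flood."""
        entry = self.db.get(dst_mac)
        if entry is not None:                                    # step 522
            return [entry.port]
        flood = set(self.ports) - {src_port}                     # steps 524, 526
        flood -= {p for p, c in self.ports.items() if c.flood_suppressed}   # step 527
        if self.global_flood_control:                            # steps 528, 530
            flood -= {p for p, c in self.ports.items() if c.discovery_disabled}
        return sorted(flood)                                     # step 532


def demo():
    """Replays FIG. 1: A=X on port 1, B=Y on port 2, C=W and D=Z on port 3,
    hostile E on port 4. Returns the observable outcomes for checking."""
    sw = SecureSwitch(num_ports=4, capacity=6)
    sw.provision("X", 1, protected=False)
    sw.provision("Y", 2)                        # entry 202-1, protection bit set
    sw.provision("W", 3, protected=False)
    sw.provision("Z", 3)                        # entry 202-3, protection bit set
    sw.ports[3].discovery_disabled = True       # FIG. 3: discovery off for PortID 3
    out = {}
    out["spoof_Y"] = sw.receive(4, "Y", "X")    # E claims Y: alarm, PDU dropped
    out["to_Y"] = sw.receive(1, "X", "Y")       # Y is still reached via port 2
    out["spoof_X"] = sw.receive(4, "X", "Y")    # X unprotected: association hijacked
    out["X_port"] = sw.db["X"].port             # now 4, the Background attack
    out["flood"] = sw.receive(2, "Y", "Q")      # unknown destination: ports 1, 3, 4
    sw.global_flood_control = True
    out["flood_ctl"] = sw.receive(2, "Y", "Q")  # port 3 fully discovered: not flooded
    out["learn_3"] = sw.receive(3, "V", "X")    # discovery disabled on port 3: alarm
    for bogus in ("B1", "B2", "B3"):            # E floods bogus source MACs from port 4
        sw.receive(4, bogus, "Q")
    out["X_flushed"] = "X" not in sw.db         # oldest unprotected entry evicted
    sw.ports[4].max_learned = 2                 # the per-PortID cap stops further learning
    out["capped"] = sw.receive(4, "B4", "Q")
    out["alarms"] = len(sw.alarms)
    return out
```

Calling demo() returns a dict of outcomes: the hostile node's claim to MAC ADDR Y on port 4 is dropped with an alarm while B is still reached on port 2, the same frame aimed at the unprotected entry X rewrites X to port 4 exactly as the Background describes, enabling the global flood control bit drops port 3 (discovery disabled) from the unknown-destination flood, and three bogus source MACs from port 4 flush X out of the six-entry table until the per-port cap is set.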
The embodiment presented is exemplary only and persons skilled in the art would appreciate that variations to the above-described embodiment may be made without departing from the spirit of the invention, the scope of the invention being solely defined by the appended claims.
`
`We claim:
`
`1. A secure data switching node comprising:
`a. a plurality of communications ports;
`b. a switching database having a plurality of switching
`entries, each one of the plurality of switching entries
`specifying an association between one or more data
`network node identifiers and one or more respective
`communications ports;
`c. a plurality of switching entry protection flags, corre-
`sponding to the plurality of switching entries, each ofthe
`plurality of switching entry protection flags configured
`with a predetermined value that determines whether
`each of the switching entries is protected from update;
`and
`
`d. a controller executing a secure switching database
`update process, for at least one of the switching entries,
`wherein executing a secure switching database update
`process includes determining, from at least one of the
`switching entry protection flags, whether the at least one
`of the switching entries is protected from update and
`receiving a modification instruction including a change
`of at least one of the respective communications ports
`for at least one of the data network node identifiers,
`whereby an attempt by a hostile data network node to
`effect a modification of the at least one communication
`
`port of a protected switching entry is prevented when the
`protection flag is set, enabling the data switching node to
`operate securely concurrently in friendly and hostile
`data networking environments.
`2. A secure data switching node as claimed in claim 1,
`wherein the communication ports are represented in the
`switching entries via port identifiers.
`
`5
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`8
3. The secure data switching node of claim 1, further comprising an alarm configured for trigger if at least one of the switching entries is protected from update.
4. A secure data switching node comprising:
a. a plurality of physical communications ports;
b. a switching database having a plurality of switching entries, each one of the plurality of switching entries specifying an association between one or more data network node identifiers and one or more of the respective physical communications ports;
c. a plurality of topology discovery disable flags corresponding to the plurality of switching entries, each of the plurality of topology discovery disable flags configured with a predetermined value that determines whether additional switching entries are prevented from being added to the switching database; and
d. a controller executing a secure data transport network topology update process for at least one of the switching entries, wherein executing a secure data transport network topology update includes determining, from at least one of the topology discovery disable flags, whether switching entries are prevented from being added to the switching database and receiving an addition instruction including a change of at least one of the respective communications ports for at least one of the data network node identifiers, whereby attempts by a hostile data network node to effect at least one addition of a switching entry specifying a communications port associated with a topology discovery disabled physical communications port are prevented, enabling the data switching node to operate securely concurrently in friendly and hostile data networking environments.
5. The secure data switching node of claim 4, further comprising an alarm configured for trigger if switching entries are prevented from being added to the switching database.
6. A secure data switching node comprising:
a. a plurality of physical communications ports;
b. a switching database having a plurality of switching entries, each one of the plurality of switching entries specifying an association between a data network node identifier and a communications port;
c. a plurality of topology discovery disable flags, corresponding to the plurality of switching entries, each of the plurality of topology discovery disable flags configured with a predetermined value that determines whether additional switching entries are prevented from being added to the switching database;
d. a global unknown destination flood control flag; and
e. a controller implementing a secure Payload Data Unit (PDU) forwarding process, the PDU forwarding process including a modification instruction including a change of at least one communication port for at least one of the data network node identifiers, a received PDU having a destination data node identifier not stored in the switching database is replicated only to physical communications ports having reset topology discovery disable flags preventing hostile data network nodes connected thereto from listening to unknown destination data traffic, wherein implementing a secure Payload Data Unit (PDU) forwarding process includes determining, from at least one of the topology discovery disable flags, whether switching entries are prevented from being added to the switching database.
7. The secure data switching node of claim 6, further comprising an alarm configured for trigger if switching entries are prevented from being added to the switching database.
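As an added illustration that is not part of the patent, the following Python model simulates the mechanism of claims 4 through 7: topology discovery disable flags (modelled here per port rather than per switching entry, an assumption), a topology update step that refuses additions or port changes on a disabled port and records the alarm of claims 5 and 7, and unknown-destination flooding restricted to ports whose flag is reset. The node identifiers, port numbers and PDUs below are constructed sample values.

```python
"""Model of the secure switching database from claims 4-7 (constructed
example; not the patent's implementation). Flags are kept per port."""
from dataclasses import dataclass, field


@dataclass
class SecureSwitch:
    ports: set                                   # physical communications ports
    disabled: set = field(default_factory=set)   # ports with topology discovery disabled
    db: dict = field(default_factory=dict)       # node identifier -> communications port
    alarms: list = field(default_factory=list)   # alarm records (claims 5 and 7)

    def learn(self, node_id, ingress):
        """Secure topology update (claim 4d): add or move a switching entry
        only if the ingress port's disable flag is reset. A blocked attempt
        leaves the database unchanged and triggers an alarm."""
        if ingress in self.disabled:
            self.alarms.append(f"blocked entry {node_id} -> port {ingress}")
            return False
        self.db[node_id] = ingress
        return True

    def forward(self, dst, ingress):
        """Secure PDU forwarding (claim 6e): a known destination goes to its
        port; an unknown destination is replicated only to ports whose
        topology discovery disable flag is reset, never back to the ingress."""
        if dst in self.db:
            return {self.db[dst]} - {ingress}
        return self.ports - {ingress} - self.disabled

    def process_pdu(self, src, dst, ingress):
        """Handle one received PDU: attempt to learn the source, then forward."""
        self.learn(src, ingress)
        return self.forward(dst, ingress)


def run_demo():
    """Ports 1-3 are friendly; port 4 has topology discovery disabled."""
    sw = SecureSwitch(ports={1, 2, 3, 4}, disabled={4})
    sw.process_pdu("node-A", "node-B", 1)   # A learned on 1; B unknown -> flood {2, 3}
    sw.process_pdu("node-B", "node-A", 2)   # B learned on 2; A known -> {1}
    sw.process_pdu("node-C", "node-A", 4)   # C on disabled port: not learned, alarm
    sw.process_pdu("node-A", "node-B", 4)   # attempt to move A to port 4: blocked, alarm
    return sw


if __name__ == "__main__":
    s = run_demo()
    print(s.db, s.alarms)
```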
8. A secure data switching node comprising:
a. a plurality of physical communications po