Granted invention patent
- Patent title: Method and apparatus for incrementally deploying ingress filtering on the Internet
- Application number: US12244340; filing date: 2008-10-02
- Publication number: US07861292B2; publication date: 2010-12-28
- Inventor: José C Brustoloni
- Applicant: José C Brustoloni
- Applicant address: US NJ Murray Hill
- Assignee: Alcatel-Lucent USA Inc.
- Current assignee: Alcatel-Lucent USA Inc.
- Current assignee address: US NJ Murray Hill
- Agent: Wall & Tong, LLP
- Main classification: G06F9/00
- IPC classification: G06F9/00 ; G06F17/00 ; H04L9/00
Abstract:
Ingress filtering has been adopted by the IETF as a methodology for preventing denial of service congestive attacks that spoof the source address in packets that are addressed to host server victims. Unless universally adopted by all ISPs on the Internet, however, a packet's source address cannot be totally trusted to be its actual source address. To take advantage of the benefits of ingress filtering as it is gradually deployed by ISPs around the Internet, differentiated classes of service are used to transport packets whose source address can be trusted and packets whose source address cannot be trusted. A packet received by an access or edge router at an ISP that supports ingress filtering is forwarded in a privileged class of service if its source address is properly associated with the port on which it is received, and is dropped otherwise. A packet received by an access or edge router at an ISP that does not support ingress filtering, and whose source address cannot therefore be trusted, is transported in an unprivileged class of service. At an intermediate exchange router within an intermediate ISP, where ISPs exchange packets, a packet received from an ISP that doesn't support ingress filtering is forwarded using the unprivileged class of service, while a packet received from an ISP that does support ingress filtering is forwarded using the same class of service in which it is already marked.
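
The marking rules in the abstract, modelled as an added Python sketch (not code from the patent). The ISP names, the port name, the prefixes (documentation ranges) and the class labels are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PRIVILEGED, UNPRIVILEGED = "privileged", "unprivileged"  # assumed labels

@dataclass
class ISP:
    name: str
    ingress_filtering: bool
    # port -> prefixes legitimately attached to that port (constructed data)
    port_prefixes: dict = field(default_factory=dict)

@dataclass
class Packet:
    src: str
    cos: Optional[str] = None  # class-of-service marking carried by the packet

def access_router(isp: ISP, port: str, pkt: Packet) -> Optional[Packet]:
    """Access/edge decision: return the marked packet, or None if dropped."""
    if not isp.ingress_filtering:
        pkt.cos = UNPRIVILEGED            # source address cannot be trusted
        return pkt
    src = ipaddress.ip_address(pkt.src)
    nets = (ipaddress.ip_network(p) for p in isp.port_prefixes.get(port, []))
    if any(src in net for net in nets):
        pkt.cos = PRIVILEGED              # source matches the receiving port
        return pkt
    return None                           # spoofed source: dropped at the edge

def exchange_router(upstream: ISP, pkt: Packet) -> Packet:
    """Exchange decision: demote traffic from non-filtering ISPs,
    otherwise keep the marking the packet already carries."""
    if not upstream.ingress_filtering:
        pkt.cos = UNPRIVILEGED
    return pkt

# Constructed topology: ISP A filters, ISP B does not.
ISP_A = ISP("A", True, {"cust1": ["198.51.100.0/24"]})
ISP_B = ISP("B", False)

if __name__ == "__main__":
    ok = access_router(ISP_A, "cust1", Packet("198.51.100.7"))
    print("valid source via A:", exchange_router(ISP_A, ok).cos)
    print("spoofed source via A:", access_router(ISP_A, "cust1", Packet("203.0.113.9")))
    forged = Packet("198.51.100.7", cos=PRIVILEGED)  # pre-marked by sender
    print("forged marking via B:", exchange_router(ISP_B, forged).cos)
```

The last case shows why the exchange router re-marks by upstream ISP rather than trusting the packet's own marking: a sender behind a non-filtering ISP cannot promote itself into the privileged class.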