公开(公告)号：US08533823B2

公开(公告)日：2013-09-10

申请号：US12392422

申请日：2009-02-25

申请人： Ronald W. Szeto ,  Nitin Jain ,  Ravindran Suresh ,  Philip Kwan

发明人： Ronald W. Szeto ,  Nitin Jain ,  Ravindran Suresh ,  Philip Kwan

IPC分类号： G06F12/00

CPC分类号： H04L63/0263 ,  H04L63/101 ,  H04L63/1441 ,  H04L2463/146

摘要： A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode.

公开(公告)号：US20090260083A1

公开(公告)日：2009-10-15

申请号：US12392422

申请日：2009-02-25

申请人： Ronald W. Szeto ,  Nitin Jain ,  Ravindran Suresh ,  Philip Kwan

发明人： Ronald W. Szeto ,  Nitin Jain ,  Ravindran Suresh ,  Philip Kwan

IPC分类号： G06F7/04 ,  G06F15/18

CPC分类号： H04L63/0263 ,  H04L63/101 ,  H04L63/1441 ,  H04L2463/146

摘要： A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode.

摘要翻译： 提供在网络中使用源IP地址和MAC地址的系统和方法来提供安全性以防止网络用户在数据分组中使用虚拟源IP地址的尝试。 该系统和方法提供用于分析数据链路（层2）级别的MAC地址和源IP地址，并且使用从这种分析导出的信息阻止通过主机设备正在使用虚假或欺骗源的端口的访问 传输数据包中的IP地址。 此外，系统和方法提供用于验证初始学习的源IP地址，并且用于确定验证新的源IP地址的不成功尝试的次数是否超过阈值水平，并且其中该数量超过阈值数目，系统和方法可以提供 用于在可能的攻击模式下操作。

公开(公告)号：US07516487B1

公开(公告)日：2009-04-07

申请号：US10850505

申请日：2004-05-20

申请人： Ronald W. Szeto ,  Nitin Jain ,  Ravindran Suresh ,  Philip Kwan

发明人： Ronald W. Szeto ,  Nitin Jain ,  Ravindran Suresh ,  Philip Kwan

IPC分类号： G06F7/04

CPC分类号： H04L63/0263 ,  H04L63/101 ,  H04L63/1441 ,  H04L2463/146

摘要： A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode.

摘要翻译： 提供在网络中使用源IP地址和MAC地址的系统和方法来提供安全性以防止网络用户在数据分组中使用虚拟源IP地址的尝试。 该系统和方法提供用于分析数据链路（层2）级别的MAC地址和源IP地址，并且使用从这种分析导出的信息阻止通过主机设备正在使用虚假或欺骗源的端口的访问 传输数据包中的IP地址。 此外，系统和方法提供用于验证初始学习的源IP地址，并且用于确定验证新的源IP地址的不成功尝试的次数是否超过阈值水平，并且其中该数量超过阈值数目，系统和方法可以提供 用于在可能的攻击模式下操作。

公开(公告)号：US09030943B2

公开(公告)日：2015-05-12

申请号：US13548116

申请日：2012-07-12

申请人： Ravindran Suresh ,  Adoor V. Balasubramanian

发明人： Ravindran Suresh ,  Adoor V. Balasubramanian

IPC分类号： G06F11/00 ,  H04L12/46 ,  G06F11/07

CPC分类号： H04L12/4625 ,  G06F11/0712

摘要： Methods of detecting and recovering from communication failures within an operating network switching device that is switching packets in a communication network, and associated structures. The communication failures addressed involve communications between the packet processors and a host CPU over a shared communications bus, e.g., PCI bus. The affected packet processor(s)—which may be all or a subset of the packet processors of the network switch—may be recovered without affecting hardware packet forwarding through the affected packet processors. This maximizes the up time of the network switching device. Other packet processor(s), if any, of the network switching device, which are not affected by the communication failure, may continue their normal packet forwarding, i.e., hardware forwarding that does not involve communications with the host CPU as well as forwarding or other operations that do involve communications with the host CPU.

摘要翻译： 在通信网络中切换分组的操作网络交换设备内的通信故障检测和恢复的方法以及相关联的结构。 解决的通信故障涉及通过共享通信总线（例如PCI总线）在分组处理器与主机CPU之间的通信。 受影响的分组处理器（其可以是网络交换机的分组处理器的全部或子集）可以被恢复，而不影响通过受影响的分组处理器的硬件分组转发。 这样可以最大限度地提高网络交换设备的启动时间。 不受通信故障影响的网络交换设备的其他分组处理器（如果有的话）可以继续正常的分组转发，即不涉及与主机CPU通信的硬件转发，以及转发或 涉及与主机CPU通信的其他操作。

公开(公告)号：US20120275294A1

公开(公告)日：2012-11-01

申请号：US13548116

申请日：2012-07-12

申请人： Ravindran Suresh ,  Adoor V. Balasubramanian

发明人： Ravindran Suresh ,  Adoor V. Balasubramanian

IPC分类号： H04L12/24

CPC分类号： H04L12/4625 ,  G06F11/0712

摘要： Methods of detecting and recovering from communication failures within an operating network switching device that is switching packets in a communication network, and associated structures. The communication failures addressed involve communications between the packet processors and a host CPU over a shared communications bus, e.g., PCI bus. The affected packet processor(s)—which may be all or a subset of the packet processors of the network switch—may be recovered without affecting hardware packet forwarding through the affected packet processors. This maximizes the up time of the network switching device. Other packet processor(s), if any, of the network switching device, which are not affected by the communication failure, may continue their normal packet forwarding, i.e., hardware forwarding that does not involve communications with the host CPU as well as forwarding or other operations that do involve communications with the host CPU.

摘要翻译： 在通信网络中切换分组的操作网络交换设备内的通信故障检测和恢复的方法以及相关联的结构。 解决的通信故障涉及通过共享通信总线（例如PCI总线）在分组处理器与主机CPU之间的通信。 受影响的分组处理器（其可以是网络交换机的分组处理器的全部或子集）可以被恢复，而不影响通过受影响的分组处理器的硬件分组转发。 这样可以最大限度地提高网络交换设备的启动时间。 不受通信故障影响的网络交换设备的其他分组处理器（如果有的话）可以继续正常的分组转发，即不涉及与主机CPU通信的硬件转发，以及转发或 涉及与主机CPU通信的其他操作。

公开(公告)号：US08238255B2

公开(公告)日：2012-08-07

申请号：US11831950

申请日：2007-07-31

申请人： Ravindran Suresh ,  Adoor V. Balasubramanian

发明人： Ravindran Suresh ,  Adoor V. Balasubramanian

IPC分类号： G06F11/00

CPC分类号： H04L12/4625 ,  G06F11/0712

摘要： Methods of detecting and recovering from communication failures within an operating network switching device that is switching packets in a communication network, and associated structures. The communication failures addressed involve communications between the packet processors and a host CPU over a shared communications bus, e.g., PCI bus. The affected packet processor(s)—which may be all or a subset of the packet processors of the network switch—may be recovered without affecting hardware packet forwarding through the affected packet processors. This maximizes the up time of the network switching device. Other packet processor(s), if any, of the network switching device, which are not affected by the communication failure, may continue their normal packet forwarding, i.e., hardware forwarding that does not involve communications with the host CPU as well as forwarding or other operations that do involve communications with the host CPU.

摘要翻译： 在通信网络中切换分组的操作网络交换设备内的通信故障检测和恢复的方法以及相关联的结构。 解决的通信故障涉及通过共享通信总线（例如PCI总线）在分组处理器与主机CPU之间的通信。 受影响的分组处理器（其可以是网络交换机的分组处理器的全部或子集）可以被恢复，而不影响通过受影响的分组处理器的硬件分组转发。 这样可以最大限度地提高网络交换设备的启动时间。 不受通信故障影响的网络交换设备的其他分组处理器（如果有的话）可以继续正常的分组转发，即不涉及与主机CPU通信的硬件转发，以及转发或 涉及与主机CPU通信的其他操作。

公开(公告)号：US20090279423A1

公开(公告)日：2009-11-12

申请号：US11831950

申请日：2007-07-31

申请人： Ravindran Suresh ,  Adoor V. Balasubramanian

发明人： Ravindran Suresh ,  Adoor V. Balasubramanian

IPC分类号： G01R31/08

CPC分类号： H04L12/4625 ,  G06F11/0712

摘要： Methods of detecting and recovering from communication failures within an operating network switching device that is switching packets in a communication network, and associated structures. The communication failures addressed involve communications between the packet processors and a host CPU over a shared communications bus, e.g., PCI bus. The affected packet processor(s)—which may be all or a subset of the packet processors of the network switch—may be recovered without affecting hardware packet forwarding through the affected packet processors. This maximizes the up time of the network switching device. Other packet processor(s), if any, of the network switching device, which are not affected by the communication failure, may continue their normal packet forwarding, i.e., hardware forwarding that does not involve communications with the host CPU as well as forwarding or other operations that do involve communications with the host CPU.

摘要翻译： 在通信网络中切换分组的操作网络交换设备内的通信故障检测和恢复的方法以及相关联的结构。 解决的通信故障涉及通过共享通信总线（例如PCI总线）在分组处理器与主机CPU之间的通信。 受影响的分组处理器（其可以是网络交换机的分组处理器的全部或子集）可以被恢复，而不影响通过受影响的分组处理器的硬件分组转发。 这样可以最大限度地提高网络交换设备的启动时间。 不受通信故障影响的网络交换设备的其他分组处理器（如果有的话）可以继续正常的分组转发，即不涉及与主机CPU通信的硬件转发，以及转发或 涉及与主机CPU通信的其他操作。