US20120069845A1 - Sanitizing packet headers - Google Patents

Sanitizing packet headers Download PDF

Info

Publication number
US20120069845A1
US20120069845A1 US12/883,243 US88324310A US2012069845A1 US 20120069845 A1 US20120069845 A1 US 20120069845A1 US 88324310 A US88324310 A US 88324310A US 2012069845 A1 US2012069845 A1 US 2012069845A1
Authority
US
United States
Prior art keywords
packet
headers
header
fragment
sequence
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US12/883,243
Other versions
US8824472B2 (en
Inventor
Mark D. CARNEY
Dante Pacella
Harold J. Schiller
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Verizon Patent and Licensing Inc
Original Assignee
Verizon Patent and Licensing Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Verizon Patent and Licensing Inc filed Critical Verizon Patent and Licensing Inc
Priority to US12/883,243 priority Critical patent/US8824472B2/en
Assigned to VERIZON PATENT AND LICENSING INC. reassignment VERIZON PATENT AND LICENSING INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CARNEY, MARK D., PACELLA, DANTE, SCHILLER, HAROLD J.
Publication of US20120069845A1 publication Critical patent/US20120069845A1/en
Application granted granted Critical
Publication of US8824472B2 publication Critical patent/US8824472B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/60Router architectures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies

Definitions

  • IPv4 packet header A typical size of an Internet Protocol version 4 (IPv4) packet header is 128 bytes.
  • An IPv4 packet header includes a version field, header length field, differentiated services field, packet length field, packet identification field, flags field, fragment offset field, time-to-live field, protocol field, header checksum field, source field, and destination field.
  • IPv4 packet header can also include an options field, which may increase the size of the packet, the options field is infrequently used and, often, network devices do not support its use.
  • FIG. 1 illustrates an exemplary format of a packet
  • FIG. 2 illustrates an exemplary network in which the concepts described herein may be implemented
  • FIG. 3 shows exemplary components of a router of FIG. 2 ;
  • FIG. 4 is a block diagram illustrating exemplary functional components of the router of FIG. 2 ;
  • FIG. 5 illustrates an overview of an exemplary process associated with sanitizing packet headers
  • FIG. 6 further illustrates an overview of another process associated with sanitizing packet headers
  • FIG. 7 is a flow diagram of an exemplary process associated with sanitizing a packet with multiple copies of a header
  • FIG. 8 is a flow diagram of an exemplary process associated with sanitizing a packet with out-of-sequence headers.
  • FIG. 9 is a flow diagram of an exemplary process associated with sanitizing a packet with an invalid fragment header.
  • packet may refer to an IP packet, datagram, cell, a fragment of an Internet Protocol (IP) packet, or other types of data that may be carried at a specified communication layer.
  • IP Internet Protocol
  • the term “router” may refer to a network layer 2 or layer 3 (e.g., an IP layer) router or switch (e.g., Multiprotocol Label Switching (MPLS) router). In some contexts, the term “router” may also refer to layer 4-7 application/devices.
  • MPLS Multiprotocol Label Switching
  • a device may sanitize a bad packet.
  • a bad packet may include, for example, duplicate headers or two or more headers of the same type, out-of-sequence headers, and/or an invalid fragment header.
  • the device may prevent the packet from, for example, accessing an otherwise secure network, destroying and/or damaging files, stealing information, creating security holes, spreading computer viruses and/or malware, etc.
  • FIG. 1 illustrates an exemplary format of a packet.
  • packet 100 may include an IPv4 packet with options field or additional headers (e.g., multiprotocol label switch (MPLS) headers), in the following description, packet 100 will be described as an IPv6 packet.
  • MPLS multiprotocol label switch
  • packet 100 may include a basic header, extension headers 104 - 1 through 104 -R (individually “extension header 104 or 104 - x ,” or collectively, “extension headers 104 ”), and a load 106 .
  • packet 100 may include different headers and/or fields.
  • packet 100 when packet 100 is implemented as a MPLS packet, packet 100 may include a MPLS label stack between extension header 104 -R and load 106 .
  • Basic header 102 may include a version field, traffic class field, flow label field, payload length field, next header field, hop limit field, source address field, and destination address field.
  • the version field may identify the version of IP protocol. This field may be set to 6 for IPv6.
  • the traffic class field may allow a source node or router to distinguish between different priorities of packets.
  • the flow label field may identify a flow (e.g., a group of packets that have the same source and destination addresses) to which packet 100 belongs.
  • the payload length field specifies the length of the payload of packet 100 .
  • the payload of packet 100 may include extension headers 104 and load 106 .
  • the next header field may identify extension header 104 - 1 (i.e., the header that immediately follows header 102 ).
  • the hop limit field indicates the maximum number of hops that packet 100 can be forwarded.
  • the source address field and the destination address field may identify the source and destination addresses for packet 100 .
  • Extension header 104 may define one or more parameters that describe packet 100 .
  • Extension header 104 may include, for example, a hop-by-hop header, routing header, fragment header, authentication header, destination options header, etc.
  • IPv6 Internet Engineering Task Force
  • extension headers 104 must be in a specific order. For example, the hop-by-hop header must precede the fragment header.
  • the hop-by-hop header may include optional information that must be examined by every network device/node along packet 100 's path.
  • the routing header may list network devices/nodes that are to be visited by packet 100 on its path toward its destination.
  • the fragment header may describe a relative location, within an original packet from which a fragment is derived, of the fragment that packet 100 carries.
  • the source node may have fragmented the original packet into several fragment packets, for example, due to the size of the original packet.
  • the fragment packets may be reassembled into the original packet at the destination of packet 100 .
  • the authentication header may specify a method by which authentication may be performed.
  • the authentication header may include information that may be used for the authentication.
  • Destination options header may include information that needs to be examined by the destination node.
  • extension header 104 may include other types of headers, they are not described for simplicity.
  • Load 106 may include data that packet 100 carries. Load 106 may or may not include additional headers or header-related information.
  • packet 100 may be “bad” when extension headers 104 include one or more duplicate copies of an extension header or two or more of one type of header (e.g., hop-by-hop header, routing header, etc.) with conflicting information. Packet 100 may also be bad when extension headers 104 are out-of-sequence. In a valid IPv6 packet, extension packet headers 104 must be in a specific sequence (e.g., a hop-by-hop header, if present in packet 100 , must precede other extension headers 104 ). Further, packet 100 may be bad when packet 100 includes an invalid fragment header. For example, the fragment header of packet 100 may incorrectly specify that data in payload 106 of packet 100 is a fragment of data whose portions are carried by three other packets.
  • one type of header e.g., hop-by-hop header, routing header, etc.
  • FIG. 2 illustrates an exemplary network 200 in which concepts described herein may be implemented.
  • network may include network 202 and honeynet 204 (or honey net 204 ).
  • honeynet 204 or honey net 204
  • network 200 may include additional, fewer, different, or a different arrangement of networks and devices than those illustrated in FIG. 2 .
  • Network 202 may include the Internet, an intranet, a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a cellular network, a public switched telephone network (PSTN), an optical network, a wireless network (e.g., Wi-Fi, WiMax, etc.), a wired network, a packet switched network (e.g., IPv6 and/or IPv4), an ad hoc network, any other network, or a combination of one or more networks.
  • LAN local area network
  • WAN wide area network
  • MAN metropolitan area network
  • PSTN public switched telephone network
  • IPv6 packet switched network
  • IPv6 packet switched network
  • ad hoc network any other network, or a combination of one or more networks.
  • Honey net 204 may include one or more network devices or resources (e.g., files, records, etc.) for trapping or recording packet activities. By monitoring such packets, honey net 204 may determine the purpose and/or effect that the packets may have in a network.
  • network devices or resources e.g., files, records, etc.
  • network 202 may include network devices 206 - 1 through 206 -M (network devices 206 ).
  • Network device 206 may include, for example, a router, switch, gateway, server, personal computer, mobile computer (e.g., mobile router, laptop computer, tablet computer, cellular phone, etc.), etc.
  • IP Internet Protocol
  • network device 206 is described in terms of a router (e.g., router 206 or routers 206 ).
  • Router 206 may perform routing, forwarding, and packet header sanitization. In performing the routing function, router 206 may exchange messages with other network devices through routing protocols to discover information about reachability of destinations, the network topology, and costs associated with routes. This information is stored in the Routing Information Base (RIB). Best paths for the destinations and their associated egress interfaces (e.g., line cards) are determined and stored in the forwarding information base (FIB).
  • RIB Routing Information Base
  • Best paths for the destinations and their associated egress interfaces e.g., line cards
  • router 206 may receive packets from one or more physical communication interfaces/ports, classify the packets, and determine required processing (e.g., deep packet inspection and/or packet header sanitization) based on the packet headers.
  • required processing e.g., deep packet inspection and/or packet header sanitization
  • router 206 may determine their destinations, and transmit the packets on one or more physical or logical communication interfaces/ports in accordance with the determined destinations or other properties of the packets based on information provided by the FIB. To sanitize the packets, router 206 may examine the packet header for duplicate headers or multiple instances of a particular header type, out-of-sequence headers, fragment header, etc.
  • FIG. 3 is a block diagram illustrating exemplary components of router 206 .
  • router 206 may include a processor 302 , network interface 304 , memory 306 , and storage 308 . These components may be distributed over different line cards (e.g., ingress line cards for receiving packets, egress line cards for sending packets, etc.), service modules for processing packet headers (e.g., sanitizing packets, etc.), a control module (e.g., a central module for controlling the line cards and/or service modules, for performing the routing function, etc.), etc.
  • line cards e.g., ingress line cards for receiving packets, egress line cards for sending packets, etc.
  • service modules for processing packet headers (e.g., sanitizing packets, etc.)
  • a control module e.g., a central module for controlling the line cards and/or service modules, for performing the routing function, etc.
  • router 206 may include additional, fewer, or different components
  • Processor 302 may include one or more processors, microprocessors, Application Specific Integrated Circuits (ASICs), and/or Field Programmable Gate Arrays (FPGAs), and/or other processing logic. In some implementations, processor 302 may include processors that are dedicated to specific functions, such as packet processing, packet forwarding, memory management, etc.
  • ASICs Application Specific Integrated Circuits
  • FPGAs Field Programmable Gate Arrays
  • Network interface 304 may include one or more physical or logical communication ports that enable router 206 to communicate with other devices. Via the physical ports, network interface 304 may communicate via a network, such as the Internet, a terrestrial wireless network (e.g., a WLAN), a satellite-based network, etc.
  • a network such as the Internet, a terrestrial wireless network (e.g., a WLAN), a satellite-based network, etc.
  • Memory 306 may include a static memory, such as read only memory (ROM), and/or dynamic memory, such as random access memory (e.g., DRAM, SDRAM, SRAM, etc.), content addressable memory (CAM), or onboard cache, for storing data and machine-readable instructions.
  • ROM read only memory
  • dynamic memory such as random access memory (e.g., DRAM, SDRAM, SRAM, etc.), content addressable memory (CAM), or onboard cache, for storing data and machine-readable instructions.
  • a component of memory 306 may provide, for example, space for queuing packets, packet headers, etc., before the packets are sent toward one or more egress line cards/service modules via a switch fabric.
  • Storage 308 may include a hard disk drive, solid state drive, flash drive, floppy disk, CD ROM, CD read/write (R/W) disc, digital video disc (DVD) reader/writer, as well as other types of storage devices for storing data and/or machine-readable instructions (e.g., a program, script, etc.).
  • machine-readable instructions e.g., a program, script, etc.
  • the term “memory,” “storage,” “storage device,” and/or “storage unit” may be used interchangeably.
  • a “computer-readable storage device” may refer to both a memory and/or storage device.
  • FIG. 4 is a block diagram illustrating exemplary functional components of router 206 .
  • router 206 may include routing logic 402 , packet processing logic 404 , and header sanitization logic 406 .
  • router 206 may include additional, fewer, or different components than those illustrated in FIG. 4 .
  • router 206 may include a component for storing/measuring flow statistics.
  • router 206 may include other components, such as a RIB or FIB, they are not illustrated for simplicity.
  • Routing logic 402 may gather or disseminate routing information from/to other routers 206 in accordance with routing/signaling protocols (e.g., open shortest path first (OSPF), interior gateway routing protocol (IGRP), multiprotocol label switching (MPLS) protocol, etc.), organize the routing information in a lookup table, such as a RIB, a label information base (LIB), etc.
  • routing logic 402 may create a lookup table (e.g., a FIB, a forwarding label information base (FLIB), etc.) and distribute the lookup table to line cards, on which packet processing logic 404 may be implemented.
  • routing/signaling protocols e.g., open shortest path first (OSPF), interior gateway routing protocol (IGRP), multiprotocol label switching (MPLS) protocol, etc.
  • OSPF open shortest path first
  • IGRP interior gateway routing protocol
  • MPLS multiprotocol label switching
  • routing logic 402 may create a lookup table (e.g.,
  • Packet processing logic 404 may place packets that are received at a line card/service module in queues where they are temporarily held, and forward them to an egress line card or another service module based on information in a FIB or based on packet headers. Packet processing logic 404 may also perform other processing, such as classifying packets, collecting flow statistics, logging, etc.
  • Header sanitization logic 406 may sanitize packet headers. In one implementation, header sanitization logic 406 may fix, drop, and/or re-route packets with duplicate headers or multiple headers of a same type, out-of-sequence headers, and/or invalid fragment headers. Depending on the implementation, header sanitization logic 406 may also sanitize other types of errors, such as an invalid extension header other than fragment header (e.g., invalid hop-by-hop header, authentication header, etc.), bad labels, bad routing headers (e.g., not all addresses in the routing header are valid), etc.
  • an invalid extension header other than fragment header e.g., invalid hop-by-hop header, authentication header, etc.
  • bad labels e.g., not all addresses in the routing header are valid
  • header sanitization logic 406 may be implemented on a single service module or distributed over several components. In the latter implementations, headers of a packet may “bounce” from one service module to another via a switch fabric until all of the headers are processed and sanitized. Thereafter, header sanitization logic 406 may drop the packet or send the packet to a deep inspection module, honey net 204 , etc.
  • FIG. 5 illustrates an overview of an exemplary process associated with sanitizing packet headers.
  • header sanitization logic 406 may process packet 502 to produce packet 504 , packet 506 , or packet 508 .
  • header sanitization logic 406 may perform other types of packet sanitization (e.g., detecting other types of invalid extension headers).
  • packet 502 may include a basic header 510 , extension header A 512 , extension header B 514 , extension header A 516 , extension header C 518 , and load 520 .
  • Extension header A 516 may either be a duplicate of extension header A 512 or the same type of header as extension header A 512 .
  • Extension header A 512 / 516 may include, for example, a hop-by-hop header, routing header, authentication header, etc. It is assumed that extension headers A 512 and 516 are not destination options headers in the following order: once before a routing header of IPv6 and an upper-layer header of IPv6.
  • header sanitization logic 406 may process packet 502 in one of three ways. For example, header sanitization logic 406 may strip duplicate extension header A 516 from packet 502 to produce packet 504 . In FIG. 5 , this is illustrated by extension header A 516 being shown via the dotted arrow originating from packet 504 and pointing to a garbage can icon 522 . In addition, header sanitization logic 406 may send packet 504 to its destination device 524 (e.g., via an egress line card), as illustrated by a solid arrow pointing from packet 504 to destination device 524 .
  • destination device 524 e.g., via an egress line card
  • sanitization logic 406 may remove both extension header A 512 and extension header A 516 from packet 502 to obtain packet 506 . In FIG. 5 , this is illustrated by headers A 512 and headers A 516 being shown via the dotted arrows that originate from packet 506 and point to garbage can icon 522 .
  • header sanitization logic 406 may send packet 506 to destination device 524 via an egress line card, as illustrated by the solid arrow from packet 506 to destination device 524 .
  • sanitization logic 406 may retain original packet 502 , which is also shown as packet 508 in FIG. 5 . Subsequently, header sanitization logic 406 may drop packet 508 , as illustrated by the dotted arrow from packet 508 to garbage can icon 522 , or alternatively, send packet 508 to honey net 204 , as illustrated by the dotted arrow from packet 508 to honey net 204 . In honey net 204 , a honey pot and/or other devices may analyze packet 508 , observe packet 508 's behavior, and/or obtain other properties of packet 508 .
  • FIG. 6 illustrates an overview of another exemplary process associated with sanitizing packet headers.
  • header sanitization logic 406 may process packet 602 to produce packet 604 , packet 606 , or packet 608 .
  • header sanitization logic 406 may perform other types of packet sanitization.
  • packet 602 may include a basic header 510 , extension header B 514 , extension header A 512 , extension header C 518 , and payload 520 .
  • extension header B 514 , extension header A 514 , and extension header C 518 are out-of-sequence.
  • header sanitization logic 406 may process packet 602 in one of three ways. For example, header sanitization logic 406 may re-sequence extension header B 514 , extension header A 512 , and extension header C 518 in packet 602 to obtain packet 604 . In packet 604 , the extension headers are in the following sequence: extension header A 512 , extension header B 514 , and extension header C 518 . In addition, header sanitization logic 406 may send packet 604 to destination device 524 , as illustrated by the solid arrow originating from packet 604 to destination device 524 .
  • header sanitization logic 406 may remove extension header B 514 from packet 602 to obtain packet 606 , which includes extension header A 512 and extension header C 518 .
  • the header removal is illustrated by header B 514 via the dotted arrow that originates from packet 606 and points to garbage can icon 522 .
  • header sanitization logic 406 may remove header A 512 from packet 602 instead of header B 514 to sanitize packet 602 .
  • header sanitization logic 406 may send packet 606 to destination device 524 , as illustrated by the solid arrow from packet 606 to destination device 524 .
  • sanitization logic 406 may retain original packet 602 , which is also shown as packet 608 in FIG. 6 . Subsequently, header sanitization logic 406 may drop packet 608 , as illustrated via the dotted arrow from packet 608 to garbage can icon 522 , or alternatively, send packet 608 to honey net 204 , as illustrated by the dotted arrow from packet 608 to honey net 204 .
  • FIGS. 7 through 9 are flow diagrams of exemplary processes whose overview are illustrated by FIG. 5 and FIG. 6 .
  • FIG. 7 is a flow diagram of an exemplary process 700 associated with sanitizing a packet with multiple copies of a header or multiple headers of the same type. As shown in FIG. 7 , process 700 may begin when router 206 receives a packet (e.g., IPv6 packet). Router 206 may internally pass the packet headers of the received packet to header sanitization logic 406 .
  • a packet e.g., IPv6 packet
  • Header sanitization logic 406 may determine whether the packet includes duplicate headers and/or multiple headers of the same type (block 704 ). If the packet does not include duplicate headers or multiple headers of the same type (block 704 -NO), process 700 may proceed to process 800 , for sanitizing out-of-sequence packet headers. Otherwise (block 704 -YES), process 700 may proceed to block 705 .
  • process 700 may go to process 800 . Otherwise (block 705 -NO), process 700 proceed to block 706 .
  • header sanitization logic 406 may drop the packet (block 708 ). Otherwise (block 706 -NO), process 700 may proceed to block 710 .
  • header sanitization logic 406 may strip off all but one of the duplicate headers or all but one of the same type of headers (block 712 ). In stripping off the headers, header sanitization logic 406 may retain, in the packet, the extension header whose position is valid. For example, in FIG. 5 , header sanitization logic 406 removes header A 516 to obtain packet 504 and does not remove header A 512 . Furthermore, header sanitization logic 406 may rewrite or correct next header fields within the remaining extensions headers, such that the extension headers remain valid. Thereafter, process 700 may proceed to process 800 , for sanitizing out-of-sequence packet headers.
  • header sanitization logic 406 may proceed to block 714 .
  • header sanitization logic 406 may remove all duplicate headers or all of the same type of headers (block 716 ).
  • header sanitization logic 406 may rewrite the next header fields of the remaining extension headers in the packet. Thereafter, process 700 may proceed to process 800 .
  • header sanitization logic 406 may send the received packet to an alternate destination (block 718 ) (e.g., honey net 204 ).
  • FIG. 8 is a flow diagram of an exemplary process 800 associated with sanitizing a packet with out-of-sequence headers.
  • process 800 may start with header sanitization logic 406 determining whether the packet includes headers in a sequence that is compliant with a particular standard or specification (e.g., RFC 2460) (block 802 ). If the packet headers are in an order that is compliant with the standard/specification (block 802 -YES), process 800 may proceed to process 900 , for sanitizing packets with an invalid fragment header. If the packet headers are not in an order compliant with the standard/specification, process 800 may proceed to block 804 .
  • a particular standard or specification e.g., RFC 2460
  • header sanitization logic 406 may fix the out-of-sequence headers (block 804 -YES). If header sanitization logic 406 is configured to fix the out-of-sequence headers (block 804 -YES), header sanitization logic 406 may shuffle or move the headers of the packet and arrange the headers in a correct order (block 806 ). In addition, header sanitization logic 406 may rewrite the next header field in each of the extension headers to reflect the header reorganization. Thereafter, header sanitization logic 406 may apply process 900 , for sanitizing packets with invalid fragment headers, to the packet.
  • header sanitization logic 406 may proceed to block 808 .
  • header sanitization logic 406 may send the packet to an alternate destination (block 810 ) (e.g., honey net 204 ). Otherwise (block 808 -NO), header sanitization logic 406 may drop the packet (block 812 ).
  • FIG. 9 is a flow diagram of an exemplary process 900 associated with sanitizing a packet with an invalid fragment header.
  • Process 900 may begin with header sanitization logic 406 determining whether the packet includes a fragment header (block 902 ). If the packet does not include a fragment header (block 902 -NO), header sanitization logic 406 may send the packet to its destination (block 904 ). If the packet includes a fragment header (block 902 -YES), header sanitization logic 406 may store the packet and/or the packet header (block 906 ) in memory 306 . Header sanitization logic 406 may use the stored packet and/or the header when header sanitization logic 406 examines another packet that carries a fragment from the same original packet as the stored packet.
  • Header sanitization logic 406 may determine whether the fragment header of the packet includes an offset value that, when the value is used to aggregate the fragment from the received packet with other fragments (e.g., from other stored packets), does not result in overwriting the other fragments with the fragment from the received packet.
  • first packet and a second packet carry, respectively, a first fragment and a second fragment of an original packet.
  • each fragment is 1024 bytes long
  • the offset value in the fragment header of the second packet specifies 8 bytes.
  • the second fragment from the second packet may overwrite the fragment from the first packet, in accordance with the offset value. If the first fragment in the first packet includes extension headers, these headers may be overwritten during the reassembly of the fragments. Determining whether such overwriting can occur may be equivalent to determining whether the offset values of successive packets that carry the fragments of the original packet are progressive (i.e., increasing in order).
  • header sanitization logic 406 may forward the packet to the original destination of the received packet (block 910 ). Otherwise (block 908 -NO), process 900 may proceed to block 912 .
  • header sanitization logic 406 may send the packet to the alternate destination (block 914 ) (e.g., honey net 204 ). Otherwise (block 912 -NO), header sanitization logic 406 may drop the packet (block 916 ).
  • network device 206 may sanitize a bad packet.
  • a bad packet may include two or more duplicate headers or headers of the same type, out-of-sequence headers, and/or an invalid fragment header.
  • network device 206 may prevent the packet from, for example, accessing a secure network, destroying and/or damaging files, stealing information, creating security holes, spreading computer viruses and/or malware, etc.
  • network device 206 may perform additional operations. For example, network device 206 may add another header, such as a destination options header to include notes on actions that were performed on the packet (e.g., verification of extension headers, modification of extension headers, re-routing of the packet, etc.) before forwarding the packet to honey net 204 , to its original destination, and/or to another destination. Alternatively, network device 206 may send an Internet Control Message Protocol (ICMP) message or an email message to the original destination of the packet or to another destination, to notify the destination of the operations that were performed. In some implementations, network device 206 may update a file and/or database, which may be on network device 206 or another device, to reflect the operations that were performed on the packet and/or modifications that were made to the packet.
  • ICMP Internet Control Message Protocol

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A network device may receive a packet, determine whether the packet includes two or more headers of a same type, modify the packet to correct for the two or more headers of the same type when the packet includes the two or more headers of the same type, determine whether the packet includes out-of-sequence headers, and modify the packet to correct for the out-of-sequence headers when the packet includes the out-of-sequence headers.

Description

    BACKGROUND INFORMATION
  • A typical size of an Internet Protocol version 4 (IPv4) packet header is 128 bytes. An IPv4 packet header includes a version field, header length field, differentiated services field, packet length field, packet identification field, flags field, fragment offset field, time-to-live field, protocol field, header checksum field, source field, and destination field. Although an IPv4 packet header can also include an options field, which may increase the size of the packet, the options field is infrequently used and, often, network devices do not support its use.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates an exemplary format of a packet;
  • FIG. 2 illustrates an exemplary network in which the concepts described herein may be implemented;
  • FIG. 3 shows exemplary components of a router of FIG. 2;
  • FIG. 4 is a block diagram illustrating exemplary functional components of the router of FIG. 2;
  • FIG. 5 illustrates an overview of an exemplary process associated with sanitizing packet headers;
  • FIG. 6 further illustrates an overview of another process associated with sanitizing packet headers;
  • FIG. 7 is a flow diagram of an exemplary process associated with sanitizing a packet with multiple copies of a header;
  • FIG. 8 is a flow diagram of an exemplary process associated with sanitizing a packet with out-of-sequence headers; and
  • FIG. 9 is a flow diagram of an exemplary process associated with sanitizing a packet with an invalid fragment header.
    •  DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
  • The following detailed description refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements.
  • The term “packet,” as used herein, may refer to an IP packet, datagram, cell, a fragment of an Internet Protocol (IP) packet, or other types of data that may be carried at a specified communication layer. As used herein, the term “router” may refer to a network layer 2 or layer 3 (e.g., an IP layer) router or switch (e.g., Multiprotocol Label Switching (MPLS) router). In some contexts, the term “router” may also refer to layer 4-7 application/devices.
  • As described below, a device may sanitize a bad packet. A bad packet may include, for example, duplicate headers or two or more headers of the same type, out-of-sequence headers, and/or an invalid fragment header. By sanitizing the bad packet, the device may prevent the packet from, for example, accessing an otherwise secure network, destroying and/or damaging files, stealing information, creating security holes, spreading computer viruses and/or malware, etc.
  • FIG. 1 illustrates an exemplary format of a packet. Although, in an actual implementation, packet 100 may include an IPv4 packet with options field or additional headers (e.g., multiprotocol label switch (MPLS) headers), in the following description, packet 100 will be described as an IPv6 packet. Because an IPv6 packet can facilitate transport of optional headers and/or fields, a bad IPv6 packet can be readily created, either accidentally or purposefully by a malicious network attacker.
  • As shown, packet 100 may include a basic header, extension headers 104-1 through 104-R (individually “extension header 104 or 104-x,” or collectively, “extension headers 104”), and a load 106. Depending on the implementation, packet 100 may include different headers and/or fields. For example, when packet 100 is implemented as a MPLS packet, packet 100 may include a MPLS label stack between extension header 104-R and load 106.
  • Basic header 102 may include a version field, traffic class field, flow label field, payload length field, next header field, hop limit field, source address field, and destination address field. The version field may identify the version of IP protocol. This field may be set to 6 for IPv6. The traffic class field may allow a source node or router to distinguish between different priorities of packets. The flow label field may identify a flow (e.g., a group of packets that have the same source and destination addresses) to which packet 100 belongs. The payload length field specifies the length of the payload of packet 100. The payload of packet 100 may include extension headers 104 and load 106. The next header field may identify extension header 104-1 (i.e., the header that immediately follows header 102). The hop limit field indicates the maximum number of hops that packet 100 can be forwarded. The source address field and the destination address field may identify the source and destination addresses for packet 100.
  • Extension header 104 may define one or more parameters that describe packet 100. Extension header 104 may include, for example, a hop-by-hop header, routing header, fragment header, authentication header, destination options header, etc. For packet 100 to be compliant with IPv6 standards and/or specifications (e.g., Internet Engineering Task Force (IETF) Request for comments (RFC) 2460), extension headers 104 must be in a specific order. For example, the hop-by-hop header must precede the fragment header.
  • The hop-by-hop header may include optional information that must be examined by every network device/node along packet 100's path. The routing header may list network devices/nodes that are to be visited by packet 100 on its path toward its destination. The fragment header may describe a relative location, within an original packet from which a fragment is derived, of the fragment that packet 100 carries. The source node may have fragmented the original packet into several fragment packets, for example, due to the size of the original packet. The fragment packets may be reassembled into the original packet at the destination of packet 100.
  • The authentication header may specify a method by which authentication may be performed. In addition, the authentication header may include information that may be used for the authentication. Destination options header may include information that needs to be examined by the destination node. Although extension header 104 may include other types of headers, they are not described for simplicity.
  • Load 106 may include data that packet 100 carries. Load 106 may or may not include additional headers or header-related information.
  • In FIG. 1, packet 100 may be “bad” when extension headers 104 include one or more duplicate copies of an extension header or two or more of one type of header (e.g., hop-by-hop header, routing header, etc.) with conflicting information. Packet 100 may also be bad when extension headers 104 are out-of-sequence. In a valid IPv6 packet, extension packet headers 104 must be in a specific sequence (e.g., a hop-by-hop header, if present in packet 100, must precede other extension headers 104). Further, packet 100 may be bad when packet 100 includes an invalid fragment header. For example, the fragment header of packet 100 may incorrectly specify that data in payload 106 of packet 100 is a fragment of data whose portions are carried by three other packets.
  • FIG. 2 illustrates an exemplary network 200 in which concepts described herein may be implemented. As shown, network may include network 202 and honeynet 204 (or honey net 204). Depending on the implementation, network 200 may include additional, fewer, different, or a different arrangement of networks and devices than those illustrated in FIG. 2.
  • Network 202 may include the Internet, an intranet, a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), a cellular network, a public switched telephone network (PSTN), an optical network, a wireless network (e.g., Wi-Fi, WiMax, etc.), a wired network, a packet switched network (e.g., IPv6 and/or IPv4), an ad hoc network, any other network, or a combination of one or more networks.
  • Honey net 204 may include one or more network devices or resources (e.g., files, records, etc.) for trapping or recording packet activities. By monitoring such packets, honey net 204 may determine the purpose and/or effect that the packets may have in a network.
  • As further shown, network 202 may include network devices 206-1 through 206-M (network devices 206). Network device 206 may include, for example, a router, switch, gateway, server, personal computer, mobile computer (e.g., mobile router, laptop computer, tablet computer, cellular phone, etc.), etc. Although network device 206 may be implemented as any computer-like network device with an Internet Protocol (IP) stack, in the following description, network device 206 is described in terms of a router (e.g., router 206 or routers 206).
  • Router 206 may perform routing, forwarding, and packet header sanitization. In performing the routing function, router 206 may exchange messages with other network devices through routing protocols to discover information about reachability of destinations, the network topology, and costs associated with routes. This information is stored in the Routing Information Base (RIB). Best paths for the destinations and their associated egress interfaces (e.g., line cards) are determined and stored in the forwarding information base (FIB).
  • In performing the forwarding function and the packet header sanitization function, router 206 may receive packets from one or more physical communication interfaces/ports, classify the packets, and determine required processing (e.g., deep packet inspection and/or packet header sanitization) based on the packet headers.
  • To forward the packets, router 206 may determine their destinations, and transmit the packets on one or more physical or logical communication interfaces/ports in accordance with the determined destinations or other properties of the packets based on information provided by the FIB. To sanitize the packets, router 206 may examine the packet header for duplicate headers or multiple instances of a particular header type, out-of-sequence headers, fragment header, etc.
  • FIG. 3 is a block diagram illustrating exemplary components of router 206. As shown, router 206 may include a processor 302, network interface 304, memory 306, and storage 308. These components may be distributed over different line cards (e.g., ingress line cards for receiving packets, egress line cards for sending packets, etc.), service modules for processing packet headers (e.g., sanitizing packets, etc.), a control module (e.g., a central module for controlling the line cards and/or service modules, for performing the routing function, etc.), etc. Depending on the implementation, router 206 may include additional, fewer, or different components than those illustrated in FIG. 3.
  • Processor 302 may include one or more processors, microprocessors, Application Specific Integrated Circuits (ASICs), and/or Field Programmable Gate Arrays (FPGAs), and/or other processing logic. In some implementations, processor 302 may include processors that are dedicated to specific functions, such as packet processing, packet forwarding, memory management, etc.
  • Network interface 304 may include one or more physical or logical communication ports that enable router 206 to communicate with other devices. Via the physical ports, network interface 304 may communicate via a network, such as the Internet, a terrestrial wireless network (e.g., a WLAN), a satellite-based network, etc.
  • Memory 306 may include a static memory, such as read only memory (ROM), and/or dynamic memory, such as random access memory (e.g., DRAM, SDRAM, SRAM, etc.), content addressable memory (CAM), or onboard cache, for storing data and machine-readable instructions. For example, a component of memory 306 may provide, for example, space for queuing packets, packet headers, etc., before the packets are sent toward one or more egress line cards/service modules via a switch fabric.
  • Storage 308 may include a hard disk drive, solid state drive, flash drive, floppy disk, CD ROM, CD read/write (R/W) disc, digital video disc (DVD) reader/writer, as well as other types of storage devices for storing data and/or machine-readable instructions (e.g., a program, script, etc.). Depending on the context, the term “memory,” “storage,” “storage device,” and/or “storage unit” may be used interchangeably. For example, a “computer-readable storage device” may refer to both a memory and/or storage device.
  • FIG. 4 is a block diagram illustrating exemplary functional components of router 206. As shown, router 206 may include routing logic 402, packet processing logic 404, and header sanitization logic 406. Depending on the implementation, router 206 may include additional, fewer, or different components than those illustrated in FIG. 4. For example, router 206 may include a component for storing/measuring flow statistics. Although router 206 may include other components, such as a RIB or FIB, they are not illustrated for simplicity.
  • Routing logic 402 may gather or disseminate routing information from/to other routers 206 in accordance with routing/signaling protocols (e.g., open shortest path first (OSPF), interior gateway routing protocol (IGRP), multiprotocol label switching (MPLS) protocol, etc.), organize the routing information in a lookup table, such as a RIB, a label information base (LIB), etc. In another example, routing logic 402 may create a lookup table (e.g., a FIB, a forwarding label information base (FLIB), etc.) and distribute the lookup table to line cards, on which packet processing logic 404 may be implemented.
  • Packet processing logic 404 may place packets that are received at a line card/service module in queues where they are temporarily held, and forward them to an egress line card or another service module based on information in a FIB or based on packet headers. Packet processing logic 404 may also perform other processing, such as classifying packets, collecting flow statistics, logging, etc.
  • Header sanitization logic 406 may sanitize packet headers. In one implementation, header sanitization logic 406 may fix, drop, and/or re-route packets with duplicate headers or multiple headers of a same type, out-of-sequence headers, and/or invalid fragment headers. Depending on the implementation, header sanitization logic 406 may also sanitize other types of errors, such as an invalid extension header other than fragment header (e.g., invalid hop-by-hop header, authentication header, etc.), bad labels, bad routing headers (e.g., not all addresses in the routing header are valid), etc.
  • In some implementations, header sanitization logic 406 may be implemented on a single service module or distributed over several components. In the latter implementations, headers of a packet may “bounce” from one service module to another via a switch fabric until all of the headers are processed and sanitized. Thereafter, header sanitization logic 406 may drop the packet or send the packet to a deep inspection module, honey net 204, etc.
  • FIG. 5 illustrates an overview of an exemplary process associated with sanitizing packet headers. In this example, header sanitization logic 406 may process packet 502 to produce packet 504, packet 506, or packet 508. Although not illustrated, depending on the implementation, header sanitization logic 406 may perform other types of packet sanitization (e.g., detecting other types of invalid extension headers).
  • As further shown, packet 502 may include a basic header 510, extension header A 512, extension header B 514, extension header A 516, extension header C 518, and load 520. Extension header A 516 may either be a duplicate of extension header A 512 or the same type of header as extension header A 512. Extension header A 512/516 may include, for example, a hop-by-hop header, routing header, authentication header, etc. It is assumed that extension headers A 512 and 516 are not destination options headers in the following order: once before a routing header of IPv6 and an upper-layer header of IPv6.
  • In FIG. 5, header sanitization logic 406 may process packet 502 in one of three ways. For example, header sanitization logic 406 may strip duplicate extension header A 516 from packet 502 to produce packet 504. In FIG. 5, this is illustrated by extension header A 516 being shown via the dotted arrow originating from packet 504 and pointing to a garbage can icon 522. In addition, header sanitization logic 406 may send packet 504 to its destination device 524 (e.g., via an egress line card), as illustrated by a solid arrow pointing from packet 504 to destination device 524.
  • In another example, sanitization logic 406 may remove both extension header A 512 and extension header A 516 from packet 502 to obtain packet 506. In FIG. 5, this is illustrated by headers A 512 and headers A 516 being shown via the dotted arrows that originate from packet 506 and point to garbage can icon 522. In addition, header sanitization logic 406 may send packet 506 to destination device 524 via an egress line card, as illustrated by the solid arrow from packet 506 to destination device 524.
  • In yet another example, sanitization logic 406 may retain original packet 502, which is also shown as packet 508 in FIG. 5. Subsequently, header sanitization logic 406 may drop packet 508, as illustrated by the dotted arrow from packet 508 to garbage can icon 522, or alternatively, send packet 508 to honey net 204, as illustrated by the dotted arrow from packet 508 to honey net 204. In honey net 204, a honey pot and/or other devices may analyze packet 508, observe packet 508's behavior, and/or obtain other properties of packet 508.
  • FIG. 6 illustrates an overview of another exemplary process associated with sanitizing packet headers. In this example, header sanitization logic 406 may process packet 602 to produce packet 604, packet 606, or packet 608. Although not illustrated, depending on the implementation, header sanitization logic 406 may perform other types of packet sanitization.
  • As further shown, packet 602 may include a basic header 510, extension header B 514, extension header A 512, extension header C 518, and payload 520. In this example, extension header B 514, extension header A 514, and extension header C 518 are out-of-sequence.
  • In FIG. 6, header sanitization logic 406 may process packet 602 in one of three ways. For example, header sanitization logic 406 may re-sequence extension header B 514, extension header A 512, and extension header C 518 in packet 602 to obtain packet 604. In packet 604, the extension headers are in the following sequence: extension header A 512, extension header B 514, and extension header C 518. In addition, header sanitization logic 406 may send packet 604 to destination device 524, as illustrated by the solid arrow originating from packet 604 to destination device 524.
  • In another example, header sanitization logic 406 may remove extension header B 514 from packet 602 to obtain packet 606, which includes extension header A 512 and extension header C 518. The header removal is illustrated by header B 514 via the dotted arrow that originates from packet 606 and points to garbage can icon 522. In a different implementation or configuration, header sanitization logic 406 may remove header A 512 from packet 602 instead of header B 514 to sanitize packet 602. After the removal of extension header B 514 (or extension header A 512), header sanitization logic 406 may send packet 606 to destination device 524, as illustrated by the solid arrow from packet 606 to destination device 524.
  • In yet another example, sanitization logic 406 may retain original packet 602, which is also shown as packet 608 in FIG. 6. Subsequently, header sanitization logic 406 may drop packet 608, as illustrated via the dotted arrow from packet 608 to garbage can icon 522, or alternatively, send packet 608 to honey net 204, as illustrated by the dotted arrow from packet 608 to honey net 204.
  • FIGS. 7 through 9 are flow diagrams of exemplary processes whose overview are illustrated by FIG. 5 and FIG. 6. FIG. 7 is a flow diagram of an exemplary process 700 associated with sanitizing a packet with multiple copies of a header or multiple headers of the same type. As shown in FIG. 7, process 700 may begin when router 206 receives a packet (e.g., IPv6 packet). Router 206 may internally pass the packet headers of the received packet to header sanitization logic 406.
  • Header sanitization logic 406 may determine whether the packet includes duplicate headers and/or multiple headers of the same type (block 704). If the packet does not include duplicate headers or multiple headers of the same type (block 704-NO), process 700 may proceed to process 800, for sanitizing out-of-sequence packet headers. Otherwise (block 704-YES), process 700 may proceed to block 705.
  • If the duplicate headers or the multiple headers of one type are two destination options headers of IPv6 in a specific order (e.g., one of the two destination options appears before a routing header and the other of the two destination options headers appears before an upper-layer header) (block 705-YES), process 700 may go to process 800. Otherwise (block 705-NO), process 700 proceed to block 706.
  • If header sanitization logic 406 is configured to drop the packet with duplicate headers or multiple headers of the same type (block 706-YES), header sanitization logic 406 may drop the packet (block 708). Otherwise (block 706-NO), process 700 may proceed to block 710.
  • If header sanitization logic 406 is configured to strip off all but one of the duplicate headers or all but one of the same type of headers (block 710-YES), header sanitization logic 406 may strip off all but one of the duplicate headers or all but one of the same type of headers (block 712). In stripping off the headers, header sanitization logic 406 may retain, in the packet, the extension header whose position is valid. For example, in FIG. 5, header sanitization logic 406 removes header A 516 to obtain packet 504 and does not remove header A 512. Furthermore, header sanitization logic 406 may rewrite or correct next header fields within the remaining extensions headers, such that the extension headers remain valid. Thereafter, process 700 may proceed to process 800, for sanitizing out-of-sequence packet headers.
  • If header sanitization logic 406 is not configured to strip off all but one of the duplicate header or all but one of the same type of headers (block 710-NO), process 700 may proceed to block 714. At block 714, if header sanitization logic 406 is configured to strip off all of the duplicate headers or all of the same type of headers (block 714-YES), header sanitization logic 406 may remove all duplicate headers or all of the same type of headers (block 716). As at block 712, header sanitization logic 406 may rewrite the next header fields of the remaining extension headers in the packet. Thereafter, process 700 may proceed to process 800.
  • If header sanitization logic 406 is not configured to strip off all of the duplicate headers or all of the same type of headers (block 714-NO), header sanitization logic 406 may send the received packet to an alternate destination (block 718) (e.g., honey net 204).
  • FIG. 8 is a flow diagram of an exemplary process 800 associated with sanitizing a packet with out-of-sequence headers. As shown in FIG. 8, process 800 may start with header sanitization logic 406 determining whether the packet includes headers in a sequence that is compliant with a particular standard or specification (e.g., RFC 2460) (block 802). If the packet headers are in an order that is compliant with the standard/specification (block 802-YES), process 800 may proceed to process 900, for sanitizing packets with an invalid fragment header. If the packet headers are not in an order compliant with the standard/specification, process 800 may proceed to block 804.
  • If header sanitization logic 406 is configured to fix the out-of-sequence headers (block 804-YES), header sanitization logic 406 may shuffle or move the headers of the packet and arrange the headers in a correct order (block 806). In addition, header sanitization logic 406 may rewrite the next header field in each of the extension headers to reflect the header reorganization. Thereafter, header sanitization logic 406 may apply process 900, for sanitizing packets with invalid fragment headers, to the packet.
  • If header sanitization logic 406 is not configured to fix the headers (block 804-NO), process 800 may proceed to block 808. At block 808, if header sanitization logic 406 is configured to send the packet (block 808-YES), header sanitization logic 406 may send the packet to an alternate destination (block 810) (e.g., honey net 204). Otherwise (block 808-NO), header sanitization logic 406 may drop the packet (block 812).
  • FIG. 9 is a flow diagram of an exemplary process 900 associated with sanitizing a packet with an invalid fragment header. Process 900 may begin with header sanitization logic 406 determining whether the packet includes a fragment header (block 902). If the packet does not include a fragment header (block 902-NO), header sanitization logic 406 may send the packet to its destination (block 904). If the packet includes a fragment header (block 902-YES), header sanitization logic 406 may store the packet and/or the packet header (block 906) in memory 306. Header sanitization logic 406 may use the stored packet and/or the header when header sanitization logic 406 examines another packet that carries a fragment from the same original packet as the stored packet.
  • Header sanitization logic 406 may determine whether the fragment header of the packet includes an offset value that, when the value is used to aggregate the fragment from the received packet with other fragments (e.g., from other stored packets), does not result in overwriting the other fragments with the fragment from the received packet.
  • For example, assume that a first packet and a second packet carry, respectively, a first fragment and a second fragment of an original packet. Assume that each fragment is 1024 bytes long, and the offset value in the fragment header of the second packet specifies 8 bytes. When the first and second fragments are reassembled at the destination node of the first and second packets, the second fragment from the second packet may overwrite the fragment from the first packet, in accordance with the offset value. If the first fragment in the first packet includes extension headers, these headers may be overwritten during the reassembly of the fragments. Determining whether such overwriting can occur may be equivalent to determining whether the offset values of successive packets that carry the fragments of the original packet are progressive (i.e., increasing in order).
  • If header sanitization logic 406 determines that an overwriting will not occur (block 908-NO), header sanitization logic 406 may forward the packet to the original destination of the received packet (block 910). Otherwise (block 908-NO), process 900 may proceed to block 912.
  • If header sanitization logic 406 is configured to send the received packet to an alternate destination (block 912-YES), header sanitization logic 406 may send the packet to the alternate destination (block 914) (e.g., honey net 204). Otherwise (block 912-NO), header sanitization logic 406 may drop the packet (block 916).
  • In processes 700, 800, and 900, network device 206 may sanitize a bad packet. A bad packet may include two or more duplicate headers or headers of the same type, out-of-sequence headers, and/or an invalid fragment header. By sanitizing the bad packet, network device 206 may prevent the packet from, for example, accessing a secure network, destroying and/or damaging files, stealing information, creating security holes, spreading computer viruses and/or malware, etc.
  • In this specification, various preferred embodiments have been described with reference to the accompanying drawings. It will, however, be evident that various modifications and changes may be made thereto, and additional embodiments may be implemented, without departing from the broader scope of the invention as set forth in the claims that follow. The specification and drawings are accordingly to be regarded in an illustrative rather than restrictive sense.
  • For example, after having checked a packet's header or having sanitized the packet's headers, network device 206 may perform additional operations. For example, network device 206 may add another header, such as a destination options header to include notes on actions that were performed on the packet (e.g., verification of extension headers, modification of extension headers, re-routing of the packet, etc.) before forwarding the packet to honey net 204, to its original destination, and/or to another destination. Alternatively, network device 206 may send an Internet Control Message Protocol (ICMP) message or an email message to the original destination of the packet or to another destination, to notify the destination of the operations that were performed. In some implementations, network device 206 may update a file and/or database, which may be on network device 206 or another device, to reflect the operations that were performed on the packet and/or modifications that were made to the packet.
  • In the above, while series of blocks have been described with regard to the processes illustrated in FIGS. 7 through 9, the order of the blocks may be modified in other implementations. In addition, non-dependent blocks may represent blocks that can be performed in parallel. Furthermore, some of the blocks may be omitted in different implementations.
  • It will be apparent that aspects described herein may be implemented in many different forms of software, firmware, and hardware in the implementations illustrated in the figures. The actual software code or specialized control hardware used to implement aspects does not limit the invention. Thus, the operation and behavior of the aspects were described without reference to the specific software code—it being understood that software and control hardware can be designed to implement the aspects based on the description herein.
  • No element, block, or instruction used in the present application should be construed as critical or essential to the implementations described herein unless explicitly described as such. Also, as used herein, the article “a” is intended to include one or more items. Further, the phrase “based on” is intended to mean “based, at least in part, on” unless explicitly stated otherwise.

Claims (20)

What is claimed is:
1. A method comprising:
receiving, at a network device, a packet;
determining whether the packet includes two or more headers of a same type;
modifying the packet to correct for the two or more headers of the same type when the packet includes the two or more headers of the same type;
determining whether the packet includes out-of-sequence headers; and
modifying the packet to correct for the out-of-sequence headers when the packet includes the out-of-sequence headers.
2. The method of claim 1, wherein modifying the packet to correct for the two or more headers of the same type includes one of:
removing, from the packet, all but one of the two or more headers of the same type; or
removing all of the two or more headers of the same type from the packet.
3. The method of claim 1, further comprising:
determining whether the packet includes duplicate headers; and one of:
removing, from the packet, all but one of the duplicate headers; or
removing all of the duplicate headers from the packet.
4. The method of claim 1, wherein determining whether the packet includes out-of-sequence headers includes determining whether an order in which extension headers of the packet are placed in the packet complies with an order specified by standards or convention related to a communication protocol.
5. The method of claim 1, wherein modifying the packet to correct for the out-of-sequence headers includes:
reordering, in the packet, the out-of-sequence headers; or
removing, from the packet, one or more of headers in the out-of-sequence headers.
6. The method of claim 5, further comprising:
rewriting next header fields in extension headers of the packet.
7. The method of claim 1, further comprising:
sending the packet to an original destination of the packet; or
sending the packet to an alternate destination.
8. The method of claim 1, further comprising:
dropping the packet, at the network device, when the network device is not configured to send the packet to another device.
9. The method of claim 1, further comprising:
determining whether the packet includes an invalid fragment header; and
sending the packet to another device if the packet does not include an invalid fragment header.
10. The method of claim 9, further comprising:
dropping the packet if the packet includes the invalid fragment header.
11. The method of claim 9, wherein determining whether the packet includes an invalid fragment header includes:
determining whether the packet includes a second fragment that would overwrite a first fragment in another packet if the first fragment and the second fragment are assembled in accordance with an offset value in the invalid fragment header.
12. The method of claim 9, wherein determining whether the packet includes an invalid fragment header includes:
determining whether the packet includes a fragment header; and
when the packet includes the fragment header, storing the packet or a portion of the packet, to determine, at a later time, whether a first fragment in another packet will overwrite a second fragment in the packet if the first fragment and the second fragment are assembled in accordance with an offset value in a fragment header of the other packet.
13. The method of claim 1, further comprising:
determining whether the packet includes an invalid extension header.
14. A device comprising:
a line interface to receive a packet and send the packet;
one or more processors configured to:
determine whether the packet includes two or more headers of a same type;
modify the packet when the packet includes the two or more headers of the same type;
determine whether the packet includes out-of-sequence headers;
modify the packet when the packet includes the out-of-sequence headers;
determine whether the packet includes an invalid fragment header; and
forward the packet to another device when the device is configured to forward the packet and the packet includes the invalid fragment header.
15. The device of claim 14, wherein the device comprises a device that includes an Internet Protocol (IP) stack.
16. The device of claim 14, wherein the packet includes:
an Internet Protocol (IP) packet.
17. The device of claim 14, wherein the other device includes a honey pot for monitoring the packet.
18. The device of claim 14, wherein the two or more headers of the same type include at least one of:
a hop-by-hop header, routing header, or authentication header.
19. The device of claim 14, wherein the one of more processors are further configured to:
rewrite next header fields of extension headers of the packet when the processor modifies the packet for the out-of-sequence headers.
20. A computer-readable storage device, including one or more computer-executable instructions, the computer-executable instructions causing one or more processors executing the instructions to:
receive, at a device, a packet;
determine whether the packet includes duplicate headers;
remove all but one of the duplicate headers from the packet when the packet includes the duplicate headers;
determine whether the packet includes out-of-sequence headers;
reorder, in the packet, the out-of-sequence headers when the packet includes the out-of-sequence headers;
determine whether the packet includes an invalid fragment header; and
send the packet from the device toward a destination of the packet when the packet does not include the invalid fragment header.
US12/883,243 2010-09-16 2010-09-16 Sanitizing packet headers Active 2031-05-17 US8824472B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/883,243 US8824472B2 (en) 2010-09-16 2010-09-16 Sanitizing packet headers

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/883,243 US8824472B2 (en) 2010-09-16 2010-09-16 Sanitizing packet headers

Publications (2)

Publication Number Publication Date
US20120069845A1 true US20120069845A1 (en) 2012-03-22
US8824472B2 US8824472B2 (en) 2014-09-02

Family

ID=45817724

Family Applications (1)

Application Number Title Priority Date Filing Date
US12/883,243 Active 2031-05-17 US8824472B2 (en) 2010-09-16 2010-09-16 Sanitizing packet headers

Country Status (1)

Country Link
US (1) US8824472B2 (en)

Cited By (42)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120117267A1 (en) * 2010-04-01 2012-05-10 Lee Hahn Holloway Internet-based proxy service to limit internet visitor connection speed
US20130077530A1 (en) * 2011-09-28 2013-03-28 Cisco Technology, Inc. Scaling IPv6 on Multiple Devices Virtual Switching System with Port or Device Level Aggregation
US20140269721A1 (en) * 2013-03-15 2014-09-18 Cisco Technology, Inc. Segment routing over label distribution protocol
US8948020B2 (en) * 2012-12-11 2015-02-03 International Business Machines Corporation Detecting and isolating dropped or out-of-order packets in communication networks
US9049247B2 (en) 2010-04-01 2015-06-02 Cloudfare, Inc. Internet-based proxy service for responding to server offline errors
US20150188885A1 (en) * 2013-12-31 2015-07-02 Fortinet, Inc EXAMINING AND CONTROLLING IPv6 EXTENSION HEADERS
US9319312B2 (en) 2013-05-17 2016-04-19 Cisco Technology, Inc. Segment routing mapping server for LDP/SR interoperability
US9342620B2 (en) 2011-05-20 2016-05-17 Cloudflare, Inc. Loading of web resources
US9369371B2 (en) 2012-10-05 2016-06-14 Cisco Technologies, Inc. Method and system for path monitoring using segment routing
US9401858B2 (en) 2014-06-30 2016-07-26 Cisco Technology, Inc. Loop avoidance during network convergence in switched networks
US9537769B2 (en) 2013-03-15 2017-01-03 Cisco Technology, Inc. Opportunistic compression of routing segment identifier stacks
US9559954B2 (en) 2013-03-11 2017-01-31 Cisco Technology, Inc. Indexed segment ID
US9565160B2 (en) 2013-03-11 2017-02-07 Cisco Technology, Inc. Advertisement of adjacency segment identifiers
US9749227B2 (en) 2012-10-05 2017-08-29 Cisco Technology, Inc. MPLS segment-routing
US9762488B2 (en) 2014-03-06 2017-09-12 Cisco Technology, Inc. Segment routing extension headers
US9807001B2 (en) 2014-07-17 2017-10-31 Cisco Technology, Inc. Segment routing using a remote forwarding adjacency identifier
US10122614B2 (en) 2015-02-26 2018-11-06 Cisco Technology, Inc. Failure protection for traffic-engineered bit indexed explicit replication
US10171547B2 (en) 2011-10-11 2019-01-01 Cisco Technology, Inc. Neighbor discovery for IPV6 switching systems
US10212076B1 (en) 2012-12-27 2019-02-19 Sitting Man, Llc Routing methods, systems, and computer program products for mapping a node-scope specific identifier
US10263881B2 (en) 2016-05-26 2019-04-16 Cisco Technology, Inc. Enforcing strict shortest path forwarding using strict segment identifiers
JP2019062526A (en) * 2017-08-31 2019-04-18 コニカ ミノルタ ラボラトリー ユー.エス.エー.,インコーポレイテッド Method and system with application for IPV 6 extension header and destination option
US10367737B1 (en) 2012-12-27 2019-07-30 Sitting Man, Llc Routing methods, systems, and computer program products
US10374938B1 (en) 2012-12-27 2019-08-06 Sitting Man, Llc Routing methods, systems, and computer program products
US10397101B1 (en) 2012-12-27 2019-08-27 Sitting Man, Llc Routing methods, systems, and computer program products for mapping identifiers
US10397100B1 (en) 2012-12-27 2019-08-27 Sitting Man, Llc Routing methods, systems, and computer program products using a region scoped outside-scope identifier
US10404583B1 (en) 2012-12-27 2019-09-03 Sitting Man, Llc Routing methods, systems, and computer program products using multiple outside-scope identifiers
US10404582B1 (en) 2012-12-27 2019-09-03 Sitting Man, Llc Routing methods, systems, and computer program products using an outside-scope indentifier
US10411998B1 (en) 2012-12-27 2019-09-10 Sitting Man, Llc Node scope-specific outside-scope identifier-equipped routing methods, systems, and computer program products
US10411997B1 (en) 2012-12-27 2019-09-10 Sitting Man, Llc Routing methods, systems, and computer program products for using a region scoped node identifier
US10419335B1 (en) 2012-12-27 2019-09-17 Sitting Man, Llc Region scope-specific outside-scope indentifier-equipped routing methods, systems, and computer program products
US10419334B1 (en) 2012-12-27 2019-09-17 Sitting Man, Llc Internet protocol routing methods, systems, and computer program products
US10447575B1 (en) 2012-12-27 2019-10-15 Sitting Man, Llc Routing methods, systems, and computer program products
US10476787B1 (en) 2012-12-27 2019-11-12 Sitting Man, Llc Routing methods, systems, and computer program products
US10587505B1 (en) 2012-12-27 2020-03-10 Sitting Man, Llc Routing methods, systems, and computer program products
US20210135986A1 (en) * 2018-07-13 2021-05-06 Huawei Technologies Co., Ltd. Mpls extension headers for in-network services
US11032197B2 (en) 2016-09-15 2021-06-08 Cisco Technology, Inc. Reroute detection in segment routing data plane
US11201820B2 (en) 2018-09-05 2021-12-14 Huawei Technologies Co., Ltd. Segment routing in MPLS network
US20220021648A1 (en) * 2020-07-16 2022-01-20 Twistlock, Ltd. Distributed identity-based firewall policy evaluation
US20220200893A1 (en) * 2019-09-11 2022-06-23 Huawei Technologies Co., Ltd. Data Transmission Control Method and Apparatus
US20220303210A1 (en) * 2021-03-16 2022-09-22 Arris Enterprises Llc Preservation of priority traffic in communications systems
US20220329523A1 (en) * 2016-02-29 2022-10-13 Cisco Technology, Inc. System and method for dataplane-signaled packet capture in ipv6 environment
US11722404B2 (en) 2019-09-24 2023-08-08 Cisco Technology, Inc. Communicating packets across multi-domain networks using compact forwarding instructions

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5716712B2 (en) * 2012-07-24 2015-05-13 横河電機株式会社 Packet transfer apparatus and method
US10264002B2 (en) * 2016-07-14 2019-04-16 Mitsui Bussan Secure Directions, Inc. Program, information processing device, and information processing method

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020042875A1 (en) * 2000-10-11 2002-04-11 Jayant Shukla Method and apparatus for end-to-end secure data communication
US20070147376A1 (en) * 2005-12-22 2007-06-28 Sun Microsystems, Inc. Router-assisted DDoS protection by tunneling replicas
US20070147382A1 (en) * 2005-12-09 2007-06-28 Kim Byoung K Method of storing pattern matching policy and method of controlling alert message
US20090028144A1 (en) * 2007-07-23 2009-01-29 Christopher Douglas Blair Dedicated network interface
US20090183260A1 (en) * 2004-05-04 2009-07-16 Symantec Corporation Detecting network evasion and misinformation
US7602731B2 (en) * 2004-12-22 2009-10-13 Intruguard Devices, Inc. System and method for integrated header, state, rate and content anomaly prevention with policy enforcement
US7626940B2 (en) * 2004-12-22 2009-12-01 Intruguard Devices, Inc. System and method for integrated header, state, rate and content anomaly prevention for domain name service
US20110040897A1 (en) * 2002-09-16 2011-02-17 Solarflare Communications, Inc. Network interface and protocol
US20110173514A1 (en) * 2003-03-03 2011-07-14 Solarflare Communications, Inc. Data protocol
US20120023330A1 (en) * 2000-08-28 2012-01-26 Russell Andrew Fink Method and apparatus for providing adaptive self-synchronized dynamic address translation as an intrusion detection sensor

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120023330A1 (en) * 2000-08-28 2012-01-26 Russell Andrew Fink Method and apparatus for providing adaptive self-synchronized dynamic address translation as an intrusion detection sensor
US20020042875A1 (en) * 2000-10-11 2002-04-11 Jayant Shukla Method and apparatus for end-to-end secure data communication
US20110040897A1 (en) * 2002-09-16 2011-02-17 Solarflare Communications, Inc. Network interface and protocol
US20110173514A1 (en) * 2003-03-03 2011-07-14 Solarflare Communications, Inc. Data protocol
US20090183260A1 (en) * 2004-05-04 2009-07-16 Symantec Corporation Detecting network evasion and misinformation
US7602731B2 (en) * 2004-12-22 2009-10-13 Intruguard Devices, Inc. System and method for integrated header, state, rate and content anomaly prevention with policy enforcement
US7626940B2 (en) * 2004-12-22 2009-12-01 Intruguard Devices, Inc. System and method for integrated header, state, rate and content anomaly prevention for domain name service
US20070147382A1 (en) * 2005-12-09 2007-06-28 Kim Byoung K Method of storing pattern matching policy and method of controlling alert message
US20070147376A1 (en) * 2005-12-22 2007-06-28 Sun Microsystems, Inc. Router-assisted DDoS protection by tunneling replicas
US20090028144A1 (en) * 2007-07-23 2009-01-29 Christopher Douglas Blair Dedicated network interface

Cited By (139)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10855798B2 (en) 2010-04-01 2020-12-01 Cloudfare, Inc. Internet-based proxy service for responding to server offline errors
US9634993B2 (en) 2010-04-01 2017-04-25 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US12001504B2 (en) 2010-04-01 2024-06-04 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US10169479B2 (en) * 2010-04-01 2019-01-01 Cloudflare, Inc. Internet-based proxy service to limit internet visitor connection speed
US9009330B2 (en) * 2010-04-01 2015-04-14 Cloudflare, Inc. Internet-based proxy service to limit internet visitor connection speed
US9049247B2 (en) 2010-04-01 2015-06-02 Cloudfare, Inc. Internet-based proxy service for responding to server offline errors
US11675872B2 (en) 2010-04-01 2023-06-13 Cloudflare, Inc. Methods and apparatuses for providing internet-based proxy services
US20160014087A1 (en) * 2010-04-01 2016-01-14 Cloudflare, Inc. Internet-based proxy service to limit internet visitor connection speed
US11494460B2 (en) 2010-04-01 2022-11-08 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US9548966B2 (en) 2010-04-01 2017-01-17 Cloudflare, Inc. Validating visitor internet-based security threats
US10243927B2 (en) 2010-04-01 2019-03-26 Cloudflare, Inc Methods and apparatuses for providing Internet-based proxy services
US9369437B2 (en) 2010-04-01 2016-06-14 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US10313475B2 (en) 2010-04-01 2019-06-04 Cloudflare, Inc. Internet-based proxy service for responding to server offline errors
US11244024B2 (en) 2010-04-01 2022-02-08 Cloudflare, Inc. Methods and apparatuses for providing internet-based proxy services
US10984068B2 (en) 2010-04-01 2021-04-20 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US10922377B2 (en) * 2010-04-01 2021-02-16 Cloudflare, Inc. Internet-based proxy service to limit internet visitor connection speed
US10872128B2 (en) 2010-04-01 2020-12-22 Cloudflare, Inc. Custom responses for resource unavailable errors
US10853443B2 (en) 2010-04-01 2020-12-01 Cloudflare, Inc. Internet-based proxy security services
US20120117267A1 (en) * 2010-04-01 2012-05-10 Lee Hahn Holloway Internet-based proxy service to limit internet visitor connection speed
US10671694B2 (en) 2010-04-01 2020-06-02 Cloudflare, Inc. Methods and apparatuses for providing internet-based proxy services
US11321419B2 (en) * 2010-04-01 2022-05-03 Cloudflare, Inc. Internet-based proxy service to limit internet visitor connection speed
US10621263B2 (en) * 2010-04-01 2020-04-14 Cloudflare, Inc. Internet-based proxy service to limit internet visitor connection speed
US9565166B2 (en) 2010-04-01 2017-02-07 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US10585967B2 (en) 2010-04-01 2020-03-10 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US10102301B2 (en) 2010-04-01 2018-10-16 Cloudflare, Inc. Internet-based proxy security services
US10452741B2 (en) 2010-04-01 2019-10-22 Cloudflare, Inc. Custom responses for resource unavailable errors
US9628581B2 (en) 2010-04-01 2017-04-18 Cloudflare, Inc. Internet-based proxy service for responding to server offline errors
US9634994B2 (en) 2010-04-01 2017-04-25 Cloudflare, Inc. Custom responses for resource unavailable errors
US9342620B2 (en) 2011-05-20 2016-05-17 Cloudflare, Inc. Loading of web resources
US9769240B2 (en) 2011-05-20 2017-09-19 Cloudflare, Inc. Loading of web resources
US20130077530A1 (en) * 2011-09-28 2013-03-28 Cisco Technology, Inc. Scaling IPv6 on Multiple Devices Virtual Switching System with Port or Device Level Aggregation
US10171547B2 (en) 2011-10-11 2019-01-01 Cisco Technology, Inc. Neighbor discovery for IPV6 switching systems
US10469370B2 (en) 2012-10-05 2019-11-05 Cisco Technology, Inc. Segment routing techniques
US9749227B2 (en) 2012-10-05 2017-08-29 Cisco Technology, Inc. MPLS segment-routing
US9369371B2 (en) 2012-10-05 2016-06-14 Cisco Technologies, Inc. Method and system for path monitoring using segment routing
US10218610B2 (en) 2012-10-05 2019-02-26 Cisco Technology, Inc. MPLS segment routing
US9929946B2 (en) 2012-10-05 2018-03-27 Cisco Technology, Inc. Segment routing techniques
US8948020B2 (en) * 2012-12-11 2015-02-03 International Business Machines Corporation Detecting and isolating dropped or out-of-order packets in communication networks
US10419335B1 (en) 2012-12-27 2019-09-17 Sitting Man, Llc Region scope-specific outside-scope indentifier-equipped routing methods, systems, and computer program products
US10721164B1 (en) 2012-12-27 2020-07-21 Sitting Man, Llc Routing methods, systems, and computer program products with multiple sequences of identifiers
US12058042B1 (en) 2012-12-27 2024-08-06 Morris Routing Technologies, Llc Routing methods, systems, and computer program products
US11784914B1 (en) 2012-12-27 2023-10-10 Morris Routing Technologies, Llc Routing methods, systems, and computer program products
US11196660B1 (en) 2012-12-27 2021-12-07 Sitting Man, Llc Routing methods, systems, and computer program products
US11012344B1 (en) 2012-12-27 2021-05-18 Sitting Man, Llc Routing methods, systems, and computer program products
US10862791B1 (en) 2012-12-27 2020-12-08 Sitting Man, Llc DNS methods, systems, and computer program products
US10841198B1 (en) 2012-12-27 2020-11-17 Sitting Man, Llc Routing methods, systems, and computer program products
US10212076B1 (en) 2012-12-27 2019-02-19 Sitting Man, Llc Routing methods, systems, and computer program products for mapping a node-scope specific identifier
US10805204B1 (en) 2012-12-27 2020-10-13 Sitting Man, Llc Routing methods, systems, and computer program products
US10785143B1 (en) 2012-12-27 2020-09-22 Sitting Man, Llc Routing methods, systems, and computer program products
US10764171B1 (en) 2012-12-27 2020-09-01 Sitting Man, Llc Routing methods, systems, and computer program products
US10757020B2 (en) 2012-12-27 2020-08-25 Sitting Man, Llc Routing methods, systems, and computer program products
US10757010B1 (en) 2012-12-27 2020-08-25 Sitting Man, Llc Routing methods, systems, and computer program products
US10735306B1 (en) 2012-12-27 2020-08-04 Sitting Man, Llc Routing methods, systems, and computer program products
US10708168B1 (en) 2012-12-27 2020-07-07 Sitting Man, Llc Routing methods, systems, and computer program products
US10652133B1 (en) 2012-12-27 2020-05-12 Sitting Man, Llc Routing methods, systems, and computer program products
US10652150B1 (en) 2012-12-27 2020-05-12 Sitting Man, Llc Routing methods, systems, and computer program products
US10367737B1 (en) 2012-12-27 2019-07-30 Sitting Man, Llc Routing methods, systems, and computer program products
US10374938B1 (en) 2012-12-27 2019-08-06 Sitting Man, Llc Routing methods, systems, and computer program products
US10652134B1 (en) 2012-12-27 2020-05-12 Sitting Man, Llc Routing methods, systems, and computer program products
US10382327B1 (en) 2012-12-27 2019-08-13 Sitting Man, Llc Methods, systems, and computer program products for routing using headers including a sequence of node scope-specific identifiers
US10389625B1 (en) 2012-12-27 2019-08-20 Sitting Man, Llc Routing methods, systems, and computer program products for using specific identifiers to transmit data
US10389624B1 (en) 2012-12-27 2019-08-20 Sitting Man, Llc Scoped identifier space routing methods, systems, and computer program products
US10397101B1 (en) 2012-12-27 2019-08-27 Sitting Man, Llc Routing methods, systems, and computer program products for mapping identifiers
US10397100B1 (en) 2012-12-27 2019-08-27 Sitting Man, Llc Routing methods, systems, and computer program products using a region scoped outside-scope identifier
US10404583B1 (en) 2012-12-27 2019-09-03 Sitting Man, Llc Routing methods, systems, and computer program products using multiple outside-scope identifiers
US10404582B1 (en) 2012-12-27 2019-09-03 Sitting Man, Llc Routing methods, systems, and computer program products using an outside-scope indentifier
US10411998B1 (en) 2012-12-27 2019-09-10 Sitting Man, Llc Node scope-specific outside-scope identifier-equipped routing methods, systems, and computer program products
US10411997B1 (en) 2012-12-27 2019-09-10 Sitting Man, Llc Routing methods, systems, and computer program products for using a region scoped node identifier
US10594594B1 (en) 2012-12-27 2020-03-17 Sitting Man, Llc Routing methods, systems, and computer program products
US10419334B1 (en) 2012-12-27 2019-09-17 Sitting Man, Llc Internet protocol routing methods, systems, and computer program products
US10447575B1 (en) 2012-12-27 2019-10-15 Sitting Man, Llc Routing methods, systems, and computer program products
US10587505B1 (en) 2012-12-27 2020-03-10 Sitting Man, Llc Routing methods, systems, and computer program products
US10574562B1 (en) 2012-12-27 2020-02-25 Sitting Man, Llc Routing methods, systems, and computer program products
US10498642B1 (en) 2012-12-27 2019-12-03 Sitting Man, Llc Routing methods, systems, and computer program products
US10476787B1 (en) 2012-12-27 2019-11-12 Sitting Man, Llc Routing methods, systems, and computer program products
US10476788B1 (en) 2012-12-27 2019-11-12 Sitting Man, Llc Outside-scope identifier-equipped routing methods, systems, and computer program products
US9565160B2 (en) 2013-03-11 2017-02-07 Cisco Technology, Inc. Advertisement of adjacency segment identifiers
US9559954B2 (en) 2013-03-11 2017-01-31 Cisco Technology, Inc. Indexed segment ID
US10270664B2 (en) * 2013-03-15 2019-04-23 Cisco Technology, Inc. Segment routing over label distribution protocol
US10764146B2 (en) * 2013-03-15 2020-09-01 Cisco Technology, Inc. Segment routing over label distribution protocol
US9722878B2 (en) 2013-03-15 2017-08-01 Cisco Technology, Inc. Seamless segment routing
US10164838B2 (en) 2013-03-15 2018-12-25 Cisco Technology, Inc. Seamless segment routing
US10469325B2 (en) 2013-03-15 2019-11-05 Cisco Technology, Inc. Segment routing: PCE driven dynamic setup of forwarding adjacencies and explicit path
US11290340B2 (en) * 2013-03-15 2022-03-29 Cisco Technology, Inc. Segment routing over label distribution protocol
US20190222483A1 (en) * 2013-03-15 2019-07-18 Cisco Technology, Inc. Segment routing over label distribution protocol
US20140269721A1 (en) * 2013-03-15 2014-09-18 Cisco Technology, Inc. Segment routing over label distribution protocol
US11424987B2 (en) 2013-03-15 2022-08-23 Cisco Technology, Inc. Segment routing: PCE driven dynamic setup of forwarding adjacencies and explicit path
US11784889B2 (en) 2013-03-15 2023-10-10 Cisco Technology, Inc. Segment routing over label distribution protocol
US11689427B2 (en) * 2013-03-15 2023-06-27 Cisco Technology, Inc. Segment routing over label distribution protocol
US9979601B2 (en) 2013-03-15 2018-05-22 Cisco Technology, Inc. Encoding explicit paths as segment routing segment lists
US9749187B2 (en) 2013-03-15 2017-08-29 Cisco Technology, Inc. Segment routing into a label distribution protocol domain
US9571349B2 (en) 2013-03-15 2017-02-14 Cisco Technology, Inc. Segment routing: PCE driven dynamic setup of forwarding adjacencies and explicit path
US9450829B2 (en) 2013-03-15 2016-09-20 Cisco Technology, Inc. Seamless segment routing
US9369347B2 (en) 2013-03-15 2016-06-14 Cisco Technology, Inc. Service to node resolution
US9537769B2 (en) 2013-03-15 2017-01-03 Cisco Technology, Inc. Opportunistic compression of routing segment identifier stacks
US9485150B2 (en) 2013-03-15 2016-11-01 Cisco Technology, Inc. Fast reroute for segment routing traffic
US20220173976A1 (en) * 2013-03-15 2022-06-02 Cisco Technology, Inc. Segment routing over label distribution protocol
US9491058B2 (en) 2013-03-15 2016-11-08 Cisco Technology, Inc. Label distribution protocol over segment routing
US9537718B2 (en) * 2013-03-15 2017-01-03 Cisco Technology, Inc. Segment routing over label distribution protocol
US9319312B2 (en) 2013-05-17 2016-04-19 Cisco Technology, Inc. Segment routing mapping server for LDP/SR interoperability
US9769119B2 (en) 2013-12-31 2017-09-19 Fortinet, Inc. Examining and controlling IPv6 extension headers
US9300632B2 (en) * 2013-12-31 2016-03-29 Fortinet, Inc. Examining and controlling IPv6 extension headers
US9584478B2 (en) 2013-12-31 2017-02-28 Fortinet, Inc. Examining and controlling IPv6 extension headers
US20150188885A1 (en) * 2013-12-31 2015-07-02 Fortinet, Inc EXAMINING AND CONTROLLING IPv6 EXTENSION HEADERS
US10057213B2 (en) 2013-12-31 2018-08-21 Fortinet, Inc. Examining and controlling IPv6 extension headers
US11374863B2 (en) 2014-03-06 2022-06-28 Cisco Technology, Inc. Segment routing extension headers
US9762488B2 (en) 2014-03-06 2017-09-12 Cisco Technology, Inc. Segment routing extension headers
US11336574B2 (en) 2014-03-06 2022-05-17 Cisco Technology, Inc. Segment routing extension headers
US10063475B2 (en) 2014-03-06 2018-08-28 Cisco Technology, Inc. Segment routing extension headers
US10382334B2 (en) 2014-03-06 2019-08-13 Cisco Technology, Inc. Segment routing extension headers
US9401858B2 (en) 2014-06-30 2016-07-26 Cisco Technology, Inc. Loop avoidance during network convergence in switched networks
US10178022B2 (en) 2014-07-17 2019-01-08 Cisco Technology, Inc. Segment routing using a remote forwarding adjacency identifier
US10601707B2 (en) 2014-07-17 2020-03-24 Cisco Technology, Inc. Segment routing using a remote forwarding adjacency identifier
US9807001B2 (en) 2014-07-17 2017-10-31 Cisco Technology, Inc. Segment routing using a remote forwarding adjacency identifier
US10341222B2 (en) 2015-02-26 2019-07-02 Cisco Technology, Inc. Traffic engineering for bit indexed explicit replication
US10341221B2 (en) 2015-02-26 2019-07-02 Cisco Technology, Inc. Traffic engineering for bit indexed explicit replication
US10693765B2 (en) 2015-02-26 2020-06-23 Cisco Technology, Inc. Failure protection for traffic-engineered bit indexed explicit replication
US10958566B2 (en) 2015-02-26 2021-03-23 Cisco Technology, Inc. Traffic engineering for bit indexed explicit replication
US10122614B2 (en) 2015-02-26 2018-11-06 Cisco Technology, Inc. Failure protection for traffic-engineered bit indexed explicit replication
US20220329523A1 (en) * 2016-02-29 2022-10-13 Cisco Technology, Inc. System and method for dataplane-signaled packet capture in ipv6 environment
US11784928B2 (en) * 2016-02-29 2023-10-10 Cisco Technology, Inc. System and method for dataplane-signaled packet capture in IPv6 environment
US10263881B2 (en) 2016-05-26 2019-04-16 Cisco Technology, Inc. Enforcing strict shortest path forwarding using strict segment identifiers
US11323356B2 (en) 2016-05-26 2022-05-03 Cisco Technology, Inc. Enforcing strict shortest path forwarding using strict segment identifiers
US11671346B2 (en) 2016-05-26 2023-06-06 Cisco Technology, Inc. Enforcing strict shortest path forwarding using strict segment identifiers
US11489756B2 (en) 2016-05-26 2022-11-01 Cisco Technology, Inc. Enforcing strict shortest path forwarding using strict segment identifiers
US10742537B2 (en) 2016-05-26 2020-08-11 Cisco Technology, Inc. Enforcing strict shortest path forwarding using strict segment identifiers
US11032197B2 (en) 2016-09-15 2021-06-08 Cisco Technology, Inc. Reroute detection in segment routing data plane
JP2019062526A (en) * 2017-08-31 2019-04-18 コニカ ミノルタ ラボラトリー ユー.エス.エー.,インコーポレイテッド Method and system with application for IPV 6 extension header and destination option
JP7132028B2 (en) 2017-08-31 2022-09-06 コニカ ミノルタ ラボラトリー ユー.エス.エー.,インコーポレイテッド Method and system with application for IPV6 extension headers and destination options
US11582148B2 (en) * 2018-07-13 2023-02-14 Huawei Technologies Co., Ltd. MPLS extension headers for in-network services
US20210135986A1 (en) * 2018-07-13 2021-05-06 Huawei Technologies Co., Ltd. Mpls extension headers for in-network services
US11201820B2 (en) 2018-09-05 2021-12-14 Huawei Technologies Co., Ltd. Segment routing in MPLS network
US20220200893A1 (en) * 2019-09-11 2022-06-23 Huawei Technologies Co., Ltd. Data Transmission Control Method and Apparatus
US11722404B2 (en) 2019-09-24 2023-08-08 Cisco Technology, Inc. Communicating packets across multi-domain networks using compact forwarding instructions
US11855884B2 (en) 2019-09-24 2023-12-26 Cisco Technology, Inc. Communicating packets across multi-domain networks using compact forwarding instructions
US20220021648A1 (en) * 2020-07-16 2022-01-20 Twistlock, Ltd. Distributed identity-based firewall policy evaluation
US11838267B2 (en) * 2020-07-16 2023-12-05 Twistlock, Ltd. Distributed identity-based firewall policy evaluation
US20220303210A1 (en) * 2021-03-16 2022-09-22 Arris Enterprises Llc Preservation of priority traffic in communications systems
US20240129229A1 (en) * 2021-03-16 2024-04-18 Arris Enterprises Llc Preservation of priority traffic in communications systems

Also Published As

Publication number Publication date
US8824472B2 (en) 2014-09-02

Similar Documents

Publication Publication Date Title
US8824472B2 (en) Sanitizing packet headers
US11374863B2 (en) Segment routing extension headers
US8169910B1 (en) Network traffic analysis using a flow table
EP2944056B1 (en) Distributed traffic inspection in a telecommunications network
US8116213B2 (en) Tracing routes and protocols
US10270691B2 (en) System and method for dataplane-signaled packet capture in a segment routing environment
US10148459B2 (en) Network service insertion
US7953088B2 (en) Method and apparatus for packet classification and rewriting
US20090252161A1 (en) Method And Systems For Routing A Data Packet Based On Geospatial Information
US12095660B2 (en) Method for multi-segment flow specifications
US20190394059A1 (en) Bit index explicit replication (bier) penultimate hop popping
US20110026529A1 (en) Method And Apparatus For Option-based Marking Of A DHCP Packet
CN110932934B (en) A kind of network packet loss detection method and device
US9258213B2 (en) Detecting and mitigating forwarding loops in stateful network devices
CN110620730B (en) Bit indexed explicit copy (BIER) penultimate jump pop-up
US11838178B2 (en) System and method for managing a network device
WO2021240215A1 (en) Reordering and reframing packets
US9917764B2 (en) Selective network address storage within network device forwarding table
CN115442288B (en) SRv6 network data packet inspection method and device
US20240098020A1 (en) Transport of vpn traffic with reduced header information
CN113645207A (en) Method, system, device and storage medium for solving packet fragmentation attack based on VRF
CN118827450A (en) Method, device, equipment, medium and product for processing flow detection information
CN119052354A (en) Message processing method and related device thereof
EP4128667A1 (en) Distributed network flow record

Legal Events

Date Code Title Description
AS Assignment

Owner name: VERIZON PATENT AND LICENSING INC., NEW JERSEY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CARNEY, MARK D.;PACELLA, DANTE;SCHILLER, HAROLD J.;REEL/FRAME:024996/0154

Effective date: 20100915

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551)

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

OSZAR »