Internet protocol (IP) work group routing

Abstract

Apparatus and method wherein multiple router interfaces are assigned the same IP network address, creating an IP work group. This enhances host mobility by allowing, in one embodiment, a host to be relocated anywhere in the work group without requiring reconfiguration of the host. As a further option, host address ranges may be specified (i.e., locked) to designated interfaces of the work group, to enhance security by restricting the allowed host mobility within the work group. An additional advantage is a reduced consumption of network and subnet addresses, because now a single address is used for several physical networks.

Description

BACKGROUND OF THE INVENTION

[0002] The present invention relates generally to communications networks and more particularly to a method and apparatus for IP work group routing which provides host mobility, conserves on the assignment of IP subnet addresses, and adds security along with ease of use to network configuration.

[0003] The original IP addressing scheme assigned a unique 32-bit internet address to each physical network and required gateways to keep routing tables proportional to the number of networks in the internet. This scheme is acceptable for an internet with tens of networks and hundreds of hosts, but can not handle today's connected internet with tens of thousands of small networks of personal computers because: (1) immense administrative overhead is required merely to manage network addresses; (2) the routing tables and gateways are extremely large; and (3) the number of IP addresses available for assignment is dwindling. Thus, the problem was how to minimize the number of assigned network addresses without destroying the original addressing scheme. See C. D. Comer, “Internetworking With TCP/IP, Vol. 1, Principals, Protocols and Architecture,” Prentice Hall, Englewood Cliffs, N.J., 2nd ed., Chap. 16, pp. 265-280 (1991).

[0004] A prior art technique for allowing a single network address to span multiple physical networks, and now a required part of IP addressing, is “subnet addressing” or “subnetting.” This is illustrated by example in FIG. 1A (taken from Comer, p. 270), wherein a site uses a single class B network address 128.10.0.0 for two physical networks. Except for gateway G, all gateways in the internet route as if there were a single physical net. Once a packet reaches G, it must be sent across the correct physical network to its destination. In this case, the manager of the local site has chosen to use the third octet of the address to distinguish between the two physical networks. Thus, G examines the third octet of the destination address and routes datagrams with value 1 to the network labeled 128.10.1.0 and those with value 2 to the network labeled 128.10.2.0.

[0005] Adding subnets only changes the interpretation of IP addresses slightly, as illustrated in FIG. 1B. Instead of dividing the 32-bit IP address into a network prefix and a host suffix, subnetting divides the address into an internet portion and a local portion, where the internet portion identifies a site, and the local portion identifies a physical network and a host on that physical network.

[0006] Another change is that a site using subnet addressing must choose a 32-bit subnet mask for each network. Bits in the subnet mask are set to 1 if the network treats the corresponding bit in the IP address as part of the network address, and 0 if it treats the bit as part of the host identifier. It is recommended that sites use contiguous subnet masks (i.e., setting contiguous bits to 1) and that they use the same mask throughout an entire set of physical networks that share an IP address.

[0007] The standard IP routing algorithm is also modified to work with subnet addresses, known as “subnet routing.” The standard algorithm bases its decision on a table of routes, each table entry containing a pair of:

[0008] (network address, next hop address)

[0009] where the network address field specifies the IP address of the destination network, N, and the next hop address field specifies the address of a gateway to which datagrams destined for N should be sent. The standard routing algorithm compares the network portion of a destination address to the network address field of each entry in the routing table until a match is found. Because the next hop address field is constrained to specify a machine that is reachable over a directly connected network, only one table look-up is needed.

[0010] The modified algorithm for subnet routing maintains one additional field in each table entry that specifies the subnet mask for use with that entry:

[0011] (subnet mask, network address, next hop address)

[0012] When choosing routes, the modified algorithm performs a bit-wise Boolean “AND” of the full 32-bit destination IP address and the subnet mask, and then checks to see if the result equals the value in the network address field. If so, it routes the datagram to the address specified in the next hop address field. If the IP address of the destination network (extracted from the datagram) matches a directly connected network address, the destination IP address from the datagram is resolved to a physical address, the datagram is encapsulated, and the frame sent out on the destination network to the destination host.

[0013] With ever increasing numbers of subnets, it would be desirable if further methods were available to conserve on subnet addresses. One potential method for doing this would be to put a bridge on a single router interface to bridge multiple LAN segments; however, this involves the added cost of a bridge and loses the protection of router “fire walls”, which administrators set to filter out packets based on destination addresses. Another potential method would be to increase the granularity of subnets by taking more bits from the host portion of the IP address for the subnet mask; however, this approach is very difficult for the network administrator to maintain as the network configuration evolves. Thus, neither of these potential methods offers a satisfactory solution.

[0014] It is an object of the present invention to accomplish one or more of: increased host mobility; further conserve on the assignment of network addresses; simplify the configuration of subnets; and provide an enhanced level of security.

SUMMARY OF THE INVENTION

[0015] The present invention is a method and apparatus for routing datagrams from a source node to a destination node in an IP communications network, the network including routers having multiple router interfaces connecting multiple physical networks. The method includes the step of assigning multiple router interfaces to a same IP work group address. This enhances host mobility by allowing, in one embodiment, a host to be relocated anywhere in the work group without requiring reconfiguration of the host. The method further includes the option of specifying (i.e., limiting or locking) host address ranges to designated interfaces of the work group. This step enhances security by restricting the allowed host mobility within the work group. The method further includes the optional step of filtering (i.e., dropping) the datagram if at least one of the source and destination hosts does not reside on the designated interface of the IP work group.

[0016] In the prior art, each router interface would have a unique IP address; in the present invention, multiple interfaces are assigned the same IP address. The hosts and physical networks connected to the designated multiple interfaces are referred to as a “work group”. There are several advantages to this arrangement.

[0017] First, there is the advantage of host mobility within the work group. A designated host may be valid if physically located on any one of the several interfaces in the work group. Another advantage is a reduced consumption of network and subnet addresses, because now a single address is used for several physical networks. As a result, the administrative burden of servicing physical networks with several addresses is reduced.

[0018] Another advantage is that it enables a network administrator to configure a network such that host addresses are allocated in blocks mirroring the physical structure of the network. For example, the administrator might allocate a contiguous block of addresses to each physical network. By providing a block or range of addresses, room is provided for future growth. In addition, one can secure the operational behavior of the network along the same lines as the configuration.

[0019] Security is optionally enhanced by only allowing transmission of datagrams to or from hosts with certain addresses. By locking IP (network layer) and MAC (physical layer) addresses, no one (other than the network administrator) can reconfigure an IP address to another MAC address. As a result, unauthorized computers which connect to a network will not be able to transmit datagrams into or out of the work group.

[0020] For example, in one embodiment a level of security is assigned to each IP work group by identifying the hosts within the group as “free”, i.e., permitting forwarding to/from any interface, or “secured”, i.e., permitting forwarding to/from only if the host resides on a designated interface. Hosts may be secured by range or singly; in the latter case the host's physical address may also be secured.

[0021] Another feature of this invention which speeds the forwarding procedure is referred to as “FastPath”. If a datagram's source and destination addresses are both within the same work group, then header and address validation may be skipped.

[0022] These and other benefits and features of the present invention will be more particularly described with respect to the following detailed description and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0023] FIG. 1A is a schematic illustration of a gateway G connecting two physical networks to the rest of the internet, and illustrating the prior art IP subnet addressing scheme.

[0024] FIG. 1B illustrates, in the top portion, the original IP addressing scheme in which a 32-bit class B IP address is considered to have a 2-octet internet portion and a 2-octet local portion; in the bottom portion, a modified IP subnet addressing scheme is illustrated in which a 2-octet internet part identifies a site, and a 2-octet local part is divided into two parts, one part identifying a physical network (subnet) and a second part identifying a host on that subnet.

[0025] FIG. 2 is a schematic illustration of a router, with multiple interfaces connected to different physical networks and another interface connected to the rest of the internet.

[0026] FIG. 3 illustrates a Definition table according to one embodiment of the invention.

[0027] FIG. 4 illustrates an Interface table according to one embodiment of the invention.

[0028] FIG. 5 illustrates a Range table according to one embodiment of the invention.

[0029] FIG. 6 illustrates a Host table according to one embodiment of the invention.

[0030] FIG. 7 illustrates service and forwarding methods of distributed autonomous forwarding engines.

[0031] FIGS. 8 a -8g are a series of flow diagrams illustrating the forwarding of data packets in accordance with one embodiment of the invention.

[0032] FIG. 9 shows a general purpose computer and memory for implementing the invention.

DETAILED DESCRIPTION

[0033] The following definitions are useful in understanding the present invention (taken from D. Comer, pp. 477-511):

[0034] ARP: (Address Resolution Protocol) The TCP/IP protocol used to dynamically bind a high level IP address to a low-level physical hardware address. ARP is only across a single physical network and is limited to networks that support hardware broadcast.

[0035] directed broadcast address: An IP address that specifies “all hosts” on a specific network. A single copy of a directed broadcast is routed to the specified network where it is broadcast to all machines on that network.

[0036] gateway: A special purpose, dedicated computer that attaches to two or more networks and routes packets from one to the other. In particular, an IP gateway routes IP datagrams among the networks to which it connects. Gateways route packets to other gateways until they can be delivered to the final destination directly on one physical network. The term is loosely applied to any machine that transfers information from one network to another, as in mail gateway. Although the original literature used the term gateway, vendors often call them IP routers.

[0037] Host: Any (end-user) computer system that connects to a network. Hosts range in size from personal computers to supercomputers. Also see gateway.

[0038] ICMP: (Internet Control Message Protocol) An integral part of the Internet Protocol that handles error and control messages. Specifically, gateways and hosts use ICMP to send reports of problems about datagrams back to the original source that sent the datagram. ICMP also includes an echo request/reply used to test whether a destination is reachable and responding.

[0039] Internet: Physically, a collection of packet switching networks interconnected by gateways along with protocols that allow them to function logically as a single, large, virtual network. When written in upper case, Internet refers specifically to the connected Internet and the TCP/IP protocols it uses.

[0040] Internet: The collection of networks and gateways, including the MILNET and NSFNET, that use the TCP/IP protocol suite and function as a single, cooperative virtual network. The Internet provides universal connectivity and three levels of network services; unreliable, connectionless packet delivery; reliable, full duplex stream delivery; and application level services like electronic mail that build on the first two. The Internet reaches many universities, government research labs, and military installations and over a dozen countries.

[0041] IP: (Internet Protocol) The TCP/IP standard protocol that defines the IP datagram as the unit of information passed across an internet and provides the basis for connectionless, best-effort packet delivery service. IP includes the ICMP control and error message protocol as an integral part. The entire protocol suite is often referred to as TCP/IP because TCP and IP are the two most fundamental protocols.

[0042] IP address: The 32-bit address assigned to hosts that want to participate in a TCP/IP internet. IP addresses are the abstraction of physical networks. Actually assigned to the interconnection of a host to a physical network, an IP address consists of a network portion and a host portion. The partition makes routing efficient.

[0043] IP datagram: The basic unit of information passed across a TCP/IP internet. An IP datagram is to an internet as a hardware packet is to a physical network. It contains a source and destination address along with data.

[0044] MIB: (Management Information Base) The set of variables (database) that a gateway running CMOT or SNMP maintains. Managers can fetch or store into these variables. MIB-II refers to an industry-standard extended management database that contains variables common to the configuration of network devices.

[0045] packet: The unit of data sent across a packet switching network. The term is used loosely. While some TCP/IP literature uses it to refer specifically to data sent across a physical network, other literature views an entire TCP/IP internet as a packet switching network and describes IP datagrams as packets.

[0046] proxy ARP: The technique in which one machine, usually a gateway, answers ARP requests intended for another by supplying its own physical address. By pretending to be another machine, the gateway accepts responsibility for routing packets to it.

[0047] route: In general, a route is the path that network traffic takes from its source to its destination. In a TCP/IP internet, each IP datagram is routed separately; the route a datagram follows may include many gateways and many physical networks.

[0048] router: Generally, any machine responsible for making decisions about which of several paths network traffic will follow based on a network level address. When used with TCP/IP, the term refers specifically to an IP gateway that routes datagrams using IP destination addresses. In a TCP/IP internet, each IP gateway is a router because it uses IP destination addresses to choose routes.

[0049] SNMP: (Simple Network Monitoring Protocol) A standard protocol used to monitor IP gateways and the networks to which they attach. SNMP defines a set of variables that the gateway must keep and specifies that all operations on the gateway are a side-effect of fetching or storing to the data variables. Also see MIB.

[0050] subnet address: An extension of the IP addressing scheme that allows a site to use a single IP network address for multiple physical networks. Outside of the site using subnet addressing, routing continues as usual by dividing the destination address into a network portion and local portion. Gateways and hosts inside a site use subnet addressing to interpret the local portion of the address by dividing it into a physical network portion and host portion.

[0051] FIG. 2 illustrates a multi-interface router 11 for connecting several physical networks to an IP internet The router 11 includes multiple interfaces 12A, 12B, each of which connects to a physical network 13A, 13B including one or more hosts 14. The router further includes an interface 15 which connects to the rest of the internet 16.

[0052] In the prior art, each of the interfaces 12 would have a unique IP address; in the present invention, both interfaces 12 are assigned the same IP address. The hosts 14 and networks 13 connected to both interfaces 12 are referred to as a “work group”.

Work Group Tables

[0053] An IP work group contains the managed objects used to set up and configure the IP router interfaces (ports) into associations known as work groups. Each work group is a subnet with one address and security level shared by the associated interfaces.

[0054] In a specific embodiment described herein, the configuration of IP work groups is done through four tables: Definition, Interface, Range, and Host. The first three are configuration tables and the fourth is a read-only status table. Each configuration table's key begins with “ID”, the work group identifier. These tables are implemented as AVL binary trees; a tree does not have a predefined size and may grow freely. Prior art management routines are used to allow network management to set entries and retrieve them from the tables in serial order in support of the Simple Network Management Protocol (SNMP).

[0055] The four tables provide the following functions, described in more detail below:

[0056] Definition table 30 (FIG. 3): each entry defines a work group and assigns each work group a Host Address 32 and Subnet Mask 33 and a Security level.

[0057] Interface table 40 (FIG. 4): each entry associates an interface (defined by IfIndex 42) to a work group.

[0058] Range table 50 (FIG. 5): each entry locks a range of host addresses (BegAddress 52 to EndAd dress 53) to an interface of a work group.

[0059] Host table 60 (FIG. 6): each entry lists the active (i.e., discovered) hosts (Host Address 61) along with their associated interface and physical address.

[0060] Referring to FIG. 3, the Definition table 30 includes an ID field 31 which identifies by an integer a separate work group in each row. For a given row, the work group is assigned a Host Address (field 32) and a Subnet Mask (field 33) which together (logical AND) define the subnet (IP subnet address) for a given work group, e.g., for work group “1”, the subnet is 134.141.40.0.

[0061] The Security field 34 sets the level of security for the work group. Security means the filtering of packet forwarding through the Range table 50 (FIG. 5). Hosts may be secured by range or singly. Four levels of security are provided:

[0062] none—all hosts are free and the range table is not consulted in packet forwarding;

[0063] low—host may be free or secured in the range table;

[0064] medium—host must be secured, by range or singly;

[0065] high—host must be secured singly, with physical address also configured.

[0066] The FastPath field 35 designates whether this service is enabled or disabled. If enabled, it speeds up the forwarding of packets within a work group (i.e., both source and destination in the same work group) by skipping IP header and address validation. If disabled, IP header and address validation are performed.

[0067] The RowStatus field 36 is defined in the context of the SNMPv2 textual convention. The three readable states are:

[0068] active—work group entry is active and usable by the router;

[0069] notinservice—entry is fully defined but administratively inactive;

[0070] notready—entry is not yet fully defined (e.g., workgroup “5” still requires a mask).

[0071] A work group not in the Definition table, or in the Definition table but with a RowStatus marked “notready,” cannot be used as a key in creating entries in the Interface and Range tables.

[0072] RowStatus is a status object used to administrate conceptual rows in the work group tables defined above (FIGS. 3-6). It is an integer used here in an SNMPv1 MIB, but intended to have the same semantics as the RowStatus textual convention for SNMPv2.

[0073] RowStatus is used to manage the creation and deletion of conceptual rows, and has six defined values:

[0074] active—usable by the managed device;

[0075] notInService—unusable, row information complete;

[0076] notReady—unusable, row information incomplete;

[0077] createAndGo—set to create a row in active status;

[0078] createAndWait—set to create a row in either notReady or notInService status;

[0079] destroy—set to delete existing row.

[0080] The first three values are states which may be retrieved by a management protocol get operation. The last three values are actions—they may be written, but not read. All values except “notReady” may be specified in a set operation. For example, to temporarily disable a row, set status to “notInService” and reactivate it later by a set to “active”. The agent alone determines “notReady” status. If a row was created by a set of “createAndWait” and the agent has enough row information from instance and default values to complete the row, this status will be set to “notInService”, or else to “notReady”.

[0081] The OperStatus field 37 defines the operational status of a work group definition entry. The four states are:

[0082] ok—operational work group;

[0083] disabled—row status is not active;

[0084] subnetConflict—conflict with IP address of another interface (existing active entry in this work group definition table);

[0085] internalError—system problem, e.g., out of memory.

[0086] The NumActiveInt field 38 records the number of interfaces (ports) in this work group which have an operational status of “OK” in the interface table (FIG. 4).

[0087] The NumTotalInt field 39 records the number of interfaces in this work group.

[0088] FIG. 4 shows the Interface table 40. An interface must be configured in the Interface table before before it can be entered into the work group. An interface entry is keyed by ID and IfIndex.

[0089] The ID field 41 identifies the work group, e.g., FIG. 4 shows 2 workgroups: “1” and “43”.

[0090] The IfIndex field 42 identifies the router interface by number; these numbers are defined in accordance with the MIB-II interfaces group.

[0091] The NumActiveHosts field 43 (read only), identifies the number of hosts recently active on the interface, e.g., averaging over the cache age out interval.

[0092] The NumKnownHosts field 44 identifies the number of hosts seen on the interface since the last reboot.

[0093] The RowStatus field 45 is defined in accordance with the SNMPv2 textual convention defined above.

[0094] The OperStatus field 46 defines the operational status of this interface (port) entry. The seven states are:

[0095] ok—entry is operational

[0096] disabled—this entry's row status is not active;

[0097] workgroupInvalid—either there is no work group defined for this entry or the operational status of the work group in the definition table is not OK;

[0098] addressConflict—there is a conflict of the work group address with an address configured in the IP address table;

[0099] resetRequired—no conflict, this entry's row status has just been activated, and a reset of the router is required to be operationally OK;

[0100] linkDown—no physical connections on this interface;

[0101] routingDown—routing or forwarding has been administratively disabled

[0102] internalError—unspecified internal problems.

[0103] FIG. 5 illustrates the Range table. The Range table 50 configures host IP address ranges, assigning them to an existing interface for a designated work group. A range entry is keyed by ID 51, BegAddress 52, EndAddress 53 and IfIndex 54.

[0104] Entries in the same work group (ID) may not have overlapping host address ranges, but may have duplicate ranges if for different interfaces (e.g., see the first two entries in table 50 with same address range). BegAddress and EndAddress define the beginning and end of the address range, respectively. BegAddress and EndAddress may be the same, so that a range comprises a single host. Single host entries allow for a physical address to be configured in the PhysAddr field 55. In a “high” security work group, such as work group “43”, all entries must be single hosts and must have the physical address configured as well to be valid.

[0105] More specifically, the address range must lie within the subnet defined for a given work group and thus the entry acquires the security level of that work group. If security is violated, packets to and from a given host IP address will be filtered out by the router. The source and destination IP packet addresses are checked against ranges in the Range table during packet forwarding and must match as follows:

[0106] For a high security workgroup, a host must match a single host range entry—it must reside on the port with the physical address as configured in that entry. For a medium security workgroup, a host must match a range entry in that it resides on that port, but unless a physical address is also specified in that entry, the physical address is not constrained.

[0107] For a low security workgroup, a host is free to reside on any port with any physical address as long as its IP address does not lie within the range of any entry in the range table, but if it does fall in a range then it must completely match that entry, or another entry with the duplicate range. Match completely means match the port and, if a physical address is specified, match that as well. The RowStatus field 56 is defined the same as in the Interface table. The OperStitus field 57 defines the operational status of this range table entry.

[0108] The following states apply:

[0109] ok—entry is operational

[0110] disabled—this entry's row status is not active;

[0111] workgroupInvalid—no work group or the operational status for the work group in the Definition table is not OK;

[0112] interfaceInvalid—interface is not in the Interface table or operational status of interface entry is not OK;

[0113] physAddrRequired—security level of associated work group is high and no physical address has been specified;

[0114] internalError—system problem

[0115] FIG. 6 illustrates the Host table. The Host table 60 is read only, and is similar to the MIBII Net-to-Media Table, except there are no static entries.

[0116] The entries in the Host table are not configured; rather, they are learned and show only hosts active on the network. Each entry is keyed by HostAddress 61 and IfIndex 62, which may be helpful if the network is misconfigured. For example, if two hosts on different interfaces are assigned the same IP address, both entries would show and the problem could then be corrected.

[0117] The HostAddress field 62 identifies the IP address of the host. The IfIndex field 63 defines the interface number. The ID field 63 identifies the work group by integer. The PhysAddr field 64 identifies the physical MAC address of the host.

[0118] The HostStatus field 65 may have one of the following states:

[0119] other, unknown,

[0120] or valid—the entry is valid for forwarding; the host may be unknown if ARP has not discovered on which interface it resides;

[0121] invalid-multiple—the same host IP address was later found duplicated on another interface;

[0122] invalid-physAddr—the host matched an entry in the Range table with respect to range and interface, but did not match that entry for physical address; if the work group is high security, this status would result if no physical address was given in the range entry;

[0123] invalid-range—in a high or medium security work group, the host was not in the range of any entry in the Range table, or it was not in the range of an entry with a matching interface;

[0124] invalid-interface—the interface was physically down or not in service in the Interface table;

[0125] invalid-workgroup—the work group does not exist or is not in service in the Definition table;

[0126] invalid-expired—the host became inactive and aged out on the interface on which it was learned.

Forwarding Mechanism

[0127] FIG. 7 illustrates a distributed router architecture for forwarding unicast IP packets across router interfaces. It places an IP FAS (forwarding service) agent, on each interface, rather than having a single centralized forwarding agent. The distributed FAS agent architecture utilized in the present embodiment is more fully described in copending and commonly owned U.S. Pat. No. 08/216,541 entitled “Distributed Autonomous Object Architecture For Network Layer Routing,” filed Mar. 22, 1994 by Kurt Dobbins et al., which is hereby incorporated by reference in its entirety. The distributed object architecture of that application, which is implemented in an object-oriented programming language such as C++, defines all of the router's functional aspects in a common protocol-independent framework which is inherited by every protocol-specific object upon instantiation. In object-oriented programming, the data and methods are united into objects, each of which represents an instance of some class, and which classes are members of a hierarchy of classes united via inheritance relationships.

[0128] As illustrated in FIG. 7, each router interface 111, 114, 117 has a forwarding engine 112, 115, 118 sitting on it, and each forwarding engine knows how to receive and transmit packets on its own interface. Each forwarding engine accesses a common forwarding table (FIB) 120. The host interface 117 is treated as an internal interface with a destination address for “local” delivery into the host CPU.

[0129] Each forwarding engine has its own data portion 113, 116, 119 that is specific to itself, e.g., interface and media information, address resolution tables, configuration information, etc. However, the method portion 112, 115 and 118 of each engine is common and is shared by all similar engines. The specific goal of each forwarding engine is to provide for the reception, processing and forwarding of network layer packets. At a very high level, all forwarding engines perform the same basic tasks regardless of protocol or media.

[0130] The operation of the forwarding engine will now be described with regard to FIG. 7. When an IP packet arrives, physically addressed to router interface-1, it is delivered to that FAS's service routine. The service routine validates the IP header and IP addresses, filters against any access list, and then looks up the destination address in the forwarding information base (FIB) to find a route. A route gives: (a) the outgoing interface; (b) the outgoing FAS, and if the destination is not directly connected to that interface; (c) the next hop router. If there is a valid route the service routine passes the packet to the forward routine of the outgoing FAS.

[0131] The forward routine of the outgoing FAS filters against its access list if any, and then tries to resolve the destination IP address or next hop to a physical address suitable for framing by looking in the ARP (address resolution protocol) cache associated with that interface. If the address is resolved the packet is transmitted to that physical address. Otherwise, the packet is deferred on an ARP entry queue and ARP tries to resolve the address through protocol request. If resolved, the deferred packet is dequeued and transmitted by the FAS.

[0132] A cache of packet forwarding history is kept by each FAS, keyed by destination and source IP addresses. Address validation, access control filtering and look-up of next hop check the cache first, and if an entry is found there, the method is quick. If at any stage an error occurs in forwarding, the packet is dropped and an ICMP control message is sent back to the source.

[0133] Work group routing in accordance with the present invention extends the previously defined forwarding procedure for unicast packet forwarding and for limited broadcast packet forwarding. The existing procedure is sufficient for subnet broadcast and multicast packets.

[0134] First of all, proxy ARP is activated for all work group interfaces. Snooping, if activated in the enterprise MIB, is a function by which the interface will monitor ARP communication on its physical network, in order to determine IP addresses and physical addresses of hosts. With snooping active, the router is able to load the work group active Host table (FIG. 6) more quickly.

[0135] If a packet's source and destination addresses are both within a single work group, and if FastPath is s elected in the Definition table for that work group, then header and address validation may be skipped. This speeds up packet forwarding.

[0136] FIB lookup is extended when a work group is implemented. All interfaces of a work group are represented in the FIB by a single route. If this is the route chosen when a packet is looked up in the FIB, the packet is delivered to a special work group FAS which consults the Host table. If a valid entry exists for that destination in the Host table, the packet is passed to the interface FAS given by that entry.

[0137] There is a work group FAS created for each work group, which performs relay functions. If a packet arrives at the work group FAS for a host address unknown to the Host table, it creates a temporary, hidden entry in the Host table. The packet is deferred on a queue held with that Host table entry. ARP requests are flooded out to each work group interface in the Interface table, in order to locate the physical address of the destination host.

[0138] If ARP requests are resolved, a visible entry with the resolved interface number and physical address is put in the Host table, the hidden entry is removed, and the deferred packet is dequeued and passed to the forward routine of the respective interface FAS to be transmitted. Future packets with the same source and destination IP addresses are handled by the FAS forwarding history caches on the normal forwarding path.

[0139] A more detailed flow chart of the forwarding method is illustrated in FIGS. 8a-8g and will now be described.

Reference FIG. 8a

[0140] Interface-1 and interface-2 are both configured as belonging to a valid work group in the Definition table 30 and are operationally active in the Interface table 40. The WG Cache 215 is part of the Host Table 60.

[0141] Source host 201 on interface-1 wants to send an IP packet to destination host 202 on interface-2. Both hosts belong to the same work group subnet, but the IP packet cannot be sent directly because host 201 does not know the physical address of host 202. Host 201 therefore initiates an ARP Request attempting to resolve the IP address of host 202 to a physical address. This request is not received by host 202 because it is on a different physical network link. It is received by router 11 however, because ARP Requests are broadcast on a link.

[0142] ARP-FAS-1206 receives the ARP request on interface-1 and checks with WG cache 215 to determine the status of the destination. Since the destination host 202 is unknown, WG FAS 214 is called to initiate a flood of ARP requests out all interfaces in this work group.

[0143] Reference FIG. 8b

[0144] The destination host 202, receiving an ARP Request for its physical address, responds with an ARP Reply to the request source, i.e. the router 11. The router receives the Reply via interface-2 driver 204, stores the physical address in the ARP Cache 212, and passes the interface number and physical address to WG Cache 215. The WG Cache validates the information against user-configured entries in the Range table 216 and sets the status (valid or invalid) for the destination host accordingly. This status in the WG Cache entry is visible through the Host table.

Reference FIG. 8c

[0145] Since ARP requests are tried multiple times according to the standard implementation of the ARP protocol, the source host 201 sends a second ARP Request for destination 202. This time, when ARP FAS-1206 checks with the WG Cache 215 for the destination host, it finds the host is valid on interface-2. ARP-FAS-1 then does a proxy ARP Reply to source host 201 pretending to be destination host 202.

Reference FIG. 8d

[0146] Host 201 having received the ARP Reply, sends the IP packet to the physical address of the router. Interface-1 driver 203 gives the packet to IP FAS-1205 which attempts to forward the packet. First it checks IP Cache-1209 for a next hop FAS, but the destination is unknown in this cache so this cache checks with the FIB 213. The FIB holds a route to the WG FAS for the work group subnet, so this information is returned through the cache to IP FAS-1 which forwards the packet to the WG FAS 214.

[0147] WG FAS 214 consults the WG Cache 215, finds that the destination host 202 is valid on interface-2 and passes the packet over to IP FAS-2207. It also updates the IP Cache-1209 with the information so that future IP packets from host 201 to host 202 can go directly to IP FAS-2. IP FAS-2207 finally sends the packet out through interface-2 driver 204 to host 202.

Reference FIG. 8e

[0148] Source host 201 continues to send IP packets to destination host 202. Because of the entry in IP Cache-1209, these packets are directly forwarded to IP FAS-2207.

Reference FIG. 8f

[0149] Eventually the entry in the IP Cache-1209 ages out. Now these packets force IP FAS-1205 to consult the FIB 213 and forward them instead to the WG FAS 214. The WG FAS tries to find the host in the WG Cache 215. In the case of the WG Cache entry having aged out, the packets are deferred in the WG Cache while the WG FAS again floods out ARP requests on all interfaces in the workgroup. (FIG. 8d previously described the case of the entry still being in the WG Cache.)

Reference FIG. 8g

[0150] An ARP Reply is finally received from host 202 and the WG Cache entry is relearned, the WG Cache 215 validates the host status with the Range Table 216, and since the host 202 is valid on interface 2, the WG Cache 215 forwards the deferred packets through IP FAS-2207.

[0151] Pseudo code of several routines for implementing this embodiment is set forth below:

[0152] _ _ _ _ _ _

[0153] SERVICE routine of receiving interface FAS

[0154] if (Work Group FAS and FASTPATH):

[0155] skip IP header validation; else:

[0156] check version, length, check sum and time to live IP header fields;

[0157] check for martian addresses;

[0158] do Access List Control filter check;

[0159] lookup next hop in FAS cache;

[0160] returns next IP address and next FAS

[0161] FAS cache is loaded from FIB upon cache miss call FORWARD routine of next FAS

[0162] this could be in Work Group FAS or an Interface FAS.

[0163] FORWARD routine of Work Group FAS

[0164] call find host to lookup in Work Group Cache of Host Table;

[0165] if (INVALID):

[0166] consume IP packet;

[0167] if (VALID):

[0168] update FAS cache on receiving interface for next hop Interface FAS;

[0169] call FORWARD routine of next hop Interface FAS;

[0170] if (UNKNOWN):

[0171] packet was deferred in host cache

[0172] flood ARP requests out all interfaces in this Work Group

[0173] for (each interface in this work group) call ARPPRIME.

[0174] FORWARD routine of forwarding Interface FAS

[0175] do Access List Control filter check;

[0176] call ARPRESOLVE to map IP to physical address, pass in packet;

[0177] if (NOT DEFERRED):

[0178] send out IP packet done.

[0179] for Work Group, proxy ARP and snooping enabled;

[0180] for non Work Group, proxy and snooping are MIB settable.

[0181] SERVICE routine of receiving interface ARP FAS

[0182] if (snooping or

[0183] packet is addressed to one of the router's IP addresses or proxy is enabled and the PROXY TEST returns OK):

[0184] call ARPSET routine to cache source host from packet;

[0185] if (REQUEST packet addressed to Router or proxy OK):

[0186] send arp REPLY to source address in packet done.

[0187] PROXY TEST routine of interface ARP Agent

[0188] if (not Work Group interface):

[0189] if (FIB has a route with next hop not on subnet of receiving interface):

[0190] return proxy OK;

[0191] else: return proxy NOTOK;

[0192] if (Work Group interface):

[0193] call FIND HOST in Work Group Cache;

[0194] if (INVALID) or host found on receiving interface):

[0195] return proxy NOTOK;

[0196] if (VALID on different interface) return proxy OK.

[0197] if (UNKNOWN) call ARPPRIME on every interface in this work group and return proxy NOTOK

[0198] ARPSET routine in interface ARP Cache:

[0199] lookup entry in arp cache with packet's source IP;

[0200] cache the new physical address from source field in received packet;

[0201] if (arp entry was WAITING):

[0202] send out deferred IP packets;

[0203] if (Work Group Interface):

[0204] call LEARN HOST, pass configuration;

[0205] will cache source host from the ARP packet return

[0206] ARPPRIME routine in interface ARP Cache:

[0207] lookup entry in arp cache with packet's source IP;

[0208] if (not found): set as new entry;

[0209] if (not already on retry queue):

[0210] put on retry queue;

[0211] will retry ARP REQUESTs

[0212] broadcast out arp REQUEST on interface;

[0213] set arp entry status WAITING. return

[0214] ARPRESOLVE routine in interface ARP Cache:

[0215] ARP cache s loaded by ARP protocol or static management via MIBII Net-to-Media Table.

[0216] lookup host IP address in arp cache;

[0217] if (not found):

[0218] set as new entry with status WAITING;

[0219] if (WAITING):

[0220] defer packet on arp entry packet queue;

[0221] if (not already on retry queue):

[0222] put on retry queue;

[0223] broadcast out arp REQUEST on interface;

[0224] return DEFERRED;

[0225] if (RESOLVED):

[0226] return OK, and physical address.

[0227] FIND HOST routine of Work Group Cache:

[0228] Configuration =interface and physical address.

[0229] Host entries in cache having Range Status field with values:

[0230] VALID—host matches configuration in Range Table or not in Range Table but not High Security Work Group.

[0231] INVALID—host violates configuration in Range Table or not in Range Table and High Security Work Group.

[0232] NOT SET—host configuration not yet resolved by arp or host aged out on age queue.

[0233] lookup host entry in Work Group Cache of Host Table;

[0234] if (not found):

[0235] set new entry for host IP address in cache;

[0236] set entry's Range Status to NOT SET;

[0237] check host entry's Range Status;

[0238] if (INVALID):

[0239] tell source (via ICMP) that packet was administratively filtered;

[0240] return INVALID;

[0241] if (VALID):

[0242] return VALID and host interface FAS;

[0243] if (NOT SET):

[0244] defer IP packet on packet queue of host entry;

[0245] return UNKNOWN.

[0246] LEARN HOST routine in Work Group Cache:

[0247] Configuration, interface and physical address, is passed in lookup host entry in Work Group Cache of Host Table.

[0248] if (not in cache):

[0249] create new entry;

[0250] if (packet configuration not equal to host entry configuration):

[0251] set new con figuration in entry;

[0252] call VALIDATE HOST in Range Table to get Range Status;

[0253] if (VALID): send deferred packets to source address;

[0254] if (INVALID): flush deferred packets;

[0255] set host entry status to Range Status from Range Table;

[0256] set host entry age queue status to YOUNG.

[0257] Cache entries age with a keepalive attempt,

[0258] age out in less than 10 minutes if not active) return

[0259] VALIDATE HOST routine in Range Table

[0260] lookup host in Range Table;

[0261] if (host not in Range Table):

[0262] return INVALID if High Security Work Group, else return VALID;

[0263] if (host found in Range Table):

[0264] compare range entry configuration to packet configuration;

[0265] if (configuration matches): return VALID;

[0266] else return INVALID.

[0267] _ _ _ _ _ _

[0268] The above embodiments may be implemented in a general purpose computer 70 as shown in FIG. 9. This general purpose computer may include a Computer Processing Unit (CPU) 71, memory 72, a processing bus 73 by which the CPU can access the memory, and interface 74 to the rest of the router. Alternatively, the invention may be a memory 72, such as a floppy disk, compact disk, or hard drive, that contains a computer program or data structure, for providing to a general purpose computer instructions and data for carrying out the functions of the previous embodiments.

[0269] Having thus described a particular embodiment of the invention, various modifications will readily occur to those skilled in the art which are intended to be within the scope of this invention. Accordingly, the foregoing description is by way of example only, and not intended to be limiting.

Claims

1. A method of routing datagrams from a source to a destination in an IP communications network including routers having multiple router interfaces connecting multiple physical networks, wherein the routers forward IP datagrams based upon IP addresses, the method comprising the steps of: defining an IP work group by assigning multiple router interfaces to a same IP work group address; and forwarding IP datagrams through the routers based on the IP work group address.

2. The method of claim 1 further comprising: specifying IP host address ranges for different router interfaces; and filtering IP datagrams based on the host address ranges.

3. The method of claim 1, wherein if an IP datagram contains source and destination host addresses within the same IP work group, forwarding the datagram without performing header and address validation.

4. The method of claim 1, further including configuring a forwarding information base (FIB) with a route for the IP work group.

5. The method of claim 1, further comprising assigning a security level to the IP work group by identifying hosts within the group as “free” in order to permit forwarding to/from any interface, or “secured” in order to permit forwarding to/from a designated interface.

6. The method of claim 5, wherein four levels of security are provided: in a “low” security work group, a host with any physical address is free to reside on any interface as long as its IP address does not lie within specified host address ranges, but if it does fall in any one of the ranges then it must reside on a designated interface for that one range; in a “medium” security work group, a host's IP address must fall within a specified host address range for a designated interface, but unless a physical address is also specified, the physical address is not constrained; in a “high” security work group, a host must have a specified host IP address for a designated interlace and have a designated physical address; and in a “none” security work group, all hosts are free.

7. The method of claim 6, wherein a range table is maintained with the specified host address ranges and their designated interfaces.

8. A method of providing security in an IP communications network include routers having multiple router interfaces connecting multiple physical networks, wherein the routers forward IP datagrams based on IP addresses, the method comprising the steps of: defining an IP work group by specifying IP host address ranges for different router interfaces; and filtering IP datagrams based on the host address ranges.

9. The method of claim 8, wherein the defining step includes specifying an IP host address range for a single physical address.

10. The method of claim 8, wherein the defining step includes specifying multiple host address ranges which include the same IP host address to different router interfaces.

11. A method of increasing host mobility in an IP communications network including multiple physical networks connected by routers having multiple router interfaces, wherein the routers forward IP datagrams based upon IP addresses, the method comprising the steps of: defining an IP work group by assigning multiple router interfaces to a same IP work group address and forwarding IP datagrams based on the IP work group address, and wherein a host is attachable to any interface in the IP work group without requiring reconfiguration of the host IP address.

12. The method of claim 11, including maintaining a host table of IP host addresses and their associated interfaces.

13. The method of claim 12, further comprising reviewing the host table for duplicate IP host addresses and associated interfaces.

14. The method of claim 11, further comprising maintaining a count of known interfaces within the work group.

15. The method of claim 11, further comprising monitoring the hosts heard on each interface and maintaining a host table of IP host addresses and associated interfaces on which each host is heard.

16. The method of claim 11, wherein the host table is maintained as a cache memory accessible by each router interface.

17. The method of claim 11, further comprising: providing a work group forwarding agent for each work group.

18. The method of claim 17, further comprising: maintaining a host table of IP host addresses and their associated interfaces; and wherein the work group forwarding agent, prior to forwarding a datagram, accesses the host table for the associated interface.

19. The method of claim 11, wherein: the work group forwarding agent sends ARP requests to all interfaces in the work group to resolve an unknown host physical address.

20. The method of claim 19, further comprising: providing an ARP forwarding agent at each interface of the router, which accesses the host table.

21. The method of claim 11, further comprising: maintaining a range table of host IP addresses and associated interfaces on which the hosts may reside; and prior to forwarding a datagram, accessing the range table to validate a source or destination host.

22. An IP communications network including multiple physical networks connected by routers having multiple router interfaces, the routers forwarding IP datagrams based upon IP addresses, the network providing increased host mobility and including: means for defining an IP work group by assigning multiple router interfaces to a same IP work group address; and means for forwarding IP datagrams based on the IP work group address, wherein a host is attachable to any interface in the IP work group without requiring reconfiguration of the host IP address.

23. An IP communications network including routers having multiple router interfaces connecting multiple physical networks, the routers forwarding IP datagrams based on IP addresses, the network providing enhanced security and including: means for defining an IP work group by specifying IP host address ranges for different router interfaces; and means for filtering IP datagrams based on the host address ranges.

24. A router that provides security for preventing unauthorized transmissions comprising: a first interface connectable to a first network; means for assigning a range of valid IP host addresses to the first interface; and means for forwarding only IP datagrams transmitted from a host on the first network having a host IP address within the range of valid host addresses.

25. An apparatus for assigning a plurality of interfaces on an IP communications network to a work group, comprising: means for defining an IP work group by assigning an IP workgroup address to a plurality of interfaces; means for configuring interfaces to the IP work group; means for configuring ranges of IP host addresses to associated interfaces of the IP work group; and means for filtering IP datagrams based upon the host address ranges.