The present invention relates generally to computer networking. The present invention relates more particularly to a method and system for ensuring that communications between a local area network (LAN) and a wide area network (WAN) are routed through a gateway.
Internet service is almost ubiquitous. Service providers are deploying increasingly more advanced broadband services to their subscribers. The subscribers are attaching a growing number of Internet Protocol (IP) devices to their home and business networks. For example, not only are computers being attached to such networks, but televisions and telephones are also routinely attached.
Shared physical mediums have been developed, at least partially as a result of the desire to connect such devices to a network. Several of the home and business networking topologies currently in use and under future consideration use a shared medium for both WAN and LAN connectivity, thus reducing cost and complexity of the devices attached thereto. The use of a shared medium may occur, for example, when a bridge is used to facilitate communication between a service provider and a LAN. Wireless access (such as WiFi), Multimedia over Coax Alliance (MoCA), and HomePlug are examples of shared media.
However, when the WAN and LAN ports share the same physical medium in a home or business network, traffic originating from devices on the LAN that is destined for the WAN is not physically forced to be routed through the gateway. Similarly, traffic originating from a WAN that is destined for the LAN is not physically forced to be routed through the gateway. Thus, the gateway is not necessarily a physically intermediate device between the LAN and the WAN. This means that devices on a home or business network may not be protected by the features provided by the gateway, such as the firewall and parental controls.
Furthermore, an IP device on the home or business network could inadvertently receive an IP address from a dynamic host configuration protocol (DHCP) server on the WAN instead of from the LAN's gateway. Thus, although the use of a shared physical medium has proven generally suitable for its intended purpose, such configuration does present inherent deficiencies which detract from its overall effectiveness and desirability.
These problems can be alleviated by implementing manual medium access controller identification (MAC ID) filtering on the service provider's DHCP servers, but this procedure is labor intensive. Further, it does not readily allow a user to install new gateway devices. MAC ID filtering also presents a scaling problem and thus could have a significant cost impact on the service provider.
Therefore, it is desirable to provide a method and system to ensure that all LAN traffic originating from LAN IP devices is only routed through the gateway and that all WAN traffic originating from the broadband network (including the Internet) is only routed to the LAN via the gateway. In this manner, features of the gateway can be advantageously utilized.
This problem is becoming more urgent as service providers begin to deploy bridging devices using fiber-to-the-home (FTTH) and other broadband WAN technologies on the network access side. They connect these bridging devices to the gateway via a shared medium that may also be used for a home or business LAN. For instance, a fiber optical network terminal (ONT) may utilize MoCA or HomePlug to enter the house without having to install Ethernet cable (which may require the drilling of holes, etc.), while also providing connectivity between devices in the home or business network.
Routing through a gateway could be forced by using tunneling or 802.1x-like technologies in the gateway and service provider network, but these are not simple solutions. Furthermore, it cannot be assumed that these technologies exist in the gateway (such as a residential gateway purchased at retail). It is thus desirable to resolve this problem in a manner that does not conflict with existing gateways and routers or require technologies that typically do not reside in consumer based products.
Embodiments of the present invention and their advantages are best understood by referring to the detailed description that follows. It should be appreciated that like reference numerals are used to identify like elements illustrated in one or more of the figures.
The exemplary embodiment of the present invention described herein provides a way for a WAN bridge (which can be an ONT, a modem, or another device) to automatically determine which IP device of a LAN is the gateway and correspondingly restrict traffic flows to/from the LAN through the gateway. In this manner, features of the gateway, such as a firewall and/or parental controls, can be advantageously utilized.
Referring now to
An assumption can be made that the gateway will recognize, but not respond to, a DHCP discover/request originating from itself. The WAN bridge can be installed by the service provider for broadband connectivity. Either the user or the service provider can install a gateway and IP clients on the shared physical medium (such as that of MoCA, HomePlug, WiFi wireless, etc.). Once installed, the bridge then sends out a DHCP discovery (on its LAN port) to identify any DHCP servers on the shared medium, as indicated by the circled number 4 of
The residential gateway (gateway) will be the only device to respond (it is assumed that the only DHCP server in the network is implemented within the gateway) and is thus identified by the bridge. The bridge obtains a private IP address from the gateway, as indicated by the circled number 5 of
Once the bridge identifies that there is a gateway downstream, it temporarily enables a LAN DHCP server and responds to any and all DHCP requests from devices on the LAN (clients, PCs, gateways, routers, etc.). The lease time on the IP addresses is set to a short value, e.g., 1 minute or less. At this point the gateway will obtain a short lease IP address and gateway address from the bridge, as indicated by the circled numbers 6-10 of
The bridge will then transmit test (probe) traffic from its LAN side to the gateway using a destination IP address anywhere in the public IP network, as indicated in block 304 of
It is worthwhile to note that if the gateway has been provisioned with multiple WAN MAC addresses, it must forward the test (probe) traffic once for every MAC address assigned. This allows the bridge to learn and add to its forwarding table all WAN MAC addresses that must be forwarded. Furthermore, if the gateway has been provisioned with MAC addresses for LAN devices that must receive public IP addresses, e.g., CableHome, the gateway must also forward the test (probe) traffic once for every MAC address for each device that has been provisioned.
At this point, the bridge has identified the WAN MAC address of the gateway and the original DHCP leases offered by the bridge DHCP server will be expiring. However, if the bridge has not yet found the WAN MAC address of the gateway, it can renew the leases of the LAN device IP addresses and send the traffic again in an attempt to find it. The leases should not permanently expire until the WAN MAC address of the gateway is found. Once the bridge has learned the gateway WAN MAC address, it will disable its own DHCP server to prevent renewing LAN DHCP requests. The bridge will then forward only those DHCP requests that originate from the gateway, i.e., the only device in the home or business network that should receive an IP address from a WAN side DHCP server is the identified gateway. Other IP client DHCP requests will be blocked (filtered) by the bridge and thus never seen by the service provider network, as indicated by the circled numbers 14 and 18-21.
Furthermore, the bridge will then only forward IP traffic sourced from the gateway in the upstream direction and will ignore traffic from other devices. In the downstream direction, traffic will only be forwarded directly to the gateway, as indicated by block 307 of
Any short lease IP address assigned by the bridge's DHCP server to any LAN device will expire and subsequent DHCP addresses for these and any other client devices will be from the gateway only. All traffic sourced by any home or business networking device will be directed only to the gateway, as indicated by the circled numbers 15-17.
The bridge can retain the DHCP IP address assigned by the gateway in order to allow for LAN based management of the bridge via the gateway. This would be important for self install, self diagnostics, service enablement, etc.
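The discovery, learning and filtering sequence described above (short-lease DHCP, probe traffic to a public address, learning one or more gateway WAN MAC addresses, then forwarding only to and from those addresses), modelled as an added Python example that is not code from the patent. The MAC addresses, the probe destination address and the `WanBridge` class and its methods are constructed for illustration.

```python
# Constructed model of the WAN bridge's gateway-discovery and filtering logic.
# All addresses are made-up sample values; 198.51.100.7 is a documentation
# range address standing in for "any public IP address".
from dataclasses import dataclass

PROBE_DST_IP = "198.51.100.7"   # constructed public destination for the probe


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    direction: str        # "up" = from the LAN side toward the WAN, "down" = WAN toward LAN
    dst_ip: str = ""
    is_dhcp: bool = False


class WanBridge:
    def __init__(self, lan_mac):
        self.lan_mac = lan_mac
        self.gateway_wan_macs = set()   # forwarding table learned from probe traffic
        self.lan_dhcp_enabled = False   # the temporary short-lease DHCP server
        self.expected_macs = 1          # a gateway may be provisioned with several WAN MACs

    def on_gateway_discovered(self, expected_macs=1):
        """A LAN-side DHCP discover was answered, so a gateway exists downstream:
        enable the short-lease DHCP server so the gateway leases an address from us."""
        self.lan_dhcp_enabled = True
        self.expected_macs = expected_macs

    def observe_upstream(self, frame):
        """Learning phase: an upstream frame addressed to the probe's public IP and
        to the bridge's own MAC can only be the probe as forwarded by the gateway,
        so its source MAC is one of the gateway's WAN MAC addresses."""
        if (self.lan_dhcp_enabled and frame.direction == "up"
                and frame.dst_ip == PROBE_DST_IP and frame.dst_mac == self.lan_mac):
            self.gateway_wan_macs.add(frame.src_mac)
        if len(self.gateway_wan_macs) >= self.expected_macs:
            self.lan_dhcp_enabled = False   # stop renewing LAN leases; let them expire

    def on_lease_expiry(self):
        """True means the leases are renewed and the probe must be sent again,
        because not every expected gateway WAN MAC has been found yet."""
        return self.lan_dhcp_enabled

    def should_forward(self, frame):
        """Steady-state policy: upstream frames (DHCP included) only from a learned
        gateway WAN MAC; downstream frames only to a learned gateway WAN MAC."""
        if frame.direction == "up":
            return frame.src_mac in self.gateway_wan_macs
        return frame.dst_mac in self.gateway_wan_macs
```

While the table is still empty, `should_forward` returns False for everything, which is why a LAN client's DHCP request never reaches the service provider's DHCP server.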
With particular reference to
It is worthwhile to note that the IP addresses shown in
DHCP requests from downstream are used to discover a gateway and to obtain a private IP address from the gateway. Subsequently, the traffic sent downstream is then used to find the correct logical connection with the gateway. According to contemporary practice, all DHCP requests are typically made upstream and bridges do not implement DHCP at all (they just pass through traffic).
An alternative network configuration is to locate the DHCP server responding with short term lease DHCP addresses upstream from the bridge. Strictly speaking, the DHCP server that responds with the short term lease would not have to be integrated into the bridge. However, there are practical network maintenance and support issues to consider if that DHCP server is located upstream of the bridge. For example, the physical location of the DHCP server can be critical. It should be physically located in such a way as to ensure that devices on the home or business network are guaranteed to see an offer from the server in question before it sees offers from other DHCP servers on the network.
Alternative applications for the present invention include: use in deployments where a gateway is configured to administer one and only one private IP address via DHCP (as described in TR-068 I-202 “single PC mode”) wherein more than one LAN device can request an IP address via DHCP, in which case there is no guarantee that the single available DHCP address would be assigned to the correct LAN device; and use in deployments where a DSL modem is configured to share its public WAN IP address obtained by PPPoE with a single LAN device (as described in TR-068 I-197 “IP passthrough”) wherein more than one LAN device could compete with a router for that IP address via DHCP.
According to one or more embodiments of the present invention, there can be other implementations in which the bridge learns which DHCP traffic to forward. For example, the gateway or a LAN device can require a public IP address. If the LAN device has been configured to include DHCP Option 60, the bridge should add the WAN MAC address associated with that DHCP request to its forwarding table. However, these other methods require changes to be made on the LAN devices.
Referring now to
Processor 403 comprises and/or communicates with a memory 404. Memory 404 can be disposed within WAN bridge 400. Alternatively, memory 404 can be disposed elsewhere. Instructions for performing the acts of
As used herein, the term “gateway” can refer to a residential gateway. The term gateway can refer to any device, including a general purpose computer, that performs at least some of the functions associated with a contemporary gateway. Thus, gateway 400 does not have to be limited to the functions commonly associated with a contemporary gateway and gateway 400 does not have to be a dedicated gateway.
According to this exemplary embodiment of the present invention, a WAN bridge is used to discover one or more gateways of the LAN and to control traffic flow between the WAN and the LAN. However, such discovery and control may be performed by another device or combination of devices. Thus, discussion herein regarding a WAN bridge is by way of illustration and not by way of limitation.
The exemplary embodiment of the present invention described herein provides a way for a WAN bridge or other device(s) to discover a gateway and then restrict communication between the WAN and LAN through the gateway. In this manner, features of the gateway, such as a firewall and/or parental controls, can be advantageously utilized. This is accomplished in a manner that does not conflict with existing gateways and routers or require technologies that typically do not reside in consumer based products.
Embodiments described above illustrate, but do not limit, the invention. It should also be understood that numerous modifications and variations are possible in accordance with the principles of the present invention. Accordingly, the scope of the invention is defined only by the following claims.