
A method of routing based on security protocols

IP.com Disclosure Number: IPCOM000227448D
Publication Date: 2013-May-08
Document File: 4 page(s) / 66K

Publishing Venue

The IP.com Prior Art Database

Abstract

It is often the case that a machine has two or more NICs and data is expected to be sent out through different NIC ports. It is very common to separate data flows across NIC ports by destination, but it is difficult to separate them by usage, such as FTP versus HTTP. This invention provides a way to separate data flows across NIC ports by usage.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 69% of the total text.

Page 01 of 4

A method of routing based on security protocols

The issue is seen on a server. Let's have a look at the network topology:

In Figure 1, Server 1 wants to transfer data to FileServer, but the security policies configured in Switch prevent it from doing so. The details are as follows:


Eth0 is brought up first. At this point Server 1 can reach the FileServer through Eth0, and the route table is as below:

Destination  Gateway     Genmask  Flags  Metric  Ref  Use  Iface
0.0.0.0      9.125.90.1  0.0.0.0  UG     0       0    0    eth0


Eth1 is brought up next, and the route table is updated as below:

Destination  Gateway     Genmask  Flags  Metric  Ref  Use  Iface
0.0.0.0      9.125.80.1  0.0.0.0  UG     0       0    0    eth1

Server 1 now cannot reach the FileServer because:


1) The default GW (9.125.90.1) was replaced by the DHCP service of Eth1, which supplied the new GW (9.125.80.1).


2) Switch has security policies configured which only allow specific network protocols to pass through. Thus FTP/TFTP is blocked by Switch and data cannot be transferred to FileServer.

To fix this case, we can do the following:


1) Make sure Eth0 is brought up after Eth1 (the one connected to Switch), so that the correct default GW (9.125.90.1) is not overwritten. But it is difficult for Server 1 to determine which one is connected to Switch.


2) Prohibit DHCP on Eth1 and only assign a static IP address to Eth1. This is not flexible to manage.

The invention idea to resolve the problem is:

1) A PolicyAgent located in Switch will respond to the DHCP request to notify Server 1 that the default GW of Eth1 has some limitations.

2) Maintain multiple default gateways in the Server 1 route table:

Destination  Gateway     Genmask  Flags  Metric  Ref  Use  Iface
0.0.0.0      9.125.90.1  0.0.0.0  UG     0       0    0    eth0
0.0.0.0      9.125.80.1  0.0.0.0  UG     0       0    0    eth1
3) Add two flags (Allow and Deny) to the route table to indicate the default GW limitation, for example:

Destination  Gateway     Genmask  Flags  Metric  Ref  Use  Allow   Deny  Iface
0.0.0.0      9.125.90.1  0.0.0.0  UG     0       0    0                  eth0
0.0.0.0      9.125.80.1  0.0.0.0  UG     0       0    0    tcp,80        eth1
The "Allow" flag on the second default gateway indicates that only TCP traffic to port 80 may be sent through that gateway, and all other data is denied on it.
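As an added illustration (not code from the disclosure), the following Python model implements the route lookup that the Allow/Deny columns imply: longest-prefix match, Deny checked before Allow, and an empty Allow column meaning unrestricted. The route table, the "proto,port" cell format, the ';' separator between rules, the keyword "any", and the preference for a gateway whose Allow explicitly names the flow are constructed or assumed here.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    proto: str        # "tcp", "udp" or "any"
    port: int = None  # None means any port
    def matches(self, proto, dport):
        return self.proto in ("any", proto) and self.port in (None, dport)

def parse_rules(text):
    # "tcp,80" is the page's cell format; ';' between rules and "any" are assumptions.
    return [Rule(p.strip().lower(), int(q) if q.strip() else None)
            for p, _, q in (i.partition(",") for i in text.split(";") if i.strip())]

@dataclass
class Route:
    destination: str
    genmask: str
    gateway: str
    iface: str
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    def network(self):
        return ipaddress.ip_network(f"{self.destination}/{self.genmask}", strict=False)
    def explicitly_allows(self, proto, dport):
        return any(r.matches(proto, dport) for r in self.allow)
    def permits(self, proto, dport):
        # Deny wins; an empty Allow column means everything not denied may pass.
        if any(r.matches(proto, dport) for r in self.deny):
            return False
        return not self.allow or self.explicitly_allows(proto, dport)

def select_route(table, dst_ip, proto, dport):
    # Returns the outgoing iface, or None when no gateway permits the flow (the blocked-FTP case).
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if dst in r.network() and r.permits(proto, dport)]
    if not candidates:
        return None
    # Longest prefix wins; on a tie prefer the gateway whose Allow names this flow
    # (assumption, steers WWW to eth1); remaining ties keep table order.
    return max(candidates, key=lambda r: (r.network().prefixlen,
                                          r.explicitly_allows(proto, dport))).iface

# Constructed table mirroring the disclosure's example (eth1 limited to tcp,80).
ROUTE_TABLE = [
    Route("0.0.0.0", "0.0.0.0", "9.125.90.1", "eth0"),
    Route("0.0.0.0", "0.0.0.0", "9.125.80.1", "eth1", allow=parse_rules("tcp,80")),
]
```

With this table FTP (tcp/21) and TFTP (udp/69) leave via eth0 while HTTP (tcp/80) leaves via eth1; with only the restricted eth1 gateway present, FTP has no permitted route, which is the failure the disclosure describes.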

With this method, we have the following advantages:

1) It gives a way to support multiple default GWs, which allows Server 1 to be used for both data transfer and machine management.

2) It allows quick network deployment for Server 1.

3) It allows the customer to balance different network traffic across different ports, such as FTP/TFTP using eth0 and WWW browsing using eth1.

The detailed steps:


  PolicyAgent          DHCPClient          DHCPServer
   (Switch)                                 (Router)
       v                    v                    v
       |                    |                    |
       |           Begins initialization         |
       |                    |                    |
       |     _____________/ | \____________      |
       |    /DHCPDISCOVER   |   DHCPDISCOVER\    |
       |                    |                    |
       |                    |              Determines
       |                    |              configuration
       |                    |                    |
       |\                   |    ____________/   |
       | \________          |   /DHCPOFFER       |
       |DHCPPOLICY\         |  /                 |
       |           \        | /                  |
       |             Collects replies            |
       |                   \|/                   |
       |            Selects configuration        |
       |               Save Policy               |
       |                    |                    |
       |                    |\____________       |
       |                    | DHCPREQUEST\       |
       |                    |                    |
       |                    |        Commits configuration
       |                    |                    |
       |                    |    _____________/  |
       |                    |   /...