
Recognize legal ARP packets for preventing ARP attack on Open flow environment

IP.com Disclosure Number: IPCOM000244192D
Publication Date: 2015-Nov-23
Document File: 4 page(s) / 329K

Publishing Venue

The IP.com Prior Art Database

Abstract

This disclosure describes a method for protecting an OpenFlow (OF) environment against ARP attacks. The controller monitors the DHCP exchange, extracts the IP address and MAC address assigned to each host, and stores the IP-to-MAC mapping in a database (DB). When the controller receives an ARP packet from a switch, it checks the packet's IP-to-MAC mapping against the DB. If the mapping is found, the ARP packet is valid and is processed as usual; if the mapping is not found, the controller treats the ARP packet as forged and discards it.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 53% of the total text.


Recognize legal ARP packets for preventing ARP attack on Open flow environment

This disclosure addresses the ARP attack problem in an SDN environment. In a traditional network, an ARP attack uses forged MAC and IP addresses to impersonate another host or the gateway, either to disrupt the network or to mount a man-in-the-middle attack (Figure 1). In an OpenFlow (OF) environment, ARP packets are forwarded to the OF controller for processing (Figure 2). If the controller cannot tell legitimate ARP packets from forged ones, it must process every one of them, which may mean creating a virtual host or port for each forged address or performing other work. All of this consumes controller resources, and the end result is that forged ARP packets can render the controller unavailable. A method is therefore needed to block forged ARP packets and protect the controller.

To date, there has been no method for defending against ARP attacks in an OF environment.

Figure 1: ARP attack on a traditional network.





Figure 2: ARP attack on an OF network; a large number of packets are forwarded to the OF controller.

This invention discloses a method for protecting an OF environment against ARP attacks. The controller monitors the DHCP exchange, extracts the IP address and MAC address assigned to each host, and stores the IP-to-MAC mapping in a database (DB). When the controller receives an ARP packet from a switch, it checks the packet's IP-to-MAC mapping against the DB. If the mapping is found, the ARP packet is valid and is processed as usual; if it is not found, the controller treats the ARP packet as forged and discards it.

When the controller receives an ARP packet, it checks the DB to verify that the ARP packet is valid. The first question, then, is how to build this DB. Our method is to listen to the DHCP packets and extract the IP and MAC addresses from them to create the IP-MAC table.
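The following is an added example, not code from the disclosure, of the two halves of the method as a controller would implement them: learning IP-to-MAC bindings from DHCP ACK messages seen via packet-in, and accepting an ARP packet only if its sender IP/MAC pair matches a binding. Packet parsing is written by hand over raw Ethernet frames so the example runs offline; every frame it handles is constructed test data, not captured traffic. The names ArpGuard, parse_dhcp, parse_arp and the builders are hypothetical. Two details go beyond the disclosure and are labelled as assumptions: DHCP ACKs are only believed when they arrive on a trusted (server-facing) switch port, so a rogue DHCP server cannot seed the table, and the frame's Ethernet source MAC must agree with the ARP sender MAC.

```python
"""Added example (not the disclosure's own code): DHCP-snooping binding table
plus the ARP sender check the disclosure describes. All frames are constructed."""
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst, src, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype ptype hlen plen op sha spa tha tpa
ETH_IPV4, ETH_ARP = 0x0800, 0x0806
DHCP_ACK, DHCP_RELEASE = 5, 7
DHCP_COOKIE = b"\x63\x82\x53\x63"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_dhcp(frame):
    """Return (msg_type, ciaddr, yiaddr, chaddr) for a DHCP message in an
    Ethernet/IPv4/UDP frame, or None if the frame is not DHCP."""
    _, _, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETH_IPV4 or frame[14 + 9] != 17:       # IPv4 protocol 17 = UDP
        return None
    udp = 14 + (frame[14] & 0x0F) * 4                   # skip IHL*4 bytes of IP header
    sport, dport = struct.unpack_from("!HH", frame, udp)
    if not {sport, dport} <= {67, 68}:                  # BOOTP server/client ports only
        return None
    bootp = udp + 8
    if frame[bootp + 236:bootp + 240] != DHCP_COOKIE:
        return None
    ciaddr = socket.inet_ntoa(frame[bootp + 12:bootp + 16])
    yiaddr = socket.inet_ntoa(frame[bootp + 16:bootp + 20])
    chaddr = mac_str(frame[bootp + 28:bootp + 34])      # Ethernet hlen 6 assumed
    i = bootp + 240                                     # walk options for 53 (message type)
    while i < len(frame) and frame[i] != 255:
        if frame[i] == 0:                               # pad option
            i += 1
            continue
        code, length = frame[i], frame[i + 1]
        if code == 53:
            return frame[i + 2], ciaddr, yiaddr, chaddr
        i += 2 + length
    return None


def parse_arp(frame):
    """Return ARP fields plus the frame source MAC, or None if not Ethernet/IPv4 ARP."""
    _, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, ETH_IPV4, 6, 4):
        return None
    return {"eth_src": mac_str(src), "op": op, "sha": mac_str(sha),
            "spa": socket.inet_ntoa(spa), "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}


class ArpGuard:
    """IP->MAC bindings learned from DHCP ACKs; an ARP packet is accepted only if its
    sender pair (spa, sha) is in the table. trusted_ports is an assumption added here:
    switch ports on which DHCP server replies are believed (packet-in gives in_port)."""

    def __init__(self, trusted_ports=()):
        self.bindings = {}
        self.trusted_ports = set(trusted_ports)

    def on_dhcp(self, frame, in_port):
        msg = parse_dhcp(frame)
        if msg is None:
            return
        mtype, ciaddr, yiaddr, chaddr = msg
        if mtype == DHCP_ACK and yiaddr != "0.0.0.0" and in_port in self.trusted_ports:
            self.bindings[yiaddr] = chaddr
        elif mtype == DHCP_RELEASE and self.bindings.get(ciaddr) == chaddr:
            del self.bindings[ciaddr]                   # only the bound MAC may release

    def arp_is_valid(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["eth_src"] != arp["sha"]: # frame source must match ARP sender
            return False
        return self.bindings.get(arp["spa"]) == arp["sha"]


# ---- constructed frames for the demonstration (not captured traffic) ----
def build_dhcp(mtype, chaddr, src_mac, ciaddr="0.0.0.0", yiaddr="0.0.0.0"):
    from_server = mtype == DHCP_ACK
    sport, dport = (67, 68) if from_server else (68, 67)
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2 if from_server else 1, 1, 6, 0,
                        0x1234, 0, 0, socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                        b"\0" * 4, b"\0" * 4, chaddr, b"\0" * 64, b"\0" * 128)
    payload = bootp + DHCP_COOKIE + bytes([53, 1, mtype, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4) + udp      # checksums left zero; not verified
    return ETH_HDR.pack(b"\xff" * 6, src_mac, ETH_IPV4) + ip


def build_arp(src_mac, sha, spa, tha, tpa, op=2):
    body = ARP_HDR.pack(1, ETH_IPV4, 6, 4, op, sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return ETH_HDR.pack(b"\xff" * 6, src_mac, ETH_ARP) + body


VICTIM, ATTACKER, SERVER = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "02000000ff01"))
SERVER_PORT, ACCESS_PORT = 1, 2


def demo():
    """Victim leases 10.0.0.10; attacker then claims that IP in an ARP reply.
    Returns (legit_accepted, spoof_accepted)."""
    guard = ArpGuard(trusted_ports={SERVER_PORT})
    guard.on_dhcp(build_dhcp(DHCP_ACK, VICTIM, SERVER, yiaddr="10.0.0.10"), SERVER_PORT)
    legit = build_arp(VICTIM, VICTIM, "10.0.0.10", b"\0" * 6, "10.0.0.1", op=1)
    spoof = build_arp(ATTACKER, ATTACKER, "10.0.0.10", VICTIM, "10.0.0.1")
    return guard.arp_is_valid(legit), guard.arp_is_valid(spoof)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Two caveats a deployment would need to settle that the disclosure does not discuss: a host with a statically configured address never appears in the table and so has all its ARP traffic dropped, and a DHCP client's address-conflict probe (ARP request with sender IP 0.0.0.0) is likewise rejected by a strict table lookup, so the controller must decide whether to whitelist such probes.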





The detailed process by which the IP-MAC table is created is as follows:


The end point broadcasts an initial DHCP Discover packet to find available servers.


Once the OF switch receives the packet, the packet matches a default flow entry and triggers...