CN1822565A - Network with MAC table overflow protection - Google Patents

Network with MAC table overflow protection

Info

Publication number
CN1822565A
Authority
CN
China
Prior art keywords
bridge
port
frame
address
mac address
Legal status
Pending
Application number
CNA2005101083695A
Other languages
Chinese (zh)
Inventor
葛安 (An Ge)
吉里什·奇鲁沃洛 (Girish Chiruvolu)
马赫·阿利 (Maher Ali)
Current Assignee
Alcatel CIT SA
Alcatel Lucent NV
Original Assignee
Alcatel NV
Priority date
2004-10-15 (U.S. Provisional Application No. 60/619,330)
Abstract

A method of operating a bridge node (B0) in a network system. The bridge node comprises a plurality of ports (BP0.x). The method comprises a step of receiving a frame (240), from a device in the network system other than the bridge node, at a port in the plurality of ports. The frame comprises a source network address. The method is also responsive to at least one condition (250, 260) associated with the port, in that the method stores the source address in a forwarding table associated with the bridge if the at least one condition is satisfied. The at least one condition comprises whether the frame was received within a time window TW of when a threshold number of previous frames were received at the port and their respective source network addresses were stored in the table.

Description

Network with MAC table overflow protection
Cross-reference to related application
This application claims priority to U.S. Provisional Application No. 60/619,330, filed October 15, 2004.
Technical field
The present invention relates to computer networks, and more particularly to a network with MAC table overflow protection.
Background art
Ethernet is supported in many applications in the networking field, for a variety of reasons. For example, Ethernet is a widely used and cost-effective medium, with a large number of interfaces and a speed range reaching 10+ Gbps. Ethernet can be used to set up a single site by a single entity such as a company, or alternatively an entity can connect different local area networks (LANs) together to form a larger network, sometimes called a wide area network (WAN). Further, Ethernet technology is also used to form networks sometimes called Metro Ethernet Networks (MEN); a MEN is usually publicly accessible and is usually associated with a metropolitan area, hence the term "metro" Ethernet. A MEN provides a so-called metro domain, typically controlled by a single operator such as an Internet service provider (ISP). A MEN is typically used to connect between access networks and a core network. An access network generally includes edge nodes that operate as bridges for private or end users, i.e. user nodes, giving the network its connectivity. The core network is used to connect to other Metro Ethernet networks and mainly provides the frame switching function.
An Ethernet typically comprises a plurality of bridges, sometimes also called by other names such as switches. A bridge typically operates by receiving frames, which are also sometimes called by other names such as packets or messages; in any case a frame includes a portion, such as a header, carrying a source address and a destination address. A frame may include other information, such as a payload or data sent from the device at the source address to the device at the destination address. The bridge receives the frame from the source on one port and forwards it to the destination via a port, where the source and destination may be another bridge, a user, or another node in the Ethernet. A bridge performs its forwarding function by building (or "learning") a table of the addresses connected to, and corresponding to, each of its ports, and then consulting that table so that it forwards a frame out of the port the table identifies as connected to the destination address, thereby delivering the frame to the intended address. Such a table is referred to in this document as the MAC address forwarding table, where MAC is the abbreviation of "Media Access Control", and each MAC address uniquely identifies a corresponding piece of hardware in the network. Specifically, in IEEE 802 networks the Data Link Control (DLC) layer of the OSI reference model is divided into two sublayers, (i) the Logical Link Control (LLC) layer and (ii) the MAC layer. The MAC layer interfaces directly with the network medium (the physical layer, or layer 1, of the OSI model). Consequently each different connection to the network medium requires a different MAC address. Finally, when a bridge receives a frame, it reads the destination MAC address from the frame header, sets up a temporary connection between the source port and the destination port, forwards the frame out of the destination port, and then tears the connection down.
A negative development in contemporary computing, accompanying the pervasive use of networks, is the considerable effort bad actors put into disrupting the operation of networks or gaining unauthorized access to network resources. In an Ethernet environment, one malicious behaviour is for a user to connect to the network and then flood a bridge with an unusually large number of frames carrying different, unknown MAC addresses. When a bridge receives each frame, it checks its MAC address forwarding table to determine whether the source MAC address in the frame has already been recorded there. If the address is not stored, the table stores it and associates it with the port on which the frame carrying that source address was received, so that the source address is thereafter associated with a port of the bridge. Accordingly, when a later frame arrives whose destination address matches a MAC address stored in the table, the bridge forwards it out of the port associated with that address. It follows from the foregoing that a bridge stores an entry in its forwarding table for every source address not yet in the table. As the number of such unknown source addresses grows, the memory holding them eventually fills. At that point, according to the prior art, if the bridge receives a frame whose destination address is not in the full table, the bridge typically "broadcasts" (floods) each such frame, i.e. sends it out of all of its ports except the one on which it was received, in the hope that the destination receives it and replies to the broadcasting bridge, so that the bridge can update its MAC address forwarding table with an entry associating that destination MAC address with the port on which the reply arrives. This approach has limitations, however, and it is precisely these limitations of the prior art that a bad actor flooding a bridge exploits. For example, the MAC table has limited space. As another example, the MAC address forwarding table associates a timeout window with each stored MAC address, so that if there is no activity for an address during the timeout period the address is removed from the table. Given these limitations, a bad actor may send thousands of different MAC addresses to the same bridge within a relatively short period of time. Because of its size limit, the bridge's MAC address forwarding table will reach its address limit, and the resulting broadcasting adds a large amount of traffic to the network. Moreover, once the MAC address forwarding table is full, the bridge no longer accepts new MAC addresses, which is to say that all arriving traffic with unknown MAC addresses is broadcast to the ports in the VLAN defined by the frame. As a result the bridge is rapidly overwhelmed, cannot perform its bridging function, and also begins to drop frames from other sources. Thus the bridge is flooded by the attack, and the whole network may be flooded by it.
Two approaches have been attempted in the prior art to deal with the above principles and bridge limitations. In the first approach, the MAC addresses in the bridge's MAC address forwarding table are changed statically. In this approach the MAC address forwarding table is built manually, so when the bridge receives a new frame with a MAC destination address not yet contained in the table, the frame is discarded, and the table is not later updated with the contents of a reply to a broadcast of that frame. Because the bridge does not broadcast the discarded frames, however, the possibility of burdening the network with such frames is reduced. In the second approach, MAC-based authentication is used when a node joins the network or is started. In this approach, when a MAC-addressed entity joins the network or is started, the entity issues a frame sometimes called a registration frame, so that a bridge receiving it can update its MAC address table accordingly.
The prior-art approaches above may reduce the possibility of overburdening a bridge by flooding it with MAC frames, but they have defects that would be found by those of ordinary skill in the art. As an example of a defect of the first approach, a bridge may receive legitimate frames, but if those frames carry a destination MAC address not yet in the bridge's table they are dropped, and the network therefore refuses service to them. As an example of a defect of the second approach, because equipment may be shut down or started periodically, multiple registrations are needed over time, which also allows a bad actor to flood the network and its bridges with a large number of registration frames. In view of the above, there is a need to address the defects of the prior art with the preferred embodiments, as described in more detail below.
Summary of the invention
In a preferred embodiment there is a method of operating a bridge in a network system. The bridge comprises a plurality of ports. The method includes the step of receiving, at a port of the plurality of ports, a frame from a device in the network system other than the bridge. The frame comprises a source network address. The method is also responsive to at least one condition associated with the port, in that if the at least one condition is satisfied the method stores the source address in a forwarding table associated with the bridge. The at least one condition comprises whether the frame was received within a time window TW of the time at which a threshold number of previous frames were received at the port and their respective source network addresses were stored in the table.
Other aspects are also described and claimed herein.
Brief description of the drawings
Fig. 1 illustrates an example network system according to the preferred embodiments.
Fig. 2 illustrates a frame with various data blocks used to perform MAC address authentication (i.e. to determine reliability) according to the preferred embodiments.
Fig. 3 illustrates a method of authentication performed by a bridge according to the preferred embodiments.
Fig. 4 illustrates a method of operating a bridge node to update its MAC address forwarding table according to the preferred embodiments.
Fig. 5 illustrates a logical depiction, according to the preferred embodiments, of the memory space used by a bridge as a forwarding table.
Fig. 6 illustrates an alternative preferred embodiment of the method of Fig. 4.
Detailed description of the embodiments
Fig. 1 illustrates a block diagram of a network system 10 in which the preferred embodiments may be implemented. In general, at the level shown in Fig. 1, each item in system 10 is known in the art, and the nodes shown may be programmed and configured with various forms of hardware and software to perform the steps discussed in this document. As described below, however, the method of operation and certain functions added to the bridges for the preferred embodiments improve system 10 as a whole, and these methods and functions can be added relatively easily to the existing hardware and software programming of a system such as system 10. Indeed, as a result the preferred embodiments are more flexible and can scale to networks of different sizes.
System 10 generally represents a bridged network, such as an Ethernet, comprising a plurality of nodes. In an Ethernet environment some nodes may be called Ethernet bridges or switches; for consistency the term "bridge" is used in this document. It should be noted that the physical connections between the bridges in system 10 and other devices may be referred to in various ways and may be realized in various ways, but in any case they permit two-way communication between each pair of connected bridges. Communication takes place by way of data blocks, commonly called frames, packets or messages; for consistency the term "frame" is used in this document. In parts of the network, as is also known in the art, an additional routing layer may be employed to define the paths along which frames are transmitted in the network. Turning to system 10, it generally comprises three bridges B0 to B2. In system 10 each bridge Bx is also connected to one or more other bridges via corresponding ports. For example, bridge B0 is connected to bridge B1 via port BP0.0, and bridge B1 is connected to bridge B2 via port BP1.1. It should be noted that the connections between the bridges shown may be realized by a direct connection or may pass through intermediate nodes with bridging functionality. In any case, from Fig. 1 one of ordinary skill in the art will recognize that the remaining connections between the respective bridges in Fig. 1, together with those above, are summarized in Table 1 below:
Bridge   Connected bridges
B0       connected to B1 via port BP0.0
B1       connected to B0 via port BP1.0; connected to B2 via port BP1.1
B2       connected to B1 via port BP2.0
Table 1
In addition to the bridge connections above, bridge B1 is connected to a network server NS which, as will become clearer below, is sometimes called an authentication server and is connected to a database DB.
Continuing with system 10, for purposes of illustration a number of the bridges are also shown connected to subscriber station nodes USx, which may be called by other names such as user nodes or user stations. A subscriber station is an example of a node that may be on the same network or at a remote location of the network, such as a different physical site (a business, a university, a government agency); subscriber stations may be implemented in a LAN, a WAN or the global Internet. Typically some subscriber stations wish to communicate with other subscriber stations, and a key function of the bridges is therefore to facilitate that communication in a manner that is transparent to those subscriber stations, or at least in a manner they can recognize. As a result, one subscriber station in system 10 can communicate over a larger distance with another subscriber station in system 10 transparently with respect to the nodes between the network layer and the subscriber stations. Further, in Fig. 1 some subscriber stations are shown connected directly to respective ports of a bridge, while others are connected to a local area network (LAN) that supports a group of local subscriber stations. As an example of the former, subscriber station US1 is connected to port BP0.1 of bridge B0; as an example of the latter, LAN LN0 is connected to port BP0.2 of bridge B0. As for LAN LN0, it comprises subscriber stations US3, US4 and US5 and a shared transmission medium, where the shared medium is sometimes implemented as an aggregating hub. These examples of subscriber stations in Fig. 1, and the connections of the remaining examples, are summarized in Table 2 below:
Bridge   Connected subscriber stations or LANs
B0       connected to US1 via port BP0.1; to US2 via port BP0.3; to US8 via port BP0.4; to LAN LN0 (with US6 and US7) via port BP0.2
B1       connected to US9 via port BP1.2
B2       connected to LAN LN1 via port BP2.1
Table 2
Having introduced system 10, it should be noted that system 10 can be operated according to the prior art in various respects, while the preferred embodiments additionally improve the resistance of the bridges Bx to MAC flooding. In those respects, each bridge maintains a memory storage area, usually implemented in a content-addressable memory (CAM), which the Background referred to as the MAC address forwarding table (or simply the "forwarding table"). The data structure of each bridge's MAC address forwarding table in the preferred embodiments is now introduced. When a bridge according to the preferred embodiments receives a frame with a source MAC address, various address information from that frame is stored in the bridge's MAC address forwarding table if certain conditions (described in detail later) are met. To simplify the understanding of this information, consider an example in which a bridge such as bridge B0 is first activated, its MAC address forwarding table is empty, and a first entry is then added to the table. In that case the forwarding table data take the form of Table 3 below:
MAC address   Port ID   Port type   Time stamp   Authenticated
A             0.1       user        T1           No
Table 3 (MAC forwarding table)
The first row of Table 3 need not be included in the actual data table but is included here to give an understandable description of the data values in the table. Looking at the columns of Table 3: in the first column the bridge has preferably stored the source MAC address from the received frame. For simplicity, capital letters are used as example MAC addresses in this document, whereas actual MAC addresses, or other forms, may be stored. In the second column the bridge has preferably stored an identifier of the port on which the frame was received. In this example Table 3 is the table of bridge B0, so the entry indicates that the frame was received at its port BP0.1. Of course the specific identifier "0.1" in this example is chosen to match the identifiers of Fig. 1; in practice ports may be identified in various ways. In any case this port information provides the basis for distinguishing the reception of multiple frames at one port of the bridge from reception at its other ports, a basis described in detail later. In the third column the bridge may store an identifier of the type of port on which the frame was received. This information provides a basis for determining later whether authentication is performed for the corresponding MAC address, and a basis for adjusting the parameters that determine whether the information in a given received frame is stored in the MAC address forwarding table. In the fourth column the bridge has preferably stored a time stamp of the reception of the current frame. Finally, in the fifth column, as described below in conjunction with Figs. 2 and 3, the bridge has preferably also undertaken an authentication method for some or all of the entries in its forwarding table, so the fifth column indicates the authentication state at any given time: "Yes" means the corresponding MAC address has been determined to be reliable, "No" means the reliability of the corresponding MAC address has not yet been checked, and "N/A" means the reliability of the corresponding MAC address will not be determined.
Figs. 2 and 3 introduce the method of source MAC address authentication of the preferred embodiments that is reflected in the fifth column of Table 3. In particular, authentication is preferably performed for any frame received from a subscriber station, whereas, for reasons discussed later, a bridge does not authenticate frames received from another bridge. With respect to the authentication of frames received from subscriber stations, Fig. 2 shows a preferred frame FR with its various data blocks, and Fig. 3 shows a preferred method 100 of authentication. Each is described in more detail below.
Looking at frame FR of Fig. 2 from left to right, the frame includes a header that is in some respects comparable to that of other network frames. The header preferably also includes, however, an identifier and other fields indicating that frame FR is to be used for frame authentication, where the identifier may indicate that the frame carries a bridge's authentication request or a response to such a request, as discussed further below with Fig. 3. The next field of frame FR is a bridge identifier (ID), identifying either the bridge that transmitted the frame FR request or the bridge that is to receive the response to that request. The last field of frame FR is a number N of MAC address identifiers, shown as MAC1 to MACN, where N is preferably greater than 1 so that a bridge can request authentication of multiple MAC addresses in a single frame. Finally, it should be noted that when frame FR is returned to the requesting bridge, a flag may be added to each of the N MAC address identifiers; by way of example each MAC address identifier in frame FR is shown with a flag Fx appended to it (MAC1 has flag F1, MAC2 has flag F2, and so on). The flag indicates whether, during authentication, the corresponding MAC address was found to be reliable (the flag set to a first state) or unreliable (the flag set to a second, different state). The flags could be provided in some other form, such as by including them elsewhere in frame FR (e.g. in the header).
As mentioned above, Fig. 3 illustrates method 100 of authentication. Method 100 is preferably performed by a plurality of bridges in system 10, and in some instances some bridges may not perform it. By way of example, method 100 may be implemented in a bridge as a computer program comprising sufficient hardware, software and data to perform the following steps. Consider a bridge connected to one or more subscriber stations but not directly connected to the network server, such as bridge B0 in Fig. 1, which is not connected to network server NS but is connected to subscriber stations US1, US2 and US8. Method 100 starts at step 110, where the bridge (e.g. B0) determines the reliability of a group of N MAC addresses in its own MAC forwarding table. In the preferred embodiments step 110 is performed according to timing considerations described in detail later, and the bridge, having collected N MAC addresses from its forwarding table, sends them into the network in a frame FR of the form shown in Fig. 2. The header of frame FR indicates the nature of the frame, and the frame is received, either directly or through an intermediate bridge, by the network server that provides the address verification. Thus in this example bridge B0 issues a frame FR that is received by bridge B1, which is directly connected to network server NS. In response, bridge B1 services the authentication request. Using terms known from other authentication processes in the art, the bridge that sends the request (e.g. B0) is the requester (the supplicant), and the bridge that receives the request and can service it via the network server (e.g. B1) is called the authenticator. In effect the requester asks the authenticator to authenticate, and if authentication succeeds the requester can take further action in reliance on the authenticated information. In response to the requester's request, the authenticator communicates with network server NS. Thus in the example of Fig. 1, bridge B1 becomes the authenticator for requester bridge B0 with respect to frame FR, and bridge B1 accordingly communicates with network server NS and database DB. In the preferred embodiments database DB is pre-configured, for example by a network administrator, to store a list of the reliable or valid MAC addresses for system 10. As a result, a bridge directly connected to network server NS can access that list via network server NS or have network server NS access it. Hence, in the present context, each MAC address MAC1 to MACN is evaluated to determine whether it is reliable, for example by determining whether it has been pre-stored in database DB. In response, network server NS returns to the directly connected authenticator bridge (e.g. B1) an indication for each of the N MAC addresses, which, as mentioned above, can take the form of an appended flag or some other form corresponding to each MAC address in frame FR. The authenticator then forwards this information back to the requester bridge (i.e. the one that initiated the request). Returning to method 100 of Fig. 3, when the requester bridge receives the response to its authentication request, step 110 is complete and method 100 proceeds to step 120.
In step 120 the requester bridge (e.g. B0) responds to each reliability indication in the response it received from the reliability determination of step 110. For each MAC address indicated as reliable by the authenticator, method 100 proceeds from step 120 to step 130. Conversely, for each MAC address indicated as unreliable by the authenticator, method 100 proceeds from step 120 to step 140.
Step 130 is reached because a reliable MAC address has been found; in this step the requester bridge (e.g. B0) updates its forwarding table to indicate that the corresponding MAC address is reliable. Returning briefly to Table 3, note that in the fifth column, as of the moment depicted in Table 3, the reliability of MAC address A has not yet been checked, i.e. as of that moment step 110 or its response has not been completed according to Table 3. If, however, according to step 120 MAC address A has been found reliable (i.e. valid according to database DB) and flow is directed to step 130, then in step 130 the fifth column is updated accordingly, so that the row could appear as in Table 3 but with the indication "No" changed to "Yes". Of course a reliable address could be indicated in other ways, such as by setting a single binary value to one state, where that state indicates a reliable address and its complement an unreliable address. After the table is updated in step 130, method 100 returns to step 110 to check the reliability of another group of N MAC addresses.
Step 140 is reached because an unreliable MAC address has been found (which may have been learned from a directly connected station or from some station connected to, or hidden behind, an aggregating hub); in this step the corresponding action is taken with respect to the entry for that MAC address in the forwarding table. Returning briefly to Table 3 again, recall that as of the moment depicted the reliability of MAC address A has not yet been checked. When step 140 is reached, however, the address in question is unreliable (e.g. not reliable because it is not stored in database DB), so steps are taken to invalidate its entry in Table 3 and thereby free the storage space used by that entry for other addresses in the future. By way of example, for an address found to be unreliable, the entry for that address in the requester's MAC forwarding table may be marked invalid and overwritten later, or the entry may be removed from the table as soon as its unreliable nature is determined. In any case, then, unreliable entries can be identified and cleared from the forwarding table in time, so that the table's effective storage space remains available for later entries when the requester bridge receives further frames with corresponding MAC addresses. After the table is updated in step 140, method 100 returns to step 110 to check the reliability of another group of N MAC addresses.
Several observations can be made from the foregoing about method 100. In general, the method allows a bridge to request authentication of up to N MAC addresses at a time and, when the reliability of those addresses has been determined, to update its MAC address forwarding table accordingly; determining the reliability of multiple addresses with a single frame FR reduces overhead. As is known in the art, for addresses updated as reliable the bridge can subsequently operate on those addresses, such as by forwarding later frames to an authenticated address. For addresses found unreliable, the bridge can use the storage space previously occupied by that address information to hold newly received addresses. In this way, and as further described below, storage space can be freed periodically to hold other addresses. Moreover, if a bad actor attempts to flood the MAC forwarding table with unreliable addresses, method 100 removes those addresses in time, reducing the possibility that the bridge is flooded by the receipt of unreliable addresses. Finally, it should be noted that one of ordinary skill in the art can adjust the frequency with which authentication, and the responses to it, occur so as to achieve the timing contemplated below.
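The frame FR exchange of method 100 between the requester bridge, the authenticator and network server NS, as an added example written for this page and not taken from the patent. The patent fixes only the field order of FR (header with request/response indicator, bridge ID, N MAC addresses, a flag per address in the response), so the field sizes, the flag values, and the check that a response carries the requester's own bridge ID are assumptions. The forwarding table is a plain dict in the layout of Table 3 with constructed entries, and database DB is modelled as a set of valid MAC addresses.

```python
import struct

# Assumed wire layout for frame FR: 1-byte type (1 = request, 2 = response),
# 2-byte bridge ID, 1-byte N, then N entries of a 6-byte MAC, each followed in
# a response by a 1-byte flag Fx (1 = reliable, 0 = unreliable).
FR_REQUEST, FR_RESPONSE = 1, 2
FLAG_RELIABLE, FLAG_UNRELIABLE = 1, 0
HEADER = struct.Struct("!BHB")


def _mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def _bytes_to_mac(raw):
    return ":".join("%02x" % b for b in raw)


def build_request(bridge_id, macs):
    """Requester side of step 110: N MAC addresses whose reliability is unknown."""
    return HEADER.pack(FR_REQUEST, bridge_id, len(macs)) + b"".join(_mac_to_bytes(m) for m in macs)


def build_response(bridge_id, flagged):
    """Authenticator side: the same MACs, each with its flag Fx appended."""
    body = b"".join(_mac_to_bytes(m) + bytes([flag]) for m, flag in flagged)
    return HEADER.pack(FR_RESPONSE, bridge_id, len(flagged)) + body


def parse_frame(buf):
    """Returns (type, bridge_id, [(mac, flag or None), ...]). A frame whose length
    disagrees with N is rejected outright, so a truncated or padded FR is never
    half-applied to the table."""
    if len(buf) < HEADER.size:
        raise ValueError("malformed FR")
    kind, bridge_id, n = HEADER.unpack(buf[:HEADER.size])
    entry_len = 7 if kind == FR_RESPONSE else 6
    body = buf[HEADER.size:]
    if kind not in (FR_REQUEST, FR_RESPONSE) or len(body) != n * entry_len:
        raise ValueError("malformed FR")
    entries = []
    for i in range(n):
        chunk = body[i * entry_len:(i + 1) * entry_len]
        entries.append((_bytes_to_mac(chunk[:6]), chunk[6] if kind == FR_RESPONSE else None))
    return kind, bridge_id, entries


def collect_unauthenticated(table, n):
    """Step 110: pick up to N entries still marked "No". Entries learned from a
    bridge port carry "N/A" and are never sent for authentication."""
    return [mac for mac, row in table.items() if row["authenticated"] == "No"][:n]


def serve_request(buf, valid_macs):
    """Authenticator plus network server NS: look each MAC up in database DB
    (modelled as the set valid_macs) and return frame FR with the flags set."""
    kind, bridge_id, entries = parse_frame(buf)
    if kind != FR_REQUEST:
        raise ValueError("expected a request")
    flagged = [(mac, FLAG_RELIABLE if mac in valid_macs else FLAG_UNRELIABLE) for mac, _ in entries]
    return build_response(bridge_id, flagged)


def apply_response(table, buf, own_bridge_id):
    """Steps 120 to 140: "Yes" for reliable addresses, drop unreliable entries.
    A response carrying another bridge's ID is rejected (an assumed check)."""
    kind, bridge_id, entries = parse_frame(buf)
    if kind != FR_RESPONSE or bridge_id != own_bridge_id:
        raise ValueError("response not addressed to this bridge")
    for mac, flag in entries:
        if mac not in table:
            continue  # entry aged out or was overwritten while the request was pending
        if flag == FLAG_RELIABLE:
            table[mac]["authenticated"] = "Yes"  # step 130
        else:
            del table[mac]                       # step 140: free the slot
    return table


def run_exchange(table, valid_macs, bridge_id, n):
    """One round of method 100 for a requester bridge holding the given table."""
    request = build_request(bridge_id, collect_unauthenticated(table, n))
    response = serve_request(request, valid_macs)
    return apply_response(table, response, bridge_id)


def example_table():
    """Constructed forwarding table of bridge B0 in the layout of Table 3."""
    return {
        "00:11:22:33:44:01": {"port": "0.1", "port_type": "user", "timestamp": 1, "authenticated": "No"},
        "00:11:22:33:44:02": {"port": "0.3", "port_type": "user", "timestamp": 2, "authenticated": "No"},
        "02:de:ad:be:ef:03": {"port": "0.3", "port_type": "user", "timestamp": 3, "authenticated": "No"},
        "00:11:22:33:44:09": {"port": "0.0", "port_type": "bridge", "timestamp": 4, "authenticated": "N/A"},
    }


if __name__ == "__main__":
    valid = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:09"}
    print(run_exchange(example_table(), valid, bridge_id=0, n=4))
```

Running the example with the constructed table marks the two addresses present in DB as "Yes", removes the entry for 02:de:ad:be:ef:03, and leaves the bridge-port entry at "N/A" untouched. One caveat the patent text does not address: as described, FR carries no integrity protection, so any node able to inject frames on the path between requester and authenticator could answer a request with flags of its choosing; the bridge ID check above only filters misdirected responses, and a deployment would need a request identifier bound to each response or an authenticated link between the bridges.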
Fig. 4 illustrates a method 200 of operating a bridge node according to the preferred embodiment. Method 200 is preferably performed by multiple bridges in system 10, although in some instances some bridges may not perform it. By way of example, method 200 may be implemented in a bridge as a computer program comprising sufficient hardware, software and data to carry out the following steps. Method 200 begins with start step 210, which indicates that the bridge has begun parallel methods, shown generally as step 220 and step 230. Specifically, one of these methods, shown as step 220 on the left side of Fig. 4, is the method 100 of Fig. 3. Step 220 of Fig. 4 is therefore intended to represent method 100, which is preferably performed continuously by the bridge in question, while the independent method 230, shown generally to the right of method 220, is performed at the same time. In other words, while method 230 is being performed, method 220 is also being performed, and method 220 performs the method 100 of Fig. 3. Accordingly, the bridge's forwarding table is monitored over time: the reliability of up to N MAC addresses is checked at a time, addresses identified as reliable are marked, and addresses identified as unreliable are designated invalid, removed and/or overwritten with newly received addresses. Method 230, which generally runs during the same period, is described in detail below.
Method 230 (the parallel method within method 200) begins in the wait state shown as step 240. Specifically, step 240 continues until the bridge in question receives a frame. For the discussion of method 230, unless otherwise noted, the frame under discussion is a frame of the general type used in Ethernet, containing a source address, a destination address and some kind of other data. In the prior art, when such a frame is received, its source address is typically added to the receiving bridge's MAC address forwarding table together with the port on which the frame was received, and those values are later used to route traffic back to that address when it appears as a destination address. In contrast, the preferred embodiment, operating in this same environment, applies certain conditions that reduce the possibility of the bridge filling its MAC address forwarding table with unknown (or illegitimate) MAC addresses. Continuing the same example as above, suppose that bridge B0 performs method 200 and its parallel methods. Bridge B0 therefore waits for a frame from any LAN LN0, from subscriber stations US1, US2 or US8, or from any other node connected to one of its ports (including by way of bridge B1). Once a frame is received, method 230 proceeds from step 240 to step 250.
In step 250, a condition is applied that first determines whether the MAC address of the currently received frame may be stored in the bridge's MAC address forwarding table; note that this condition is based on the port that received the frame. Specifically, in step 250 the bridge that received the current frame determines whether the source MAC address in the current frame was already received in another frame on the same port and stored in the forwarding table. In other words, step 250 determines whether the source MAC address of the current frame is unique with respect to the other source MAC addresses in the forwarding table for the same port on which the current frame was received. If a frame with such a duplicate source address was already received on the same port and stored in the table, method 230 returns from step 250 to step 240 to wait for the next frame. Likewise, although it is not discussed here so as to concentrate on aspects of the preferred embodiment, according to the prior art the received frame may be forwarded to its destination if it has a valid, authenticated source address and destination address. However, according to step 250, if no frame with this known source address was received on the same port and stored in the table, method 230 proceeds from step 250 to step 260.
Step 260 introduces a concept, namely a time window, denoted T_W in this document, which becomes another condition that may be applied in determining whether the MAC address of the currently received frame may be stored in the bridge's MAC address forwarding table; note that this condition is also based on the port that received the frame. One of ordinary skill in the art can set the duration of time window T_W, and, as described later, the duration of T_W may differ between bridges, between the ports of a single bridge, and even between times of day for a given bridge or port. In any case, in step 260, a bridge that has received on a port a current frame whose source address was not previously stored in its MAC address forwarding table determines, for the port that received the current frame, the number of frames received on that same port and stored in the forwarding table within T_W; this number is abbreviated NFPT_W in this document ("N" for number, "F" for frame, "P" for same port, and "T_W" for the elapsed time window T_W). In this regard, returning once more to Table 3, recall that another entry there is the port that received each corresponding frame, shown in that single example as port ID 0.1. Thus, assuming Table 3 holds a large number of entries, step 260 examines the time stamps to determine how many other frames with unique source addresses were received on the same port and stored in the table, the result being the value NFPT_W, where a time stamp counts if it lies within the elapsed duration T_W relative to the arrival time of the currently received frame. Method 230 then proceeds from step 260 to step 270.
In step 270, the bridge compares NFPT_W with a threshold designated THRFPT_W. This provides a more effective measure of whether an unacceptable, and possibly suspicious, number of frames has been received on the same port during T_W, given that, by the preceding determination in step 250, those frames carry addresses that are unique relative to one another. In other words, threshold THRFPT_W is set to a value at which this suspicious situation is deemed to occur. As a result, in step 270, if the number of frames reflected by NFPT_W, received on the same port within time T_W and having addresses that are unique relative to one another (as detected in step 250), exceeds threshold THRFPT_W, then the bridge port in question is very likely being maliciously flooded with frames carrying unreliable addresses. Therefore, if NFPT_W exceeds threshold THRFPT_W, method 230 returns from step 270 to step 240 to wait for the next frame. Note, then, that when this suspicious event has occurred, a frame received in the immediately following step 240 and processed through steps 250, 260 and 270 causes no new write to the bridge's MAC address forwarding table, and the frame's address is likewise broadcast to the network. The frame therefore does not significantly affect the bridge. Moreover, if other frames with the same suspicious attributes are received within T_W, they are handled in the same way, so that each frame's effect on the receiving bridge is minimized and the possibility that these frames flood the bridge is correspondingly reduced.
Step 280 is reached only when NFPT_W does not exceed THRFPT_W. In this step, the bridge writes various data about the currently received frame into its MAC address forwarding table, consistent with the descriptors shown in Table 3. Thus the MAC address is written according to the frame, together with the port ID, the port type and the time stamp at which the current frame was received. Finally, the authenticated MAC address indicator is set to a value indicating that the address has not yet been authenticated, so that the parallel method 100 can at some later time attempt to authenticate the entry and change that value (or, if it determines that the MAC address is unreliable, remove the entire entry). Method 230 then returns flow to step 240 to wait for the next received frame, at which point method 230 proceeds for that frame according to the preceding description.
From the foregoing, aspects of the preferred embodiment can be described further by considering an example in which system 10 has been running for some time and bridge B0 has further expanded its MAC address forwarding table. In this example, assume that Table 3 has been extended to include the additional entries shown in Table 4 below, and that during the additional time spent receiving frames and adding them to Table 3, the first entry, MAC address A at T1, has been determined to be reliable, as shown in the fifth column of Table 4, which, unlike the same item in Table 3, is now designated "Yes":
MAC address   Port ID   Port type   Time stamp   Authenticated?
A             0.1       User        T1           Yes
B             0.3       User        T2           Yes
C             0.4       User        T3           No
D             0.4       User        T4           Yes
E             0.4       User        T5           Yes
F             0.2       User        T6           No
G             0.0       Network     T7           N/A
Table 4
Using Table 4 and following the steps of method 200, several examples are instructive; they are examined below, and one of ordinary skill in the art can conceive of many others.
Consider a first example based on Table 4, in which bridge B0 receives at its port BP0.1 a frame with source MAC address A arriving at time T8, after time T7. Under step 250, note that a frame with source MAC address A was already received at the same port (BP0.1), successfully learned and stored in the table, as shown in the first row of Table 4. As a result, the MAC address of the currently received frame is not unique relative to the entries stored in the table for the same port; bridge B0 therefore does not create another entry in its MAC address forwarding table, and the method flow instead returns to step 240.
Consider a second example based on Table 4, in which bridge B0 receives at its port BP0.3 a frame from a subscriber station with source MAC address A arriving at time T9, after time T7, and again assume that T_W is greater than the time between T1 and T9. Under step 250, note that although the same MAC address was received at time T1, it was received on a port different from the one receiving the current frame. Flow therefore proceeds to steps 260 and 270. Then, assuming that the number of frames received at port BP0.3 during the elapsed T_W is less than or equal to the threshold for that port (THRFPT_W), this latest frame is added to Table 4, as reflected in Table 5 below. Note that this unauthenticated MAC address is not used for forwarding frames until it has been authenticated. If that authentication succeeds, the new entry in the eighth row of Table 5 can be updated to change its authentication indication from "No" to "Yes".
MAC address   Port ID   Port type   Time stamp   Authenticated?
A             0.1       User        T1           Yes
B             0.3       User        T2           Yes
C             0.4       User        T3           No
D             0.4       User        T4           Yes
E             0.4       User        T5           Yes
F             0.2       User        T6           No
G             0.0       Network     T7           N/A
A             0.3       User        T8           No
Table 5
Consider a third example based on Table 4, in which bridge B0 receives at its port BP0.4 a frame with source MAC address H arriving at time T10, after time T7, and again assume that T_W is greater than the time between T1 and T10. Under step 250, this MAC address is unique relative to the MAC addresses in the forwarding table, so flow proceeds to steps 260 and 270. In this case, however, assume that THRFPT_W equals 2, even though such a value would be unrealistically low in practice. In step 260, NFPT_W is determined, namely the number of frames stored in bridge B0's MAC address forwarding table that were received on the same port, BP0.4, as the current frame. From Table 4, that number equals 3 (the three MAC addresses C, D and E, received at times T3, T4 and T5, all at port BP0.4). As a result, because the value of NFPT_W is greater than the value of THRFPT_W, step 270 yields an affirmative answer. Hence, because this frame was received during the elapsed T_W on the same port that received the other frames, the newly received frame with its unique MAC address is in effect regarded as increasing a risk borne by the bridge. The MAC address information from the frame is therefore not stored in the bridge's MAC address forwarding table, and flow returns to step 240 to wait for the next frame.
Having described the parallel methods of method 200 of Fig. 4 and presented the foregoing examples, several observations can now be made about the preferred embodiment and comparisons drawn with the prior art. Examples of these observations are discussed in turn below.
As a first observation, consider a situation in which a bridge performing method 200 receives a very large number of frames, each with an unauthenticated source MAC address, most likely sent in order to flood or even overwhelm the bridge. As noted above, a prior-art bridge would accept these frames until its memory is completely full and would thereafter begin broadcasting, greatly increasing the bridge's burden and disrupting traffic on the network. In the preferred embodiment, by contrast, the effect of such frames on the bridge is limited on a per-port basis and over a time window. In effect, if a very large number of frames with unique addresses is received within time window T_W, step 270 prevents those frames from being stored in the table, and they are broadcast on every port. The bridge's entire memory therefore cannot be flooded, and some portion of its table memory is in effect retained for MAC addresses received on other ports, all of which is achieved by adjusting the values of T_W and THRFPT_W.
As another observation about the preferred embodiment, method 230 illustrates a single threshold THRFPT_W beyond which frames are not recorded. Note, however, that multiple thresholds may be adopted, each producing a less severe response. For example, a first, lower threshold THRFPT1_W may be set such that once NFPT_W exceeds it, the bridge reduces the rate at which it accepts frames on the corresponding port, which likewise reduces the possibility of flooding the bridge, and if NFPT_W exceeds a second, higher threshold THRFPT2_W, the frames are dropped altogether. Likewise, for one or both thresholds, when NFPT_W reaches the threshold, another preferred embodiment sends a warning or indication to the network administrator so that the cause of the surge in unique MAC addresses received at a single bridge port can be investigated further. In any case, in the preferred embodiment, a first group of unique addresses arriving at the same port within the set time receives a first treatment by the forwarding table memory, while as the number of frames grows, the later-received frames with unique addresses receive a second, different treatment. As the examples show, this varied treatment may be dropping the later frames, reducing the rate at which such frames are accepted, and/or issuing an alarm or indication of the condition to the network administrator, and so on. Other treatments can be determined by one of ordinary skill in the art.
As a further observation about the preferred embodiment, note the advantage of T_W working in parallel with method 100. In particular, as T_W elapses over time, method 100 can identify the various reliable MAC addresses in the MAC address forwarding table while also identifying the unreliable addresses in the table, removing those unreliable addresses from memory (or allowing them to be overwritten). Thus, as T_W elapses, memory can be freed to hold newly received frames with unique addresses, a result that arises because some addresses are marked unreliable and the later NFPT_W value for the port receiving those addresses is reduced. With a reduced NFPT_W, step 270 more often yields a negative answer, so that other MAC addresses received on the same port are likewise stored in the table. Moreover, T_W may be set to a desired value based on the notion that during T_W some memory space should be filled with unauthenticated addresses while other unauthenticated addresses are removed from that same memory space. Note further that if T_W elapses during a period in which the bridge port is not being flooded with frames, there is sufficient time to authenticate the stored MAC addresses, so that most likely only legitimate MAC addresses remain in the MAC address forwarding table, leaving the remaining memory space open for later-received MAC addresses.
As a final observation, note that in the preferred embodiment the MAC address forwarding table includes a port type indication, shown by way of example in Table 4, where MAC address G is shown as network type because it arrived at port BP0.0, which is connected to another bridge, bridge B1. In this example the frame is received via an additional network connection rather than directly from a subscriber station, and it can be assumed that the other bridge that received the frame has also performed the method of the preferred embodiment, reducing the possibility that the frame carries an unreliable MAC address. Such MAC addresses, namely those received by one bridge from another bridge, can therefore be regarded as reliable and excluded from the analysis of method 200.
Fig. 5 illustrates a block diagram of a memory space MS, intended as a logical depiction of the memory in which a bridge according to the preferred embodiment stores its MAC address forwarding table; Fig. 5 also shows the effective logical partitioning produced by the method of the preferred embodiment described above. By way of example, memory space MS is drawn to correspond to bridge B0 of Fig. 1. In the preferred embodiment, memory space MS is in effect divided into multiple portions, each storing the source MAC addresses of frames received at one port of the bridge that maintains the memory. Thus, in the example of bridge B0 with its five ports BP0.0 to BP0.4, memory space MS is in effect divided into five storage groups designated GBP0.0 to GBP0.4, corresponding respectively to the MAC addresses received at bridge ports BP0.0 to BP0.4. For purposes of the example, each group GBPx.y is shown with the same or approximately the same size, that is, the same or approximately the same amount of memory. In an actual implementation, one or more groups may differ in size based on various considerations, such as port type; recall that port type is stored by the bridge according to the preferred embodiment and is shown by way of example in Table 3 above. Moreover, as shown, the individual memory space for a given group GBPx.y need not be contiguous, so Fig. 5 is intended only as a logical depiction of the approach.
The illustration of memory space MS in Fig. 5 helps in understanding further aspects of the preferred embodiment, both in combination with the foregoing and in relation to further aspects discussed below in connection with Fig. 6. Recall that a bridge according to the preferred embodiment, on receiving a frame, stores its corresponding source MAC address if and only if one or more conditions are satisfied, and that those conditions are associated with the port that received the frame (and its source MAC address). Referring to Fig. 5, then, it logically depicts that each bridge port in effect has a roughly finite storage space available to it within memory space MS, where the per-port THRFPT_W value is set to prevent the bridge from storing addresses that, arriving from one port, would consume an unusually large amount of memory space MS relative to the number of addresses received and stored at the bridge's other ports. In other words, because each port has its own conditions, associated with that port and with an appropriately set THRFPT_W, when this preferred method is performed the storage of MAC addresses in memory space MS based on frames received at one port is independent of the frames received at other ports of the same bridge. In the prior art, by contrast, MAC addresses in frames received at one port may prevent MAC addresses in frames received at other ports of the same bridge from being stored. Specifically, in the prior art, if one port is flooded with frames, the entire forwarding table memory can be filled, preventing addresses received at the other ports of the same bridge from being stored, so that the storage of MAC addresses received at one port is in fact affected by frames received at other ports. In the preferred embodiment, however, by associating conditions with each port, the bridge in effect does not allow the storage of MAC addresses from one port to flood the entire memory space MS. In addition, within each GBP the memory is further logically partitioned to hold the MAC addresses learned during the authentication process, that is, both unauthenticated and authenticated MAC addresses. Unauthenticated MAC addresses may come from the same physical port as authenticated MAC addresses. Authenticated frames, however, may pass through the logically uncontrolled port. Unauthenticated MAC addresses are therefore learned from the uncontrolled part of the port and are not used in the forwarding process. Moreover, the unauthenticated part of a GBP should not influence the bridge's forwarding decisions.
Fig. 6 illustrates a method 200' of an alternative embodiment, intended to describe the use of the same steps as method 200 of Fig. 4; only some steps are shown, to simplify the figure, and it will be understood from the foregoing method 200 that the other steps are included as well. In addition, Fig. 6 includes a step 255 between step 250 and step 260. Thus, after step 250 yields a negative answer and before step 260 is reached, step 255 is reached. In step 255, the bridge (for example B0) compares another value with another threshold, where this value is the number of unauthenticated addresses stored in memory space MS for the corresponding port, designated here NUNAP ("N" for number, "UN" for unauthenticated, "A" for address and "P" for port). The threshold used for the comparison is designated THRUNAP. If NUNAP exceeds threshold THRUNAP, method 200' does not proceed to step 260 but returns to step 240 to wait for another frame. In that case, therefore, it cannot ultimately advance to step 280, the step in which the source MAC address of the received frame would be stored in the forwarding table. Conversely, if NUNAP does not exceed threshold THRUNAP, method 200' proceeds to step 260 and continues the flow according to method 200 as described above; the reader may refer to the earlier discussion for details.
Turning to the effect of adding step 255 to method 200' of Fig. 6, that effect can be understood with reference to the exemplary network system 10 of Fig. 1 and in combination with memory space MS of Fig. 5. Consider bridge B0 once more, and recall that the preferred embodiment in effect applies conditions on a per-port basis, where those conditions determine whether a source MAC address in a frame received at a given port is placed in the forwarding table. In this way the preferred embodiment effectively limits an attack attempted against a single port of the bridge, leaving the bridge's other resources (for example, the other parts of memory space MS) for the other ports. It should also be appreciated, however, that this situation can arise when multiple users are connected to a single port, for example at bridge port BP0.2, which is connected via LAN LN0 to multiple users (subscriber stations US3, US4 and US5). With a LAN or another such shared connection (for example a hub), note that only one of the several users connected to a port may be a bad actor attempting to flood that port with a large number of frames carrying correspondingly different source MAC addresses. In effect, the malicious subscriber station might then use the entire storage group GBP of Fig. 5 for that port. For example, subscriber station US3 might flood port BP0.2, consuming a large part of group GBP0.2. As a result of that action, little or no space would be left for the source MAC addresses from subscriber stations US4 and US5, which are likely reliable. Returning, then, to step 255 of method 200', note that it in effect now reserves some space in memory space MS for authenticated MAC addresses. In other words, if an unusually large number of currently unauthenticated MAC addresses is already stored in the forwarding table's memory space MS, further source addresses are prevented from being written to memory space MS. Thus, once threshold THRUNAP is reached, no further source addresses are written, so one of ordinary skill in the art can set the threshold to leave, in the physical memory used for storage, sufficient space to store authenticated addresses. Note further that if a destructive station attacks a port through a multi-station connection to that port (for example, via a shared transmission medium), any negative effect of that attack is confined to the resources allocated to the connected port rather than to the whole bridge. Compared with the prior art, therefore, the likelihood of preventing an attack on a single port from disrupting the entire bridge is higher.
The addition of step 255 can be understood further by considering two examples that extend the foregoing example, in which subscriber station US3 attempts to flood port BP0.2 while subscriber stations US4 and US5 attempt to provide reliable addresses to it. In the first example, assume that the flooding station sends its unreliable addresses to port BP0.2 before subscriber stations US4 and US5 send their reliable addresses to the same port. In that case, if NUNAP has exceeded THRUNAP when a frame with a reliable address from US4 or US5 is received, bridge B0 might discard that frame. Recall, however, the parallel method within method 200 (or method 200'): by the time step 255 is reached for the frame with the reliable address, NUNAP may already have been reduced by the parallel authentication method 100. If so, method 200' advances beyond step 255 for the frame with the reliable address, and that frame's source MAC address can then be stored in the forwarding table's memory space MS. Once that address itself has been authenticated, subscriber station US3 cannot overwrite it with further flooding. In the second example, if frames with reliable addresses from US4 or US5 are sent to bridge B0 before the flooding attempt from US3, step 255 passes flow on to step 260, because until such a frame is received the number of unauthenticated addresses for the port (NUNAP) is zero and thus below threshold THRUNAP. In either the first or the second example, therefore, additional protection is provided for reliable source MAC addresses, improving the possibility that those addresses are written to the forwarding table (and that later-received frames can then be forwarded based on those reliable addresses).
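The per-port learning logic of method 230 (steps 250 to 280), the Table 4 examples, step 255 of method 200' and the purge performed by method 100 in step 140, worked through in one added example; this is illustrative code written for this page, not the patent's own implementation. It assumes integer time stamps (T1 is 1, T2 is 2, and so on), that a "network" port type is exempt from the per-port analysis, and threshold values chosen only to reproduce the page's examples; the flooding addresses X1 to X3 and the reliable address R are constructed.

```python
"""Per-port MAC learning guard modelled on method 200' (steps 240-280 with
step 255) plus the authenticate/purge outcome of the parallel method 100.
Added example, not the patent's code.  Time stamps are integers (T1 -> 1),
T_W/THRFPT_W/THRUNAP values are assumed, and addresses X1..X3 and R are
constructed test data.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Entry:
    """One row of the forwarding table, with the columns of Table 3/4."""
    mac: str
    port: str
    port_type: str
    ts: int
    authenticated: bool | None   # None = "N/A", an address relayed by another bridge


@dataclass(frozen=True)
class PortPolicy:
    t_w: int        # time window T_W
    thrfpt_w: int   # THRFPT_W: frames with unique addresses allowed per port within T_W
    thrunap: int    # THRUNAP: unauthenticated addresses allowed to be stored per port


class Bridge:
    def __init__(self, default: PortPolicy, per_port: dict[str, PortPolicy] | None = None):
        self.table: list[Entry] = []
        self.default = default
        self.per_port = per_port or {}   # claims 2 and 4: T_W and thresholds may differ per port

    def policy(self, port: str) -> PortPolicy:
        return self.per_port.get(port, self.default)

    def nfpt_w(self, port: str, now: int) -> int:
        """Step 260: entries stored for this port whose time stamp lies within T_W of now."""
        t_w = self.policy(port).t_w
        return sum(1 for e in self.table if e.port == port and 0 <= now - e.ts <= t_w)

    def nunap(self, port: str) -> int:
        """Step 255: unauthenticated entries currently stored for this port."""
        return sum(1 for e in self.table if e.port == port and e.authenticated is False)

    def receive(self, mac: str, port: str, port_type: str, ts: int) -> str:
        """Steps 240-280 for one received frame; the return value labels the outcome."""
        if port_type == "network":
            # Addresses learned from another bridge are treated as reliable and
            # excluded from the per-port analysis (the "N/A" rows of Table 4).
            self.table.append(Entry(mac, port, port_type, ts, None))
            return "stored-network"
        # Step 250: was this source address already learned on the same port?
        if any(e.mac == mac and e.port == port for e in self.table):
            return "duplicate"
        pol = self.policy(port)
        # Step 255 (method 200'): too many unauthenticated addresses held for this port?
        if self.nunap(port) > pol.thrunap:
            return "rejected-unauth-limit"
        # Steps 260/270: too many unique-address frames on this port within T_W?
        if self.nfpt_w(port, ts) > pol.thrfpt_w:
            return "rejected-window-limit"
        # Step 280: store the row with the authenticated indicator set to "not yet".
        self.table.append(Entry(mac, port, port_type, ts, False))
        return "stored"

    def authenticate(self, mac: str, port: str, reliable: bool) -> None:
        """Outcome of parallel method 100: mark the entry reliable, or purge it (step 140)."""
        for e in list(self.table):
            if e.mac == mac and e.port == port:
                if reliable:
                    e.authenticated = True
                else:
                    self.table.remove(e)   # frees the slot for later addresses


def table4_bridge() -> Bridge:
    """Bridge B0 preloaded with the rows of Table 4; policy values are assumed."""
    b = Bridge(default=PortPolicy(t_w=100, thrfpt_w=2, thrunap=10),
               per_port={"0.2": PortPolicy(t_w=100, thrfpt_w=5, thrunap=2)})
    for mac, port, ptype, ts, auth in [
        ("A", "0.1", "user", 1, True), ("B", "0.3", "user", 2, True),
        ("C", "0.4", "user", 3, False), ("D", "0.4", "user", 4, True),
        ("E", "0.4", "user", 5, True), ("F", "0.2", "user", 6, False),
        ("G", "0.0", "network", 7, None),
    ]:
        b.table.append(Entry(mac, port, ptype, ts, auth))
    return b


def run_examples() -> dict[str, str]:
    """The three Table 4 examples, then the step 255 scenario on port BP0.2."""
    b = table4_bridge()
    out = {
        "ex1_A_on_0.1_at_T8": b.receive("A", "0.1", "user", 8),
        "ex2_A_on_0.3_at_T9": b.receive("A", "0.3", "user", 9),
        "ex3_H_on_0.4_at_T10": b.receive("H", "0.4", "user", 10),
    }
    # US3 floods port 0.2 with constructed addresses X1..X3 while F is still unauthenticated.
    for i, ts in enumerate((11, 12, 13), start=1):
        out[f"flood_X{i}"] = b.receive(f"X{i}", "0.2", "user", ts)
    out["US4_R_before_purge"] = b.receive("R", "0.2", "user", 14)
    # Method 100 finds F and X1 unreliable and purges them (step 140), lowering NUNAP.
    b.authenticate("F", "0.2", reliable=False)
    b.authenticate("X1", "0.2", reliable=False)
    out["US4_R_after_purge"] = b.receive("R", "0.2", "user", 15)
    b.authenticate("R", "0.2", reliable=True)   # R can no longer be overwritten by flooding
    return out
```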
From the above description, one of ordinary skill in the art should recognize that the preferred embodiments provide a network with MAC table overflow protection. Relative to the prior art, the preferred embodiments offer numerous advantages, some of which have been described in detail above, and one of ordinary skill in the art can identify others. As a further advantage, although the preferred embodiments have been described in detail, various substitutions, modifications or changes can be made to the foregoing description without departing from the inventive scope. For example, the manner of determining the reliability of the frames discussed in step 110 of method 100 of Fig. 3 can be changed so that it is distributed locally to each bridge rather than relying on a central network server NS and database DB. In this variation, the bridge compares the MAC address of the subscriber station it received against a cached authenticated/reliable MAC table retained at the bridge. As another example, T_W and THRFPT_W can be set flexibly according to a specific port profile. One instance of such a setting is the start of the business day: because many computers may be started at the beginning of the workday, the number of unique MAC addresses for a port can be expected to be higher at the start of the workday and to decrease thereafter, presenting new (for that day) MAC addresses to the bridge. To accommodate this expectation, THRFPT_W can be set to a higher value in the morning. Depending on the port identity, T_W and THRFPT_W can be set dynamically so that the possibility of a client's MAC address becoming valid again is kept within an acceptable range. Indeed, note that in alternative embodiments T_W, THRFPT_W, or both T_W and THRFPT_W may differ between ports of the same bridge or of different bridges, adding flexibility over time in storing frames with unique addresses in the table for those ports. As another example, the preferred embodiment can be applied to networks other than Ethernet. As a further example, although the foregoing discussion has detailed various methods provided by the bridge, it should be appreciated that these methods can be combined with other methods provided by the bridge now or in the future. These examples thus also illustrate the inventive scope and its advantages, which reduce the possibility of MAC address table overflow. Accordingly, the description of these advantages and the foregoing also serve to exemplify the inventive scope as defined by the following claims.

Claims (10)

1. the method for the bridge in the operating network system, described bridge comprises a plurality of ports, described method comprises:
A port in described a plurality of ports, from described network system and the equipment that is different from described bridge receive a frame, described frame comprises source network address;
At least one condition that is associated with described port is responded,, just described source address is stored in the transmitting of being associated with described bridge if satisfy described at least one condition; And
Wherein said at least one condition comprises whether described frame is at time window T WIn respective sources that receive and these frames the network address whether be stored in the described table described time window T WBe about receive the time window of the time of threshold number purpose previous frame in described port.
2. method according to claim 1:
Each port in wherein said a plurality of port all has the thresholding number that is associated; And
Wherein the thresholding number that is associated with a port in described a plurality of ports is different from the thresholding number that is associated with another port in described a plurality of ports.
3. method according to claim 1 also is included in the different described time window T that constantly adjust W
4. method according to claim 1:
Each port in wherein said a plurality of port all has the time window T that is associated WAnd
The time window T that is associated with a port in described a plurality of ports wherein WOn the duration, be different from the time window T that is associated with another port in described a plurality of ports W
5. method according to claim 1 comprises that also described bridge determines whether the multiple source address in described the transmitting is reliable.
6. method according to claim 5 also comprises the steps: in response to described determining step
Each source address provides a reliable indication in order to be defined as reliably in the described table in described table; And
Allow to cover in the described table and be defined as insecure each source address.
7. method according to claim 6, wherein said at least one condition comprise also whether the number of the source address that has unreliable indication in the described table surpasses thresholding.
8. method according to claim 5, also comprise in response to described at least one condition that is associated with described port, one group of parameter that storage is associated with described frame, the identifier that described this group parameter comprises the identifier of described port and receives the time of described frame.
9. method according to claim 8, wherein said parameter also comprise described port type indication and show the designator of whether determining the reliability of described source address.
10. the bridge in the network system, described bridge comprises:
A plurality of ports, wherein with each port operation for from described network system and the equipment that is different from described bridge receive a frame, described frame comprises source network address; And
Circuit, whether be different from each and any source address that before in corresponding frame, had received that has been stored in described the transmitting in described port according to described source address, be used for when satisfying at least one condition, described source address is stored in the transmitting of being associated with described bridge.
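The learning rule of claim 1 (a per-port budget of THRFPT_W newly learned addresses per window T_W), the reliable/unreliable marking and overwrite rule of claims 5 to 7, the per-frame parameters of claims 8 and 9, and the run-time adjustment of T_W and THRFPT_W described at the end of the specification are all exercised by the following toy bridge. It is an added example written for this page, not code from the patent or from Alcatel. The patent names only T_W and THRFPT_W; the class names (Bridge, PortPolicy, Entry), the learn_log, the unreliable_limit value of half the table capacity, and the local authenticated-MAC cache used in place of the server NS and database DB are this example's own assumptions, and every frame and MAC address in it is constructed. The flood scenario mimics what a CAM-flooding tool does: a burst of frames with distinct source MACs from one port.

```python
"""Added example, not code from the patent or from Alcatel: a toy Ethernet
bridge whose MAC learning follows the claimed conditions.  Class and
attribute names (Bridge, PortPolicy, Entry, learn_log, unreliable_limit)
are this example's own; the patent only names T_W and THRFPT_W.  All
frames and addresses below are constructed."""
from dataclasses import dataclass


@dataclass
class PortPolicy:
    t_w: float            # time window T_W, in seconds
    thrfpt_w: int         # THRFPT_W: new addresses allowed per window on the port
    port_type: str = "access"


@dataclass
class Entry:
    """Forwarding-table record carrying the claim 8/9 parameters."""
    port: int
    learned_at: float
    port_type: str
    reliable: bool        # claim 6 indication, set from the bridge's local authenticated-MAC cache


class Bridge:
    def __init__(self, capacity, policies, trusted=frozenset()):
        self.capacity = capacity
        self.policies = policies                     # port -> PortPolicy (claims 2 and 4)
        self.trusted = frozenset(trusted)            # locally cached authenticated MACs (assumed)
        self.table = {}                              # MAC -> Entry: the forwarding table
        self.learn_log = {p: [] for p in policies}   # per-port timestamps of learns
        self.unreliable_limit = capacity // 2        # claim 7 threshold; assumed value

    def set_policy(self, port, policy):
        """Claim 3: T_W / THRFPT_W may change at run time, e.g. a larger
        THRFPT_W at the start of the working day."""
        self.policies[port] = policy

    def _window_exhausted(self, port, now):
        """Claim 1 condition: THRFPT_W addresses were already learned on this
        port within the last T_W seconds."""
        pol = self.policies[port]
        log = self.learn_log[port]
        log[:] = [t for t in log if now - t < pol.t_w]   # forget learns older than T_W
        return len(log) >= pol.thrfpt_w

    def receive(self, port, src_mac, now):
        """Process one frame; return True if src_mac is in the table afterwards."""
        if src_mac in self.table:                    # known address: refresh only
            self.table[src_mac].learned_at = now
            return True
        if self._window_exhausted(port, now):       # per-port learning budget spent
            return False
        reliable = src_mac in self.trusted
        unreliable = sum(1 for e in self.table.values() if not e.reliable)
        if not reliable and unreliable >= self.unreliable_limit:
            return False                             # claim 7: too many unverified entries
        if len(self.table) >= self.capacity:
            # claim 6: only an entry marked unreliable may be overwritten
            victim = next((m for m, e in self.table.items() if not e.reliable), None)
            if victim is None:
                return False
            del self.table[victim]
        self.table[src_mac] = Entry(port, now, self.policies[port].port_type, reliable)
        self.learn_log[port].append(now)
        return True


def simulate_flood(bridge, attacker_port, n_frames, host_port, host_mac):
    """Constructed attack: n_frames with distinct source MACs in one burst from
    attacker_port, then one frame from a legitimate host on host_port.
    Returns (number of attacker MACs learned, whether the host was learned)."""
    learned = 0
    for i in range(n_frames):
        mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        if bridge.receive(attacker_port, mac, now=0.001 * i):
            learned += 1
    host_ok = bridge.receive(host_port, host_mac, now=0.001 * n_frames + 1.0)
    return learned, host_ok


if __name__ == "__main__":
    b = Bridge(capacity=8,
               policies={1: PortPolicy(10.0, 3), 2: PortPolicy(10.0, 3)},
               trusted={"00:11:22:33:44:55"})
    print(simulate_flood(b, 1, 1000, 2, "00:11:22:33:44:55"))   # (3, True)
```

With a budget of three learns per ten-second window, a thousand-frame burst leaves only three attacker entries in the table and the legitimate host on the other port is still learned; once the window has expired the port may learn again, and the claim 7 limit then stops unverified entries from taking more than half of the table. The caveat a practitioner will want: the rule limits how fast the table fills, it does not stop the attacker's frames themselves, and frames addressed to MACs that were never learned are still flooded, so the rate limit should be paired with a per-port maximum of learned addresses of the kind that switch port-security features provide.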

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US61933004P 2004-10-15 2004-10-15
US60/619,330 2004-10-15
US11/229,114 2005-09-16

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201410464353.7A Division CN104243472A (en) 2004-10-15 2005-10-13 Network with MAC table overflow protection

Publications (1)

Publication Number Publication Date
CN1822565A true CN1822565A (en) 2006-08-23

Family

ID=36923637

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2005101083695A Pending CN1822565A (en) 2004-10-15 2005-10-13 Network with MAC table overflow protection

Country Status (1)

Country Link
CN (1) CN1822565A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101911648A (en) * 2008-01-11 2010-12-08 阿尔卡特朗讯公司 Facilitating defense against MAC table overflow attacks
CN101911648B (en) * 2008-01-11 2013-10-16 阿尔卡特朗讯公司 Method for facilitating defense against MAC table overflow attacks and Ethernet exchanger
CN102164091A (en) * 2011-05-13 2011-08-24 北京星网锐捷网络技术有限公司 Method for building MAC (Media Access Control) address table and provider edge device
CN102164091B (en) * 2011-05-13 2015-01-21 北京星网锐捷网络技术有限公司 Method for building MAC (Media Access Control) address table and provider edge device
CN103595638A (en) * 2013-11-04 2014-02-19 北京星网锐捷网络技术有限公司 Method and device for MAC address learning
CN103595638B (en) * 2013-11-04 2016-09-28 北京星网锐捷网络技术有限公司 MAC address learning method and device
CN115334046A (en) * 2022-07-04 2022-11-11 超聚变数字技术有限公司 MAC address deleting method and device
CN115334046B (en) * 2022-07-04 2023-09-01 超聚变数字技术有限公司 MAC address deleting method and device

Similar Documents

Publication Publication Date Title
CN104243472A (en) Network with MAC table overflow protection
CN111010376B (en) Master-slave chain-based Internet of things authentication system and method
US9729655B2 (en) Managing transfer of data in a data network
CN103460648B (en) Methods and systems for screening Diameter messages within a Diameter signaling router (DSR)
US20190116114A1 (en) Packet forwarding method and apparatus
CN1938982B (en) Method and apparatus for preventing network attacks by authenticating internet control message protocol packets
CN101741855B (en) Maintenance method of address resolution protocol cache list and network equipment
CN1761244A (en) Method for setting up notification function for route selection according to border gateway protocol
CN1333617A (en) MAC address based telecommunication limiting method
CN101313534A (en) Method, apparatus and system implementing VPN configuration service
CN1855874A (en) Bridged network spanning tree abnormality detection
CN1210934C (en) Method for communication network that allows inter-node user mobility
CN110493366A (en) The method and device of network management is added in a kind of access point
CN101540755A (en) Method, system and device for recovering data
CN101635731A (en) Method and equipment for defending MAC address deception attack
CN113709250A (en) Cross-domain user data synchronization method based on subscription sending mode
CN1521993A (en) Network control method and equipment
CN102223422A (en) Domain name system (DNS) message processing method and network safety equipment
CN1822565A (en) Network with MAC table overflow protection
CN112367263B (en) Multicast data message forwarding method and equipment
CN102340511B (en) Safety control method and device
JPWO2004081800A1 (en) Message delivery apparatus and method, system and program thereof
US20070133529A1 (en) Method of providing multicast services in virtual private LAN
EP1388972B1 (en) Multi-layer multicast user management method
CN104601460B (en) Message forwarding method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20060823