Method and apparatus for forwarding data packets using aggregating router keys

Abstract

Method and apparatus for supporting the forwarding of received data packets in a router (402,702) of a packet- switched network. A forwarding table (706a) is configured in the router based on aggregating router keys and associated aggregation related instructions received from a key manager (400,700). Each aggregating router key represents a set of destinations. When a data packet (P) is received comprising an ingress tag derived from a sender key or router key, the ingress tag is matched with entries in the forwarding table. An outgoing port is selected for the packet according to a found matching table entry that further comprises an associated aggregation related instruction. An egress tag is then created according to the aggregation related instruction, and the packet with the created egress tag attached is sent from the selected outgoing port to a next hop router.

Description

technical field [0001] The present invention generally relates to methods and apparatus for supporting the forwarding process of data packets in a public packet-switched network, such as the Internet, such that unwanted data packets can be avoided. Background technique [0002] Packet-based transfer of digitally encoded information between parties over IP (Internet Protocol) networks is used for various communication services such as email messaging, Internet browsing, voice and video telephony, content streaming, gaming, and the like. The digitally encoded information is arranged at the sender into data packets, which are then transmitted over a transmission path to the intended recipient. The delivery path between the sender and receiver can include various networks, switches, gateways, routers, and interfaces. The communicating parties are often referred to as "end hosts" and can be any type of device capable of packet-based IP communications, such as fixed and mobile ph...

AI Technical Summary

Problems solved by technology

[0015] However, more or less sophisticated functionality can be added in the end-host or link layer in order to restrict connections, like filters / firewalls or the like

However, these solutions are "last line of defense" solutions, meaning that the transmission of unwanted data packets can still occupy network resources along the entire sender-receiver path, while the packets are always discarded at the receiver anyway

[0016] Another problem in a communication system with many end-hosts and multiple routers is that if the security solution used does not employ either bit-masking of IP addresses as described above, nor its equivalent to achieve route aggregation, then the routers The forwarding table in will contain a huge number of entries

Such large forwarding table processing can become extremely complex, requiring substantial resources for storage, processing, and communication, which can generally result in undesirable costs and delays

In particular, if cryptographic security mechanisms are introduced in routers, the overhead will become even greater, e.g. due to management of cryptographic keys and / or cryptographic processing, whereby complexity reduction in routers becomes more desirable

Images