Novel method for transferring access control list rules to synchronize security protection in a locator/identifier separation protocol environment with cross‐segment host mobility

Abstract

SummaryExtended access control lists (ACLs) are used to filter packets for network security. However, in current network frameworks, ACL rules are not transferred simultaneously with devices that move across network segments. The Internet Engineering Task Force proposed the Locator/Identifier Separation Protocol (LISP), which enables routers (xTRs) to configure ACL rules for blocking immobile endpoint identifiers (EIDs). However, when an EID moves from the original xTR to a new xTR, the ACL rules at the original xTR cannot be transferred with the EID. Thus, the new xTR lacks the corresponding ACL rules to effectively block the EID, resulting in security risks. The highlights of this study are as follows. First, a method is proposed for dynamically transferring ACL rules in LISP environments and frameworks. Second, the map‐register and map‐notify protocols were combined to encapsulate and transfer the ACL rules and thus obviate an additional process required to transfer these rules. Third, the experimental results verified that the proposed method can be used to achieve synchronized security protection in an LISP environment involving cross‐segment EID movements.