Title:
DISTRIBUTED INTERNET TRAFFIC CONTROL SYSTEM
Document Type and Number:
WIPO Patent Application WO/2006/042424
Kind Code:
A1
Abstract:
A traffic control system is disclosed that allows a robust control of the traffic on the internet. A plurality of control devices (20) is located at a plurality of locations of the internet. Each control device (20) is processing the data packets originating from or addressed to a given IP address according to IP-specific processing rules (28) attributed to the given IP address, e.g. by blocking or logging packets fulfilling certain criteria set down in the processing rules (28). An infrastructure system (20, 111, 114) is provided for receiving the IP-specific processing rules (28) for a given IP address from the owner of the IP address and automatically distributing them to some or all control devices. Such a scheme allows the owner of an IP address to control the traffic to/from his site in a non-local, distributed manner.

Inventors:
DUEBENDORFER THOMAS (CH)
BOSSARDT MATTHIAS (CH)
Application Number:
PCT/CH2004/000631
Publication Date:
April 27, 2006
Filing Date:
October 19, 2004
Assignee:
EIDGENOESS TECH HOCHSCHULE (CH)
DUEBENDORFER THOMAS (CH)
BOSSARDT MATTHIAS (CH)
International Classes:
H04L29/06; (IPC1-7): H04L29/06
Domestic Patent References:
WO2003078459A2 2003-09-25
Foreign References:
US20020078202A1 2002-06-20
US5905859A 1999-05-18
US6658565B1 2003-12-02
Attorney, Agent or Firm:
E. BLUM & CO. (Zürich, CH)
Claims:
Claims
1. An internet traffic control system comprising a plurality of control devices (20) located at a plurality of locations of the internet, each control device (20) processing data packets originating from or addressed to at least one given IP address according to IP-specific processing rules (28), and an infrastructure system (20, 111, 114) adapted to receive the IP-specific processing rules (28) for a given IP address from an owner (30) of said IP address and automatically distributing said IP-specific processing rules (28) to at least part of said control devices (20).
2. The system of claim 1 wherein said control devices (20) are adapted to block packets from or to a given IP address if required by said IP-specific processing rules (28).
3. The system of any of the preceding claims wherein said IP-specific processing rules (28) are not allowed to change a source or destination address or a time-to-live field of said packets.
4. The system of any of the preceding claims wherein said IP-specific processing rules (28) are not allowed to change a routing path of said packets.
5. The system of any of the preceding claims wherein said IP-specific processing rules (28) are not allowed to increase a packet rate or packet size.
6. The system of any of the preceding claims wherein said infrastructure system (20, 111, 114) comprises at least one management device (111) adapted to receive IP-specific processing rules (28) from said owner (30) and distributing the IP-specific processing rules (28) to said control devices (20).
7. The system of any of the preceding claims wherein said control devices (20) are adapted to receive said IP-specific processing rules (28) from said infrastructure system (20, 111, 114) as encrypted or digitally signed messages and for verifying the authenticity of said encrypted or digitally signed messages.
8. The system of any of the preceding claims wherein at least part of said control devices (20) comprises a router (22) and at least one processing device (24), wherein packets corresponding to the given IP address are passed through processing device (24).
9. A method for controlling internet traffic, wherein the internet comprises a plurality of control devices (20) located at a plurality of locations of the internet, said method comprising the steps of automatically distributing IP-specific processing rules (28) attributed to a given IP address by an owner (30) of the given IP address to said plurality of control devices (20) and processing, in said control devices (20), data packets originating from or addressed to the given IP address according to the IP-specific processing rules (28) attributed to said given IP address.
10. The method of claim 9 comprising the step of blocking, in accordance to the IP-specific processing rules (28) of the given IP address, at least part of the messages originating from or addressed to the given IP address.
11. The method of claim 10 comprising the step of blocking or discarding, in accordance to the IP-specific processing rules (28) of the given IP address, messages addressed to the given IP address and fulfilling at least one additional criterion.
12. The method of any of the claims 9 to 11 wherein said IP-specific processing rules (28) are not allowed to perform at least one of the following operations: a) changing a source or destination address of said packets, b) changing a routing path of said packets, c) changing a time-to-live field of said packets, d) increasing a packet rate, e) increasing a packet size.
13. The method of any of the claims 9 to 12 comprising the step of distributing said IP-specific processing rules (28) to said plurality of control devices (20) in encrypted and/or digitally signed messages and checking, by said control devices (20), an authenticity of said encrypted and/or digitally signed messages.
14. The method of any of the claims 9 to 13 wherein, by means of said IP-specific processing rules (28), said control devices (20) are instructed to maintain a log of traffic to and/or from the given IP address.
15. The method of claim 14 wherein said log comprises statistical data and/or traceback data on the traffic to and/or from the given IP address.
16. The method of any of the claims 14 or 15 comprising the step of transferring said log to the owner (30) of the given IP address.
17. The method of any of the claims 9 to 16 further comprising the step of verifying the identity of the owner (30) of the given IP address.
18. The method of claim 17 further comprising the steps of issuing a digital certificate to the owner (30) to be included with instructions for changing the IP-specific processing rules (28) and checking said digital certificate when receiving said instructions from said owner (30).
19. The method of claim 18 wherein said digital certificate comprises the given IP address or addresses.
20. The method of any of the claims 9 to 19 comprising the step of checking a payload of the data packets originating from or addressed to the given IP address against at least one criterion given by the IP-specific processing rules (28) attributed to said address.
21. The method of any of the claims 9 to 20 comprising the step of processing a packet first under the IP-specific processing rules (28) of its source IP address and then under the IP-specific processing rules (28) of its destination IP address.
22. The method of any of the claims 9 to 21, wherein each control device (20) is located between two groups of end systems, each group comprising several end systems having different IP addresses.
23. The method of any of the claims 9 to 22 comprising the steps of attributing context data to each of said control devices (20), said context data being indicative of at least one information from the group comprising a) an Autonomous System the control device receives packets from and/or an Autonomous System the control device sends packets to, b) data indicative if the control device sends data to or receives data from a stub network, c) operating parameters of a router the control device is associated with, and d) a geographical position of the control device, and making an installation and/or execution of a given processing rule dependent on said context data.
24. The method of claim 23 wherein said operating parameters comprise at least one information from the group comprising a) a current load of the router, b) a current load on connections to or from the router, and c) configuration information of the router.
25. The method of any of the claims 9 to 24 comprising the step of distributing said processing rules to all of said control devices (20).
26. The method of any of the claims 9 to 25 comprising the step of distributing a processing rule addressing an expected incident prior to an occurrence of said expected incident.
27. The method of any of the claims 9 to 26 comprising the step of issuing, modifying and/or deleting, by said owner, a processing rule (28) attributed to the given IP address from a device having an IP address different from the given IP address.
28. The method of any of the claims 9 to 26 comprising the step of deleting, by said owner, a processing rule (28) attributed to the given IP address.
29. The method of any of the claims 9 to 28 wherein, by means of said IP-specific processing rules (28), said control devices (20) are instructed to limit a packet rate or bandwidth to be allowed for data packets to/from the given IP address.
30. The method of any of the claims 9 to 28 wherein, by means of said IP-specific processing rules (28), said control devices (20) are instructed to stamp a header of data packets to/from the given IP address.
31. The method of any of the claims 9 to 28 wherein, by means of said IP-specific processing rules (28), said control devices (20) are instructed to modify a payload of data packets to/from the given IP address.
Description:
Distributed internet traffic control system

Technical Field

The invention relates to a distributed traffic control system for the internet that allows an Internet Protocol (IP) network address owner to remotely process packets addressed to or originating from IP addresses he or she owns.

Background Art

The processing and, in particular, filtering of data packets plays an important role in internet technology. For example, filters are used for defending against "Distributed Denial-of-Service attacks" (DDoS attacks) that try to flood a given address by sending it a large number of data packets from a variety of sources.

Typically, filters are implemented as firewalls, which may protect a single device or a stub network. Such firewalls can be programmed to process individual packets, typically by analyzing them against certain criteria and e.g. rejecting them if the criteria are met. Such schemes, however, will fail under heavy load, e.g. when the corresponding firewall is, itself, becoming saturated by a very large number of incoming packets.

Disclosure of the Invention

Hence, the problem to be solved by the invention is to provide a traffic control system that allows a more robust control of the traffic on the internet.

This problem is solved by the system and method according to the independent claims.

Accordingly, a plurality of control devices is located at a plurality of locations within the internet. Each control device is processing the data packets originating from or addressed to one or more given IP addresses according to IP-specific processing rules attributed to the given IP addresses. An infrastructure system is provided for receiving the IP-specific processing rules for the given IP addresses from the owner(s) of the IP addresses and for automatically distributing them to some or, advantageously, to all the control devices. Such a scheme allows the owner(s) of the IP addresses to control the traffic to/from his/their site in a non-local, distributed manner.

In this context, the term "internet" is used in the sense of the Federal Networking Council's definition and is to designate any global area system that

1. is logically linked together by a globally unique address space based on the Internet Protocol (IP) or its subsequent extensions/follow-ons;

2. is able to support communications using the Transmission Control Protocol/Internet Protocol (TCP/IP) suite or its subsequent extensions/follow-ons, and/or other IP-compatible protocols; and

3. provides, uses or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure described herein.

Devices directly attached to the internet for exchanging data thereon are attributed at least one unique IP address.

The owner of an IP address is typically the actual owner or operator of the device the IP address is assigned to, or a delegate (such as an ISP) authorized by the actual owner to act on his behalf.

Brief Description of the Drawings

The invention will be better understood and objects other than those set forth above will become apparent when consideration is given to the following detailed description thereof. Such description makes reference to the annexed drawings, wherein:

Fig. 1 is a schematic diagram of part of the internet with control devices and an infrastructure system according to the present invention, and

Fig. 2 is a simplified block diagram of a control device.

Modes for Carrying Out the Invention

Overview:

Fig. 1 shows a schematic illustration of the internet having a series of devices attached thereto. As known to a person skilled in the art, the internet is based on an interconnected structure of large and small networks, such as backbone networks 10, regional or mid-level networks 11 and local or stub-networks 12. The various parts of the network are operated by a number of operators that have agreed on a set of common protocols and standards. The present invention proposes a service that enables network operators to safely delegate specific traffic control to network users. The delegation is safe in the sense that an owner of an IP network address or address range can get control only over his/her IP packets that have such an IP address either as source or destination or both. By adding further restrictions on the traffic control capabilities, as discussed below, misuse and malicious interference with other traffic can be prevented. If the source and destination address of a network packet belong to different parties, a packet can be controlled by two different parties. Traffic control can be executed by a designated party on behalf of a network address owner.

In order to implement the system, a plurality of remotely programmable control devices 20 are arranged at various locations in the internet. The owner 30 of a single network address or range of addresses can obtain access to the management of some or all of these devices after having registered for this service according to the invention.

The control devices:

In a preferred embodiment, each control device 20 comprises a router 22 and at least one processing device 24 as shown in Fig. 2. Most traffic simply passes through router 22 where it is forwarded in conventional manner. Some packets, however, are passed through processing device 24. An alternative embodiment is to interpose the processing device in a communication link.

For this purpose, control device 20 contains a list 26 of IP-specific processing rules 28. Each processing rule applies to packets originating from a given IP address or addressed to a given IP address. The given IP address can either be a single address or a range of addresses. When a packet originates from or is addressed to an IP address specified by one of the IP-specific processing rules 28, the packet is passed through processing device 24 where it is processed according to the applicable IP-specific processing rule(s).

When processing device 24 processes a network packet, it first executes traffic control on behalf of the owner of the source IP address. Subsequently, it executes traffic control on behalf of the owner of the IP destination address. This is analogous to the high-level communication process of first sending an internet packet by the source (and hence under its control) and then receiving it by the destination (and consequently under the recipient's control). This control hand-over is performed at each activated control device on the network path of an IP packet.

Typical operations specified in the IP-specific processing rules 28 for a given IP address are, for example:

a) Block or discard packets fulfilling certain criteria, such as packets coming from a certain source address, using a certain protocol or exceeding a certain packet rate or length. A typical application is to block all messages to a given IP address that fulfil at least one additional criterion.

b) Check the payload of a packet against at least one given criterion given by the processing rules, e.g. check if it contains a given sequence of bytes or has a given length, and take specific action, such as blocking the packet or logging it. In this case, the payload content or length of the packets is processed according to the processing rule.

c) Maintain a log of traffic to and/or from the given IP address. The log can e.g. contain characteristic data of the packets, such as source address, time, length, IP header and/or hash values of the partial or full header and/or payload. In particular, the log can contain statistical data and/or traceback data on the traffic to and/or from the given IP address. It can regularly or upon request be transferred to the owner 30 of the given IP address.

d) Limit a packet rate or bandwidth to be allowed for data packets to/from a given IP address by dropping or delaying packets when the rate or bandwidth is exceeded.

e) Stamp the packet header by adding data thereto that uniquely identifies control device(s) it has passed or a traffic flow it belongs to.

f) Modify the payload of a packet.

These measures can be used alone or in combination.

In general, each IP-specific processing rule specifies the criteria (source/destination address, payload properties, protocol type, any packet protocol header field, time of packet arrival, content type of packet payload etc.) that packets must meet and the consequences (such as blocking or logging) if a packet meets the given criteria.

In order to better control the distribution and operation of the processing rules 28, a set of context data is associated to each control device 20. The context data may e.g. contain some or, advantageously, all of the following information:

1) The logical position of the control device in the Internet. This data indicates the Autonomous System the control device receives packets from and/or the Autonomous System the control device sends packets to. The term "Autonomous System" (AS) is used to designate a collection of routers under a single administrative authority, using a common Interior Gateway Protocol for routing packets. On the Internet, a public AS has a globally unique number, an Autonomous System number (ASN), associated with it; this number is used in both the exchange of exterior routing information (between neighboring Autonomous Systems), and as an identifier of the AS itself.

2) The functional position of the control device in the Internet. This data indicates if the control device sends data to or receives data from a stub network. The term "stub network" designates a network that only carries packets to and from local hosts. Even if it has paths to more than one other networks, it does not carry traffic for other networks except for the packets directed to or originating from its local hosts.

3) If the control device is assigned to a router, the context data advantageously comprises operating parameters of the router, such as: a current load of the router (e.g. expressed in terms of the current packet drop rate), a current load on the connections to or from the router (e.g. in terms of a bandwidth usage), and configuration information of the router (e.g. the network sections the router is connected to or the addresses the router provides access to on its downstream side).

4) The geographical position of the control device, such as the country or geographical region it is in or the geographical coordinates of its location.

The installation or execution of a processing rule can be made dependent on information in the context data. For example, a subscriber to the services described here may only be authorized to install processing rules on control devices in one given geographical or logical or functional area. For example, to prevent an excessive number of processing rules from being installed in a backbone where they would consume considerable resources for filtering all the packets, most processing rules might be limited to being installed on control devices directly connected to a stub network.

Note: in contrast to the operations carried out by a conventional router, the IP-specific processing rules are, in general, not used to and generally not allowed to change the routing path of the packets.

It should be noted, in addition, that the control devices are not necessarily associated to or integrated into routers. They may also be stand-alone devices that monitor the traffic running through a given line.

In most applications it makes little sense to associate a control device with a single end system. Advantageously, each control device is located between two groups of end systems, each group comprising several end devices having different IP addresses.

An example of a device that could act as a control device 20 is described in US 2003/0035430.

Infrastructure system:

The system according to the invention comprises an infrastructure system. This infrastructure system serves to receive the IP-specific processing rules for a given IP address from the owner 30 of the given address and to automatically distribute the IP-specific processing rules to the control devices 20. To avoid fraud and abuse, it also has to make sure that only the true owner 30 of an IP address (or his delegate) is allowed to feed IP-specific processing rules for that address to the control devices 20.

In the embodiment of Fig. 1, the infrastructure system has a hierarchical architecture, even though it can also, at least in part, use peer to peer communication between the control devices 20.

The owner 30 of a given IP address, e.g. the owner 30 of a web server 100, can feed IP-specific processing rules to the control devices 20 by means of the infrastructure system.

The example of Fig. 1 assumes that access to the infrastructure system is controlled by a Traffic Control Service provider (TCSP) 110 operating one or more suitably programmed servers 111. TCSP 110 sets up contracts with a number of Internet service providers (ISP, a term that, in the present context, is understood to encompass not only the stub network operators, but also the operators of backbones and regional networks). TCSP advantageously has contracts at least with some ISPs operating large or significant parts of the Internet, such as backbone networks. However, the scaleable and robust nature of the present system allows it to operate with useful results even if only a fraction of the operators are contractually cooperating with the TCSP.

The ISPs cooperating with the TCSP install one or more control devices 20 in their networks, e.g. in the role of routers, and enable their network management systems 114 to program and configure them.

In order to be able to use the control devices, an IP owner 30 must first register with the TCSP 110 before using the traffic control service. The TCSP 110 verifies the identity of the IP owner 30, e.g. based on digital certificate information or written legal identity documents, and verifies the claimed ownership of IP addresses that the IP address owner 30 wants to control traffic for. To check this ownership, TCSP 110 can contact an Internet number authority 112 (IP address ownership is maintained in the databases of organizations such as ARIN, RIPE NCC and others). If TCSP 110 can identify the requesting IP owner 30 and confirm his ownership over the IP address(es) in question, access to the service is granted by issuing a digital certificate to IP address owner 30.

The digital certificate is a digital message that is difficult to counterfeit, such as e.g. a digital message signed by a digital signature that can be verified using a public key of TCSP 110.

Once the IP address owner 30 is equipped with the digital certificate, it can issue or modify the IP-specific processing rules, even from a host having an IP address different from the IP address the digital certificate was issued for.

Whenever the IP address owner 30 wants to issue, modify or delete an IP-specific processing rule for his IP address, he sends a message to be forwarded to the control devices 20. The message contains among other things the digital certificate for verification by the receiving devices. The message can be distributed in various manners, depending on the specific implementation of the infrastructure system. Some possible implementations of the message distribution in the infrastructure system are:

a) IP owner 30 sends his message to the network management systems 114 of the ISPs who have a contract with TCSP 110. For this purpose, IP owner 30 is provided with a list of addresses of the network management systems 114.

b) IP owner 30 sends his message to a management device (e.g. server 111) of TCSP 110, which then distributes it automatically to the control devices 20. For this purpose, TCSP 110 maintains a list of the IP addresses of all control devices 20 or of the network management systems 114 of the participating ISPs and distributes the message to all or at least some of them.

c) IP owner 30 sends his message directly or through TCSP 110 to one or more control devices 20, which then forward it to one or more other control devices 20, which in their turn forward it to other control devices 20, etc., thereby distributing the message in a peer-to-peer network.

These message distribution mechanisms can be used alternatively or in combination.

Advantageously, the digital certificate issued by TCSP 110 to IP owner 30 comprises the IP number(s) that IP address owner 30 is granted control over, i.e. it is possible to derive the IP number(s) from the digital certificate without consulting any database containing IP numbers. This makes it possible for any device of the infrastructure system to check the authenticity of a certificate quickly and autonomously.

The messages containing the IP-specific processing rules can be distributed to the control devices 20 in signed and/or encrypted manner to allow the control devices 20 to check the authenticity of the messages for reducing the risk of tampering by third parties.

In principle, each ISP could establish a mini-TCSP and offer the traffic control service limited to his network. However, this would make worldwide deployment of traffic control based services cumbersome.

The introduction of a TCSP helps to scale the management of the traffic control service. Only a single service registration is needed instead of a separate one with each ISP. The infrastructure can be deployed incrementally. Most traffic control based services will be useful even if not all ISPs offer it. They become more effective when more ISPs join. E.g. anti-spoofing protection and firewall-like services can filter closer to the attack source and therefore less network resources will be wasted.

As can be seen from the above, the infrastructure system can e.g. be formed by server 111 of TCSP 110, the network management systems 114 of the ISPs and communication means incorporated into the control devices 20 if a hierarchical approach is used, but it can also comprise only part of these components, such as the communication means of the control devices 20 only if a flat, non-hierarchic peer-to-peer approach is used.

Attack prevention and defense:

To illustrate the workings of the invention in a simple example, we assume that IP owner 30 operates a web page on his web server 100. He notices that his web server is under DDoS attack, such as a UDP (User Datagram Protocol) flooding attack. To block the attack, he sends an IP-specific processing rule to the control devices 20 using the infrastructure system as described above. The processing rule can e.g. specify to block the UDP packets that are addressed to his IP address and have certain characteristics, such as a given length. Once this IP-specific processing rule has been distributed to the control devices 20, the attacking packets are blocked close to their source, thereby preventing an overload of web server 100.

For stopping a DDoS reflector attack to server 100, IP owner 30 can deploy ingress filtering rules that block all traffic that enters the Internet from customers of a peripheral ISP and that carries this web site's spoofed IP address in the packets. Of course, transit traffic, the traffic of the peripheral ISP where this web site is attached to, and traffic to clients located at peripheral ISPs must not be blocked, as the web site's reply packets should still be able to reach the legitimate hosts requesting service from it.

Attacks based on protocol misuse like e.g. sending ICMP unreachable or TCP reset messages to tear down TCP connections can also be filtered out. Without a distributed traffic control service as described here, worldwide filtering of illegitimate packets is almost impossible due to the many network operators involved that would have to be contacted individually for setting up filter rules all over the globe.

Other applications:

The control devices 20 are in no way limited to firewall-like functionality because new software (or hardware) modules can be installed when needed. They can e.g. be used to distributedly collect traffic statistics (e.g. delays or packet loss on intermediate links for network debugging) of packets sent to specific IP addresses, to implement a worldwide packet traceback service by storing a backlog of packet header and/or payload hashes, to support network forensics (by sampling traces of suspicious network activity), or to optimize download speed and routing, e.g. by sensing and reporting network congestion.

Security Considerations:

For the present system to be accepted by ISPs, it is vital that the control devices 20 will keep the network manageable by the network operators and that they cannot be misused for an attack themselves.

This is addressed by limiting the control of each IP address owner to his own traffic only, i.e. an IP address owner can only issue processing rules for packets to or from his IP addresses. This allows the service to assure that traffic owned by other parties is not affected. Hence, collateral damage caused by misconfigurations or malicious behavior of users having access to such devices can be prevented. In addition, ISPs do not lose control over their network.

Additional steps can be taken for reducing the risk of misuse or misconfigurations even further. In particular, control device 20 can impose limitations on what the processing rules are allowed to do, such as:

a) The processing rules are not allowed to change the source or the destination IP address of a packet. Such rerouting could wreak havoc easily (causing routing loops; interference with other routing mechanisms; transparent source spoofing; "forwarding" of attack traffic).

b) The TTL (time-to-live) field of IP packets cannot be modified as it aims to set an upper bound of network resources a packet is able to use.

c) A processing rule is not allowed to cause the packet rate to increase, which prevents the control devices 20 from amplifying traffic. An exception to this rule may be granted for the implementation of mirroring services. Also, collecting and forwarding statistical data or traceback data or stamping the header of a message should, within limits, not be considered to increase the packet rate.

d) Similarly, the amount of the network traffic leaving the control device must be equal or less compared to the amount of traffic entering it. I.e. packet size may only stay the same or become smaller.

e) New service modules for the control devices 20 should be checked for security compliance before deployment.

Consequently, the danger of delegating partial control of the network from the network operator to the customers is very limited as countermeasures against effects of misconfigurations and misuse were taken into consideration when designing this new service.
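The admission checks listed above (certificate signature, certificate-carried IP scope, refusal of forbidden operations) together with the source-then-destination processing order of the control device, as an added illustration that is not the patent's own code. The message layout, the criteria keys and the use of HMAC-SHA256 as a stand-in for the TCSP's public-key signature are assumptions made here.

```python
"""Toy control device (20) from the patent: rule admission and packet processing.
Added example, not the patent's code. Constructed here: the message layout,
criteria keys, and HMAC-SHA256 standing in for the TCSP public-key signature."""
import hashlib
import hmac
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

TCSP_KEY = b"constructed-tcsp-key"   # stand-in for the TCSP signing key
# Operations a control device refuses (Security Considerations a-d): rewriting
# addresses, touching the TTL, raising the packet rate or the packet size.
FORBIDDEN = {"set_src", "set_dst", "set_ttl", "raise_rate", "grow_payload"}
ALLOWED = {"block", "log"}

# Certificate carries the IP ranges the owner controls, so scope checks need no
# database lookup; Packet is just the header fields the rules look at.
Certificate = namedtuple("Certificate", "owner prefixes sig")
Packet = namedtuple("Packet", "src dst proto length")

def sign(data: bytes) -> bytes:
    return hmac.new(TCSP_KEY, data, hashlib.sha256).digest()

def cert_payload(owner: str, prefixes: list) -> bytes:
    return f"{owner}|{','.join(prefixes)}".encode()

def issue_certificate(owner: str, prefixes: list) -> Certificate:
    """TCSP side: bind the verified owner identity to its IP ranges."""
    return Certificate(owner, prefixes, sign(cert_payload(owner, prefixes)))

@dataclass
class Rule:
    target: str             # IP address or range the rule is attributed to
    direction: str          # "src" or "dst": which owner's packets it governs
    action: str
    match: dict = field(default_factory=dict)   # e.g. {"proto": "udp"}

def admit_rule(cert: Certificate, rule: Rule) -> str:
    """Control-device side: 'ok' or the reason the rule is rejected."""
    if not hmac.compare_digest(sign(cert_payload(cert.owner, cert.prefixes)), cert.sig):
        return "bad certificate signature"
    target = ipaddress.ip_network(rule.target, strict=False)
    if not any(target.subnet_of(ipaddress.ip_network(p)) for p in cert.prefixes):
        return "target outside certificate scope"
    if rule.action in FORBIDDEN:
        return f"forbidden operation {rule.action}"
    if rule.action not in ALLOWED:
        return f"unknown operation {rule.action}"
    return "ok"

class ControlDevice:
    def __init__(self):
        self.rules = []     # list 26 of IP-specific processing rules 28
        self.log = []

    def install(self, cert: Certificate, rule: Rule) -> str:
        verdict = admit_rule(cert, rule)
        if verdict == "ok":
            self.rules.append(rule)
        return verdict

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        addr = ipaddress.ip_address(pkt.src if rule.direction == "src" else pkt.dst)
        if addr not in ipaddress.ip_network(rule.target, strict=False):
            return False
        if pkt.proto != rule.match.get("proto", pkt.proto):
            return False
        return pkt.length >= rule.match.get("min_length", 0)

    def process(self, pkt: Packet) -> str:
        """'forward' or 'drop'; source-owner rules run before destination rules."""
        for direction in ("src", "dst"):
            for rule in (r for r in self.rules if r.direction == direction):
                if not self._matches(rule, pkt):
                    continue
                if rule.action == "log":
                    self.log.append((pkt.src, pkt.dst, pkt.proto, pkt.length))
                elif rule.action == "block":
                    return "drop"
        return "forward"

def demo() -> dict:
    """Constructed scenario after the page's own example: the web server owner
    blocks a UDP flood while the source-side ISP logs its outbound traffic."""
    web_owner = issue_certificate("web-owner", ["198.51.100.0/24"])
    src_isp = issue_certificate("source-isp", ["192.0.2.0/24"])
    dev = ControlDevice()
    r = {}
    r["flood"] = dev.install(web_owner, Rule("198.51.100.10", "dst", "block",
                                             {"proto": "udp", "min_length": 1000}))
    r["log"] = dev.install(src_isp, Rule("192.0.2.0/24", "src", "log"))
    r["scope"] = dev.install(web_owner, Rule("203.0.113.5", "dst", "block"))
    r["ttl"] = dev.install(web_owner, Rule("198.51.100.10", "dst", "set_ttl"))
    forged = Certificate("intruder", ["0.0.0.0/0"], bytes(32))
    r["forged"] = dev.install(forged, Rule("203.0.113.5", "dst", "block"))
    r["flood_pkt"] = dev.process(Packet("192.0.2.7", "198.51.100.10", "udp", 1400))
    r["web_pkt"] = dev.process(Packet("192.0.2.7", "198.51.100.10", "tcp", 80))
    r["logged"] = len(dev.log)   # both packets hit the source-side log rule first
    return r
```

Both the out-of-scope rule and the forged certificate are refused without any database lookup, which is the property the page attributes to certificates that carry the owner's IP numbers.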

Notes:

The system described here can be used reactively as well as proactively. In other words, it allows to distribute processing rules during, after, but also prior to an attack. Due to the distributed nature of the processing devices and the high degree of control over the processing rules, it does not require an attack path to be known in advance. Hence, a processing rule addressing an expected incident (such as an attack or the arrival of data packets to be monitored) can be sent out prior to the occurrence of the expected incident.

An encrypted or digitally signed message, in the context of this description and the claims, designates a message using digital encryption or a digital signature that make it virtually impossible to fake such a message. Typical encryption and signature systems are known to the person skilled in the art and e.g. use matched pairs of secret and public keys and a public key infrastructure to distribute the latter. The messages must be made authentic by using a method which assures that they are difficult to fake. For example, the entity generating the message can digitally sign it, e.g. by encrypting it using its secret key, while the entity receiving the message can check the message's authenticity, e.g. by decrypting the message using the sender's public key. To make it impossible for third parties to send fake messages to the control devices, each control device advantageously maintains a list of the public keys for checking the validity of the certificates of the entities before accepting their modifications of its processing rules.

While there are shown and described presently preferred embodiments of the invention, it is to be distinctly understood that the invention is not limited thereto but may be otherwise variously embodied and practiced within the scope of the following claims.