US20020062450A1 - Methods, modems, and systems for blocking data transfers unless including predefined communications to provide access to a network - Google Patents


Publication number
US20020062450A1
Authority
US
United States
Prior art keywords
modem
request
network
host system
dhcp
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US09/999,655
Inventor
Brian Carlson
Gerald Cooper
James Kent
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ericsson Inc
Original Assignee
Ericsson Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ericsson Inc filed Critical Ericsson Inc
Priority to US09/999,655 priority Critical patent/US20020062450A1/en
Assigned to ERICSSON INC. reassignment ERICSSON INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: CARLSON, BRIAN, COOPER, GERALD MEADE, KENT, JAMES SHELDON
Publication of US20020062450A1 publication Critical patent/US20020062450A1/en
Abandoned legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2801 Broadband local area networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/80 Responding to QoS
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1101 Session protocols

Definitions

  • the present invention relates to the field of communications in general and more particularly to modems and related methods and systems.
  • the user may access the Internet over the cable system using a cable modem to provide data rates of 42 megabaud or higher.
  • Accessing the Internet via a cable system may involve initializing the cable modem each time the cable modem is turned on, during which the cable modem may register with the cable system. For example, when the user wishes to access the Internet, the user may turn on the cable modem which then registers with the cable system.
  • the time needed to register each cable modem may also increase thereby lengthening the registration time. For example, if hundreds of cable modems are used in a cable system, the registration time for a selected cable modem may be several minutes. Consequently, the user may wish to avoid turning the cable modem off in an effort to avoid the delay incurred by a lengthy registration process. For example, if the user turns the cable modem on just prior to accessing the Internet, the user may need to wait for the registration process to complete before gaining access to the Internet.
  • cable systems may also provide television and telephone service to a user's home such as by routing these services through the cable modem to the television and telephone. Accordingly, the user may desire that the cable modem be left on so as not to interrupt telephone or television service.
  • the present invention may allow improvement in the security of cable modems by blocking access to the cable modem from the cable system while the cable modem is in safe mode. Blocking data transfers may allow the subscriber to leave the host system connected to the cable modem, thereby possibly avoiding the delay associated with the registration process while reducing the security threats posed by maintaining a physical connection to the cable modem.
  • Embodiments according to the present invention provide methods, modems, and systems for blocking the transfer of data in a modem during a safe mode unless the data transfer includes predefined communications.
  • the predefined communications can be network access maintenance information such as a request for a network address to maintain access to the network for the host system or a response to the request that includes a network address.
  • the safe mode can protect a host system from unauthorized access from the network, while allowing the network service to be maintained for the host system during the safe mode of operation.
  • requests for renewals of leases such as Dynamic Host Configuration Protocol (DHCP) requests and responses thereto, on Internet Protocol (IP) addresses used by the host system may not be blocked by the modem during safe mode.
  • requests and responses for addresses of systems on the network to which the DHCP requests are transmitted, such as Address Resolution Protocol (ARP) requests and responses thereto, may also not be blocked during safe mode.
  • the blocking is provided at the modem so that multiple host systems can be protected by the modem.
  • FIG. 1 is a block diagram of an embodiment of a cable system according to the present invention.
  • FIG. 2 is a block diagram of an embodiment of the cable modem 100 of FIG. 1.
  • FIG. 3 is a flowchart that illustrates operations of a cable modem according to the present invention.
  • FIG. 4 is a block diagram that illustrates embodiments of cable modems according to the present invention through which host systems can communicate with the Internet.
  • FIG. 5 is a block diagram that illustrates embodiments of cable modems according to the present invention through which host systems can communicate with the Internet.
  • FIG. 6 is a block diagram that illustrates embodiments of cable modems according to the present invention through which host systems can communicate with the Internet.
  • FIG. 7 is a block diagram that illustrates embodiments of cable modems according to the present invention through which host systems can communicate with the Internet.
  • FIGS. 8A and 8B are flowcharts that illustrate embodiments of methods, cable modems, and systems according to the present invention through which host systems can communicate with the Internet.
  • FIG. 9 is a flowchart that illustrates cable modems and methods according to embodiments of the present invention.
  • the present invention may be embodied as methods, devices, or systems. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects all of which may be generally referred to herein as a “circuit.”
  • blocks of the flowchart illustrations support combinations of means for performing the specified functions, combinations of steps for performing the specified functions and program instruction means for performing the specified functions. It will also be understood that each block of the flowchart illustrations, and combinations of blocks in the flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or steps, or combinations of special purpose hardware and computer instructions.
  • the functions disclosed in the blocks may occur out of the order illustrated in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • Coupled as used herein to describe arrangements of devices includes arrangements wherein intervening devices are present between the coupled devices. For example, where a first device is described as coupled to a second device, the description will be understood to include other devices located between and coupled to the first and second devices.
  • FIG. 1 is a block diagram of an embodiment of a cable system according to the present invention.
  • the cable system includes a Cable Modem Termination System or Cable Modem Terminal Server (CMTS) 140 and a plurality of cable modems 100 .
  • CMTS 140 can provide services, such as television service, telephone service, and internet service, to subscribers of the cable system via cable modems 100 by transferring data over a cable 110 , such as a coaxial cable.
  • a subscriber may access the Internet through the respective cable modem 100 from a host 125 such as a Personal Computer (PC).
  • the CMTS 140 manages the services provided to the respective subscribers in the cable system. For example, a first subscriber may receive television, telephone, and Internet services while a second subscriber may receive only Internet service. Moreover, different subscribers may receive a different quality of service. For example, a first subscriber may receive Internet service at relatively low bandwidth while a second subscriber may receive Internet service at relatively high bandwidth. Accordingly, the CMTS 140 transmits and receives data to and from the respective cable modems 100 a - f at the rates associated with the respective subscribers.
  • the CMTS 140 can also adjust parameters of the cable modems 100 a - f used to transfer data such as phase timing, frequencies and power levels associated with the transfer of data between the respective cable modems 100 a - f and the CMTS 140 .
  • the CMTS 140 can monitor the timing and power levels of the data transferred from the respective cable modems 100 a - f and instruct each of the cable modems 100 a - f to adjust the timing and power level of the data transfer performed by the cable modems 100 a - f.
  • the Internet service provided by the CMTS 140 includes data transferred between the CMTS 140 and the cable modem 100 a via the cable 110 at respective frequencies.
  • the subscriber may request information from the Internet, wherein data is transferred from the host 125 through the cable modem 100 a to the CMTS 140 over the cable 110 at a first frequency.
  • the CMTS 140 responds to the request for information by transferring the requested data from the CMTS 140 to the host 125 through the cable modem 100 a over the cable 110 at a second frequency.
  • the request is transmitted via a telephone line which is not part of the cable system.
  • the data transfers between the CMTS 140 and the cable modem 100 a may be performed according to standards known in the art.
  • data transfers between the CMTS 140 and the cable modem 100 a may be performed using a Time Division Multiple Access (TDMA) technique wherein data is transmitted and received over the cable 110 in predefined time-slots.
  • Standards for the transfer of data in cable systems are discussed in the Data Over Cable System Interface Specification (DOCSIS).
  • When the cable modem 100 a is turned on, the cable modem 100 a performs an initialization sequence wherein the cable modem 100 a registers with the cable system. In particular, the cable modem 100 a transfers an identifier to the CMTS 140 that identifies the cable modem 100 a within the cable system. Accordingly, the CMTS 140 can communicate with the selected cable modem 100 a using the cable modem's respective identifier.
  • the CMTS 140 performs ranging of each of the cable modems 100 a - f registered to adjust for the propagation delay of the data transferred, to adjust the proper power level of the data transfer, and to determine the quality of service provided to the subscriber. If telephone service is provided to the subscriber via the cable system, the registration process can also include the determination of parameters for the telephone service.
  • After registration, the CMTS 140 provides services to the subscriber via the respective cable modem 100 a . In operation, services are provided by data transfers between the CMTS 140 and the cable modem 100 a . In particular, data is transferred from the CMTS 140 to a selected cable modem 100 a using the identifier that identifies the selected cable modem 100 a in the cable system. In operation, the data transfer to the selected cable modem 100 a includes the identifier which matches the identifier of the selected cable modem 100 a . For example, if the selected cable modem 100 a has an associated identifier of 800, a data transfer including an identifier of 800 will be accepted by the selected cable modem 100 a . A data transfer can include information and/or a command directed to the selected cable modem 100 a.
  • FIG. 2 is a block diagram of an embodiment of the cable modem 100 of FIG. 1.
  • Data is transferred between the CMTS 140 and the cable modem 100 by a Media Access Controller (MAC) 105 coupled to the cable 110 .
  • the MAC 105 accepts data transfers from the CMTS 140 if the identifier included in the data transfer matches the identifier of the cable modem 100 .
  • the data transfer can include information intended for a first host 125 , a second host 120 , a telephone 107 , the cable modem 100 , or other device accessed via the cable modem 100 .
  • the data transfer may include information intended for the first host 125 in response to a request made by the first host 125 or a range command for the cable modem 100 to transfer timed information to the CMTS 140 .
  • the functions provided by the MAC 105 may be provided by software running on processor 115 or by hardware and/or software separate from the processor. While the processor, media access controller, host interface controller, and telephone interface controller of FIG. 2 are illustrated as separate blocks, it will be understood that one or more of these portions of the modem or sub-portions thereof, can be implemented using combined hardware and/or software.
  • the data transfer may include an address specifying which device coupled to the cable modem 100 is the destination of the data transfer. For example, if the data transfer is intended for the second host 120 , the address included in the data transfer identifies the second host 120 as the destination.
  • the MAC 105 may be coupled to a Radio Frequency (RF) tuner that modulates and demodulates the data included in the data transfers. For example, data transfers to the CMTS 140 may be modulated and transferred over a first channel on the cable 110 . The RF tuner demodulates the data transferred from the CMTS 140 over a second channel on the cable 110 .
  • a processor 115 coordinates operations of the cable modem 100 within the cable system to provide the selected services to the subscriber.
  • data transfers to addressed hosts are blocked by the processor 115 during a safe mode of operation and not blocked by the processor 115 during normal mode operation.
  • blocking can be performed on a per host basis. For example, in one embodiment, data transfers addressed to the first host 125 are blocked while data transfers addressed to the second host 120 are received and provided to the second host 120 .
  • data transfers including commands for the cable modem 100 or addressed to devices other than the hosts are unaffected by the safe mode of operation.
  • a ranging command issued to the cable modem 100 during safe mode of operation is accepted and responded to by the MAC 105 .
  • the safe or normal mode of operation is selected using software that maintains a safe mode flag that is set to either a safe mode state or a normal mode state to indicate the selected mode of operation.
  • the flag can be set to the safe mode state to indicate the safe mode of operation and set to the normal mode state to indicate the normal mode of operation.
  • the mode of operation is selected by pressing a safe mode button 108 on the housing of the cable modem 100 a .
  • the safe mode button 108 can be a momentary switch that causes the processor 115 to toggle the mode of operation.
  • the mode of operation is selected via a command issued by the host.
  • the subscriber may cause a command to be issued to the cable modem 100 whereupon the cable modem 100 a changes the mode of operation.
  • the mode of operation is selected based on a level of activity at the host.
  • For example, the safe mode of operation can be selected after a period of inactivity at the first host 125 is observed over a predetermined time interval.
  • the cable modem 100 a can resume the normal mode of operation upon the resumption of activity at the first host 125 .
  • the mode of operation can be selected based on the subscriber's use of the host coupled to the cable modem 100 a .
  • the cable modem 100 a need not be located near the subscriber for the mode of operation to be selected.
  • the cable modem 100 may be located in the basement of the subscriber's home while the host is located in the subscriber's home office.
  • a Host Interface Controller (HIC) 135 provides the data received by the processor 115 to the addressed host and provides data from the host to the processor 115 for transfer to the CMTS 140 .
  • the HIC 135 can be a controller suitable for interfacing to at least one host, such as an Ethernet controller, Universal Serial Bus (USB) or other type of interface known to those of skill in the art.
  • a telephone interface 116 provides telephone data from a telephone 107 , such as a Data Telephone Equipment (DTE), to the processor 115 and provides data transferred from the CMTS 140 to the telephone 107 .
  • data transfers to the telephone 107 from the CMTS 140 are unaffected by safe mode of operation.
  • FIG. 3 is a flowchart illustrating operations of a cable modem 100 according to the present invention.
  • the cable modem 100 performs initialization upon being turned on or reset (block 300 ).
  • the processor 115 reads the stored value of the safe mode flag to determine which mode of operation is selected (block 305 ) and resets a host inactivity timer that indicates the elapsed time since host activity was last detected.
  • the processor determines if data transfers from the CMTS 140 to host 125 are currently enabled (block 320 ). If data transfers are not enabled (block 320 ) to the host 125 , the processor 115 waits for host activity to be detected (block 340 ) at host 125 . Otherwise, if data transfers are currently enabled (block 320 ) to host 125 , the processor 115 disables data transfers (block 335 ) and then waits for host activity at host 125 to be detected (block 340 ).
  • the cable modem 100 continues to operate in the safe mode of operation until host activity is detected at host 125 whereupon the safe mode flag is cleared and the host inactivity timer is reset (block 345 ), or until a safe mode button is pushed (block 350 ) thereby changing the safe mode of operation to the normal mode of operation (block 360 ) and resetting the host inactivity timer.
  • the processor determines if data transfers from the CMTS 140 are currently disabled (block 315 ). If data transfers are disabled (block 315 ), the processor 115 enables data transfers and waits for the host inactivity timer to expire (block 330 ). Otherwise the processor 115 waits for the host inactivity timer to expire (block 330 ).
  • the cable modem 100 continues to operate in the normal mode of operation until the host inactivity timer expires (block 330 ) whereupon the safe mode flag is set, or until the safe mode button is pushed (block 350 ) thereby changing the normal mode of operation to safe mode of operation (block 360 ).
  • the transfer of data through the modem can be blocked during safe mode unless the data transfer includes a request for a network address to maintain access to the network for the host system or a response to the request that includes the network address.
  • the safe mode can protect a host system from unauthorized access from the network, while allowing the network service to be maintained for the host system during the safe mode of operation.
  • requests for renewals of leases, such as Dynamic Host Configuration Protocol (DHCP) requests and responses thereto, of Internet Protocol (IP) addresses used by the host system are not blocked by the modem during safe mode.
  • requests and responses for addresses of systems on the network to which the DHCP requests are transmitted such as Address Resolution Protocol (ARP) requests and responses thereto, may also not be blocked during safe mode.
  • the blocking is provided at the modem so that multiple host systems can be protected by the modem.
  • blocking all data transfers through the modem may prevent the host system from renewing a lease on an Internet Protocol (IP) address. Failure to renew the lease may cause an interruption in Internet service to the host system until the host system can reacquire a new IP address so that Internet service can be restored.
  • network address can include logical addresses of systems on a network, such as Internet Protocol (IP) addresses that make up an Internet address.
  • An IP address also called an IP number
  • IP address is used, for example, by servers on the Internet to direct data to the host system associated with the IP address.
  • the term “network address” can also include a physical address on a network, such as a MAC address of a host system connected to a Local Area Network (LAN), or the like.
  • the MAC address also called an Ethernet address or an IEEE MAC address
  • the MAC address is a number (typically written as twelve hexadecimal digits, 0 through 9 and A through F, or as six hexadecimal numbers separated by periods or colons, i.e. 0080002012EF, 0:80:0:2:20:EF) which can uniquely identify a host system that connects to the network via an Ethernet interface or a network interface, such as a Universal Serial Bus (USB) that can emulate an Ethernet interface.
  • FIG. 4 is a block diagram that illustrates embodiments of cable modems according to the present invention through which host systems can communicate with the Internet.
  • first and second host systems 420 , 425 transmit predefined communications to a modem 400 which may be transferred to the Internet 440 .
  • the modem 400 can also receive predefined communications from the Internet 440 which may be transferred to the host systems 420 , 425 .
  • the predefined communications is network access maintenance information that is used to maintain access to the Internet 440 for the host system 420 , 425 .
  • the modem 400 is a cable modem.
  • the modem 400 can operate in a normal mode wherein all data received at the cable modem 400 is transferred through the modem 400 to the Internet 440 or the first and second host systems 420 , 425 , including the predefined communications.
  • the modem 400 can also operate in safe mode wherein data transfers through the modem 400 are blocked unless the data transfer includes the predefined communications. Blocking can be performed on a per host basis. For example, in some embodiments according to the present invention, data transfers addressed to the first host 420 are blocked while data transfers addressed to the second host 425 are allowed.
  • the safe mode can be enabled by setting a flag in software.
  • the safe mode of operation is selected by “clicking” or otherwise providing input to a Graphical User Interface (GUI) that is interfaced to the modem 400 , such as a web page.
  • the subscriber may click on a button on a web page to issue a command to the modem 400 whereupon the modem 400 changes the mode of operation of the modem 400 .
  • the first host system 420 can transmit a request 445 for a network address to the modem 400 that is needed to maintain its connection to the Internet 440 .
  • the modem 400 determines that the request 445 includes the request for a network address and does not block the data transfer of request 445 to the Internet 440 . Subsequently, if the modem 400 receives a response 450 to the request 445 from the Internet 440 , the modem 400 will not block the transfer of the response 450 to the first host system 420 .
  • the second host system 425 can also transmit a request 455 for a network address to the modem 400 that is needed to maintain its connection to the Internet 440 .
  • the modem 400 determines that the request 455 includes the request for a network address and does not block the data transfer of request 455 to the Internet 440 . Subsequently, if the modem 400 receives a response 460 to the request 455 from the Internet 440 , the modem 400 will not block the transfer of the response 460 to the second host system 425 .
  • the modem 400 can block the transfer of a data transmission 465 from the second host system 425 to the Internet upon determining that the data transmission 465 does not include a request for a network address to maintain its connection to the Internet 440 .
  • the modem 400 can also block a data transmission 470 from the Internet 440 upon determining that the data transmission 470 does not include a response to a request for a network address to maintain a connection to the Internet 440 associated with the first or second host systems 420 , 425 .
  • the network access maintenance information can be requests for a network address to maintain access to the Internet 440 for the host system 420 , 425 or a response to the request that includes the network address.
  • the requests and responses can be ARP requests and ARP responses thereto.
  • the ARP requests can be generated by the host systems to determine a physical address of another system with which the host systems communicate.
  • the host system can check to see if it has the hardware address (or MAC address) associated with the destination IP address. If the destination system's hardware address is not known to the host system, then the host system can request the MAC address of the destination using an ARP request.
  • the ARP request can include the IP address of the system for which the MAC address is sought.
  • the system that is using the IP address included in the ARP request can respond by transmitting an ARP response to the host system.
  • the ARP response can include the MAC address of the host system to which the ARP response is directed.
  • the ARP response can be Unicast over the Internet to the host system.
  • the first host system 420 may need to have the MAC address of a CMTS included in the cable system which provides access to the Internet 440 .
  • the request 445 can be an ARP request transmitted to the modem 400 by the first host system 420 whereupon the modem 400 can transfer the ARP request to the CMTS according to the present invention.
  • the CMTS can transmit an ARP response, such as the ARP response 450 , to the modem 400 that includes the MAC address of the CMTS.
  • the modem 400 transfers the ARP response 450 to the first host system 420 upon determining that the ARP request 445 sent by the first host system 420 is still pending.
  • the requests and responses can also be DHCP requests and DHCP responses thereto.
  • DHCP is based on a client-server paradigm, in which a DHCP client, such as the first and second host systems 420 , 425 of FIG. 4, can contact a DHCP server for configuration parameters.
  • One configuration parameter that can be provided by DHCP is an IP address.
  • In general, a host system is initially assigned a specific IP address that is appropriate to the network on which the host system is located. If the host system moves to a new network, it can be assigned a new IP address for that new network.
  • DHCP can include other configuration parameters such as a subnet mask, a default router, a Domain Name System (DNS) server, and the like.
  • DHCP can provide IP addresses to the host systems on a “leased” basis.
  • a DHCP lease is the amount of time that the DHCP server allows the host system (or DHCP client) permission to use the IP address before the IP address expires.
  • a DHCP lease can typically provide an IP address to a host system for several hours or longer.
  • the host system having the leased IP address can request a renewal of the lease on the IP address to extend its use of the IP address.
  • the host system may begin requesting a renewal of the lease about half way through the lease period. Accordingly, an IP address currently leased to the host system will expire after the lease period expires unless the lease associated with the IP address is renewed by the DHCP client or at the DHCP server. Otherwise, the host system may lose access to the Internet 440 .
  • the request 445 in FIG. 4 can be a DHCP request generated by the first host system 420 for renewal of a lease on its current IP address.
  • the modem 400 determines that the request 445 includes the DHCP request and transfers the data to the Internet 440 .
  • the DHCP request 445 is transmitted on the Internet 440 to a DHCP server that has control over the IP address currently being used by the first host system 420 .
  • the DHCP server can transmit a DHCP response, such as response 450 , that renews the lease of the IP address.
  • the modem 400 transfers the data transmitted by the DHCP server to the first host system 420 upon determining that the data includes the DHCP response to the currently pending DHCP request.
  • multiple DHCP servers may respond by issuing respective responses 450 to the request 445 , whereupon the first host system 420 can accept one of the responses 450 .
  • FIG. 5 is a block diagram that illustrates embodiments of cable modems 500 according to the present invention through which a host system 520 can communicate with the Internet 540 using ARP requests and ARP responses using the MAC address of the host system 520 .
  • the host system 520 can transmit an ARP request 545 that includes the MAC address of the host system 520 .
  • the cable modem 500 determines that the data received from the host system 520 includes an ARP request and records that the ARP request 545 is pending.
  • the cable modem 500 associates the MAC address with the pending ARP request 545 recorded in the cable modem 500 and transfers the ARP request 545 to the Internet 540 .
  • the cable modem 500 can maintain a table that indicates which ARP requests are currently pending and which MAC address is associated with each pending ARP request.
  • a learn table included in the cable modem 500 can be extended to include the MAC addresses associated with the ARP requests.
  • the cable modem 500 determines whether the data includes an ARP response. If the cable modem 500 determines that the data includes an ARP response, the cable modem 500 determines if a MAC address included with the ARP response matches the MAC address associated with the ARP request 545 that is pending in the cable modem 500. For example, the cable modem 500 can check the table used to record which ARP requests are pending and the MAC addresses associated with each. If the ARP response includes a MAC address which matches the MAC address associated with any of the pending ARP requests, the cable modem 500 can transfer the ARP response to the host system having the MAC address associated with the ARP request.
  • ARP requests made by other host systems and responses thereto can also be processed by the cable modem 500 .
  • a second host system can transmit ARP requests including a second MAC address to the cable modem 500 .
  • the cable modem 500 can associate the ARP requests from the second host system with a second MAC address in the same table used to associate the ARP request 545 with the MAC address of the host system 520 .
  • the cable modem 500 can disassociate the MAC address with the pending ARP request so that any subsequent data received from the Internet can be blocked by the cable modem 500 even if the data appears to be an ARP response that includes the MAC address that was associated with the previous ARP request. For example, if ARP response 570 is received by the cable modem 500 after receiving ARP response 550 and is determined to include the same MAC address that was included with ARP response 550 , ARP response 570 will be blocked by the cable modem 500 .
  • the MAC address can be disassociated from the pending ARP request by deleting the ARP request from the table or by deleting the MAC address from the table, or otherwise indicating that a corresponding response for the pending ARP request has already been received and transferred by the cable modem 500 .
  • FIG. 6 is a block diagram that illustrates embodiments of cable modems 600 according to the present invention through which a host system 620 can communicate with a DHCP server 640 using DHCP requests and DHCP responses including Transaction Identifiers (XID) generated by the host system 620 that uniquely identify the DHCP requests and responses.
  • the host system 620 can transmit a DHCP request 645 that includes an XID generated by the host system 620 .
  • the cable modem 600 determines that the data received from the host system 620 includes a DHCP request and records that the DHCP request 645 is currently pending.
  • the cable modem 600 associates the XID with the pending DHCP request 645 recorded in the cable modem 600 and transfers the DHCP request 645 to the DHCP server 640 .
  • the cable modem 600 can maintain a table that indicates which DHCP requests are currently pending and what XID is associated with each of the pending DHCP requests.
  • the learn table included in the cable modem 600 can be extended to include the XID associated with the DHCP requests.
  • Upon receiving data from the DHCP server 640, the cable modem 600 determines whether the data includes a DHCP response. If the cable modem 600 determines that the data includes a DHCP response, the cable modem 600 determines if an XID included with the DHCP response corresponds to the XID associated with any of the DHCP requests that are currently pending in the cable modem 600. For example, the cable modem 600 can compare the XID included with the DHCP response 650 with the XID associated with DHCP request 645. If the DHCP response includes an XID which matches the XID associated with any of the pending DHCP requests, the cable modem 600 can transfer the DHCP response to the host system having the XID associated with the DHCP request.
  • DHCP requests made by other host systems and responses thereto can also be processed by the cable modem 600 .
  • a second host system can transmit DHCP requests including a second XID to the cable modem 600 .
  • the cable modem 600 can associate the DHCP requests from the second host system with the second XID in the same table used to associate the DHCP request 645 with the XID of the first host system 620 .
  • the cable modem 600 can disassociate the XID with the pending DHCP request so that any subsequent data received can be blocked by the cable modem 600 even if the data appears to be a DHCP response that includes an XID previously associated with a once pending DHCP request. For example, if DHCP response 670 is received by the cable modem 600 after receiving DHCP response 650 and is determined to include the same XID that was included with DHCP response 650 , DHCP response 670 will be blocked by the cable modem 600 .
  • the XID can be disassociated from the pending DHCP request by deleting the DHCP request from the table, by deleting the XID from the table, or otherwise indicating that a corresponding response for the pending DHCP request has already been received and transferred by the cable modem 600 .
  • the XID can be disassociated from a pending DHCP request when a second DHCP request is received from the same host system before a DHCP response is received to the first (currently pending) DHCP request.
  • the cable modem 600 can disassociate the XID from the DHCP request 645 in the cable modem 600. Subsequently, when the DHCP response 650 is received it will be blocked by the cable modem 600.
  • FIG. 7 is a block diagram that illustrates embodiments of cable modems 700 according to the present invention through which a host system 720 can transmit and receive ARP requests and responses and DHCP requests and responses.
  • the host system 720 can include a MAC address in the ARP requests and include an XID in the DHCP requests so that each of the requests can be uniquely identified when determining whether an ARP/DHCP response matches a currently pending ARP/DHCP request in the cable modem 700 .
  • the host system 720 transmits an ARP request 745 to determine the MAC address of a CMTS 710 .
  • the MAC address of the host system can be included in an ARP request 745 and can be associated with the ARP request 745 in the cable modem 700 .
  • the ARP request 745 can be transmitted to the CMTS 710 which can transmit an ARP response 750 to provide the MAC address requested in the ARP request 745 .
  • the cable modem 700 determines that the ARP response 750 includes the same MAC address that is associated with the ARP request 745 in the cable modem 700 , transfers the data received from the CMTS 710 to the host system 720 , and disassociates the MAC address with the ARP request 745 in the cable modem so that any subsequent ARP responses having the same MAC address can be blocked by the cable modem 700 .
  • the host system 720 transmits a DHCP discover request 755 to a DHCP server 740 for an IP address.
  • the DHCP discover request 755 can include an XID 1 that the cable modem 700 associates with the DHCP discover request 755 .
  • the cable modem 700 transfers the DHCP discover request 755 , including the XID 1 , to the DHCP server 740 via the CMTS 710 .
  • the DHCP server 740 can transmit a DHCP offer 760 of an IP address, including XID 1 , to the cable modem 700 via the CMTS 710 .
  • the cable modem 700 determines that the DHCP offer 760 includes the XID 1 that is associated with the currently pending DHCP discover request 755 in the cable modem 700 , transfers the DHCP offer 760 to the host system 720 , and disassociates the DHCP discover request 755 with the XID 1 in the cable modem so that any subsequent DHCP responses that include XID 1 can be blocked by the cable modem 700 .
  • the host system 720 transmits a DHCP request 765 , including an XID 2 , to the DHCP server 740 that requests the IP address in the DHCP offer 760 .
  • the cable modem 700 associates the DHCP request 765 with the XID 2 in the cable modem 700 and transfers the DHCP request 765 , including the XID 2 , to the DHCP server 740 via the CMTS 710 .
  • the DHCP server 740 can transmit a DHCP ACK 770, including XID 2, to the cable modem 700 via the CMTS 710 granting the host system 720 the use of the requested IP address.
  • the cable modem 700 determines that the DHCP ACK 770 includes the XID 2 that is associated with the currently pending DHCP request 765 in the cable modem 700 , transfers the DHCP ACK 760 to the host system 720 , and disassociates the DHCP request 765 with the XID 2 in the cable modem so that any subsequent DHCP ACKs that include XID 2 can be blocked by the cable modem 700 .
  • the host system 720 can renew the lease on the IP address by transmitting a new DHCP request before the lease expires.
  • leases provided by a DHCP server can last several hours.
  • the host system 720 may transmit the DHCP renewal request to the DHCP server 740 about halfway through the current lease. For example, if the current lease will expire about four hours after the DHCP server 740 transmits the DHCP ACK 770, the host system 720 may transmit a DHCP renewal request about two hours after the DHCP server 740 transmitted the DHCP ACK 770.
  • the host system 720 may transmit an ARP request 775 to ensure that the host system 720 is using the most current MAC address when communicating with the CMTS 710 and the DHCP server 740 .
  • the host system 720 transmits an ARP request 775 to determine the MAC address of the CMTS 710 .
  • the MAC address of the host system 720 can be included in the ARP request 775 and can be associated with the ARP request 775 in the cable modem 700 .
  • the ARP request 775 can be transmitted to the CMTS 710 which can transmit an ARP response 780 to provide the MAC address requested by the ARP request 775 .
  • the cable modem 700 determines that the ARP response 780 includes the same MAC address that is associated with the ARP request 775 in the cable modem 700 , transfers the data received from the CMTS 710 to the host system 720 , and disassociates the MAC address from the ARP request 775 in the cable modem 700 so that any subsequent ARP responses having the same MAC address can be blocked by the cable modem 700 .
  • the host system 720 can transmit a DHCP renewal request 785 for the current IP address to the DHCP server 740 via the CMTS 710 .
  • the DHCP renewal request 785 can include an XID 3 that the cable modem 700 associates with the DHCP renewal request 785 .
  • the cable modem 700 transfers the DHCP renewal request 785 , including the XID 3 , to the DHCP server 740 via the CMTS 710 .
  • the DHCP server 740 can transmit a DHCP ACK 790 to the cable modem 700 , including the XID 3 , to grant the renewal of the lease on the current IP address.
  • the cable modem 700 determines that the DHCP ACK 790 includes the XID 3 that is associated with the currently pending DHCP renewal request 785 in the cable modem 700 , transfers the DHCP ACK 790 to the host system 720 , and disassociates the DHCP renewal request 785 from the XID 3 in the cable modem 700 so that any subsequent DHCP responses that include XID 3 can be blocked by the cable modem 700 .
  • FIGS. 8A and 8B are flowcharts that illustrate embodiments of methods and systems of cable modems according to the present invention.
  • Upon receiving data from a host system while in safe mode, the cable modem determines whether the received data includes an ARP request (block 800) or a DHCP request (block 805). Otherwise, the data is blocked (block 810).
  • the MAC included therewith is associated with the pending ARP request in the cable modem and is transferred to the network in conjunction with setting a time-out interval timer (block 815 ).
  • Unlearned entries will be 0:0:0:0:0:0 and shouldn't match
  • the XID included therewith is associated with the pending DHCP request in the cable modem and is transferred to the network in conjunction with setting a time-out interval timer (block 820 ).
  • Unlearned entries will be 0:0:0:0:0:0 and shouldn't match
  • Upon receiving data from the network while in safe mode, the cable modem determines whether the received data includes an ARP response (block 825) or a DHCP response (block 830). Otherwise, the data is blocked (block 835).
  • the MAC address included therewith is checked to determine if it matches the MAC address associated with the pending ARP request in the cable modem (block 840). If a match occurs, the DHCP response is transferred to the host system in conjunction with resetting the time-out interval timer (block 845). If the MAC addresses do not match, the data is blocked (block 835).
  • the XID included therewith is compared to the XID associated with the currently pending DHCP request in the cable modem (block 850 ). If the XIDs match, the DHCP response is transferred to the host system and the DHCP request is disassociated with the XID in the cable modem in conjunction with resetting a time-out interval timer (block 855 ).
  • the currently pending request associated with the time-out interval timer that expired is disassociated from the MAC or XID so that any subsequent ARP or DHCP responses including the MAC address or XID can be blocked by the cable modem.
  • FIG. 9 is a flowchart that illustrates cable modems and methods according to embodiments of the present invention.
  • embodiments of modems according to the present invention can include a safe mode according to the present invention and a firewall mode.
  • the respective states of the firewall mode and the safe mode in the cable modem can be changed by, for example, pushing the safe mode button 108 .
  • the firewall mode can be provided by commercially available software, such as software marketed by BVRP Software, 1 bis rue Collange, 92593 Levallois Perret Cedex, France and on the web at www.vicomsoft.com. It will be understood by those having skill in the art that a firewall can examine traffic routed between the host system and the Internet if the traffic meets certain criteria. Firewalls can filter data using address filtering, protocol filtering, etc.
  • the cable modem powers-up so that the safe mode is disabled and the firewall is off (block 900 ).
  • the firewall is enabled and the safe mode is disabled (block 910 ).
  • the safe mode is enabled (block 920 ).
  • the cable modem disables the firewall and the safe mode (block 900 ). The safe mode and the firewall operation can continue to be cycled each time input is provided to the cable modem.
  • Input can be provided to the cable modem by pushing the safe mode button 108 on the modem housing or by clicking on a GUI as described above.
  • the user changes the firewall/safe mode by depressing the safe mode button 108 for about a predetermined time and releasing the safe mode button 108 .
  • the user can change the firewall/safe mode by depressing the safe mode button 108 for about four seconds and then releasing the safe mode button 108 .
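The safe-mode filtering described above for FIGS. 8A and 8B, as an added C example that is not code from the patent. Assumptions: an ARP request is keyed on its sender hardware address and a reply is matched on its target hardware address; the table size, the 5-second time-out and all function names are illustrative; the frames are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { BLOCK, FORWARD };
enum kind { NONE, ARP_REQ, DHCP_REQ };      /* NONE = unlearned slot, never matches */
enum { SLOTS = 8, TIMEOUT = 5 };            /* assumed table size and time-out (seconds) */
enum { ARP_LEN = 42, DHCP_LEN = 50 };       /* frame bytes the filter needs to see */
struct pending { enum kind kind; uint8_t mac[6]; uint32_t xid; long deadline; };
static struct pending table[SLOTS];

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
/* ARP opcode (1 request, 2 reply) of an Ethernet/IPv4 ARP frame, 0 for anything else. */
static int arp_oper(const uint8_t *f, size_t n) {
    if (n < ARP_LEN || rd16(f + 12) != 0x0806 || rd16(f + 14) != 1) return 0;
    if (rd16(f + 16) != 0x0800 || f[18] != 6 || f[19] != 4) return 0;
    return rd16(f + 20);
}

/* BOOTP header of an unfragmented IPv4/UDP frame to dport with opcode op, else NULL. */
static const uint8_t *bootp(const uint8_t *f, size_t n, uint16_t dport, uint8_t op) {
    if (n < 34 || rd16(f + 12) != 0x0800 || (f[14] >> 4) != 4) return NULL;
    size_t ihl = (size_t)(f[14] & 0x0f) * 4;
    if (ihl < 20 || n < 14 + ihl + 16 || f[23] != 17 || (rd16(f + 20) & 0x3fff)) return NULL;
    const uint8_t *udp = f + 14 + ihl;
    return (rd16(udp + 2) == dport && udp[8] == op) ? udp + 8 : NULL;
}

/* Blocks 815/820: record a pending request; a newer one from the same host replaces it. */
static int learn(enum kind k, const uint8_t *mac, uint32_t xid, long now) {
    struct pending *slot = NULL;
    for (int i = 0; i < SLOTS; i++) {
        struct pending *p = &table[i];
        if (p->kind != NONE && p->deadline <= now) p->kind = NONE;   /* timer expired */
        if (p->kind == k && memcmp(p->mac, mac, 6) == 0) { slot = p; break; }
        if (p->kind == NONE && !slot) slot = p;
    }
    if (!slot) return 0;                                 /* table full: fail closed */
    slot->kind = k; slot->xid = xid; slot->deadline = now + TIMEOUT; memcpy(slot->mac, mac, 6);
    return 1;
}

/* Blocks 840-855: a matching response is accepted once, then the entry is cleared. */
static int consume(enum kind k, const uint8_t *mac, uint32_t xid, long now) {
    for (int i = 0; i < SLOTS; i++) {
        struct pending *p = &table[i];
        if (p->kind != k || p->deadline <= now) continue;
        if (k == ARP_REQ ? memcmp(p->mac, mac, 6) == 0 : p->xid == xid) { p->kind = NONE; return 1; }
    }
    return 0;
}

enum verdict from_host(const uint8_t *f, size_t n, long now) {       /* blocks 800-820 */
    const uint8_t *b = bootp(f, n, 67, 1);
    if (arp_oper(f, n) == 1) return learn(ARP_REQ, f + 22, 0, now) ? FORWARD : BLOCK;
    if (b) return learn(DHCP_REQ, f + 6, rd32(b + 4), now) ? FORWARD : BLOCK;
    return BLOCK;                                                    /* block 810 */
}
enum verdict from_network(const uint8_t *f, size_t n, long now) {    /* blocks 825-855 */
    const uint8_t *b = bootp(f, n, 68, 2);
    if (arp_oper(f, n) == 2) return consume(ARP_REQ, f + 32, 0, now) ? FORWARD : BLOCK;
    if (b) return consume(DHCP_REQ, NULL, rd32(b + 4), now) ? FORWARD : BLOCK;
    return BLOCK;                                                    /* block 835 */
}

/* Constructed sample frames (not captures): only the fields the filter reads are set. */
const uint8_t *make_arp(uint8_t *f, uint8_t oper, const uint8_t *sha, const uint8_t *tha) {
    memset(f, 0, ARP_LEN);
    f[12] = 0x08; f[13] = 0x06; f[15] = 1; f[16] = 0x08; f[18] = 6; f[19] = 4; f[21] = oper;
    memcpy(f + 6, sha, 6); memcpy(f + 22, sha, 6); memcpy(f + 32, tha, 6);
    return f;
}
const uint8_t *make_dhcp(uint8_t *f, const uint8_t *src, uint8_t dport, uint8_t op, uint32_t xid) {
    memset(f, 0, DHCP_LEN); memcpy(f + 6, src, 6);
    f[12] = 0x08; f[14] = 0x45; f[23] = 17; f[37] = dport; f[42] = op;
    for (int i = 0; i < 4; i++) f[46 + i] = (uint8_t)(xid >> (24 - 8 * i));
    return f;
}

/* Constructed exchange; bit i of the result is set when step i was forwarded. */
unsigned demo(void) {
    const uint8_t host[6] = {2, 0, 0, 0, 0, 1}, cmts[6] = {2, 0, 0, 0, 0, 0xfe}, none[6] = {0};
    uint8_t f[64]; unsigned v = 0;
    memset(table, 0, sizeof table);
    v |= from_host(make_arp(f, 1, host, none), ARP_LEN, 0) << 0;              /* ARP request */
    v |= from_network(make_arp(f, 2, cmts, host), ARP_LEN, 1) << 1;           /* matching reply */
    v |= from_network(f, ARP_LEN, 2) << 2;                                    /* replayed reply */
    v |= from_host(make_dhcp(f, host, 67, 1, 0x1111), DHCP_LEN, 3) << 3;      /* DHCP request */
    v |= from_host(make_dhcp(f, host, 67, 1, 0x2222), DHCP_LEN, 4) << 4;      /* newer request */
    v |= from_network(make_dhcp(f, cmts, 68, 2, 0x1111), DHCP_LEN, 5) << 5;   /* superseded XID */
    v |= from_network(make_dhcp(f, cmts, 68, 2, 0x2222), DHCP_LEN, 6) << 6;   /* matching ACK */
    v |= from_network(f, DHCP_LEN, 7) << 7;                                   /* replayed ACK */
    v |= from_host(make_arp(f, 1, host, none), ARP_LEN, 20) << 8;             /* ARP request */
    v |= from_network(make_arp(f, 2, cmts, host), ARP_LEN, 20 + TIMEOUT) << 9; /* after time-out */
    return v;
}
int main(void) { printf("forwarded steps: 0x%x\n", demo()); return 0; }
```

Only the six requests and first matching responses are forwarded; the replayed, superseded and late responses are dropped, as is any frame that is neither ARP nor DHCP.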

Abstract

The transfer of data through a modem can be blocked in the modem during a safe mode unless the data includes predefined communications such as a request for a network address to maintain access to the network for the host system or a response to the request that includes the network address. Accordingly, the safe mode can protect a host system from unauthorized access from the network, while allowing the network service to be maintained for the host system. In particular, requests for renewals of leases, such as Dynamic Host Configuration Protocol (DHCP) requests and responses thereto, on Internet Protocol (IP) addresses used by the host system may not be blocked by the modem during safe mode. Furthermore, requests and responses for addresses of systems on the network to which the DHCP requests are transmitted, such as Address Resolution Protocol (ARP) requests and responses thereto, may also not be blocked during safe mode. Moreover, in some embodiments according to the present invention, the blocking is provided at the modem so that multiple host systems can be protected by the modem. Related methods, modems, and systems are disclosed.

Description

    CLAIM FOR PRIORITY
  • This application is a Continuation-In-Part (CIP) of, and claims priority to, U.S. patent application Ser. No. 09/307,363, filed May 7, 1999, entitled Cable Modems that Block Data Transfers During Safe Mode of Operation and Related Methods, which is commonly assigned to the assignee of the present CIP, the entire disclosure of which is hereby incorporated herein by reference as if set forth herein in its entirety.[0001]
  • FIELD OF THE INVENTION
  • The present invention relates to the field of communications in general and more particularly to modems and related methods and systems. [0002]
  • BACKGROUND
  • With the rise in popularity of the Internet, many users are accessing the Internet through the Public Switched Telephone Network (PSTN) over a modem connected to a telephone line in the user's home. Unfortunately, the bandwidth provided by home telephone lines may prove to be inadequate for some applications on the Internet. For example, some data sets provided by the Internet may be so large that it is difficult to transfer the data set over the telephone line in a given time so that the application operates in a real-time manner. In particular, current residential telephone modem technology may be limited to data rates on the order of 56 kilobaud (kb). [0003]
  • In an attempt to reduce the bandwidth problem associated with the telephone lines described above, there have been efforts to provide Internet service over coaxial cables used to provide cable TV. Accordingly, the user may access the Internet over the cable system using a cable modem to provide data rates of 42 megabaud or higher. Accessing the Internet via a cable system may involve initializing the cable modem each time the cable modem is turned on, during which the cable modem may register with the cable system. For example, when the user wishes to access the Internet, the user may turn on the cable modem which then registers with the cable system. [0004]
  • As the number of cable modems handled by the cable system increases, the time needed to register each cable modem may also increase thereby lengthening the registration time. For example, if hundreds of cable modems are used in a cable system, the registration time for a selected cable modem may be several minutes. Consequently, the user may wish to avoid turning the cable modem off in an effort to avoid the delay incurred by a lengthy registration process. For example, if the user turns the cable modem on just prior to accessing the Internet, the user may need to wait for the registration process to complete before gaining access to the Internet. Moreover, cable systems may also provide television and telephone service to a user's home such as by routing these services through the cable modem to the television and telephone. Accordingly, the user may desire that the cable modem be left on so as not to interrupt telephone or television service. [0005]
  • Unfortunately, leaving the cable modem turned on may decrease the security of the computer to which the cable modem is attached. In particular, the computer may be more susceptible to attack via the cable. For example, an unauthorized user may attempt to gain access to the computer via the cable. Moreover, because the cable provides relatively high bandwidth, relatively simple attacks, such as trying a large number of password combinations, may require only a short time to be successful. In view of the above, there exists a need to improve the security of cable modems used to access the Internet via cable systems. [0006]
  • Accordingly, the present invention may allow improvement in the security of cable modems by blocking access to the cable modem from the cable system while the cable modem is in safe mode. Blocking data transfers may allow the subscriber to leave the host system connected to the cable modem, thereby possibly avoiding the delay associated with the registration process while reducing the security threats posed by maintaining a physical connection to the cable modem. [0007]
  • SUMMARY OF THE INVENTION
  • Embodiments according to the present invention provide methods, modems, and systems for blocking the transfer of data in a modem during a safe mode unless the data transfer includes predefined communications. In some embodiments, the predefined communications can be network access maintenance information such as a request for a network address to maintain access to the network for the host system or a response to the request that includes a network address. Accordingly, the safe mode can protect a host system from unauthorized access from the network, while allowing the network service to be maintained for the host system during the safe mode of operation. [0008]
  • In particular, requests for renewals of leases, such as Dynamic Host Configuration Protocol (DHCP) requests and responses thereto, on Internet Protocol (IP) addresses used by the host system may not be blocked by the modem during safe mode. Furthermore, requests and responses for addresses of systems on the network to which the DHCP requests are transmitted, such as Address Resolution Protocol (ARP) requests and responses thereto, may also not be blocked during safe mode. Moreover, in some embodiments according to the present invention, the blocking is provided at the modem so that multiple host systems can be protected by the modem. [0009]
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a block diagram of an embodiment of a cable system according to the present invention. [0010]
  • FIG. 2 is a block diagram of an embodiment of the cable modem 100 of FIG. 1. [0011]
  • FIG. 3 is a flowchart that illustrates operations of a cable modem according to the present invention. [0012]
  • FIG. 4 is a block diagram that illustrates embodiments of cable modems according to the present invention through which host systems can communicate with the Internet. [0013]
  • FIG. 5 is a block diagram that illustrates embodiments of cable modems according to the present invention through which host systems can communicate with the Internet. [0014]
  • FIG. 6 is a block diagram that illustrates embodiments of cable modems according to the present invention through which host systems can communicate with the Internet. [0015]
  • FIG. 7 is a block diagram that illustrates embodiments of cable modems according to the present invention through which host systems can communicate with the Internet. [0016]
  • FIGS. 8A and 8B are flowcharts that illustrate embodiments of methods, cable modems, and systems according to the present invention through which host systems can communicate with the Internet. [0017]
  • FIG. 9 is a flowchart that illustrates cable modems and methods according to embodiments of the present invention.[0018]
  • DETAILED DESCRIPTION OF THE INVENTION
  • The present invention now will be described more fully hereinafter with reference to the accompanying drawings, in which preferred embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Like numbers refer to like elements throughout. [0019]
  • As will be appreciated by one of skill in the art, the present invention may be embodied as methods, devices, or systems. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects all of which may be generally referred to herein as a “circuit.”[0020]
  • The present invention is also described using flowchart illustrations. It will be understood that each block of the flowchart illustrations, and combinations of blocks in the flowchart illustrations, can be implemented by computer program instructions. These program instructions may be provided to a processor, such that the instructions which execute on the processor create means for implementing the functions specified in the flowchart block or blocks. The computer program instructions may be executed by the processor to cause a series of operational steps to be performed by the processor to produce a computer implemented process such that the instructions which execute on the processor provide steps for implementing the functions specified in the flowchart block or blocks. [0021]
  • Accordingly, blocks of the flowchart illustrations support combinations of means for performing the specified functions, combinations of steps for performing the specified functions and program instruction means for performing the specified functions. It will also be understood that each block of the flowchart illustrations, and combinations of blocks in the flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or steps, or combinations of special purpose hardware and computer instructions. In some embodiments according to the present invention, the functions disclosed in the blocks may occur out of the order illustrated in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. [0022]
  • It will be understood that the term “coupled” as used herein to describe arrangements of devices includes arrangements wherein intervening devices are present between the coupled devices. For example, where a first device is described as coupled to a second device, the description will be understood to include other devices located between and coupled to the first and second devices. [0023]
  • FIG. 1 is a block diagram of an embodiment of a cable system according to the present invention. The cable system includes a Cable Modem Termination System or Cable Modem Terminal Server (CMTS) [0024] 140 and a plurality of cable modems 100. The CMTS 140 can provide services, such as television service, telephone service, and internet service, to subscribers of the cable system via cable modems 100 by transferring data over a cable 110, such as a coaxial cable. For example, a subscriber may access the Internet through the respective cable modem 100 from a host 125 such as a Personal Computer (PC).
  • The [0025] CMTS 140 manages the services provided to the respective subscribers in the cable system. For example, a first subscriber may receive television, telephone, and Internet services while a second subscriber may receive only Internet service. Moreover, different subscribers may receive a different quality of service. For example, a first subscriber may receive Internet service at relatively low bandwidth while a second subscriber may receive Internet service at relatively high bandwidth. Accordingly, the CMTS 140 transmits and receives data to and from the respective cable modems 100 a-f at the rates associated with the respective subscribers. The CMTS 140 can also adjust parameters of the cable modems 100 a-f used to transfer data such as phase timing, frequencies and power levels associated with the transfer of data between the respective cable modems 100 a-f and the CMTS 140. For example, the CMTS 140 can monitor the timing and power levels of the data transferred from the respective cable modems 100 a-f and instruct each cable modems 100 a-f to adjust the timing and power level of the data transfer performed by the cable modems 100 a-f.
  • In one embodiment, the Internet service provided by the [0026] CMTS 140 includes data transferred between the CMTS 140 and the cable modem 100 a via the cable 110 at respective frequencies. For example, the subscriber may request information from the Internet, wherein data is transferred from the host 125 through the cable modem 100 a to the CMTS 140 over the cable 110 at a first frequency. The CMTS 140 responds to the request for information by transferring the requested data from the CMTS 140 to the host 125 through the cable modem 100 a over the cable 110 at a second frequency. In another embodiment, the request is transmitted via a telephone line which is not part of the cable system.
  • It will be understood by those of skill in the art, that the data transfers between the [0027] CMTS 140 and the cable modem 100 a may be performed according to standards known in the art. For example, data transfers between the CMTS 140 and the cable modem 100 a may be performed using a Time Division Multiple Access (TDMA) technique wherein data is transmitted and received over the cable 110 in predefined time-slots. Standards for the transfer of data in cable systems are discussed in the Data Over Cable System Interface Specification (DOCSIS).
  • When the [0028] cable modem 100 a is turned on, the cable modem 100 a performs an initialization sequence wherein the cable modem 100 a registers with the cable system. In particular, the cable modem 100 a transfers an identifier to the CMTS 140 that identifies the cable modem 100 a within the cable system. Accordingly, the CMTS 140 can communicate with the selected cable modem 100 a using the cable modem's respective identifier.
  • During registration, the [0029] CMTS 140 performs ranging of each of the cable modems 100 a-f registered to adjust for the propagation delay of that data transferred, to adjust the proper power level of the data transfer, and to determine the quality of service provided to the subscriber. If telephone service is provided to the subscriber via the cable system, the registration process can also include the determination of parameters for the telephone service.
  • [0030] After registration, the CMTS 140 provides services to the subscriber via the respective cable modem 100 a. In operation, services are provided by data transfers between the CMTS 140 and the cable modem 100 a. In particular, data is transferred from the CMTS 140 to a selected cable modem 100 a using the identifier that identifies the selected cable modem 100 a in the cable system. In operation, the data transfer to the selected cable modem 100 a includes the identifier which matches the identifier of the selected cable modem 100 a. For example, if the selected cable modem 100 a has an associated identifier of 800, a data transfer including an identifier of 800 will be accepted by the selected cable modem 100 a. A data transfer can include information and/or a command directed to the selected cable modem 100 a.
  • [0031] FIG. 2 is a block diagram of an embodiment of the cable modem 100 of FIG. 1. Data is transferred between the CMTS 140 and the cable modem 100 by a Media Access Controller (MAC) 105 coupled to the cable 110. The MAC 105 accepts data transfers from the CMTS 140 if the identifier included in the data transfer matches the identifier of the cable modem 100. The data transfer can include information intended for a first host 125, a second host 120, a telephone 107, the cable modem 100, or other device accessed via the cable modem 100. For example, the data transfer may include information intended for the first host 125 in response to a request made by the first host 125 or a range command for the cable modem 100 to transfer timed information to the CMTS 140. The functions provided by the MAC 105 may be provided by software running on processor 115 or by hardware and/or software separate from the processor. While the processor, media access controller, host interface controller, and telephone interface controller of FIG. 2 are illustrated as separate blocks, it will be understood that one or more of these portions of the modem, or sub-portions thereof, can be implemented using combined hardware and/or software.
  • [0032] The data transfer may include an address specifying which device coupled to the cable modem 100 is the destination of the data transfer. For example, if the data transfer is intended for the second host 120, the address included in the data transfer identifies the second host 120 as the destination. Although not shown, the MAC 105 may be coupled to a Radio Frequency (RF) tuner that modulates and demodulates the data included in the data transfers. For example, data transfers to the CMTS 140 may be modulated and transferred over a first channel on the cable 110. The RF tuner demodulates the data transferred from the CMTS 140 over a second channel on the cable 110.
  • [0033] A processor 115 coordinates operations of the cable modem 100 within the cable system to provide the selected services to the subscriber. According to the present invention, data transfers to addressed hosts are blocked by the processor 115 during a safe mode of operation and not blocked by the processor 115 during normal mode operation. Moreover, blocking can be performed on a host basis. For example, in one embodiment, data transfers addressed to the first host 125 are blocked while data transfers addressed to the second host 120 are received and provided to the second host 120. Moreover, data transfers including commands for the cable modem 100 or addressed to devices other than the hosts are unaffected by the safe mode of operation. For example, a ranging command issued to the cable modem 100 during safe mode of operation is accepted and responded to by the MAC 105.
  • [0034] In one embodiment, the safe or normal mode of operation is selected using software that maintains a safe mode flag that is set to either a safe mode state or a normal mode state to indicate the selected mode of operation. For example, the flag can be set to the safe mode state to indicate the safe mode of operation and set to the normal mode state to indicate the normal mode of operation. In one embodiment, the mode of operation is selected by pressing a safe mode button 108 on the housing of the cable modem 100 a. The safe mode button 108 can be a momentary switch that causes the processor 115 to toggle the mode of operation.
  • [0035] In another embodiment, the mode of operation is selected via a command issued by the host. For example, the subscriber may cause a command to be issued to the cable modem 100 whereupon the cable modem 100 a changes the mode of operation. In still another embodiment, the mode of operation is selected based on a level of activity at the host. For example, the safe mode of operation can be selected after a period of inactivity at the first host 125 is observed over a predetermined time interval. The cable modem 100 a can resume the normal mode of operation upon the resumption of activity at the first host 125. Accordingly, the mode of operation can be selected based on the subscriber's use of the host coupled to the cable modem 100 a. Moreover, the cable modem 100 a need not be located near the subscriber for the mode of operation to be selected. For example, the cable modem 100 may be located in the basement of the subscriber's home while the host is located in the subscriber's home office.
  • [0036] A Host Interface Controller (HIC) 135 provides the data received by the processor 115 to the addressed host and provides data from the host to the processor 115 for transfer to the CMTS 140. The HIC 135 can be a controller suitable for interfacing to at least one host, such as an Ethernet controller, Universal Serial Bus (USB) or other type of interface known to those of skill in the art.
  • [0037] A telephone interface 116 provides telephone data from a telephone 107, such as a Data Telephone Equipment (DTE), to the processor 115 and provides data transferred from the CMTS 140 to the telephone 107. As described above, data transfers to the telephone 107 from the CMTS 140 are unaffected by the safe mode of operation.
  • [0038] FIG. 3 is a flowchart illustrating operations of a cable modem 100 according to the present invention. According to FIG. 3, the cable modem 100 performs initialization upon being turned on or reset (block 300). The processor 115 reads the stored value of the safe mode flag to determine which mode of operation is selected (block 305) and resets a host inactivity timer that indicates the elapsed time since host activity was last detected.
  • [0039] If the safe mode flag indicates that safe mode of operation is selected (block 310) for host 115, the processor determines if data transfers from the CMTS 140 to host 125 are currently enabled (block 320). If data transfers are not enabled (block 320) to the host 125, the processor 115 waits for host activity to be detected (block 340) at host 125. Otherwise, if data transfers are currently enabled (block 320) to host 125, the processor 115 disables data transfers (block 335) and then waits for host activity at host 125 to be detected (block 340).
  • [0040] The cable modem 100 continues to operate in the safe mode of operation until host activity is detected at host 125 whereupon the safe mode flag is cleared and the host inactivity timer is reset (block 345), or until a safe mode button is pushed (block 350) thereby changing the safe mode of operation to the normal mode of operation (block 360) and resetting the host inactivity timer.
  • [0041] When the normal mode of operation is enabled (block 310), due to the commencement of activity at the host 125 (block 345) or by pressing the safe mode button (block 360), the processor determines if data transfers from the CMTS 140 are currently disabled (block 315). If data transfers are disabled (block 315), the processor 115 enables data transfers and waits for the host inactivity timer to expire (block 330). Otherwise the processor 115 waits for the host inactivity timer to expire (block 330).
  • [0042] The cable modem 100 continues to operate in the normal mode of operation until the host inactivity timer expires (block 330) whereupon the safe mode flag is set, or until the safe mode button is pushed (block 350) thereby changing the normal mode of operation to safe mode of operation (block 360).
  • [0043] Pursuant to further embodiments according to the present invention, the transfer of data through the modem can be blocked during safe mode unless the data transfer includes a request for a network address to maintain access to the network for the host system or a response to the request that includes the network address. Accordingly, the safe mode can protect a host system from unauthorized access from the network, while allowing the network service to be maintained for the host system during the safe mode of operation.
  • [0044] In particular embodiments according to the present invention, requests for renewals of leases, such as Dynamic Host Configuration Protocol (DHCP) requests and responses thereto, of Internet Protocol (IP) addresses used by the host system are not blocked by the modem during safe mode. Furthermore, requests and responses for addresses of systems on the network to which the DHCP requests are transmitted, such as Address Resolution Protocol (ARP) requests and responses thereto, may also not be blocked during safe mode. Moreover, in some embodiments according to the present invention, the blocking is provided at the modem so that multiple host systems can be protected by the modem.
  • [0045] In contrast, blocking all data transfers through the modem may prevent the host system from renewing a lease on an Internet Protocol (IP) address. Failure to renew the lease may cause an interruption in Internet service to the host system until the host system can reacquire a new IP address so that Internet service can be restored.
  • [0046] Although embodiments according to the present invention are disclosed herein with reference to cable modems, it will be understood that the invention can be embodied in any device which provides a connection between a network and a host system. Furthermore, although embodiments according to the present invention are disclosed herein with reference to the Internet, it will be understood that the present invention may be practiced with any type of network that provides “always on” connections using network addresses which are renewed over time.
  • [0047] As used herein the term “network address” can include logical addresses of systems on a network, such as Internet Protocol (IP) addresses that make up an Internet address. An IP address (also called an IP number) can be a number which uniquely identifies a computer system (or host system) that uses the Internet. The IP address is used, for example, by servers on the Internet to direct data to the host system associated with the IP address.
  • [0048] The term “network address” can also include a physical address on a network, such as a MAC address of a host system connected to a Local Area Network (LAN), or the like. The MAC address (also called an Ethernet address or an IEEE MAC address) is a number (typically written as twelve hexadecimal digits, 0 through 9 and A through F, or as six hexadecimal numbers separated by periods or colons, i.e. 0080002012EF, 0:80:0:2:20:EF) which can uniquely identify a host system that connects to the network via an Ethernet interface or a network interface, such as a Universal Serial Bus (USB) that can emulate an Ethernet interface.
  • [0049] FIG. 4 is a block diagram that illustrates embodiments of cable modems according to the present invention through which host systems can communicate with the Internet. As illustrated in FIG. 4, first and second host systems 420, 425 transmit predefined communications to a modem 400 which may be transferred to the Internet 440. The modem 400 can also receive predefined communications from the Internet 440 which may be transferred to the host systems 420, 425. In some embodiments according to the present invention, the predefined communications are network access maintenance information that is used to maintain access to the Internet 440 for the host system 420, 425. In some embodiments according to the present invention, the modem 400 is a cable modem.
  • [0050] The modem 400 can operate in a normal mode wherein all data received at the cable modem 400 is transferred through the modem 400 to the Internet 440 or the first and second host systems 420, 425, including the predefined communications. The modem 400 can also operate in safe mode wherein data transfers through the modem 400 are blocked unless the data transfer includes the predefined communications. Blocking can be performed on a per host basis. For example, in some embodiments according to the present invention, data transfers addressed to the first host 420 are blocked while data transfers addressed to the second host 425 are allowed.
  • [0051] As discussed above, the safe mode can be enabled by setting a flag in software. For example, in some embodiments according to the present invention, the safe mode of operation is selected by “clicking” or otherwise providing input to a Graphical User Interface (GUI) that is interfaced to the modem 400, such as a web page. For example, the subscriber may click on a button on a web page to issue a command to the modem 400 whereupon the modem 400 changes the mode of operation of the modem 400.
  • [0052] The first host system 425 can transmit a request 445 for a network address to the modem 400 that is needed to maintain its connection to the Internet 440. The modem 400 determines that the request 445 includes the request for a network address and does not block the data transfer of request 445 to the Internet 440. Subsequently, if the modem 400 receives a response 450 to the request 445 from the Internet 440, the modem 400 will not block the transfer of the response 450 to the first host system 420.
  • [0053] Still referring to FIG. 4, the second host system 425 can also transmit a request 455 for a network address to the modem 400 that is needed to maintain its connection to the Internet 440. The modem 400 determines that the request 455 includes the request for a network address and does not block the data transfer of request 455 to the Internet 440. Subsequently, if the modem 400 receives a response 460 to the request 455 from the Internet 440, the modem 400 will not block the transfer of the response 460 to the second host system 425.
  • [0054] In contrast, the modem 400 can block the transfer of a data transmission 465 from the second host system 425 to the Internet upon determining that the data transmission 465 does not include a request for a network address to maintain its connection to the Internet 440. The modem 400 can also block a data transmission 470 from the Internet 440 upon determining that the data transmission 470 does not include a response to a request for a network address to maintain a connection to the Internet 440 associated with the first or second host systems 420, 425.
  • [0055] In some embodiments according to the present invention, the network access maintenance information can be requests for a network address to maintain access to the Internet 440 for the host system 420, 425 or a response to the request that includes the network address. The requests and responses can be ARP requests and ARP responses thereto. The ARP requests can be generated by the host systems to determine a physical address of another system with which the host systems communicate. When a host system needs to send data to another device on the Internet using TCP/IP, the host system can check to see if it has the hardware address (or MAC address) associated with the destination IP address. If the destination system's hardware address is not known to the host system, then the host system can request the MAC address of the destination using an ARP request.
  • [0056] The ARP request can include the IP address of the system for which the MAC address is sought. The system that is using the IP address included in the ARP request can respond by transmitting an ARP response to the host system. The ARP response can include the MAC address of the host system to which the ARP response is directed. In some embodiments according to the present invention, the ARP response can be Unicast over the Internet to the host system.
  • [0057] For example, the first host system 420 may need to have the MAC address of a CMTS included in the cable system which provides access to the Internet 440. Accordingly, the request 445 can be an ARP request transmitted to the modem 400 by the first host system 420 whereupon the modem 400 can transfer the ARP request to the CMTS according to the present invention.
  • [0058] The CMTS can transmit an ARP response, such as the ARP response 450, to the modem 400 that includes the MAC address of the CMTS. The modem 400 transfers the ARP response 450 to the first host system 420 upon determining that the ARP request 445 sent by the first host system 420 is still pending.
  • [0059] The requests and responses can also be DHCP requests and DHCP responses thereto. DHCP is based on a client-server paradigm, in which a DHCP client, such as the first and second host systems 420, 425 of FIG. 4, can contact a DHCP server for configuration parameters.
  • [0060] One configuration parameter that can be provided by DHCP is an IP address. In general, a host system is initially assigned a specific IP address that is appropriate to the network on which the host system is located. If the host system moves to a new network, it can be assigned a new IP address for that new network. DHCP can include other configuration parameters such as a subnet mask, a default router, a Domain Name System (DNS) server, and the like.
  • [0061] DHCP can provide IP addresses to the host systems on a “leased” basis. A DHCP lease is the amount of time that the DHCP server allows the host system (or DHCP client) permission to use the IP address before the IP address expires. A DHCP lease can typically provide an IP address to a host system for several hours or longer. The host system having the leased IP address can request a renewal of the lease on the IP address to extend its use of the IP address. In some embodiments, the host system may begin requesting a renewal of the lease about half way through the lease period. Accordingly, an IP address currently leased to the host system will expire after the lease period expires unless the lease associated with the IP address is renewed by the DHCP client or at the DHCP server. Otherwise, the host system may lose access to the Internet 440.
  • [0062] For example, the request 445 in FIG. 4 can be a DHCP request generated by the first host system 420 for renewal of a lease on its current IP address. The modem 400 determines that the request 445 includes the DHCP request and transfers the data to the Internet 440. The DHCP request 445 is transmitted on the Internet 440 to a DHCP server that has control over the IP address currently being used by the first host system 420. The DHCP server can transmit a DHCP response, such as response 450, that renews the lease of the IP address. The modem 400 transfers the data transmitted by the DHCP server to the first host system 420 upon determining that the data includes the DHCP response to the currently pending DHCP request. Although a single response 450 to the request 455 is described above, in some embodiments according to the present invention, multiple DHCP servers may respond by issuing respective responses 450 to the request 445, whereupon the first host system 420 can accept one of the responses 450.
  • [0063] FIG. 5 is a block diagram that illustrates embodiments of cable modems 500 according to the present invention through which a host system 520 can communicate with the Internet 540 using ARP requests and ARP responses using the MAC address of the host system 520. According to FIG. 5, the host system 520 can transmit an ARP request 545 that includes the MAC address of the host system 520. The cable modem 500 determines that the data received from the host system 520 includes an ARP request and records that the ARP request 545 is pending. The cable modem 500 associates the MAC address with the pending ARP request 545 recorded in the cable modem 500 and transfers the ARP request 545 to the Internet 540. For example, the cable modem 500 can maintain a table that indicates which ARP requests are currently pending and which MAC address is associated with each pending ARP request. In some embodiments according to the present invention, a learn table included in the cable modem 500 can be extended to include the MAC addresses associated with the ARP requests.
  • [0064] Upon receiving data from the Internet 540, the cable modem 500 determines whether the data includes an ARP response. If the cable modem 500 determines that the data includes an ARP response, the cable modem 500 determines if a MAC address included with the ARP response matches the MAC address associated with the ARP request 545 that is pending in the cable modem 500. For example, the cable modem 500 can check the table used to record which ARP requests are pending and the MAC addresses associated with each. If the ARP response includes a MAC address which matches the MAC address associated with any of the pending ARP requests, the cable modem 500 can transfer the ARP response to the host system having the MAC address associated with the ARP request.
  • [0065] It will be understood that ARP requests made by other host systems and responses thereto can also be processed by the cable modem 500. For example, a second host system can transmit ARP requests including a second MAC address to the cable modem 500. The cable modem 500 can associate the ARP requests from the second host system with a second MAC address in the same table used to associate the ARP request 545 with the MAC address of the host system 520.
  • [0066] After transferring the data, the cable modem 500 can disassociate the MAC address from the pending ARP request so that any subsequent data received from the Internet can be blocked by the cable modem 500 even if the data appears to be an ARP response that includes the MAC address that was associated with the previous ARP request. For example, if ARP response 570 is received by the cable modem 500 after receiving ARP response 550 and is determined to include the same MAC address that was included with ARP response 550, ARP response 570 will be blocked by the cable modem 500.
  • [0067] In some embodiments according to the present invention, the MAC address can be disassociated from the pending ARP request by deleting the ARP request from the table or by deleting the MAC address from the table, or otherwise indicating that a corresponding response for the pending ARP request has already been received and transferred by the cable modem 500.
  • [0068] FIG. 6 is a block diagram that illustrates embodiments of cable modems 600 according to the present invention through which a host system 620 can communicate with a DHCP server 640 using DHCP requests and DHCP responses including Transaction Identifiers (XID) generated by the host system 620 that uniquely identify the DHCP requests and responses. According to FIG. 6, the host system 620 can transmit a DHCP request 645 that includes an XID generated by the host system 620. The cable modem 600 determines that the data received from the host system 620 includes a DHCP request and records that the DHCP request 645 is currently pending. The cable modem 600 associates the XID with the pending DHCP request 645 recorded in the cable modem 600 and transfers the DHCP request 645 to the DHCP server 640. For example, the cable modem 600 can maintain a table that indicates which DHCP requests are currently pending and what XID is associated with each of the pending DHCP requests. In some embodiments according to the present invention, the learn table included in the cable modem 600 can be extended to include the XID associated with the DHCP requests.
  • [0069] Upon receiving data from the DHCP server 640, the cable modem 600 determines whether the data includes a DHCP response. If the cable modem 600 determines that the data includes a DHCP response, the cable modem 600 determines if an XID included with the DHCP response corresponds to the XID associated with any of the DHCP requests that are currently pending in the cable modem 600. For example, the cable modem 600 can compare the XID included with the DHCP response 650 with the XID associated with DHCP request 645. If the DHCP response includes an XID which matches the XID associated with any of the pending DHCP requests, the cable modem 600 can transfer the DHCP response to the host system having the XID associated with the DHCP request.
  • [0070] It will be understood that DHCP requests made by other host systems and responses thereto can also be processed by the cable modem 600. For example, a second host system can transmit DHCP requests including a second XID to the cable modem 600. The cable modem 600 can associate the DHCP requests from the second host system with the second XID in the same table used to associate the DHCP request 645 with the XID of the first host system 620.
  • [0071] After transferring the data, the cable modem 600 can disassociate the XID from the pending DHCP request so that any subsequent data received can be blocked by the cable modem 600 even if the data appears to be a DHCP response that includes an XID previously associated with a once pending DHCP request. For example, if DHCP response 670 is received by the cable modem 600 after receiving DHCP response 650 and is determined to include the same XID that was included with DHCP response 650, DHCP response 670 will be blocked by the cable modem 600.
  • [0072] In some embodiments according to the present invention, the XID can be disassociated from the pending DHCP request by deleting the DHCP request from the table, by deleting the XID from the table, or otherwise indicating that a corresponding response for the pending DHCP request has already been received and transferred by the cable modem 600. In some embodiments according to the present invention, the XID can be disassociated from a pending DHCP request when a second DHCP request is received from the same host system before a DHCP response is received to the first (currently pending) DHCP request. For example, if the cable modem 600 receives a second DHCP request from the host system 620 before the DHCP response 650 is received by the cable modem 600, the cable modem can disassociate the XID from the DHCP request 645 in the cable modem 600. Subsequently, when the DHCP response 650 is received it will be blocked by the cable modem 600.
  • [0073] FIG. 7 is a block diagram that illustrates embodiments of cable modems 700 according to the present invention through which a host system 720 can transmit and receive ARP requests and responses and DHCP requests and responses. As discussed above, the host system 720 can include a MAC address in the ARP requests and include an XID in the DHCP requests so that each of the requests can be uniquely identified when determining whether an ARP/DHCP response matches a currently pending ARP/DHCP request in the cable modem 700.
  • [0074] According to FIG. 7, the host system 720 transmits an ARP request 745 to determine the MAC address of a CMTS 710. The MAC address of the host system can be included in an ARP request 745 and can be associated with the ARP request 745 in the cable modem 700. The ARP request 745 can be transmitted to the CMTS 710 which can transmit an ARP response 750 to provide the MAC address requested in the ARP request 745. The cable modem 700 determines that the ARP response 750 includes the same MAC address that is associated with the ARP request 745 in the cable modem 700, transfers the data received from the CMTS 710 to the host system 720, and disassociates the MAC address from the ARP request 745 in the cable modem so that any subsequent ARP responses having the same MAC address can be blocked by the cable modem 700.
  • [0075] The host system 720 transmits a DHCP discover request 755 to a DHCP server 740 for an IP address. The DHCP discover request 755 can include an XID1 that the cable modem 700 associates with the DHCP discover request 755. The cable modem 700 transfers the DHCP discover request 755, including the XID1, to the DHCP server 740 via the CMTS 710. The DHCP server 740 can transmit a DHCP offer 760 of an IP address, including XID1, to the cable modem 700 via the CMTS 710. The cable modem 700 determines that the DHCP offer 760 includes the XID1 that is associated with the currently pending DHCP discover request 755 in the cable modem 700, transfers the DHCP offer 760 to the host system 720, and disassociates the DHCP discover request 755 from the XID1 in the cable modem so that any subsequent DHCP responses that include XID1 can be blocked by the cable modem 700.
  • [0076] If the host system decides to accept the IP address included in the DHCP offer 760, the host system 720 transmits a DHCP request 765, including an XID2, to the DHCP server 740 that requests the IP address in the DHCP offer 760. The cable modem 700 associates the DHCP request 765 with the XID2 in the cable modem 700 and transfers the DHCP request 765, including the XID2, to the DHCP server 740 via the CMTS 710. The DHCP server 740 can transmit a DHCP ACK 770, including XID2, to the cable modem 700 via the CMTS 710 granting the host system 720 the use of the requested IP address. The cable modem 700 determines that the DHCP ACK 770 includes the XID2 that is associated with the currently pending DHCP request 765 in the cable modem 700, transfers the DHCP ACK 760 to the host system 720, and disassociates the DHCP request 765 from the XID2 in the cable modem so that any subsequent DHCP ACKs that include XID2 can be blocked by the cable modem 700.
  • [0077] The host system 720 can renew the lease on the IP address by transmitting a new DHCP request before the lease expires. Typically, leases provided by a DHCP server can last several hours. The host system 720 may transmit the DHCP renewal request to the DHCP server 740 about halfway through the current lease. For example, if the current lease will expire about four hours after the DHCP server 740 transmits the DHCP ACK 770, the host system 720 may transmit a DHCP renewal request about two hours after the DHCP server 740 transmitted the DHCP ACK 770.
  • [0078] Before transmitting the DHCP renewal request, the host system 720 may transmit an ARP request 775 to ensure that the host system 720 is using the most current MAC address when communicating with the CMTS 710 and the DHCP server 740. The host system 720 transmits an ARP request 775 to determine the MAC address of the CMTS 710. The MAC address of the host system 720 can be included in the ARP request 775 and can be associated with the ARP request 775 in the cable modem 700. The ARP request 775 can be transmitted to the CMTS 710 which can transmit an ARP response 780 to provide the MAC address requested by the ARP request 775. The cable modem 700 determines that the ARP response 780 includes the same MAC address that is associated with the ARP request 775 in the cable modem 700, transfers the data received from the CMTS 710 to the host system 720, and disassociates the MAC address from the ARP request 775 in the cable modem 700 so that any subsequent ARP responses having the same MAC address can be blocked by the cable modem 700.
  • [0079] The host system 720 can transmit a DHCP renewal request 785 for the current IP address to the DHCP server 740 via the CMTS 710. The DHCP renewal request 785 can include an XID3 that the cable modem 700 associates with the DHCP renewal request 785. The cable modem 700 transfers the DHCP renewal request 785, including the XID3, to the DHCP server 740 via the CMTS 710. The DHCP server 740 can transmit a DHCP ACK 790 to the cable modem 700, including the XID3, to grant the renewal of the lease on the current IP address. The cable modem 700 determines that the DHCP ACK 790 includes the XID3 that is associated with the currently pending DHCP renewal request 785 in the cable modem 700, transfers the DHCP ACK 790 to the host system 720, and disassociates the DHCP renewal request 785 from the XID3 in the cable modem 700 so that any subsequent DHCP responses that include XID3 can be blocked by the cable modem 700.
  • [0080] FIGS. 8A and 8B are flowcharts that illustrate embodiments of methods and systems of cable modems according to the present invention. Upon receiving data from a host system while in safe mode, the cable modem determines whether the received data includes an ARP request (block 800) or a DHCP request (block 805). Otherwise, the data is blocked (block 810). In some embodiments according to the present invention, the ARP and DHCP requests can be determined using functions illustrated by the following pseudo code example:
    Input:
      EthPkt - Pointer to Ethernet (layer 2) packet
      Length - Length of packet
    Returns:
      TRUE  - Packet should be forwarded (at least continue processing)
      FALSE - Packet is discarded
    Pseudo Code:
      RetValue = FALSE
      if safemode is enabled AND modem is in OPERATIONAL state
        if Packet is ARP
          if SetARPPending(SRC MAC) successful
            RetValue = TRUE
        Else if Packet is IP
          Initialize pointer to IP part of packet
          if IP->Protocol = UDP
            Initialize pointer to UDP part of Packet
            if UDP->Destination Port = BOOTP SERVER (67)
              Initialize Pointer to Bootp/DHCP packet (same header)
              if SetDHCPPending(SRC MAC, DHCP->XID) successful
                RetValue = TRUE
      Return RetValue
  • [0081] If the data is determined to include an ARP request (block 800), the MAC included therewith is associated with the pending ARP request in the cable modem and is transferred to the network in conjunction with setting a time-out interval timer (block 815). In some embodiments according to the present invention, the ARP request can be made pending and associated with the MAC address using functions illustrated by the following pseudo code example:
    Set Arp Pending
    Input: CpeMAC -Pointer to CPE MAC (Ethernet) address
    Returns: TRUE -ARP pending flag set for valid CPE,
    FALSE if not
    Pseudo Code:
    RetValue = FALSE ! Assume no entry
    ! Unlearned entries will be 0:0:0:0:0:0 and shouldn't match
    For I = 0 to I < (Maximum # of hosts supported)
    if LearnTable [i] .EthAddr = HostMAC
    LearnTable [i] .ArpPending = TRUE
    RetValue = TRUE
    Return RetValue
  • [0082] If the data is determined to include a DHCP request (block 805), the XID included therewith is associated with the pending DHCP request in the cable modem and is transferred to the network in conjunction with setting a time-out interval timer (block 820). In some embodiments according to the present invention, the DHCP request can be made pending and associated with the XID using functions illustrated by the following pseudo code example:
    Set DHCP Pending
    Input:   HostMAC - Pointer to CPE MAC (Ethernet) address
             XID - DHCP Message Transaction ID will be the same through a complete sequence
    Returns: TRUE - DHCP XID set for valid CPE, FALSE if not
    Pseudo Code:
        RetValue = FALSE   ! Assume no entry
        ! Unlearned entries will be 0:0:0:0:0:0 and shouldn't match
        For i = 0 to i < (Maximum # of hosts supported)
            if LearnTable[i].EthAddr = HostMAC
                LearnTable[i].DHCPXID = XID
                RetValue = TRUE
        Return RetValue
  • [0083] Upon receiving data from the network while in safe mode, the cable modem determines whether the received data includes an ARP response (block 825) or a DHCP response (block 830). Otherwise, the data is blocked (block 835). In some embodiments according to the present invention, the ARP and DHCP responses can be determined using functions illustrated by the following pseudo code example:
    Input:
        EthPkt - Pointer to Ethernet (layer 2) packet
        Length - Length of packet
    Returns:
        TRUE  - Packet should be forwarded
        FALSE - Packet is discarded
    Pseudo Code:
        RetValue = FALSE
        if safemode is enabled AND modem is in OPERATIONAL state
            if Packet is ARP
                ! Note that this clears pending data if found
                if IsARPPending(DST MAC) successful
                    RetValue = TRUE
            Else if Packet is IP
                Initialize pointer to IP part of packet
                if IP->Protocol = UDP
                    Initialize pointer to UDP part of Packet
                    if UDP->Source Port = BOOTP SERVER (67)
                        Initialize Pointer to Bootp/DHCP packet (same header)
                        ! Note that this clears pending data if found
                        if IsDHCPPending(DST MAC, DHCP->XID) successful
                            RetValue = TRUE
        Return RetValue
  • [0084] If the data is determined to include an ARP response (block 825), the MAC address included therewith is checked to determine if it matches the MAC address associated with the pending ARP request in the cable modem (block 840). If a match occurs, the DHCP response is transferred to the host system in conjunction with resetting the time-out interval timer (block 845). If the MAC addresses do not match, the data is blocked (block 835). In some embodiments according to the present invention, the ARP response can be processed using functions illustrated by the following pseudo code example:
    Is Arp Pending
    Input:   CpeMAC - Pointer to CPE MAC (Ethernet) address
    Returns: Value of ARP pending flag if found, FALSE otherwise
    Pseudo Code:
        RetValue = FALSE   ! Assume no entry
        For i = 0 to i < (Maximum # hosts supported)
            if LearnTable[i].EthAddr = CpeMAC
                RetValue = LearnTable[i].ArpPending
                LearnTable[i].ArpPending = FALSE
        Return RetValue
  • [0085] If the data is determined to include a DHCP response (block 830), the XID included therewith is compared to the XID associated with the currently pending DHCP request in the cable modem (block 850). If the XIDs match, the DHCP response is transferred to the host system and the DHCP request is disassociated with the XID in the cable modem in conjunction with resetting a time-out interval timer (block 855). In some embodiments according to the present invention, the DHCP request can be made pending and associated with the XID using functions illustrated by the following pseudo code example:
    Is DHCP Pending
    Input:   XID - Transaction ID from DHCP response
    Returns: TRUE if XID found in table, FALSE otherwise
    Pseudo Code:
        RetValue = FALSE   ! Assume no entry
        ! Unlearned entries will be 0:0:0:0:0:0 and shouldn't match
        For i = 0 to i < (Maximum # hosts supported)
            if LearnTable[i].DHCPXID = XID
                RetValue = TRUE
                LearnTable[i].DHCPXID = 0
        Return RetValue
  • [0086] If one of the time-out interval timers expires before receiving an acceptable ARP or DHCP response (block 860), the currently pending request associated with the time-out interval timer that expired is disassociated with the MAC or XID so that any subsequent ARP or DHCP responses including the MAC address or XID can be blocked by the cable modem.
  • [0087] FIG. 9 is a flowchart that illustrates cable modems and methods according to embodiments of the present invention. In particular, embodiments of modems according to the present invention can include a safe mode according to the present invention and a firewall mode. The respective states of the firewall mode and the safe mode in the cable modem can be changed by, for example, pushing the safe mode button 108.
  • [0088] It will be understood by those having skill in the art that, in some embodiments according to the present invention, the firewall mode can be provided by commercially available software, such as software marketed by BVRP Software, 1 bis rue Collange, 92593 Levallois Perret Cedex, France and on the web at www.vicomsoft.com. It will be understood by those having skill in the art that a firewall can examine traffic routed between the host system and the Internet if the traffic meets certain criteria. Firewalls can filter data using address filtering, protocol filtering, etc.
  • [0089] As shown in FIG. 9, the cable modem powers-up so that the safe mode is disabled and the firewall is off (block 900). When input is provided to the cable modem (block 905), the firewall is enabled and the safe mode is disabled (block 910). When input is again provided (block 915), the safe mode is enabled (block 920). When input is again provided (block 925) the cable modem disables the firewall and the safe mode (block 900). The safe mode and the firewall operation can continue to be cycled each time input is provided to the cable modem.
  • [0090] Input can be provided to the cable modem by pushing the safe mode button 108 on the modem housing or by clicking on a GUI as described above. In some embodiments according to the present invention, the user changes the firewall/safe mode by depressing the safe mode button 108 for about a predetermined time and releasing the safe mode button 108. For example, the user can change the firewall/safe mode by depressing the safe mode button 108 for about four seconds and then releasing the safe mode button 108.
  • [0091] In the drawings and specification, there have been disclosed typical embodiments of the invention and, although specific terms are employed, they are used in a generic and descriptive sense only and not for purposes of limitation, the scope of the invention being set forth in the following claims.
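The safe-mode filtering of FIGS. 8A and 8B described above, written out as compilable C. This is an added example, not code from the patent: the function names, the 4000 ms time-out and the constructed sample frame are assumptions, and it departs from the pseudo code in three ways (it bounds-checks the packet length, drops IP fragments, and matches DHCP replies on the BOOTP chaddr field plus XID so that broadcast replies still match).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example: names and constants below are illustrative, not the patent's. */
#define MAX_HOSTS  4
#define TIMEOUT_MS 4000u  /* assumed value: the page names no interval */
#define ETH_HLEN   14u
#define DHCP_FRAME 342u   /* 14 Ethernet + 20 IPv4 + 8 UDP + 300 BOOTP */

struct learn_entry {      /* one row per learned host (CPE) */
    uint8_t  mac[6];
    bool     arp_pending, dhcp_pending;
    uint32_t xid, arp_t0, dhcp_t0;  /* t0: when the request was forwarded (ms) */
} learn_table[MAX_HOSTS];

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

static struct learn_entry *find_host(const uint8_t *mac)
{
    static const uint8_t unlearned[6];  /* 0:0:0:0:0:0 must never match */
    for (int i = 0; i < MAX_HOSTS && memcmp(mac, unlearned, 6) != 0; i++)
        if (memcmp(learn_table[i].mac, mac, 6) == 0) return &learn_table[i];
    return NULL;
}

/* BOOTP header if pkt is unfragmented IPv4/UDP with server port 67, else NULL. */
static const uint8_t *bootp(const uint8_t *pkt, size_t len, bool upstream)
{
    if (len < ETH_HLEN + 20u || rd16(pkt + 12) != 0x0800u) return NULL;
    const uint8_t *ip = pkt + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4u;
    if (ip[0] >> 4 != 4 || ihl < 20u || ip[9] != 17) return NULL;
    if (rd16(ip + 6) & 0x3fffu) return NULL;           /* fragments are dropped */
    if (len < ETH_HLEN + ihl + 8u + 34u) return NULL;  /* need up to chaddr[5] */
    const uint8_t *udp = ip + ihl;      /* port 67 is dst upstream, src downstream */
    return rd16(udp + (upstream ? 2 : 0)) == 67u ? udp + 8 : NULL;
}

static unsigned arp_op(const uint8_t *pkt, size_t len)  /* 1 request, 2 reply, 0 not ARP */
{
    return len >= ETH_HLEN + 28u && rd16(pkt + 12) == 0x0806u ? rd16(pkt + 20) : 0;
}

/* Host -> network: forward only ARP and DHCP requests, arming pending state. */
bool from_host(const uint8_t *pkt, size_t len, uint32_t now)
{
    struct learn_entry *e = len >= ETH_HLEN ? find_host(pkt + 6) : NULL;
    if (!e) return false;               /* source MAC is not a learned host */
    if (arp_op(pkt, len) == 1u) { e->arp_pending = true; e->arp_t0 = now; return true; }
    const uint8_t *b = bootp(pkt, len, true);
    if (!b || b[0] != 1 || memcmp(b + 28, e->mac, 6) != 0) return false;
    e->xid = rd32(b + 4); e->dhcp_pending = true; e->dhcp_t0 = now;
    return true;
}

/* Network -> host: forward at most one reply per armed request. */
bool from_network(const uint8_t *pkt, size_t len, uint32_t now)
{
    if (arp_op(pkt, len) == 2u) {
        struct learn_entry *e = find_host(pkt);        /* Ethernet destination */
        bool ok = e && e->arp_pending && now - e->arp_t0 < TIMEOUT_MS;
        if (e) e->arp_pending = false;                 /* one-shot, also on expiry */
        return ok;
    }
    const uint8_t *b = bootp(pkt, len, false);
    struct learn_entry *e = (b && b[0] == 2) ? find_host(b + 28) : NULL;
    if (!e || !e->dhcp_pending) return false;
    if (now - e->dhcp_t0 >= TIMEOUT_MS) { e->dhcp_pending = false; return false; }
    if (rd32(b + 4) != e->xid) return false;           /* wrong XID: keep waiting */
    e->dhcp_pending = false;                           /* replayed reply is blocked */
    return true;
}

/* Constructed sample frame (not captured traffic): op 1 = request, 2 = reply. */
size_t make_dhcp(uint8_t *f, const uint8_t *dst, const uint8_t *src, uint8_t op,
                 uint32_t xid, const uint8_t *chaddr)
{
    memset(f, 0, DHCP_FRAME);
    memcpy(f, dst, 6); memcpy(f + 6, src, 6);
    f[12] = 0x08; f[14] = 0x45; f[23] = 17;            /* IPv4, IHL 5, UDP */
    f[35] = op == 1 ? 68 : 67; f[37] = op == 1 ? 67 : 68;  /* src, dst port */
    f[42] = op; memcpy(f + 70, chaddr, 6);             /* BOOTP op, chaddr */
    for (int i = 0; i < 4; i++) f[46 + i] = (uint8_t)(xid >> (24 - 8 * i));
    return DHCP_FRAME;
}

int main(void)
{
    const uint8_t host[6] = {2, 0, 0, 0, 0, 1}, srv[6] = {2, 0, 0, 0, 0, 0xfe};
    uint8_t f[DHCP_FRAME];
    memcpy(learn_table[0].mac, host, 6);
    int sent = from_host(f, make_dhcp(f, srv, host, 1, 0xA1B2C3D4u, host), 0);
    size_t n = make_dhcp(f, host, srv, 2, 0xA1B2C3D4u, host);
    int first = from_network(f, n, 10), replay = from_network(f, n, 20);
    printf("request %d, first reply %d, replayed reply %d\n", sent, first, replay);
    return 0;
}
```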

Claims (36)

What is claimed:
1. A method for providing a host system access to a network through a modem, the method comprising:
blocking transfer of data in a modem during a safe mode of operation of the modem unless the data transfer includes predefined communications.
2. The method of claim 1 wherein the predefined communications comprise network access maintenance information.
3. The method of claim 1 wherein the predefined communications comprise a request for a network address to maintain access to the network for the host system or a response to the request that includes the network address.
4. The method of claim 1 further comprising:
allowing the transfer of data other than the predefined communications through the modem during a normal mode of operation of the modem.
5. The method of claim 3 wherein the request is received from the host system and the response to the request is received from the network.
6. The method of claim 3 wherein the blocking transfer of data in a modem during a safe mode of operation of the modem unless the data transfer includes predefined communications comprises:
blocking transfer of the data from the host system to the network unless it is determined that the request comprises an Address Resolution Protocol (ARP) request for a MAC address of a system on the network that uniquely identifies the ARP request as originating from the host system; and
blocking transfer of the data from the network to the host system unless it is determined that the response comprises an ARP response that includes the MAC address requested by the ARP request.
7. The method of claim 3 wherein the blocking transfer of data in a modem during a safe mode of operation of the modem unless the data transfer includes predefined communications comprises:
determining if data received at the modem from the host system comprises an Address Resolution Protocol (ARP) request for a MAC address of a system on the network that uniquely identifies the ARP request as originating from the host system;
associating the MAC address with the ARP request in the modem and transmitting the ARP request including the MAC address from the modem to the network upon determining that the request comprises the ARP request;
determining if data received from the network at the modem comprises an ARP response including the MAC address associated with the ARP request; and
transmitting the data received from the network to the host system upon determining that the data received from the network comprises the ARP response including the MAC address associated with the ARP request.
8. The method of claim 7 further comprising:
disassociating the MAC address with the ARP request in the modem after transmitting the data received from the network to the host system.
9. The method of claim 7 wherein the data received from the network at the modem comprises first data and wherein the ARP response comprises a first ARP response, the method further comprising:
blocking second data received from the network at the modem after the first data is received upon determining that the second data comprises a second ARP response including the MAC address associated with the first ARP request.
10. The method of claim 7 further comprising:
disassociating the MAC address with the ARP request in the modem upon determining that the ARP response including the MAC address associated with the ARP request has not been received from the network within a time-out interval.
11. The method of claim 10 wherein the ARP request comprises a first ARP request, the method further comprising:
disassociating the MAC address with the first ARP request in the modem upon receiving a second ARP request from the host system; and
blocking data received from the network at the modem upon determining that the data received from the network comprises the first ARP response including the MAC address associated with the first ARP request.
12. The method of claim 3 wherein the blocking transfer of data in a modem during a safe mode of operation of the modem unless the data transfer includes predefined communications comprises:
blocking transfer of the data from the host system to the network unless it is determined that the request comprises a Dynamic Host Control Protocol (DHCP) request for an Internet Protocol (IP) address for the host system including a Transaction Identifier (XID) that uniquely identifies the DHCP request as originating from the host system; and
blocking transfer of the data from the network to the host system unless it is determined that the response comprises a DHCP response that includes the XID associated with the DHCP request.
13. The method of claim 3 wherein the blocking transfer of data in a modem during a safe mode of operation of the modem unless the data transfer includes predefined communications comprises:
determining if data received at the modem from the host system comprises a Dynamic Host Control Protocol (DHCP) request for an Internet Protocol (IP) address for the host system including a Transaction Identifier (XID) that uniquely identifies the DHCP request as originating from the host system;
associating the XID with the DHCP request in the modem and transmitting the DHCP request including the XID from the modem to the network upon determining that the request comprises the DHCP request;
determining if data received from the network at the modem comprises a DHCP response including the XID associated with the DHCP request; and
transmitting the data received from the network to the host system upon determining that the data received from the network comprises the DHCP response including the XID associated with the DHCP request.
14. The method of claim 13 further comprising:
disassociating the XID with the DHCP request in the modem after transmitting the data received from the network to the host system.
15. The method of claim 13 wherein the XID is generated by the host system.
16. The method of claim 13 wherein the data received from the network at the modem comprises first data and wherein the DHCP response comprises a first DHCP response, the method further comprising:
blocking second data received from the network at the modem after the first data is received upon determining that the second data comprises a second DHCP response including the XID associated with the first DHCP request.
17. The method of claim 13 further comprising:
disassociating the XID with the DHCP request in the modem upon determining that no data received from the network comprises the DHCP response including the XID associated with the DHCP request within a time-out interval.
18. The method of claim 17 wherein the DHCP request comprises a first DHCP request, the method further comprising:
disassociating the XID with the first DHCP request in the modem upon receiving a second DHCP request from the host system; and
blocking data received from the network at the modem upon determining that the data received from the network comprises the first DHCP response including the XID associated with the first DHCP request.
19. The method of claim 1 further comprising:
receiving input to the modem; and
ceasing blocking transfer of data in the modem in response to the input.
20. The method of claim 19 wherein receiving input to the modem comprises at least one of clicking on a Graphical User Interface and pushing a safe mode button on the modem.
21. The method of claim 1 wherein the host system comprises a first host system, the method further comprising:
allowing transfer of data associated with a second host system during a normal mode of operation of the modem associated with the second host system.
22. The method of claim 1 further comprising:
receiving input to the modem;
changing at least one of operation of a firewall associated with the modem and the safe mode in response to the input.
23. A modem that transfers data between a network and a host system, the modem comprising:
a processor circuit in the modem that is configured to block the transfer of data through the modem during a safe mode of operation of the modem unless the data includes predefined communications.
24. The modem of claim 23 wherein the predefined communications comprise network access maintenance information.
25. The modem of claim 23 wherein the predefined communications comprise a request for a network address to maintain access to the network for the host system or a response to the request that includes the network address.
26. The modem of claim 23 wherein the processor circuit is further configured to allow the transfer of data other than the predefined communications through the modem during a normal mode of operation of the modem.
27. The modem of claim 25 wherein the request is received from the host system and the response to the request is received from the network.
28. The modem of claim 25 wherein the processor circuit is further configured to block transfer of the data from the host system to the network unless it is determined that the request comprises an Address Resolution Protocol (ARP) request for a MAC address of a system on the network that uniquely identifies the ARP request as originating from the host system and to block transfer of the data from the network to the host system unless it is determined that the response comprises an ARP response that includes the MAC address requested by the ARP request.
29. The modem of claim 25 wherein the processor circuit is further configured to:
determine if data received at the modem from the host system comprises an Address Resolution Protocol (ARP) request for a MAC address of a system on the network that uniquely identifies the ARP request as originating from the host system;
associate the MAC address with the ARP request in the modem and transmit the ARP request including the MAC address from the modem to the network upon determining that the request comprises the ARP request;
determine if data received from the network at the modem comprises an ARP response including the MAC address associated with the ARP request; and
transmit the data received from the network to the host system upon determining that the data received from the network comprises the ARP response including the MAC address associated with the ARP request.
30. The modem of claim 25 wherein the processor circuit is further configured to:
block transfer of the data from the host system to the network unless it is determined that the request comprises a Dynamic Host Control Protocol (DHCP) request for an Internet Protocol (IP) address for the host system including a Transaction Identifier (XID) that uniquely identifies the DHCP request as originating from the host system; and
block transfer of the data from the network to the host system unless it is determined that the response comprises a DHCP response that includes the XID associated with the DHCP request.
31. The modem of claim 25 wherein the processor circuit is further configured to:
determine if data received at the modem from the host system comprises a Dynamic Host Control Protocol (DHCP) request for an Internet Protocol (IP) address for the host system including a Transaction Identifier (XID) that uniquely identifies the DHCP request as originating from the host system;
associate the XID with the DHCP request in the modem and transmit the DHCP request including the XID from the modem to the network upon determining that the request comprises the DHCP request;
determine if data received from the network at the modem comprises a DHCP response including the XID associated with the DHCP request; and
transmit the data received from the network to the host system upon determining that the data received from the network comprises the DHCP response including the XID associated with the DHCP request.
32. A modem that transfers data between a network and a host system, the modem comprising:
means for blocking the transfer of data through a modem during a safe mode of operation of the modem unless the data includes predefined communications.
33. The modem of claim 32 wherein the predefined communications comprise network access maintenance information.
34. The modem of claim 32 wherein the predefined communications comprise a request for a network address to maintain access to the network for the host system or a response to the request that includes the network address.
35. The modem of claim 34 wherein the means for blocking comprises:
means for determining if data received at the modem from the host system comprises an Address Resolution Protocol (ARP) request for a MAC address of a system on the network that uniquely identifies the ARP request as originating from the host system;
means for associating the MAC address with the ARP request in the modem and transmitting the ARP request including the MAC address from the modem to the network upon determining that the request comprises the ARP request;
means for determining if data received from the network at the modem comprises an ARP response including the MAC address associated with the ARP request;
means for transmitting the data received from the network to the host system upon determining that the data received from the network comprises the ARP response including the MAC address associated with the ARP request.
36. The modem of claim 34 wherein the means for blocking comprises:
means for determining if data received at the modem from the host system comprises a Dynamic Host Control Protocol (DHCP) request for an Internet Protocol (IP) address for the host system including a Transaction Identifier (XID) that uniquely identifies the DHCP request as originating from the host system;
means for associating the XID with the DHCP request in the modem and transmitting the DHCP request including the XID from the modem to the network upon determining that the request comprises the DHCP request;
means for determining if data received from the network at the modem comprises a DHCP response including the XID associated with the DHCP request; and
means for transmitting the data received from the network to the host system upon determining that the data received from the network comprises the DHCP response including the XID associated with the DHCP request.
US09/999,655 1999-05-07 2001-10-30 Methods, modems, and systems for blocking data transfers unless including predefined communications to provide access to a network Abandoned US20020062450A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US09/999,655 US20020062450A1 (en) 1999-05-07 2001-10-30 Methods, modems, and systems for blocking data transfers unless including predefined communications to provide access to a network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/307,363 US6643780B1 (en) 1999-05-07 1999-05-07 Modems that block data transfers during safe mode of operation and related methods
US09/999,655 US20020062450A1 (en) 1999-05-07 2001-10-30 Methods, modems, and systems for blocking data transfers unless including predefined communications to provide access to a network

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US09/307,363 Continuation-In-Part US6643780B1 (en) 1999-05-07 1999-05-07 Modems that block data transfers during safe mode of operation and related methods

Publications (1)

Publication Number Publication Date
US20020062450A1 true US20020062450A1 (en) 2002-05-23

Family

ID=23189423

Family Applications (2)

Application Number Title Priority Date Filing Date
US09/307,363 Expired - Lifetime US6643780B1 (en) 1999-05-07 1999-05-07 Modems that block data transfers during safe mode of operation and related methods
US09/999,655 Abandoned US20020062450A1 (en) 1999-05-07 2001-10-30 Methods, modems, and systems for blocking data transfers unless including predefined communications to provide access to a network

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US09/307,363 Expired - Lifetime US6643780B1 (en) 1999-05-07 1999-05-07 Modems that block data transfers during safe mode of operation and related methods

Country Status (3)

Country Link
US (2) US6643780B1 (en)
AU (1) AU4361200A (en)
WO (1) WO2000069144A1 (en)

Cited By (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030223457A1 (en) * 2002-06-03 2003-12-04 Lucent Technologies Inc. Sub-network and related methods for routing signaling messages
US20040233926A1 (en) * 2003-05-19 2004-11-25 Broadcom Corporation System, method, and computer program product for facilitating communication between devices implementing proprietary features in a DOCSIS-compliant broadband communication system
US20050033833A1 (en) * 2003-08-05 2005-02-10 International Business Machines Corporation Method, system, and program product fo rmanaging device identifiers
US20050078699A1 (en) * 2003-10-10 2005-04-14 Broadcom Corporation System, method, and computer program product for utilizing proprietary communication parameters to improve channel efficiency in a DOCSIS-compliant broadband communication system
US20050097617A1 (en) * 1999-08-31 2005-05-05 Currivan Bruce J. Ranging and registering cable modems under attenuated transmission conditions
US20050169282A1 (en) * 2002-06-12 2005-08-04 Wittman Brian A. Data traffic filtering indicator
US20050198242A1 (en) * 2004-01-05 2005-09-08 Viascope Int. System and method for detection/interception of IP collision
US20050265398A1 (en) * 2004-05-25 2005-12-01 Cisco Technology, Inc. Tunneling scheme for transporting information over a cable network
US20050265392A1 (en) * 2004-05-25 2005-12-01 Fox David B Wideband cable downstream protocol
US20060002294A1 (en) * 2004-05-25 2006-01-05 Chapman John T Wideband provisioning
US20060109847A1 (en) * 2004-09-27 2006-05-25 Sou Satou Subscriber line accommodation apparatus and packet filtering method
US20070142946A1 (en) * 2005-12-17 2007-06-21 Dr. Johannes Heidenhain Gmbh Method for the start-up of numerical controls of machine tools or production machinery and numerical control for machine tools or production machinery
US20070282955A1 (en) * 2006-05-31 2007-12-06 Cisco Technology, Inc. Method and apparatus for preventing outgoing spam e-mails by monitoring client interactions
US20080298277A1 (en) * 2004-05-25 2008-12-04 Cisco Technology, Inc. Neighbor discovery proxy with distributed packet inspection scheme
US20080320099A1 (en) * 2007-06-19 2008-12-25 Samsung Electronics Co., Ltd. Connector and communication method thereof
US20090047015A1 (en) * 2003-06-17 2009-02-19 Christopher Pierce Williams Addressable Fiber Node
US7533255B1 (en) * 2003-07-11 2009-05-12 Cisco Technology, Inc. Method and apparatus for restricting address resolution protocol table updates
US20090185574A1 (en) * 2004-05-25 2009-07-23 Cisco Technology, Inc. Timing system for modular cable modem termination system
US20100122320A1 (en) * 2008-11-07 2010-05-13 Next Gaming, Llc Secure and Self Monitoring Slot Gaming Network
US7810137B1 (en) * 2003-12-22 2010-10-05 Cisco Technology, Inc. Method of controlling network access that induces consumption of merchant goods or services
US8135028B2 (en) 2004-05-25 2012-03-13 Cisco Technology, Inc. Neighbor discovery in cable networks
US8553704B2 (en) 2004-05-25 2013-10-08 Cisco Technology, Inc. Wideband upstream protocol
US8825839B2 (en) * 2010-11-24 2014-09-02 Unisys Corporation Snooping DNS messages in a server hosting system providing overlapping address and name spaces
US20150134726A1 (en) * 2013-11-14 2015-05-14 Eric P. Vance System and Method For Machines to Communicate over the Internet
US20160248751A1 (en) * 2014-12-04 2016-08-25 Huawei Technologies Co., Ltd. Cm registration method and apparatus
US11153261B2 (en) * 2020-01-22 2021-10-19 Cisco Technology, Inc. Routing traffic for virtualized/containerized network functions
US11516177B1 (en) * 2014-02-28 2022-11-29 CSC Holdings, LLC Detecting and remediating non-responsive customer premise equipment

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6993007B2 (en) * 1999-10-27 2006-01-31 Broadcom Corporation System and method for suppressing silence in voice traffic over an asynchronous communication medium
US7200156B2 (en) * 1999-12-21 2007-04-03 Skarpness Mark L Modular broadband adapter system
WO2001061924A2 (en) * 2000-02-15 2001-08-23 Broadcom Corporation Cable modem system and method for specialized data transfer
US7010802B1 (en) * 2000-03-01 2006-03-07 Conexant Systems, Inc. Programmable pattern match engine
US6765925B1 (en) * 2000-09-28 2004-07-20 Nortel Networks Limited Apparatus and method of maintaining state in a data transmission system
US7769047B2 (en) * 2001-02-15 2010-08-03 Broadcom Corporation Methods for specialized data transfer in a wireless communication system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4680773A (en) * 1985-10-30 1987-07-14 Microcom, Inc. Data telecommunications system and method utilizing a multi-mode modem
US5790806A (en) * 1996-04-03 1998-08-04 Scientific-Atlanta, Inc. Cable data network architecture
US5987611A (en) * 1996-12-31 1999-11-16 Zone Labs, Inc. System and methodology for managing internet access on a per application basis for client computers connected to the internet
US6556574B1 (en) * 1999-03-31 2003-04-29 Cisco Technology, Inc. Duplicate ignore delay timer for ARP like protocol messages using are protocol

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4313176A (en) * 1980-03-07 1982-01-26 The Lockwood Association, Inc. Data controlled switch for telephone inputs to a computer
US4951309A (en) 1988-10-14 1990-08-21 Compag Computer Corporation Power-down modem
US5896497A (en) * 1996-08-07 1999-04-20 Halstead; William D. System for securing a computer
US5999526A (en) * 1996-11-26 1999-12-07 Lucent Technologies Inc. Method and apparatus for delivering data from an information provider using the public switched network
US5956481A (en) * 1997-02-06 1999-09-21 Microsoft Corporation Method and apparatus for protecting data files on a computer from virus infection
JP3922312B2 (en) 1997-02-13 2007-05-30 ソニー株式会社 Cable modem and cable modem control method
US6269154B1 (en) * 1998-02-04 2001-07-31 Texas Instruments Incorporated Splitterless modem with integrated off-hook detector

Cited By (42)

* Cited by examiner, † Cited by third party
| Publication number | Priority date | Publication date | Assignee | Title |
| --- | --- | --- | --- | --- |
| US20050097617A1 (en) * | 1999-08-31 | 2005-05-05 | Currivan Bruce J. | Ranging and registering cable modems under attenuated transmission conditions |
| US7856049B2 (en) * | 1999-08-31 | 2010-12-21 | Broadcom Corporation | Ranging and registering cable modems under attenuated transmission conditions |
| US20030223457A1 (en) * | 2002-06-03 | 2003-12-04 | Lucent Technologies Inc. | Sub-network and related methods for routing signaling messages |
| US7315555B2 (en) * | 2002-06-03 | 2008-01-01 | Lucent Technologies Inc. | Sub-network and related methods for routing signaling messages |
| US20050169282A1 (en) * | 2002-06-12 | 2005-08-04 | Wittman Brian A. | Data traffic filtering indicator |
| US7818794B2 (en) * | 2002-06-12 | 2010-10-19 | Thomson Licensing | Data traffic filtering indicator |
| US8040915B2 (en) * | 2003-05-19 | 2011-10-18 | Broadcom Corporation | System, method, and computer program product for facilitating communication between devices implementing proprietary features in a DOCSIS-compliant broadband communication system |
| US8498310B2 (en) | 2003-05-19 | 2013-07-30 | Broadcom Corporation | System, method, and computer program product for facilitating communication between devices implementing proprietary features in a DOCSIS-compliant broadband communication system |
| US20040233926A1 (en) * | 2003-05-19 | 2004-11-25 | Broadcom Corporation | System, method, and computer program product for facilitating communication between devices implementing proprietary features in a DOCSIS-compliant broadband communication system |
| US8130651B2 (en) * | 2003-06-17 | 2012-03-06 | Time Warner Cable, Inc. | Addressable fiber node |
| US20090047015A1 (en) * | 2003-06-17 | 2009-02-19 | Christopher Pierce Williams | Addressable Fiber Node |
| US7533255B1 (en) * | 2003-07-11 | 2009-05-12 | Cisco Technology, Inc. | Method and apparatus for restricting address resolution protocol table updates |
| US20050033833A1 (en) * | 2003-08-05 | 2005-02-10 | International Business Machines Corporation | Method, system, and program product fo rmanaging device identifiers |
| US20050078699A1 (en) * | 2003-10-10 | 2005-04-14 | Broadcom Corporation | System, method, and computer program product for utilizing proprietary communication parameters to improve channel efficiency in a DOCSIS-compliant broadband communication system |
| US7810137B1 (en) * | 2003-12-22 | 2010-10-05 | Cisco Technology, Inc. | Method of controlling network access that induces consumption of merchant goods or services |
| US20050198242A1 (en) * | 2004-01-05 | 2005-09-08 | Viascope Int. | System and method for detection/interception of IP collision |
| US8149833B2 (en) | 2004-05-25 | 2012-04-03 | Cisco Technology, Inc. | Wideband cable downstream protocol |
| US8135028B2 (en) | 2004-05-25 | 2012-03-13 | Cisco Technology, Inc. | Neighbor discovery in cable networks |
| US20090185574A1 (en) * | 2004-05-25 | 2009-07-23 | Cisco Technology, Inc. | Timing system for modular cable modem termination system |
| US8553704B2 (en) | 2004-05-25 | 2013-10-08 | Cisco Technology, Inc. | Wideband upstream protocol |
| US20080298277A1 (en) * | 2004-05-25 | 2008-12-04 | Cisco Technology, Inc. | Neighbor discovery proxy with distributed packet inspection scheme |
| US20050265398A1 (en) * | 2004-05-25 | 2005-12-01 | Cisco Technology, Inc. | Tunneling scheme for transporting information over a cable network |
| US7835274B2 (en) | 2004-05-25 | 2010-11-16 | Cisco Technology, Inc. | Wideband provisioning |
| US8160093B2 (en) | 2004-05-25 | 2012-04-17 | Cisco Technology, Inc. | Timing system for modular cable modem termination system |
| US7864686B2 (en) | 2004-05-25 | 2011-01-04 | Cisco Technology, Inc. | Tunneling scheme for transporting information over a cable network |
| US20050265392A1 (en) * | 2004-05-25 | 2005-12-01 | Fox David B | Wideband cable downstream protocol |
| US8102854B2 (en) * | 2004-05-25 | 2012-01-24 | Cisco Technology, Inc. | Neighbor discovery proxy with distributed packet inspection scheme |
| US20060002294A1 (en) * | 2004-05-25 | 2006-01-05 | Chapman John T | Wideband provisioning |
| US20060109847A1 (en) * | 2004-09-27 | 2006-05-25 | Sou Satou | Subscriber line accommodation apparatus and packet filtering method |
| US20070142946A1 (en) * | 2005-12-17 | 2007-06-21 | Dr. Johannes Heidenhain Gmbh | Method for the start-up of numerical controls of machine tools or production machinery and numerical control for machine tools or production machinery |
| US8032738B2 (en) * | 2005-12-17 | 2011-10-04 | Dr. Johannes Heidenhain Gmbh | Method for the start-up of numerical controls of machine tools or production machinery and numerical control for machine tools or production machinery |
| US20070282955A1 (en) * | 2006-05-31 | 2007-12-06 | Cisco Technology, Inc. | Method and apparatus for preventing outgoing spam e-mails by monitoring client interactions |
| US8601065B2 (en) * | 2006-05-31 | 2013-12-03 | Cisco Technology, Inc. | Method and apparatus for preventing outgoing spam e-mails by monitoring client interactions |
| US20080320099A1 (en) * | 2007-06-19 | 2008-12-25 | Samsung Electronics Co., Ltd. | Connector and communication method thereof |
| US20100122320A1 (en) * | 2008-11-07 | 2010-05-13 | Next Gaming, Llc | Secure and Self Monitoring Slot Gaming Network |
| US8825839B2 (en) * | 2010-11-24 | 2014-09-02 | Unisys Corporation | Snooping DNS messages in a server hosting system providing overlapping address and name spaces |
| US20150134726A1 (en) * | 2013-11-14 | 2015-05-14 | Eric P. Vance | System and Method For Machines to Communicate over the Internet |
| US10164857B2 (en) * | 2013-11-14 | 2018-12-25 | Eric P. Vance | System and method for machines to communicate over the internet |
| US11516177B1 (en) * | 2014-02-28 | 2022-11-29 | CSC Holdings, LLC | Detecting and remediating non-responsive customer premise equipment |
| US20160248751A1 (en) * | 2014-12-04 | 2016-08-25 | Huawei Technologies Co., Ltd. | Cm registration method and apparatus |
| US11153261B2 (en) * | 2020-01-22 | 2021-10-19 | Cisco Technology, Inc. | Routing traffic for virtualized/containerized network functions |
| US11888808B2 (en) | 2020-01-22 | 2024-01-30 | Cisco Technology, Inc. | Routing traffic for virtualized/containerized network functions |

Also Published As

| Publication number | Publication date |
| --- | --- |
| AU4361200A (en) | 2000-11-21 |
| WO2000069144A1 (en) | 2000-11-16 |
| US6643780B1 (en) | 2003-11-04 |


Legal Events

| Date | Code | Title | Description |
| --- | --- | --- | --- |
| | AS | Assignment | Owner name: ERICSSON INC., NORTH CAROLINA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CARLSON, BRIAN;COOPER, GERALD MEADE;KENT, JAMES SHELDON;REEL/FRAME:012348/0485. Effective date: 20011024 |
| | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |