CN101635621A - Interactive method for address resolution protocol - Google Patents

Interactive method for address resolution protocol

Info

Publication number: CN101635621A
Authority: CN (China)
Prior art keywords: client, resolution protocol, address resolution, address, signature
Legal status: Granted
Application number: CN200810116949A
Other languages: Chinese (zh)
Other versions: CN101635621B (en)
Inventor: 许涛
Current assignee: Shanshi Network Communication Technology Co Ltd
Original assignee: Hillstone Networks Communication Technology (Beijing) Co Ltd
Priority date / filing date: 2008-07-21
Publication date: 2010-01-27
Application filed by Hillstone Networks Communication Technology (Beijing) Co Ltd
Priority to CN2008101169492A
Publication of CN101635621A
Application granted; publication of CN101635621B
Current legal status: Active

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an interactive method for the address resolution protocol. The method comprises the following steps: 1, a public key and a private key of the device are generated, and all clients under the device obtain the public key of the device; 2, when the device receives an address resolution protocol request message from a client, it signs the address resolution protocol packet to be sent with its private key using the signature algorithm, and transmits the generated signature together with the address resolution protocol packet to the client as an address resolution protocol reply message; and 3, after receiving the address resolution protocol reply message from the device, the client decides whether to refresh its address resolution protocol cache according to the state of the reply message. Therefore, the method can completely prevent ARP spoofing against devices that support ARP authentication while remaining compatible with existing equipment.

Description

Interactive method for address resolution protocol
Technical field
The present invention relates to network security, and more specifically to an interactive method for the address resolution protocol.
Background technology
Ethernet is a broadcast environment, and the address resolution protocol (ARP, Address Resolution Protocol) is the protocol used on Ethernet to determine a host's physical address from its IP address. ARP has no security mechanism. An attacker can answer an ARP request with a forged ARP message, or even actively send forged gratuitous ARP packets, so that the ARP information cached by a host becomes wrong. Such a host then delivers IP packets to an illegitimate MAC address, by which the attacker achieves a man-in-the-middle attack or a denial of service.
On a network device, an IP-MAC binding table can be used to prevent tampering with ARP. On PCs, static binding is also required. If the IP address of a host or of the gateway needs to change, the bindings on all PCs must be changed, which causes a large amount of administrator work.
Because the ARP protocol itself performs no authentication of either party in the ARP exchange, client PCs are easily subjected to ARP spoofing attacks.
Some solutions in the prior art require that all terminals implement an authenticated ARP protocol; as soon as the network contains devices such as routers or switches that cannot support it, the whole scheme becomes difficult to deploy.
The prior art can also perform mutual authentication by means of a shared key, but this has a drawback: with many clients, the shared key is easily lost or stolen, so that an attacker can also forge authenticated ARP messages.
Summary of the invention
In order to solve the above problems in the prior art, the present invention proposes an interactive method for the address resolution protocol, comprising the following steps: step 1, generating a public key and a private key of the device, and having all clients under the device obtain the public key of the device; step 2, when the device receives an address resolution protocol request message from a client, the device uses a signature algorithm to sign the address resolution protocol packet to be sent with its private key, and sends the generated signature together with the address resolution protocol packet to the client as an address resolution protocol reply message; and step 3, after the client receives the address resolution protocol reply message from the device, deciding whether to refresh the address resolution protocol cache in the client according to the state of the reply message.
The method according to the invention further includes, in the address resolution protocol reply message, an attaching signature that helps the client perform address resolution.
When another client under the device requests the address resolution protocol address of the client from the client, the client appends the attaching signature to the address resolution protocol reply message sent to the other client.
Step 3 comprises: judging whether the signature in the reply message passes public key verification; if it does, refreshing the address resolution protocol cache in the client, otherwise not refreshing the address resolution protocol cache in the client.
Step 3 further comprises: when the reply message contains no signature, further judging whether the existing IP-MAC entry in the client was produced by an authenticated address resolution protocol reply message; if so, not refreshing the address resolution protocol cache in the client, otherwise refreshing the address resolution protocol cache in the client.
According to the method of the invention, the signature algorithm comprises the RSA algorithm.
The address resolution protocol request message sent by the client contains the IP address, MAC address and a challenge parameter of the client.
The address resolution protocol reply message sent by the device contains the IP address, MAC address and signature of the device.
In addition, the address resolution protocol reply message sent by the device contains the IP address, MAC address, signature and attaching signature of the device.
The signature is generated according to the RSA algorithm from the IP address, MAC address and challenge parameter in the address resolution protocol reply message.
The attaching signature is generated by the device applying a public key signature, according to the signature algorithm, to the IP address, MAC address and trust expiry time of the client.
Only the IP address and MAC address belonging to the client are allowed to be added to an address resolution protocol request or reply message and sent from the client.
When the address resolution protocol requests received by the device within a predetermined time contain no challenge parameter, the device requires the client to install an address resolution protocol authentication tool.
Therefore, by adopting the method of the invention, ARP attacks can be protected against while remaining compatible with existing equipment.
Other features and advantages of the present invention will be set forth in the following description, and will in part become apparent from the description or be understood by practicing the invention. The objects and other advantages of the invention can be realized and obtained by the structures particularly pointed out in the written specification, the claims and the accompanying drawings.
Description of drawings
The accompanying drawings are provided for further understanding of the invention and constitute a part of the specification; together with the embodiments of the invention they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is a flow chart of the method according to the invention;
Fig. 2 is a schematic diagram of the ARP attack prevention strategy devised by the method of the invention; and
Fig. 3 is a schematic diagram of a first embodiment of the method of the invention.
Embodiment
The preferred embodiments of the invention are described below with reference to the accompanying drawings; it should be understood that the preferred embodiments described here are only used to describe and explain the invention and not to limit it.
Fig. 1 is a flow chart of the method according to the invention.
As shown in Fig. 1, the method comprises the following steps:
S102, generating a public key and a private key of the device, and having all clients under the device obtain the public key of the device;
S104, when the device receives an address resolution protocol request message from a client, the device uses a signature algorithm to sign the address resolution protocol packet to be sent with its private key, and sends the generated signature together with the address resolution protocol packet to the client as an address resolution protocol reply message; and
S106, after the client receives the address resolution protocol reply message from the device, deciding whether to refresh the address resolution protocol cache in the client according to the state of the reply message.
The method according to the invention further includes, in the address resolution protocol reply message, an attaching signature that helps the client perform address resolution.
When another client under the device requests the address resolution protocol address of the client from the client, the client appends the attaching signature to the address resolution protocol reply message sent to the other client.
S106 comprises: judging whether the signature in the reply message passes public key verification; if it does, refreshing the address resolution protocol cache in the client, otherwise not refreshing the address resolution protocol cache in the client.
S106 further comprises: when the reply message contains no signature, further judging whether the existing IP-MAC entry in the client was produced by an authenticated address resolution protocol reply message; if so, not refreshing the address resolution protocol cache in the client, otherwise refreshing the address resolution protocol cache in the client.
According to the method of the invention, the signature algorithm comprises the RSA algorithm.
The address resolution protocol request message sent by the client contains the IP address, MAC address and a challenge parameter of the client.
The address resolution protocol reply message sent by the device contains the IP address, MAC address and signature of the device.
In addition, the address resolution protocol reply message sent by the device contains the IP address, MAC address, signature and attaching signature of the device.
The signature is generated according to the RSA algorithm from the IP address, MAC address and challenge parameter in the address resolution protocol reply message.
The attaching signature is generated by the device applying a public key signature, according to the signature algorithm, to the IP address, MAC address and trust expiry time of the client.
Only the IP address and MAC address belonging to the client are allowed to be added to an address resolution protocol request or reply message and sent from the client.
When the address resolution protocol requests received by the device within a predetermined time contain no challenge parameter, the device requires the client to install an address resolution protocol authentication tool.
Fig. 2 is a schematic diagram of the ARP attack prevention strategy devised by the method of the invention.
Assume that all terminals trust the public key of a certain device; this device is a central device, generally the gateway.
As shown in Fig. 2, using public/private key pair technology, the public and private keys are generated on the device and the clients hold its public key. The device signs ARP packets with its private key and attaches the signature to the ARP packet; when a client receives such an ARP packet it can verify the signature and refresh its ARP cache. The client can remain backward compatible with ordinary ARP packets: if the ARP entry in the cache was authenticated, an ordinary ARP packet will not refresh that entry.
The client adds a challenge parameter (Challenge) to the ARP request, and the device adds a signature (Signature) to the ARP reply, where in the reply Signature = RSAsign(IP || MAC || Challenge); IP and MAC are those in the ARP reply, and Challenge is implicitly equal to the Challenge in the request. The signature algorithm can use, but is not limited to, RSA.
Challenge is a value attached to the request; in gratuitous ARP, Challenge is all zeros. When a client receives a gratuitous ARP, it can actively initiate an ARP request.
(1) Backward compatibility
Client PCs and devices can both support backward compatibility. When the device does not support authenticated ARP, the PC can receive normal ARP messages, because the ARP entries in its cache are all unauthenticated and can be refreshed normally. When the PC does not support authenticated ARP, the device can be backward compatible by sending an authenticated ARP reply and a normal ARP reply at the same time.
If a PC that has received a validly authenticated IP-MAC binding still receives an ARP request or reply for the same IP but with a different MAC, it broadcasts an ARP request again to confirm whether this is a legitimate device replacement or a forged ARP. When no legitimately signed reply is received after several broadcast ARP requests, the PC accepts the unsigned ARP reply. This mechanism guarantees that the PC needs no configuration when the device is replaced or the device's MAC address changes.
(2) Verification between clients
In most cases, the IP/MAC address binding of the gateway cannot be forged, which already solves most of the problem. Where ARP security between clients is also needed, the following mechanism can be chosen.
A list of IP/MAC binding relationships can be kept on the trusted device. After a terminal in this list comes online, it receives, through the ARP authentication reply message, an attaching signature RSASign(IP, MAC, ExpireTime), where IP is the IP address of this terminal, MAC is the MAC address of this terminal, and ExpireTime is the trust expiry time, signed with the public key signature of the trusted device. When another terminal requests the ARP address of this terminal, this message is appended to the ARP reply, and the requester can then verify the message and trust that the IP/MAC binding is established.
ExpireTime is introduced to prevent replay attacks: even if an attacker has obtained a valid signature over IP/MAC/ExpireTime with a network sniffing program, the message cannot be replayed for long.
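The challenge-bound signature exchange of Fig. 2, the client's cache refresh rules of step 3, and the ExpireTime-limited attaching signature of section (2), modelled in Python as an added example; this is not the patent's or Hillstone's code. The RSA key pair is a constructed toy (two small Mersenne primes) so the block runs offline, and the byte encoding of the signed fields, the class names and the client/device helpers are assumptions of this example rather than anything the patent specifies.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed toy RSA key pair (two Mersenne primes, ~150-bit modulus) so the block
# runs offline; it only illustrates the scheme and is far too small for real use.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537                     # device public key, distributed to all clients
D = pow(E, -1, (P - 1) * (Q - 1))       # device private key, never leaves the device

def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def rsa_sign(msg: bytes) -> int:                 # device side (private key)
    return pow(_digest(msg), D, N)

def rsa_verify(msg: bytes, sig: int) -> bool:    # client side (public key)
    return pow(sig, E, N) == _digest(msg)

def encode(ip: str, mac: str, extra: bytes) -> bytes:
    # Assumed byte layout of what gets signed: IP || MAC || Challenge (or || ExpireTime).
    return ip.encode() + b"|" + mac.encode() + b"|" + extra

GRATUITOUS_CHALLENGE = b"\x00" * 4      # per the patent, Challenge is all zeros in gratuitous ARP

@dataclass
class ArpReply:
    ip: str
    mac: str
    signature: Optional[int] = None     # None on a legacy, unsigned reply

def device_reply(ip: str, mac: str, challenge: bytes) -> ArpReply:
    """Device answers a challenge-bearing request: Signature = RSAsign(IP||MAC||Challenge)."""
    return ArpReply(ip, mac, rsa_sign(encode(ip, mac, challenge)))

def attaching_signature(ip: str, mac: str, expire_time: int) -> Tuple[str, str, int, int]:
    """Device-issued (IP, MAC, ExpireTime, RSASign) that a client appends to its own replies."""
    return ip, mac, expire_time, rsa_sign(encode(ip, mac, str(expire_time).encode()))

def verify_attaching(att: Tuple[str, str, int, int], now: int) -> bool:
    """Another client checks the attached binding; ExpireTime bounds replay of a sniffed copy."""
    ip, mac, expire_time, sig = att
    return now < expire_time and rsa_verify(encode(ip, mac, str(expire_time).encode()), sig)

@dataclass
class Client:
    cache: Dict[str, Tuple[str, bool]] = field(default_factory=dict)  # ip -> (mac, authenticated)
    pending: Dict[str, bytes] = field(default_factory=dict)           # ip -> challenge we sent

    def request(self, ip: str, challenge: bytes) -> Tuple[str, bytes]:
        """Send an ARP request carrying a fresh Challenge and remember it for the reply."""
        self.pending[ip] = challenge
        return ip, challenge

    def receive(self, reply: ArpReply) -> bool:
        """Step 3 / S106 decision: return True if the ARP cache was refreshed."""
        if reply.signature is not None:
            # Bind the reply to our outstanding challenge; an unsolicited (gratuitous)
            # signed reply must instead carry the all-zero challenge.
            challenge = self.pending.get(reply.ip, GRATUITOUS_CHALLENGE)
            if not rsa_verify(encode(reply.ip, reply.mac, challenge), reply.signature):
                return False                      # forged or replayed signature: ignore
            self.pending.pop(reply.ip, None)
            self.cache[reply.ip] = (reply.mac, True)
            return True
        # Unsigned reply (legacy device): accepted only if the existing entry for this
        # IP was not itself produced by an authenticated reply.
        entry = self.cache.get(reply.ip)
        if entry is not None and entry[1]:
            return False
        self.cache[reply.ip] = (reply.mac, False)
        return True
```

The client keeps one challenge per outstanding request, so a reply signed for an earlier challenge fails verification even though the device genuinely signed it.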
(3) Preventing clients from sending ARP attacks
A check can be added to the client software that does not allow sending ARP requests or replies for IP/MAC addresses that do not belong to this terminal. This check ensures that most ARP viruses cannot affect the network.
(4) Gateway-enforced installation of the ARP authentication client
When the gateway receives an ARP request that does not carry the authentication challenge, it can conclude that this client has not installed the ARP authentication tool. The gateway device can redirect the client to a client download page by intercepting the client's HTTP access.
There is a kind of malicious attack in which unauthenticated ARP requests impersonating the victim's IP are sent continuously, making the gateway believe that the host with this IP has not installed the client and thereby disturbing that host's network access. The gateway can prevent this attack by recording the time at which this IP last sent an ARP request containing authentication information: only when no authenticated ARP request is received within a period of time does it conclude that the client has not installed the tool.
Fig. 3 is a schematic diagram of a first embodiment of the method of the invention.
As shown in Fig. 3, the device is connected to a layer-2 network through a switch, or directly to the user PCs. The authenticated ARP client is downloaded and installed on the user PC either by forced installation through the device or manually by the user. The user PC and the device then exchange authenticated ARP. An attacker's ARP reply (or gratuitous ARP) cannot be verified and therefore cannot refresh the ARP entry on the user PC.
In summary, by adopting the method of the invention, ARP spoofing can be completely prevented on devices that support authenticated ARP while remaining compatible with existing equipment.
The above are only preferred embodiments of the invention and do not limit it; for those skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (13)

1. An interactive method for the address resolution protocol, characterized in that the method comprises the following steps:
Step 1, generating a public key and a private key of a device, and having all clients under the device obtain the public key of the device;
Step 2, when the device receives an address resolution protocol request message from a client, the device uses a signature algorithm to sign the address resolution protocol packet to be sent with its private key, and sends the generated signature together with the address resolution protocol packet to the client as an address resolution protocol reply message; and
Step 3, after the client receives the address resolution protocol reply message from the device, deciding whether to refresh the address resolution protocol cache in the client according to the state of the reply message.
2. The method according to claim 1, characterized in that the address resolution protocol reply message further comprises an attaching signature that helps the client perform address resolution.
3. The method according to claim 2, characterized in that, when another client under the device requests the address resolution protocol address of the client from the client, the client appends the attaching signature to the address resolution protocol reply message sent to the other client.
4. The method according to claim 1 or 2, characterized in that step 3 comprises:
judging whether the signature in the reply message passes public key verification; if it does, refreshing the address resolution protocol cache in the client, otherwise not refreshing the address resolution protocol cache in the client.
5. The method according to claim 4, characterized in that step 3 further comprises:
when the reply message contains no signature, further judging whether the existing IP-MAC entry in the client was produced by an authenticated address resolution protocol reply message; if so, not refreshing the address resolution protocol cache in the client, otherwise refreshing the address resolution protocol cache in the client.
6. The method according to claim 5, characterized in that the signature algorithm comprises the RSA algorithm.
7. The method according to claim 6, characterized in that the address resolution protocol request message sent by the client comprises the IP address, MAC address and challenge parameter of the client.
8. The method according to claim 1, characterized in that the address resolution protocol reply message sent by the device comprises the IP address, MAC address and signature of the device.
9. The method according to claim 2, characterized in that the address resolution protocol reply message sent by the device comprises the IP address, MAC address, signature and attaching signature of the device.
10. The method according to claim 8 or 9, characterized in that the signature is generated according to the RSA algorithm from the IP address, MAC address and challenge parameter in the address resolution protocol reply message.
11. The method according to claim 9, characterized in that the attaching signature is generated by the device applying a public key signature, according to the signature algorithm, to the IP address, MAC address and trust expiry time of the client.
12. The method according to claim 10, characterized in that only the IP address and MAC address belonging to the client are allowed to be added to an address resolution protocol request message or reply message and sent from the client.
13. The method according to claim 12, characterized in that, when the address resolution protocol requests received by the device within a predetermined time do not contain the challenge parameter, the device requires the client to install an address resolution protocol authentication tool.
Priority Applications (1)

Application Number / Priority Date / Filing Date / Title
CN2008101169492A (CN101635621B) / 2008-07-21 / 2008-07-21 / Interactive method for address resolution protocol

Publications (2)

Publication Number / Publication Date
CN101635621A / 2010-01-27
CN101635621B / 2012-07-25

Family ID: 41594692

Country Status (1)

CN: CN101635621B

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number / Priority date / Publication date / Assignee / Title
CN113347198A * / 2021-06-23 / 2021-09-03 / 深圳壹账通智能科技有限公司 / ARP message processing method, device, network equipment and storage medium
CN113347198B * / 2021-06-23 / 2022-07-08 / 深圳壹账通智能科技有限公司 / ARP message processing method, device, network equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number / Priority date / Publication date / Assignee / Title
CN101150406B * / 2006-09-18 / 2011-06-08 / 华为技术有限公司 / Network device authentication method and system and relay forward device based on 802.1x protocol

Also Published As

CN101635621B (en) / 2012-07-25


Legal Events

Code / Title / Description
C06 / Publication
PB01 / Publication
C10 / Entry into substantive examination
SE01 / Entry into force of request for substantive examination
C14 / Grant of patent or utility model
GR01 / Patent grant
ASS / Succession or assignment of patent right
    Owner name: HILLSTONE NETWORKS COMMUNICATION TECHNOLOGY CO., L
    Free format text: FORMER OWNER: HILLSTONE NETWORKS (BEIJING) INC.
    Effective date: 20140716
C41 / Transfer of patent application or patent right or utility model
COR / Change of bibliographic data
    Free format text: CORRECT: ADDRESS; FROM: 100085 HAIDIAN, BEIJING TO: 215163 SUZHOU, JIANGSU PROVINCE
TR01 / Transfer of patent right
    Effective date of registration: 20140716
    Address after: 215163 3rd Floor, 7th Building, High-tech Software Park, 78 Keling Road, Suzhou High-tech Zone (Suzhou city), Jiangsu Province
    Patentee after: HILLSTONE NETWORKS
    Address before: 100085 3rd floor, Huizhong Building, No. 1 Shangdi 7th Street, Haidian District, Beijing
    Patentee before: Hillstone Networks Communication Technology (Beijing) Co., Ltd.
CP03 / Change of name, title or address
    Address after: 215163 No. 181 Jingrun Road, Suzhou High-tech Zone, Jiangsu Province
    Patentee after: SHANSHI NETWORK COMMUNICATION TECHNOLOGY CO., LTD.
    Address before: 215163 3rd Floor, 7th Building, High-tech Software Park, 78 Keling Road, Suzhou Science and Technology City, Jiangsu Province
    Patentee before: HILLSTONE NETWORKS