Summary of the invention
To solve the above problems of the prior art, the present invention proposes an exchange method for the address resolution protocol (ARP). The method comprises the following steps: step 1, generating a public key and a private key for a device, and having all clients under the device obtain the device's public key; step 2, when the device receives an ARP request message from a client, the device signs the ARP packet to be sent with its private key using a signature algorithm, and sends the ARP packet together with the generated signature to the client as an ARP response message; and step 3, after the client receives the ARP response message from the device, deciding whether to refresh the ARP cache in the client according to the state of the response message.
The method according to the invention further comprises including, in the ARP response message, an attached signature that helps the client perform address resolution.
When another client under the device requests the ARP address of the client, the client appends the attached signature to the ARP response message sent to that other client.
Step 3 comprises: judging whether the signature in the response message passes verification with the public key; if it passes, refreshing the ARP cache in the client; otherwise, not refreshing the ARP cache in the client.
Step 3 further comprises: when the response message contains no signature, further judging whether the existing IP-MAC entry in the client was produced by an authenticated ARP response message; if so, not refreshing the ARP cache in the client; otherwise, refreshing the ARP cache in the client.
According to the method of the invention, the signature algorithm comprises the RSA algorithm.
The ARP request message sent by the client contains the IP address, MAC address and challenge parameter of the client.
The ARP response message sent by the device contains the IP address, MAC address and signature of the device.
In addition, the ARP response message sent by the device may contain the device's IP address, MAC address and signature together with the attached signature.
The signature is generated with the RSA algorithm from the IP address, MAC address and challenge parameter in the ARP response message.
The attached signature is generated by the device by signing the client's IP address, MAC address and trust expiry time under the device's public-key signature scheme.
Only an IP address and MAC address that belong to the client are allowed to be placed in an ARP request or response message sent from the client.
When no challenge parameter is contained in the ARP requests received by the device within a predetermined time, the device requires the client to install the ARP authentication tool.
Therefore, by adopting the method of the invention, ARP attacks can be guarded against while remaining compatible with existing equipment.
Other features and advantages of the present invention will be set forth in the following description, and will partly become apparent from the description or be understood by implementing the invention. The objects and other advantages of the invention can be realized and obtained by the structures particularly pointed out in the written description, the claims and the accompanying drawings.
Embodiment
The preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described herein are only used to describe and explain the invention and are not intended to limit it.
Fig. 1 is a flow chart of the method according to the invention.
As shown in Fig. 1, the method comprises the following steps:
S102, generating a public key and a private key for the device, and having all clients under the device obtain the device's public key;
S104, when the device receives an ARP request message from a client, the device signs the ARP packet to be sent with its private key using a signature algorithm, and sends the ARP packet together with the generated signature to the client as an ARP response message; and
S106, after the client receives the ARP response message from the device, deciding whether to refresh the ARP cache in the client according to the state of the response message.
The method according to the invention further comprises including, in the ARP response message, an attached signature that helps the client perform address resolution.
When another client under the device requests the ARP address of the client, the client appends the attached signature to the ARP response message sent to that other client.
S106 comprises: judging whether the signature in the response message passes verification with the public key; if it passes, refreshing the ARP cache in the client; otherwise, not refreshing the ARP cache in the client.
S106 further comprises: when the response message contains no signature, further judging whether the existing IP-MAC entry in the client was produced by an authenticated ARP response message; if so, not refreshing the ARP cache in the client; otherwise, refreshing the ARP cache in the client.
According to the method of the invention, the signature algorithm comprises the RSA algorithm.
The ARP request message sent by the client contains the IP address, MAC address and challenge parameter of the client.
The ARP response message sent by the device contains the IP address, MAC address and signature of the device.
In addition, the ARP response message sent by the device may contain the device's IP address, MAC address and signature together with the attached signature.
The signature is generated with the RSA algorithm from the IP address, MAC address and challenge parameter in the ARP response message.
The attached signature is generated by the device by signing the client's IP address, MAC address and trust expiry time under the device's public-key signature scheme.
Only an IP address and MAC address that belong to the client are allowed to be placed in an ARP request or response message sent from the client.
When no challenge parameter is contained in the ARP requests received by the device within a predetermined time, the device requires the client to install the ARP authentication tool.
Fig. 2 is a schematic diagram of the ARP attack prevention policy originating from the method of the invention.
Assume that all terminals trust the public key of a certain device; this device is a central device, generally the gateway.
As shown in Fig. 2, public/private key pair technology is used: the public and private keys are generated on the device, and the clients hold its public key. The device signs ARP packets with its private key and attaches the signature to the ARP packet; when a client receives such an ARP packet it can verify the signature and then refresh its ARP cache. The client remains backward-compatible with ordinary ARP packets: if the ARP entry in the cache was authenticated, an ordinary packet will not refresh it.
The client adds a challenge parameter (Challenge) to the ARP request, and the device adds a signature (Signature) to the ARP reply, where Signature = RSAsign(IP || MAC || Challenge) in the reply; IP and MAC are implicit in the ARP reply, and the Challenge equals the Challenge in the request. The signature algorithm can use, but is not limited to, RSA.
The Challenge is a value attached to the request; in gratuitous ARP the Challenge is all zeros. When a client receives a gratuitous ARP, it can actively initiate an ARP request.
(1) Backward compatibility
Client PCs and devices can both support backward compatibility. If the device does not support authenticated ARP, the PC can receive normal ARP messages, because the ARP entries in its cache are all unauthenticated and can be refreshed normally. If the PC does not support authenticated ARP, the device can be backward compatible by sending an authenticated ARP reply and a normal ARP reply at the same time.
When a PC that has received a validly authenticated IP-MAC binding still receives an ARP request or reply with the same IP but a different MAC, it broadcasts a further ARP request to confirm whether this is a normal device replacement or a forged ARP. When several broadcast ARP requests receive no validly signed reply, the PC accepts the unsigned ARP reply. This mechanism ensures that the PC needs no configuration when the device is replaced or the device's MAC address changes.
(2) Verification between clients
In most cases, the IP/MAC binding of the gateway cannot be forged, which solves most problems. If ARP security between clients is also required, the following mechanism can be chosen.
An IP/MAC binding list can be kept on the trusted device. After a terminal in this list comes online, it receives, via an ARP authentication reply message, an attached signature RSASign(IP, MAC, ExpireTime), where IP is the terminal's IP address, MAC is the terminal's MAC address and ExpireTime is the trust expiry time, signed under the public-key signature of the trusted device. When another terminal requests the ARP address of this terminal, this message is appended to the ARP reply, and the requester can verify the message and trust the IP/MAC binding.
ExpireTime is introduced to prevent replay attacks: even if an attacker has captured a valid IP/MAC/ExpireTime signature with a network sniffer, the message cannot be replayed indefinitely.
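The exchange described in steps S102 to S106 above, together with the attached signature and ExpireTime check of section (2), as one added example that is not code from the patent: the gateway signs IP || MAC || Challenge for a normal reply and (IP, MAC, ExpireTime) for the attached signature, and the client applies the S106 decision rule to signed and unsigned replies. The RSA used here is a constructed textbook hash-then-modpow scheme without padding, so that the block runs offline; the message layout, dictionary field names and the 64-bit random Challenge are assumptions, not details from the page.

```python
"""Constructed model of the challenge-signed ARP exchange (steps S102-S106) and of the
gateway-issued attached signature with ExpireTime. Added example, not the patent's code.
RSA is textbook hash-then-modpow with no padding so the block runs offline; a real
deployment would use a padded scheme such as RSA-PSS."""
import hashlib
import random

def _is_probable_prime(n, rounds=16):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin rounds
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """S102: the gateway generates (public, private); every client obtains the public key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(*fields):
    """SHA-256 of IP || MAC || ... as an integer (256 bits, below any 512-bit modulus)."""
    return int.from_bytes(hashlib.sha256(b"|".join(str(f).encode() for f in fields)).digest(), "big")

def sign(priv, *fields):
    n, d = priv
    return pow(_digest(*fields), d, n)

def verify(pub, sig, *fields):
    n, e = pub
    return pow(sig, e, n) == _digest(*fields)

def gateway_reply(priv, ip, mac, request):
    """S104: Signature = RSAsign(IP || MAC || Challenge), Challenge copied from the request."""
    ch = request["challenge"]
    return {"ip": ip, "mac": mac, "challenge": ch, "signature": sign(priv, ip, mac, ch)}

def gateway_attach(priv, client_ip, client_mac, expire_time):
    """Attached signature RSASign(IP, MAC, ExpireTime) for a client on the gateway's binding list."""
    return {"ip": client_ip, "mac": client_mac, "expire": expire_time,
            "signature": sign(priv, client_ip, client_mac, expire_time)}

class ArpClient:
    def __init__(self, gateway_pub):
        self.pub = gateway_pub
        self.cache = {}    # ip -> (mac, authenticated)
        self.pending = {}  # ip -> Challenge of the outstanding request

    def request(self, ip):
        self.pending[ip] = random.getrandbits(64)  # assumed: fresh random Challenge per request
        return {"target": ip, "challenge": self.pending[ip]}

    def handle_reply(self, reply):
        """S106: return True when the reply was allowed to refresh the cache."""
        ip, mac, sig = reply["ip"], reply["mac"], reply.get("signature")
        if sig is not None:
            # Signed reply: Challenge must match our outstanding request (blocks replay)
            # and the signature must verify under the gateway's public key.
            ok = reply["challenge"] == self.pending.get(ip) and verify(self.pub, sig, ip, mac, reply["challenge"])
            if ok:
                self.cache[ip] = (mac, True)
                self.pending.pop(ip, None)
            return ok
        # Unsigned (legacy) reply: may fill or replace an unauthenticated entry only.
        if self.cache.get(ip, (None, False))[1]:
            return False
        self.cache[ip] = (mac, False)
        return True

    def handle_attached(self, att, now):
        """Client-to-client check: accept a gateway-signed (IP, MAC, ExpireTime) that is unexpired at `now`."""
        if att["expire"] <= now or not verify(self.pub, att["signature"], att["ip"], att["mac"], att["expire"]):
            return False
        self.cache[att["ip"]] = (att["mac"], True)
        return True
```

Two behaviours are worth noting when running it: a captured signed reply cannot be replayed later, because its Challenge no longer matches any outstanding request, and an unsigned reply is accepted only while the cache entry it targets is itself unauthenticated, which is exactly the backward-compatibility rule of S106.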
(3) Preventing clients from sending ARP attacks
A check can be added to the client software that does not allow sending ARP requests or replies for IP/MAC addresses that do not belong to this terminal. This check ensures that most ARP viruses cannot affect the network.
(4) The gateway forces installation of the ARP authentication client
When the gateway receives an ARP request without an authentication challenge, it can assume that the client has not installed the ARP authentication tool. The gateway device can redirect the client to the client download page by intercepting the client's HTTP access.
There is a malicious attack in which unauthenticated ARP requests impersonating the victim's IP are sent continuously, making the gateway believe that the host with this IP has not installed the client and thereby disturbing that host's network access. The gateway can prevent this attack by recording the last time an ARP request containing authentication information was sent from this IP. Only when no authenticated ARP request has been received within a period of time does it conclude that the client has not installed the tool.
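The gateway-side timer described in section (4), as an added example that is not the patent's code: the gateway records, per source IP, when it last saw an ARP request carrying a Challenge, and only treats a host as lacking the client once that timestamp (or, for a host never seen with a Challenge, its first sighting) is older than a grace window. The window length and the `InstallEnforcer` name are assumptions; the page gives no value for its "period of time".

```python
"""Gateway enforcement timer for the ARP authentication client (constructed example)."""

GRACE_SECONDS = 300.0  # assumed length of the "period of time"; the page gives no value


class InstallEnforcer:
    def __init__(self, grace=GRACE_SECONDS):
        self.grace = grace
        self.first_seen = {}          # ip -> time of the first ARP request from this IP
        self.last_authenticated = {}  # ip -> time of the last request carrying a Challenge

    def observe_request(self, src_ip, has_challenge, now):
        """Record an ARP request from src_ip at time `now`.

        Returns True only when the gateway should conclude that the host has not
        installed the client and redirect it to the download page.  A stream of
        unauthenticated requests that impersonate an IP which recently sent a
        Challenge therefore changes nothing until the grace window has elapsed."""
        self.first_seen.setdefault(src_ip, now)
        if has_challenge:
            self.last_authenticated[src_ip] = now
            return False
        reference = self.last_authenticated.get(src_ip, self.first_seen[src_ip])
        return now - reference >= self.grace
```

A host that genuinely lacks the client is still caught: it never produces a Challenge, so once its first sighting is older than the window the next unauthenticated request triggers the redirect.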
Fig. 3 is a schematic diagram of the first embodiment of the method of the invention.
As shown in Fig. 3, the device is connected to a layer-2 network through a switch, or directly to a user PC. The authenticated ARP client is downloaded and installed on the user PC either through forced installation by the device or manually by the user. The user PC and the device then perform the authenticated ARP interaction. An attacker's ARP reply (or gratuitous ARP) cannot be verified and therefore cannot refresh the ARP entry on the user PC.
In summary, by adopting the method of the invention, ARP spoofing can be fully prevented on devices that support authenticated ARP while remaining compatible with existing equipment.
The above are only preferred embodiments of the present invention and do not limit it; for those skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.