CN1290088A - Method and apparatus for communication network security using invalid-symbol security jamming - Google Patents


Info

Publication number: CN1290088A
Authority: CN (China)
Prior art keywords: address, destination, transmitter, source, packet
Legal status: Pending
Application number: CN 99121076
Other languages: Chinese (zh)
Inventor: 迈克尔·A·索科尔
Current assignee: FIRST GRADE COMMUNICATION LLC
Original assignee: FIRST GRADE COMMUNICATION LLC

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A security device for use in local area network equipment (such as a multiport repeater) to prevent eavesdropping. In packets that are not meant for unintended transceivers connected to the communication network equipment, the data are overwritten with invalid symbols that are independent of the data, so that secret and user-sensitive information is not delivered to the unintended transceivers. The invalid symbols unambiguously inform the unintended transceivers that the data in the packet are invalid.

Description

Method and apparatus for communication network security using invalid-symbol security jamming
The present invention relates generally to a security control apparatus, and more particularly to a method and apparatus that use invalid symbols to jam data communication to unintended network devices in a communication network and so prevent eavesdropping.
Recent advances in data communication technology have greatly improved resource sharing between computer systems by using networks that provide reliable high-speed data channels. Common standards give networks generality, so that user applications can exchange information across them independently of the vendor's equipment and communication procedures. As networks have become ubiquitous, the demands on network performance have also risen. Increasingly sophisticated protocols have been developed to meet these demands, using the twisted-pair wiring already installed in office buildings, so that virtually every computer-literate user can access resources at minimal cost.
A multiport repeater is a commonly used communication network device that provides network access to end users (personal computers, workstations, and so on). The device has a number of "ports". In many cases each port is connected to an end node by 10BASE-T "twisted pair" or by 100BASE-X as specified in the IEEE 802.3 standard. The ports are the physical interface between the communication network device and the end-user stations. Each port operates according to the IEEE 802.3 repeater model: when a data communication packet is received on any single port, the standard requires it to be retransmitted to every other port. When more than one packet is received at the same time, the multiport repeater performs the collision algorithm specified in the standard.
An Ethernet bridge is a device with two or more physical ports that can deliver a packet received on any port to a single other port according to the packet's destination address. Packets that are not delivered to a port are considered filtered.
The Media Access Control (MAC) function converts digital information (generally stored in memory in the form of packets) into the actual Ethernet frames that can be transmitted over the Ethernet connection, and conversely stores frames received from the network connection in memory as packets.
One of the key problems in network security is eavesdropping. Because a packet received on one port of a repeater is retransmitted to all ports of the repeater, eavesdropping is possible: without some security mechanism, the network devices connected to ports other than the port associated with the packet's destination address will also receive the packet. Ethernet bridges do not have this problem, because by using the source and destination information contained in a packet they can deliver the packet to the desired port (that is, the port connected to the end-user station whose source address matches the packet's destination address) without retransmitting it to the devices on the other ports.
To prevent eavesdropping on local area networks (LANs) or wide area networks (WANs) that use multiport repeaters, without the cost and signal delay associated with using a bridge, an improved security mechanism is needed. In typical network operation with a "multiport repeater", each port of the repeater is permanently dedicated to a single user. For the network, a user is uniquely identified by the Ethernet address associated with the user's end-node device (personal computer, workstation, and so on). Each time the user sends a packet on the network, the end node automatically sends its Ethernet address in the "source address field", which the IEEE 802.3 standard specifies as part of the packet. The packet also contains a "destination address field" that identifies the intended receiver of the packet.
One situation a network security scheme encounters is network devices intercepting sensitive or secret data that are not intended for them. One way of handling this problem is to stop data transmission to the unintended network devices. The major drawback of this scheme, however, is the possibility of unwanted collisions, because the network devices cut off from the traffic cannot know when the other network devices intend to transmit. This scheme also violates the IEEE 802.3 repeater standard.
U.S. Patent Nos. 5,161,192 and 4,901,348, issued to Carter et al. and Nicols et al. respectively, disclose a method of preventing eavesdropping. In this method, eavesdropping is prevented by replacing the data sent to unintended network devices with an unrelated or random code pattern. These security systems rely on the fact that, under the IEEE 802.3 standard or LAN protocol, replacement with an unrelated code pattern will produce a frame that is not a legal data frame. Specifically, IEEE 802.3 specifies a Media Access Control (MAC) frame structure that includes a method of checking the validity of transmitted data: a cyclic redundancy check (CRC) value is computed with a predetermined algorithm over the packet content (excluding the Start Frame Delimiter (SFD) and Frame Check Sequence (FCS) fields). To output a data packet, the transmitting device computes the CRC value and inserts it into the FCS field. The receiving system computes the CRC value from the packet and compares it with the value in the FCS field of the transmitted packet. If the two values are not equal, the error result indicates that the packet is invalid. Although the percentage of illegal frames recognized by this method is very high, the possibility remains that the unrelated code pattern is similar enough to the replaced data that no error is produced. In that case the unintended network device has no indication that it is not the intended destination and that the data are invalid. This leads to unwanted and undesirable negative results: treating the unrelated or random code pattern as legitimate data will lead users or network devices to take inappropriate, and possibly destructive, actions on the basis of those results.
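The FCS check that the prior-art schemes rely on, as an added example that is not part of the patent: the code builds an IEEE 802.3 frame with a CRC-32 FCS, jams the data field with random bytes the way the prior art does, and then constructs a jamming pattern that is unrelated to the original data yet still passes the receiver's FCS comparison (the "similar enough that no error is produced" case). That construction always succeeds because CRC-32 is affine over GF(2), so the last four replacement bytes can be solved for. Addresses, payload and all function names are constructed for the illustration.

```python
"""Added example (not from the patent): why an FCS comparison alone cannot tell a
receiver that jammed data are invalid."""
import os
import struct
import zlib

# Constructed sample addresses (locally administered, illustration only).
DST = bytes.fromhex("020000000001")
SRC = bytes.fromhex("020000000002")


def fcs(covered: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over DA..data, sent least-significant byte first.
    zlib.crc32 uses the Ethernet polynomial, reflection and final inversion."""
    return struct.pack("<I", zlib.crc32(covered) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """DA, SA, length, data padded to 46 bytes, FCS. Preamble and SFD are
    omitted because, as the text notes, the FCS does not cover them."""
    payload = payload.ljust(46, b"\x00")
    covered = dst + src + struct.pack("!H", len(payload)) + payload
    return covered + fcs(covered)


def fcs_ok(frame: bytes) -> bool:
    """Receiver-side validity check: recompute the CRC and compare with the FCS."""
    return fcs(frame[:-4]) == frame[-4:]


def random_scrub(frame: bytes) -> bytes:
    """Prior-art style jamming: overwrite the data field with unrelated random
    bytes, leaving the addresses, length field and original FCS untouched."""
    return frame[:14] + os.urandom(len(frame) - 18) + frame[-4:]


def _solve_gf2(cols: list, target: int) -> int:
    """Find x such that the XOR of cols[i] over the set bits i of x equals
    target (XOR-basis elimination over GF(2))."""
    basis = {}                       # pivot bit -> (reduced vector, combination)
    for i, c in enumerate(cols):
        v, comb = c, 1 << i
        for pb in sorted(basis, reverse=True):
            if v >> pb & 1:
                bv, bc = basis[pb]
                v ^= bv
                comb ^= bc
        if v:
            basis[v.bit_length() - 1] = (v, comb)
    x = 0
    for pb in sorted(basis, reverse=True):
        if target >> pb & 1:
            bv, bc = basis[pb]
            target ^= bv
            x ^= bc
    if target:
        raise ValueError("no solution")
    return x


def fcs_preserving_scrub(frame: bytes) -> bytes:
    """The residual case the text warns about, made deterministic: the data
    field is replaced by unrelated random bytes whose last four bytes are
    chosen so that the original FCS still verifies. For a 4-byte p the map
    p -> crc32(prefix || p) is affine and invertible, so p can be solved for."""
    covered = frame[:-4]
    prefix = frame[:14] + os.urandom(len(covered) - 14 - 4)
    want = zlib.crc32(covered)

    def g(p: int) -> int:
        return zlib.crc32(prefix + p.to_bytes(4, "big"))

    g0 = g(0)
    cols = [g(1 << i) ^ g0 for i in range(32)]
    p = _solve_gf2(cols, want ^ g0)
    return prefix + p.to_bytes(4, "big") + frame[-4:]


def demo() -> dict:
    """What a receiver concludes from the FCS alone for each variant."""
    frame = build_frame(DST, SRC, b"account=4711 pin=2468")   # constructed secret
    rnd = random_scrub(frame)
    forged = fcs_preserving_scrub(frame)
    return {
        "original_ok": fcs_ok(frame),
        "random_scrub_ok": fcs_ok(rnd),              # False except with probability 2**-32
        "fcs_preserving_scrub_ok": fcs_ok(forged),   # True: garbage accepted as valid data
        "forged_leaks_data": forged[14:-4] == frame[14:-4],
    }


if __name__ == "__main__":
    print(demo())
```

The point for the practitioner is that the CRC is an error-detection code, not an authenticity or validity signal: a jammer that replaces data but leaves the frame syntactically legal can only hope the receiver rejects it, and a pattern can even be chosen that the receiver will accept. The patent's HALT approach instead makes the line code itself carry the invalid indication.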
As noted above, an improved security mechanism is needed to prevent eavesdropping on LAN or WAN networks that use multiport repeaters, in which the packets delivered to unintended network devices are jammed in such a way that the receiving network device is told unambiguously that the data contained in the packet are invalid.
To overcome the limitations of the prior art described above, and other limitations that will become apparent on reading and understanding this specification, the present invention discloses a security countermeasure apparatus that uses the HALT symbol to prevent eavesdropping in a communication network having a communication network device such as a repeater. The security countermeasure apparatus prevents sensitive or secret data from being sent to unintended network devices on the communication network. Furthermore, as specified by the IEEE 802.3u standard published by the Institute of Electrical and Electronics Engineers, Inc. (IEEE), which is incorporated herein by reference, the HALT symbol indicates that the data in a packet (or protocol data unit, PDU) are invalid. An unintended end-user station will therefore not mistake the HALT symbol for valid data.
The security control apparatus stores the source addresses of the network devices connected to the communication network. After a packet is received, the security control apparatus compares the destination address contained in the packet with the stored source addresses. Network devices whose source address does not match the destination address receive the packet in altered form (that is, with the data in the packet replaced by HALT symbols), while network devices whose source address matches the destination address receive the packet in unaltered form.
The presence of the HALT symbol in the packet guarantees that the unintended network device knows the data are invalid; there is no ambiguity about the validity or invalidity of the data. Furthermore, because the HALT symbol represents a value that is independent of the data contained in the packet, no information about the original data is delivered to unintended network devices on the communication network.
These and other advantages that characterize the novelty of the invention are pointed out with particularity in the claims appended hereto and forming a part of this document. For a better understanding of the invention, its advantages, and the objects attained by its use, however, reference should be made to the drawings (which form a further part of this document) and to the accompanying descriptive matter, in which a specific example of an apparatus according to the invention is described.
Figure 1A is a system diagram illustrating the operation of the invention;
Figure 1B is a diagram illustrating the data structures of a packet in altered form and a packet in unaltered form according to the invention;
Fig. 2 is a functional block diagram of the security control apparatus of the invention;
Fig. 3 is a system block diagram showing the repeater management device of the invention;
Fig. 4 is a block diagram of a repeater/repeater management device according to the invention;
Fig. 5A is a block diagram illustrating the sequence of steps required to prevent eavesdropping according to the invention, in which the source address register is updated with "tracked" source addresses;
Fig. 5B is a block diagram illustrating the sequence of steps required to prevent eavesdropping according to the invention, in which the source address register is updated from the destination address register by a controller in unlocked mode.
In the following description of the preferred embodiment, reference is made to the accompanying drawings, which form a part of this document and which show by way of illustration an embodiment in which the invention may be practiced. It is to be understood that other embodiments may be utilized and changes may be made without departing from the scope of the invention.
The invention provides a security countermeasure apparatus for a communication network device of a communication network, which uses invalid symbols to prevent eavesdropping. The communication network device comprises a receiving unit and a transmitting unit: the receiving unit receives protocol data units (PDUs), or packets, through at least one port connected to the communication network, and the transmitting unit, operatively coupled to the receiving unit, sends out protocol data through at least one port connected to the communication network. The communication network device may also perform one or more communication network functions, including switching, routing, bridging and repeating. The details of the receiving unit and the transmitting unit are described with reference to Figs. 1-5 in the following discussion.
Figure 1A is a system diagram illustrating the operation of the invention. Communication network device 10 is operatively coupled to one or more transmitting or receiving units (transmitter-receivers) 22, 24, 26 and 28. A message or data 44 contained in a data communication packet 20, or PDU, is sent from transmitter-receiver 22 to communication network device 10. Some of these messages 44 are transmitter-receiver specific, that is, they are not intended for delivery to all the transmitter-receivers on communication network device 10. For purposes of illustration, Figure 1A shows a situation in which message 44 from transmitter-receiver 22 is intended for delivery to transmitter-receiver 24 and not to transmitter-receivers 26 and 28. According to the invention, communication network device 10 (which comprises repeater management device 60, management and address tracking unit 50, security control apparatus 40 and security countermeasure apparatus 30) allows original packet 20 (the unaltered PDU) to be delivered unchanged to the intended transmitter-receiver 24. Before it is sent to the unintended devices 26 and 28, however, communication network device 10 substitutes HALT symbols 48 for message 44 of the original unaltered PDU 20, thereby producing altered PDU 32. This operation is further described below with reference to Figure 1B.
Figure 1B is a diagram showing the data structures of the altered form 32 and the unaltered form 20 of the PDU. According to the IEEE 802.3 standard, as shown in the figure, the PDU comprises header field 34, Start Frame Delimiter (SFD) field 36, destination address field 38, source address field 40, length field 42, data field 44 (including pad characters if needed) and Frame Check Sequence (FCS) field 46. After communication network device 10 receives PDU 20 from transmitter-receiver 22, it compares destination address 38 with the known sources derived from the source address fields of all the sources previously tracked at communication network device 10. The known sources are held in source address register 54, which is further described below with reference to Fig. 2. Whether transmitter-receivers 24, 26 and 28 receive the unaltered PDU from communication network device 10 depends on whether their source addresses match the destination address of PDU 20. Those transmitter-receivers 26 and 28 whose source address does not match the destination address of the PDU receive the altered PDU, in which HALT symbols 48 are inserted into the data field in place of data 44. HALT symbols 48 may also be inserted into other parts of PDU 20 without departing from the scope of the invention; for example, HALT symbols 48 may be placed in source address field 40 or length field 42.
In one embodiment of the invention, the intended transmitter-receiver 24 is allowed to receive unaltered PDU 20 (its data 44 entirely undisturbed), while the unintended transmitter-receivers 26 and 28 receive altered PDU 32 (its data 44 replaced by HALT symbols 48). HALT symbols 48 clearly indicate to transmitter-receivers 26 and 28 that altered PDU 32 contains invalid data.
The teaching above can be used to adapt receiving units 24, 26 and 28, transmitting unit 22 and/or communication network device 10 to handle many different types of protocol data unit 20, including packets, frames and cells, as long as the relevant protocol specifies a HALT signal or a similar signal. Receiving units 24, 26 and 28, transmitting unit 22 and communication network device 10 may also be adapted to work in IEEE 802-based communication networks (such as twisted-pair-based communication networks).
One embodiment of the invention provides a Secure Operations Mode, which allows eavesdropping protection to be enabled selectively on a port-by-port basis. Destination address 38 of incoming PDU 20 is compared with the tracked source addresses corresponding to the selected enabled ports. Any selected enabled port whose source address does not match destination address 38 receives HALT symbols 48 instead of the original data 44 contained in PDU 20. Ports on which this function is not enabled continue to receive PDU 20 in unaltered form, whether or not the destination address matches a known source address.
Fig. 2 is a functional block diagram of security control apparatus 40 according to the invention. Security control apparatus 40 may be implemented in management and address tracking unit 50 by a combination of hardware and/or software. Security control apparatus 40 determines which PDUs are sent in unaltered form 20 to transmitter-receiver 24, and determines which transmitter-receivers 26 and 28 receive altered PDU 32.
Security control apparatus 40 comprises controller 56, and destination address register 52 operatively coupled to source address register 54. Destination address register 52 holds destination address 38 of the PDU 20 received by communication network device 10, and source address register 54 holds at least one source address. Each source address in source address register 54 corresponds to a known network device, that is, to one of the transmitter-receivers connected to network device 10.
Security control apparatus 40 comprises security countermeasure apparatus 30, operatively coupled to controller 56. Security countermeasure apparatus 30 jams data communication 20 to those transmitter-receivers 26 and 28 whose source address in source address register 54 does not match the destination address in data communication 20. Security countermeasure apparatus 30 jams data communication 20 by writing HALT symbols 48 into data field 44, length field 42 or source address field 40 of data communication 20, thereby producing altered PDU 32. As specified by the IEEE 802.3u standard, HALT symbols 48 clearly indicate to receiving transmitter-receivers 26 and 28 that altered PDU 32 is invalid.
In one embodiment, controller 56 includes a mechanism for operating in free-running, or unlocked, mode. In unlocked mode, before the source addresses in source address register 54 are compared with destination address 38 in destination address register 52, destination address 38 from destination address register 52 is inserted into source address register 54. The comparison therefore always produces a match, so that all transmitter-receivers connected to communication network device 10 receive unaltered PDU 20.
In another embodiment, controller 56 also includes a mechanism for operating in locked mode. In locked mode, the known sources contained in source address register 54 are not updated with destination address 38 stored in destination address register 52. Security control apparatus 40 then operates in the manner described above for Fig. 2.
Table I shows the action taken by controller 56, according to the lock mode and to whether destination address 38 of the incoming PDU stored in destination address register 52 matches a source address stored in source address register 54.
Table I
Lock mode    Match?      Action
Unlocked     Match       None (all receiving units receive unaltered PDU 20.)
Unlocked     No match    Update source address register 54; all receiving units receive unaltered PDU 20.
Locked       Match       The matching receiving unit receives unaltered PDU 20.
Locked       No match    All non-matching receiving units receive altered PDU 32.
As can be seen from Table I, when source address register 54 is "unlocked", controller 56 updates the source addresses in source address register 54 whenever a previously unknown source address is encountered. When source address register 54 is "locked", however, the controller provides a valuable security mechanism that prevents secret information from being eavesdropped on or intercepted by unintended network devices, by jamming the packets sent to unrecognized network devices.
In one embodiment, PDU 20 is delivered from port 12 to ports 14, 16 and 18 over data bypass path 58, which bypasses controller 56, so that the transfer of PDU 20 within communication network device 10 is handled by a combination of hardware and software rather than by controller 56. Data bypass path 58 is operatively coupled to receiving port 12 and transmitting ports 14, 16 and 18 of communication network device 10, so that the transfer of packet 20 goes around controller 56.
This arrangement allows the work of controller 56 to be concentrated on control operations, which speeds up the processing of PDU 20. Nevertheless, when the comparison between destination address register 52 and the source addresses stored in source address register 54 for ports 16 and 18 results in no match, controller 56 prevents the PDU 20 received on port 12 from being sent out on ports 16 and 18 in unaltered form. On the other hand, when the comparison between destination address register 52 and source address register 54 results in a match, controller 56 allows PDU 20, after it is received on port 12, to be output undisturbed through port 14.
Fig. 3 is a system block diagram showing the repeater management control system, or repeater management device (RMD) 60, and its associated interfaces. RMD 60 comprises management and address tracking unit 50, which implements security control apparatus 40 by a combination of hardware and/or software. The information used to determine the security monitoring control in management and address tracking unit 50 is transferred to management and address tracking unit 50. Local pins 78 provide a communication channel from the management and address tracking unit to other RMDs. RMD 60 uses serial interface 66, connected to the repeater, to send port status and control 64 information along a prescribed route; this information can then be forwarded to management and address tracking unit 50. Management and address tracking unit 50, together with medium access controller (MAC) 70, direct memory access (DMA) 74 and first-in-first-out memory (FIFO) 72, snoops inter-repeater bus 84. Management Information Base (MIB) and Repeater Monitor (RMON) counters 76 are provided for each port to track repeater port status. Port status and control 64, DMA 74 and MIB and RMON counters 76 all have access to central processing unit (CPU) interface 62. Main channel 80 and remote access channel 82 are provided between CPU interface 62 and DMA 74.
Fig. 4 describes an embodiment of repeater management device (RMD) 60. Information is exchanged with remote repeaters 94 over inter-repeater bus 84 along a prescribed route. Security and serial signals 86 are routed to repeater 88, which is connected to RMD 60. Repeater 88 provides AUI ports 90 and twisted-pair ports 92. CPU bus 96 connects RMD 60 to CPU 98. Local pins 78 are used to exchange information with other RMDs 102.
Fig. 5A is a flow chart describing the main flow of the procedure for preventing eavesdropping according to the invention. At blocks 100 and 110, when controller 56 is in initialization or programming mode, source address register 54 is updated by reading the source addresses of transmitted PDUs 20. At block 100, controller 56 reads the source address from source address field 40 of transmitted PDU 20. At block 110, controller 56 stores the source address in source address register 54. At block 120, controller 56 reads the destination address from destination address field 38 of the PDU 20 received on communication port 12, which is coupled to the communication network. At block 130, controller 56 stores destination address 38 in destination address register 52. At block 140, controller 56 compares destination address 38 in destination address register 52 with the source addresses stored in source address register 54. The outcome of the comparison at block 140 determines the next step. At block 150, those transmitter-receivers 24 whose source address stored in source address register 54 matches destination address 38 stored in destination address register 52 receive packet 20 in unaltered form. At block 160, those transmitter-receivers 26 and 28 whose source address stored in source address register 54 does not match destination address 38 stored in destination address register 52 receive the PDU in altered form, in which data 44 are replaced by HALT symbols 48.
Fig. 5B describes another method of preventing eavesdropping, in which source address register 54 is updated from destination address register 52 when controller 56 is in unlocked, or free-running, mode. At block 120, controller 56 reads destination address 38 of transmitted PDU 20. At block 130, the controller stores destination address 38 in destination address register 52. When controller 56 is in unlocked mode, at block 170, controller 56 updates source address register 54 with destination address 38 stored in destination register 52. Then, at block 140, controller 56 compares destination address 38 in destination address register 52 with the source addresses in source address register 54. The comparison will produce a match, because source address register 54 was updated from destination address register 52 before the comparison. So, at block 150, controller 56 sends PDU 20 in unaltered form.
When controller 56 is in locked mode, however, source address register 54 is not updated from destination address register 52 before the comparison. Block 170 is therefore skipped, so that the step performed after destination address 38 is stored in destination address register 52 (block 130) is block 140, where destination address 38 in destination address register 52 is compared with the source addresses in source address register 54. The outcome of the comparison at block 140 determines the next step. At block 150, those transmitter-receivers 24 whose source address stored in source address register 54 matches destination address 38 stored in destination address register 52 receive packet 20 in unaltered form. At block 160, those transmitter-receivers 26 and 28 whose source address stored in source address register 54 does not match destination address 38 stored in destination address register 52 receive PDU 32 in altered form, in which data 44 are replaced by HALT symbols 48.
This concludes the description of the preferred embodiment of the invention. The following paragraphs describe some other methods of achieving the same purpose.
The applications enumerated in this specification are for purposes of illustration and are not intended to be exhaustive or to limit the invention to the precise form disclosed. For example, the invention may be applied to any I/O device adapter having memory and is not limited to network adapters.
The invention may be used with different devices and systems having a modular structure. For example, the security management functions have been described with reference to a 100 Mbit/s Ethernet repeater. Those skilled in the art will appreciate, however, that these security management functions can readily be implemented with other communication network devices capable of switching, routing and/or bridging, provided that the system implementing these functions uses a protocol that specifies a HALT symbol, or any other symbol that clearly notifies the receiver that the data of the indicated packet are invalid. These other communication network tasks may or may not be combined with the repeating task described herein.
The invention may use different methods to generate and store the source addresses held in the source address register. When the security management controller is in unlocked mode, in addition to updating the source address register with the information in the destination address register, the source address register may also be updated by inputting source address information from the transmitter-receivers operatively coupled to the network communication device (that is, by inputting "expected" or "known" source addresses). Alternatively, when the security management controller is in initialization or programming mode, the source address register may be updated with source address information read from data communication packets (that is, by inputting "tracked" source addresses).
The invention may also be implemented with different types of memory, including but not limited to random-access memory (RAM), direct-access memory, sequential-access memory, associative memory and read-only memory (ROM). Memory may also be configured in various ways, including but not limited to registers, caches, queues, virtual memory and buffers.
The use of addresses in the invention applies equally to other addresses and group addresses, such as multicast group addresses and broadcast addresses. It will further be understood that the invention can be used with various media access control frame structures having a destination address field, a source address field, a data field and a HALT or similar symbol.
The foregoing description of the preferred embodiment of the invention has been presented for purposes of description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. It is intended that the scope of the invention be limited not by this detailed description but by the claims appended hereto.

Claims (17)

1. A security control apparatus for providing secure data communication between a plurality of transceivers, the transceivers being coupled to ports on a communication network device in a local area network (LAN), the data communication comprising one or more data packets, each data packet having a source address, a destination address and a data field, the security control apparatus being operatively coupled to the communication network device, characterized in that the security control apparatus comprises:
(a) a source address memory for storing a source address for each of the transceivers coupled to the communication network device;
(b) a security management controller coupled to the source address memory for comparing the destination address with the source addresses stored in the source address memory; and
(c) a security jamming device coupled to the security management controller for jamming the data communication to those transceivers whose source address does not match the destination address in the data packet, wherein the security jamming device stores an invalid symbol into the data field of the data communication, the invalid symbol unambiguously indicating to the receiving transceiver that the data communication is invalid.
2. The security control apparatus as claimed in claim 1, characterized in that the security control apparatus further comprises a data bypass coupled to the transmit/receive ports on the communication network device for rapidly transferring the data packets between the transceivers and the communication network device, wherein the transfer of the data packets bypasses the security management controller.
3. The security control apparatus as claimed in claim 2, characterized in that the security control apparatus further comprises a destination address memory coupled to the security management controller for storing the destination address, wherein the security management controller compares the destination address stored in the destination address memory with the source addresses stored in the source address memory.
4. The security control apparatus as claimed in claim 1, characterized in that the invalid symbol is the HALT symbol as specified by the IEEE 802.3u standard.
5. The security control apparatus as claimed in claim 1, characterized in that the security management controller selectively enables each port for eavesdropping protection.
6. The security control apparatus as claimed in claim 1, characterized in that the communication network is an IEEE 802 based communication network.
7. The security control apparatus as claimed in claim 1, characterized in that the communication network is a twisted-pair based communication network.
8. The security control apparatus as claimed in claim 3, characterized in that the security management controller comprises means for updating the source address memory by inserting the destination address held in the destination address memory into the source address memory before the destination address in the destination address memory is compared with the source address in the source address memory, whereby the comparison results in a match and the data packet is thereby repeated to all the transceivers connected to the communication network device.
9. A communication network device for providing data communication between a plurality of transceivers in a local area network (LAN), the data communication comprising at least one data packet having a source address, a destination address and a data field, characterized in that the communication network device comprises:
(a) a security control apparatus coupled to the communication network device for providing eavesdropping protection, the security control apparatus comprising:
(i) a source address memory for storing a source address for each of the transceivers connected to the communication network device;
(ii) a security management controller coupled to the source address memory for comparing the destination address of the data packet with the source addresses stored in the source address memory;
(iii) a security jamming device coupled to the security management controller for jamming the data communication to those transceivers whose source address stored in the source address memory does not match the destination address in the data packet, wherein the security jamming device stores an invalid symbol into the data field of the data packet, the invalid symbol unambiguously indicating to the receiving transceiver that the data packet is invalid;
(b) transmit and receive ports coupled to the communication network device for connection to the transceivers so as to send and receive the data communication; and
(c) a data bypass coupled to the transmit and receive ports for accelerating the transfer of the data packets between the transceivers and the communication network device, wherein the data transfer in the network communication device bypasses the security management controller.
10. The security control apparatus as claimed in claim 9, characterized in that the security control apparatus further comprises a destination address memory coupled to the security management controller for storing the destination address, wherein the security management controller compares the destination address stored in the destination address memory with the source addresses stored in the source address memory.
11. The communication network device as claimed in claim 10, characterized in that the security management controller comprises means for updating the source address memory by inserting the destination address held in the destination address memory into the source address memory before the destination address in the destination address memory is compared with the source address in the source address memory, whereby the comparison results in a match and the data packet is thereby repeated to all the transceivers connected to the communication network device.
12. The communication network device as claimed in claim 9, characterized in that the invalid symbol is the HALT symbol as specified by the IEEE 802.3u standard.
13. The communication network device as claimed in claim 9, characterized in that the security management controller selectively enables each of the ports for eavesdropping protection.
14. A method of preventing eavesdropping on a communication network, the communication network comprising a plurality of transceivers coupled to a communication network device, characterized in that the method comprises:
(a) reading a data packet sent from one of the transceivers, the data packet having a source address in a source address field, a destination address in a destination address field and data in a data field;
(b) comparing the destination address with a source address memory holding the source addresses, the source address memory being operatively coupled to the communication network device; and
(c) inserting an invalid symbol into the data field of the data packet sent to those transceivers whose source address in the source address memory does not match the destination address in the data packet.
15. The method of preventing eavesdropping as claimed in claim 14, characterized in that the method further comprises the step of entering the source addresses into the source address memory.
16. The method of preventing eavesdropping as claimed in claim 15, characterized in that the step of entering the source addresses into the source address memory comprises: when the security management controller is in the initialization or programming mode, reading the source address from the source address field of the data packet and storing that source address in the source address memory.
17. The method of preventing eavesdropping as claimed in claim 15, characterized in that the step of entering the source addresses into the source address memory comprises: when the security management controller is in the unlocked mode, reading the destination address of the data packet and storing that destination address in the source address memory as the source address.
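The claims above (1, 5, 8, 14, 16 and 17) and the earlier paragraph on the source-address learning modes describe one mechanism: a per-port source address memory, a compare of each outgoing copy's destination address against that port's stored address, and an invalid-symbol jam on the ports that do not match. The following Python model, added here as an illustration and not code from the patent or its applicant, simulates that mechanism end to end. Everything in it is an assumption made for the simulation: the class and function names, the per-port dictionary used as the source address memory, the single byte `INVALID_SYMBOL` standing in for the line-level HALT code-group, the rule that the ingress port is not echoed, and the treatment of group (multicast/broadcast) destinations as matching every port.

```python
"""Software model of the eavesdropping countermeasure in the claims: a multi-port
repeater keeps one expected source address per port and, for each outgoing copy
of a packet, compares the packet's destination address with that port's stored
address; on a mismatch the data field is overwritten with an invalid symbol.
Added example; not the patent's own code."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    PROGRAMMING = "programming"  # claim 16: learn each port's source address from traffic
    UNLOCKED = "unlocked"        # claims 8/17: every compare matches, packet goes to all ports
    LOCKED = "locked"            # normal operation: mismatching ports are jammed


# Constructed marker for the invalid symbol. A real 100BASE-X PHY would emit the
# HALT code-group (IEEE 802.3u) on the line; here one byte stands in for it.
INVALID_SYMBOL = 0xFF


def is_group_address(mac: str) -> bool:
    """Multicast/broadcast MAC: I/G bit (least significant bit of first octet) set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    data: bytes


@dataclass
class SecureRepeater:
    num_ports: int
    mode: Mode = Mode.PROGRAMMING
    # Claim 1(a): source address memory, one expected address per port (assumed layout).
    source_address_memory: dict = field(default_factory=dict)
    # Claim 5: eavesdropping protection can be enabled per port.
    protected_ports: set = field(default_factory=set)

    def jam(self, packet: Packet) -> Packet:
        """Claim 1(c): store the invalid symbol into the data field."""
        return Packet(packet.src, packet.dst, bytes([INVALID_SYMBOL]) * len(packet.data))

    def compare(self, port: int, packet: Packet) -> bool:
        """Claim 1(b): destination address versus this port's stored source address."""
        if self.mode is Mode.UNLOCKED:
            # Claims 8 and 17: the destination address is written into the source
            # address memory just before the compare, so the compare always matches.
            stored = packet.dst
        else:
            stored = self.source_address_memory.get(port)
        # Assumption for this model: group addresses are meant for every port.
        return is_group_address(packet.dst) or stored == packet.dst

    def repeat(self, ingress_port: int, packet: Packet) -> dict:
        """Claim 14: read the packet, compare, jam the non-matching protected ports.
        Returns {egress_port: packet as it leaves that port}."""
        if self.mode is Mode.PROGRAMMING:
            # Claim 16: track the source address seen on the ingress port.
            self.source_address_memory[ingress_port] = packet.src
        out = {}
        for port in range(self.num_ports):
            if port == ingress_port:
                continue  # assumed: a repeater does not echo a frame back onto its ingress port
            if port in self.protected_ports and not self.compare(port, packet):
                out[port] = self.jam(packet)
            else:
                out[port] = packet
        return out


def demo() -> dict:
    """Constructed scenario: stations A, B, C on ports 0..2; after learning, A sends to B."""
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    rep = SecureRepeater(num_ports=3, protected_ports={0, 1, 2})
    # Programming phase: each station's first broadcast teaches the repeater its address.
    for port, mac in enumerate((a, b, c)):
        rep.repeat(port, Packet(mac, "ff:ff:ff:ff:ff:ff", b"hello"))
    rep.mode = Mode.LOCKED
    return rep.repeat(0, Packet(a, b, b"secret"))


if __name__ == "__main__":
    for port, pkt in sorted(demo().items()):
        print(f"port {port}: dst={pkt.dst} data={pkt.data!r}")
```

In the constructed scenario, port 1 (station B) receives the payload intact while port 2 (station C) receives a copy whose data field is entirely the invalid symbol, which is the behaviour claim 1(c) describes; switching the mode to `UNLOCKED` or removing a port from `protected_ports` lets the unmodified packet through on that port, matching claims 5 and 8.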

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 99121076 CN1290088A (en) 1999-09-27 1999-09-27 Method and apparatus for security of communication network by using insffective code safety interference

Publications (1)

Publication Number Publication Date
CN1290088A true CN1290088A (en) 2001-04-04

Family

ID=5281788

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 99121076 Pending CN1290088A (en) 1999-09-27 1999-09-27 Method and apparatus for security of communication network by using insffective code safety interference

Country Status (1)

Country Link
CN (1) CN1290088A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100375069C (en) * 2002-04-16 2008-03-12 松下电器产业株式会社 Invalidating system
CN1625879B (en) * 2002-02-05 2010-06-16 思科技术公司 Address hopping of packet-based communications
CN105847156A (en) * 2015-02-02 2016-08-10 意法半导体国际有限公司 Default data packet routing in a NFC device

Similar Documents

Publication Publication Date Title
EP0464563B1 (en) Encryption with selective disclosure of protocol identifiers
EP0464562B1 (en) Method and apparatus for decryption of an information packet having a format subject to modification
EP0464564B1 (en) Generic encryption technique for communication networks
US5161193A (en) Pipelined cryptography processor and method for its use in communication networks
US5235644A (en) Probabilistic cryptographic processing method
US5099517A (en) Frame status encoding for communication networks
Cerf et al. Proposal for an international end to end protocol
US7143282B2 (en) Communication control scheme using proxy device and security protocol in combination
CN1311660C (en) Server apparatus, and method of distributing a security policy in communication system
US6272640B1 (en) Method and apparatus employing an invalid symbol security jam for communications network security
CN111447235A (en) Network device and network system
EP0860958B1 (en) Virtual network architecture
KR19990030284A (en) Communication method and communication device
US7523306B2 (en) Simplified CCMP mode for a wireless local area network
CN1406034A (en) Electronic apparatus with relay function in wireless data communication
US6175875B1 (en) Multicast filtering
CN1290088A (en) Method and apparatus for security of communication network by using insffective code safety interference
EP1024640B1 (en) Method of encoding status information
CN113924752B (en) Data transmission method and automation network
US20030128699A1 (en) Method and apparatus for header updating
US20050135244A1 (en) Wireless network load generator address mask manipulation
JP2004357284A (en) Transmission/reception system
KR20060028482A (en) Secure indirect addressing
EP0464566B1 (en) Abort processing in pipelined communication
CN114124350A (en) Consensus algorithm for improving performance in network heterogeneous environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication
REG Reference to a national code: Ref country code: HK; Ref legal event code: GR; Ref document number: 1066904; Country of ref document: HK
REG Reference to a national code: Ref country code: HK; Ref legal event code: WD; Ref document number: 1036176; Country of ref document: HK