KR101710385B1 - Method, apparatus and computer program for managing arp packet - Google Patents

Publication number: KR101710385B1
Authority: KR (South Korea)
Prior art keywords: arp, packet, gateway, request packet, arp request
Application number: KR1020150141999A
Other languages: Korean (ko)
Inventors: 황인욱, 송용주
Original Assignee: 아토리서치(주)
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/22 Arrangements for preventing the taking of data from a data transmission channel without authorisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Abstract

The present invention relates to a method for managing an ARP packet in a software definition network. The method for managing an ARP packet comprises the steps of: setting, by a controller, a switch to process an ARP packet on an IP of a gateway according to a flow table; and blocking a host generating an ARP response packet when the ARP response packet on the IP of the gateway is detected.

Description

METHOD, APPARATUS AND COMPUTER PROGRAM FOR MANAGING ARP PACKET

The present invention relates to a method for controlling a software defined network. More particularly, the present invention relates to a method for managing an ARP packet for a gateway of a network in order to defend against an ARP spoofing attack in a software defined network.

Software Defined Networking (SDN) is a technology in which an intelligent central management system manages all the network devices in a network. In SDN, the control operations related to packet processing that were performed inside existing hardware network devices are instead performed by a controller provided in software form, which has the merit that various functions can be developed and assigned on top of the existing network structure.

The SDN system generally comprises a controller server for controlling the entire network, a plurality of OpenFlow switches that are controlled by the controller server and process packets, and hosts in the layer below the OpenFlow switches. Here, the OpenFlow switch is responsible only for transmitting and receiving packets, while routing, management, and control of the packets are all performed in the controller server. In other words, separating the data plane and the control plane that make up network equipment is the basic structure of the SDN system.

Open Networking Foundation, "OpenFlow Specification 1.5.0"

It is an object of the present invention to provide a method and apparatus capable of effectively blocking ARP spoofing in a software defined network while preserving flexibility in network operation with respect to ARP management.

A method for managing an ARP packet in a software defined network according to an embodiment of the present invention includes: setting, by a controller, a switch to process an ARP packet for the IP of a gateway according to a flow table; and blocking the host that generated an ARP response packet if an ARP response packet for the IP of the gateway is found.

Further, a method for managing an ARP packet in a software defined network according to an embodiment of the present invention includes: setting, in a switch, an ARP packet for the IP of a gateway to be processed according to a flow table; and blocking the host that generated an ARP response packet if an ARP response packet for the IP of the gateway is found.

Meanwhile, a controller for managing an ARP packet in a software defined network according to an embodiment of the present invention includes: a communication unit for connecting to a switch via a network; and a control unit for setting the switch to process an ARP packet for the IP of a gateway according to a flow table, and for blocking the host that generated an ARP response packet if an ARP response packet for the IP of the gateway is found.

Further, a switch for managing an ARP packet in a software defined network according to an embodiment of the present invention includes: a communication unit for connecting to a controller via a network; and a control unit for setting an ARP packet to be processed according to a flow table, and for blocking the host that generated an ARP response packet when an ARP response packet for the IP of the gateway is found.

In addition, a computer program recorded on a computer readable medium for executing, in a controller server, a process of managing an ARP packet in a software defined network according to an embodiment of the present invention includes: a function of setting a switch to process an ARP packet for the IP of a gateway according to a flow table; and a function of blocking the host that generated an ARP response packet if an ARP response packet for the IP of the gateway is found.

Further, a computer program recorded on a computer readable medium for executing, in a switch, a process of managing an ARP packet in a software defined network according to an embodiment of the present invention includes: a function of setting an ARP packet for the IP of a gateway to be processed according to a flow table; and a function of blocking the host that generated an ARP response packet if an ARP response packet for the IP of the gateway is found.

According to the present invention, the controller handles ARP packets for the gateway, which has the effect of fundamentally preventing ARP spoofing without changing the gateway or the hosts, and of blocking a host that attempts ARP spoofing.

FIG. 1 is a diagram for explaining the configuration of a software defined network;
FIG. 2 is a diagram for explaining ARP spoofing;
FIG. 3 is a flowchart for explaining a method of managing an ARP packet in an SDN according to an embodiment of the present invention.

It is to be understood that the present invention is not limited to the description of the embodiments described below, and that various modifications may be made without departing from the technical scope of the present invention. In the following description, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail.

In the drawings, the same components are denoted by the same reference numerals. And in the accompanying drawings, some of the elements may be exaggerated, omitted or schematically illustrated. It is intended to clearly illustrate the gist of the present invention by omitting unnecessary explanations not related to the gist of the present invention. Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

In the present invention, the term "flow rule" should be understood, from the standpoint of a person skilled in the art, to mean a network policy applied by the controller server in a software defined network.

Further, in the present specification, the OpenFlow switch 200 can be understood as a concept including a switch supporting only the OpenFlow protocol, a virtual switch supporting the OpenFlow protocol, and a general L2 switch supporting the OpenFlow protocol.

FIG. 1 is a diagram for explaining a configuration of a software defined network. Referring to FIG. 1, a software defined network may include a controller server 100, network equipment 200, and a host 300. The network equipment 200 and the host 300 may be referred to as nodes, and a link may denote a connection between two nodes.

The controller server 100 centrally manages and controls a plurality of network equipment 200. Specifically, the controller server 100 can be implemented in a form in which an application program is installed that performs functions such as topology management, path management related to packet processing, link discovery, and packet flow management.

The network device 200 functions to process packets under the control of the controller server 100. Examples of the network equipment 200 include a mobile communication base station, a base station controller, a gateway equipment, a wired network switch, and a router.

In the software defined network, the controller server 100 and the OpenFlow switch 200 exchange information with each other, and the OpenFlow protocol is widely used for this purpose. That is, the OpenFlow protocol is a standard that allows the controller server 100 and the OpenFlow switch 200 to communicate with each other.

According to the OpenFlow protocol, the switch 200 exchanges information with the controller server 100 via a control channel, and includes one or more flow tables for pipeline processing, a group table, a meter table, and/or a network interface for packet delivery.

On the other hand, in the software defined network, the transmission between the hosts 300 is based on the IP address. More specifically, the transmitting host attempts to transmit data using the IP address of the receiving host, and ARP is used to convert the IP address to the MAC address.

ARP, or Address Resolution Protocol, is a protocol used to map an IP address to a physical network address, such as a MAC address, on a network. Here, the physical network address may include the address of an Ethernet network card.

For example, if host A tries to send an IP packet to host B but does not know the physical network address of host B, it can use the ARP protocol to broadcast on the network an ARP request packet containing the IP address of the destination B. When host B receives the ARP request packet for its own IP address, it sends an ARP reply packet containing its own physical network address to A.

The IP addresses and corresponding physical network addresses collected in this manner are stored in table form in a memory called the ARP cache of each IP host, packet transmission to host B is processed by referring to this ARP table, and the ARP table can be updated periodically.

However, ARP provides no means of authenticating the other party. Exploiting this, a malicious attacker can send ARP reply packets carrying false information, tamper with the ARP tables of network nodes, and intercept data packets.

If this attack tampers with the ARP entry for the gateway, the problem can be serious because the attacker can intercept or alter every packet sent outside the local network.

The ARP attack is described in more detail below with reference to FIG. 2.

In the example shown in FIG. 2, the local network comprises, for example, a gateway 10 for L3 communications, one or more switches 20, 30 connected to the gateway and supporting L2 communications, and one or more hosts, host A (25) and host B (35).

In this case, hosts A and B may store the IP address and the MAC address of the gateway 10 in table form in the ARP cache through the ARP protocol.

However, if host A wishes to intercept host B's packets, attacker A can keep tampering with the ARP table of host B by continuously sending ARP messages.

For example, attacker A can tamper with the ARP table of host B by continuously transmitting ARP response packets that associate the IP address of the gateway with A's own MAC address. Host B, whose ARP table has been tampered with, will mistake the MAC address of attacker A for the MAC address corresponding to the IP of the gateway, and will send to A all packets destined for outside the network.

In this way, ARP spoofing is an attack that exploits a loophole in the ARP protocol to pass off one's own MAC address as the MAC address of another computer.

In particular, an attacker can intercept all packets leaving the local network by passing off the attacker's MAC address as the MAC address of the gateway. If the attacker alters the intercepted packets and forwards them on to the gateway, the attack is difficult to recognize.

In order to prevent such ARP spoofing, conventionally, a static ARP table has been operated or a method of monitoring ARP spoofing in a local network has been adopted.

First, the defensive method of setting a static ARP table can be implemented by statically defining the local ARP cache so that ARP messages are ignored, or so that packets having a MAC address other than a specific MAC address are ignored.

This approach can fundamentally defend against ARP spoofing, but at the same time it degrades the flexibility and efficiency of network operations. For example, if the gateway's MAC address changes, the ARP table must be reset on every node in the network.

Second, the method of monitoring ARP spoofing in the local network is implemented in such a manner that an agent server inspects the ARP tables of the nodes to check whether the same MAC address is used for more than one IP, or monitors for an abnormally large number of ARP responses. However, because this response comes only after the fact, ARP spoofing cannot be fundamentally defended against.

The present invention has been made to solve the above problems.

According to an embodiment of the present invention, the ARP packet for the gateway can be processed through the controller without following the conventional broadcast-based ARP packet processing procedure. In a software-defined network, the controller can centrally control the nodes in the network, allowing the controller to control the processing of ARP packets to the gateway, thus blocking ARP spoofing.

For example, if the ARP packet received by the switch is an ARP request message for the gateway, the switch may be controlled to send it to the controller in the form of a packet-in message without broadcasting it. The controller may then send an ARP response message containing the MAC address of the gateway to the switch in the form of a packet-out message.

As another example, if the ARP packet received by the switch is an ARP request message for the gateway, the switch can be controlled to send an ARP response message to the host with reference to the flow table, without broadcasting the request. In this case, the flow rule will be updated by the controller when the MAC address of the gateway is changed.

With this arrangement, under normal circumstances a switch never receives an ARP reply for the gateway from a source other than the controller. That is, such an ARP response message can exist only when an attacker attempts ARP spoofing.

Therefore, if the ARP packet received by the switch is an ARP response message for the gateway, the source host of the packet can be determined to be an attacker. According to the embodiment of the present invention, the switch then either drops the packet or transmits it to the controller in the form of a packet-in message, in which case the controller can prevent the ARP spoofing by blocking the source host of the packet.

A more specific method is described below with reference to FIG. 3.

FIG. 3 is a diagram for explaining a process of processing an ARP packet in a software defined network according to an embodiment of the present invention.

In step 310 of Figure 3, the host, switch, controller, and gateway may be implemented in a software defined network.

In step 320, the controller can set the switch to process the ARP packet for the gateway under the control of the controller. This can be implemented in such a way that the controller sends a flow rule to the switch as shown in Fig.

According to an embodiment of the present invention, the flow rules may specify how ARP request and/or response packets for the IP of the gateway are processed.

First, the flow rule for processing an ARP request instructs the switch not to broadcast an ARP request packet for the IP of the gateway, but either to send it to the controller as a packet-in message as shown in Table 1, or to change it into an ARP response packet and send it to the source host as shown in Table 2.

Table 1
Match Field: ARP request for the gateway's IP
Instruction:
1. Encapsulate into a packet-in message
2. Send to controller

Table 2
Match Field: ARP request for the gateway's IP
Instruction:
1. Change the OXM_OF_ARP_OP field from REQUEST to REPLY
2. Record the gateway MAC address in the OXM_OF_ARP_SHA field
3. Transfer to the incoming port

In particular, according to the flow rule illustrated in Table 2, the switch can change the ARP request packet for the IP address of the gateway to the ARP response packet including the MAC address of the gateway.

More specifically, according to the embodiment of the present invention, the OXM_OF_ARP_OP header field of the ARP request packet received by the switch can be changed from REQUEST to REPLY using the Set-Field action defined in the OpenFlow standard, and the gateway MAC address can be recorded in the OXM_OF_ARP_SHA field. Further, the Set-Field action can change the source IP and the destination IP of the received packet to the gateway and the source host, respectively. In this manner, the ARP request packet received by the switch can be changed into an ARP response packet for the gateway.

According to this, the switch can generate the ARP response packet without transmitting the ARP request packet to the controller or the network, thereby improving the performance of the network. Further, the flow rule as shown in Table 2 can be updated when the MAC address of the gateway is changed.
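The Table 2 rewrite, carried out at byte level on a captured frame, as an added example that is not code from the patent. The addresses are constructed samples, and filling the ARP target hardware address and the Ethernet header of the reply is this example's assumption; the description names only the ARP opcode, the sender MAC, and the two IP fields.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_FMT = "!6s6sH"              # dst MAC, src MAC, EtherType (14 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"      # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
FRAME_LEN = struct.calcsize(ETH_FMT) + struct.calcsize(ARP_FMT)

# Constructed sample addresses, not taken from the patent.
GW_IP, GW_MAC = "10.0.0.1", "02:00:00:00:00:01"
HOST_IP, HOST_MAC = "10.0.0.35", "02:00:00:00:00:35"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return socket.inet_aton(text)


def build_arp_request(src_mac, src_ip, target_ip):
    """Broadcast ARP request as a host would send it (sample input only)."""
    eth = struct.pack(ETH_FMT, b"\xff" * 6, mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST,
                      mac_bytes(src_mac), ip_bytes(src_ip),
                      b"\x00" * 6, ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return Ethernet/ARP fields as a dict, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < FRAME_LEN:
        return None
    eth_dst, eth_src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[14:FRAME_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return dict(eth_dst=eth_dst, eth_src=eth_src, op=op,
                sha=sha, spa=spa, tha=tha, tpa=tpa)


def rewrite_request_to_reply(frame, gateway_ip, gateway_mac):
    """Apply the Table 2 instructions; return None when the match field does not hit."""
    f = parse_arp(frame)
    if f is None or f["op"] != ARP_REQUEST or f["tpa"] != ip_bytes(gateway_ip):
        return None                       # not an ARP request for the gateway's IP
    gw = mac_bytes(gateway_mac)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4,
                      ARP_REPLY,          # OXM_OF_ARP_OP: REQUEST -> REPLY
                      gw,                 # OXM_OF_ARP_SHA := gateway MAC
                      f["tpa"],           # source IP := gateway IP
                      f["sha"],           # target MAC := requester (assumption)
                      f["spa"])           # destination IP := requesting host
    # Ethernet header addressed back to the requester (assumption of this example).
    eth = struct.pack(ETH_FMT, f["eth_src"], gw, ETHERTYPE_ARP)
    return eth + arp                      # to be sent out of the ingress port


def demo():
    request = build_arp_request(HOST_MAC, HOST_IP, GW_IP)
    return parse_arp(rewrite_request_to_reply(request, GW_IP, GW_MAC))
```

A frame that is not an ARP request for the gateway's IP returns None, which corresponds to the flow rule not matching and the packet falling through to the rest of the flow table.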

Second, the flow rule for processing an ARP response may instruct the switch not to unicast an ARP reply packet for the IP of the gateway, but either to drop it as shown in Table 3, or to send it to the controller as a packet-in message as shown in Table 4.

Table 3
Match Field: ARP response for the gateway's IP
Instruction: Drop

Table 4
Match Field: ARP response for the gateway's IP
Instruction:
1. Encapsulate into a packet-in message
2. Send to controller

The switch will then reflect the received flow rule in the flow table.

If the host sends an ARP request message for the IP address of the gateway to the switch at step 325, the switch will not broadcast the packet but will process it according to the flow table.

More specifically, if a flow rule such as Table 1 has been applied to the switch, after step 325 the switch may send the ARP request to the controller in the form of a packet-in message (step 330). The controller that receives the ARP request transmits an ARP response message to the switch in the form of a packet-out message, and the switch transmits the ARP response message to the host (step 345).

On the other hand, when the flow rule as shown in Table 2 is applied to the switch, after step 325 the switch does not broadcast the ARP request or transmit it to the controller, but converts the ARP request packet into an ARP response packet including the MAC address of the gateway and sends the ARP reply packet to the host (step 345).

On the other hand, if the host sends an ARP response message for the IP address of the gateway to the switch in step 350, the switch will process the packet according to the flow table without unicasting it.

More specifically, when the flow rule as shown in Table 3 is applied, the switch can drop the ARP packet for the IP of the gateway (step 360).

As another example, when the flow rule as shown in Table 4 is applied, the switch can transmit the ARP response to the controller in the form of a packet-in message (step 370), and the controller can block the source host of the packet (step 375). For example, the controller can block the source host by transmitting a flow change command (OFPT_FLOW_MOD) instructing the switch to drop all packets having the IP of the source host, or a port change command (OFPT_PORT_MOD).
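The steps above (Tables 1, 3 and 4 plus the controller's blocking action) as a small simulation, added here as an example and not taken from the patent. It assumes that "ARP response for the gateway's IP" means an ARP reply whose sender IP is the gateway IP, that the controller already holds the gateway MAC (as in the second embodiment), and that blocking is modelled as the port-down effect of a port change command; all addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

REQUEST, REPLY = 1, 2
# Constructed sample addresses, not taken from the patent.
GW_IP, GW_MAC = "10.0.0.1", "02:00:00:00:00:01"
ZERO_MAC = "00:00:00:00:00:00"


@dataclass(frozen=True)
class Arp:
    op: int
    sha: str    # sender MAC
    spa: str    # sender IP
    tha: str    # target MAC
    tpa: str    # target IP


@dataclass(frozen=True)
class FlowRule:
    arp_op: int
    arp_spa: Optional[str]    # None acts as a wildcard
    arp_tpa: Optional[str]
    action: str               # "PACKET_IN" or "DROP"

    def matches(self, pkt):
        return (pkt.op == self.arp_op
                and self.arp_spa in (None, pkt.spa)
                and self.arp_tpa in (None, pkt.tpa))


class Switch:
    def __init__(self, controller):
        self.controller = controller
        self.flow_table = []
        self.down_ports = set()   # ports disabled by the controller
        self.sent = []            # (out_port, Arp) delivered by packet-out

    def receive(self, in_port, pkt):
        if in_port in self.down_ports:
            return "port-down"
        for rule in self.flow_table:
            if rule.matches(pkt):
                if rule.action == "DROP":
                    return "drop"                     # Table 3
                self.controller.packet_in(self, in_port, pkt)
                return "packet-in"                    # Table 1 or Table 4
        return "normal"   # ordinary L2 handling, outside this example


class Controller:
    def __init__(self, gw_ip, gw_mac):
        self.gw_ip, self.gw_mac = gw_ip, gw_mac
        self.blocked = []         # (ingress port, MAC claimed in the reply)

    def install(self, switch, reply_action):
        switch.flow_table = [
            FlowRule(REQUEST, None, self.gw_ip, "PACKET_IN"),   # Table 1
            FlowRule(REPLY, self.gw_ip, None, reply_action),    # Table 3 or 4
        ]

    def packet_in(self, switch, in_port, pkt):
        if pkt.op == REQUEST:
            # Answer on the gateway's behalf; packet-out to the ingress port.
            reply = Arp(REPLY, self.gw_mac, self.gw_ip, pkt.sha, pkt.spa)
            switch.sent.append((in_port, reply))
        else:
            # Only the controller answers for the gateway, so this sender is
            # treated as an attacker. Port-down models OFPT_PORT_MOD.
            switch.down_ports.add(in_port)
            self.blocked.append((in_port, pkt.sha))


def run_scenario(reply_action):
    ctl = Controller(GW_IP, GW_MAC)
    sw = Switch(ctl)
    ctl.install(sw, reply_action)
    host_b = Arp(REQUEST, "02:00:00:00:00:35", "10.0.0.35", ZERO_MAC, GW_IP)
    forged = Arp(REPLY, "02:00:00:00:00:25", GW_IP, "02:00:00:00:00:35", "10.0.0.35")
    later = Arp(REQUEST, "02:00:00:00:00:25", "10.0.0.25", ZERO_MAC, "10.0.0.35")
    events = [sw.receive(2, host_b), sw.receive(1, forged), sw.receive(1, later)]
    return events, sw.sent, ctl.blocked
```

With the Table 4 action the host on port 1 loses all connectivity after its first forged reply; with the Table 3 action the reply is discarded silently and the controller never learns which port sent it.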

Meanwhile, although not shown separately in FIG. 3, according to an embodiment of the present invention, the controller may further determine the MAC address of the gateway after step 330.

The above steps can be implemented by the following embodiments.

The first embodiment is a case in which a virtual IP of the gateway is used. The actual IP of the gateway is known only to the controller, and the other nodes in the network can be configured to use the gateway's virtual IP.

According to this, even if the MAC address of the gateway is changed, when the controller receives an ARP request message for the virtual IP of the gateway, it can convert the message into an ARP request message for the actual IP of the gateway, broadcast it, and obtain the changed MAC address of the gateway.

The second embodiment is a method of manually entering the MAC address of the gateway into the ARP table of the controller, or of maintaining the ARP connection with the gateway only through a specific port of the controller.

According to this, when the MAC address of the gateway is changed, the administrator needs to directly change the ARP table of the controller or the specific port of the controller. This is a static method, but unlike the conventional approach, the efficiency of network operation does not drop much because only the one controller, not every node in the network, needs to be changed.

The third embodiment is a method for confirming the MAC address of the gateway through the authentication process without following the ARP protocol. According to this, an agent is installed in each of the gateway and the controller, and the MAC address of the gateway can be grasped by periodically checking the MAC address through the authentication process.

The embodiments of the present invention disclosed in the present specification and drawings are intended to be illustrative only and not intended to limit the scope of the present invention. It is to be understood by those skilled in the art that other modifications based on the technical idea of the present invention are possible in addition to the embodiments disclosed herein.

100: controller
200: Network equipment
300, 25, 35: Host
10: Gateway
20, 30: switch

Claims (12)

1. A method for managing an ARP packet in a software defined network, the method comprising:
setting, by a controller, a switch to process an ARP packet for the IP of a gateway according to a flow table; and
blocking the host that generated an ARP response packet if an ARP response packet for the IP of the gateway is found,
wherein the setting step comprises:
transmitting to the switch a flow rule instructing it to convert an ARP request packet for the IP of the gateway into an ARP response packet for the MAC address of the gateway and to transmit it to the port on which the ARP request packet was received, without broadcasting the ARP request packet or transmitting it to the controller.
2. (deleted)
3. The method of claim 1,
wherein the setting step comprises setting the switch to convert the ARP request packet into an ARP response packet for the MAC address of the gateway by means of an instruction to change the ARP type and the MAC address in the header of the ARP request packet.
4. The method according to claim 1,
further comprising sending to the switch a flow rule instructing it to drop an ARP response packet for the IP of the gateway, or a flow rule instructing it to send an ARP response packet for the IP of the gateway to the controller in the form of a packet-in message.
5. The method of claim 4,
further comprising transmitting to the switch a port change command for bringing down the port to which the host that transmitted the ARP response packet is connected, or a flow change command for dropping all packets transmitted by the host.
6. The method according to claim 1,
wherein the setting step is a step of transmitting to the switch a flow rule instructing it to transmit an ARP request packet for the IP of the gateway to the controller in the form of a packet-in message without broadcasting it,
the method further comprising receiving the ARP request packet for the IP of the gateway from the switch in the form of a packet-in message, and transmitting an ARP response packet for the MAC address of the gateway to the switch.
7. The method of claim 6, wherein transmitting the ARP response packet comprises:
receiving an ARP request packet including a virtual IP of the gateway, converting the virtual IP into the actual IP of the gateway, and broadcasting an ARP request packet.
8. A method for managing an ARP packet in a software defined network, the method comprising:
setting, in a switch, an ARP packet for the IP of a gateway to be processed according to a flow table; and
blocking the host that generated an ARP response packet if an ARP response packet for the IP of the gateway is found,
wherein the setting step comprises:
applying a flow rule instructing that an ARP request packet for the IP of the gateway be converted into an ARP response packet for the MAC address of the gateway and transmitted to the port on which the ARP request packet was received, without the ARP request packet being broadcast or transmitted to the controller.
9. A controller for managing ARP packets in a software defined network, the controller comprising:
a communication unit for connecting to a switch via a network; and
a control unit for setting the switch to process an ARP packet for the IP of a gateway according to a flow table, and for blocking the host that generated an ARP response packet when an ARP response packet for the IP of the gateway is found,
wherein the control unit
transmits to the switch a flow rule instructing it to convert an ARP request packet for the IP of the gateway into an ARP response packet for the MAC address of the gateway and to transmit it to the port on which the ARP request packet was received, without broadcasting the ARP request packet or transmitting it to the controller.
10. A switch for managing ARP packets in a software defined network, the switch comprising:
a communication unit connected to a controller via a network; and
a control unit configured to process an ARP packet according to a flow table, and to block the host that generated an ARP response packet if an ARP response packet for the IP of a gateway is found,
wherein the control unit
applies a flow rule instructing that an ARP request packet for the IP of the gateway be converted into an ARP response packet for the MAC address of the gateway and transmitted to the port on which the ARP request packet was received, without the ARP request packet being broadcast or transmitted to the controller.
11. A computer program recorded on a computer readable medium for executing, in a controller server, a process of managing an ARP packet in a software defined network, the program comprising:
a function of setting a switch to process an ARP packet for the IP of a gateway according to a flow table; and
a function of blocking the host that generated an ARP response packet when an ARP response packet for the IP of the gateway is found,
wherein the setting function comprises:
transmitting to the switch a flow rule instructing it to convert an ARP request packet for the IP of the gateway into an ARP response packet for the MAC address of the gateway and to transmit it to the port on which the ARP request packet was received, without broadcasting the ARP request packet or transmitting it to the controller.
12. A computer program recorded on a computer readable medium for executing, in a switch, a process of managing an ARP packet in a software defined network, the program comprising:
a function of setting an ARP packet for the IP of a gateway to be processed according to a flow table; and
a function of blocking the host that generated an ARP response packet when an ARP response packet for the IP of the gateway is found,
wherein the setting function comprises:
applying a flow rule instructing that an ARP request packet for the IP of the gateway be converted into an ARP response packet for the MAC address of the gateway and transmitted to the port on which the ARP request packet was received, without the ARP request packet being broadcast or transmitted to the controller.

Priority Applications (1) and Applications Claiming Priority (1)

Application Number: KR1020150141999A (KR101710385B1 (en))
Priority Date: 2015-10-12
Filing Date: 2015-10-12
Title: Method, apparatus and computer program for managing arp packet

Publications (1)

Publication Number: KR101710385B1 (en)
Publication Date: 2017-02-27

Family

ID: 58315790
Family Applications (1): KR1020150141999A, the application listed above

Country Status (1)

Country: KR
Link: KR101710385B1 (en)

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Open Networking Foundation, "OpenFlow Specification 1.5.0"
정소영, NAVER Business Platform, Service Platform Development Center, "Implementing an ARP Spoofing Prevention Mechanism in a Cloud Environment" (published 2013.10.30.) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101906437B1 (en) 2016-12-13 2018-10-10 아토리서치(주) Method, apparatus and computer program for testing network security policy
KR20180130802A (en) * 2017-05-30 2018-12-10 아토리서치(주) Method, system and computer program for host secretion in software defined networking environment
KR101993875B1 (en) * 2017-05-30 2019-06-27 아토리서치(주) Method, system and computer program for host secretion in software defined networking environment
KR101931139B1 (en) 2017-09-13 2018-12-20 아토리서치(주) Method, apparatus, and computer program for verifying host status information in a software defined network
KR101969304B1 (en) * 2017-10-26 2019-08-20 아토리서치(주) Method and computer program for handling trouble using packet-out message in software defined networking environment
WO2022103155A1 (en) * 2020-11-13 2022-05-19 현대자동차주식회사 Method and device for arp operation in communication system supporting multiple links

Similar Documents

Publication Publication Date Title
KR101710385B1 (en) Method, apparatus and computer program for managing arp packet
KR100908320B1 (en) Method for protecting and searching host in internet protocol version 6 network
WO2019165950A1 (en) Lightweight Secure Autonomic Control Plane
CN107241313B (en) Method and device for preventing MAC flooding attack
KR101786620B1 (en) Method, apparatus and computer program for subnetting of software defined network
EP3817285A1 (en) Method and device for monitoring forwarding table entry
CA3025093C (en) Network device and controlling method thereof applicable for mesh networks
KR101881061B1 (en) 2-way communication apparatus capable of changing communication mode and method thereof
US10708163B1 (en) Methods, systems, and computer readable media for automatic configuration and control of remote inline network monitoring probe
KR102412933B1 (en) System and method for providing network separation service based on software-defined network
KR102092015B1 (en) Method, apparatus and computer program for recognizing network equipment in a software defined network
KR101786616B1 (en) Method, apparatus and computer program for subnetting of software defined network
KR102114484B1 (en) Method, apparatus AND COMPUTER PROGRAM for controlling network access in a software defined network
KR101931139B1 (en) Method, apparatus, and computer program for verifying host status information in a software defined network
CN109039680B (en) Method and system for switching main Broadband Network Gateway (BNG) and standby BNG and BNG
KR101969304B1 (en) Method and computer program for handling trouble using packet-out message in software defined networking environment
KR101932656B1 (en) Method, apparatus and computer program for defending software defined network
KR101074563B1 (en) Preventing method for overlapping dhcp message generation in arp spoofig attack blocking system
KR101914831B1 (en) SDN to prevent an attack on the host tracking service and controller including the same
CN115883256B (en) Data transmission method, device and storage medium based on encryption tunnel
EP3228048B1 (en) Method and apparatus for routing data to cellular network
KR102055912B1 (en) Apparatus and method for managing sharing terminal in a router environment
EP4072076A1 (en) Data transmission method, and related apparatus and system
KR101906437B1 (en) Method, apparatus and computer program for testing network security policy
KR100969466B1 (en) Apparatus and method for providing network access service about terminal of infected with virus

Legal Events

Date Code Title Description
E90F Notification of reason for final refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant