CN100571272C - Improve the method for LAN communication safety - Google Patents
- Publication number
- CN100571272C (application CNB2006100206211A)
- Authority
- CN
- China
- Prior art keywords
- arp
- safety
- address resolution
- resolution protocol
- lan communication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to network communication, in particular to the Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP) of the network communication protocol suite. The invention addresses the poor security of ARP by disclosing a method that uses security authentication to improve the security of ARP processing and to prevent ARP information from being maliciously modified. The technical scheme of the invention is a method for improving LAN communication security comprising the steps: a. adding user information to the address resolution protocol; b. providing an authentication server that authenticates the user information carried in the address resolution protocol; c. responding if authentication passes, otherwise not responding. The beneficial effect of the invention is that the legitimacy of ARP messages can be effectively distinguished, so that hosts are not induced by illegitimate ARP messages to modify their MAC binding information; the effect of ARP information is brought under control, the security problem of ARP is solved at its root, and the security of local area network communication is improved.
Description
Technical field
The present invention relates to network communication, in particular to the Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP) of the network communication protocol suite.
Background technology
At present, viruses in local area networks (LANs) often exploit the principle of ARP spoofing to eavesdrop on data and to replicate themselves. Because these viruses use the ARP message format to distribute arbitrary MAC-IP address bindings and to modify the ARP tables of other hosts or of the gateway, other machines either cannot access the Internet or cannot communicate properly, which disrupts the normal operation of the whole LAN.
In the prior art, the common method of overcoming the above problem is to configure static ARP entries on the egress router for every machine in the LAN, setting the MAC-IP bindings manually, and to configure static ARP on every PC, setting the MAC address that corresponds to the router's IP address. The biggest problem with this method is the management workload: if a residential district has several thousand machines, the task is almost impossible for an ISP with only a few maintenance staff. Another method is to bind addresses dynamically with a DHCP server; although this reduces the manual configuration work, it cannot be applied in LAN environments that require fixed IP addresses, and it only solves the corruption of ARP entries at the gateway, not the corruption of ARP entries on the other hosts in the LAN.
Another solution is PPPoE authentication, under which all PCs of a broadband residential district are logically connected point-to-point to the operator's egress BAS, so that ARP spoofing cannot occur. This method is, however, unsuitable for environments in which the PCs in the LAN need to communicate with each other, such as an office network.
The key to the above problems is that ARP itself is a protocol without any security control: if anyone sends wrong MAC binding information in the standard ARP message format, the hosts or the gateway in the LAN will be affected.
Summary of the invention
The technical problem to be solved by the invention is the poor security of ARP. A method is provided that uses security authentication to improve the security of the ARP processing procedure and prevents ARP information from being maliciously modified.
The technical scheme adopted by the invention to solve the above technical problem is a method for improving LAN communication security comprising the steps:
a. adding user information to the address resolution protocol; the user information consists of a user name length field, a user name field, a random number field, a digest length field and a digest text field; the digest text field is formed by computing, with a digest algorithm, a digest of the user name, the random number and the user password;
b. providing an authentication server; the authentication server extracts the user password from a database according to the user name in the received address resolution protocol message, appends the random number from the received message to the user password and computes a digest with the same digest algorithm; the result is compared with the digest text in the received message; if they are identical, authentication passes, otherwise authentication fails;
c. responding if authentication passes, otherwise not responding.
The beneficial effect of the invention is that the legitimacy of ARP messages can be effectively distinguished, so that hosts are not induced by illegitimate ARP messages to modify their MAC binding information; the effect of ARP information is brought under control, the security problem of ARP is solved at its root, and the security of local area network communication is improved. In addition, because an authentication server is used to authenticate users, other functions such as billing can easily be added, which enhances the manageability of the LAN.
Description of drawings
Fig. 1 is the transmission and reception flow chart of the embodiment.
Embodiment
The technical scheme of the invention is described in detail below with reference to the drawings and the embodiment.
The invention adds user authentication information to ARP, adds an authentication server to the network, and authenticates the user information during ARP processing in order to improve the security of the network.
The technical scheme of the invention is a method for improving LAN communication security, characterized by comprising the steps:
a. adding user information to the address resolution protocol;
b. providing an authentication server that authenticates the user information in the address resolution protocol;
c. responding if authentication passes, otherwise not responding;
Specifically, the user information consists of a user name length field, a user name field, a random number field, a digest length field and a digest text field;
Further, the digest text field is formed by computing, with a digest algorithm, a digest of the user name, the random number and the user password;
The specific authentication process is:
b1. the authentication server extracts the user password from a database according to the user name in the received address resolution protocol message;
b2. the random number from the received address resolution protocol message is appended to the above user password and a digest is computed with the same digest algorithm;
b3. the result is compared with the digest text in the received address resolution protocol message; if they are identical, authentication passes, otherwise authentication fails;
The specific digest algorithm is a one-way, irreversible digest algorithm,
such as the MD5 algorithm;
Responding, as used above, means: on receiving a secure ARP request, sending a secure ARP reply; on receiving a secure ARP reply, modifying the local ARP information table; on receiving a secure RARP request, sending a secure RARP reply; on receiving a secure RARP reply, modifying the local ARP information table;
More particularly, the authentication server is located on the gateway.
Embodiment
For ease of description, ARP with added user information is called secure ARP below, and its messages are called secure ARP messages.
The invention places the distinguishing marker of a secure ARP message in the operation type field. One form of secure ARP message is shown in Table 1; the format of the added user information is self-defined and has not yet been standardized.
Table 1
Column | Field |
---|---|
1 | 2-byte hardware type |
2 | 2-byte protocol type |
3 | 1-byte hardware address length |
4 | 1-byte protocol address length |
5 | 2-byte operation type |
6 | Sender hardware address |
7 | Sender protocol address |
8 | Target hardware address |
9 | Target protocol address |
10 | 32-byte random number |
11 | 1-byte user name length |
12 | User name |
13 | 1-byte digest length |
14 | 1-byte digest length |
15 | Digest text |
In Table 1, the value 1 in column 1 denotes Ethernet and 0x0800 in column 2 denotes IP. In column 5, 1 denotes a conventional ARP request, 2 a conventional ARP reply, 3 a conventional RARP request, 4 a conventional RARP reply, 21 a secure ARP request, 22 a secure ARP reply, 23 a secure RARP request and 24 a secure RARP reply. Columns 10 to 15 of Table 1 are the added user information.
Using secure ARP requires that all hosts and the gateway in the LAN support secure ARP, and that each is locally configured with, or imports, its own user name, its password and the address of the authentication server. The authentication server may be a standard AAA server or a self-developed server with its own user password database. The authentication server may be stand-alone or may be located on the gateway.
When a host sends an ARP request, an ARP reply, a RARP request or a RARP reply, it must send it as a secure ARP message. A receiver configured for secure ARP takes no response action on receiving a conventional ARP message. On receiving a secure ARP message, it first extracts the user information from the message and then sends it to the authentication server for authentication. The authentication server extracts the password from the database according to the user name, appends the received random number, computes a digest with the same digest algorithm and compares the result with the digest text it received: if they are consistent, authentication passes, otherwise it fails. If authentication passes, a response action is taken on the secure ARP message; if authentication fails, no response action is taken.
The response actions taken after a secure ARP message has been received and authenticated are mainly: on receiving a secure ARP request, send a secure ARP reply; on receiving a secure ARP reply, modify the local ARP information table; on receiving a secure RARP request, send a secure RARP reply; on receiving a secure RARP reply, modify the local ARP information table.
The complete reception and transmission process of the secure ARP protocol is shown in Fig. 1.
In today's managed LANs, the user's online activity is generally controlled by client software; Internet cafés and ISPs, for example, all have such client software. The secure ARP function can therefore be added to the client software and to the gateway device, so that both the viruses mentioned above, which distribute arbitrary ARP messages, and deliberate IP forgery are dealt with, with little configuration work and, unlike PPPoE, without any effect on communication between hosts.
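As an added example (not code from the patent or its applicant), the Table 1 message layout and the b1-b3 authentication steps in Python, with the step-c response logic for all four secure operation types. Assumed, because the patent does not specify them: Ethernet/IPv4 address sizes, the digest input order user name || random number || password, a single 1-byte digest-length field before the digest text, and the constructed user database and addresses.

```python
import hashlib
import hmac
import os
import struct

# Operation-type codes from Table 1: 21-24 mark the secure ARP/RARP variants.
SEC_ARP_REQ, SEC_ARP_REPLY, SEC_RARP_REQ, SEC_RARP_REPLY = 21, 22, 23, 24
SECURE_OPS = {SEC_ARP_REQ, SEC_ARP_REPLY, SEC_RARP_REQ, SEC_RARP_REPLY}
# Columns 1-10 of Table 1 for Ethernet (hardware type 1) over IPv4 (0x0800).
FIXED = struct.Struct("!HHBBH6s4s6s4s32s")

def digest(username: bytes, nonce: bytes, password: bytes) -> bytes:
    # Assumed input order username || random number || password; MD5 as in claim 3.
    return hashlib.md5(username + nonce + password).digest()

def build(op, sha, spa, tha, tpa, username, password, nonce=None):
    """Serialize a secure ARP/RARP message laid out as in Table 1."""
    nonce = nonce or os.urandom(32)          # 32-byte random number (column 10)
    d = digest(username, nonce, password)
    return (FIXED.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa, nonce)
            + bytes([len(username)]) + username + bytes([len(d)]) + d)

def parse(pkt: bytes) -> dict:
    """Split a secure ARP message into its fields; reject truncated messages."""
    if len(pkt) < FIXED.size + 2:
        raise ValueError("message too short for a secure ARP header")
    f = FIXED.unpack_from(pkt)
    body = pkt[FIXED.size:]                  # columns 11-15
    ulen, username, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if ulen == 0 or len(username) != ulen or not rest or len(rest) - 1 != rest[0]:
        raise ValueError("truncated user-information block")
    return {"op": f[4], "sha": f[5], "spa": f[6], "tha": f[7], "tpa": f[8],
            "nonce": f[9], "username": username, "digest": rest[1:]}

def authenticate(msg: dict, user_db: dict) -> bool:
    """Steps b1-b3: look up the password by user name, recompute, compare."""
    password = user_db.get(msg["username"])
    if password is None:
        return False
    expected = digest(msg["username"], msg["nonce"], password)
    return hmac.compare_digest(expected, msg["digest"])   # constant-time compare

def handle(pkt, user_db, arp_table, my_mac, my_ip, my_user, my_pw):
    """Step c: act only on authenticated secure messages; conventional ARP gets no response."""
    op = int.from_bytes(pkt[6:8], "big")     # column 5 sits at offset 6 in both formats
    if op not in SECURE_OPS:
        return "ignored-conventional", None
    msg = parse(pkt)
    if not authenticate(msg, user_db):
        return "auth-failed", None
    if op == SEC_ARP_REQ and msg["tpa"] != my_ip:
        return "not-for-me", None
    if op in (SEC_ARP_REQ, SEC_RARP_REQ):    # answer with the matching secure reply
        reply_op = SEC_ARP_REPLY if op == SEC_ARP_REQ else SEC_RARP_REPLY
        return "reply", build(reply_op, my_mac, my_ip, msg["sha"], msg["spa"], my_user, my_pw)
    arp_table[msg["spa"]] = msg["sha"]       # authenticated reply: update the local ARP table
    return "table-updated", None
```

A reply whose digest was made with a wrong password is dropped before the ARP table is touched, which is the property the patent relies on.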
Claims (5)
1. A method for improving LAN communication security, characterized by comprising the steps:
a. adding user information to the address resolution protocol; the user information consists of a user name length field, a user name field, a random number field, a digest length field and a digest text field; the digest text field is formed by computing, with a digest algorithm, a digest of the user name, the random number and the user password;
b. providing an authentication server; the authentication server extracts the user password from a database according to the user name in the received address resolution protocol message, appends the random number from the received message to the user password and computes a digest with the same digest algorithm; the result is compared with the digest text in the received message; if they are identical, authentication passes, otherwise authentication fails;
c. responding if authentication passes, otherwise not responding.
2. The method for improving LAN communication security according to claim 1, characterized in that the digest algorithm is a one-way, irreversible digest algorithm.
3. The method for improving LAN communication security according to claim 2, characterized in that the digest algorithm is MD5.
4. The method for improving LAN communication security according to claim 1, characterized in that, in step c, responding means: on receiving a secure ARP request, sending a secure ARP reply; on receiving a secure ARP reply, modifying the local ARP information table.
5. The method for improving LAN communication security according to claim 1, characterized in that the authentication server is located on the gateway.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2006100206211A CN100571272C (en) | 2006-03-30 | 2006-03-30 | Improve the method for LAN communication safety |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1825853A CN1825853A (en) | 2006-08-30 |
CN100571272C true CN100571272C (en) | 2009-12-16 |
Family ID: 36936292
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2006100206211A Expired - Fee Related CN100571272C (en) | 2006-03-30 | 2006-03-30 | Improve the method for LAN communication safety |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100571272C (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103873478A (en) * | 2014-03-28 | 2014-06-18 | 上海斐讯数据通信技术有限公司 | Method for ensuring security of ARP message |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101175321B (en) * | 2006-10-30 | 2011-11-30 | 鸿富锦精密工业(深圳)有限公司 | Network access equipment, internetwork connection establishing method and mobile communication system using the same |
CN103297559A (en) * | 2013-05-09 | 2013-09-11 | 厦门亿联网络技术股份有限公司 | Method for quickly searching equipment information within local area network |
CN103347031B (en) * | 2013-07-26 | 2016-03-16 | 迈普通信技术股份有限公司 | A kind of method and apparatus taking precautions against ARP message aggression |
CN103731258B (en) * | 2013-12-20 | 2017-07-28 | 三星电子(中国)研发中心 | Generate the method and apparatus of key |
CN105207778B (en) * | 2014-07-03 | 2019-04-16 | 清华大学深圳研究生院 | A method of realizing packet identity and digital signature on accessing gateway equipment |
US11277442B2 (en) * | 2019-04-05 | 2022-03-15 | Cisco Technology, Inc. | Verifying the trust-worthiness of ARP senders and receivers using attestation-based methods |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1534933A (en) * | 2003-03-28 | 2004-10-06 | 华为技术有限公司 | Safety access control method for internet protocol |
- 2006-03-30: CN CNB2006100206211A, patent CN100571272C, not active (Expired - Fee Related)
Also Published As
Publication number | Publication date |
---|---|
CN1825853A (en) | 2006-08-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN100571272C (en) | Improve the method for LAN communication safety | |
JP4347335B2 (en) | Network relay program, network relay device, communication system, and network relay method | |
Lloyd et al. | PPP authentication protocols | |
CN101022340B (en) | Intelligent control method for realizing city Ethernet exchanger switch-in security | |
US9148412B2 (en) | Secure configuration of authentication servers | |
CN102255918A (en) | DHCP (Dynamic Host Configuration Protocol) Option 82 based user accessing authority control method | |
CN101488857B (en) | Authenticated service virtualization | |
US20100235625A1 (en) | Techniques and architectures for preventing sybil attacks | |
CN101345743A (en) | Method and system for preventing network attack by utilizing address analysis protocol | |
CN101141492A (en) | Method and system for implementing DHCP address safety allocation | |
CN104901940A (en) | 802.1X network access method based on combined public key cryptosystem (CPK) identity authentication | |
CN104618360B (en) | Bypass authentication method and system based on 802.1X agreement | |
CN102571811A (en) | User access authority control system and method thereof | |
CN101860551A (en) | Multi-user authentication method and system under single access port | |
CN101146103A (en) | A method fro realizing stable secure protection of broadband access device | |
CN101848206A (en) | Method for supporting 802.1X extensible authentication protocol in edge router | |
CN103051626B (en) | A kind of authentication method and the network equipment | |
CN101030945A (en) | Method for preventing PPPoE from being attacked by personnel server and false server | |
WO2021253852A1 (en) | Data center 5g network encryption multicast-based authority authentication method and system | |
CN1265579C (en) | Method for network access user authentication | |
CN100474825C (en) | Method and system for unified process of domain authentication and user network authority control | |
Cisco | Network Access Security Commands | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20091216 |