CN101110731A - Method and apparatus for preventing network intermedium from accessing into control address - Google Patents

Method and apparatus for preventing network intermedium from accessing into control address

Info

Publication number
CN101110731A
Authority
CN
China
Prior art keywords
access control
access node
network gateway
control address
medium access
Prior art date
Legal status
Pending
Application number
CNA2007101176294A
Other languages
Chinese (zh)
Inventor
曹文利
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority date
2007-06-20
Filing date
2007-06-20
Publication date
2008-01-23
Application filed by ZTE Corp
Legal status: Pending

Abstract

The present invention provides a method and a device for preventing medium access control (MAC) address spoofing. The method comprises: Step one, the access node of the network automatically acquires the MAC address of the broadband network gateway; Step two, the access node configures the MAC address acquired from the broadband network gateway into its static MAC address table or its access control list. The invention solves the security problem of broadband network gateway MAC address spoofing while guaranteeing automatic configuration of the broadband network gateway MAC address, so that the security, flexibility and extensibility of the broadband access network are all enhanced.

Description

A method and device for preventing medium access control address spoofing in a network
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and device for preventing MAC (Media Access Control) address spoofing in a network.
Background technology
Broadband access networks are currently evolving towards an architecture based on Ethernet aggregation. That architecture comprises the following parts: the user network, the access node (AN), the Ethernet aggregation network and the broadband network gateway (BNG). The access node terminates the various forms of user access; a DSLAM (Digital Subscriber Line Access Multiplexer) is one example. The broadband network gateway is the IP (Internet Protocol) edge router that applies bandwidth and QoS (quality of service) policy; a BRAS (Broadband Remote Access Server) or a service router are examples. The Ethernet aggregation network performs the aggregation and switching functions.
With the rapid development of broadband access networks and their ever wider use, their security has become a problem of growing concern. Users, access nodes, broadband network gateways and the network itself all face a full spectrum of threats, in particular threats from the user side. A malicious user can impersonate the MAC address of the broadband network gateway (broadband network gateway MAC address spoofing), so that the same MAC address appears on different ports of the equipment. MAC address learning is then thrown into disorder and users lose network access. The main current solution to this threat is static configuration of the broadband network gateway MAC address: the MAC address of the broadband network gateway is entered manually into the static MAC address table of the access node, so that learning of the broadband network gateway MAC address can no longer be disturbed. Although this method is simple, its flexibility and extensibility are both very poor.
Summary of the invention
The object of the present invention is to provide a method and device for preventing medium access control address spoofing in a network, solving the technical problem that the prior art, while addressing the security problem of MAC address spoofing, cannot configure the MAC address automatically and therefore lacks flexibility and extensibility.
To achieve this object, the invention provides a method for preventing medium access control address spoofing in a network, comprising the following steps:
Step 1: the access node of the network automatically obtains the medium access control address of the broadband network gateway;
Step 2: the access node configures the medium access control address obtained from the broadband network gateway into the static medium access control address table or the access control list (ACL) of the access node.
In the above method, in step 1, the access node dynamically obtains the medium access control address of the broadband network gateway by snooping the downstream protocol messages on the network-side link/interface.
In the above method, the downstream protocol messages belong to one or more of the following protocols: DHCP for IPv4 (IP protocol version 4) and IPv6 (IP protocol version 6), the Point-to-Point Protocol over Ethernet, IGMP, and the IPv6 Multicast Listener Discovery protocol.
In the above method, in step 1, the access node dynamically obtains the medium access control address of the broadband network gateway by starting one or more of the following functions on the network-side link/interface: the client function of DHCP or of the Point-to-Point Protocol over Ethernet, or the host function of IGMP/Multicast Listener Discovery.
In the above method, in step 1, the access node obtains the medium access control address of the broadband network gateway by means of the IPv6 Neighbor Discovery protocol.
In the above method, in step 1, the access node obtains the medium access control address of the broadband network gateway by means of the Multicast Router Discovery protocol.
In the above method, in step 1, the broadband network gateway configures the access node through a management protocol, so that the access node obtains the medium access control address of the broadband network gateway.
In the above method, the management protocol is the Simple Network Management Protocol.
In the above method, in step 1, the broadband network gateway notifies the access node through a dynamic management protocol, so that the access node obtains the medium access control address of the broadband network gateway.
In the above method, the dynamic management protocol is the Layer 2 Control Mechanism of the DSL (Digital Subscriber Loop) Forum, the Access Node Control Protocol, or the Common Open Policy Service protocol.
In the above method, in step 2, the access control list is a source-MAC-address-based access control list applied on the user-side link/interface of the access node.
In the above method, after the access node has configured the obtained medium access control address of the broadband network gateway into the source-MAC-address-based access control list, messages whose medium access control address is identical to that of the broadband network gateway are forbidden from accessing the network.
In the above method, the access node includes a switch, a Digital Subscriber Line Access Multiplexer or an optical line terminal.
To achieve the object of the present invention, the invention also provides a device for preventing medium access control address spoofing in a network, comprising: an address acquisition module, used to make the access node of the network automatically obtain the medium access control address of the broadband network gateway; and a configuration module, used to configure the medium access control address obtained from the broadband network gateway into the static medium access control address table or the access control list of the access node.
The technical effects of the present invention are:
The invention provides a method and device for preventing MAC address spoofing which can prevent broadband network gateway MAC address spoofing. While solving the security problem of broadband network gateway MAC address spoofing, it guarantees automatic configuration of the broadband network gateway MAC address, and can improve the security, flexibility and extensibility of the broadband access network.
Description of drawings
Fig. 1 is the network structure used to implement an embodiment of the method of the invention;
Fig. 2 is the flow chart of the steps of the method of the invention.
Embodiment
To make the object, technical solution and advantages of the present invention clearer, preferred embodiments of the invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here serve only to describe and explain the invention and are not intended to limit it.
Fig. 1 is the network structure according to an embodiment of the invention.
As shown in Fig. 1, the network consists of a user 102, an illegitimate user 104, an access node 106 and a broadband network gateway 108. The user 102 is connected to the access node 106 through user-side link 2 of the access node 106, the illegitimate user 104 is connected to the access node 106 through user-side link 3 of the access node 106, and the access node 106 is connected to the broadband network gateway 108 through network-side link 1. In this embodiment the access node 106 is a switch, by way of example, and the broadband network gateway 108 is a broadband access server, by way of example.
Fig. 2 is the flow chart of the steps of the method of the invention for preventing MAC address spoofing. In the present invention, the access node includes a switch, a Digital Subscriber Line Access Multiplexer or an optical line terminal. The detailed process of Fig. 2 is described below with reference to Fig. 1. As shown in Fig. 2, the method for preventing MAC address spoofing comprises the following steps:
Step S202: the access node automatically obtains the MAC address of the broadband network gateway.
In this step, the access node can obtain the broadband network gateway MAC address automatically by any of the following approaches:
1) The access node snoops the downstream protocol messages on the network-side link/interface and dynamically obtains the broadband network gateway MAC address.
The protocol messages here include the messages of the following protocols:
A) DHCP (Dynamic Host Configuration Protocol).
For IPv4, the protocol messages include:
DHCP Offer: the response to a DHCP Discover message.
DHCP Ack: the response to a DHCP Request message.
For IPv6, the protocol messages include:
DHCP Advertise: the response to a DHCP Solicit message.
DHCP Reply.
DHCP Reconfigure.
DHCP Relay-reply.
B) PPPoE (Point-to-Point Protocol over Ethernet). The corresponding protocol messages include:
PADO (PPPoE Active Discovery Offer).
PADS (PPPoE Active Discovery Session-confirmation).
C) IGMP (Internet Group Management Protocol). The corresponding protocol messages include:
Membership Query: the membership query messages, comprising the General Query and the Group-Specific Query.
D) MLD (Multicast Listener Discovery), the IPv6 multicast listener discovery protocol. The corresponding protocol messages include:
Multicast Listener Query: the multicast listener query messages, comprising the General Query and the Multicast-Address-Specific Query.
In an embodiment of the present invention, the access node 106 snoops the downstream protocol messages on network-side link 1 and dynamically obtains the broadband network gateway MAC address. The snooped messages can be any of the messages described above.
2) The access node starts the DHCP or PPPoE client function, or the IGMP/MLD host function, on the network-side link/interface and dynamically obtains the MAC address of the broadband network gateway.
In an embodiment of the present invention, the access node 106 starts the following functions on network-side link 1 to dynamically obtain the broadband network gateway MAC address:
A) DHCP client function
For IPv4: send a DHCP Discover message on the network-side link, then extract the server's MAC address from the Offer message returned by the DHCP server; this is the MAC address of the broadband network gateway.
For IPv6: send an Information-Request or Solicit message on the network-side link, then extract the server's MAC address from the Reply or Advertise message returned by the DHCP server; this is the MAC address of the broadband network gateway.
B) PPPoE client function
Send a PADI message on the network-side link, then extract the server's MAC address from the PADO (Offer) message returned by the PPPoE server; this is the MAC address of the broadband network gateway.
C) IGMP/MLD host function
Send a Report message on the network-side link, then extract the server's MAC address from the Query message returned by the server; this is the MAC address of the broadband network gateway.
3) The access node obtains the MAC address of the broadband network gateway through the IPv6 Neighbor Discovery protocol.
The IPv6 Neighbor Discovery protocol handles the interaction and maintenance between neighbouring nodes (nodes on the same link) and maintains the mapping between network-layer addresses and link-layer addresses within a subnet. Five message types are defined in the Neighbor Discovery protocol: Router Advertisement, Router Solicitation, Redirect, Neighbor Solicitation and Neighbor Advertisement. The access node obtains the MAC address of the broadband network gateway from these messages.
4) The access node obtains the MAC address of the broadband network gateway through the Multicast Router Discovery protocol.
The Multicast Router Discovery protocol implements the discovery of multicast routers.
5) The broadband network gateway configures the access node through a management protocol, such as SNMP (Simple Network Management Protocol), so that the access node obtains the MAC address of the broadband network gateway.
6) The broadband network gateway notifies the access node through a dynamic management protocol, such as the L2CM (Layer 2 Control Mechanism) of the DSL (Digital Subscriber Loop) Forum, the ANCP (Access Node Control Protocol) or the COPS (Common Open Policy Service) protocol, so that the access node obtains the MAC address of the broadband network gateway.
Step S204: the access node configures the obtained broadband network gateway MAC address into the static MAC address table of the access node or into an access control list.
In this step, the access control list is a source-MAC-address-based access control list applied on the user-side link/interface of the access node. The access node configures the obtained broadband network gateway MAC address into the source-MAC-based access control list of the access node, and messages whose source MAC address is identical to the broadband network gateway MAC address are forbidden from accessing the network.
In an embodiment of the present invention, the access node 106 configures the obtained broadband network gateway MAC address into the static MAC address table of the access node, or applies the source-MAC-based access control list on user-side links 2 and 3.
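As an added example (not code from the patent or from ZTE), the following Python sketch models steps S202 and S204 for the scenario of Fig. 1: an access node snoops the downstream messages listed under approach 1) on its network-side link, takes the source MAC of a DHCP Offer/Ack, PPPoE PADO/PADS or IGMP Membership Query as the gateway MAC, pins it in a static MAC table and places it in a source-MAC deny list applied on the user-side links, so that an upstream frame carrying the gateway's MAC is dropped. The MAC addresses, the sample frames and the AccessNode class are constructed for illustration; the IPv6 DHCP and MLD messages the patent also lists are not parsed here.

```python
import struct
ETH_IPV4, ETH_PPPOE_DISC = 0x0800, 0x8863
DHCP_OFFER, DHCP_ACK = 2, 5            # DHCP option 53 message types
IGMP_MEMBERSHIP_QUERY = 0x11
PADO, PADS = 0x07, 0x65                # PPPoE Active Discovery Offer / Session-confirmation
DHCP_MAGIC = b"\x63\x82\x53\x63"
# Constructed addresses for the Fig. 1 scenario (not real devices).
BNG_MAC = "00:11:22:33:44:55"          # broadband network gateway 108
USER_MAC = "aa:bb:cc:dd:ee:01"         # legitimate user 102 on user-side link 2

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def eth(dst, src, ethertype, payload):
    """Ethernet II frame: dst(6) src(6) type(2) payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def ipv4(proto, src_ip, dst_ip, payload):
    # Header checksum is left zero; the classifier below does not validate checksums.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(src_ip), bytes(dst_ip)) + payload

def dhcp_frame(src_mac, dst_mac, msg_type):
    """Constructed server->client DHCPv4 message: BOOTREPLY carrying option 53."""
    bootp = bytes([2, 1, 6, 0]) + bytes(232) + DHCP_MAGIC + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    return eth(dst_mac, src_mac, ETH_IPV4, ipv4(17, [10, 0, 0, 1], [255, 255, 255, 255], udp))

def igmp_query_frame(src_mac):
    """Constructed IGMP General Query (type 0x11, group 0.0.0.0) sent to 224.0.0.1."""
    igmp = bytes([IGMP_MEMBERSHIP_QUERY, 100, 0, 0]) + bytes(4)
    return eth("01:00:5e:00:00:01", src_mac, ETH_IPV4, ipv4(2, [10, 0, 0, 1], [224, 0, 0, 1], igmp))

def pppoe_frame(src_mac, dst_mac, code):
    """Constructed PPPoE discovery packet: ver/type 0x11, code, session id, tag length."""
    return eth(dst_mac, src_mac, ETH_PPPOE_DISC, bytes([0x11, code]) + struct.pack("!HH", 0, 0))

def dhcp_message_type(bootp):
    """Option 53 value of a BOOTREPLY, or None if the payload is not a DHCP reply."""
    if len(bootp) < 240 or bootp[0] != 2 or bootp[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i + 1 < len(bootp) and bootp[i] != 255:   # 255 is the end option
        opt = bootp[i]
        if opt == 0:                                  # pad option has no length byte
            i += 1
            continue
        length = bootp[i + 1]
        if opt == 53 and length == 1 and i + 2 < len(bootp):
            return bootp[i + 2]
        i += 2 + length
    return None

def classify_downstream(frame):
    """Label a network-side frame if it is one of the gateway-originated messages the
    method snoops (DHCP Offer/Ack, PPPoE PADO/PADS, IGMP Membership Query), else None."""
    if len(frame) < 14:
        return None
    ethertype, payload = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == ETH_PPPOE_DISC and len(payload) >= 6 and payload[0] == 0x11:
        return {PADO: "PPPoE PADO", PADS: "PPPoE PADS"}.get(payload[1])
    if ethertype == ETH_IPV4 and len(payload) >= 20:
        l4, proto = payload[(payload[0] & 0x0F) * 4:], payload[9]
        if proto == 2 and l4 and l4[0] == IGMP_MEMBERSHIP_QUERY:
            return "IGMP Membership Query"
        if proto == 17 and len(l4) >= 8:
            sport, dport = struct.unpack("!HH", l4[:4])
            if sport == 67 and dport in (67, 68):       # DHCP server -> client or relay
                return {DHCP_OFFER: "DHCP Offer", DHCP_ACK: "DHCP Ack"}.get(dhcp_message_type(l4[8:]))
    return None

class AccessNode:
    """Hypothetical model of access node 106: learn the BNG MAC on network-side link 1 (S202), pin and filter it (S204)."""
    def __init__(self):
        self.static_mac_table = {}        # MAC -> port, pinned so learning cannot move it
        self.user_side_deny_src = set()   # source-MAC ACL applied on user-side links 2 and 3
    def snoop_network_side(self, frame):
        kind = classify_downstream(frame)
        if kind is not None:
            gw = mac_str(frame[6:12])     # source MAC of the downstream message
            self.static_mac_table[gw] = "network-side link 1"
            self.user_side_deny_src.add(gw)
        return kind
    def filter_user_side(self, frame):
        """Verdict for an upstream frame: drop it if its source MAC is the gateway's."""
        return "drop" if mac_str(frame[6:12]) in self.user_side_deny_src else "forward"

def demo():
    node = AccessNode()
    downstream = [dhcp_frame(BNG_MAC, USER_MAC, DHCP_OFFER),
                  pppoe_frame(BNG_MAC, USER_MAC, PADO), igmp_query_frame(BNG_MAC)]
    learned = [node.snoop_network_side(f) for f in downstream]
    spoofed = eth("ff:ff:ff:ff:ff:ff", BNG_MAC, ETH_IPV4, b"")   # user 104 forging the gateway's MAC
    verdicts = {"user 102": node.filter_user_side(eth(BNG_MAC, USER_MAC, ETH_IPV4, b"")),
                "user 104": node.filter_user_side(spoofed)}
    return node, learned, verdicts
```

Running demo() learns the gateway MAC from the three constructed downstream messages and returns "forward" for user 102's frame and "drop" for the frame in which user 104 forges the gateway's source MAC. The classifier only accepts server-originated message types (BOOTREPLY, PADO/PADS, queries), never the client-originated Discover, PADI or Report, and it trusts whatever it sees on the network-side link; that is why the method confines snooping to that link and applies the resulting deny entry only on the user-side links.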
Corresponding to the method of the present invention, the invention also provides a device for preventing medium access control address spoofing in a network, comprising an address acquisition module and a configuration module. The address acquisition module is used to make the access node of the network automatically obtain the medium access control address of the broadband network gateway; the configuration module is used to configure the medium access control address obtained from the broadband network gateway into the static medium access control address table or the access control list of the access node. The address acquisition module and the configuration module can be software modules located in the access node, or hardware modules with the above functions.
As described above, the present invention realizes a method for preventing MAC address spoofing, namely broadband network gateway MAC address spoofing. It thereby guarantees that the broadband network gateway MAC address is configured automatically, solves the security problem of broadband network gateway MAC address spoofing, and serves to improve the security, flexibility and extensibility of the broadband access network.
The above are only preferred embodiments of the present invention and do not limit it; for a person skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (14)

1. A method for preventing medium access control address spoofing in a network, characterized in that it comprises the following steps:
Step 1: the access node of the network automatically obtains the medium access control address of the broadband network gateway;
Step 2: the access node configures the medium access control address obtained from the broadband network gateway into the static medium access control address table or the access control list of the access node.
2. The method according to claim 1, characterized in that, in step 1, the access node dynamically obtains the medium access control address of the broadband network gateway by snooping the downstream protocol messages on the network-side link/interface.
3. The method according to claim 2, characterized in that the downstream protocol messages belong to one or more of the following protocols: DHCP for IPv4 and IPv6, the Point-to-Point Protocol over Ethernet, IGMP, and the IPv6 Multicast Listener Discovery protocol.
4. The method according to claim 1, characterized in that, in step 1, the access node dynamically obtains the medium access control address of the broadband network gateway by starting one or more of the following functions on the network-side link/interface: the client function of DHCP or of the Point-to-Point Protocol over Ethernet, or the host function of IGMP/Multicast Listener Discovery.
5. The method according to claim 1, characterized in that, in step 1, the access node obtains the medium access control address of the broadband network gateway by means of the IPv6 Neighbor Discovery protocol.
6. The method according to claim 1, characterized in that, in step 1, the access node obtains the medium access control address of the broadband network gateway by means of the Multicast Router Discovery protocol.
7. The method according to claim 1, characterized in that, in step 1, the broadband network gateway configures the access node through a management protocol, so that the access node obtains the medium access control address of the broadband network gateway.
8. The method according to claim 7, characterized in that the management protocol is the Simple Network Management Protocol.
9. The method according to claim 1, characterized in that, in step 1, the broadband network gateway notifies the access node through a dynamic management protocol, so that the access node obtains the medium access control address of the broadband network gateway.
10. The method according to claim 9, characterized in that the dynamic management protocol is the Layer 2 Control Mechanism of the Digital Subscriber Loop Forum, the Access Node Control Protocol, or the Common Open Policy Service protocol.
11. The method according to any one of claims 1 to 10, characterized in that, in step 2, the access control list is a source-MAC-address-based access control list applied on the user-side link/interface of the access node.
12. The method according to claim 11, characterized in that, after the access node has configured the obtained medium access control address of the broadband network gateway into the source-MAC-address-based access control list, messages whose medium access control address is identical to that of the broadband network gateway are forbidden from accessing the network.
13. The method according to claim 11, characterized in that the access node includes a switch, a Digital Subscriber Line Access Multiplexer or an optical line terminal.
14. A device for preventing medium access control address spoofing in a network, characterized in that it comprises:
an address acquisition module, used to make the access node of the network automatically obtain the medium access control address of the broadband network gateway;
a configuration module, used to configure the medium access control address obtained from the broadband network gateway into the static medium access control address table or the access control list of the access node.
Application CNA2007101176294A, priority date 2007-06-20, filing date 2007-06-20: Method and apparatus for preventing network intermedium from accessing into control address. Status: Pending. Publication CN101110731A (en).

Publications (1)

Publication Number Publication Date
CN101110731A true CN101110731A (en) 2008-01-23

Family

ID=39042634

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011038624A1 (en) * 2009-09-29 2011-04-07 华为技术有限公司 Method and routing device for generating access control list
CN102201963A (en) * 2010-03-22 2011-09-28 杭州华三通信技术有限公司 Media access control-forced forwarding method and functional unit
CN102201963B (en) * 2010-03-22 2014-02-05 杭州华三通信技术有限公司 Media access control-forced forwarding method and functional unit
CN102025734A (en) * 2010-12-07 2011-04-20 中兴通讯股份有限公司 Method, system and switch for preventing MAC address spoofing
CN102025734B (en) * 2010-12-07 2015-06-03 中兴通讯股份有限公司 Method, system and switch for preventing MAC address spoofing
CN104837138A (en) * 2015-03-27 2015-08-12 广东欧珀移动通信有限公司 Detection method of terminal hardware identifier, and detection device of terminal hardware identifier
WO2023116424A1 (en) * 2021-12-21 2023-06-29 深圳创维数字技术有限公司 Gateway locking method and apparatus based on pon technology, and server and medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20080123