Summary of the invention
In the prior art, IP address assignment is either insufficiently secure or insufficiently flexible to configure, it is difficult to locate a terminal by its address, and it is difficult to guard against a malicious DHCP service. The embodiments of the invention therefore provide a method and device for network address assignment, and a method and device for detecting and blocking an illegal DHCP service, which take both the security and the flexibility of IP address assignment into account and guard against the presence of an illegal DHCP service.
The embodiments of the invention provide the following technical scheme:
A method of assigning an IP address to a terminal, in which a server, after receiving an IP address request message sent by the terminal, carries out the following steps:
Judge, from the stored terminal record, whether the terminal has accessed the network before. If it has, assign the terminal the IP address it used when it previously accessed the network; if it has not, assign the terminal an IP address dynamically according to the DHCP protocol. The terminal record contains the IP address and the medium access control (MAC) address of each terminal, and an IP address assigned dynamically according to the DHCP protocol is chosen from the IP addresses that are not in the terminal record.
After the terminal enters the network, statically bind the terminal's IP address and MAC address; after the terminal leaves the network, remove the binding between the terminal's IP address and MAC address.
A system for assigning an IP address to a terminal comprises a client unit and a network side apparatus, wherein:
the client unit is used to send the network side apparatus a request message for assigning an IP address to the terminal, the request message containing the terminal's MAC address information;
the network side apparatus is used to judge, from the request message and the terminal record, whether the terminal has accessed the network before, the terminal record containing the IP address and the MAC address of each terminal;
and is further used, when the terminal has accessed the network before, to assign the terminal the IP address it used when it previously accessed the network, and, when the terminal has not accessed the network before, to assign the terminal an IP address dynamically according to the DHCP protocol, where an IP address assigned dynamically according to the DHCP protocol is chosen from the IP addresses that are not in the terminal record; and is further used, after the terminal enters the network, to statically bind the terminal's IP address and MAC address, and, after the terminal leaves the network, to remove that binding.
Using the method of the embodiments of the invention, IP addresses can be assigned to terminals flexibly, a terminal can be located easily, and network security is ensured.
Embodiment
Under the prior art, IP address assignment schemes are either insufficiently secure or insufficiently flexible to configure, make it difficult to locate a terminal, and make it difficult to guard against a malicious DHCP service, so a scheme is needed that takes both security and flexibility into account and also guards against a malicious DHCP service. To this end, the embodiments of the invention provide a method of IP address assignment in which a network management platform, a gateway and a client cooperate to complete the address assignment for a terminal. The relationship between the network management platform, the gateways and the clients is shown in Figure 1: the network management platform 101 manages several gateways 102, each gateway 102 is connected to a number of terminals 103, and each terminal 103 is provided with a client 104.
The embodiments of the invention provide a method of IP address assignment that combines dynamic and static assignment of IP addresses. As shown in Figure 2, after the server receives the IP address request message sent by the terminal, it judges from the stored terminal record whether the terminal has accessed the network before; if so, it assigns the terminal the IP address the terminal used when it previously accessed the network; if not, it assigns the terminal an IP address dynamically.
When a terminal accesses the network for the first time, it obtains an IP address from the DHCP server located on the gateway, and after the client located on the terminal has passed authentication by the network management platform with the client user name and password, the network management platform records the terminal's IP address and MAC address in the terminal record. As more terminals access the network for the first time, the entries in the terminal record grow, and a terminal listed in an entry is sometimes connected to the network and sometimes disconnected. The network management platform learns whether a terminal has accessed the network before by looking up the terminal's MAC address in the terminal record.
As shown in Figure 3, the specific steps of the method provided by this embodiment are as follows:
Step 301: the terminal sends an IP address request message to the gateway;
Step 302: the network management platform searches the terminal record and judges whether the terminal has accessed the network before; if not, go to step 303; if so, go to step 304;
Step 303: the gateway assigns the terminal a random IP address according to the DHCP protocol;
Step 304: the network management platform looks up the terminal's IP address in the terminal record by the terminal's MAC address and assigns that address to the terminal;
Step 305: the terminal submits its MAC address, IP address, client user name and password to the gateway, which forwards them to the network management platform;
Step 306: the network management platform judges whether the terminal is legitimate; if not, go to step 307; if so, go to step 308;
Step 307: the network management platform reclaims the IP address assigned to the terminal and sends a prompt message;
Step 308: the network management platform authorizes the terminal to access the network and records the terminal's IP address and MAC address;
Step 309: static ARP binding is carried out.
In step 301, the packet the terminal sends to the gateway contains the terminal's MAC address. In step 302 the network management platform obtains from the gateway the packet the terminal sent and judges, by whether the terminal's MAC address is in the terminal record, whether the terminal is accessing the network for the first time. If the terminal's MAC address is present in the terminal record, the terminal has obtained an IP address before and that IP address is also present in the terminal record, so the network management platform sends the terminal's MAC address and IP address to the gateway, and the gateway assigns that IP address to the terminal with that MAC address. If the terminal's MAC address is not present in the terminal record, the terminal is accessing the network for the first time, and an IP address is assigned to it dynamically, that is, according to the DHCP protocol. After obtaining the IP address, the terminal hands its IP address, its own MAC address, the client user name and the password to the network management platform via the gateway; the network management platform authenticates them to judge whether the terminal is a legitimate terminal, and if it is, authorizes the terminal to enter the network and stores the terminal's MAC address and IP address information in the terminal record.
After the terminal enters the network, static ARP binding is carried out: the gateway statically binds the terminal's IP address and MAC address, and the terminal statically binds the gateway's IP address and MAC address. After the terminal leaves the network, the gateway removes the binding between the terminal's IP address and MAC address, and the terminal removes the binding between the gateway's IP address and MAC address.
In the embodiments of the invention the gateway equipment and terminal equipment are configured so that the number of IP addresses the gateway can provide is not less than the number of terminals. In step 303, when an IP address is assigned according to the DHCP protocol, it is chosen from the IP addresses that are not in the terminal record of the network management platform.
If the terminal equipment is replaced, so that its MAC address changes, the terminal's entry in the network management platform is first updated by removing the binding between that terminal's MAC address and IP address; the next time the terminal sends an IP request to the gateway, the DHCP service assigns it a random IP address, and if it then passes authentication and accesses the network, its MAC address and IP address are recorded and the binding between the two is re-established.
The method provided by the embodiments of the invention uses the client's user name and password to improve the security of the terminal; recording the terminal's MAC address and IP address makes it easy to locate the terminal; and because the terminal's MAC address can be both bound and unbound, the assignment of IP addresses retains a degree of flexibility.
The embodiments of the invention provide a system for assigning an IP address to a terminal, as shown in Figure 4. The management unit 401 and the allocation unit 402 are network side apparatus; the client unit 403 is arranged on the terminal side and is used to send the packet requesting an IP address for the terminal. The content of the packet follows the format of the DHCP protocol and includes the terminal's MAC address information. The allocation unit 402 may be located in the DHCP server of the gateway; it receives the packet sent by the client unit 403 and passes it to the management unit 401, where the first judging unit 4011 judges from the packet whether the terminal has accessed the network before. The first judging unit 4011 reaches this judgement by searching the record unit 4012 in the management unit 401, which stores the terminal record; the content of the terminal record comprises the MAC address information and IP address information of each terminal that has accessed the network. If the record unit 4012 finds the MAC address carried in the packet in the terminal record, the terminal has accessed the network before, and the IP address the terminal obtained when it accessed the network can be retrieved at the same time, because the terminal's MAC address and the IP address used during that access correspond to each other. The first judging unit 4011 then sends a first kind of message to the allocation unit 402, and on receiving it the allocation unit 402 assigns the terminal the IP address it used when it previously accessed the network. If the first judging unit 4011 fails to find the MAC address carried in the packet in the terminal record, no terminal with this MAC address has accessed the network before; the first judging unit 4011 then sends the allocation unit 402 a message instructing it to assign the terminal an IP address dynamically, that is, according to the DHCP protocol.
When the correspondence between a terminal's MAC address and IP address in the terminal record changes, for example because the terminal equipment is replaced and its MAC address changes, the notification unit 4031 in the client unit 403 sends a notification message to the management unit 401; according to the notification message, the first judging unit 4011 sends a second kind of message to the allocation unit 402, requiring the allocation unit to assign the terminal an IP address according to the DHCP protocol.
After the terminal obtains an IP address, it must also be judged whether the terminal is legitimate. The commit unit 4032 in the client unit 403 submits the terminal's MAC address information, IP address information, user name and password to the management unit 401; from these data, the second judging unit 4013 in the management unit 401 judges the legitimacy of the terminal against the user name and password database it stores. If the terminal is legitimate, terminal record information is generated from the terminal's MAC address information and IP address information and sent to the record unit 4012; if the terminal is illegitimate, the connection to the terminal is broken, and if necessary a related prompt message is sent to the client unit 403. The system provided by the embodiments of the invention takes both the security and the flexibility of IP address assignment into account and can locate a terminal.
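The allocation logic of steps 301 to 309 and of the units of Figure 4 (first judging unit, record unit, second judging unit, allocation unit) can be modelled in a few lines. The following is an added example written for this page, not code from the patent: the class names, the address pool, the credential database and the sample MAC addresses are all constructed. It adds one check the text does not spell out: the IP address a terminal submits in step 305 is accepted only if it is the address the platform actually handed to that MAC address, so a client cannot register somebody else's address under its own user name.

```python
"""Added example: terminal record, dynamic/static IP assignment and ARP binding
(models steps 301-309 and units 4011/4012/4013/402; not the patent's code)."""
import ipaddress


class ManagementPlatform:
    """Network management platform plus the gateway's allocation unit in one object."""

    def __init__(self, pool_cidr, credentials):
        # Addresses the gateway's DHCP server may hand out; the text requires the
        # pool to be no smaller than the number of terminals.
        self.pool = [str(h) for h in ipaddress.ip_network(pool_cidr).hosts()]
        self.credentials = credentials   # username -> password (constructed sample database)
        self.records = {}                # terminal record: MAC -> IP (record unit 4012)
        self.pending = {}                # step-303 leases handed out but not yet authenticated
        self.bindings = {}               # static ARP bindings on the gateway: IP -> MAC

    def request_ip(self, mac):
        """Steps 301-304 (first judging unit 4011): a MAC in the terminal record gets its
        recorded IP; a new MAC gets the first free address outside the record and outside
        the pending leases (the patent says this choice may be random)."""
        if mac in self.records:
            return self.records[mac]
        if mac in self.pending:
            return self.pending[mac]
        excluded = set(self.records.values()) | set(self.pending.values())
        for ip in self.pool:
            if ip not in excluded:
                self.pending[mac] = ip
                return ip
        raise RuntimeError("no free address: pool smaller than number of terminals")

    def authenticate(self, mac, ip, username, password):
        """Steps 305-309 (second judging unit 4013). Returns True when the terminal is
        legitimate; the record and the gateway-side static binding are then installed.
        On failure the pending address is reclaimed (step 307)."""
        assigned = self.records.get(mac, self.pending.get(mac))
        # Added check: only the address this platform handed to this MAC is accepted.
        if assigned != ip or self.credentials.get(username) != password:
            self.pending.pop(mac, None)
            return False
        self.pending.pop(mac, None)
        self.records[mac] = ip          # step 308
        self.bindings[ip] = mac         # step 309: static ARP binding on the gateway
        return True

    def terminal_exit(self, mac):
        """Terminal leaves: drop the static binding but keep the record, so the same
        IP address is reused at the next access."""
        ip = self.records.get(mac)
        if ip is not None:
            self.bindings.pop(ip, None)

    def replace_terminal(self, old_mac):
        """Terminal hardware replaced (MAC changed): update the record first so the
        new MAC is treated as a first-time access and goes through dynamic assignment."""
        ip = self.records.pop(old_mac, None)
        if ip is not None:
            self.bindings.pop(ip, None)
```

A reclaimed address (failed authentication in step 307) goes back into the candidate set immediately, while an address in the terminal record stays excluded from dynamic assignment even when its terminal is offline, which is exactly what lets a returning terminal get its old address back.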
The embodiments of the invention provide a method of guarding against an illegal DHCP server disturbing the operation of the network when IP addresses are assigned dynamically. The DHCP server located on the gateway is authorized by the network management platform and may assign IP addresses to terminals; a DHCP server not authorized by the network management platform is called an illegal DHCP server, and its presence can cause IP address conflicts in the network so that communication cannot proceed normally. The presence of an illegal DHCP server must therefore be detected and blocked.
The embodiments of the invention use the following steps, shown in Figure 5, to detect and block the presence of an illegal DHCP server.
Step 501: the gateway broadcasts a DHCP request packet, and the DHCP server located on the gateway does not respond to requests from the gateway's MAC address;
Step 502: judge whether the gateway receives a DHCP response; if not, return to step 501; if so, go to step 503 and step 505;
Step 503: inform the network management platform that an illegal DHCP server exists;
Step 504: the network management platform locates the illegal DHCP server and processes it further;
Step 505: the gateway broadcasts a series of DHCP request packets, each carrying a different MAC address, and the DHCP server located on the gateway does not respond to the DHCP requests sent from the gateway;
Step 506: send a DHCP request packet containing the gateway's MAC address;
Step 507: judge whether the gateway receives a DHCP response; if so, return to step 505; if not, end the process.
Steps 501 and 502 detect whether an illegal DHCP server exists in the network. The DHCP request the gateway broadcasts is used to detect an illegal DHCP server, so the gateway's own DHCP server must be prevented from responding to it. The gateway can send its DHCP server a descriptive message instructing it not to respond to DHCP requests that contain the gateway's MAC address. Then, if the gateway receives a response assigning an IP address, that response can only have come from an illegal DHCP server, and the presence of an illegal DHCP server is thereby detected.
The different MAC addresses carried in the packets broadcast in step 505 are virtual MAC addresses. They are used because a DHCP server assigns only one IP address per MAC address, so a number of MAC addresses are needed to occupy all the IP addresses the illegal DHCP server can provide. The number of MAC addresses used in the detection can be set by the network administrator or take a preset default value. During the detection the gateway can send its DHCP server a descriptive message so that it does not respond to the DHCP requests carrying the virtual MAC addresses broadcast by the gateway, whereas the illegal DHCP server, on receiving the packets carrying the different MAC addresses broadcast by the gateway, assigns an IP address to each MAC address. Because these MAC addresses are virtual, the gateway receives no response from the illegal DHCP server at this stage, so the gateway must then send a further DHCP request packet carrying its own MAC address and can detect, by whether it receives a response, whether all the IP addresses of the illegal DHCP service have been occupied. When all the IP addresses of the illegal DHCP service are occupied, the gateway receives no DHCP response after sending the DHCP request packet, and the illegal DHCP server has thereby been blocked from serving the network. This occupation is the same mechanism as a DHCP starvation attack, and it lasts only as long as the illegal server keeps the addresses reserved, which is why steps 505 to 507 are repeated rather than run once.
In steps 501 and 505 the request packets can also be broadcast by another network element. In that case specific information must be added to the packet so that the DHCP server located on the gateway recognizes the request packet as part of the detection function and does not assign an IP address to the network element whose MAC address is in the packet. In step 506 a MAC address that actually exists in the network must be sent, and the DHCP server located on the gateway must not respond to the IP request from this MAC address, so that the network element with that MAC address can receive the response of the illegal DHCP server, and it can be detected whether all the IP addresses of the illegal DHCP service are occupied.
Using the method provided by the embodiments of the invention, when IP addresses in the network are assigned dynamically, the presence of an illegal DHCP server can be detected and its influence eliminated, and the network management platform can locate the illegal DHCP server and process it further.
As shown in Figure 6, the embodiments of the invention provide a device for detecting an illegal DHCP service and a device for blocking an illegal DHCP service. In the figure the illegal DHCP service detection device 610 comprises a sending unit 611 and a detecting unit 612, and the illegal DHCP service blocking device 620 comprises a sending unit 621 and a detecting unit 622; the two devices are used to detect and block the presence of the illegal DHCP server 640 in the network, and so ensure the normal working of the authorized DHCP server 630 and the normal operation of the network.
The devices provided by the embodiments of the invention may be located in the gateway or arranged in another network element of the network. When the devices start operating, the illegal DHCP service detection device 610 first detects the presence of the illegal DHCP server 640. The sending unit 611 broadcasts a DHCP request packet containing the gateway's MAC address; this packet can be received by both the authorized DHCP server 630 and the illegal DHCP server 640. At the same time the sending unit 611 must also send descriptive information to the authorized DHCP server 630 so that the authorized DHCP server 630 does not respond to the packet; the descriptive information may be an instruction that the authorized DHCP server 630 is not to respond to DHCP request packets containing the MAC address of the network element where the sending unit is located. The detecting unit 612 then begins detecting, and if it receives a DHCP response it judges that the response came from the illegal DHCP server 640, which confirms the presence of the illegal DHCP server 640. Once the presence of the illegal DHCP server 640 is confirmed, the detecting unit 612 can also send related information to the relevant management device in the network so that the illegal DHCP server in the network is processed further.
Next, the illegal DHCP service blocking device 620 blocks the illegal service of the illegal DHCP server 640. The sending unit 621 first broadcasts DHCP request packets, each carrying a different MAC address, and at the same time sends descriptive information to the authorized DHCP server 630 so that the authorized DHCP server 630 does not respond to these packets, while the illegal DHCP server 640 still assigns IP addresses to these MAC addresses. Because the MAC addresses in the packets broadcast at this point do not correspond to actual network elements in the network, there is no way to receive the responses of the illegal DHCP server 640 to these MAC addresses. To detect whether the IP addresses the illegal DHCP server 640 can provide have all been occupied, a DHCP request packet carrying a MAC address that really exists in the network must therefore be sent, for example the MAC address of the network element where the detecting unit 622 is located. If the detecting unit 622 now receives a DHCP response, the illegal DHCP service has not yet been blocked, because the IP addresses the illegal DHCP server 640 can provide have not all been occupied; the preceding steps are then repeated, that is, the sending unit 621 broadcasts the DHCP request packets and then the DHCP request packet carrying the real MAC address, until the detecting unit 622 no longer receives a DHCP response, at which point it can be judged that the illegal DHCP service has been blocked.
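The probe-and-exhaust procedure of steps 501 to 507, which is the same procedure carried out by units 611/612 and 621/622, is shown below as an added example written for this page, not code from the patent. It builds genuine BOOTP/DHCP DISCOVER packets (RFC 2131 fixed header, magic cookie, option 53) but keeps the two servers as in-process objects instead of sending UDP broadcasts to port 67; the probe marker option 224, the address pools and the locally administered virtual MAC addresses are constructed. The authorized server obeys both forms of "descriptive information" the text mentions: it ignores a configured MAC address and it ignores any packet carrying the probe marker (the "specific information" of the other-network-element case). One point deliberately differs from the text: the check of step 506 is sent from a fresh virtual MAC address rather than the gateway's own. A DHCP server that has already offered an address to a MAC address will normally offer that same address to it again (RFC 2131 section 4.3.1), so a probe from the gateway's MAC, which already received an offer in step 501, cannot show whether the rogue's pool is exhausted.

```python
"""Added example: rogue DHCP detection (steps 501/502) and pool exhaustion (steps 505-507)
with real DHCPDISCOVER packets and simulated servers (not the patent's code)."""
import os
import struct

COOKIE = b"\x63\x82\x53\x63"
OPT_PROBE = 224   # site-specific option number used here as the constructed "probe" marker


def build_discover(mac: bytes, xid: int, probe: bool = False) -> bytes:
    """Minimal DHCPDISCOVER: 236-byte BOOTP header, magic cookie, options, end marker."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,      # BOOTREQUEST, Ethernet, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = b"\x35\x01\x01"                              # option 53 = DHCPDISCOVER
    if probe:
        options += bytes([OPT_PROBE, 1, 1])                # "detection probe, do not serve"
    return header + COOKIE + options + b"\xff"


def parse_discover(pkt: bytes):
    """Return (xid, chaddr, is_probe) from a DISCOVER built above."""
    xid = struct.unpack("!I", pkt[4:8])[0]
    mac = pkt[28:28 + pkt[2]]                              # chaddr, hlen bytes
    if pkt[236:240] != COOKIE:
        raise ValueError("not a DHCP packet")
    i, is_probe = 240, False
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                                    # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == OPT_PROBE:
            is_probe = True
        i += 2 + length
    return xid, mac, is_probe


class AuthorizedServer:
    """DHCP server on the gateway (630): honours the 'do not answer' instructions."""
    def __init__(self, pool, ignore_macs=()):
        self.free, self.ignore = list(pool), set(ignore_macs)

    def handle(self, pkt):
        _, mac, is_probe = parse_discover(pkt)
        if is_probe or mac in self.ignore or not self.free:
            return None
        return self.free.pop(0)          # stands in for a DHCPOFFER with this yiaddr


class RogueServer:
    """Unauthorised server (640): one address per distinct MAC, re-offered to a known MAC."""
    def __init__(self, pool):
        self.free, self.leases = list(pool), {}

    def handle(self, pkt):
        _, mac, _ = parse_discover(pkt)
        if mac in self.leases:
            return self.leases[mac]
        if not self.free:
            return None
        self.leases[mac] = self.free.pop(0)
        return self.leases[mac]


def offered(servers, mac, probe=True):
    """Broadcast one DISCOVER and report whether any server answered (detecting unit)."""
    pkt = build_discover(mac, xid=int.from_bytes(os.urandom(4), "big"), probe=probe)
    return any(s.handle(pkt) is not None for s in servers)


def virtual_mac():
    """Fresh locally administered unicast MAC (constructed; no real host owns it)."""
    return b"\x02" + os.urandom(5)


def detect_rogue(servers, gateway_mac):
    """Steps 501/502: the authorised server ignores the gateway's MAC, so any offer is rogue."""
    return offered(servers, gateway_mac)


def starve_rogue(servers, batch=8, max_rounds=32):
    """Steps 505-507: flood virtual MACs, then check with one more fresh MAC; repeat until
    silent. Returns (blocked, rounds_used)."""
    for rounds in range(1, max_rounds + 1):
        for _ in range(batch):
            offered(servers, virtual_mac())
        if not offered(servers, virtual_mac()):
            return True, rounds
    return False, max_rounds
```

The exhaustion is the same mechanism as a DHCP starvation attack against the rogue, and it only holds while the rogue keeps the addresses reserved; leases on a real server expire, so in practice `starve_rogue` is rerun periodically, and the authorized server must keep ignoring the probe marker the whole time or it would be starved too.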
Using the devices provided by the embodiments of the invention, when IP addresses in the network are assigned dynamically, the presence of an illegal DHCP server can be detected and its service blocked.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Accordingly, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include them.