Embodiments
To make the purpose, technical scheme and advantages of the present invention clearer, the present invention is described in more detail below with reference to the accompanying drawings and embodiments.
Before describing the embodiments of the invention, the message format of a ping packet is briefly introduced.
The message format of a ping packet is as follows:
For a ping echo request packet the [type] field is 8; for a ping echo reply packet the [type] field is 0. The [code] field is 0 in both cases. The [identifier] and [sequence number] fields are set arbitrarily by the sending end (Client) and are returned unchanged in the reply, so that the sending end can match an echo reply packet to its echo request packet. The [option data] field may be present or absent; it is also set arbitrarily by the sending end (Client), and the receiving end (Server) must return the [option data] field unchanged.
Embodiments of the method for protecting network security in the present invention include, but are not limited to, the following:
Embodiment one of the method for protecting network security:
As shown in Figure 1, the steps of the method for protecting network security comprise:
Step 101: the network security protection device receives an original ping packet.
The original ping packet is a ping packet to which the network security protection device has not yet added a validation value. It may be an original ping echo request packet from the internal network or an original ping echo reply packet from the external network; the same applies below.
Step 102: the network security protection device obtains a validation value and adds it to the option data field of the original ping packet.
Step 103: the network security protection device encodes the original ping packet to which the validation value has been added, obtaining a ping echo request packet.
Step 104: the network security protection device sends the ping echo request packet to the external network.
Step 105: the network security protection device verifies whether the option data field of the ping echo reply packet from the external network contains a value that matches the validation value.
Matching means that the option data field of the ping echo reply packet contains a value identical to the validation value added to the option data field of the original ping packet, or that the value obtained by applying a specific algorithm to the characteristic data extracted from the ping echo reply packet is identical to the validation value carried in the option data field of the ping echo reply packet, among other cases; this embodiment does not limit it.
Step 106: when the option data field contains a value matching the validation value, the network security protection device decodes the ping echo reply packet.
Step 107: the network security protection device sends the decoded ping echo reply packet to the internal network.
As can be seen from this embodiment, the method uses the principle that the option data field of a ping packet is set by the sending end (Client) and must be returned unchanged by the receiving end (Server): the network security protection device adds a validation value to the option data field of the ping echo request packet and, under either a unidirectional or a bidirectional traffic environment, verifies whether the option data field of the received ping echo reply packet contains a value matching the validation value. Because the complete content of each original ping packet that passes through need not be recorded in the memory of the network security protection device, ping packets can be monitored and ping flood attacks effectively prevented while occupying little or no memory of the device.
Because a validation value has been added to the option data field, adaptive encoding must be performed so that the packet carrying the validation value can be sent and received normally. The encoding is illustrated by example below.
Embodiment two of the method for protecting network security (a pre-set fixed value is used as the validation value):
As shown in Figure 2, the steps of the method for protecting network security comprise:
Step 101-1: the network security protection device receives an original ping packet.
Step 102-1: the network security protection device obtains a predefined fixed value and adds this fixed value, as the validation value, to the option data field of the original ping packet.
Step 103-1: the network security protection device encodes the original ping packet to which the fixed value has been added, obtaining a ping echo request packet.
Step 104-1: the network security protection device sends the ping echo request packet to the external network.
Step 105-1: the network security protection device verifies whether the option data field of the ping echo reply packet contains the fixed value.
Step 106-1: when the option data field contains the fixed value, the network security protection device decodes the ping echo reply packet.
Step 107-1: the network security protection device sends the decoded ping echo reply packet to the internal network.
The number of fixed values is not limited; there may be one or several. The fixed value may be a fixed value that the user saves on the network security protection device, or a value computed by the network security device.
Using a fixed value as the validation value has the advantage of being simple and easy to implement: the complete content of the original ping packet need not be stored on the network security device, only the fixed value is stored on the network security protection device, and each original ping packet that passes through is merely stamped with the fixed value. When a check is required for security reasons, the network security protection device only needs to check whether the received ping echo reply packet carries a matching fixed value. Compared with storing the complete content of the original ping packet, storing only the fixed value saves memory resources of the network security protection device.
Embodiment three of the method for protecting network security (the validation value is computed from the characteristic data by a specific algorithm):
As shown in Figure 3, the steps of the method for protecting network security comprise:
Step 101-2: the network security protection device receives an original ping packet.
Step 102-2: the network security protection device computes a validation value by applying a specific algorithm to the characteristic data carried by the received original ping packet, and adds the validation value to the option data field of the original ping packet.
Step 103-2: the network security protection device encodes the original ping packet to which the validation value has been added, obtaining a ping echo request packet.
Step 104-2: the network security protection device sends the ping echo request packet to the external network.
Step 105-2: when the option data field of the ping echo reply packet contains the validation value, the network security protection device applies the specific algorithm to the characteristic data carried by the ping echo reply packet to obtain a value, and verifies whether this value is identical to the validation value.
Step 106-2: when the value obtained by applying the specific algorithm to the characteristic data carried by the ping echo reply packet is identical to the validation value, the network security protection device decodes the ping echo reply packet.
Step 107-2: the network security protection device sends the decoded ping echo reply packet to the internal network.
Computing the validation value from the characteristic data carried by the original ping packet with a specific algorithm has the following advantage. Even if a malicious packet that seeks to pass through the network security protection device into the internal network to carry out an attack forges, in its option data field, a value identical to the validation value added to the original ping packet, the characteristic data of a packet is specific to that packet: if the packet has been tampered with, or was malicious from the outset, its characteristic data will have changed or will differ from that of a legitimate packet, so the value computed from this different characteristic data will generally differ from the value forged in the option data field of the malicious packet, and the packet cannot pass verification. A validation value computed from packet-specific characteristic data therefore offers higher security.
Compared with "the first mode: the fixed value pre-configured by the user is used as the validation value", this mode is better in that no validation value need be stored on the network security protection device; each original ping packet that passes through is only stamped with the validation value. When a check is required for security reasons, the network security protection device applies the specific algorithm to the characteristic data carried by the received ping echo reply packet to compute a value, and when this value is consistent with the validation value present in the option data field of the ping echo reply packet, the ping echo reply packet is judged to be safe. Compared with storing the complete content of the original ping packet, this method saves memory resources of the network security protection device.
Embodiment four of the method for protecting network security (the validation value is computed from the characteristic data and a fixed value by a specific algorithm):
As shown in Figure 4, the steps of the method for protecting network security comprise:
Step 101-3: the network security protection device receives an original ping packet.
Step 102-3: the network security protection device computes a validation value by applying a specific algorithm to a predefined fixed value and the characteristic data carried by the original ping packet, and adds the validation value to the option data field of the original ping packet.
Step 103-3: the network security protection device encodes the original ping packet to which the validation value has been added, obtaining a ping echo request packet.
Step 104-3: the network security protection device sends the ping echo request packet to the external network.
Step 105-3: when the option data field of the received ping echo reply packet contains the validation value, the network security protection device applies the specific algorithm to the fixed value and the characteristic data carried by the ping echo reply packet to obtain a value, and verifies whether this value is identical to the validation value.
Step 106-3: when the value obtained by applying the specific algorithm to the fixed value and the characteristic data carried by the ping echo reply packet is identical to the validation value, the network security protection device decodes the ping echo reply packet.
Step 107-3: the network security protection device sends the decoded ping echo reply packet to the internal network.
Including the fixed value as a factor in the computation of the validation value increases the complexity of the computation, because the fixed value is held by the network security protection device and cannot be learned by the external network; the probability that a disguised packet passes verification is reduced, and forging packets becomes more difficult for an attacker. This method requires the fixed value to be stored on the network security protection device, but compared with storing the complete content of the original ping packet it still saves memory resources of the device.
Embodiment five of the method for protecting network security (a first validation value is computed from the characteristic data and a fixed value by a specific algorithm, and the first validation value and the fixed value are added to the option data field as the validation value):
As shown in Figure 5, the steps of the method for protecting network security comprise:
Step 101-4: the network security protection device receives an original ping packet.
Step 102-4: the network security protection device computes a first validation value by applying a specific algorithm to a predefined fixed value and the characteristic data carried by the original ping packet, and adds the first validation value and the fixed value, as the validation value, to the option data field of the original ping packet.
Step 103-4: the network security protection device encodes the original ping packet to which the validation value has been added, obtaining a ping echo request packet.
Step 104-4: the network security protection device sends the ping echo request packet to the external network.
Step 105-4: when the option data field of the ping echo reply packet contains the fixed value and also contains the first validation value, the network security protection device applies the specific algorithm to the fixed value and the characteristic data carried by the ping echo reply packet to obtain a value, and verifies whether this value is identical to the first validation value.
Step 106-4: when the value obtained by applying the specific algorithm to the fixed value and the characteristic data carried by the ping echo reply packet is identical to the first validation value, the network security protection device decodes the ping echo reply packet.
Step 107-4: the network security protection device sends the decoded ping echo reply packet to the internal network.
Adding both the fixed value and the first validation value to the option data field as the validation value allows the received ping echo reply packet to be verified twice: first whether it carries the correct fixed value, then whether it carries a matching first validation value. Besides the advantage of "the third mode", namely saving memory resources of the network security protection device compared with storing the complete content of the original ping packet, this method also provides a better protective effect.
In the four modes above, the original ping packet, as stated earlier, may be an original ping echo reply packet from the external network or an original ping echo request packet from the internal network.
The specific algorithm described above may be a hash algorithm. A hash algorithm is a one-way function whose computation maps a binary value of arbitrary length to a smaller binary value of fixed length; this smaller binary value is called the hash value. The hash value is a numeric representation of a piece of data. For example, hashing a piece of plain text yields a hash value, and changing even a single letter of that text yields a hash value that is almost certainly different. Finding two pieces of data that produce the same hash value is computationally infeasible. It follows that when the hash value computed from the characteristic data extracted from a packet is identical to the hash value the packet carries in its option data field, the data of that packet has not been tampered with, i.e. it is the original data.
For example:
When the original ping packet is an original ping echo reply packet from the external network, the characteristic data used by the hash algorithm may be the source IP address, destination IP address and packet time-to-live of the original ping echo reply packet.
When the original ping packet is an original ping echo request packet from the internal network, the characteristic data used by the hash algorithm may be the source IP address and destination IP address.
For example, a 2-byte fixed value FLAG and a 2-byte hash value H, 4 bytes in total, are appended after the option data, and H is computed as follows:
H = Hash(FLAG, SIP, DIP, TTL),
where SIP is the client's IP address, DIP is the server's IP address, and TTL is the time-to-live of the IP packet. The FLAG value is relatively fixed and may be set in advance in the network security protection device; it can be used to distinguish whether a ping request or reply message has been encoded.
The lengths of FLAG and H may be extended as required, for example to 4 bytes each.
Using a hash algorithm gives considerable flexibility in controlling the complexity of the validation value, and so provides better prevention of malicious ping attacks.
Of course, a hash algorithm is only one kind of specific algorithm; this example does not limit the specific algorithm, and any specific algorithm that can achieve the purpose of the present invention falls within its scope.
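The following is an added example, not code from the patent, showing the option data layout described above (FLAG followed by H = Hash(FLAG, SIP, DIP, TTL)) and the two-stage check of embodiment five (FLAG first, then H). SHA-256 truncated to 2 bytes is an assumed choice of hash, and the sample addresses and TTLs are constructed.

```python
"""Validation value for the ping option data field (constructed example)."""
import hashlib
import ipaddress
import struct
from typing import Optional, Tuple

FLAG_LEN = 2  # bytes of FLAG appended after the option data
H_LEN = 2     # bytes of H appended after FLAG


def compute_h(flag: bytes, client_ip: str, server_ip: str, ttl: Optional[int]) -> bytes:
    """H = Hash(FLAG, SIP, DIP, TTL).

    SIP is the client's address and DIP the server's address, as in the text.
    TTL is omitted (None) when the original packet was an echo request from
    the internal network, since the text hashes only the two addresses then.
    SHA-256 truncated to H_LEN bytes is an assumed hash choice.
    """
    if len(flag) != FLAG_LEN:
        raise ValueError("FLAG must be %d bytes" % FLAG_LEN)
    material = (flag
                + ipaddress.ip_address(client_ip).packed
                + ipaddress.ip_address(server_ip).packed)
    if ttl is not None:
        material += struct.pack("!B", ttl)
    return hashlib.sha256(material).digest()[:H_LEN]


def add_validation(option_data: bytes, flag: bytes, client_ip: str,
                   server_ip: str, ttl: Optional[int]) -> bytes:
    """Step 102-4: append FLAG and the first validation value H to the option data."""
    return option_data + flag + compute_h(flag, client_ip, server_ip, ttl)


def verify_reply(option_data: bytes, flag: bytes, reply_src_ip: str,
                 reply_dst_ip: str, reply_ttl: int, use_ttl: bool) -> Tuple[bool, str]:
    """Step 105-4: check FLAG, then recompute H from the reply's own
    characteristic data and compare. In an echo reply the server is the source
    and the client is the destination. use_ttl selects whether TTL was part of
    the hash (True when the original packet was a reply from the external network).
    Returns (verdict, reason)."""
    if len(option_data) < FLAG_LEN + H_LEN:
        return False, "option data too short to carry FLAG and H"
    got_flag = option_data[-(FLAG_LEN + H_LEN):-H_LEN]
    got_h = option_data[-H_LEN:]
    if got_flag != flag:                       # first check: the fixed value
        return False, "FLAG mismatch"
    expected = compute_h(flag, reply_dst_ip, reply_src_ip,
                         reply_ttl if use_ttl else None)
    if got_h != expected:                      # second check: the hash value
        return False, "H mismatch"
    return True, "ok"


def strip_validation(option_data: bytes) -> bytes:
    """Part of decoding: remove FLAG and H to restore the original option data."""
    return option_data[:-(FLAG_LEN + H_LEN)]


if __name__ == "__main__":
    flag = b"\x5a\xa5"
    # Unidirectional case: original reply from server 203.0.113.9 to client 10.0.0.5
    opt = add_validation(b"abc", flag, "10.0.0.5", "203.0.113.9", 60)
    print(opt.hex(), verify_reply(opt, flag, "203.0.113.9", "10.0.0.5", 60, True))
```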
The use of the hash algorithm in a unidirectional environment is now illustrated:
As shown in Figure 6, step 1: the external network sends an original ping echo reply packet to the network security protection device.
Step 2: the network security protection device constructs a validation value, adds it to the option data field of the original ping echo reply packet, and sends the ping echo request packet constructed by encoding to the external network. As mentioned earlier, the type field is changed from 0 to 8, which changes the type of the original ping echo reply packet to that of a ping echo request packet; the source IP address and destination IP address in the IP (Internet Protocol) header of the original ping echo reply packet are swapped; the ICMP (Internet Control Message Protocol) checksum and the IP checksum field of the original ping echo reply packet are recomputed and rewritten; and the length field of the IP header is modified. In this way a ping echo request packet is constructed. In this step, everything from changing the type field from 0 to 8 through modifying the length field of the IP header is the encoding mentioned earlier. It is needed because adding a validation value to the option data field changes the packet itself, including data used for integrity checks such as the values of the checksum fields; for the packet to be transmitted successfully, the fields listed above must be swapped or modified at this point. For a packet that has passed verification, the corresponding decoding step must be performed to obtain a packet that can be forwarded successfully.
Step 3: the external network sends a ping echo reply packet to the network security protection device.
Step 4: for a ping echo reply packet that passes verification, the network security protection device decodes it and sends the decoded ping echo reply packet to the internal network.
Step 5: a ping echo reply packet that does not pass verification is discarded by the network security protection device.
For an original ping echo reply packet from the external network, the scheme of constructing a validation value in the network security protection device, building the original ping echo reply packet into a ping echo request packet that passes through the device, and sending this ping echo request packet to the external network relies on a property shared by most existing ping attack packets: once this scheme is adopted, such a packet is not returned again as a reply and so does not enter the internal network. Attacks by ping attack packets can therefore be reduced.
The use of the hash algorithm in a bidirectional environment is now illustrated:
As shown in Figure 7, step 01: a user device on the internal network sends an original ping echo request packet to the network security protection device.
Step 02: the network security protection device constructs a validation value and adds it to the option data field of the original ping echo request packet; the type field is left unchanged; the ICMP checksum and the IP checksum field of the original ping echo request packet are recomputed and rewritten; the length field of the IP header is modified. A ping echo request packet is thus constructed by encoding, and the network security protection device sends it to the external network.
Step 03: the external network sends a ping echo reply packet to the network security protection device.
Step 04: for a ping echo reply packet that passes verification, the network security protection device decodes it and sends the decoded ping echo reply packet to the internal network.
Step 05: a ping echo reply packet that does not pass verification is discarded by the network security protection device.
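As an added example (not the patent's own code), the encoding and decoding steps of both the unidirectional flow (step 2, step 4) and the bidirectional flow (step 02, step 04) carried out on raw IPv4/ICMP bytes: append the validation value, change type 0 to 8 and swap the IP addresses when the original packet was a reply, fix the IP total length and both checksums, and reverse the process for a verified reply. The validation value is passed in as opaque bytes, and the packets, addresses and TTLs are constructed sample input.

```python
"""Encode an original ping packet into an echo request and decode a verified reply."""
import ipaddress
import struct
from typing import Tuple

ECHO_REPLY, ECHO_REQUEST = 0, 8
IP_HDR_LEN = 20     # no IP options assumed
ICMP_HDR_LEN = 8    # type, code, checksum, identifier, sequence number


def inet_checksum(data: bytes) -> int:
    """Ones'-complement checksum used by both the IP header and ICMP; it is 0
    when run over data that already contains a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ping(icmp_type: int, src_ip: str, dst_ip: str, ttl: int,
               ident: int, seq: int, option_data: bytes) -> bytes:
    """Build a well-formed IPv4/ICMP echo packet (constructed test input)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + option_data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(icmp), 0x1234, 0,
                     ttl, 1, 0, ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def _rebuild(ip: bytes, icmp: bytes) -> bytes:
    """Recompute the ICMP checksum, the IP total length and the IP checksum."""
    icmp = icmp[:2] + b"\x00\x00" + icmp[4:]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = ip[:2] + struct.pack("!H", IP_HDR_LEN + len(icmp)) + ip[4:10] + b"\x00\x00" + ip[12:]
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def encode(packet: bytes, validation: bytes) -> bytes:
    """Step 2 / step 02: append the validation value and produce an echo request.
    A reply from the external network (type 0) becomes a request: type -> 8 and
    source/destination swapped. A request from the internal network (type 8)
    keeps its type and addresses. Checksums and length are then restored."""
    ip, icmp = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:]
    if icmp[0] == ECHO_REPLY:
        icmp = bytes([ECHO_REQUEST]) + icmp[1:]
        ip = ip[:12] + ip[16:20] + ip[12:16]
    elif icmp[0] != ECHO_REQUEST:
        raise ValueError("not an echo packet")
    return _rebuild(ip, icmp + validation)


def decode(packet: bytes, validation_len: int) -> bytes:
    """Step 4 / step 04: strip the echoed validation value from a verified reply
    and restore length and checksums so it can be forwarded inward."""
    ip, icmp = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:]
    if icmp[0] != ECHO_REPLY or len(icmp) < ICMP_HDR_LEN + validation_len:
        raise ValueError("not a verified echo reply")
    return _rebuild(ip, icmp[:len(icmp) - validation_len])


def checksums_ok(packet: bytes) -> bool:
    """True when both the IP header checksum and the ICMP checksum verify."""
    ip, icmp = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:]
    return inet_checksum(ip) == 0 and inet_checksum(icmp) == 0


def fields(packet: bytes) -> Tuple[int, str, str, int, bytes]:
    """Return (icmp_type, src_ip, dst_ip, ip_total_length, option_data)."""
    ip, icmp = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:]
    return (icmp[0], str(ipaddress.ip_address(ip[12:16])),
            str(ipaddress.ip_address(ip[16:20])),
            struct.unpack("!H", ip[2:4])[0], icmp[ICMP_HDR_LEN:])


if __name__ == "__main__":
    # Unidirectional case: reply from server 203.0.113.9 arrives for client 10.0.0.5
    original = build_ping(ECHO_REPLY, "203.0.113.9", "10.0.0.5", 55, 0x1111, 7, b"hello")
    request = encode(original, b"\x5a\xa5\x12\x34")
    print(fields(request), checksums_ok(request))
```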
The embodiments of the invention also provide a network security protection device. Embodiments of the network security protection device include, but are not limited to, the following:
Embodiment one of the network security protection device:
As shown in Figure 8, the network security protection device comprises:
a receiving unit 201, which receives an original ping packet and a ping echo reply packet from the external network;
a verification setting unit 202, which obtains a validation value and adds it to the option data field of the original ping packet received by the receiving unit 201;
an authentication unit 204, which verifies whether the option data field of the ping echo reply packet from the external network contains a value matching the validation value;
a codec unit 205, which encodes the original ping packet to which the validation value has been added, obtaining a ping echo request packet, and which decodes the ping echo reply packet when the authentication unit 204 verifies that its option data field contains a value matching the validation value;
a transmitting unit 203, which sends the ping echo request packet obtained by the encoding of the codec unit 205 to the external network and sends the ping echo reply packet decoded by the codec unit to the internal network.
As can be seen from this embodiment, the device uses the principle that the option data field of a ping packet is set by the sending end (Client) and must be returned unchanged by the receiving end (Server): the network security protection device adds a validation value to the option data field of the ping echo request packet and, under either a unidirectional or a bidirectional traffic environment, verifies whether the option data field of the received ping echo reply packet matches. Ping flood attacks can thus be prevented effectively, and because the complete content of each original ping packet that passes through need not be recorded in the memory of the network security protection device, ping packets can be monitored while occupying little or no additional memory of the device.
The concrete structure of embodiment one of the network security protection device, as shown in Figure 9, comprises:
The receiving unit 201 comprises a primary receiving unit 201-01 and an external-network receiving unit 201-02. The primary receiving unit 201-01 receives the original ping packet; the external-network receiving unit 201-02 receives the ping echo reply packet from the external network.
The verification setting unit 202 comprises an acquiring unit 202-01 and a setting unit 202-02. The acquiring unit 202-01 obtains the validation value; the setting unit 202-02 adds the validation value to the option data field of the original ping packet received by the primary receiving unit 201-01.
The authentication unit 204-0 verifies whether the option data field of the ping echo reply packet from the external network contains a value matching the validation value.
The codec unit 205 comprises an encoding unit 205-01 and a decoding unit 205-02. The encoding unit 205-01 encodes the original ping packet to which the setting unit 202-02 has added the validation value, obtaining a ping echo request packet; the decoding unit 205-02 decodes the ping echo reply packet when the authentication unit 204-0 verifies that its option data field contains a value matching the validation value.
The transmitting unit 203 comprises an outward transmitting unit 203-01 and an inward transmitting unit 203-02. The outward transmitting unit 203-01 sends the ping echo request packet obtained by the encoding of the encoding unit 205-01 to the external network; the inward transmitting unit 203-02 sends the ping echo reply packet decoded by the decoding unit 205-02 to the internal network.
Embodiment two of the network security protection device (a pre-set fixed value is used as the validation value):
The concrete structure of embodiment two of the network security protection device is the same as in Figure 9, and the device comprises:
the primary receiving unit 201-01, which receives an original ping packet;
the external-network receiving unit 201-02, which receives a ping echo reply packet from the external network;
the acquiring unit 202-01, which obtains a predefined fixed value as the validation value;
the setting unit 202-02, which adds the fixed value to the option data field of the original ping packet received by the primary receiving unit 201-01;
the encoding unit 205-01, which encodes the original ping packet to which the fixed value has been added, obtaining a ping echo request packet;
the authentication unit 204-0, which verifies whether the option data field of the ping echo reply packet from the external network received by the external-network receiving unit 201-02 contains a value identical to the fixed value;
the decoding unit 205-02, which decodes the ping echo reply packet when the authentication unit 204-0 verifies that its option data field contains a value identical to the fixed value;
the outward transmitting unit 203-01, which sends the ping echo request packet obtained by the encoding of the encoding unit 205-01 to the external network;
the inward transmitting unit 203-02, which sends the ping echo reply packet decoded by the decoding unit 205-02 to the internal network.
Using a fixed value as the validation value has the advantage of being simple and easy to implement: the complete content of the original ping packets that pass through need not be stored on the network security device, only the fixed value is stored on the network security protection device, and each original ping packet that passes through is merely stamped with the fixed value. When a check is required for security reasons, the network security protection device only checks whether the passing ping echo reply packet carries a matching fixed value. Compared with storing the complete content of the original ping packet, this network security protection device stores only the fixed value and so saves memory resources.
Embodiment three of the network security protection device (the validation value is computed from the characteristic data by a specific algorithm):
The concrete structure of embodiment three of the network security protection device is the same as in Figure 9, and the device comprises:
the primary receiving unit 201-01, which receives an original ping packet;
the external-network receiving unit 201-02, which receives a ping echo reply packet from the external network;
the acquiring unit 202-01, which computes a validation value by applying a specific algorithm to the characteristic data carried by the original ping packet received by the primary receiving unit 201-01;
the setting unit 202-02, which adds the computed validation value to the option data field of the original ping packet received by the primary receiving unit 201-01;
the encoding unit 205-01, which encodes the original ping packet to which the computed validation value has been added, obtaining a ping echo request packet;
the authentication unit 204-0, which, when the option data field of the ping echo reply packet from the external network received by the external-network receiving unit 201-02 contains the validation value, applies the specific algorithm to the characteristic data carried by the ping echo reply packet and verifies whether the computed value is identical to the validation value;
the decoding unit 205-02, which decodes the ping echo reply packet when the authentication unit 204-0 verifies that the value computed by applying the specific algorithm to the characteristic data carried by the ping echo reply packet is identical to the validation value;
the outward transmitting unit 203-01, which sends the ping echo request packet obtained by the encoding of the encoding unit 205-01 to the external network;
the inward transmitting unit 203-02, which sends the ping echo reply packet decoded by the decoding unit 205-02 to the internal network.
Computing the validation value from the characteristic data carried by the original ping packet with a specific algorithm has the following advantage. Even if a malicious packet that seeks to pass through the network security protection device into the internal network to carry out an attack forges, in its option data field, a value identical to the validation value added to the original ping packet, the characteristic data of a packet is specific to that packet: if the packet has been tampered with, or was malicious from the outset, its characteristic data will have changed or will differ from that of a legitimate packet, and a value computed from this different characteristic data generally cannot pass verification. A validation value computed from packet-specific characteristic data therefore offers higher security.
Compared with "the first mode", the second mode is better in that no validation value need be stored on the network security protection device; each original ping packet that passes through is only stamped with the validation value. When a check is required for security reasons, the network security protection device applies the specific algorithm to the characteristic data carried by the received ping echo reply packet to compute a value, and when this value is consistent with the validation value present in the option data field of the ping echo reply packet, the ping echo reply packet is judged to be safe. Compared with storing the complete content of the original ping packet, or with the second mode, this network security protection device saves memory resources.
Embodiment four of the network security protection device (the validation value is computed by the special algorithm from the feature data and a fixed value):
The structural diagram of embodiment four of the network security protection device is identical to Fig. 9; this network security protection device comprises:
Primary receiving unit 201-01 is configured to receive the original ping packet.
Outer-network receiving unit 201-02 is configured to receive the ping echo reply packet from the outer network.
Acquiring unit 202-01 is configured to compute the validation value with a special algorithm from a predefined fixed value and the feature data carried by the original ping packet received by primary receiving unit 201-01.
Setting unit 202-02 is configured to add the computed validation value to the option data field of the original ping packet received by primary receiving unit 201-01.
Coding unit 205-01 is configured to encode the original ping packet to which the computed validation value has been added, obtaining a ping echo request packet.
Authentication unit 204-0 is configured, when the option data field of the ping echo reply packet received from the outer network by outer-network receiving unit 201-02 contains the validation value, to verify whether the value obtained by applying the special algorithm to the fixed value and the feature data carried by the ping echo reply packet is identical to the validation value.
Decoding unit 205-02 is configured to decode the ping echo reply packet when authentication unit 204-0 has verified that the value computed by the special algorithm from the fixed value and the feature data carried by the ping echo reply packet is identical to the validation value.
Outer-network transmitting unit 203-01 is configured to send the ping echo request packet obtained by coding unit 205-01 to the outer network.
Inner-network transmitting unit 203-02 is configured to send the ping echo reply packet decoded by decoding unit 205-02 to the intranet.
Including the fixed value as a factor in the calculation of the validation value increases the complexity of the calculation, because the fixed value is held by the network security protection device and cannot be learnt by the outer network; the probability that a disguised packet passes verification decreases, and forging packets becomes more difficult for an attacker. This network security protection device needs to store the fixed value; compared with storing the complete contents of the original ping packet, it still saves memory resources of the device.
Embodiment five of the network security protection device (a first validation value is computed by the special algorithm from the feature data and a fixed value, and the fixed value together with the first validation value is added to the option data field as the validation value):
The structural diagram of embodiment five of the network security protection device is identical to Fig. 9; this network security protection device comprises:
Primary receiving unit 201-01 is configured to receive the original ping packet.
Outer-network receiving unit 201-02 is configured to receive the ping echo reply packet from the outer network.
Acquiring unit 202-01 is configured to compute a first validation value with a special algorithm from a predefined fixed value and the feature data carried by the original ping packet.
Setting unit 202-02 is configured to add the first validation value and the fixed value, as the validation value, to the option data field of the original ping packet received by primary receiving unit 201-01.
Coding unit 205-01 is configured to encode the original ping packet to which the validation value has been added, obtaining a ping echo request packet.
Authentication unit 204-0 is configured, when the option data field of the ping echo reply packet received from the outer network by outer-network receiving unit 201-02 contains the fixed value and also contains the first validation value, to verify whether the value obtained by applying the special algorithm to the fixed value and the feature data carried by the ping echo reply packet is identical to the first validation value.
Decoding unit 205-02 is configured to decode the ping echo reply packet when authentication unit 204-0 has verified that the value computed by the special algorithm from the fixed value and the feature data carried by the ping echo reply packet is identical to the first validation value.
Outer-network transmitting unit 203-01 is configured to send the ping echo request packet obtained by coding unit 205-01 to the outer network.
Inner-network transmitting unit 203-02 is configured to send the ping echo reply packet decoded by decoding unit 205-02 to the intranet.
Adding the fixed value and the first validation value to the option data field allows the received ping echo reply packet to be verified twice: first whether the correct fixed value is present, then whether a matching first validation value is present. Besides the advantage of the "third way", namely saving memory resources of the network security protection device compared with storing the complete contents of the original ping packet, this network security protection device also provides a better protective effect.
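The following Python example is added here to illustrate the device of embodiments four and five (passing an empty fixed value gives the unkeyed computation of embodiment three); it is not code from the patent or from any product implementing it. Everything the text leaves open is an assumption of the example: the "feature data" are taken to be the intranet address, the outer-network address, the identifier and the sequence number, ordered so that a request and its genuine reply yield the same bytes; the "special algorithm" is HMAC-SHA256 truncated to 8 bytes; the "encoding" of the option data field is an XOR with a keystream derived from the fixed value, so that the same function decodes; and the device decodes the option data field before checking it, whereas the embodiment text lists the authentication unit before the decoding unit. All packets are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

TAG_LEN = 8  # length of the (assumed) truncated HMAC validation value


@dataclass
class Ping:
    """Constructed model of the ICMP echo fields the device looks at."""
    src: str
    dst: str
    icmp_type: int      # 8 = echo request, 0 = echo reply
    ident: int
    seq: int
    option_data: bytes = b""


def feature_data(p: Ping) -> bytes:
    """Assumed 'feature data': fields a genuine reply carries back unchanged.
    Addresses are ordered (intranet host, outer-network host) so that a
    request and its reply yield identical bytes."""
    inner, outer = (p.src, p.dst) if p.icmp_type == 8 else (p.dst, p.src)
    return f"{inner}|{outer}|{p.ident}|{p.seq}".encode()


def special_algorithm(fixed_value: bytes, p: Ping) -> bytes:
    """Assumed 'special algorithm': HMAC-SHA256 over the feature data, keyed
    with the fixed value and truncated.  An empty fixed value gives an
    unkeyed digest of the feature data alone (embodiment three)."""
    return hmac.new(fixed_value, feature_data(p), hashlib.sha256).digest()[:TAG_LEN]


def xor_code(fixed_value: bytes, p: Ping, data: bytes) -> bytes:
    """Assumed reversible encoding of the option data field: XOR with a
    keystream derived from the fixed value and the feature data.  Applying
    it a second time restores the original bytes, so it also decodes."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = fixed_value + feature_data(p) + counter.to_bytes(4, "big")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Gateway:
    """Network security protection device between intranet and outer network."""

    def __init__(self, fixed_value: bytes, embodiment: int):
        assert embodiment in (4, 5)
        self.fixed_value = fixed_value
        self.embodiment = embodiment

    def marker(self, p: Ping) -> bytes:
        """Bytes appended to the option data field: the validation value
        (embodiment four) or fixed value plus first validation value
        (embodiment five)."""
        tag = special_algorithm(self.fixed_value, p)
        return self.fixed_value + tag if self.embodiment == 5 else tag

    def outbound(self, req: Ping) -> Ping:
        """Units 202-01, 202-02 and 205-01: add the validation value to the
        option data field, encode the field, and forward the echo request."""
        assert req.icmp_type == 8
        option = req.option_data + self.marker(req)
        return replace(req, option_data=xor_code(self.fixed_value, req, option))

    def inbound(self, reply: Ping) -> Optional[Ping]:
        """Units 204-0 and 205-02: decode the option data field, verify it,
        and return the reply with its original option data restored, or
        None when the reply must be dropped."""
        assert reply.icmp_type == 0
        option = xor_code(self.fixed_value, reply, reply.option_data)
        expected = self.marker(reply)
        if len(option) < len(expected):
            return None
        original, trailer = option[:-len(expected)], option[-len(expected):]
        if self.embodiment == 5:
            # First check of embodiment five: is the correct fixed value present?
            fv = trailer[:len(self.fixed_value)]
            if not hmac.compare_digest(fv, self.fixed_value):
                return None
        # Recompute the validation value from the reply's own feature data and
        # compare in constant time; a tampered or unsolicited reply fails here.
        if not hmac.compare_digest(trailer, expected):
            return None
        return replace(reply, option_data=original)


def demo() -> dict:
    """Constructed traffic: one genuine round trip and two forged replies."""
    gw = Gateway(b"gateway-fixed-value", embodiment=5)
    req = Ping("10.0.0.5", "203.0.113.9", 8, 0x1234, 1, b"hello")
    wire = gw.outbound(req)
    # A well-behaved outer-network host swaps the addresses and echoes the
    # option data field unchanged.
    genuine = Ping(req.dst, req.src, 0, req.ident, req.seq, wire.option_data)
    # Replay of the observed option data from another outer-network address.
    spoofed = replace(genuine, src="198.51.100.77")
    # A reply nobody requested, as in a flood of echo replies.
    unsolicited = Ping("203.0.113.9", "10.0.0.5", 0, 0x9999, 500, b"x" * 40)
    return {"genuine": gw.inbound(genuine),
            "spoofed": gw.inbound(spoofed),
            "unsolicited": gw.inbound(unsolicited)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "forwarded" if result else "dropped")
```

In the demo only the genuine reply is forwarded to the intranet with its original option data restored; the replayed and the unsolicited replies fail the check because their feature data differ from those of any request the device marked, which is the property the text relies on. The device keeps nothing per packet apart from the fixed value, matching the memory argument of embodiments four and five.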
In the four kinds of network security protection device described above, the special algorithm mentioned is the same as that discussed in the encoding and decoding of packets and in the method for protecting network security.
In addition, in network environments with relatively high confidentiality requirements, the option data field could be used to transmit secret data; once the option data field is encoded, obtaining secret data from it becomes more difficult, which effectively blocks the transmission of secret data by setting up a "ping tunnel".
Because the network security protection device exploits the property that the option data field of a ping packet is unchanged on its round trip, and verifies whether the option data field of the ping echo reply packet received in a unidirectional or bidirectional traffic environment matches the validation value obtained earlier, it can effectively guard against ping flood attacks, and it can monitor ping packets while occupying little or no additional memory on the device.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods in the above embodiments may be performed by instructing the relevant hardware through a program; the program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The method and the network security protection device for protecting network security provided by the embodiments of the invention have been described in detail above. Specific examples have been used herein to explain the principle and implementations of the invention, and the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. At the same time, those of ordinary skill in the art may, in accordance with the idea of the invention, make changes in the specific implementations and the scope of application. In summary, this description should not be construed as limiting the invention.