CN101567883A - Realization method for preventing MAC address forgery - Google Patents

Publication number
CN101567883A
Authority
CN
China
Prior art keywords
mac address
access
counterfeit
user
information
Legal status
Granted
Application number
CN 200810185398
Other languages
Chinese (zh)
Other versions
CN101567883B (en)
Inventor
吴海军
张军
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN 200810185398
Publication of CN101567883A
Application granted
Publication of CN101567883B
Expired - Fee Related

Abstract

The invention relates to a realization method for preventing MAC address forgery. The method mainly comprises the following steps: first, acquiring the media access control (MAC) address information and corresponding port information of a user terminal requesting access to a network; then, according to that MAC address and port information and the MAC address and port information of existing user terminals that have legally accessed the network, determining the user access port through which a forged MAC address is being used for access, and processing that user access port accordingly. The method can take corresponding measures when MAC forgery or address conflict problems exist in the network, namely prohibiting and deleting the forged MAC address information. The method can therefore effectively solve the problem of MAC address forgery in the network and ensure normal use of services by access users that previously authenticated successfully.

Description

Realization method for preventing MAC address forgery
Technical field
The present invention relates to the field of network communication technology, and in particular to a realization method for preventing MAC address forgery.
Background art
At present, access devices such as DSLAM (Digital Subscriber Line Access Multiplexer) equipment and integrated access equipment are very widely used to provide broadband access. They can provide multiple broadband access means, including ADSL (Asymmetric Digital Subscriber Line), SHDSL (Single-pair High-speed Digital Subscriber Line) and VDSL (Very-high-speed Digital Subscriber Line), and give users broadband network access and other service functions, for example video services and IP telephony services.
To implement authentication and billing for access users, and to prevent malicious access by illegal users, many networks currently filter access users based on their MAC (media access control) addresses.
As the number of broadband users grows, some illegal users, in order to gain illegal access, connect to the broadband network by forging a legitimate MAC address and carry out illegal services; or they use forged MAC addresses to maliciously interfere with broadband services. For example, some broadband users use software tools to change their address to the MAC address of other users in order to attack users who are using the broadband network normally and to disrupt normal broadband services. The MAC address forgery problem therefore arises in broadband access networks, and the broadband access network needs to provide a corresponding function for preventing MAC address forgery.
At present, binding source MAC addresses to ports can be used to prevent MAC address forgery. Source MAC and port binding means that, in access devices such as DSLAMs and integrated access equipment, each access user is assigned one or more source MAC addresses that are unique across the whole access network and permitted to access. Specifically, the access device checks the source MAC address of each Ethernet packet sent up by the user: only packets whose source MAC address is one of the configured MAC addresses are allowed through and forwarded to the upper-layer network; Ethernet packets with any other source MAC address are dropped. In this way, the MAC address forgery problem can be effectively prevented.
However, although the method currently used can prevent MAC address forgery, it requires configuring every user with the source MAC addresses that are allowed through. Because the source MAC addresses of access users are all randomly assigned, when there are many access users the workload of finding out the users' MAC addresses and configuring them on the access device is enormous.
Moreover, the above method of preventing MAC address forgery has another major defect: once a source MAC address is bound to a port, if the user replaces the PC or changes to another legitimate MAC address, the user's services can no longer run normally, and the new MAC address must be configured again on the access device. Precisely because of this defect, current measures for preventing MAC address forgery cannot be widely used.
Summary of the invention
In view of the above problems in the prior art, the purpose of the present invention is to provide a realization method for preventing MAC address forgery, so as to effectively solve the MAC address forgery problem in broadband access networks.
The purpose of the present invention is achieved through the following technical solutions:
The invention provides a realization method for preventing MAC address forgery, comprising:
A. Obtaining the media access control (MAC) address information and corresponding port information of a user terminal requesting access to the network;
B. According to said MAC address and corresponding port information, and the MAC addresses and port information of existing user terminals that have legally accessed the network, determining the user access port through which a forged MAC address is being used for access, and processing it accordingly.
Said step A comprises:
A1. The user terminal sends an authentication request packet to the access device; the packet carries the MAC address information of the user terminal;
A2. The access device obtains said authentication request packet and sends the authentication packet and the port information of the user terminal to the authentication device;
A3. The authentication device receives said packet and obtains the MAC address information and corresponding port information of the user terminal.
In the present invention, the processing of the authentication request packet in step A2 comprises:
Adding the user's port information to a Point-to-Point Protocol over Ethernet (PPPoE) authentication packet or a Dynamic Host Configuration Protocol (DHCP) authentication packet and then sending it to the authentication device; or using another communication protocol between the access device and the authentication device to send the port information of the user terminal to the authentication device.
Said port information comprises:
The physical port information of the user terminal, the virtual path identifier (VPI)/virtual channel identifier (VCI) information of the user port, and/or the virtual local area network identifier (VLAN ID) information of the user port.
Said step B comprises:
B1. The authentication device judges whether said MAC address matches the MAC address of a legally accessed user terminal that it has saved; if so, step B2 is executed; otherwise, step B3 is executed;
B2. It is determined that this user terminal is accessing with a forged MAC address, and its access is forbidden;
B3. This user terminal is allowed to access the network.
Said step B1 specifically comprises:
B11. After obtaining the MAC address and port information of the user terminal requesting access, the authentication device judges whether it has saved the MAC address and corresponding port information of any legally accessed user terminal; if it has, step B12 is executed; otherwise, step B3 is executed;
B12. It judges whether said MAC address matches the MAC address of a legally accessed user terminal that it has saved; if so, step B2 is executed; otherwise, step B3 is executed.
In the present invention, before said step B2 is executed, the method further comprises:
Further judging whether the port information corresponding to the MAC address information of the legally accessed user terminal that matches said MAC address also matches the port information of the user terminal in the authentication request packet; if so, no processing is performed; otherwise, step B2 is executed.
Said step B2 further comprises:
B21. The authentication device sends the access device a message resulting from the authentication failure of said user terminal;
B22. After receiving the message resulting from said authentication failure, the access device deletes the MAC address information of said user terminal that it has saved.
Said step B2 further comprises:
When the number of authentication failure messages for the same port generated by the authentication device within a set time period exceeds a predetermined number, the authentication device notifies the access device to disable this port;
Or,
When the number of authentication failure messages for the same port received by the access device within a set time period exceeds a predetermined number, the access device disables the corresponding port.
Said step B3 further comprises:
Saving the MAC address of said user terminal and its corresponding port information on the authentication device.
The present invention also provides an access device for preventing MAC address forgery, comprising:
An xDSL access module, used to provide xDSL interfaces and the corresponding xDSL access function;
A MAC address forgery processing module, used to identify authentication packets from user terminals and to deliver the authentication packet and the access user's port information to the upstream interface module; according to the messages received from the authentication device, this module deletes and/or binds the MAC address learned on the corresponding user access port;
An upstream interface module, used to deliver the authentication packet and the access user's port information to the authentication device, and to receive the messages issued by the authentication device and deliver them to the MAC address forgery processing module.
Said access device may be broadband access equipment that supports only broadband access, or integrated access equipment that supports both broadband access and narrowband access.
Said xDSL interface may be an ADSL interface, an SHDSL interface, or a Very-high-speed Digital Subscriber Line (VDSL) interface;
Said upstream interface comprises:
A Gigabit Ethernet (GE) optical or electrical interface, a Fast Ethernet (FE) optical or electrical interface, an STM-1 optical or electrical interface, an E1 interface, an E3 interface or an STM-4 interface.
Said access device can also receive a message issued by the authentication device as a result of successful authentication, and bind the MAC address to the corresponding access port.
Said MAC address forgery processing module is also provided with a counter, used to count authentication failures caused by MAC address forgery; when the number of MAC address forgeries on a port within a period of time exceeds a predetermined value, the module, in addition to deleting the learned MAC address of the access user, also closes the corresponding access port.
The present invention also provides an authentication device for preventing MAC address forgery, comprising:
A user information storage module, used to store user information;
A MAC address forgery identification module, used to receive the authentication packet and user port information sent up from the user terminal and to confirm, according to the user information stored in the user information storage module, whether the MAC address is forged; if the user is a MAC address forgery user, the module returns to the access device a message, carrying the port information, indicating that authentication failed because of MAC address forgery; if the MAC address is not forged, the module submits the authentication packet to the authentication module and delivers the user's information to the user information storage module for storage;
An authentication module, used to authenticate the authentication packets of users whose MAC addresses are not forged.
Said MAC address forgery identification module also comprises a counter; when the number of MAC address forgery packets sent from one access port within a period of time exceeds a predetermined quantity, it notifies the access device to close or disable this access port.
As can be seen from the technical solution provided above, the method of the present invention enables the authentication device to judge legitimacy according to the received authentication packet, the corresponding user information and the user's MAC address information, and to take corresponding measures when MAC forgery or address conflict problems exist in the network, namely prohibiting and deleting the forged MAC address information.
Therefore, the present invention can effectively solve the MAC address forgery problem in the network. For example, an authentication device has multiple access devices attached beneath it, and each access device in turn serves multiple access users. If one access user has authenticated successfully with the address MAC-A, no other access user under this authentication device can then pass authentication with the MAC-A address, which guarantees normal use of services by the access user that originally authenticated successfully.
Description of drawings
Fig. 1 is a schematic diagram of the application environment of the method of the present invention;
Fig. 2 is a flow chart of the method of the present invention;
Fig. 3 is a structural diagram of the access device provided by the present invention;
Fig. 4 is a structural diagram of the authentication device provided by the present invention.
Embodiment
The main purpose of the present invention is to solve the MAC address forgery problem. In the method adopted by the present invention, the authentication device uses the user information and MAC address information of the received authentication packet, together with the corresponding information it has saved, to judge whether MAC address forgery or a MAC address conflict exists, and refuses network access to any access user for which MAC address forgery or a MAC address conflict exists. With the present invention, if an address forgery problem arises, the access device, the authentication device and so on can be protected by this method, and normal use by the user whose address was forged is guaranteed.
Specifically, in the method of the present invention the access device receives the authentication packet of an access user and delivers the authentication packet and the user port information to the authentication device. The authentication device compares the user port information and source MAC address with the cases it already knows. If no MAC address forgery exists, authentication succeeds; if an address forgery problem exists, it returns an authentication failure message, and the access device deletes the learned MAC address according to the returned failure message.
To give a further understanding of the present invention, the specific implementation of the method is described in further detail below with reference to the drawings.
The network environment in which the present invention is applied is introduced first. As shown in Fig. 1, user A and user B access the aggregation network through access device A; that is, access device A supports the access of users, specifically user A (whose MAC address is MAC-A) and user B (whose MAC address is MAC-B). Access device B supports the access of user C (whose MAC address is MAC-C). Access device A and access device B connect through the aggregation network to the authentication device, which performs the corresponding authentication processing.
To realize the present invention, the access devices in Fig. 1 need to provide the following functions:
Aggregation of user access. The access device can connect one or more users; after aggregation it connects upstream through an ATM or IP interface to the metropolitan area network, or directly to the authentication device;
Adding user information. The access device can add the user's information to the authentication packet sent up by the user; or the access device can deliver the user port information of the authenticating user to the authentication device through another protocol;
Providing an upstream interface. The access device can provide an ATM or IP upstream interface, connect through it to the metropolitan area network or directly to the authentication device, and report user information to the authentication device.
Communication with the authentication device. After receiving a message issued by the authentication device indicating that authentication failed because of MAC address forgery, the access device can delete the MAC address learned on that port.
Likewise, to realize the present invention, the authentication device in Fig. 1 may be a BRAS (broadband access server) authentication system or a DHCP (Dynamic Host Configuration Protocol) server, but whatever kind of authentication device it is, it needs to provide the following specific functions:
The authentication device needs to perform user authentication for one or more users.
The authentication device needs to support extracting the user information carried in the authentication packet and comparing it, to determine whether a MAC address forgery problem exists. Alternatively, the authentication device supports obtaining the port information of the authenticating user from the access device through another communication protocol;
Communication with the access device. The authentication device can deliver the authentication failure message to the access device through the relevant protocol.
In the present invention, said authentication device and access device may be connected through a metropolitan area network, or may be connected directly.
In the present invention, said access device may be DSLAM (Digital Subscriber Line Access Multiplexer) equipment that supports broadband access, or integrated access equipment that supports both broadband access and narrowband access.
In the present invention, the user may connect to the corresponding access device through ADSL (Asymmetric Digital Subscriber Line), through SHDSL (Single-pair High-speed Digital Subscriber Line), through VDSL (Very-high-speed Digital Subscriber Line), and so on.
As shown in Fig. 2, the specific implementation of the method of the present invention comprises the following steps:
Step 21: The user sends the access device an authentication request packet carrying its own MAC address (that is, the source MAC address);
That is, the access device captures the authentication packets of access users; once it has captured an authentication request packet, step 22 is executed;
As shown in Fig. 1, suppose user A under access device A initiates the authentication process; user A then sends an authentication request packet to the access device;
In this step, said authentication request packet may be a PPPoE (Point-to-Point Protocol over Ethernet) packet or a DHCP (Dynamic Host Configuration Protocol) packet;
Step 22: After access device A receives the authentication request packet of user A, it adds this user's port information to the authentication request packet and delivers it to the authentication device for the corresponding authentication processing; or access device A delivers this user's port information to the authentication device through another communication protocol;
The added user port information may specifically be: the user's physical location information (that is, the user's physical port information), the VLAN (virtual local area network) information of the user port, or the VPI (virtual path identifier)/VCI (virtual channel identifier) information of the user port, and so on;
Specifically: the user's port information can be added to the PPPoE authentication packet sent up by the user terminal; it can be added to the DHCP authentication packet sent up by the user terminal; it can also be added to the PPPoA authentication packet sent up by the user terminal; or the PPPoA packet sent up by the user terminal can be converted into a PPPoE packet and the user's port information then added; or another protocol can be used to deliver the user port information to the upstream module;
Step 23: The authentication device obtains the MAC address and user port information in said authentication request packet and compares the obtained information with the information it has saved, to judge whether this access user is a case of MAC address forgery (or whether a MAC address conflict has occurred); if so, step 25 is executed; otherwise, step 24 is executed, that is, authentication proceeds according to the normal processing flow;
Specifically, the authentication device examines the state of the storage area that holds MAC address and user port information:
If the information storage area is empty (that is, the authentication device has not yet saved any binding between a MAC address and a user port), it is determined that this user can access legally, that is, no MAC address forgery or MAC address conflict has occurred;
Otherwise, it goes on to judge whether the storage area that already holds information contains an entry that duplicates this access user's MAC address, that is, whether the saved bindings already include a binding for this MAC address; if not, step 24 is executed; otherwise, step 25 is executed;
In this step, the authentication device first judges by the MAC address information. If it finds this MAC address in the saved bindings, it further compares the port information in the binding with the port information accompanying this MAC address. If they are identical (which means the authentication request packet was sent by the same user), no processing is performed; if they differ, MAC address forgery or a conflict exists and step 25 must be executed. If this MAC address is not in the saved bindings, the request is determined to be an authentication request from a new legitimate user, and step 24 is executed;
Step 24: The authentication device binds the received user port information, this user's source MAC address carried in the packet sent up (for example, the MAC-A address of user A) and the port number of the authentication device, and saves the binding in the corresponding information storage area;
After user A under access device A passes authentication, the corresponding services can run normally.
Step 25: When the authentication device determines, from the information carried in the received authentication request packet, that the MAC address is forged or that a MAC address conflict has occurred, it returns an authentication failure message to the corresponding access device;
Again as shown in Fig. 1, suppose the authentication device receives an authentication request packet from a user (for example, user A of access device A) and, from the user's source MAC address and the port of the authentication device, determines that the user's MAC address MAC-A conflicts with that of a user already using the network normally; it then determines that authentication fails and issues the failure message to the access device;
Step 26: According to the returned authentication failure message, the access device deletes the MAC address information learned on this port and the corresponding port information;
If, for this port, authentication fails repeatedly within a period of time because of MAC address conflicts, the authentication device notifies the access device through a corresponding message to disable the port, that is, to forbid any information from entering the network through this port;
Or, after the access device has received a certain number of authentication failure messages caused by MAC address forgery within a period of time, it disables this port.
As shown in Fig. 1, the authentication processing for the other access device (for example, access device B) or other users (for example, user B and user C) is similar to the process above and is therefore not described again.
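The decision logic of steps 23 to 26 (steps B1 to B3 of the summary), sketched in Python as an added example that is not part of the patent text. The class and field names, the MAC normalization, and the threshold and time-window values are assumptions; the sample addresses are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    ALLOW = "allow"            # step 24: MAC not bound yet, bind it and authenticate
    SAME_USER = "same_user"    # MAC and port match the saved binding, nothing to do
    FORGED = "forged"          # step 25: MAC already bound to a different port
    PORT_BLOCKED = "blocked"   # port disabled after repeated forgery failures


@dataclass(frozen=True)
class Port:
    """Port information added by the access device (field names are assumed)."""
    access_device: str
    physical_port: str
    vlan_id: Optional[int] = None


def normalize_mac(mac: str) -> str:
    """Canonical form so 00-11-22-33-44-AA and 00:11:22:33:44:aa compare equal."""
    return mac.strip().lower().replace("-", ":")


class AuthDevice:
    """Authentication-device side: binding table and per-port failure counter."""

    def __init__(self, max_failures: int = 3, window_s: float = 60.0):
        self.max_failures = max_failures    # "predetermined number" (value assumed)
        self.window_s = window_s            # "set time period" (value assumed)
        self.bindings = {}                  # MAC -> Port of the legally connected user
        self.failures = defaultdict(deque)  # Port -> timestamps of forgery failures
        self.blocked = set()                # ports the access device was told to disable

    def handle_request(self, mac: str, port: Port, now: float) -> Verdict:
        mac = normalize_mac(mac)
        if port in self.blocked:
            return Verdict.PORT_BLOCKED
        bound = self.bindings.get(mac)
        if bound is None:                   # empty table or unknown MAC: new user
            self.bindings[mac] = port
            return Verdict.ALLOW
        if bound == port:                   # same user sending another request
            return Verdict.SAME_USER
        recent = self.failures[port]        # same MAC, different port: forgery/conflict
        recent.append(now)
        while now - recent[0] > self.window_s:
            recent.popleft()                # keep only failures inside the window
        if len(recent) > self.max_failures:
            self.blocked.add(port)
        return Verdict.FORGED

    def release(self, mac: str) -> None:
        """Remove the binding once the user is offline."""
        self.bindings.pop(normalize_mac(mac), None)


class AccessDevice:
    """Access-device side: learns MACs per port and undoes learning on failure."""

    def __init__(self, name: str, auth: AuthDevice):
        self.name = name
        self.auth = auth
        self.learned = defaultdict(set)     # physical port -> learned source MACs

    def on_auth_request(self, mac: str, physical_port: str, now: float) -> Verdict:
        mac = normalize_mac(mac)
        self.learned[physical_port].add(mac)
        verdict = self.auth.handle_request(mac, Port(self.name, physical_port), now)
        if verdict in (Verdict.FORGED, Verdict.PORT_BLOCKED):
            self.learned[physical_port].discard(mac)   # step 26
        return verdict


def demo():
    """Constructed scenario: user A on device A, then MAC-A reused behind device B."""
    auth = AuthDevice(max_failures=3, window_s=60.0)
    dev_a, dev_b = AccessDevice("A", auth), AccessDevice("B", auth)
    mac_a = "00-11-22-33-44-AA"             # constructed sample address
    out = [dev_a.on_auth_request(mac_a, "1", 0.0),
           dev_a.on_auth_request(mac_a, "1", 1.0)]
    out += [dev_b.on_auth_request(mac_a, "7", t) for t in (10.0, 20.0, 30.0, 40.0)]
    out.append(dev_b.on_auth_request("00:11:22:33:44:cc", "7", 50.0))
    out.append(dev_a.on_auth_request(mac_a, "1", 51.0))   # victim is unaffected
    return [v.value for v in out]


if __name__ == "__main__":
    print(demo())
```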
Based on the method of the present invention described above, the present invention also provides an access device for preventing MAC address forgery; said access device may be broadband access equipment that supports only broadband access, or integrated access equipment that supports both broadband access and narrowband access;
As shown in Fig. 3, said access device specifically comprises:
xDSL access module: used to provide the xDSL access function, that is, to provide xDSL interfaces; said xDSL interface may be an ADSL interface (including ADSL2, ADSL2+ and so on), an SHDSL interface, or a VDSL interface;
MAC address forgery processing module: used to perform MAC address learning on user access ports; this module can identify authentication packets from user terminals and deliver the authentication packet and the access user's port information to the upstream interface; according to the authentication failure message received from the authentication device, this module can delete the MAC address learned on the corresponding user access port;
Said MAC address forgery processing module is also provided with a counter, used to count authentication failures caused by MAC address forgery; if the MAC address forgery problem occurs repeatedly on a port within a period of time, then in addition to deleting the learned MAC address of the access user, the module can also close this access port;
Upstream interface module: used to deliver the authentication packet and the access user's port information to the authentication device, and to receive the messages issued by the authentication device indicating whether authentication succeeded and deliver them to the MAC address forgery processing module; said upstream interface may be a GE interface (optical or electrical), an FE interface (optical or electrical), an STM-1 interface (optical or electrical), an E1 interface, an E3 interface or an STM-4 interface.
Based on the method of the present invention, an authentication device for preventing address forgery is also provided; as shown in Fig. 4, said authentication device specifically comprises:
User information storage module: used to store user information; it can store the user's MAC address information, the user's port information and so on; and, depending on whether the access user is online, it determines whether to delete the stored user MAC address information and corresponding port information;
MAC address forgery identification module: used to receive the authentication packet and user port information sent up from the user terminal, extract the MAC address of the user terminal, and confirm whether a MAC address forgery problem exists; if the user is a MAC address forgery user, it returns to the access device a message, carrying the port information, indicating that authentication failed because of MAC address forgery; if the user is not a MAC address forgery user, it submits the authentication packet to the authentication module for authentication and delivers the user's information to the user information storage module for storage; said MAC address forgery identification module is also provided with a counter; if the count shows that the number of MAC address forgery packets sent from one access port within a period of time exceeds a certain quantity, it can issue a command notifying the access device to close or disable this access port;
Said MAC address forgery identification module can judge whether MAC address forgery exists for PPPoE packets, for PPPoA packets and for DHCP packets; it can also perform the check through another communication protocol between the authentication device and the access device;
Authentication module: used to authenticate the authentication packets of users whose MAC addresses are not forged; said authentication module can support PPPoE authentication, PPPoA authentication or DHCP authentication.
In the above access device and authentication device, the MAC address forgery processing module and the MAC address forgery identification module cooperate to identify forged MAC addresses effectively, thereby achieving the purpose of the present invention.
In summary, in the method for preventing MAC address forgery provided by the present invention, the authentication device can use the received authentication packet, the corresponding user information and the user's MAC address information to judge whether a MAC address forgery or MAC address conflict problem exists, thereby effectively preventing MAC address forgery from occurring.
The above is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited to it; any change or replacement that a person skilled in the art could readily conceive of within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.

Claims (18)

1. An implementation method for preventing MAC address forgery, characterized by comprising:
A. obtaining the media access control (MAC) address information and the corresponding port information of a user terminal requesting access to the network;
B. determining, according to said MAC address and corresponding port information and the MAC address and port information of user terminals that already have legal access to the network, the user access port through which a forged MAC address is accessing, and processing it accordingly.
2. The implementation method for preventing MAC address forgery according to claim 1, characterized in that said step A comprises:
A1. the user terminal sends an authentication request message to the access device, the message carrying the MAC address information of the user terminal;
A2. the access device obtains said authentication request message and sends the authentication message and the port information of the user terminal to the authentication device;
A3. the authentication device receives said message and obtains the MAC address information and the corresponding port information of the user terminal.
3. The implementation method for preventing MAC address forgery according to claim 2, characterized in that the method of processing the authentication request message in step A2 comprises:
supporting adding the user's port information to the Point-to-Point Protocol over Ethernet authentication message or the Dynamic Host Configuration Protocol (DHCP) authentication message and then sending it to the authentication device; or supporting the use of another communication protocol between the access device and the authentication device to send the port information of the user terminal to the authentication device.
4. The implementation method for preventing MAC address forgery according to claim 1, characterized in that said port information comprises:
the physical port information of the user terminal, the virtual path identifier (VPI)/virtual channel identifier (VCI) information of the user port, and/or the virtual local area network identifier (VLAN ID) information of the user port.
5. The implementation method for preventing MAC address forgery according to any one of claims 1 to 4, characterized in that said step B comprises:
B1. the authentication device determines whether said MAC address matches the MAC address of a user terminal with legal network access that it has saved; if so, step B2 is executed; otherwise, step B3 is executed;
B2. the user terminal is determined to be accessing with a forged MAC address, and its access is prohibited;
B3. the user terminal is allowed to access the network.
6. The implementation method for preventing MAC address forgery according to claim 5, characterized in that said step B1 specifically comprises:
B11. after obtaining the MAC address and port information of the user terminal requesting access, the authentication device determines whether it has saved the MAC address and corresponding port information of a user terminal with legal network access; if it has, step B12 is executed; otherwise, step B3 is executed;
B12. determining whether said MAC address matches the MAC address of a user terminal with legal network access that the authentication device has saved; if so, step B2 is executed; otherwise, step B3 is executed.
7. The implementation method for preventing MAC address forgery according to claim 5, characterized in that, before said step B2 is executed, the method further comprises:
further determining whether the port information corresponding to the MAC address information of the user terminal with legal network access that matches said MAC address matches the port information of the user terminal in the authentication request message; if so, no processing is performed; otherwise, step B2 is executed.
8. The implementation method for preventing MAC address forgery according to claim 5, characterized in that said step B2 further comprises:
B21. the authentication device sends to the access device a message caused by the authentication failure of said user terminal;
B22. after receiving the message caused by said authentication failure, the access device deletes the MAC address information of said user terminal that it has saved.
9. The implementation method for preventing MAC address forgery according to claim 5, characterized in that said step B2 further comprises:
when the number of messages caused by authentication failure on the same port that the authentication device generates within a set time period exceeds a predetermined number, notifying the access device to block that port;
or,
when the number of messages caused by authentication failure on the same port that the access device receives within a set time period exceeds a predetermined number, disabling the corresponding port.
10. The implementation method for preventing MAC address forgery according to claim 5, characterized in that said step B3 further comprises:
saving the MAC address of said user terminal and its corresponding port information on the authentication device.
11. An access device for preventing MAC address forgery, characterized by comprising:
an xDSL access module, used to provide an xDSL interface and the corresponding xDSL access function;
a MAC address forgery processing module, used to identify the authentication message of the user terminal and to pass the authentication message and the port information of the accessing user to the upstream interface module; according to the message received from the authentication device, this module deletes and/or binds the MAC address learned on the corresponding user access port;
an upstream interface module, used to send the authentication message and the port information of the accessing user to the authentication device, and to receive the message issued by the authentication device and pass it to the MAC address forgery processing module.
12. The access device for preventing MAC address forgery according to claim 11, characterized in that said access device may be a broadband access device supporting only broadband access, or an integrated access device supporting both broadband access and narrowband access.
13. The access device for preventing MAC address forgery according to claim 11, characterized in that said xDSL interface may be an ADSL interface, an SHDSL interface, or a very-high-speed digital subscriber line (VDSL) interface.
14. The access device for preventing MAC address forgery according to claim 11, characterized in that said upstream interface comprises:
a Gigabit Ethernet (GE) optical or electrical interface, a Fast Ethernet (FE) optical or electrical interface, an STM-1 optical or electrical interface, an E1 interface, an E3 interface, or an STM-4 interface.
15. The access device for preventing MAC address forgery according to claim 11, characterized in that said access device can also receive a message issued by the authentication device as a result of successful authentication, and bind the MAC address to the corresponding access port.
16. The access device for preventing MAC address forgery according to claim 11, characterized in that said MAC address forgery processing module is also provided with a counter for counting the number of authentication failures caused by MAC address forgery; when the number of MAC address forgeries occurring on one port within a period of time exceeds a predetermined value, in addition to deleting the learned MAC address of the accessing user, the corresponding access port is also closed.
17. An authentication device for preventing MAC address forgery, characterized by comprising:
a user information storage module, used to store user information;
a MAC address forgery identification module, used to receive the authentication message submitted by the user terminal and the user port information, and to determine from the user information stored in the user information storage module whether the MAC address is forged; if the user is a MAC address forgery user, the module returns to the access device a message, carrying the port information, indicating that authentication failed because of MAC address forgery; if the MAC address is not forged, the module submits the authentication message to the authentication module and passes the user's information to the user information storage module for storage;
an authentication module, used to perform the authentication of authentication messages from users that are not MAC address forgery users.
18. The authentication device for preventing MAC address forgery according to claim 17, characterized in that said MAC address forgery identification module further comprises a counter; when the number of MAC address forgery messages sent from one access port within a period of time exceeds a predetermined quantity, the access device is notified to close or disable that access port.
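The authentication-device decision described in claims 5 to 10 and 18 (binding lookup, the same-port exception of claim 7, and the per-port failure counter), as an added sketch that is not code from the patent or its applicant. The class, function and verdict names, the port strings, and the threshold values are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

PASS_TO_AUTH, REJECT_FORGED, BLOCK_PORT, PORT_BLOCKED = (
    "PASS_TO_AUTH", "REJECT_FORGED", "BLOCK_PORT", "PORT_BLOCKED")

def normalize_mac(mac):
    """Canonical 12-hex-digit form so 00-11-.. and 00:11:.. compare equal."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class ForgeryCheck:
    """Hypothetical model of the MAC address forgery identification module."""

    def __init__(self, max_failures=3, window_s=60.0):
        self.bindings = {}                  # MAC -> port of a legally connected terminal
        self.failures = defaultdict(deque)  # port -> timestamps of forgery failures
        self.blocked = set()                # ports the access device was told to close
        self.max_failures = max_failures    # assumed "predetermined number"
        self.window_s = window_s            # assumed "set time period", in seconds

    def handle_request(self, mac, port, now):
        mac = normalize_mac(mac)
        if port in self.blocked:
            return PORT_BLOCKED
        bound_port = self.bindings.get(mac)
        if bound_port is None:
            # B1 -> B3: MAC not stored; allow and save the binding (claim 10).
            self.bindings[mac] = port
            return PASS_TO_AUTH
        if bound_port == port:
            # Claim 7: same MAC on the port it is bound to is not forgery.
            return PASS_TO_AUTH
        # B2: known MAC arriving on a different port is treated as forged.
        recent = self.failures[port]
        recent.append(now)
        while now - recent[0] > self.window_s:  # drop failures outside the window
            recent.popleft()
        if len(recent) > self.max_failures:     # claims 9 and 18: close the port
            self.blocked.add(port)
            return BLOCK_PORT
        return REJECT_FORGED                    # B21: failure message names the port

def demo():
    # Constructed sample requests: (MAC, access port, time in seconds).
    requests = [
        ("00:11:22:AA:BB:CC", "slot1/port3", 0),   # first sighting
        ("00-11-22-aa-bb-cc", "slot1/port3", 5),   # same terminal, same port
        ("0011.22aa.bbcc",    "slot1/port7", 10),  # same MAC, other port
        ("00:11:22:aa:bb:cc", "slot1/port7", 11),
        ("00:11:22:aa:bb:cc", "slot1/port7", 12),  # third failure within the window
        ("00:11:22:00:00:01", "slot1/port7", 13),  # port already closed
    ]
    chk = ForgeryCheck(max_failures=2, window_s=60)
    return [chk.handle_request(*r) for r in requests]
```

On `REJECT_FORGED` the access device would also delete the MAC address it learned on the offending port, as step B22 describes; the legitimate binding on the original port is left untouched.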
CN 200810185398 2005-04-25 2005-04-25 Realization method for preventing MAC address forgery Expired - Fee Related CN101567883B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200810185398 CN101567883B (en) 2005-04-25 2005-04-25 Realization method for preventing MAC address forgery

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200810185398 CN101567883B (en) 2005-04-25 2005-04-25 Realization method for preventing MAC address forgery

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN2005100662366A Division CN1855812B (en) 2005-04-25 2005-04-25 Method for preventing from fakery of MAC addresses and equipment

Publications (2)

Publication Number Publication Date
CN101567883A true CN101567883A (en) 2009-10-28
CN101567883B CN101567883B (en) 2013-12-18

Family

ID=41283832

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810185398 Expired - Fee Related CN101567883B (en) 2005-04-25 2005-04-25 Realization method for preventing MAC address forgery

Country Status (1)

Country Link
CN (1) CN101567883B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101800741B (en) * 2010-01-25 2014-08-20 中兴通讯股份有限公司 Device and method for preventing illegal media access control (MAC) address transfer
CN104009896A (en) * 2014-05-19 2014-08-27 北京东土科技股份有限公司 Node equipment access method, system and device based on MAC address
WO2015100645A1 (en) * 2013-12-31 2015-07-09 华为技术有限公司 Network security management method and access device
CN107181759A (en) * 2017-07-05 2017-09-19 杭州迪普科技股份有限公司 The authentication method and device of a kind of user equipment
CN109347816A (en) * 2018-10-10 2019-02-15 上海易杵行智能科技有限公司 A kind of binding method and system for port and access device
CN109981661A (en) * 2019-03-29 2019-07-05 新华三技术有限公司 A kind of method, apparatus and electronic equipment monitoring MAC Address
CN110087252A (en) * 2019-05-30 2019-08-02 深圳市中航比特通讯技术有限公司 A kind of communication network service dynamic change technology
CN112153027A (en) * 2020-09-14 2020-12-29 杭州迪普科技股份有限公司 Counterfeit behavior identification method, apparatus, device and computer readable storage medium
CN115001826A (en) * 2022-06-02 2022-09-02 清华大学 Network access control method, device, network equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1855812B (en) * 2005-04-25 2010-04-28 华为技术有限公司 Method for preventing from fakery of MAC addresses and equipment

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101800741B (en) * 2010-01-25 2014-08-20 中兴通讯股份有限公司 Device and method for preventing illegal media access control (MAC) address transfer
WO2015100645A1 (en) * 2013-12-31 2015-07-09 华为技术有限公司 Network security management method and access device
CN104009896A (en) * 2014-05-19 2014-08-27 北京东土科技股份有限公司 Node equipment access method, system and device based on MAC address
CN104009896B (en) * 2014-05-19 2017-05-17 北京东土科技股份有限公司 Node equipment access method, system and device based on MAC address
CN107181759A (en) * 2017-07-05 2017-09-19 杭州迪普科技股份有限公司 The authentication method and device of a kind of user equipment
CN109347816A (en) * 2018-10-10 2019-02-15 上海易杵行智能科技有限公司 A kind of binding method and system for port and access device
CN109981661A (en) * 2019-03-29 2019-07-05 新华三技术有限公司 A kind of method, apparatus and electronic equipment monitoring MAC Address
CN109981661B (en) * 2019-03-29 2022-04-22 新华三技术有限公司 Method and device for monitoring MAC address and electronic equipment
CN110087252A (en) * 2019-05-30 2019-08-02 深圳市中航比特通讯技术有限公司 A kind of communication network service dynamic change technology
CN112153027A (en) * 2020-09-14 2020-12-29 杭州迪普科技股份有限公司 Counterfeit behavior identification method, apparatus, device and computer readable storage medium
CN112153027B (en) * 2020-09-14 2022-11-25 杭州迪普科技股份有限公司 Counterfeit behavior identification method, apparatus, device and computer readable storage medium
CN115001826A (en) * 2022-06-02 2022-09-02 清华大学 Network access control method, device, network equipment and storage medium

Also Published As

Publication number Publication date
CN101567883B (en) 2013-12-18

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20131218

Termination date: 20170425