CN101567883B - Realization method for preventing MAC address forgery - Google Patents

Info

Publication number
CN101567883B
Authority
CN
China
Prior art keywords
mac address
counterfeit
information
user
access
Legal status
Expired - Fee Related
Application number
CN 200810185398
Other languages
Chinese (zh)
Other versions
CN101567883A (en
Inventor
吴海军
张军
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Abstract

The invention relates to a method for preventing MAC address forgery. The method mainly comprises the following steps: first, acquiring the media access control (MAC) address information and corresponding port information of a user terminal requesting access to a network; then, based on that MAC address and port information and on the MAC address and port information of existing user terminals that have legitimately accessed the network, determining the user access port that is attempting access with a forged MAC address, and handling that user access port accordingly. When MAC forgery or address conflicts exist in the network, the method can take corresponding countermeasures, namely prohibiting and deleting the forged MAC address information. The method can therefore effectively solve the problem of MAC address forgery in the network and ensure that the services of users who have already authenticated successfully continue to work normally.

Description

Implementation method for preventing MAC address forgery
Technical field
The present invention relates to the field of network communication technology, and in particular to an implementation method for preventing MAC address forgery.
Background
At present, access devices such as DSLAM (Digital Subscriber Line Access Multiplexer) equipment and integrated access equipment are very widely used to provide broadband access. They can provide multiple broadband access means, including ADSL (Asymmetric Digital Subscriber Line), SHDSL (Single-pair High-speed Digital Subscriber Line) and VDSL (Very-high-speed Digital Subscriber Line), giving users access to the broadband network and to other services, for example video services and IP telephony services.
To support authentication and billing of access users, and to prevent malicious access by illegitimate users, many networks currently filter access users based on their MAC (media access control) addresses.
As the number of broadband users grows, some illegitimate users forge a legitimate MAC address to gain unauthorized access to the broadband network and run unauthorized services, or forge MAC addresses to maliciously disrupt broadband services. For example, some broadband users use software tools to alter the MAC addresses of certain users in order to attack users who are using the broadband network normally and disrupt normal broadband services. MAC address forgery has thus become a problem in broadband access networks, and a corresponding function for preventing it needs to be provided there.
At present, MAC address forgery can be prevented by binding source MAC addresses to ports. Source MAC and port binding means that an access device such as a DSLAM or integrated access device assigns each access user one or more permitted source MAC addresses that are unique across the whole access network. Specifically, the access device checks the source MAC address of each Ethernet frame arriving from the user; only frames whose source MAC address is one of the configured MAC addresses are allowed through and forwarded to the upper-layer network, and Ethernet frames with any other source MAC address are dropped. This effectively prevents MAC address forgery.
However, although the method currently used does prevent MAC address forgery, it requires configuring every user with the source MAC addresses allowed to pass. Because the source MAC addresses of access users are randomly assigned, when there are many access users the work of finding out each user's MAC address and configuring it in the access device becomes enormous.
This approach also has a major defect: once the source MAC address is bound to the port, if the user replaces the PC or switches to another legitimate MAC address, the user's service no longer works until the new MAC address is configured again in the access device. Because of this defect, current measures for preventing MAC address forgery cannot be widely used.
Summary of the invention
In view of the above problems in the prior art, the purpose of the present invention is to provide an implementation method for preventing MAC address forgery that effectively solves the problem of MAC address forgery in broadband access networks.
The purpose of the invention is achieved through the following technical solutions:
The invention provides an implementation method for preventing MAC address forgery, comprising:
A. Obtaining the media access control (MAC) address information and corresponding port information of a user terminal requesting network access, where the corresponding port information is carried in a PPPoE (Point-to-Point Protocol over Ethernet) authentication request message, a DHCP (Dynamic Host Configuration Protocol) authentication request message, or a PPPoA (Point-to-Point Protocol over ATM, asynchronous transfer mode) authentication request message sent by the access device;
B. Making a judgment based on the obtained MAC address information: if the obtained MAC address information is found in the saved binding relationships between MAC addresses and user ports, comparing the port information in the binding relationship with the obtained port information and, if they differ, returning authentication failure information to the access device.
Step A comprises:
A1. The access device receives an authentication request message sent by the user terminal; the message carries the MAC address information of the user terminal, and the authentication request message is a PPPoA authentication request message;
A2. The access device takes the authentication request message sent by the user terminal, adds the port information of the user terminal to it, and sends the authentication request message carrying the port information to the authentication device;
A3. The authentication device receives the authentication request message sent by the access device and obtains the MAC address information and corresponding port information of the user terminal.
The port information comprises:
The physical port information of the user terminal, the virtual path identifier (VPI) and virtual channel identifier (VCI) information of the user port, or the virtual local area network identifier (VLAN ID) information of the user port.
Step B further comprises:
If the obtained MAC address information exists in the saved binding relationships between MAC addresses and user ports, and the port information in the binding relationship matches the obtained port information of the user terminal, no action is taken.
The method further comprises:
After the access device receives the message resulting from the authentication failure, it deletes the MAC address information it has saved for that user terminal.
The method further comprises:
When the number of authentication failure messages generated by the authentication device for the same port within a set time period exceeds a predetermined number, the authentication device notifies the access device to block that port;
or,
When the number of authentication failure messages received by the access device for the same port within a set time period exceeds a predetermined number, the access device blocks the corresponding port.
The method further comprises:
If the obtained MAC address information does not exist in the saved binding relationships between MAC addresses and user ports, the MAC address of the user terminal and its corresponding port information are saved on the authentication device.
The present invention also provides an access device for preventing MAC address forgery, comprising:
An xDSL access module, for providing xDSL interfaces and the corresponding xDSL access function;
A MAC address forgery processing module, for identifying the authentication message sent by a user terminal and carrying that terminal's MAC address, adding the user's port information to the authentication message, and passing the authentication message carrying the terminal's MAC address and the user's port information to the upstream interface module; and, on receiving an authentication failure message issued by the authentication device, deleting the MAC address learned on the corresponding user access port;
An upstream interface module, for sending the authentication message carrying the terminal's MAC address and the user's port information to the authentication device, so that the authentication device makes a judgment based on the MAC address information and the user's port information in that message: if the obtained MAC address information exists in the binding relationships between MAC addresses and user ports saved by the authentication device, the port information in the binding relationship is compared with the obtained port information and, if they differ, the MAC address is determined to be forged; and for receiving the message issued by the authentication device indicating whether authentication succeeded and passing it to the MAC address forgery processing module.
The access device may be a broadband access device that supports only broadband access, or an integrated access device that supports both broadband and narrowband access.
The xDSL interface may be an ADSL interface, an SHDSL interface, or a Very-high-speed Digital Subscriber Line (VDSL) interface.
The upstream interface comprises:
A Gigabit Ethernet (GE) optical or electrical interface, a Fast Ethernet (FE) optical or electrical interface, an STM-1 optical or electrical interface, an E1 interface, an E3 interface, or an STM-4 interface.
The access device may also receive the message issued by the authentication device on successful authentication and bind the MAC address to the corresponding access port.
The MAC address forgery processing module is also provided with a counter for counting authentication failures caused by MAC address forgery; when the number of MAC address forgery events on a port within a period of time exceeds a predetermined value, the corresponding access port is closed.
The present invention also provides an authentication device for preventing MAC address forgery, comprising:
A user information storage module, for storing user information;
A MAC address forgery identification module, for receiving the authentication message sent up by the access device, which carries the media access control (MAC) address information of the user terminal and the user port information, and determining from the user information stored in the user information storage module whether the MAC address in the authentication request message is forged. If it is forged, the module returns to the access device a message, carrying the port information, indicating that authentication failed because of MAC address forgery; if it is not forged, the module submits the authentication message to the authentication module and passes the user's information to the user information storage module for storage. Determining that a MAC address is forged comprises: obtaining the MAC address information in the PPPoE (Point-to-Point Protocol over Ethernet) authentication request message, DHCP (Dynamic Host Configuration Protocol) authentication request message, or PPPoA (Point-to-Point Protocol over ATM, asynchronous transfer mode) authentication request message sent up by the access device; determining that the obtained MAC address information exists in the saved binding relationships between MAC addresses and user ports; comparing the port information in that binding relationship with the obtained port information; and, if they differ, determining that the MAC address is forged;
An authentication module, for authenticating the authentication messages it receives.
The MAC address forgery identification module further comprises a counter; when the number of forged-MAC-address messages sent from an access port within a period of time exceeds a predetermined quantity, the access device is notified to close or disable that access port.
As can be seen from the technical solution provided above, the method of the present invention enables the authentication device to judge the legitimacy of a request from the received authentication message, the corresponding user information and the user's MAC address information, and to take corresponding countermeasures when MAC forgery or address conflicts exist in the network, namely prohibiting and deleting the forged MAC address information.
The present invention can therefore effectively solve the problem of MAC address forgery in the network. For example, suppose multiple access devices hang off one authentication device, and each access device in turn serves multiple access users. If one access user has authenticated successfully with address MAC-A, no other access user under that authentication device can pass authentication with MAC-A, which ensures that the services of the access user who authenticated first continue to work normally.
Brief description of the drawings
Fig. 1 is a schematic diagram of the application environment of the method of the present invention;
Fig. 2 is a flow chart of the method of the present invention;
Fig. 3 is a structural diagram of the access device provided by the present invention;
Fig. 4 is a structural diagram of the authentication device provided by the present invention.
Detailed description
The main purpose of the present invention is to solve the problem of MAC address forgery. In the method adopted, the authentication device uses the user information and MAC address information in the received authentication message, together with the corresponding information it has saved, to judge whether MAC address forgery or a MAC address conflict exists, and refuses network access to any access user for whom it does. With the present invention, if address forgery occurs, the access device, the authentication device and so on can be protected, and normal use by the user whose address was forged is guaranteed.
Specifically: the access device receives the authentication message of an access user and sends the authentication message together with the user port information to the authentication device. The authentication device compares the user port information and source MAC address with what it already knows. If the MAC address is not forged, authentication succeeds; if address forgery is found, authentication failure information is returned, and the access device deletes the learned MAC address on receiving it.
For a further understanding of the present invention, the specific implementation of the method is described in more detail below with reference to the drawings.
First, the network environment in which the present invention is applied is introduced. As shown in Fig. 1, user A and user B access the aggregation network through access device A; access device A supports user access, specifically for user A (whose MAC address is MAC-A) and user B (whose MAC address is MAC-B). Access device B supports access by user C (whose MAC address is MAC-C). Access device A and access device B connect through the aggregation network to the authentication device, which performs the corresponding authentication processing.
To implement the present invention, the access devices in Fig. 1 need to provide the following functions:
Aggregating user access. The access device can connect one or more users and, after aggregation, connects upstream through an ATM or IP interface to the metropolitan area network, or directly, to the authentication device;
Adding user information. The access device can add the user's information to the authentication message sent up by the user; alternatively, the access device can send the user port information of the authenticating user to the authentication device through another protocol;
Providing an upstream interface. The access device can provide an ATM or IP upstream interface, through which it connects to the metropolitan area network or directly to the authentication device, and reports user information to the authentication device.
Communicating with the authentication device. After receiving from the authentication device a message that authentication failed because of MAC address forgery, the access device can delete the MAC address learned on that port.
Likewise, to implement the present invention, the authentication device in Fig. 1 may be a BRAS (Broadband Remote Access Server) authentication system or a DHCP (Dynamic Host Configuration Protocol) server, but whatever kind of authentication device it is, it needs to provide the following functions:
The authentication device must be able to authenticate one or more users.
The authentication device must support extracting the user information carried in the authentication message and comparing it, to determine whether MAC address forgery has occurred. Alternatively, the authentication device supports another communication protocol for obtaining the authenticating user's port information from the access device;
Communicating with the access device. The authentication device can send the authentication failure message to the access device through the relevant protocol.
In the present invention, the authentication device and the access device may be connected through a metropolitan area network or directly.
In the present invention, the access device may be a DSLAM (Digital Subscriber Line Access Multiplexer) that supports broadband access, or an integrated access device that supports both broadband and narrowband access.
In the present invention, users may connect to the access device over ADSL (Asymmetric Digital Subscriber Line), SHDSL (Single-pair High-speed Digital Subscriber Line), VDSL (Very-high-speed Digital Subscriber Line), and so on.
As shown in Fig. 2, the method of the present invention comprises the following steps in a specific implementation:
Step 21: The user sends the access device an authentication request message carrying its own MAC address (the source MAC address);
That is, the access device captures the authentication message of the access user and, once it has captured the authentication request message, performs step 22;
As shown in Fig. 1, suppose user A under access device A initiates authentication; user A sends an authentication request message to the access device;
In this step, the authentication request message may be a PPPoE (Point-to-Point Protocol over Ethernet) message or a DHCP (Dynamic Host Configuration Protocol) message;
Step 22: After receiving user A's authentication request message, access device A adds the user's port information to it and sends it to the authentication device for authentication processing; alternatively, access device A sends the user's port information to the authentication device through another communication protocol;
The added port information may be: the user's physical location information (that is, the user's physical port information), the VLAN (virtual local area network) information of the user port, the VPI (virtual path identifier)/VCI (virtual channel identifier) information of the user port, and so on;
Specifically: the user's port information may be added to the PPPoE authentication message sent up by the user terminal, to the DHCP authentication message sent up by the user terminal, or to the PPPoA authentication message sent up by the user terminal; or the PPPoA message sent up by the user terminal may be converted to a PPPoE message and the port information added afterwards; or other protocols may be used to deliver the user port information to the upstream module;
Step 23: The authentication device obtains the MAC address and user port information from the authentication request message and compares them with the information it has saved, to judge whether this access user is a case of MAC address forgery (or whether a MAC address conflict has occurred). If so, step 25 is performed; otherwise step 24 is performed and authentication proceeds normally;
Specifically, the authentication device checks the state of its storage area for MAC address and user port information:
If the storage area is empty (that is, the authentication device has not yet saved any binding between a MAC address and a user port), this user is determined to be a legitimate access, and no MAC address forgery or conflict has occurred;
Otherwise, it goes on to judge whether the stored information contains the MAC address of this access user, that is, whether the saved binding relationships include one for this MAC address. If not, step 24 is performed; otherwise, step 25 is performed;
In this step, the authentication device first checks the MAC address information. If the MAC address is found in the saved binding relationships, it compares the port information in the binding with the port information accompanying this MAC address. If they are the same (meaning the authentication request was sent by the same user), no action is taken; if they differ, MAC address forgery or conflict exists and step 25 must be performed. If the MAC address is not in the saved binding relationships, this is the authentication request of a new legitimate user, and step 24 is performed;
Step 24: The authentication device binds the received user port information, the source MAC address carried in the message sent up by this user (for example, user A's MAC-A address), and the port number of the authentication device, and saves the binding in the corresponding information storage area;
After user A under access device A passes authentication, the corresponding services can run normally.
Step 25: When the authentication device determines from the information carried in the received authentication request message that the MAC address is forged or that a MAC address conflict has occurred, it returns authentication failure information, that is, an authentication failure message, to the corresponding access device;
Again referring to Fig. 1, suppose the authentication device receives an authentication request message from a user (for example user A of access device A) and, judging by the user's source MAC address and the port of the authentication device, determines that the user's MAC address MAC-A conflicts with that of a user who is using the network normally; it then determines that authentication has failed and sends the failure information down to the access device;
Step 26: On receiving the returned authentication failure message, the access device deletes both the MAC address information learned on this port and the corresponding port information;
If authentication on this port fails repeatedly within a period of time because of MAC address conflicts, the authentication device notifies the access device, which blocks the corresponding port and forbids any information from entering the network through it;
Alternatively, after receiving a certain number of authentication failure messages caused by MAC address forgery within a period of time, the access device blocks the port itself.
As shown in Fig. 1, the authentication processing for other access devices (for example access device B) or users (for example user B and user C) is similar to the above and is not described again.
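The binding check of steps 23 to 25, the learned-MAC deletion of step 26 and the port-blocking counter can be modelled as follows. This is an added Python example, not code from the patent: the class and function names, the threshold of 3 failures in a 60-second window, and all device names, port names and MAC addresses are constructed assumptions, and the `blocked` set stands in for the notification sent to the access device.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import NamedTuple, Optional

ACCEPT, SAME_USER = "accept", "same-user"
REJECT_FORGED, REJECT_BLOCKED = "reject-forged", "reject-blocked"


class Port(NamedTuple):
    """Port information the access device adds to the authentication request."""
    access_device: str              # constructed device name, e.g. "access-A"
    physical_port: str              # physical port of the user terminal
    vlan_id: Optional[int] = None   # a VPI/VCI pair would serve the same role


@dataclass
class AuthDevice:
    """Authentication device side: binding table plus per-port failure counter."""
    max_failures: int = 3     # assumed value for the "predetermined number"
    window_s: float = 60.0    # assumed value for the "set time period"
    bindings: dict = field(default_factory=dict)                  # MAC -> Port
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    blocked: set = field(default_factory=set)   # ports the access device was told to block

    def authenticate(self, mac: str, port: Port, now: float) -> str:
        mac = mac.lower()
        if port in self.blocked:
            return REJECT_BLOCKED
        bound = self.bindings.get(mac)
        if bound is None:                 # step 24: new legitimate user, save binding
            self.bindings[mac] = port
            return ACCEPT
        if bound == port:                 # same user re-authenticating: no action
            return SAME_USER
        hits = self.failures[port]        # step 25: MAC already bound to another port
        hits.append(now)
        while now - hits[0] > self.window_s:   # keep only failures inside the window
            hits.popleft()
        if len(hits) > self.max_failures:
            self.blocked.add(port)
        return REJECT_FORGED

    def release(self, mac: str) -> None:
        """User went offline: the stored binding may be deleted."""
        self.bindings.pop(mac.lower(), None)


@dataclass
class AccessDevice:
    """Access device side: learns MACs per port and tags requests with port info."""
    name: str
    auth: AuthDevice
    learned: dict = field(default_factory=lambda: defaultdict(set))

    def on_auth_request(self, mac, physical_port, vlan_id, now):
        port = Port(self.name, physical_port, vlan_id)
        self.learned[physical_port].add(mac.lower())
        result = self.auth.authenticate(mac, port, now)   # step 22: forward with port info
        if result in (REJECT_FORGED, REJECT_BLOCKED):     # step 26: delete learned MAC
            self.learned[physical_port].discard(mac.lower())
        return result


def demo():
    """Constructed scenario following Fig. 1: users A and B on access-A, C on access-B."""
    auth = AuthDevice()
    dev_a, dev_b = AccessDevice("access-A", auth), AccessDevice("access-B", auth)
    mac_a, mac_b = "00:11:22:33:44:0A", "00:11:22:33:44:0B"   # constructed addresses
    out = [dev_a.on_auth_request(mac_a, "0/1/1", 100, now=0.0),   # user A, first seen
           dev_a.on_auth_request(mac_a, "0/1/1", 100, now=5.0),   # user A again
           dev_a.on_auth_request(mac_b, "0/1/2", 100, now=6.0)]   # user B
    # User C on access-B repeatedly presents user A's MAC.
    out += [dev_b.on_auth_request(mac_a, "0/2/7", 200, now=10.0 + i) for i in range(4)]
    # The port is now blocked, even for a MAC nobody else uses.
    out.append(dev_b.on_auth_request("00:11:22:33:44:0C", "0/2/7", 200, now=20.0))
    # User B swaps PCs: a new MAC on the same port needs no reconfiguration.
    out.append(dev_a.on_auth_request("00:11:22:33:44:1B", "0/1/2", 100, now=30.0))
    return out, auth, dev_b


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The last request in the scenario shows the difference from static source MAC and port binding: a previously unseen MAC on user B's port is accepted without any configuration change, while user A's binding to its original port is unaffected by the rejected requests.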
Based on the described method of the invention described above, the present invention also provides a kind of access device that prevents that MAC Address is counterfeit, described access device can be for only supporting the broadband access equipment of broadband access, also can be for support the integrated access equipment of broadband access and narrow band access simultaneously;
As shown in Figure 3, described access device specifically comprises:
The xDSL access module: for the access function of xDSL is provided, for the xDSL interface is provided, described xDSL interface can be also the SHDSL interface for adsl interface (comprising ADSL2, ADSL2+ etc.), can be also the VDSL interface;
The counterfeit processing module of MAC Address: for the MAC address learning function of completing user access interface; This module can be identified the message identifying of user terminal, and the port information of message identifying and this access user is delivered to upstream Interface; The authentification failure message that this module can issue according to the authenticating device received, delete the MAC Address that the relative users access interface is learnt;
The counterfeit processing module of described MAC Address also is provided with counter, for carrying out the unsuccessful counting of authentication caused because MAC Address is counterfeit, if the problem that MAC Address is counterfeit repeatedly appears in a port within a period of time, except the MAC Address of the access user learnt can being deleted, also this access interface can be closed;
Upstream Interface module: for the port information by message identifying and this access user, deliver to authenticating device; And the whether authentication success message that support to receive that authenticating device issues, deliver to the counterfeit processing module of MAC Address; Described upstream Interface can be GE interface (can be optical interface or electrical interface), can be FE interface (can be optical interface or electrical interface) can be also STM-1 interface (can be optical interface or electrical interface), E1 interface, E3 interface or STM-4 interface.
Based on method of the present invention, a kind of authenticating device that prevents address forgery also is provided, as shown in Figure 4, described authenticating device specifically comprises:
Subscriber information storing module: for the memory function of completing user information, port information of user's mac address information, user etc. can be stored; And can be whether online according to this access user, determine whether to delete this stored user mac address information and corresponding port information;
The counterfeit identification module of MAC Address: message identifying and the user port information put forward for receiving user terminal, extract the MAC Address of user terminal, be confirmed whether the problem that exists MAC Address counterfeit, if the user is the counterfeit user of MAC Address, to access device return carry port information cause the message of authentification failure because MAC Address is counterfeit; If the user is the counterfeit user of non-MAC Address, submits message identifying to the authentication module authentication, and user's information is delivered to subscriber information storing module and stored; The counterfeit identification module of described MAC Address also is provided with counter, if determine that according to the count results of counter a counterfeit message of the MAC Address that access interface is sent out within a period of time surpasses certain quantity, by can transmitting order to lower levels, the notice access device be closed this access interface or forbid;
The counterfeit identification module of described MAC Address can be supported to be judged whether to exist MAC Address counterfeit to the PPPOE message; Can support to be judged whether to exist MAC Address counterfeit to the PPPOA message; Can support to be judged whether to exist MAC Address counterfeit to the DHCP message; Can also support to look into by the communications protocol between other authenticating devices and access device;
Authentication module: for the certification work of the message identifying that completes the counterfeit user of non-MAC Address; And described authentication module can be supported the authentication of PPPOE, or the authentication of PPPOA can be supported, or the authentication of DHCP can be supported.
In the access device and authenticating device described above, the MAC address forgery processing module and the MAC address forgery identification module cooperate to identify forged MAC addresses effectively, thereby achieving the purpose of the present invention.
In summary, with the method for preventing MAC address forgery provided by the present invention, the authenticating device can use the received authentication message, the corresponding user information, and the user's MAC address information to judge whether a MAC address forgery or MAC address conflict problem exists, and thereby effectively prevent MAC address forgery from occurring.
The above is only a preferred embodiment of the present invention, but the protection scope of the present invention is not limited to it. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.
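The check summarized above can be sketched as follows. This is an added example, not code from the patent: the class and function names, the 60-second window, the failure threshold, the port labels and the MAC address are all constructed for illustration, and the binding is saved when an unknown MAC address is first seen, as in claim 7.

```python
from collections import defaultdict, deque

PASS, FAIL_FORGED, BLOCK_PORT = "pass", "auth_fail_mac_forged", "block_port"


class MacForgeryIdentifier:
    """Authenticating-device check: MAC/port binding plus a per-port failure counter."""

    def __init__(self, window_s=60.0, max_failures=3):
        self.bindings = {}                  # normalized MAC -> port it is bound to
        self.failures = defaultdict(deque)  # port -> times of forgery-caused failures
        self.blocked = set()                # ports the access device was told to close
        self.window_s = window_s            # assumed length of the counting period
        self.max_failures = max_failures    # assumed "predetermined number"

    @staticmethod
    def normalize(mac):
        """Reduce aa:bb.., aa-bb.. and aabb.ccdd.. notations to 12 lowercase hex digits."""
        digits = "".join(c for c in mac.lower() if c not in ":-.")
        if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
            raise ValueError(f"not a MAC address: {mac!r}")
        return digits

    def handle_request(self, mac, port, now):
        """Classify one authentication request that carries a MAC address and a port."""
        mac = self.normalize(mac)
        bound = self.bindings.setdefault(mac, port)  # unknown MAC: save the binding
        if bound == port:
            return PASS                     # hand over to the authentication module
        # Same MAC seen on a different port: count a forgery failure for that port.
        recent = self.failures[port]
        recent.append(now)
        while now - recent[0] > self.window_s:
            recent.popleft()                # forget failures outside the period
        if len(recent) > self.max_failures:
            self.blocked.add(port)          # notify the access device to close the port
            return BLOCK_PORT
        return FAIL_FORGED                  # failure message carries the offending port


def demo():
    """Replay constructed requests given as (mac, port, seconds)."""
    ident = MacForgeryIdentifier(window_s=60, max_failures=2)
    requests = [
        ("00:11:22:33:44:55", "0/1/3", 0),   # first sight, binding saved
        ("00-11-22-33-44-55", "0/1/3", 5),   # same user, same port
        ("0011.2233.4455", "0/1/7", 10),     # same MAC on another port
        ("00:11:22:33:44:55", "0/1/7", 20),
        ("00:11:22:33:44:55", "0/1/7", 30),  # third failure within 60 s
        ("00:11:22:33:44:55", "0/1/3", 40),  # original user is unaffected
    ]
    return [ident.handle_request(*r) for r in requests], ident


if __name__ == "__main__":
    print(demo()[0])
```

Normalizing the address before the lookup keeps the same MAC written in a different notation from bypassing the binding table.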

Claims (15)

1. A method for preventing MAC address forgery, characterized by comprising:
A. obtaining the media access control (MAC) address information and the corresponding port information of a user terminal requesting network access, wherein the corresponding port information is carried in a Point-to-Point Protocol over Ethernet (PPPoE) authentication request packet, a Dynamic Host Configuration Protocol (DHCP) authentication request packet, or a Point-to-Point Protocol over asynchronous transfer mode (ATM) (PPPoA) authentication request packet sent by an access device;
B. making a judgment according to the obtained MAC address information: if the obtained MAC address information is found in the saved binding relationships between MAC addresses and user ports, comparing the port information in the binding relationship with the obtained port information and, if they differ, returning authentication failure information to the access device.
2. The method for preventing MAC address forgery according to claim 1, characterized in that step A comprises:
A1. the access device receives an authentication request packet sent by the user terminal, the packet carrying the MAC address information of the user terminal, the authentication request packet being a PPPoA authentication request packet;
A2. the access device obtains the authentication request packet sent by the user terminal, adds the port information of the user terminal to the obtained authentication request packet, and sends the authentication request packet carrying the port information to the authenticating device;
A3. the authenticating device receives the authentication request packet sent by the access device and obtains the MAC address information and the corresponding port information of the user terminal.
3. The method for preventing MAC address forgery according to claim 1, characterized in that the port information is specifically:
the physical port information of the user terminal, the virtual path identifier (VPI) of the user port, the virtual channel identifier (VCI) information of the user port, or the virtual local area network identifier (VLAN ID) information of the user port.
4. The method for preventing MAC address forgery according to any one of claims 1 to 3, characterized in that step B further comprises:
if the obtained MAC address information exists in the saved binding relationships between MAC addresses and user ports, and the port information in the binding relationship matches the obtained port information of the user terminal, no processing is performed.
5. The method for preventing MAC address forgery according to any one of claims 1 to 3, characterized by further comprising:
after the access device receives the authentication failure message, deleting the MAC address information of the user terminal that it has saved.
6. The method for preventing MAC address forgery according to any one of claims 1 to 3, characterized by further comprising:
when the number of authentication failure messages based on the same port that the authenticating device generates within a set time period exceeds a predetermined number, notifying the access device to block that port;
or,
when the number of authentication failure messages based on the same port that the access device receives within a set time period exceeds a predetermined number, blocking the corresponding port.
7. The method for preventing MAC address forgery according to any one of claims 1 to 3, characterized by further comprising:
if the obtained MAC address information does not exist in the saved binding relationships between MAC addresses and user ports, saving the obtained MAC address of the user terminal and its corresponding port information on the authenticating device.
8. An access device for preventing MAC address forgery, characterized by comprising:
an xDSL access module, for providing an xDSL interface and the corresponding xDSL access function;
a MAC address forgery processing module, for identifying the authentication message carrying the user terminal's MAC address that the user terminal sends, adding the user's port information to the authentication message, and passing the authentication message carrying the user terminal's MAC address and the user's port information to the upstream interface module; and for deleting, according to the authentication failure message received from the authenticating device, the MAC address learned on the corresponding user access port;
an upstream interface module, for passing the authentication message carrying the user terminal's MAC address and the user's port information to the authenticating device, so that the authenticating device makes a judgment according to the MAC address information and the user's port information in the authentication message it obtains: if the obtained MAC address information exists in the binding relationships between MAC addresses and user ports saved by the authenticating device, the port information in that binding relationship is compared with the obtained port information and, if they differ, the MAC address is determined to be forged; and for receiving the message issued by the authenticating device stating whether authentication succeeded, and passing the received message to the MAC address forgery processing module.
9. The access device for preventing MAC address forgery according to claim 8, characterized in that the access device is a broadband access device supporting broadband access, or an integrated access device supporting both broadband access and narrowband access.
10. The access device for preventing MAC address forgery according to claim 8, characterized in that the xDSL interface is an ADSL interface, an SHDSL interface, or a very-high-speed digital subscriber line (VDSL) interface.
11. The access device for preventing MAC address forgery according to claim 8, characterized in that the upstream interface comprises:
a Gigabit Ethernet (GE) optical or electrical interface, a Fast Ethernet (FE) optical or electrical interface, an STM-1 optical or electrical interface, an E1 interface, an E3 interface, or an STM-4 interface.
12. The access device for preventing MAC address forgery according to claim 8, characterized in that the access device can also receive a message issued by the authenticating device as a result of successful authentication, and bind the MAC address to the corresponding access port.
13. The access device for preventing MAC address forgery according to claim 8, characterized in that the MAC address forgery processing module is also provided with a counter, for counting authentication failures caused by MAC address forgery and, when the number of MAC address forgeries occurring on one port within a period of time exceeds a predetermined value, closing the corresponding access port.
14. An authenticating device for preventing MAC address forgery, characterized by comprising:
a user information storage module, for storing user information;
a MAC address forgery identification module, for receiving the authentication request packet, submitted by the access device, that carries the media access control (MAC) address information of the user terminal and the user port information, and for confirming, according to the user information stored in the user information storage module, whether the MAC address in the authentication request packet is a forged MAC address; if it is a forged MAC address, returning to the access device a message, carrying the port information, stating that authentication failed because of MAC address forgery; if it is not a forged MAC address, submitting the authentication message to the authentication module and passing the user's information to the user information storage module for storage; wherein confirming a forged MAC address comprises: obtaining the MAC address information in the Point-to-Point Protocol over Ethernet (PPPoE) authentication request packet, the Dynamic Host Configuration Protocol (DHCP) authentication request packet, or the Point-to-Point Protocol over asynchronous transfer mode (ATM) (PPPoA) authentication request packet submitted by the access device and, if the obtained MAC address information exists in the saved binding relationships between MAC addresses and user ports, comparing the port information in that binding relationship with the obtained port information and, if they differ, determining that the MAC address is forged;
an authentication module, for completing the authentication of the received authentication message.
15. The authenticating device for preventing MAC address forgery according to claim 14, characterized in that the MAC address forgery identification module further comprises a counter, for notifying the access device to close or disable an access port when the number of MAC-forgery messages sent from that access port within a period of time exceeds a predetermined quantity.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200810185398 CN101567883B (en) 2005-04-25 2005-04-25 Realization method for preventing MAC address forgery

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200810185398 CN101567883B (en) 2005-04-25 2005-04-25 Realization method for preventing MAC address forgery

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN2005100662366A Division CN1855812B (en) 2005-04-25 2005-04-25 Method for preventing from fakery of MAC addresses and equipment

Publications (2)

Publication Number Publication Date
CN101567883A CN101567883A (en) 2009-10-28
CN101567883B true CN101567883B (en) 2013-12-18

Family

ID=41283832

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200810185398 Expired - Fee Related CN101567883B (en) 2005-04-25 2005-04-25 Realization method for preventing MAC address forgery

Country Status (1)

Country Link
CN (1) CN101567883B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101800741B (en) * 2010-01-25 2014-08-20 中兴通讯股份有限公司 Device and method for preventing illegal media access control (MAC) address transfer
WO2015100645A1 (en) * 2013-12-31 2015-07-09 华为技术有限公司 Network security management method and access device
CN104009896B (en) * 2014-05-19 2017-05-17 北京东土科技股份有限公司 Node equipment access method, system and device based on MAC address
CN107181759B (en) * 2017-07-05 2020-07-07 杭州迪普科技股份有限公司 Authentication method and device for user equipment
CN109347816B (en) * 2018-10-10 2022-01-04 上海易杵行智能科技有限公司 Binding method and system for port and access equipment
CN109981661B (en) * 2019-03-29 2022-04-22 新华三技术有限公司 Method and device for monitoring MAC address and electronic equipment
CN110087252B (en) * 2019-05-30 2022-08-30 深圳市中航比特通讯技术股份有限公司 Dynamic changing technology for communication network service
CN112153027B (en) * 2020-09-14 2022-11-25 杭州迪普科技股份有限公司 Counterfeit behavior identification method, apparatus, device and computer readable storage medium
CN115001826B (en) * 2022-06-02 2023-04-11 清华大学 Network access control method, device, network equipment and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1855812B (en) * 2005-04-25 2010-04-28 华为技术有限公司 Method for preventing from fakery of MAC addresses and equipment

Also Published As

Publication number Publication date
CN101567883A (en) 2009-10-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20131218

Termination date: 20170425