CN101605070B - Method and device for verifying source address based on control message monitoring - Google Patents

Info

Publication number
CN101605070B
Authority
CN (China)
Prior art keywords
message, binding relationship, address, host, state
Legal status
Active
Application number
CN2009100881906A
Other languages
Chinese (zh)
Other versions
CN101605070A (en)
Inventors
毕军, 吴建平, 姚广
Current assignee
Tsinghua University
Original assignee
Tsinghua University
Events
Application filed by Tsinghua University
Priority to CN2009100881906A
Publication of CN101605070A
Application granted
Publication of CN101605070B
Legal status: Active
Abstract

The invention provides a method and a device for verifying a source address. The method comprises the following steps: a network access device determines the type of a received packet; if the packet comes from a host that is not directly connected, it checks whether the packet's source address exists in the binding table, discarding the packet if it does and forwarding it if it does not; if the packet is a data packet from a directly connected host, it checks whether the combination of the packet's source address and its arrival port, or of the source address and the source link-layer address in the packet, exists in the binding table, forwarding the packet if it does and discarding it if it does not; if the packet is a control packet from a directly connected host, it checks whether the packet's source address is legal, discarding the packet if it is illegal and forwarding it if it is legal; and it operates on the binding relationships according to the packet type. The method and the device are fine-grained and are applicable to IPv6 and IPv4 without modifying hosts or existing protocols.

Description

Source address verification method and device based on control message monitoring
Technical field
The present invention relates generally to the field of Internet technology, and more specifically to techniques for verifying real IP source addresses.
Background technology
Attacks using spoofed IP source addresses are rampant on the Internet; according to statistics from Internet organizations, there are at least 4000 denial-of-service attacks using spoofed source addresses every week. Such attacks are easy to launch but hard to trace back, which is why spoofed-source-address attacks are so widespread.
Many techniques have been proposed in the hope of controlling this class of attack. They fall into three classes:
Path filtering (Filtering): these techniques mainly use routing information to filter out part of the packets with spoofed source addresses. A typical example is ingress filtering, in which the gateway checks whether the source address of a received packet lies within the address space of the access subnet, and thereby decides whether the packet is legitimate.
End-to-end authentication (End-to-End Approach): these techniques add a mark to the packet at the source end; the mark is verified at the packet's destination to judge the authenticity of the source address contained in the packet.
Traceback: a passive technique. It aims to obtain the path a packet traverses across the Internet; when an attack occurs, the address of the attack source is obtained by analysing the packet's route.
With the increasingly wide deployment of IPv6, protecting IPv6 source addresses from forgery has become a new requirement. However, no fine-grained path filtering scheme for IPv6 source addresses exists yet. Because there are far more IPv6 source addresses, prefix-level filtering schemes cannot effectively contain spoofed-source-address attacks. Therefore an IPv6 source address verification scheme at host granularity is needed. Considering the prevalence of dual-stack networks, the scheme must also protect IPv4 source addresses.
Summary of the invention
To address at least one of the above problems, the present invention proposes a method of verifying source addresses, comprising the following steps: a network access device determines whether a received packet is a packet from a host that is not directly connected, a data packet from a directly connected host, or a control packet from a directly connected host; if the packet comes from a host that is not directly connected, check whether its source address is present in the binding table; if present, discard the packet, and if not present, forward it; if the packet is a data packet from a directly connected host, check whether the combination of the packet's source address and its arrival port, or of the source address and the source link-layer address in the packet, is present in the binding table; if not present, discard the packet, and if present, forward it; if the packet is a control packet from a directly connected host, check whether its source address is legal; if the control packet from the directly connected host is illegal, discard it, and if it is legal, forward it; and operate on the binding relationships in the binding table according to the packet type.
The invention also proposes a device for verifying source addresses, comprising: a judging module, used to determine whether a received packet is a packet from a host that is not directly connected, a data packet from a directly connected host, or a control packet from a directly connected host; a first processing module, used, when the packet comes from a host that is not directly connected, to check whether the packet's source address is present in the binding table, discarding the packet if present and forwarding it if not present; a second processing module, used, when the packet is a data packet from a directly connected host, to check whether the combination of the packet's source address and its arrival port, or of the source address and the source link-layer address in the packet, is present in the binding table, discarding the packet if not present and forwarding it if present; a third processing module, used, when the packet is a control packet from a directly connected host, to check whether the packet's source address is legal, discarding the control packet if it is illegal and forwarding it if it is legal; and a binding operation module, used to operate on the bindings in the binding table according to the packet type.
The method and device for verifying source addresses proposed by the invention are fine-grained, are applicable to IPv6 and IPv4, and require no modification of hosts or existing protocols.
Description of drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily understood from the following description of embodiments in conjunction with the accompanying drawings, in which:
Fig. 1 is a binding state transition diagram according to an embodiment of the invention;
Fig. 2 is a flow chart of the method of verifying source addresses according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the device according to an embodiment of the invention.
Embodiment
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present invention, and are not to be construed as limiting it.
One embodiment of the present invention proposes a method of verifying source addresses; Figure 1 shows the flow chart of this method. The method comprises the following steps:
A network access device determines whether a received packet is a packet from a host that is not directly connected, a data packet from a directly connected host, or a control packet from a directly connected host;
If the packet comes from a host that is not directly connected, check whether its source address is present in the binding table; if present, discard the packet; if not present, forward it;
If the packet is a data packet from a directly connected host, check whether the combination of the packet's source address and its arrival port, or of the source address and the source link-layer address in the packet, is present in the binding table; if not present, discard the packet; if present, forward it;
If the packet is a control packet from a directly connected host, check whether its source address is legal; if the control packet from the directly connected host is illegal, discard it; if it is legal, forward it;
Operate on the bindings in the binding table according to the packet type.
As one embodiment of the invention, the method of verifying source addresses is implemented on the network access device to which the hosts are directly connected, for example a switch or a wireless access point (WAP). As one embodiment, a port of the switch on which the scheme is deployed must not be shared by multiple hosts, or alternatively the host interface must have a secure link-layer address; a secure link-layer address means the host's MAC (Media Access Control) address when 802.11i (the wireless security standard) or 802.1ae/af (the LAN security standards) is in use; a switch port not being shared by multiple hosts means that the interfaces of multiple hosts must not be connected to the same switch interface through devices such as hubs. If the scheme is deployed on a switch, some switch ports may connect to other access devices such as switches or routers, and these ports must be distinguished from the ports that directly connect hosts. As one embodiment, host-granularity source address filtering is not performed for hosts that are not directly connected to the device on which the scheme is deployed.
As one embodiment, after deployment, bindings between source addresses and the ports of the deployment device or the hosts' link-layer addresses are established, and packets are filtered. As one embodiment, one data structure, called the binding table in this specification, stores the bindings, and a further data structure, called the binding state table in this specification, stores the state and lifetime of each binding. As one embodiment, the binding table and the binding state table are modified according to control messages such as DHCPv4 (Dynamic Host Configuration Protocol version 4), DHCPv6 (Dynamic Host Configuration Protocol version 6), the Neighbor Discovery Protocol and ARP (Address Resolution Protocol), according to time, and according to other events.
As one embodiment of the invention, the source address filtering rules are established according to the following steps in sequence:
For static IP addresses, the deployment device adds to the binding table, by reading a configuration file or by manual entry by the device administrator, the binding between the static address and the port to which the host assigned that address is connected (if the deployment device is a switch and the port is used exclusively by the host) or that host's link-layer address (if the host uses a secure link-layer address). The deployment device sniffs the following types of messages from directly connected hosts: DHCPv4 Request, DHCPv6 Request, DHCPv6 Confirm, Duplicate Address Detection Neighbor Solicitation, and Gratuitous ARP. If the first message sniffed is one of these, the corresponding step below is entered:
If the message sniffed in the above step is a DHCPv4 Request, the deployment device waits for the DHCP Acknowledgement that the DHCP server or DHCP relay sends to this host. If the deployment device does not receive the DHCP Acknowledgement within a configured period (for example 10 seconds), it exits this step, returns to the step above and waits for the messages listed there. If the deployment device receives the DHCP Acknowledgement within the configured period (for example 10 seconds), it waits for the Gratuitous ARP sent by the host, whose destination address must be the destination address in the DHCP Acknowledgement. If the deployment device does not receive the Gratuitous ARP within a configured period (for example 1 second), it exits this step. If it does receive the Gratuitous ARP within that period, it waits for the ARP Reply messages with which other nodes on the same network answer the Gratuitous ARP. If the deployment device sniffs such an ARP Reply within a period (for example 1 second), it exits this step. If it sniffs no ARP Reply within that period (for example 1 second), it creates a new entry in the binding table that stores the binding between the address assigned in the DHCP server's DHCP Acknowledgement and the port to which the host is connected (if the deployment device is a switch and the port is used exclusively by the host) or the host's link-layer address (if the host uses a secure link-layer address); at the same time it adds this entry to the binding state table, with the entry's lifetime set to the address lease time indicated in the DHCP Acknowledgement and the entry's state marked as the DHCPv4 bound state, and exits this step;
If the message sniffed is a DHCPv6 Request or DHCPv6 Confirm, the deployment device waits for the DHCPv6 Reply that the DHCP server or DHCP relay sends to this host. If the deployment device does not receive the DHCPv6 Reply within a configured period (for example 10 seconds), it exits this step and waits for the messages listed in the step above. If the deployment device receives the DHCPv6 Reply within the configured period (for example 10 seconds), it waits for the Duplicate Address Detection Neighbor Solicitation sent by the host, whose destination address must be the address proposed in the DHCPv6 Reply. If the deployment device does not receive the Duplicate Address Detection Neighbor Solicitation within a configured period (for example 1 second), it exits this step. If it does receive it within that period, it waits for the Neighbor Advertisement messages with which other nodes on the same network answer the Duplicate Address Detection Neighbor Solicitation. If the deployment device sniffs such a Neighbor Advertisement within a period (for example 1 second), it exits this step. If it sniffs no Neighbor Advertisement within that period (for example 1 second), it creates a new entry in the binding table that stores the binding between the address assigned in the DHCP server's DHCPv6 Reply and the port to which the host is connected (if the deployment device is a switch and the port is used exclusively by the host) or the host's link-layer address (if the host uses a secure link-layer address); at the same time it adds this entry to the binding state table, with the entry's lifetime set to the address lease time indicated in the DHCPv6 Reply and the entry's state marked as the DHCPv6 bound state, and exits this step;
If the message sniffed is a Duplicate Address Detection Neighbor Solicitation, the deployment device waits for the Neighbor Advertisement messages with which other nodes on the same network answer it. If the deployment device sniffs such a Neighbor Advertisement within a period (for example 1 second), it exits this step. If it sniffs no Neighbor Advertisement within that period (for example 1 second), it creates a new entry in the binding table that stores the binding between the destination address of the Duplicate Address Detection Neighbor Solicitation and the port to which the host is connected (if the deployment device is a switch and the port is used exclusively by the host) or the host's link-layer address (if the host uses a secure link-layer address); at the same time it adds this entry to the binding state table, with the entry's lifetime set to a configurable stateless IPv6 address lifetime (for example 4 hours) and the entry's state marked as the stateless IPv6 bound state, and exits this step;
If the message sniffed is a Gratuitous ARP, the deployment device waits for the ARP Reply messages with which other nodes on the same network answer it. If the deployment device sniffs such an ARP Reply within a period (for example 1 second), it exits this step. If it sniffs no ARP Reply within that period (for example 1 second), it creates a new entry in the binding table that stores the binding between the destination address of the Gratuitous ARP and the port to which the host is connected (if the deployment device is a switch and the port is used exclusively by the host) or the host's link-layer address (if the host uses a secure link-layer address); at the same time it adds this entry to the binding state table, with the entry's lifetime set to a configurable manual IPv4 address lifetime (for example 4 hours) and the entry's state marked as the manual IPv4 bound state, and exits this step.
As one embodiment of the invention, modification of the binding table and the binding state table is carried out according to the following steps:
The deployment device sniffs the following types of messages from directly connected hosts: DHCPv4 Decline, DHCPv4 Release, DHCPv6 Decline and DHCPv6 Release; if such a message is received and the corresponding address was obtained by the host through DHCP, the corresponding entry is deleted from the binding table and the binding state table. At the same time, the deployment device sniffs any Neighbor Solicitation and ARP messages for a bound address of a directly connected host; if the host does not answer within a period (for example 2 seconds) and the address was assigned statelessly or manually, the binding is removed. In addition, the deployment device also sniffs DHCPv4 Renew/Rebind and DHCPv6 Renew/Rebind messages coming from the DHCP server; on such a message, the lifetime of the corresponding local binding is updated to the new lease time;
The deployment device monitors the lifetimes of the bindings in the binding state table. For entries established through the DHCP protocol, the binding is deleted when its lifetime reaches 0. For stateless and manually assigned addresses, a Neighbor Solicitation (for IPv6 addresses) or an ARP message (for IPv4 addresses) is sent to the corresponding host at the appropriate address; if there is no reply, the corresponding binding entry is deleted, and if there is a reply, the entry's lifetime is updated to a new lifetime (for example 4 hours). Binding entries for statically configured addresses are never actively deleted;
If a directly connected host disconnects from the deployment device, all bindings relating to that host are deleted.
As one embodiment of the invention, packets are filtered using the source address filtering rules according to the following steps in sequence:
This scheme distinguishes packets from directly connected hosts from packets from hosts that are not directly connected; the latter are packets sent by hosts that reach the device on which this scheme is deployed through other network devices and that pass through this deployment device. Distinguishing the two classes depends on the configuration of the deployment device: if the scheme is deployed on a switch, it must be explicitly configured which switch ports connect to directly connected hosts and which connect to other network devices; if the scheme is deployed on a wireless access point, it must be explicitly configured which link-layer addresses belong to other wireless access devices;
For packets from hosts that are not directly connected, the scheme only determines whether the packet's source address has been assigned to a local host: if the address is in use by a local host the packet is discarded, and if the address is not in use the packet is forwarded;
For all packets from directly connected hosts, the scheme first distinguishes data packets from control messages (DHCPv4, DHCPv6, Neighbor Discovery Protocol, ARP). Data packets are strictly filtered against the established filter rule table, that is, if the packet's IP source address together with the port or link-layer address of the sending host is inconsistent with the entry in the binding table, or no such binding exists, the packet is discarded. Control messages must be inspected, and are afterwards either used to establish a new binding, used to modify the state of an existing binding, or forwarded directly;
Control messages from directly connected hosts must pass a source address check before being forwarded and/or being used to trigger modification of the source address bindings in the binding table and the binding state table. For a Neighbor Solicitation, the source address must be an address already bound to this host, or the all-zero address; for a Neighbor Advertisement, both the source address and the destination address must be addresses already bound to this host; for an ARP message, the source IP address must be an address already bound to this host, or the message must be a Gratuitous ARP; for a DHCP message, the source address must be the all-zero address or an address already bound to this host. Messages that do not satisfy these requirements are discarded directly; messages that do satisfy them are used to establish or modify the corresponding bindings, and are forwarded.
Figure 2 shows a binding state transition diagram according to an embodiment of the invention. As one embodiment of the invention, the method of verifying source addresses comprises the following steps:
First, packets from directly connected hosts are distinguished from packets from hosts that are not directly connected. Packets from hosts that are not directly connected are processed as follows:
Step 1: check whether the packet's source address is present in the binding table. If present, discard the packet; if not present, forward it.
For packets from directly connected hosts, the invention first distinguishes data packets from control packets. Data packets are processed as follows:
Step 2: check whether the combination of the packet's source address and its arrival port (if deployed on a switch), or of the source address and the source link-layer address in the packet (if secure link-layer addresses are used), is present in the binding table. If not present, discard the packet; if present, forward it.
Control packets from directly connected hosts are processed as follows:
Step 3: the method processes control packets from directly connected hosts in the following sub-steps:
Step 3.1: check whether the packet's source address is legal. For all DHCP, ARP and NDP (Neighbor Discovery Protocol) packets, the source address must be an address already bound to this host, or the all-zero address (for DHCP and Neighbor Solicitation), or the packet must be a Gratuitous ARP. For a Neighbor Advertisement, additionally check that its destination address is an address already bound to this host. Discard illegal packets.
Step 3.2: DHCPv4 Request, DHCPv6 Request, DHCPv6 Confirm, Gratuitous ARP and Duplicate Address Detection Neighbor Solicitation messages trigger the establishment of bindings.
Step 3.3: DHCPv4 Decline, DHCPv4 Release, DHCPv6 Decline and DHCPv6 Release remove existing bindings that were triggered by DHCP messages.
Step 3.4: forward all legal packets.
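The forwarding decisions of Steps 1 to 3, together with the control-message source checks stated earlier for Neighbor Solicitation, Neighbor Advertisement, ARP and DHCP, as an added Python example that is not part of the patent. The binding table is assumed to be a mapping from IP address to the host identifier (switch port or secure link-layer address); the packet type labels and sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed binding table: bound IP source address -> host identifier
# (switch port when deployed on a switch, secure link-layer address otherwise).
BINDINGS = {
    "192.0.2.10": "port1",
    "2001:db8::10": "port2",
}
UNSPECIFIED = {"0.0.0.0", "::"}            # the "all-zero" source address of the text


@dataclass
class Packet:
    src: str                                # IP source address
    host_id: str                            # arrival port or source link-layer address
    direct: bool                            # from a directly connected host?
    ptype: str = "DATA"                     # DATA, DHCP, ARP, GARP (gratuitous ARP), NS, NA
    target: Optional[str] = None            # destination address checked for NA (Step 3.1)


def control_is_legal(pkt: Packet, bindings: dict) -> bool:
    """Step 3.1 source check for a control packet from a directly connected host."""
    bound_to_host = bindings.get(pkt.src) == pkt.host_id
    if pkt.ptype == "GARP":                 # gratuitous ARP may carry an unbound source
        return True
    if pkt.ptype in ("DHCP", "NS") and pkt.src in UNSPECIFIED:
        return True                         # all-zero source allowed only for DHCP and NS
    if pkt.ptype == "NA":                   # source and destination must both be bound
        return bound_to_host and bindings.get(pkt.target) == pkt.host_id
    return bound_to_host                    # ARP, DHCP, NS with a concrete source


def filter_packet(pkt: Packet, bindings: dict):
    """Return ('forward' | 'drop', reason) following Steps 1 to 3 of the method."""
    if not pkt.direct:
        # Step 1: an address bound to a local host must not arrive from elsewhere
        if pkt.src in bindings:
            return "drop", "step1: local address arriving from a non-direct host"
        return "forward", "step1: source not assigned to a local host"
    if pkt.ptype == "DATA":
        # Step 2: strict match of (source address, port or link-layer address)
        if bindings.get(pkt.src) == pkt.host_id:
            return "forward", "step2: binding matches"
        return "drop", "step2: no matching binding"
    # Step 3: control packet; only legal ones are forwarded (and may update bindings)
    if control_is_legal(pkt, bindings):
        return "forward", "step3: legal control packet"
    return "drop", "step3: illegal control packet source"


if __name__ == "__main__":
    samples = [
        Packet("192.0.2.10", "uplink", direct=False),               # spoofed from upstream
        Packet("192.0.2.10", "port3", direct=True),                 # spoofed by a neighbour
        Packet("0.0.0.0", "port3", direct=True, ptype="DHCP"),      # DHCP discover/request
        Packet("::", "port2", direct=True, ptype="NA"),             # NA with all-zero source
    ]
    for p in samples:
        print(p.src, p.ptype, *filter_packet(p, BINDINGS))
```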
In order to establish, modify and delete bindings correctly, the invention also needs to sniff the control messages arriving at the local network, in the following steps:
Step 4: the method sniffs control messages arriving at the local network and establishes, modifies and deletes bindings accordingly.
Step 4.1: DHCPv4 Acknowledgement and DHCPv6 Reply are used to establish bindings.
Step 4.2: ARP messages and Neighbor Solicitation messages for a locally bound address are used to query whether the bound local address is still in use. If the query receives no answer, the binding is deleted.
Step 4.3: ARP Responses (address resolution protocol replies) and Neighbor Advertisements for a local address that is not yet in a fully bound state are used to delete that binding.
How to set up, revise and delete binding in order to offer some clarification on, as follows to the step of various situations, as shown in Figure 1.
Step 5: this step explains how a binding is established according to the DHCPv4 protocol, and how that binding is modified and deleted:
Step 5.1: if a DHCPv4 Request message is snooped from a directly connected host, the deployed device creates a new binding in the binding state table, with the binding's state set to the DHCPv4 initial state.
Step 5.2: if a DHCPv4 Acknowledgement message is sent to this host, the deployed device records the address in the binding and notes the lease time. The binding's state is changed to the DHCPv4 active state. If this message is not received within a certain period of time, the binding is deleted.
Step 5.3: if a Gratuitous ARP message sent by the host for this address is received, the binding's state is changed to the DHCPv4 acquiring state. If this message is not received within a period of time, the binding is deleted.
Step 5.4: if a DHCPv4 Decline message sent by the host for this address is received, the binding is deleted. If no ARP Response to the Gratuitous ARP message is received within a period of time, the binding's state is changed to the DHCPv4 bound state. If an ARP Response sent by another host for this address is received, the binding is deleted.
Step 5.5: if a DHCPv4 Renew/Rebind message sent by the DHCP server for this address is received, the binding's lifetime is updated to the new lease time.
Step 5.6: if a DHCPv4 Release message sent by the host is received, or the host disconnects from the deployed device, or the binding's lifetime expires, the corresponding binding is deleted.
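As an added illustration of steps 5.1 to 5.6 (this is example code, not code from the patent), the following Python models the DHCPv4 binding state machine as a table driven by snooped control messages and a periodic timer. The class and method names, the timer values, and the rule that an entry is copied into the binding relationship table only when it reaches the bound state are assumptions of this example; the description gives no concrete values. The DHCPv6 machine of step 6 has the same shape, with Request/Confirm, Reply, Duplicate Address Detection Neighbor Solicitation, Neighbor Advertisement, Decline, Renew/Rebind and Release in place of the DHCPv4 messages.

```python
# Added example (not the patent's own code): the DHCPv4 binding state machine of steps
# 5.1 to 5.6, driven by snooped control messages and a timer. Timer values are assumptions.
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, Optional, Set, Tuple


class State(Enum):
    DHCPV4_INITIAL = auto()    # step 5.1: Request snooped, waiting for the Acknowledgement
    DHCPV4_ACTIVE = auto()     # step 5.2: address and lease recorded, waiting for Gratuitous ARP
    DHCPV4_ACQUIRING = auto()  # step 5.3: Gratuitous ARP seen, watching for a conflicting ARP Response
    DHCPV4_BOUND = auto()      # step 5.4: no conflict seen, entry is now used for filtering


# Assumed timer values in seconds; the description only says "a certain period of time".
ACK_TIMEOUT = 10.0
GARP_TIMEOUT = 10.0
CONFLICT_WINDOW = 3.0


@dataclass
class Binding:
    port: int
    address: Optional[str]   # None until the Acknowledgement has been snooped
    state: State
    deadline: float          # when the current waiting state times out
    lease_end: float = 0.0   # absolute end of the DHCP lease, i.e. the binding's lifetime


class DHCPv4BindingTable:
    def __init__(self) -> None:
        self.pending: Dict[int, Binding] = {}                  # initial-state bindings, per port
        self.state_table: Dict[Tuple[int, str], Binding] = {}  # binding state table
        self.relationship_table: Set[Tuple[int, str]] = set()  # binding relationship table (filtering)

    def on_request(self, port: int, now: float) -> None:
        """Step 5.1: DHCPv4 Request snooped from a directly connected host."""
        self.pending[port] = Binding(port, None, State.DHCPV4_INITIAL, now + ACK_TIMEOUT)

    def on_acknowledgement(self, port: int, address: str, lease: float, now: float) -> None:
        """Step 5.2: Acknowledgement sent to the host; record address and lease time."""
        b = self.pending.pop(port, None)
        if b is None:                      # no Request was seen on this port: nothing to bind
            return
        b.address, b.state = address, State.DHCPV4_ACTIVE
        b.deadline, b.lease_end = now + GARP_TIMEOUT, now + lease
        self.state_table[(port, address)] = b

    def on_gratuitous_arp(self, port: int, address: str, now: float) -> None:
        """Step 5.3: host announces the address; open the conflict window."""
        b = self.state_table.get((port, address))
        if b and b.state == State.DHCPV4_ACTIVE:
            b.state, b.deadline = State.DHCPV4_ACQUIRING, now + CONFLICT_WINDOW

    def on_arp_response(self, port: int, address: str) -> None:
        """Step 5.4: an ARP Response for the address from another port is a conflict."""
        for key, b in list(self.state_table.items()):
            if b.address == address and b.state == State.DHCPV4_ACQUIRING and b.port != port:
                self._delete(key)

    def on_renew_rebind(self, port: int, address: str, lease: float, now: float) -> None:
        """Step 5.5: Renew/Rebind for the address; the lifetime becomes the new lease time."""
        b = self.state_table.get((port, address))
        if b:
            b.lease_end = now + lease

    def on_decline_or_release(self, port: int, address: str) -> None:
        """Steps 5.4 and 5.6: Decline or Release from the host removes the binding."""
        self._delete((port, address))

    def on_port_down(self, port: int) -> None:
        """Step 5.6: the host disconnected from the device."""
        self.pending.pop(port, None)
        for key in [k for k in self.state_table if k[0] == port]:
            self._delete(key)

    def tick(self, now: float) -> None:
        """Timer-driven transitions; call periodically with the current time."""
        for port in [p for p, b in self.pending.items() if now >= b.deadline]:
            del self.pending[port]         # step 5.2: no Acknowledgement in time
        for key, b in list(self.state_table.items()):
            if now >= b.lease_end:         # step 5.6: lease expired
                self._delete(key)
            elif b.state == State.DHCPV4_ACTIVE and now >= b.deadline:
                self._delete(key)          # step 5.3: no Gratuitous ARP in time
            elif b.state == State.DHCPV4_ACQUIRING and now >= b.deadline:
                b.state = State.DHCPV4_BOUND       # step 5.4: no conflicting reply
                self.relationship_table.add(key)

    def _delete(self, key: Tuple[int, str]) -> None:
        self.state_table.pop(key, None)
        self.relationship_table.discard(key)

    def state_of(self, port: int, address: str) -> Optional[State]:
        b = self.state_table.get((port, address))
        return b.state if b else None
```

The filter consults only `relationship_table`, so a host that has merely requested an address, or whose announcement drew a conflicting ARP Response from another port, never gains a forwarding entry; the deletions in `tick` and `on_port_down` also remove the filtering entry, which keeps the two tables consistent as the description requires.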
Step 6: this step explains how a binding is established according to the DHCPv6 protocol, and how that binding is modified and deleted:
Step 6.1: if a DHCPv6 Request/Confirm message is snooped from a directly connected host, the deployed device creates a new binding in the binding state table, with the binding's state set to the DHCPv6 initial state.
Step 6.2: if a DHCPv6 Reply message is sent to this host, the deployed device records the address in the binding and notes the lease time. The binding's state is changed to the DHCPv6 active state. If this message is not received within a certain period of time, the binding is deleted.
Step 6.3: if a Duplicate Address Detection Neighbor Solicitation message sent by the host for this address is received, the binding's state is changed to the DHCPv6 acquiring state. If this message is not received within a period of time, the binding is deleted.
Step 6.4: if a DHCPv6 Decline message sent by the host for this address is received, the binding is deleted. If no Neighbor Advertisement for the Duplicate Address Detection Neighbor Solicitation message is received within a period of time, the binding's state is changed to the DHCPv6 bound state. If a Neighbor Advertisement sent by another host for this address is received, the binding is deleted.
Step 6.5: if a DHCPv6 Renew/Rebind message sent by the DHCP server for this address is received, the binding's lifetime is updated to the new lease time.
Step 6.6: if a DHCPv6 Release message sent by the host is received, or the host disconnects from the deployed device, or the binding's lifetime expires, the corresponding binding is deleted.
Step 7: this step explains how a binding is established according to the Neighbor Discovery Protocol, and how that binding is modified and deleted:
Step 7.1: if a Duplicate Address Detection Neighbor Solicitation message sent by the host for some address is received, the binding's state is changed to the IPv6 stateless initial state, and the destination address of the message is recorded in the binding.
Step 7.2: if no Neighbor Advertisement for the Duplicate Address Detection Neighbor Solicitation message is received within a period of time, the binding's state is changed to the IPv6 stateless bound state. If a Neighbor Advertisement sent by another host for this address is received, the binding is deleted.
Step 7.3: if a Neighbor Solicitation message for an address in the IPv6 stateless bound state is received and the host does not reply, the binding is deleted; if the host does reply, the binding's lifetime is reset to the maximum lifetime.
Step 7.4: if the host disconnects from the deployed device, the corresponding binding is deleted. If the binding's lifetime expires, the deployed device sends a Neighbor Solicitation message for this address; if a reply is obtained, the binding's lifetime is reset to the maximum lifetime; if there is no reply, the binding is deleted.
Step 8: this step explains how a binding is established according to the ARP protocol, and how that binding is modified and deleted:
Step 8.1: if a Gratuitous ARP message sent by the host for some address is received, the binding's state is changed to the IPv4 manual initial state, and the destination address of the message is recorded in the binding.
Step 8.2: if no ARP Response to the Gratuitous ARP message is received within a period of time, the binding's state is changed to the IPv4 manual bound state. If an ARP Response sent by another host for this address is received, the binding is deleted.
Step 8.3: if an ARP Request message for an address in the IPv4 manual bound state is received and the host does not reply, the binding is deleted; if the host does reply, the binding's lifetime is reset to the maximum lifetime.
Step 8.4: if the host disconnects from the deployed device, the corresponding binding is deleted. If the binding's lifetime expires, the deployed device sends an ARP Request message for this address; if a reply is obtained, the binding's lifetime is reset to the maximum lifetime; if there is no reply, the binding is deleted.
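The stateless machines of steps 7 (NDP) and 8 (ARP) share one shape: an announcement (a Duplicate Address Detection Neighbor Solicitation or a Gratuitous ARP) opens a conflict window, a conflicting reply from another host deletes the entry, and a bound entry is kept alive only while the host answers liveness probes. The added example below (example code, not the patent's own) implements that shape once for both protocols; the timer values, the maximum lifetime, and all names are assumptions, and the `tick` method returns the addresses the device itself should probe under steps 7.4 and 8.4 rather than sending anything.

```python
# Added example (not the patent's own code): the stateless binding state machine shared by
# steps 7.1 to 7.4 (NDP) and 8.1 to 8.4 (ARP). Timer values are assumptions.
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Optional, Set, Tuple


class State(Enum):
    INITIAL = auto()   # steps 7.1 / 8.1: announcement seen, conflict window open
    BOUND = auto()     # steps 7.2 / 8.2: no conflicting reply, entry used for filtering


CONFLICT_WINDOW = 3.0   # assumed: how long to wait for a conflicting NA / ARP Response
PROBE_TIMEOUT = 2.0     # assumed: how long the host has to answer a liveness probe
MAX_LIFETIME = 1000.0   # assumed "maximum lifetime" of a stateless binding


@dataclass
class Binding:
    port: int
    address: str
    state: State
    deadline: float                         # end of the conflict window (INITIAL) or lifetime (BOUND)
    probe_deadline: Optional[float] = None  # set while a liveness probe is outstanding


class StatelessBindingTable:
    def __init__(self) -> None:
        self.state_table: Dict[Tuple[int, str], Binding] = {}  # binding state table
        self.relationship_table: Set[Tuple[int, str]] = set()  # binding relationship table (filtering)

    def on_announcement(self, port: int, address: str, now: float) -> None:
        """Steps 7.1 / 8.1: host announces an address (DAD NS or Gratuitous ARP)."""
        self.state_table[(port, address)] = Binding(port, address, State.INITIAL, now + CONFLICT_WINDOW)

    def on_advertisement(self, port: int, address: str, now: float) -> None:
        """NA / ARP Response for the address. From another port during the conflict window it is
        a conflict (steps 7.2 / 8.2); from the bound host it answers a probe (steps 7.3 / 7.4 / 8.3 / 8.4)."""
        for key, b in list(self.state_table.items()):
            if b.address != address:
                continue
            if b.port != port and b.state == State.INITIAL:
                self._delete(key)
            elif b.port == port and b.state == State.BOUND and b.probe_deadline is not None:
                b.probe_deadline = None
                b.deadline = now + MAX_LIFETIME          # lifetime reset to the maximum

    def on_solicitation(self, port: int, address: str, now: float) -> None:
        """Steps 7.3 / 8.3: a bound address is solicited; the host must answer in time."""
        b = self.state_table.get((port, address))
        if b and b.state == State.BOUND and b.probe_deadline is None:
            b.probe_deadline = now + PROBE_TIMEOUT

    def on_port_down(self, port: int) -> None:
        """Steps 7.4 / 8.4: the host disconnected from the device."""
        for key in [k for k in self.state_table if k[0] == port]:
            self._delete(key)

    def tick(self, now: float) -> List[Tuple[int, str]]:
        """Timer-driven transitions. Returns the (port, address) pairs the device should now
        probe with its own Neighbor Solicitation / ARP Request (steps 7.4 / 8.4)."""
        probes: List[Tuple[int, str]] = []
        for key, b in list(self.state_table.items()):
            if b.state == State.INITIAL and now >= b.deadline:
                b.state, b.deadline = State.BOUND, now + MAX_LIFETIME   # no conflict seen
                self.relationship_table.add(key)
            elif b.state == State.BOUND and b.probe_deadline is not None and now >= b.probe_deadline:
                self._delete(key)                        # host did not answer the probe
            elif b.state == State.BOUND and now >= b.deadline:
                b.probe_deadline = now + PROBE_TIMEOUT   # lifetime expired: probe before deleting
                probes.append(key)
        return probes

    def _delete(self, key: Tuple[int, str]) -> None:
        self.state_table.pop(key, None)
        self.relationship_table.discard(key)
```

Because the lifetime is only ever extended by a reply from the bound port itself, a host that stops answering loses its filtering entry after one probe timeout, while a reply from any other port during the conflict window removes a tentative entry before it can be used for forwarding.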
As one embodiment of the invention, the binding relationship uses two data structures, the binding relationship table and the binding state table, shown in Table 1 and Table 2. The binding relationship table stores the binding itself and is used for filtering. The binding state table stores the state and lifetime of each binding and is not used directly for filtering.
Table 1: binding relationship table
Table 2: binding state table
Fig. 3 shows a schematic diagram of the device according to an embodiment of the invention. The switch of this embodiment has some directly connected hosts and some hosts that are connected through other network devices. The switch of this embodiment comprises:
a judge module, used to judge whether a received message is a message from a host that is not directly connected, a data message from a directly connected host, or a control message from a directly connected host;
a first processing module, used, when the message comes from a host that is not directly connected, to check whether the source address of the message is present in the binding relationship table; if present, the message is discarded; if not present, the message is forwarded;
a second processing module, used, when the message is a data message from a directly connected host, to check whether the combination of the message's source address and its arrival port, or of the message's source address and the source link-layer address in the message, is present in the binding relationship table; if not present, the message is discarded; if present, the message is forwarded;
a third processing module, used, when the message is a control message from a directly connected host, to check whether the source address of the message is legal; if the control message from the directly connected host is illegal, the message is discarded; if it is legal, the message is forwarded;
a binding operation module, used to operate on the binding relationships in the binding relationship table according to the type of the message.
As an example, the binding relationship table is:
Port 1, address 10.1.1.1
Port 1, address 2001::1
Port 1, address 2002::1
The binding state table is:
Port 1, address 10.1.1.1, DHCPv4 bound, lifetime 65535
Port 1, address 2001::1, DHCPv6 bound, lifetime 65535
Port 1, address 2002::1, IPv6 stateless bound, lifetime 650
The switch establishes binding relationships by snooping control messages, and the bindings are stored in the binding relationship table and the binding state table. In the example in the figure, the switch has established the address bindings on port 1 by snooping, and port 1 is directly connected to a host. The address 10.1.1.1 assigned by DHCPv4, the address 2001::1 assigned by DHCPv6, and the address 2002::1 obtained in stateless mode are bound to port 1.
After the above bindings are established, no message from port 2 or port 3 is allowed to carry any of the above source addresses. Port 2 is directly connected to another host, while port 3 connects to other network devices. Other addresses can still be requested on port 2 and bound. Although messages requesting addresses also arrive on port 3, the device does not bind addresses on port 3.
The source address verification method and device proposed by the invention support IPv4 and IPv6, reach host granularity, do not modify hosts or protocol stacks, add no new protocol, and accommodate all address assignment methods. Compared with ingress filtering, it offers fine granularity and IPv6 support. Compared with IP Source Guard (IP source address protection), it supports IPv6. Compared with other methods, its main advantages are that it does not modify hosts and that it accommodates all address assignment methods. The invention can be implemented as an extended function of switches, routers and wireless access points (WAP).
Although embodiments of the invention have been illustrated and described, those of ordinary skill in the art will appreciate that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.
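The forwarding decision of the judge module and the three processing modules, with the three-port example above as its input, as an added example (example code, not the patent's own): the binding relationship table holds the three port 1 entries from the example, ports 1 and 2 are the directly connected ports and port 3 the uplink, and the legality test for control messages follows the rules stated in claim 2 below (source address already bound to this host or all-zero, gratuitous ARP always legal, Neighbor Advertisement legal when its destination address is bound to this host). The message field names, the link-layer addresses and the use of an address-keyed dictionary for the table are assumptions of this example.

```python
# Added example (not the patent's own code): the forwarding decision of the network access
# device for the three message classes, using the port 1 bindings from the description.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

DROP, FORWARD = "drop", "forward"
ALL_ZERO = {"0.0.0.0", "::"}          # unspecified source addresses allowed in control messages


@dataclass
class Message:
    port: int                     # arrival port on the device
    src_ip: str                   # IP source address
    src_mac: str                  # source link-layer address
    control: bool = False         # True for DHCP / ARP / NDP control messages
    kind: str = ""                # "DHCP", "ARP", "GARP", "NDP" or "NA" (control messages only)
    dst_ip: Optional[str] = None  # destination address, checked for Neighbor Advertisements


class SourceAddressFilter:
    def __init__(self, direct_ports: Iterable[int], bindings: Dict[str, Tuple[int, str]]) -> None:
        self.direct_ports = set(direct_ports)
        # binding relationship table: bound address -> (port, link-layer address)
        self.bindings = dict(bindings)

    def classify(self, m: Message) -> str:
        """Judge module: which of the three message classes the message belongs to."""
        if m.port not in self.direct_ports:
            return "indirect"
        return "control" if m.control else "data"

    def decide(self, m: Message) -> str:
        kind = self.classify(m)
        if kind == "indirect":
            # First processing module: a bound address must never arrive from elsewhere.
            return DROP if m.src_ip in self.bindings else FORWARD
        if kind == "data":
            # Second processing module: (source address, port) or (source address,
            # link-layer address) must be a bound combination.
            entry = self.bindings.get(m.src_ip)
            if entry and (entry[0] == m.port or entry[1] == m.src_mac):
                return FORWARD
            return DROP
        # Third processing module: control messages pass only if the source check succeeds.
        return FORWARD if self.control_is_legal(m) else DROP

    def control_is_legal(self, m: Message) -> bool:
        """Source address check for control messages, following claim 2."""
        if m.kind == "GARP":
            return True
        if m.kind == "NA":
            return m.dst_ip is not None and self.bound_to(m.dst_ip, m.port)
        if m.kind in ("DHCP", "ARP", "NDP"):
            return m.src_ip in ALL_ZERO or self.bound_to(m.src_ip, m.port)
        return False

    def bound_to(self, address: str, port: int) -> bool:
        entry = self.bindings.get(address)
        return entry is not None and entry[0] == port


# Constructed topology from the description: port 1 host with three bound addresses,
# port 2 another directly connected host, port 3 an uplink to other network devices.
MAC1, MAC2, MAC3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"  # constructed
EXAMPLE_FILTER = SourceAddressFilter(
    direct_ports=[1, 2],
    bindings={"10.1.1.1": (1, MAC1), "2001::1": (1, MAC1), "2002::1": (1, MAC1)},
)
```

With this table, a data message from port 2 or port 3 carrying 10.1.1.1, 2001::1 or 2002::1 is dropped, the port 1 host's own traffic is forwarded, and a DHCP request with the all-zero source from port 2 still passes, which is what allows a new address to be requested and bound there.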

Claims (8)

1. A method for verifying a source address, characterized in that it comprises the following steps:
a network access device judges whether a received message is a message from a host that is not directly connected, a data message from a directly connected host, or a control message from a directly connected host;
if the message is a message from a host that is not directly connected, checking whether the source address of the message is present in the binding relationship table; if present, discarding the message; if not present, forwarding the message;
if the message is a data message from a directly connected host, checking whether the combination of the message's IP source address and its arrival port, or the combination of the message's IP source address and the source link-layer address in the message, is present in the binding relationship table; if not present, discarding the message; if present, forwarding the message;
if the message is a control message from a directly connected host, judging by a source address check whether the message is legal; if the control message from the directly connected host is illegal, discarding the message; if the control message from the directly connected host is legal, forwarding the message;
operating on the binding relationships in the binding relationship table according to the control messages from directly connected hosts that have passed the source address check.
2. The method for verifying a source address according to claim 1, characterized in that the step of checking whether a control message from a directly connected host is legal comprises:
for Dynamic Host Configuration Protocol (DHCP), ARP and Neighbor Discovery Protocol (NDP) messages, if the source address is an address already bound to the host, or the all-zero address, judging the message legal;
if the message is a gratuitous ARP message, judging the message legal;
for a Neighbor Advertisement message, if its destination address is an address already bound to this host, judging the message legal.
3. The method for verifying a source address according to claim 1, characterized in that operating on the binding relationships in the binding relationship table comprises:
establishing binding relationships according to DHCP version 4 (DHCPv4) Acknowledgement messages and DHCP version 6 (DHCPv6) Reply messages;
querying, by ARP messages and Neighbor Solicitation messages addressed to locally bound addresses, whether a locally bound address is still in use, and deleting the binding relationship if the query receives no reply;
deleting the binding relationship according to ARP reply and Neighbor Advertisement messages for addresses that are not yet in the locally bound state.
4. The method for verifying a source address according to claim 1, characterized in that operating on the binding relationships in the binding relationship table comprises:
if the message is a DHCPv4 Request message snooped from a directly connected host, creating a new binding relationship in the binding state table, with the state of the binding relationship set to the DHCPv4 initial state;
if the message is a DHCPv4 Acknowledgement message, recording the address in the binding relationship table and noting the lease time, and setting the state of the binding relationship to the DHCPv4 active state; if this message is not received within a certain period of time, deleting the binding relationship;
if the message is a gratuitous ARP message sent by the host for this address, setting the state of the binding relationship to the DHCPv4 acquiring state; if this message is not received within a certain period of time, deleting the binding relationship;
if the message is a DHCPv4 Decline message sent by the host for this address, deleting the binding relationship; if no ARP reply to the gratuitous ARP message is received within a certain time, setting the state of the binding relationship to the DHCPv4 bound state; if an ARP reply sent by another host for this address is received, deleting the binding relationship;
if the message is a DHCPv4 Renew/Rebind message sent by the DHCP server for this address, changing the lifetime of the binding relationship to the new lease time;
if the message is a DHCPv4 Release message sent by the host, or the host disconnects from the network access device, or the lifetime of the binding expires, deleting the corresponding binding relationship.
5. The method for verifying a source address according to claim 1, characterized in that operating on the binding relationships in the binding relationship table comprises:
if the message is a DHCPv6 Request/Confirm message snooped from a directly connected host, creating a new binding relationship in the binding state table, with the state of the binding relationship set to the DHCPv6 initial state;
if the message is a DHCPv6 Reply message sent to the host, the network access device records the address in the binding relationship table and notes the lease time, and sets the state of the binding relationship to the DHCPv6 active state; if this message is not received within a certain period of time, deleting the binding relationship;
if the message is a Duplicate Address Detection Neighbor Solicitation message sent by the host for this address, setting the state of the binding relationship to the DHCPv6 acquiring state; if this message is not received within a period of time, deleting the binding relationship;
if a DHCPv6 Decline message sent by the host for this address is received, deleting the binding relationship; if no Neighbor Advertisement for the Duplicate Address Detection Neighbor Solicitation message is received within a certain time, setting the state of the binding relationship to the DHCPv6 bound state; if a Neighbor Advertisement sent by another host for this address is received, deleting the binding relationship;
if the message is a DHCPv6 Renew/Rebind message sent by the DHCP server for this address, changing the lifetime of the binding relationship to the new lease time;
if the message is a DHCPv6 Release message sent by the host, or the host disconnects from the network access device, or the lifetime of the binding expires, deleting the corresponding binding relationship.
6. The method for verifying a source address according to claim 1, characterized in that operating on the binding relationships in the binding relationship table comprises:
if a Duplicate Address Detection Neighbor Solicitation message sent by the host for some address is received, setting the state of the binding to the IPv6 stateless initial state, and recording the destination address of the message in the binding relationship table;
if no Neighbor Advertisement for the Duplicate Address Detection Neighbor Solicitation message is received within a period of time, setting the state of the binding relationship to the IPv6 stateless bound state; if a Neighbor Advertisement sent by another host for this address is received, deleting the binding relationship;
if a Neighbor Solicitation message for an address in the IPv6 stateless bound state is received and the host does not reply, deleting the binding relationship; if the host replies, setting the lifetime of the binding relationship to the maximum lifetime;
if the host disconnects from the network access device, deleting the corresponding binding relationship; if the lifetime of the binding relationship expires, the network access device sends a Neighbor Solicitation message for this address; if a reply is obtained, resetting the lifetime of the binding relationship to the maximum lifetime; if there is no reply, deleting the binding relationship.
7. The method for verifying a source address according to claim 1, characterized in that operating on the binding relationships in the binding relationship table comprises:
if a gratuitous ARP message sent by the host for some address is received, setting the state of the binding to the IPv4 manual initial state, and recording the destination address of the message in the binding relationship table;
if no ARP reply message to the gratuitous ARP message is received within a certain period of time, setting the state of the binding relationship to the IPv4 manual bound state; if an ARP reply message sent by another host for this address is received, deleting the binding relationship;
if an ARP request message for an address in the IPv4 manual bound state is received and the host does not reply, deleting the binding relationship; if the host replies, setting the lifetime of the binding relationship to the maximum lifetime;
if the host disconnects from the network access device, deleting the corresponding binding relationship; if the lifetime of the binding relationship expires, the network access device sends an ARP request message for this address; if a reply is obtained, setting the lifetime of the binding relationship to the maximum lifetime; if there is no reply, deleting the binding relationship.
8. A device for verifying a source address, characterized in that it comprises:
a judge module, used to judge whether a received message is a message from a host that is not directly connected, a data message from a directly connected host, or a control message from a directly connected host;
a first processing module, used, when the message comes from a host that is not directly connected, to check whether the source address of the message is present in the binding relationship table; if present, the message is discarded; if not present, the message is forwarded;
a second processing module, used, when the message is a data message from a directly connected host, to check whether the combination of the message's IP source address and its arrival port, or the combination of the message's IP source address and the source link-layer address in the message, is present in the binding relationship table; if not present, the message is discarded; if present, the message is forwarded;
a third processing module, used, when the message is a control message from a directly connected host, to judge by a source address check whether the message is legal; if the control message from the directly connected host is illegal, the message is discarded; if the control message from the directly connected host is legal, the message is forwarded;
a binding operation module, used to operate on the binding relationships in the binding relationship table according to the control messages from directly connected hosts that have passed the source address check.
Application CN2009100881906A, priority date 2009-07-10, filed 2009-07-10: Method and device for verifying source address based on control message monitoring; granted as CN101605070B (en), status Active.
Publications (2)
CN101605070A (en), published 2009-12-16
CN101605070B (en), published 2011-09-14 (granted)