CN101931662A - Method and system for conflicted address detection and address resolution/address unreachable detection - Google Patents


Publication number
CN101931662A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2010102676985A
Other languages
Chinese (zh)
Other versions
CN101931662B (en)
Inventor
毕军
姚广
王森
胡虹雨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Original Assignee
Tsinghua University


Abstract

The invention discloses a system for address conflict detection, address resolution and address unreachability detection, applied to network nodes running an IPv6 (Internet Protocol version 6) protocol stack and comprising a request node and a response node. The request node computes a one-way hash value of an IP (Internet Protocol) address that it has generated, or of the IP address to be resolved or probed, and publishes the hash value to the other nodes on the same link. A response node that is configured with an IP address having the same hash value as the one published by the request node replies to the request node with that IP address after receiving the published message, and the request node correspondingly performs address conflict detection, address resolution or address unreachability detection according to the IP addresses in the responses. The invention can improve the reliability and availability of stateless address autoconfiguration in an IPv6 network.

Description

Method and system for conflicted address detection and address resolution/address unreachable detection
Technical field
The invention belongs to the field of Internet technology, and in particular relates to Internet Protocol version 6 (IPv6) stateless address autoconfiguration (SLAAC).
Background
IPv6 is widely used as the main protocol of the next-generation Internet. The SLAAC protocol provides stateless, automatic address configuration for IPv6 hosts. Within SLAAC, the address conflict detection (DAD) mechanism lets a host check whether an address it has generated itself is unique.
However, in an open access network an attacker can abuse the DAD mechanism: by continuously replying to probes, a malicious node directly attacks the address exposed in the solicitation message, so that other hosts cannot configure an address normally. At the same time, the DAD mechanism cannot prevent a host from using an address that is already in use when probe packets are lost, which causes an address conflict.
In addition, the same security and integrity problems exist in address resolution and in address unreachability detection.
Summary of the invention
The purpose of the present invention is to solve at least one of the above problems in the prior art.
To this end, embodiments of the invention propose secure methods for address conflict detection, address resolution and address unreachability detection that improve the reliability and availability of stateless address autoconfiguration in IPv6 networks.
According to one aspect of the invention, an embodiment proposes a method for address conflict detection, applied to network nodes running an IPv6 protocol stack. The method comprises the following steps: computing a one-way hash value of the IP address generated by a request node; publishing the hash value from the request node to the other nodes on the same link; a node configured with an IP address having the same hash value responding to the request node with its corresponding IP address; and the request node performing address conflict detection according to the IP addresses in the responses.
According to another aspect of the invention, an embodiment proposes a method for address resolution/address unreachability detection, applied to network nodes running an IPv6 protocol stack. The method comprises the following steps: computing a one-way hash value of the IP address that a request node needs to resolve or probe; publishing the hash value from the request node to the other nodes on the same link; a node configured with an IP address having the same hash value responding to the request node with its corresponding IP address; and the request node correspondingly performing address resolution or address unreachability detection according to the IP addresses in the responses.
According to a further aspect of the invention, an embodiment proposes a system for address conflict detection, applied to network nodes running an IPv6 protocol stack. The system comprises a request node and a response node. The request node computes a one-way hash value of the IP address it has generated, publishes the hash value to the other nodes on the same link, and performs address conflict detection according to the IP addresses in the responses. The response node is configured with an IP address having the same hash value as that of the request node and, after receiving the published message of the request node, responds to the request node with its corresponding IP address.
According to yet another aspect of the invention, an embodiment proposes a system for address resolution/address unreachability detection, applied to network nodes running an IPv6 protocol stack. The system comprises a request node and a response node. The request node computes a one-way hash value of the IP address that needs to be resolved or probed, publishes the hash value to the other nodes on the same link, and correspondingly performs address resolution or address unreachability detection according to the IP addresses in the responses. The response node is configured with an IP address having the same hash value as that of the request node and, after receiving the published message of the request node, responds to the request node with its corresponding IP address.
According to another aspect of the invention, an embodiment proposes a request node, included in a network node running an IPv6 protocol stack. The request node comprises: an address generation module for generating a random IP address; a computing module for computing a one-way hash value of the generated IP address; a publishing module that publishes the hash value to the other nodes on the same link; and a detection module that performs address conflict detection according to the IP addresses in the responses.
According to a further aspect of the invention, an embodiment proposes a request node, included in a network node running an IPv6 protocol stack. The request node comprises: a computing module for computing a one-way hash value of the IP address that needs to be resolved or probed; a publishing module that publishes the hash value to the other nodes on the same link; and a resolution/probing module that correspondingly performs address resolution or address unreachability detection according to the IP addresses in the responses.
According to another aspect of the invention, an embodiment proposes a response node, included in a network node running an IPv6 protocol stack. The response node is configured with an IP address having the same hash value as that of a request node performing address conflict detection, address resolution or address unreachability detection. The response node comprises a response module that, after receiving the published message of the request node, responds to the request node with its corresponding IP address.
The invention provides a secure method and system for IPv6 address conflict detection, address resolution and address unreachability detection based on hash computation and a pull model. The invention ensures that a malicious host on the same network cannot, by continuously replying to probes, prevent a host from configuring an address normally, resolving addresses or performing address unreachability detection. The secure address conflict detection, address resolution and address unreachability detection methods of the invention can improve the reliability and availability of stateless address autoconfiguration in IPv6 networks.
Additional aspects and advantages of the invention are given in part in the following description; in part they will become apparent from that description or be learned through practice of the invention.
Description of drawings
The above and/or additional aspects and advantages of the invention will become apparent and easy to understand from the following description of embodiments taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a flow chart of the address conflict detection method of an embodiment of the invention;
Fig. 2 is a flow chart of the address resolution/address unreachability detection method of an embodiment of the invention;
Fig. 3 is a block diagram of the address conflict detection system of an embodiment of the invention;
Fig. 4 is a block diagram of the address resolution/address unreachability detection system of an embodiment of the invention.
Embodiment
Embodiments of the invention are described in detail below. Examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals denote, throughout, the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they serve only to explain the invention and are not to be construed as limiting it.
The secure address conflict detection, address resolution and address unreachability detection methods of the invention can be applied to network nodes running an IPv6 protocol stack, including devices such as hosts and routers, to improve the reliability and availability of stateless address autoconfiguration in IPv6 networks.
Referring to Fig. 1, this figure is a flow chart of the address conflict detection method of an embodiment of the invention.
As shown in the figure, a one-way hash value is first computed from the IP address generated by the request node, yielding a hash value of fixed length (step 102).
Then the request node publishes the resulting hash value to the other nodes on the same link, requesting the addresses already in use that have the same hash value (step 104).
After receiving the message published by the request node, any other node on the same link that is configured with addresses having the same hash value replies to the request node with those addresses; that is, a node configured with an IP address having the same hash value responds to the request node with its corresponding IP address (step 106).
After receiving responses for a period of time, the request node checks whether the address it wants to configure (i.e. the generated address) is among the response addresses received, and thereby performs address conflict detection according to the IP addresses in the responses (step 108).
Specifically, when the IP addresses in the responses include an address identical to the IP address generated by the request node, the request node abandons the generated IP address (step 110) and carries out the next round of address generation and conflict detection.
When the IP addresses in the responses do not include an address identical to the IP address generated by the request node, the request node configures itself with the generated IP address (step 112).
Referring to Fig. 2, this figure is a flow chart of the address resolution/address unreachability detection method of an embodiment of the invention.
As shown in the figure, as in the address conflict detection method of Fig. 1, a one-way hash value is first computed from the IP address that the request node needs to resolve or probe (step 202). The IP address to be resolved or probed can be obtained from information passed down by an upper layer, or from information sent by other nodes.
Then the request node publishes the computed hash value to the other nodes on the same link, requesting the addresses already in use that have the same hash value (step 204);
If a node is configured with an address having the same hash value, it replies to the request node with that address; that is, a node configured with an IP address having the same hash value responds to the request node with its corresponding IP address (step 206); and
After receiving messages for a period of time, the request node checks whether the address it needs to query is among the addresses in the response messages received, and correspondingly performs address resolution or address unreachability detection according to the IP addresses in the responses (step 208).
When the IP addresses in the responses include an address identical to the IP address that the request node needs to resolve or probe, the request node has correspondingly completed the address resolution or the address unreachability detection (step 210);
When the IP addresses in the responses do not include an address identical to the IP address that the request node needs to resolve or probe, address resolution by the request node fails, or the probed address is unreachable (step 212).
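The two procedures above (steps 102 to 112 for conflict detection, steps 202 to 212 for resolution/unreachability detection) can be traced in a small in-memory simulation. This is an added example, not part of the patent text, and it also runs a classic probe that carries the address in the clear for comparison. SHA-256 truncated to 32 bits, all class and function names, and the 2001:db8:: sample addresses are assumptions; the patent only specifies a fixed-length one-way hash.

```python
import hashlib
import ipaddress

HASH_BITS = 32  # assumption: the patent only requires a fixed-length one-way hash


def addr_hash(addr):
    """Steps 102/202: one-way hash of the address (SHA-256, truncated; assumed)."""
    packed = ipaddress.IPv6Address(addr).packed
    return hashlib.sha256(packed).digest()[: HASH_BITS // 8]


class Node:
    """Well-behaved node holding the addresses it has configured."""

    def __init__(self, name, addresses=()):
        self.name = name
        self.addresses = {ipaddress.IPv6Address(a) for a in addresses}

    def answer_hash(self, published):
        # Steps 106/206: return every configured address whose hash matches.
        return [a for a in self.addresses if addr_hash(a) == published]

    def answer_classic(self, probed):
        # Classic probe: the tentative address itself is visible on the link.
        return [probed] if probed in self.addresses else []


class AnswerEverything(Node):
    """Models the misbehaving node from the Background: it replies to every probe."""

    def __init__(self, name, decoy):
        super().__init__(name)
        self.decoy = ipaddress.IPv6Address(decoy)

    def answer_hash(self, published):
        # It sees only the hash, so it cannot name the requester's address.
        return [self.decoy]

    def answer_classic(self, probed):
        # The probed address is exposed, so it can simply be claimed.
        return [probed]


def probe_hash(nodes, requester, addr):
    """Steps 104-108 / 204-208: publish the hash, then look for addr in the replies."""
    target = ipaddress.IPv6Address(addr)
    published = addr_hash(target)
    replies = [a for n in nodes if n is not requester
               for a in n.answer_hash(published)]
    return target in replies


def probe_classic(nodes, requester, addr):
    """Baseline for comparison: the probe carries the address in the clear."""
    target = ipaddress.IPv6Address(addr)
    replies = [a for n in nodes if n is not requester
               for a in n.answer_classic(target)]
    return target in replies


def configure(nodes, requester, candidates, probe):
    """Steps 110/112: drop conflicting candidates, configure the first free one."""
    for cand in candidates:
        if not probe(nodes, requester, cand):
            requester.addresses.add(ipaddress.IPv6Address(cand))
            return cand
    return None  # every candidate was reported as in use


def resolve(nodes, requester, addr):
    """Steps 210/212: True means resolved/reachable, False means failed/unreachable."""
    return probe_hash(nodes, requester, addr)


def demo():
    # Constructed sample link using the 2001:db8::/32 documentation prefix.
    requester = Node("requester")
    holder = Node("holder", ["2001:db8::aa"])
    noisy = AnswerEverything("noisy", decoy="2001:db8::dead")
    nodes = [requester, holder, noisy]
    candidates = ["2001:db8::aa", "2001:db8::bb"]
    return {
        "classic": configure(nodes, requester, candidates, probe_classic),
        "hashed": configure(nodes, requester, candidates, probe_hash),
        "resolve_present": resolve(nodes, requester, "2001:db8::aa"),
        "resolve_absent": resolve(nodes, requester, "2001:db8::cc"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the classic probe every candidate is reported as taken and configuration never completes; with the hashed probe the genuine conflict on 2001:db8::aa is still detected, and the second candidate is configured because the always-answering node cannot reproduce an address it never saw.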
In addition, Fig. 3 shows a block diagram of the address conflict detection system of an embodiment of the invention, applied to network nodes running an IPv6 protocol stack.
As shown in the figure, the system comprises a request node 10 and response nodes 20, 30 and so on. Request node 10 comprises an address generation module 12, a computing module 14, a publishing module 16 and a detection module 18. Address generation module 12 generates a random IP address; computing module 14 computes a one-way hash value of the generated IP address; publishing module 16 publishes the computed hash value to the other nodes on the same link; and detection module 18 performs address conflict detection according to the IP addresses in the responses.
Response nodes 20 and 30 are nodes on the same link as request node 10 that are configured with IP addresses having the same hash value as the one published by request node 10; there may be one or more response nodes. After receiving the published message of request node 10, response nodes 20 and 30 respond to request node 10 with their corresponding IP addresses.
As shown in Fig. 3, response nodes 20 and 30 can each use the response module they contain (22 and 32 respectively) to respond to request node 10 with their corresponding IP addresses after receiving the published message of request node 10.
After receiving responses for a period of time, request node 10 uses detection module 18 to check whether the address it wants to configure is among the response addresses received. When the IP addresses in the responses include an address identical to the IP address generated by address generation module 12, detection module 18 detects that the generated IP address has an address conflict; request node 10 then abandons the generated IP address and carries out the next round of address generation and conflict detection.
When the IP addresses in the responses do not include an address identical to the IP address generated by the request node, detection module 18 detects that the generated IP address has no address conflict, and request node 10 configures itself with the IP address generated by address generation module 12.
A system in which this address conflict detection system is deployed detects address conflicts by computing the hash value of the IP address and publishing that hash value. Hosts that have an IP address with the same hash value return an address conflict message. The initiating host determines whether an address conflict has been found according to the IP addresses in the response packets.
Fig. 4 shows a block diagram of the address resolution/address unreachability detection system of an embodiment of the invention, applied to network nodes running an IPv6 protocol stack.
As shown in the figure, the system comprises a request node 40 and response nodes 50, 60 and so on. Request node 40 comprises a computing module 44, a publishing module 46 and a detection module 48.
Compared with the address conflict detection system of the Fig. 3 embodiment, this system omits address generation module 12, because the IP address to be resolved or probed here is not an address of request node 40; it can be obtained from information passed down by an upper layer, or from information sent by other nodes.
Computing module 44 computes a one-way hash value of the IP address that request node 40 needs to resolve or probe; publishing module 46 publishes the computed hash value to the other nodes on the same link; and detection module 48 performs address conflict detection according to the IP addresses in the responses.
Similarly, response nodes 50 and 60 are nodes on the same link as request node 40 that are configured with IP addresses having the same hash value as the one published by request node 40; there may be one or more response nodes. After receiving the published message of request node 40, response nodes 50 and 60 respond to request node 40 with their corresponding IP addresses.
As shown in Fig. 4, response nodes 50 and 60 can each use the response module they contain (52 and 62 respectively) to respond to request node 40 with their corresponding IP addresses after receiving the published message of request node 40.
After receiving responses for a period of time, request node 40 uses detection module 48 to check whether the address it needs to query is among the addresses in the response messages received, and correspondingly performs address resolution or address unreachability detection according to the IP addresses in the responses.
Specifically, when detection module 48 detects that the IP addresses in the responses include an address identical to the IP address that request node 40 needs to resolve or probe, request node 40 has correspondingly completed the address resolution or the address unreachability detection;
When detection module 48 detects that the IP addresses in the responses do not include an address identical to the IP address that request node 40 needs to resolve or probe, address resolution by request node 40 fails, or the probed address is unreachable.
In a system in which this address resolution/address unreachability detection system is deployed, a host performing address resolution or address unreachability detection computes and publishes the hash value of the IP address, and hosts that have an IP address with the same hash value reply with that IP address. The initiating host determines the result according to the IP addresses in the response packets.
The invention provides a secure method and system for IPv6 address conflict detection, address resolution and address unreachability detection based on hash computation and a pull model.
The invention ensures that a malicious host on the same network cannot, by continuously replying to probes, prevent a host from configuring an address normally, resolving addresses or performing address unreachability detection. The secure address conflict detection, address resolution and address unreachability detection methods of the invention can improve the reliability and availability of stateless address autoconfiguration in IPv6 networks.
In addition, compared with other schemes of the same type, the invention requires no complex cryptographic computation and is simple to implement and deploy.
Although embodiments of the invention have been shown and described, those of ordinary skill in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principles and spirit of the invention; the scope of the invention is defined by the claims and their equivalents.

Claims (9)

1. A method for address conflict detection, applied to network nodes running an IPv6 protocol stack, characterized in that the method comprises the following steps:
computing a one-way hash value of the IP address generated by a request node;
publishing the hash value from the request node to the other nodes on the same link;
a node configured with an IP address having the same hash value responding to the request node with its corresponding IP address; and
the request node performing address conflict detection according to the IP addresses in the responses.
2. The method of claim 1, characterized in that,
when the IP addresses in the responses include an address identical to the IP address generated by the request node, the request node abandons the generated IP address;
when the IP addresses in the responses do not include an address identical to the IP address generated by the request node, the request node configures itself with the generated IP address.
3. A method for address resolution/address unreachability detection, applied to network nodes running an IPv6 protocol stack, characterized in that the method comprises the following steps:
computing a one-way hash value of the IP address that a request node needs to resolve or probe;
publishing the hash value from the request node to the other nodes on the same link;
a node configured with an IP address having the same hash value responding to the request node with its corresponding IP address; and
the request node correspondingly performing address resolution or address unreachability detection according to the IP addresses in the responses.
4. The method of claim 3, characterized in that,
when the IP addresses in the responses include an address identical to the IP address that the request node needs to resolve or probe, the request node has correspondingly completed the address resolution or the address unreachability detection;
when the IP addresses in the responses do not include an address identical to the IP address that the request node needs to resolve or probe, address resolution by the request node fails, or the probed address is unreachable.
5. A system for address conflict detection, applied to network nodes running an IPv6 protocol stack, characterized in that the system comprises a request node and a response node,
the request node computes a one-way hash value of the IP address it has generated, publishes the hash value to the other nodes on the same link, and performs address conflict detection according to the IP addresses in the responses;
the response node is configured with an IP address having the same hash value as that of the request node and, after receiving the published message of the request node, responds to the request node with its corresponding IP address.
6. A system for address resolution/address unreachability detection, applied to network nodes running an IPv6 protocol stack, characterized in that the system comprises a request node and a response node,
the request node computes a one-way hash value of the IP address that needs to be resolved or probed, publishes the hash value to the other nodes on the same link, and correspondingly performs address resolution or address unreachability detection according to the IP addresses in the responses;
the response node is configured with an IP address having the same hash value as that of the request node and, after receiving the published message of the request node, responds to the request node with its corresponding IP address.
7. A request node, included in a network node running an IPv6 protocol stack, characterized in that the request node comprises:
an address generation module for generating a random IP address;
a computing module for computing a one-way hash value of the generated IP address;
a publishing module that publishes the hash value to the other nodes on the same link; and
a detection module that performs address conflict detection according to the IP addresses in the responses.
8. A request node, included in a network node running an IPv6 protocol stack, characterized in that the request node comprises:
a computing module for computing a one-way hash value of the IP address that needs to be resolved or probed;
a publishing module that publishes the hash value to the other nodes on the same link; and
a resolution/probing module that correspondingly performs address resolution or address unreachability detection according to the IP addresses in the responses.
9. A response node, included in a network node running an IPv6 protocol stack, characterized in that the response node is configured with an IP address having the same hash value as that of a request node performing address conflict detection, address resolution or address unreachability detection, the response node comprising:
a response module that, after receiving the published message of the request node, responds to the request node with its corresponding IP address.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010267698.5A CN101931662B (en) 2010-08-30 2010-08-30 Method and system for conflicted address detection and address resolution/address unreachable detection


Publications (2)

Publication Number Publication Date
CN101931662A 2010-12-29
CN101931662B CN101931662B (en) 2015-05-13


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant