CN101945143A - Method and device for preventing message address spoofing on mixed network - Google Patents


Info

Publication number: CN101945143A
Authority: CN (China)
Prior art keywords: ipv6, message, ipv6 address, address, user terminal
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN2010102890531A
Other languages: Chinese (zh)
Inventor: 贺剑
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp


Abstract

The invention discloses a method and a device for preventing message address spoofing in mixed networking. The method comprises the following steps: during the dial-up process in which a user terminal establishes the Dynamic Host Configuration Protocol (DHCP) service, binding the IPv6 address allocated to the user terminal by the DHCP server; and, after an IPv6 message sent from the user side is received, determining whether the IPv6 message is a legitimate message by checking whether the IPv6 source address in the message is the same as the bound IPv6 address. The invention applies to mixed networks that combine stateful autoconfiguration and stateless autoconfiguration, effectively implements source protection for both the IPv6 address and the IPv6 address prefix, and at the same time allows flexible networking.

Description

Method and device for preventing message address spoofing in mixed networking
Technical field
The present invention relates to the field of network communication security, and in particular to a method and a device for preventing message address spoofing in mixed networking.
Background art
With the rapid development of the Internet and the rapid expansion of network scale, IPv4 addresses are about to be exhausted, and an early transition from IPv4 networks to IPv6 networks has become an urgent demand of operators. The digital subscriber line access multiplexer (DSLAM), currently the main access device for digital subscriber line (DSL), will also evolve toward dual-stack mode so as to better play its role as the "first mile Ethernet" for broadband and narrowband access. As IPv6 is applied and tested, IPv6 user access has run into the same security problems as IPv4, and the IPv6 address-spoofing attack is one of them.
"Plug and play" is one of the key features of IPv6, and IPv6 provides two mechanisms to realize it: stateful autoconfiguration and stateless autoconfiguration.
Fig. 1 shows the structure of a Dynamic Host Configuration Protocol (DHCP) service network, where DHCPv6 refers to the DHCP service that uses the IPv6 protocol. The DHCPv6 server communicates with the DSLAM or optical network unit (ONU) through optical line terminal (OLT) equipment. The user terminal communicates with the DSLAM directly or through a home gateway. The user terminal may be a personal computer (PC) or a set-top box (STB).
In stateful autoconfiguration mode, the user terminal can access the DHCPv6 server directly through the DSLAM and apply to the DHCPv6 server for an IPv6 address directly; the DSLAM can perform source protection on the IPv6 address by snooping this DHCPv6 service.
In stateless autoconfiguration mode, the user terminal accesses the DSLAM through a home gateway and then accesses the DHCPv6 server through the DSLAM. An IPv6 address prefix is requested from the DHCPv6 server via the home gateway and the DSLAM, and the DHCPv6 server returns the allocated IPv6 address prefix through the DSLAM and the home gateway. Using stateless autoconfiguration, the user terminal then generates its IPv6 address from the IPv6 address prefix advertised by the home gateway and its own IEEE EUI-64 link-layer address. By snooping the service in which the home gateway applies for the IPv6 address prefix, the DSLAM performs source protection on this address prefix and thereby protects the source IPv6 addresses of the PC or STB terminals. This networking mode preserves device "plug and play", reduces the load on the DHCPv6 server, and greatly reduces the number of address request, renewal and similar messages handled in the DSLAM, so it has good application prospects; but it equally makes it difficult for the DSLAM to defend efficiently against IPv6 address-spoofing attacks.
From the point of view of IPv6 address allocation, stateful autoconfiguration is divided into IPv6 address assignment and IPv6 address prefix assignment. In practice the two mechanisms above are usually combined in one network: some user terminals access the DSLAM directly and obtain an IPv6 address directly through stateful autoconfiguration, while other user terminals access the DSLAM through a home gateway and, through stateless autoconfiguration, generate an IPv6 address from the IPv6 address prefix advertised by the home gateway and their own IEEE EUI-64 link-layer address. How to protect the IPv6 addresses generated in both ways in such a mixed network, and prevent IPv6 address-spoofing attacks, is the problem to be solved.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method and a device for preventing message address spoofing in mixed networking that, for networks mixing stateful autoconfiguration and stateless autoconfiguration, effectively perform source protection on both the IPv6 address and the IPv6 address prefix.
To solve the above technical problem, the present invention provides a method for preventing message address spoofing in mixed networking, comprising: during the dial-up process in which a user terminal establishes the DHCP service, binding the IPv6 address allocated to the user terminal by the DHCP server; and, after an IPv6 message sent from the user side is received, determining whether the IPv6 message is a legitimate message by checking whether the IPv6 source address in the message is the same as the bound IPv6 address.
Further, the above method may also have the following feature:
During the DHCP service establishment dial-up process, when the user terminal accesses the DHCP server through the digital subscriber line access multiplexer, the bound IPv6 address is a complete IPv6 address; when the user terminal accesses the DHCP server through a home gateway, the bound IPv6 address is the IPv6 address field that comprises the IPv6 address prefix.
Further, the above method may also have the following feature:
A user information record is created for each DHCP service establishment dial-up process. The IPv6 address information is parsed from the IPv6 address request message or IPv6 address prefix request message sent by the user terminal and entered in the user information record. After the response message that the DHCP server sends in reply to the user terminal's dial-up request is received, the record corresponding to this DHCP service establishment dial-up process is kept, modified or deleted according to the response message.
Further, the above method may also have the following feature:
The user information record contains the VLAN ID, the data-link-layer address and the IPv6 address of the user terminal in the DHCP service establishment dial-up process.
Further, the above method may also have the following feature:
After the response message that the DHCP server sends in reply to the user terminal's dial-up request is received, when the record corresponding to the DHCP service establishment dial-up process needs to be modified or deleted, the record is modified or deleted only after verifying that the transaction identifier and the DHCP unique identifier in the response message are identical to the transaction identifier and the DHCP unique identifier in that record.
To solve the above technical problem, the present invention also provides a device for preventing message address spoofing attacks in mixed networking. The device is located in a digital subscriber line access multiplexer or an optical network unit and comprises a protection module and a driver module. The protection module is used to bind, during the dial-up process in which a user terminal establishes the DHCP service, the IPv6 address allocated to the user terminal by the DHCP server, and to configure this binding in the driver module. The driver module is used, after an IPv6 message sent from the user side is received, to determine whether the IPv6 message is a legitimate message by checking whether the IPv6 source address in the message is the same as the bound IPv6 address.
Further, the above device may also have the following feature:
During the DHCP service establishment dial-up process, when the user terminal accesses the DHCP server through the digital subscriber line access multiplexer, the IPv6 address bound by the protection module is a complete IPv6 address; when the user terminal accesses the DHCP server through a home gateway, the IPv6 address bound by the protection module is the IPv6 address field that comprises the IPv6 address prefix.
Further, the above device may also have the following feature:
The device also comprises a user information management module connected to both the protection module and the driver module. The driver module is also used to extract the DHCP messages that use the IPv6 protocol from the data packets received from the user side and send them to the user information management module. The user information management module is used to create a user information record for each DHCP service establishment dial-up process, to parse the IPv6 address information from the IPv6 address request message or IPv6 address prefix request message sent by the user terminal and enter it in the user information record, and, after the response message that the DHCP server sends in reply to the user terminal's dial-up request is received, to keep, modify or delete the record corresponding to this DHCP service establishment dial-up process according to the response message. The protection module is also used to bind the IPv6 address according to the information in the user information record created by the user information management module.
Further, the above device may also have the following feature:
The user information management module is also used, after the response message that the DHCP server sends in reply to the user terminal's dial-up request is received and when the record corresponding to the DHCP service establishment dial-up process needs to be modified or deleted, to modify or delete the record only after verifying that the transaction identifier and the DHCP unique identifier in the response message are identical to the transaction identifier and the DHCP unique identifier in that record.
Further, the above device may also have the following feature:
The device also comprises a configuration module connected to the user information management module and the protection module; the configuration module is used to enable or disable the functions of the user information management module and the protection module.
For networks mixing stateful autoconfiguration and stateless autoconfiguration, the present invention effectively performs source protection on both the IPv6 address and the IPv6 address prefix while allowing flexible networking.
Description of drawings
Fig. 1 is a structural diagram of the DHCP service system;
Fig. 2 is a structural diagram of the device for preventing message address spoofing in mixed networking in the embodiment;
Fig. 3 is a flowchart of the method for preventing message address spoofing in mixed networking in the embodiment.
Detailed description of the embodiments
As shown in Fig. 2, the device for preventing message address spoofing attacks in mixed networking is located in a digital subscriber line access multiplexer or an optical network unit. The device comprises a protection module and a driver module; a user information management module connected to both the protection module and the driver module; a configuration module connected to both the driver module and the user information management module; and a database module connected to both the user information management module and the configuration module.
The protection module is used to bind, during the dial-up process in which a user terminal establishes the DHCP service, the IPv6 address allocated to the user terminal by the DHCP server, and to configure this binding in the driver module. Specifically, during the DHCP service establishment dial-up process, when the user terminal accesses the DHCP server through the digital subscriber line access multiplexer, the IPv6 address bound by the protection module is a complete IPv6 address; when the user terminal accesses the DHCP server through a home gateway, the IPv6 address bound by the protection module is the IPv6 address field that comprises the IPv6 address prefix. This compatible IPv6 address binding mode, characterized by the IPv6 address prefix, is suitable for mixed networking; protecting the IPv6 address prefix can also be regarded as protecting the IPv6 addresses generated through stateless autoconfiguration.
The driver module is used, after an IPv6 message sent from the user side is received, to determine whether the IPv6 message is a legitimate message by checking whether the IPv6 source address in the message is the same as the bound IPv6 address. A message determined to be legitimate is forwarded transparently; a message determined to be illegitimate is discarded, which stops attacks that use illegitimate IPv6 addresses.
The configuration module is used to enable or disable the functions of the user information management module and the protection module; it can also set, for each user port, the maximum number of users allowed to perform DHCPv6 dial-up, and can determine which information is displayed to the administrator.
The database module is used to store the user information records and the enabled-state information of each module as set by the configuration module.
In this device the above binding is implemented by creating user information records. Specifically:
The driver module is also used to extract, by snooping, the DHCP messages that use the IPv6 protocol from the data packets received from the user side and to send them to the user information management module. The driver module can also perform processing such as IP packet filtering.
The user information management module is used to create a user information record for each DHCP service establishment dial-up process, to parse the IPv6 address information from the IPv6 address request message or IPv6 address prefix request message sent by the user terminal and enter it in the user information record, and, after the response message that the DHCP server sends in reply to the user terminal's dial-up request is received, to keep, modify or delete the record corresponding to this DHCP service establishment dial-up process according to the response message.
Specifically, the user information management module parses IPv6 address requests and IPv6 address prefix requests according to RFC 3315 and RFC 3633 respectively. It parses out information such as the VLAN ID (VLAN), data-link-layer address (MAC), IPv6 address (IPv6 Address), prefix length (Prefix Len), port number (PORT) and permanent virtual circuit number (PVC), and enters it in the record corresponding to the DHCP service establishment dial-up process in the user information records. When the parsed message is an IPv6 address request, the prefix length is set to 128.
The protection module is also used to bind the IPv6 address according to the information in the user information record created by the user information management module, which effectively defends against IPv6 address-spoofing attacks.
The user information management module's management of user information records comprises creating records and modifying or deleting records.
When an IPv6 address request message or IPv6 address prefix request message sent by a user terminal is received, the user information management module parses out the VLAN ID (VLAN), data-link-layer address (MAC) and IPv6 address (IPv6 Address); if it determines that the user information records contain no record with the same values for these parameters, it creates a new record.
After the response message that the DHCP server sends in reply to the user terminal's dial-up request is received, when the record corresponding to the DHCP service establishment dial-up process needs to be modified or deleted, the user information management module modifies or deletes the record only after verifying that the transaction identifier and the DHCP unique identifier in the response message are identical to the transaction identifier and the DHCP unique identifier in that record.
As shown in Fig. 3, the method for preventing message address spoofing in mixed networking comprises: during the dial-up process in which a user terminal establishes the DHCP service, binding the IPv6 address allocated to the user terminal by the DHCP server; and, after an IPv6 message sent from the user side is received, determining whether the IPv6 message is a legitimate message by checking whether the IPv6 source address in the message is the same as the bound IPv6 address.
Here the IPv6 address means the following: during the DHCP service establishment dial-up process, when the user terminal accesses the DHCP server through the digital subscriber line access multiplexer, the bound IPv6 address is a complete IPv6 address; when the user terminal accesses the DHCP server through a home gateway, the bound IPv6 address is the IPv6 address field that comprises the IPv6 address prefix.
In this method the above binding is accomplished by building user information records. Specifically: a user information record is created for each DHCP service establishment dial-up process; the IPv6 address information is parsed from the IPv6 address request message or IPv6 address prefix request message sent by the user terminal and entered in the user information record; and, after the response message that the DHCP server sends in reply to the user terminal's dial-up request is received, the record corresponding to this DHCP service establishment dial-up process is kept, modified or deleted according to the response message.
The user information record contains the VLAN ID, the data-link-layer address and the IPv6 address of the user terminal in the DHCP service establishment dial-up process.
When an IPv6 address request message or IPv6 address prefix request message sent by a user terminal is received, the VLAN ID (VLAN), data-link-layer address (MAC) and IPv6 address (IPv6 Address) are parsed out; if it is determined that the user information records contain no record with the same values for these parameters, a new record is created.
After the response message that the DHCP server sends in reply to the user terminal's dial-up request is received, when the record corresponding to the DHCP service establishment dial-up process needs to be modified or deleted, the record is modified or deleted only after verifying that the transaction identifier and the DHCP unique identifier in the response message are identical to the transaction identifier and the DHCP unique identifier in that record.
Specific embodiment:
In the specific embodiment, the method for preventing message address spoofing in mixed networking comprises the following steps:
Step S1: the DSLAM initializes the functional modules involved in preventing message address spoofing and enables each of them.
The DSLAM is a dual-stack device compatible with both IPv4 and IPv6. Its IPv6-related functional modules are disabled by default and must be configured before the corresponding functions, including prevention of IPv6 address-spoofing attacks, are started.
Step S2: the DSLAM extracts the DHCPv6 messages by snooping.
Step S3: during the DHCP service establishment dial-up process, the DSLAM analyzes the Option information in the messages to identify DHCPv6 messages of the address assignment type and DHCPv6 messages of the address prefix assignment type, and records the parsed information in the user information records.
The DSLAM must be compatible at the same time with networks in which only stateful-autoconfiguration address assignment exists, networks in which only stateful-autoconfiguration address prefix assignment exists, and mixed networks that combine the two. The DSLAM can therefore run different message-parsing flows.
For a DHCPv6 message of the address assignment type, the DHCPv6 header is parsed together with options (Option) such as the client identifier (Client Identifier), the server identifier (Server Identifier) and the identity association for non-temporary addresses (Identity Association for Non-temporary Address), and their corresponding sub-options (Sub Option). For a DHCPv6 message of the address prefix assignment type, the DHCPv6 header is parsed together with options (Option) such as the client identifier (Client Identifier), the server identifier (Server Identifier) and the identity association for prefix delegation (Identity Association for Prefix Delegation), and their corresponding sub-options (Sub Option). The DSLAM distinguishes DHCPv6 messages of the address assignment type from DHCPv6 messages of the address prefix assignment type according to the Identity Association for Non-temporary Address and the Identity Association for Prefix Delegation.
From the DHCPv6 message the DSLAM parses out information such as the VLAN ID (VLAN), data-link-layer address (MAC), IPv6 address (IPv6 Address), prefix length (Prefix Len), port number (PORT) and permanent virtual circuit number (PVC).
The DSLAM decides whether a new record is needed according to the VLAN ID (VLAN), data-link-layer address (MAC) and IPv6 address (IPv6 Address) in the parsed message. If the user information records already contain a record with the same values for these parameters, no new record is created; otherwise a new record is created, and its IPv6 address and address prefix length are initialized to all zeros and 128 respectively.
To guarantee the security of the DHCPv6 message exchange, during the exchange the DSLAM keeps, for each record in the user information records, the transaction identifier (Transaction-ID) and the DHCP unique identifier (DHCP Unique Identifier, DUID) of that user's dial-up message; this information need not be displayed to the administrator.
After the response message that the DHCP server sends in reply to the user terminal's dial-up request is received, the DSLAM uses the option (Option) information in the response message to classify it as one of the corresponding response types: address assignment or address prefix assignment confirmed, renewal confirmed, rebinding confirmed, release confirmed, address assignment or address prefix assignment refused, renewal refused, or rebinding refused. When the response type is address assignment confirmed, address prefix assignment confirmed, renewal confirmed or rebinding confirmed, the lease, IPv6 Address and Prefix Len information of the record in the user information records is modified. When the response type is release confirmed, address assignment or address prefix assignment refused, renewal refused or rebinding refused, the corresponding record in the user information records is deleted. Because the messages exchanged between the DHCPv6 client and the DHCPv6 server during DHCPv6 dial-up occur in pairs, when the record corresponding to the DHCP service establishment dial-up process needs to be modified or deleted, the record is modified or deleted only after verifying that the transaction identifier (Transaction-ID) and the DHCP unique identifier (DUID) in the response message are identical to the transaction identifier and the DHCP unique identifier in that record, which effectively avoids malicious spoofing attacks.
Step S4: during the dial-up process in which the user terminal establishes the DHCP service, the DSLAM binds the IPv6 address allocated to the user terminal by the DHCP server and configures this binding in the driver module.
Step S5: after an IPv6 message sent from the user side is received, the DSLAM determines whether the IPv6 message is a legitimate message by checking whether the IPv6 address in the message is the same as the bound IPv6 address. A message determined to be legitimate is forwarded transparently; a message determined to be illegitimate is discarded, which stops attacks that use illegitimate IPv6 addresses.
In addition, because IPv6 replaces the ARP messages of IPv4 with the ICMP-based Neighbor Discovery Protocol, the drop policy for IPv6 messages in the driver module needs to be relaxed: the ICMP neighbor solicitation and neighbor advertisement messages are allowed to pass through the DSLAM, so that other users under the same port are not prevented from carrying out DHCP session services.
In mixed networking access that combines stateful autoconfiguration and stateless autoconfiguration, the present invention treats an IPv6 address as a special IPv6 address prefix whose prefix length is 128, and implements defense against IPv6 address-spoofing attacks by binding the IPv6 address during the DHCP service establishment dial-up process.
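The following Python sketch of the binding table and source check in steps S3 to S5 is an added example, not code from the patent. The class, field and method names, the "confirm"/"remove" outcome labels, keying records by (VLAN, MAC), matching bindings per port and VLAN, and all sample addresses are assumptions made for illustration; DHCPv6 messages are assumed to be parsed already.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

ICMPV6 = 58                   # IPv6 Next Header value for ICMPv6
NDP_ALLOWED = {135, 136}      # Neighbor Solicitation, Neighbor Advertisement


@dataclass
class Record:                 # one user information record (hypothetical layout)
    port: int
    vlan: int
    mac: str
    xid: int                  # Transaction-ID of the exchange in progress
    duid: bytes               # client DUID
    network: IPv6Network = IPv6Network("::/128")  # initialised to all-zero, /128
    lease: int = 0
    confirmed: bool = False   # True once the server has confirmed the lease


class BindingTable:
    def __init__(self):
        self.records = {}     # (vlan, mac) -> Record

    def on_request(self, port, vlan, mac, xid, duid):
        """Snooped client message: create the record if none exists."""
        rec = self.records.get((vlan, mac))
        if rec is None:
            rec = self.records[(vlan, mac)] = Record(port, vlan, mac, xid, duid)
        elif rec.duid == duid:
            rec.xid = xid     # same client, new transaction (renew, release...)
        return rec

    def on_reply(self, vlan, mac, xid, duid, outcome, ia=None,
                 address=None, prefix_len=128, lease=0):
        """Snooped server response; returns True if it changed the table."""
        rec = self.records.get((vlan, mac))
        if rec is None or rec.xid != xid or rec.duid != duid:
            return False      # does not pair with a snooped request: ignore
        if outcome == "remove":               # release confirmed, or refused
            del self.records[(vlan, mac)]
            return True
        if ia == "IA_NA":
            prefix_len = 128                  # a full address is a /128 prefix
        rec.network = IPv6Network(f"{address}/{prefix_len}", strict=False)
        rec.lease, rec.confirmed = lease, True
        return True

    def permit(self, port, vlan, src, next_header=None, icmp_type=None):
        """Source check applied to an IPv6 message from the user side."""
        if next_header == ICMPV6 and icmp_type in NDP_ALLOWED:
            return True       # relaxed policy for neighbor discovery
        addr = IPv6Address(src)
        return any(r.confirmed and r.port == port and r.vlan == vlan
                   and addr in r.network for r in self.records.values())


def demo():
    """Mixed network with constructed sample values (documentation ranges)."""
    t = BindingTable()
    pc, gw = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    # Terminal on port 1 obtains a full address (IA_NA) directly.
    t.on_request(1, 100, pc, 0x1A2B3C, b"duid-pc")
    t.on_reply(100, pc, 0x1A2B3C, b"duid-pc", "confirm", "IA_NA",
               "2001:db8:1::10", lease=3600)
    # Home gateway on port 2 obtains a delegated prefix (IA_PD).
    t.on_request(2, 100, gw, 0x4D5E6F, b"duid-gw")
    t.on_reply(100, gw, 0x4D5E6F, b"duid-gw", "confirm", "IA_PD",
               "2001:db8:2::", 64, 7200)
    results = {
        "bound_address": t.permit(1, 100, "2001:db8:1::10"),
        "neighbour_address": t.permit(1, 100, "2001:db8:1::11"),
        "slaac_in_prefix": t.permit(2, 100, "2001:db8:2::200:5eff:fe00:5303"),
        "other_users_address": t.permit(2, 100, "2001:db8:1::10"),
        "ndp_solicitation": t.permit(1, 100, "fe80::1", ICMPV6, 135),
        # Response whose Transaction-ID does not match the record: ignored.
        "forged_release_applied": t.on_reply(100, pc, 0xBAD, b"duid-pc", "remove"),
    }
    results["still_bound"] = t.permit(1, 100, "2001:db8:1::10")
    # Genuine release: the client starts a new transaction, the server confirms.
    t.on_request(1, 100, pc, 0x777777, b"duid-pc")
    t.on_reply(100, pc, 0x777777, b"duid-pc", "remove")
    results["after_release"] = t.permit(1, 100, "2001:db8:1::10")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A record that has been created but not yet confirmed still holds the all-zero /128 value, so `permit` requires `confirmed` before matching; otherwise a message with the unspecified source address would pass.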
Of course, the present invention may also have various other embodiments. Without departing from the spirit and essence of the present invention, those of ordinary skill in the art can make various corresponding changes and variations according to the present invention, but all such changes and variations shall fall within the scope of protection of the appended claims of the present invention.
Those of ordinary skill in the art will understand that all or some of the steps of the above method can be completed by a program instructing the relevant hardware, and that the program can be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Alternatively, all or some of the steps of the above embodiments can be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiments can be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any particular combination of hardware and software.

Claims (10)

1. a method that prevents the message address deception under mixed networking is characterized in that,
Carrying out the DHCP business at user terminal, to set up in the dialing procedure binding Dynamic Host Configuration Protocol server be the IPv6 address that described user terminal distributes; After receiving the IPv6 message that user side sends, by judging whether whether identical this IPv6 message of judging is legal message with the described IPv6 address of being bound for IPv6 source address in the described IPv6 message.
2. the method for claim 1 is characterized in that,
Set up in the dialing procedure in the DHCP business, when described user terminal inserted described Dynamic Host Configuration Protocol server by digital subscriber line access multiplex, the described IPv6 address of being bound was complete IPv6 address; When described user terminal inserted described Dynamic Host Configuration Protocol server by home gateway, the described IPv6 address of being bound was the IPv6 address field that comprises the IPv6 address prefix.
3. the method for claim 1 is characterized in that,
Set up dialing procedure for each DHCP business and set up a user profile record, parse the IPv6 address information and charge to described user profile record IPv6 address request of sending from described user terminal or the IPv6 address prefix request message, after receiving the response message that Dynamic Host Configuration Protocol server sends the dialing request of user terminal, keep or the DHCP business therewith of revising or delete in the described user profile record is set up the record of dialing procedure correspondence according to response message.
4. method as claimed in claim 3 is characterized in that,
Comprise in the described user profile record that the DHCP business sets up VLAN ID, data-link layer address and the IPv6 address under the user terminal in the dialing procedure.
5. The method of claim 3, characterized in that:
after the response message that the DHCP server sends to the dial-up request of the user terminal is received, when the record corresponding to the DHCP service establishment dial-up process in the user information record needs to be modified or deleted, the record is modified or deleted on condition that the transaction identifier and the DHCP unique identifier in the response message are verified to be the same as the transaction identifier and the DHCP unique identifier in that record.
6. A device for preventing message address spoofing attacks in a mixed network, characterized in that:
the device is located in a digital subscriber line access multiplexer or an optical network unit, and comprises a protection module and a driver module;
the protection module is configured to bind, during the dial-up process in which a user terminal establishes DHCP service, the IPv6 address that the DHCP server allocates to the user terminal, and to set the binding into the driver module;
the driver module is configured to determine, after receiving an IPv6 message sent from the user side, whether the IPv6 message is a legitimate message by judging whether the IPv6 source address in the IPv6 message is the same as the bound IPv6 address.
7. The device of claim 6, characterized in that:
during the DHCP service establishment dial-up process, when the user terminal accesses the DHCP server through a digital subscriber line access multiplexer, the IPv6 address bound by the protection module is a complete IPv6 address;
when the user terminal accesses the DHCP server through a home gateway, the IPv6 address bound by the protection module is an IPv6 address segment containing the IPv6 address prefix.
8. The device of claim 6, characterized in that:
the device further comprises a user information management module connected to both the protection module and the driver module;
the driver module is further configured to extract the Dynamic Host Configuration Protocol messages that use the IPv6 protocol from the packets received from the user side and to send them to the user information management module;
the user information management module is configured to establish a user information record for each DHCP service establishment dial-up process, to parse IPv6 address information from the IPv6 address request message or IPv6 address prefix request message sent by the user terminal and write it into the user information record, and, after receiving the response message that the DHCP server sends to the dial-up request of the user terminal, to retain, modify or delete the record corresponding to this DHCP service establishment dial-up process in the user information record according to the response message;
the protection module is further configured to bind the IPv6 address according to the information in the user information record established by the user information management module.
9. The device of claim 7, characterized in that:
the user information management module is further configured so that, after the response message that the DHCP server sends to the dial-up request of the user terminal is received, when the record corresponding to the DHCP service establishment dial-up process in the user information record needs to be modified or deleted, the record is modified or deleted on condition that the transaction identifier and the DHCP unique identifier in the response message are verified to be the same as the transaction identifier and the DHCP unique identifier in that record.
10. The device of claim 7, characterized in that:
the device further comprises a configuration module connected to the user information management module and the protection module;
the configuration module is configured to control whether the functions of the user information management module and the protection module are enabled or disabled.
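The binding and source check described in claims 1 to 5, as an added Python sketch that is not part of the patent or any ZTE implementation. The class, method and field names and all sample values are assumptions made for illustration; the sketch also applies the transaction-ID/DUID check before activating a binding, not only before modifying or deleting one.

```python
import ipaddress

class BindingTable:
    """Illustrative per-subscriber bindings keyed by (VLAN ID, MAC address)."""

    def __init__(self):
        self.records = {}

    def on_request(self, vlan, mac, xid, duid, requested):
        # Parse the address or prefix from the terminal's request and record it.
        # A bare address becomes a /128 network (complete-address binding);
        # a delegated prefix such as a /56 becomes an address-segment binding.
        self.records[(vlan, mac)] = {
            "xid": xid, "duid": duid, "active": False,
            "binding": ipaddress.IPv6Network(requested),
        }

    def on_reply(self, vlan, mac, xid, duid, success, assigned=None):
        rec = self.records.get((vlan, mac))
        # Act on the record only when transaction ID and DUID both match it.
        if rec is None or rec["xid"] != xid or rec["duid"] != duid:
            return False
        if not success:
            del self.records[(vlan, mac)]                     # delete
        else:
            if assigned is not None:                          # modify
                rec["binding"] = ipaddress.IPv6Network(assigned)
            rec["active"] = True                              # retain and enforce
        return True

    def is_legal(self, vlan, mac, src):
        # Source check applied to every IPv6 message from the user side.
        rec = self.records.get((vlan, mac))
        return bool(rec and rec["active"]
                    and ipaddress.IPv6Address(src) in rec["binding"])

def demo():
    # Constructed sample values (documentation prefix 2001:db8::/32).
    t = BindingTable()
    dsl, gw = (100, "00:11:22:33:44:55"), (200, "66:77:88:99:aa:bb")
    t.on_request(*dsl, xid=0xA1B2C3, duid=b"\x00\x03term", requested="2001:db8::10")
    t.on_reply(*dsl, xid=0xA1B2C3, duid=b"\x00\x03term", success=True)
    t.on_request(*gw, xid=0x0D0E0F, duid=b"\x00\x03hgw", requested="2001:db8:100::/56")
    t.on_reply(*gw, xid=0x0D0E0F, duid=b"\x00\x03hgw", success=True)
    return [t.is_legal(*dsl, "2001:db8::10"), t.is_legal(*dsl, "2001:db8::11"),
            t.is_legal(*gw, "2001:db8:100:1::5"), t.is_legal(*gw, "2001:db8:200::1")]

if __name__ == "__main__":
    print(demo())
```

A terminal behind the DSLAM may only source its exact leased address, while any address inside the delegated prefix is accepted from the home gateway's port.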
CN2010102890531A 2010-09-16 2010-09-16 Method and device for preventing message address spoofing on mixed network Pending CN101945143A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010102890531A CN101945143A (en) 2010-09-16 2010-09-16 Method and device for preventing message address spoofing on mixed network

Publications (1)

Publication Number Publication Date
CN101945143A true CN101945143A (en) 2011-01-12

Family

ID=43436911

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110112