CN102130905B - Method and device for improving the security of neighbor discovery snooping


Info

Publication number: CN102130905B
Application number: CN201110029943.3A
Authority: CN (China)
Prior art keywords: message, ipv6, address, ipv6 address, state
Legal status: Expired - Fee Related (the status listed is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN102130905A
Inventor: 贺剑
Current assignee: ZTE Corp (assignee list may be inaccurate; no legal analysis has been performed)
Original assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN201110029943.3A
Priority to PCT/CN2011/075977 (WO2012100494A1)
Publication of CN102130905A
Application granted
Publication of CN102130905B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5092 Address allocation by self-assignment, e.g. picking addresses at random and testing if they are already in use
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method and device for improving the security of neighbor discovery (ND) snooping, applied in the field of network communication. The method comprises: an access device extracts a neighbor discovery message and determines whether it is a duplicate address detection (DAD) message; if so, it judges whether the number of IPv6 addresses attached under the source MAC address of the message has reached a preset maximum entry limit; if the limit has been reached, the IPv6 address is set to the init state; if not, a new IPv6 address node is added, the new IPv6 address enters the initial state, and the other IPv6 addresses of that MAC address user are transferred to the query state. The maximum entry limit effectively prevents a user from maliciously adding IPv6 addresses without end in order to attack the neighbor discovery snooping mechanism.

Description

Method and device for improving the security of neighbor discovery snooping
Technical field
The present invention relates to the field of network communication, and in particular to a method and device for improving the security of ND Snooping (neighbor discovery snooping).
Background art
With the gradual deployment of IPv6, the security of IPv6 user access can no longer be ignored; it has become a problem in urgent need of a solution and a focus of attention for communication equipment vendors and operators alike. IPv6 spoofed-address attacks are one such class of security problem. The draft "Control Packet Snooping Based Binding" proposes ND Snooping (Neighbor Discovery Snooping) to address IPv6 spoofed-address attacks. ND Snooping monitors the duplicate address detection process of IPv6 user terminals and builds a table of legitimately accessing users, thereby blocking the access and attacks of illegitimate IPv6 users. ND Snooping solves the IPv6 spoofed-address problem to some extent and can prevent some types of ND attack, but the technique itself has certain defects.
The table of legitimate access users built by ND Snooping must be used together with IPv6 Source Guard, which binds the legitimate IPv6 addresses to user ports of the access device; the access device then filters messages by matching the source IPv6 address of IPv6 messages. Implementing the IPv6 address binding consumes hardware policy resources of the access device, so the number of IPv6 address binding entries on each access device cannot be unlimited; there is a bottleneck, and this is exactly what a network attacker can exploit. Current ND Snooping maintains the creation of user entries and the state machine per single IPv6 address, and the aging timeout of the binding state is 2h. This mechanism gives ND Snooping two defects:
1. When a network attacker keeps adding IPv6 addresses on an IPv6 user terminal, the access device keeps creating IPv6 address bindings for that user, none of which can age out before the binding-state timeout expires; the IPv6 address binding entries of the access device soon reach their maximum, and other ordinary IPv6 users can no longer access the network normally;
2. ND Snooping's state machine is built per single IPv6 address, i.e. the different IPv6 addresses under the same MAC address are not treated as related. In actual use, however, the different IPv6 addresses under one MAC address usually come online and go offline together; because ND Snooping ignores this correlation, the hardware resources consumed by IPv6 address bindings cannot be released promptly and effectively.
ND Snooping was designed to solve the IPv6 spoofed-address attack problem, but current ND Snooping has defects of its own and can itself become the target of a network attacker. The method provided by the invention solves this problem and effectively improves the security of ND Snooping.
Summary of the invention
The invention provides a method and device for improving ND Snooping security, to solve the prior-art problem of a user maliciously adding IPv6 addresses without end in order to attack the ND Snooping mechanism.
An embodiment of the invention provides a method for improving ND Snooping security, comprising:
the access device extracts a neighbor discovery message and judges whether it is a duplicate address detection message;
if it is a duplicate address detection message, judging whether the number of IPv6 addresses attached under the source MAC address of the message has reached the preset maximum entry limit; if so, the state of this IPv6 address is set to the init state in the ND Snooping mechanism; if not, a new IPv6 address node is added, the new IPv6 address enters the initial state, and the other IPv6 addresses attached under the source MAC address are transferred to the query state.
A device for improving ND Snooping security comprises:
a duplicate address detection module, for extracting neighbor discovery messages and judging whether a message is a duplicate address detection message, and, if it is, handing over to the access number limiting module;
an access number limiting module, for judging whether the number of IPv6 addresses attached under the source MAC address of the message has reached the preset maximum entry limit; if so, returning to the init state; otherwise adding a new IPv6 address node, which enters the initial state, and transferring the other IPv6 addresses attached under the source MAC address to the query state.
With the method and device provided by the invention, the number of IPv6 addresses that the same MAC address is allowed to use effectively is configured on the access device, so that a network attacker cannot keep adding IPv6 addresses on an IPv6 user terminal to maliciously consume the IPv6 address binding resources of the access device, thereby protecting the ND Snooping mechanism.
Brief description of the drawings
Fig. 1 is a flow chart of the method for improving the security of neighbor discovery snooping (ND Snooping) according to an embodiment of the invention;
Fig. 2 is a flow chart of the specific implementation in an embodiment of the invention when the ND Snooping message is a Neighbor Solicitation message;
Fig. 3 is a flow chart of the specific implementation in an embodiment of the invention when the ND Snooping message is a Neighbor Advertisement message;
Fig. 4 is a structure diagram of the device for improving the security of neighbor discovery snooping (ND Snooping) according to an embodiment of the invention.
Detailed description
An embodiment of the invention provides a method and device for improving the security of neighbor discovery snooping. The method comprises: an access device extracts a neighbor discovery message and judges whether it is a duplicate address detection message; if it is a duplicate address detection message, it judges whether the number of IPv6 addresses attached under the source MAC address of the message has reached the preset maximum entry limit; if so, the state of this IPv6 address is set to the init state in the ND Snooping mechanism; if not, a new IPv6 address node is added, the new IPv6 address enters the initial state, and the other IPv6 addresses attached under the source MAC address are transferred to the query state.
As shown in Fig. 1, the method for improving the security of neighbor discovery snooping provided by an embodiment of the invention specifically comprises:
Step 101: the access device performs a validity check on the extracted neighbor discovery (Neighbor Discovery) message; if the message is legitimate, it determines from the type and content of the Neighbor Discovery message whether it is a duplicate address detection message.
In embodiments of the invention the message validity check comprises mainly two classes: whether the Neighbor Discovery message meets the requirements of the standard protocol; and whether the source MAC address and source IPv6 address of the Neighbor Discovery message belong to a user already present in the ND Snooping records, except that a Neighbor Solicitation message whose source IPv6 address is empty is not subjected to the second class of check. A message that fails the validity check enters the discard flow directly, which effectively blocks illegitimate Neighbor Discovery attacks.
Step 102: if the Neighbor Discovery message is a duplicate address detection message, judge whether the number of IPv6 addresses attached under the source MAC address of the message has reached the preset maximum entry limit; if so, return to the init state; otherwise add a new IPv6 address node, which enters the initial state, notify the other IPv6 addresses of this MAC address user, and transfer those other IPv6 addresses to the query state.
Determining from the type and content of the Neighbor Discovery message whether it is a duplicate address detection message comprises:
according to the type field in the ICMPv6 header of the Neighbor Discovery message, determining whether the message is a Neighbor Solicitation message or a Neighbor Advertisement message;
if the Neighbor Discovery message is a Neighbor Solicitation message, checking whether the source IPv6 address of the Neighbor Solicitation message is empty; if it is empty, the message is determined to be a duplicate address detection Neighbor Solicitation.
If the Neighbor Discovery message is a Neighbor Advertisement message, the target address (Target Address) in the ICMPv6 header of the message is parsed and the address node is looked up by the target address; if that IPv6 address is in the initial state, the IPv6 address node is deleted; if it is in the query state, the state of the IPv6 address is changed to the binding state and the maximum effective lifetime of the binding state is set.
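As an added illustration (not code from the patent or from ZTE), the following Python sketch performs the two-class validity check of Step 101 and the duplicate address detection classification of Step 102: the ICMPv6 type field selects Neighbor Solicitation (135) or Neighbor Advertisement (136), a Neighbor Solicitation whose source is the unspecified address `::` is a DAD probe and skips the records check, and any other Neighbor Solicitation or Advertisement must come from a (MAC, IPv6) pair already in the ND Snooping records. The first-class "meets the standard" check is taken from the RFC 4861 validation rules (hop limit 255, ICMP code 0, non-multicast target); the frames, the `KNOWN_USERS` table and all function names are constructed for this example, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

# ICMPv6 message types used by Neighbor Discovery (RFC 4861).
ICMPV6_NS = 135            # Neighbor Solicitation
ICMPV6_NA = 136            # Neighbor Advertisement
ICMPV6_NEXT_HEADER = 58
UNSPECIFIED = ipaddress.IPv6Address("::")


def build_frame(src, dst, icmp_type, target, hop_limit=255, code=0):
    """Constructed sample input: a minimal IPv6 + ICMPv6 ND packet without
    options; the ICMPv6 checksum is left as zero and is not checked below."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0)
    icmp += ipaddress.IPv6Address(target).packed
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6_NEXT_HEADER, hop_limit)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip6 + icmp


def parse_nd(frame):
    """Return the fields the snooping logic needs, None if the packet is not
    IPv6/ICMPv6, and raise ValueError if it is truncated."""
    if len(frame) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", frame[:8])
    if vtf >> 28 != 6 or next_hdr != ICMPV6_NEXT_HEADER:
        return None
    icmp = frame[40:40 + payload_len]
    if len(icmp) < 24:  # type, code, checksum, reserved/flags, target address
        raise ValueError("truncated ICMPv6 ND message")
    return {
        "src": ipaddress.IPv6Address(frame[8:24]),
        "dst": ipaddress.IPv6Address(frame[24:40]),
        "hop_limit": hop_limit,
        "type": icmp[0],
        "code": icmp[1],
        "target": ipaddress.IPv6Address(icmp[8:24]),
    }


def classify(frame, src_mac, known_users):
    """Steps 101/102 decision: 'drop', 'not-nd', 'dad', 'ns' or 'na'.

    known_users is the set of (MAC, IPv6Address) pairs already in the ND
    Snooping records; src_mac is the MAC the frame arrived with."""
    try:
        pkt = parse_nd(frame)
    except ValueError:
        return "drop"
    if pkt is None or pkt["type"] not in (ICMPV6_NS, ICMPV6_NA):
        return "not-nd"
    # First class: conformance with the standard (RFC 4861 validation rules).
    if pkt["hop_limit"] != 255 or pkt["code"] != 0 or pkt["target"].is_multicast:
        return "drop"
    if pkt["type"] == ICMPV6_NS and pkt["src"] == UNSPECIFIED:
        # DAD probe: its source cannot be in the records, so the second class
        # of check is skipped, as the page states.
        return "dad"
    # Second class: source MAC and source IPv6 address must be a recorded user.
    if (src_mac, pkt["src"]) not in known_users:
        return "drop"
    return "ns" if pkt["type"] == ICMPV6_NS else "na"


# Constructed records and frames for the demonstration.
USER_MAC = "00:11:22:33:44:55"
KNOWN_USERS = {(USER_MAC, ipaddress.IPv6Address("2001:db8::1"))}
SAMPLES = {
    "dad_probe": build_frame("::", "ff02::1:ff00:1", ICMPV6_NS, "2001:db8::1"),
    "ns_known": build_frame("2001:db8::1", "ff02::1:ff00:2", ICMPV6_NS, "2001:db8::2"),
    "na_known": build_frame("2001:db8::1", "ff02::1", ICMPV6_NA, "2001:db8::1"),
    "ns_unknown": build_frame("2001:db8::99", "ff02::1:ff00:2", ICMPV6_NS, "2001:db8::2"),
    "bad_hop_limit": build_frame("::", "ff02::1:ff00:1", ICMPV6_NS, "2001:db8::1", hop_limit=64),
    "truncated": build_frame("::", "ff02::1:ff00:1", ICMPV6_NS, "2001:db8::1")[:50],
}


def demo():
    """Run every sample through the classifier; returns {name: decision}."""
    return {name: classify(frame, USER_MAC, KNOWN_USERS) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14s} -> {decision}")
```

The decision `dad` is what hands the message to the per-MAC entry-limit check of Step 102; `ns` and `na` are legitimate messages from a recorded user that continue down the normal flow, and `drop` is the discard flow for anything malformed, non-conformant or from an unrecorded source.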
Step 103: the user records are checked periodically to determine whether the state of each IPv6 address has timed out; if so, timeout handling is performed, which specifically comprises:
if the initial state of an IPv6 address times out, the IPv6 address is determined to have passed duplicate address detection; the IPv6 address node is moved to the binding state and the IPv6 Source Guard module is called to bind the IPv6 address to the user-side port;
if the binding state of an IPv6 address times out, neighbor unreachability detection is to be initiated to confirm whether the IPv6 address is still being used by the user; the IPv6 address node is moved to the query state and the access device actively initiates neighbor unreachability detection;
if the query state of an IPv6 address times out, the IPv6 address is determined to be no longer in use; the IPv6 Source Guard module is called to delete the IPv6 address binding, the IPv6 address node is deleted, the other IPv6 addresses under the same MAC address that are in the binding state are transferred to the query state, and the access device actively initiates neighbor unreachability detection to confirm whether the other IPv6 addresses of this MAC user are in use.
For the IPv6 address information of one MAC address, the embodiment designs the data structure of the ND Snooping table record as follows: all IPv6 addresses under the same MAC address are attached to one linked list. Each IPv6 address still keeps its own state and can perform state transitions independently, but it may also be driven into a state transition by a different IPv6 address of the same MAC address, and the maximum number of IPv6 address entries of one MAC address can be limited. In the data structure, the IPv6 user information, comprising PORT, MAC, VLAN, PVC and Max Address Num, is recorded as basic information in the head node of the linked list, and a pointer links to the address list corresponding to this MAC address. Max Address Num limits the number of IPv6 addresses of this MAC address user that can be used for effective access; IPv6 addresses beyond the maximum entry count are neither monitored nor bound, and therefore cannot effectively access the network. Each node of the address list holds IPv6Address, AddressStatus, Time and Next Address Node Pointer.
In the prior art the different IPv6 addresses under the same MAC address usually come online and go offline together, but ND Snooping does not consider this correlation, so the hardware resources consumed by IPv6 address bindings cannot be released promptly and effectively. In the state transition process of the embodiment, all IPv6 addresses under the same MAC address are treated as one group of data and their state transitions are associated, i.e. the state transitions of the IPv6 addresses under one MAC address can influence each other. The specific implementation of the state transitions comprises:
after the ND Snooping function is enabled, entering the init state;
in the init state, if duplicate address detection is heard, first judge whether the number of IPv6 addresses of this MAC address user has reached the maximum entry limit; if so, return to the init state; otherwise add a new IPv6 address node, which enters the initial state, and notify the other IPv6 addresses of this MAC address user, forcing them to transfer to the query state. The maximum entry limit effectively prevents a user from maliciously adding IPv6 addresses without end to attack the ND Snooping mechanism and exhaust the IPv6 address binding resources of the access network equipment.
In the initial state of an IPv6 address, if a duplicate address detection response is received, the IPv6 address node is deleted and the address moves to the init state; otherwise, after the duplicate address detection check times out (1s), the IPv6 address transitions to the binding state and its effective lifetime is set to 2h.
In the binding state of an IPv6 address, if one of the following three conditions is met, the IPv6 address is forcibly moved to the query state, its effective lifetime is set to 1s, and neighbor unreachability detection is carried out:
1. within the binding timeout (2h), another IPv6 address under the same MAC address moves from the query state to the init state;
2. within the binding timeout (2h), a new IPv6 address is added under the same MAC address and moves from the init state to the initial state;
3. the binding time times out.
Condition 1 reflects that the IPv6 addresses under one MAC address are usually online together, i.e. used together and left together; when the user leaves, the access device cannot learn of it, so once any IPv6 address under this MAC address is heard to be unreachable, one round of neighbor unreachability detection is carried out on all IPv6 addresses under this MAC address, which effectively accelerates the aging of invalid IPv6 address bindings and improves the efficiency of ND Snooping. Under condition 2, when a new IPv6 address is added under a MAC address, the access device actively carries out one round of neighbor unreachability detection on all IPv6 addresses under this MAC address, which effectively prevents a user from maliciously initiating duplicate address detection for IPv6 addresses it does not really use in order to consume the IPv6 address binding resources of the access device. Condition 3 is the ordinary IPv6 address validity detection, which avoids the access network equipment never being able to release resources after the user leaves.
When an IPv6 address is in the query state, if a neighbor unreachability detection response is received, the IPv6 address is considered still in use by the user; the query state moves to the binding state and the effective lifetime is reset to 2h. If neighbor unreachability detection times out (1s), the user of this IPv6 address is considered to have stopped using it; the address node is deleted, the address moves from the query state to the init state, and the other IPv6 addresses under this MAC address are notified to carry out neighbor unreachability detection and move to the query state.
As shown in Fig. 2, according to the method provided by the embodiment, if the type field in the ICMPv6 header of the ND Snooping message shows that the message is a Neighbor Solicitation message, the specific steps of the protocol handling flow comprise:
Step 201: the ND Snooping switch is enabled on the access network equipment, the driver module configures the chip to extract Neighbor Discovery messages, and the handling flow is in the initial state.
Step 202: message validity check; if the message is legitimate, proceed to step 203, otherwise discard the message and end the flow.
The check comprises mainly two classes: whether the Neighbor Discovery message meets the requirements of the standard protocol; and whether the source MAC address and source IPv6 address of the Neighbor Discovery message belong to a user already present in the ND Snooping records, except that a Neighbor Solicitation message whose source IPv6 address is empty is not subjected to the second class of check. A message that fails the validity check enters the discard flow directly, which effectively blocks illegitimate Neighbor Discovery attacks.
Step 203: check whether the source IPv6 address of the Neighbor Solicitation message is empty; if it is empty, the message is a duplicate address detection Neighbor Solicitation, so enter step 204 and start processing; otherwise enter step 209 and forward directly.
Step 204: look up the user record by the port and source MAC address of the Neighbor Solicitation message; if not found, enter step 205 and create a user record; if found, enter step 206 and check the maximum address count.
Step 205: from the information of the Neighbor Solicitation message, record the Port, MAC, VLAN and PVC of the message, create the user record, and proceed to step 208.
Step 206: judge whether the number of address nodes in the user record found has reached the maximum entry limit; if so, proceed to step 209; otherwise proceed to step 207.
Step 207: set the IPv6 addresses of the other address nodes in the user record to the query state and send Neighbor Solicitation messages to initiate neighbor unreachability detection.
Step 208: add the IPv6 address node, set the state of this IPv6 address to the initial state, and set its effective lifetime to 1s.
Step 209: Neighbor Advertisement messages whose destination MAC address is a unicast address are forwarded according to MAC address and VLAN; all other messages are flooded within the VLAN.
Step 210: the protocol handling flow ends.
As shown in Fig. 3, according to the method provided by the embodiment, if the type field in the ICMPv6 header of the ND Snooping message shows that the message is a Neighbor Advertisement message, the specific steps of the protocol handling flow comprise:
Step 301: the ND Snooping switch is enabled on the access network equipment, the driver module configures the chip to extract Neighbor Discovery messages, and the handling flow is in the initial state.
Step 302: message validity check; if the message is legitimate, proceed to step 303, otherwise proceed to step 312.
The check comprises mainly two classes: whether the Neighbor Discovery message meets the requirements of the standard protocol; and whether the source MAC address and source IPv6 address of the Neighbor Discovery message belong to a user already present in the ND Snooping records, except that a Neighbor Solicitation message whose source IPv6 address is empty is not subjected to the second class of check. A message that fails the validity check enters the discard flow directly, which effectively blocks illegitimate Neighbor Discovery attacks.
Step 303: using the IPv6 address in the target address of the ICMPv6 header of the Neighbor Advertisement message, search all address nodes that are in the initial state or the query state; if one is found, enter step 304 and start processing; otherwise enter step 311 and forward directly.
Step 304: judge whether the IPv6 address of the address node found is in the initial state; if so, enter step 307, otherwise enter step 305.
Step 305: judge whether the IPv6 address of the address node found is in the query state; if so, proceed to step 306; otherwise proceed to step 311.
Step 306: call the IPv6 Source Guard module to bind the IPv6 address, change the state of the IPv6 address of the address node to the binding state, set the maximum effective lifetime to 2h, and proceed to step 311.
Step 307: call the IPv6 Source Guard module to delete the binding of this IPv6 address, and delete the IPv6 address node.
Step 308: judge whether the address node list of this user record is empty; if so, proceed to step 310; otherwise proceed to step 309.
Step 309: delete the user record and end the flow after forwarding the message.
Step 310: set the IPv6 addresses of the other address nodes in the user record to the query state and send Neighbor Solicitation messages to initiate neighbor unreachability detection.
Step 311: Neighbor Advertisement messages whose destination MAC address is a unicast address are forwarded according to MAC address and VLAN; all other messages are flooded within the VLAN, and the flow ends.
Step 312: discard the message.
Step 313: the protocol handling flow ends.
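As an added example (not the patent's or ZTE's code, and not the hardware implementation), the following Python simulation implements the per-MAC state machine described above together with the Neighbor Solicitation flow of Fig. 2 and the Neighbor Advertisement flow of Fig. 3: one user record per (port, MAC) carries the address nodes with their initial, binding and query states, `Max Address Num` caps the nodes, the 1s and 2h timers drive the transitions of step 103, and adding or losing an address forces the MAC's bound addresses into the query state (conditions 1 and 2). The `bindings` set stands in for the IPv6 Source Guard table and `nud_probes` records the neighbor unreachability detection solicitations the device would send; the port, MAC, addresses, timeline and `max_address_num=3` in `demo()` are constructed. One simplification is marked in the code: only addresses already in the binding state are forced into the query state, so an address still in duplicate address detection keeps its initial state.

```python
from dataclasses import dataclass, field
# Timers stated on the page: DAD and NUD wait 1 s, a binding lives 2 h.
DAD_TIMEOUT = QUERY_TIMEOUT = 1
BIND_LIFETIME = 2 * 3600
INITIAL, BINDING, QUERY = "initial", "binding", "query"

@dataclass
class AddressNode:  # address list node: IPv6Address, AddressStatus, Time
    ip: str
    state: str
    expires: float  # absolute time at which the current state times out

@dataclass
class UserRecord:  # list head: PORT, MAC, VLAN, PVC, Max Address Num, then the nodes
    port: str
    mac: str
    vlan: int
    pvc: int
    max_address_num: int
    addresses: list = field(default_factory=list)

class NdSnooping:
    def __init__(self, max_address_num):
        self.max_address_num = max_address_num
        self.users = {}        # (port, mac) -> UserRecord
        self.bindings = set()  # (port, ip); stands in for the IPv6 Source Guard table
        self.nud_probes = []   # (ip, time) of the NUD solicitations the device would send

    def _force_query(self, rec, now):
        """Conditions 1 and 2: re-verify the MAC's bound addresses with NUD
        (simplification: an address still in DAD keeps its initial state)."""
        for n in rec.addresses:
            if n.state == BINDING:
                n.state, n.expires = QUERY, now + QUERY_TIMEOUT
                self.nud_probes.append((n.ip, now))

    def _delete_node(self, rec, node, now):
        """Unbind and drop a node; probe the remaining addresses or drop the record."""
        self.bindings.discard((rec.port, node.ip))
        rec.addresses.remove(node)
        if rec.addresses:
            self._force_query(rec, now)
        else:
            del self.users[(rec.port, rec.mac)]

    def on_dad_solicit(self, port, mac, vlan, pvc, target, now):
        """Steps 204-208: a DAD Neighbor Solicitation from this port and MAC."""
        rec = self.users.get((port, mac))
        if rec is None:  # step 205: first address of this user, create the record
            rec = self.users[(port, mac)] = UserRecord(port, mac, vlan, pvc, self.max_address_num)
        elif len(rec.addresses) >= rec.max_address_num:  # step 206
            return "limit"  # stays in init state: not monitored and never bound
        else:  # step 207
            self._force_query(rec, now)
        rec.addresses.append(AddressNode(target, INITIAL, now + DAD_TIMEOUT))  # step 208
        return INITIAL

    def on_advertise(self, target, now):
        """Steps 303-310: a Neighbor Advertisement whose target is a known address."""
        hits = ((r, n) for r in self.users.values() for n in r.addresses if n.ip == target)
        rec, node = next(hits, (None, None))
        if node is None or node.state == BINDING:
            return "forward"  # step 311
        if node.state == QUERY:  # step 306: NUD answered, renew the binding
            self.bindings.add((rec.port, node.ip))
            node.state, node.expires = BINDING, now + BIND_LIFETIME
            return BINDING
        self._delete_node(rec, node, now)  # steps 307-310: DAD objection, duplicate address
        return "deleted"

    def tick(self, now):
        """Step 103 timeout handling, run periodically over every user record."""
        for rec in list(self.users.values()):
            for node in list(rec.addresses):
                if node.expires > now:
                    continue
                if node.state == INITIAL:  # DAD passed: bind to the user-side port
                    self.bindings.add((rec.port, node.ip))
                    node.state, node.expires = BINDING, now + BIND_LIFETIME
                elif node.state == BINDING:  # lifetime over: ask whether still in use
                    node.state, node.expires = QUERY, now + QUERY_TIMEOUT
                    self.nud_probes.append((node.ip, now))
                else:  # query unanswered: the address is gone
                    self._delete_node(rec, node, now)

def demo():
    """Constructed scenario: one MAC keeps adding addresses, the attack the page describes."""
    snoop = NdSnooping(max_address_num=3)
    port, mac = "port1", "00:11:22:33:44:55"
    dad = [snoop.on_dad_solicit(port, mac, 10, 0, f"2001:db8::{i}", now=0) for i in (1, 2)]
    snoop.tick(now=1)  # DAD timers expire: ::1 and ::2 are bound
    bound_after_dad = len(snoop.bindings)
    dad += [snoop.on_dad_solicit(port, mac, 10, 0, f"2001:db8::{i}", now=10) for i in (3, 4)]
    snoop.on_advertise("2001:db8::1", now=10.5)  # only ::1 answers the NUD probe
    snoop.tick(now=11)  # ::2 ages out and is unbound, ::3 passes DAD
    return {"dad_results": dad, "bound_after_dad": bound_after_dad,
            "final_bindings": sorted(ip for _, ip in snoop.bindings),
            "final_states": {n.ip: n.state for n in snoop.users[(port, mac)].addresses},
            "nud_probes": len(snoop.nud_probes)}
```

In the scenario the fourth duplicate address detection is refused with `limit` because three nodes already hang under the MAC, which is the entry cap the patent adds; the third address also triggers condition 2, so the two bound addresses are probed, and the one that does not answer within the 1s query timeout is unbound and removed, which in turn (condition 1) sends the remaining bound address back into the query state.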
As shown in Fig. 4, according to the method embodiment above, the invention also provides a device for improving the security of neighbor discovery snooping, comprising:
a message validity detection module 401, for performing a validity check on the extracted neighbor discovery message and, if the message is legitimate, determining from the type and content of the neighbor discovery message whether it is a duplicate address detection message.
In embodiments of the invention, a message that fails the validity check enters the discard flow directly, which effectively blocks illegitimate neighbor discovery attacks.
A duplicate address detection module 402, for extracting the neighbor discovery message and judging whether it is a duplicate address detection message, and, if so, handing over to the access number limiting module;
an access number limiting module 403, for judging whether the number of IPv6 addresses attached under the source MAC address of the neighbor discovery message has reached the preset maximum entry limit; if so, returning to the init state; otherwise adding a new IPv6 address node, which enters the initial state, and transferring the other IPv6 addresses attached under the source MAC address to the query state.
Determining from the type and content of the neighbor discovery message whether it is a duplicate address detection message, as performed by the message validity detection module 401, comprises:
according to the type field in the ICMPv6 header of the neighbor discovery message, determining whether the message is a neighbor solicitation message or a neighbor advertisement message;
if the neighbor discovery message is a neighbor solicitation message, determining whether the source IPv6 address of the neighbor solicitation message is empty; if it is empty, the message is determined to be a duplicate address detection neighbor solicitation.
In addition, if the message validity detection module 401 determines that the neighbor discovery message is a neighbor advertisement message, it parses the target address in the ICMPv6 header of the message and looks up the address node by the target address; if that IPv6 address is in the initial state, the IPv6 address node is deleted; if it is in the query state, the state of the IPv6 address is changed to the binding state and the maximum effective lifetime of the binding state is set.
A timeout handling module 404, for checking the user records periodically and determining whether the state of each IPv6 address has timed out: if the initial state of an IPv6 address times out, the IPv6 address is determined to have passed duplicate address detection, the IPv6 address node is moved to the binding state, and the IPv6 address is bound to the user-side port; if the binding state of an IPv6 address times out, neighbor unreachability detection is initiated to confirm whether the IPv6 address is still being used by the user, the IPv6 address node is moved to the query state, and neighbor unreachability detection is actively initiated; if the query state of an IPv6 address times out, the IPv6 address binding is deleted, the other IPv6 addresses under the same MAC address that are in the binding state are transferred to the query state, and neighbor unreachability detection is actively initiated to confirm whether the other IPv6 addresses of this MAC user are in use.
With the method provided by the embodiment, the access device can be configured with the number of IPv6 addresses that the same MAC address is allowed to use effectively, so that a network attacker cannot keep adding IPv6 addresses on an IPv6 user terminal to maliciously consume the IPv6 address binding resources of the access device, thereby protecting the ND Snooping mechanism.
In summary, the above embodiments of the invention provide a method and network element device for improving the security of the ND Snooping function, which can effectively improve the security of ND Snooping and prevent the ND Snooping function itself from being attacked.
The method of the invention is not limited to the embodiments described; other implementations derived by those skilled in the art from the technical scheme of the invention likewise fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these changes and modifications fall within the scope of the claims of the invention and their technical equivalents, the invention is intended to cover them as well.

Claims (8)

1. A method for improving the security of neighbor discovery snooping, characterized in that it comprises:
an access device extracts a neighbor discovery (ND) message; if it determines that the ND message is a neighbor advertisement message, it parses the IPv6 address in the destination address field of the ICMPv6 packet header of this message and searches for the address node according to this IPv6 address; if this IPv6 address is in the initial state, this IPv6 address node is deleted; if this IPv6 address is in the query state, the state of the IPv6 address is changed to the binding state, the maximum effective lifetime value of this binding state is set, and it is judged whether this ND message is a duplicate address detection message;
if it is a duplicate address detection message, it is judged whether the number of IPv6 addresses carried by the source MAC of this ND message has reached the preset maximum entry limit; if it has, the state of this IPv6 address in the ND snooping procedure is set to the initial state; if it has not, a new IPv6 address node is added, this new IPv6 address enters the initial state, and the other IPv6 addresses carried by the source MAC are transferred to the query state.
2. The method of claim 1, characterized in that, before judging whether this ND message is a duplicate address detection message, it further comprises:
performing a validity check on the extracted ND message and, if it is a legal message, determining whether this ND message is a duplicate address detection message according to the type and content of the ND message.
3. The method of claim 2, characterized in that determining whether this ND message is a duplicate address detection message according to the type and content of the ND message comprises:
determining, according to the type field in the ICMPv6 packet header of the ND message, whether the message is a neighbor solicitation message or a neighbor advertisement message;
if the ND message is a neighbor solicitation message, determining whether the source IPv6 address of the neighbor solicitation message is empty and, if it is empty, determining it to be a duplicate address detection neighbor solicitation message.
4. The method of claim 1, characterized in that, after transferring the other IPv6 addresses of this MAC address user to the query state, it further comprises:
periodically accessing the user record and determining whether the state of each IPv6 address has timed out, which specifically comprises:
if the initial state of an IPv6 address times out, determining that this IPv6 address has passed duplicate address detection, moving this IPv6 address node to the binding state, and binding the IPv6 address to the user-side port;
if the binding state of an IPv6 address times out, determining that neighbor unreachability detection is to be initiated to confirm whether this IPv6 address is still being used by the user, moving this IPv6 address node to the query state, and the access device actively initiating neighbor unreachability detection;
if the query state of an IPv6 address times out, determining that this IPv6 address is no longer in use, deleting this IPv6 address binding, transferring the other IPv6 addresses under the same MAC that are in the binding state to the query state, and the access device actively initiating neighbor unreachability detection to confirm whether the other IPv6 addresses of this MAC user are in use.
5. A device for improving the security of neighbor discovery snooping, characterized in that it comprises:
a duplicate address detection module, for extracting a neighbor discovery (ND) message and judging whether this ND message is a duplicate address detection message, and if so, proceeding to the access number limiting module;
a message validity checking module, for determining that the ND message is a neighbor advertisement message, parsing the IPv6 address in the destination address field of the ICMPv6 packet header of this message, and searching for the address node according to this IPv6 address; if this IPv6 address is in the initial state, deleting this IPv6 address node; if this IPv6 address is in the query state, changing the state of the IPv6 address to the binding state and setting the maximum effective lifetime value of this binding state;
an access number limiting module, for judging whether the number of IPv6 addresses carried by the source MAC of the ND message has reached the preset maximum entry limit; if so, returning to the initial state; otherwise, adding a new IPv6 address node, this new IPv6 address entering the initial state, and transferring the other IPv6 addresses carried by the source MAC to the query state.
6. The device of claim 5, characterized in that it further comprises:
a message validity detection module, for performing a validity check on the extracted ND message and, if it is a legal message, determining whether this ND message is a duplicate address detection message according to the type and content of the ND message.
7. The device of claim 5, characterized in that the message validity detection module, in determining whether this ND message is a duplicate address detection message according to the type and content of the ND message, is used for:
determining, according to the type field in the ICMPv6 packet header of the ND message, whether the message is a neighbor solicitation message or a neighbor advertisement message; and if the ND message is a neighbor solicitation message, determining whether the source IPv6 address of the neighbor solicitation message is empty and, if it is empty, determining it to be a duplicate address detection neighbor solicitation message.
8. The device of claim 5, characterized in that it further comprises:
a timeout processing module, for periodically accessing the user record and determining whether the state of each IPv6 address has timed out; if the initial state of an IPv6 address times out, determining that this IPv6 address has passed duplicate address detection, moving this IPv6 address node to the binding state, and binding the IPv6 address to the user-side port; if the binding state of an IPv6 address times out, initiating neighbor unreachability detection to confirm whether this IPv6 address is still being used by the user, moving this IPv6 address node to the query state, and actively initiating neighbor unreachability detection; if the query state of an IPv6 address times out, deleting this IPv6 address binding, transferring the other IPv6 addresses under the same MAC that are in the binding state to the query state, and actively initiating neighbor unreachability detection to confirm whether the other IPv6 addresses of this MAC user are in use.
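The claims describe one per-address state machine (initial, query, binding) driven by two kinds of events: ND messages (a neighbor advertisement, or a neighbor solicitation with an empty source that marks duplicate address detection) and per-state timeouts, with a per-MAC cap on how many addresses one user may bind. The following is an added illustration of that state machine and is not code from the patent or from ZTE. The class and method names (`BindingTable`, `handle`, `tick`), the lifetime values, and the message representation (plain dicts constructed inline rather than parsed ICMPv6) are assumptions; so is the choice that only addresses already in the binding state are pushed to the query state when a sibling address starts DAD or times out, which follows the wording of claim 4. The validity check of claim 2 is outside the example.

```python
from dataclasses import dataclass
from enum import Enum

# ICMPv6 type values from RFC 4861; the claims only say "the type field".
ICMPV6_NS = 135   # neighbor solicitation
ICMPV6_NA = 136   # neighbor advertisement
UNSPECIFIED = "::"  # "empty" source address of a DAD solicitation


class State(Enum):
    INITIAL = "initial"   # DAD running; address not yet bound to the port
    QUERY = "query"       # neighbor unreachability detection (NUD) running
    BINDING = "binding"   # address bound to the user-side port


@dataclass
class Node:
    mac: str
    ip: str
    state: State
    expires: float  # absolute time at which the current state times out


class BindingTable:
    """ND-snooping binding table kept by the access device (assumed model)."""

    def __init__(self, max_per_mac=2, initial_life=1.0, binding_life=300.0, query_life=5.0):
        self.max_per_mac = max_per_mac          # "preset maximum entry limit" per source MAC
        self.life = {State.INITIAL: initial_life,  # assumed lifetimes, in seconds
                     State.BINDING: binding_life,
                     State.QUERY: query_life}
        self.nodes = {}            # (mac, ip) -> Node
        self.nud_sent = []         # addresses for which the device actively initiated NUD
        self.port_bindings = set() # (mac, ip) pairs currently bound to the user-side port

    def _set(self, node, state, now):
        node.state = state
        node.expires = now + self.life[state]

    def _by_mac(self, mac):
        return [n for n in self.nodes.values() if n.mac == mac]

    def _start_nud(self, node, now):
        # Claims 1 and 4: move to the query state and actively initiate NUD.
        self._set(node, State.QUERY, now)
        self.nud_sent.append(node.ip)

    def handle(self, msg, now):
        """msg is a constructed dict: type, src_mac, src_ip, target (ICMPv6 target address)."""
        if msg["type"] == ICMPV6_NA:
            return self._handle_na(msg, now)
        if msg["type"] == ICMPV6_NS and msg["src_ip"] == UNSPECIFIED:
            return self._handle_dad_ns(msg, now)   # claim 3: empty source => DAD solicitation
        return "ignored"

    def _handle_na(self, msg, now):
        # Claim 1: look the advertised address up in the table.
        hits = [n for n in self.nodes.values() if n.ip == msg["target"]]
        if not hits:
            return "no-node"
        node = hits[0]
        if node.state is State.INITIAL:
            # Someone already owns the address while DAD was pending: drop the candidate.
            del self.nodes[(node.mac, node.ip)]
            return "dad-failed"
        if node.state is State.QUERY:
            # The user answered NUD: restore the binding with its maximum lifetime.
            self._set(node, State.BINDING, now)
            return "nud-confirmed"
        return "already-bound"

    def _handle_dad_ns(self, msg, now):
        mac, target = msg["src_mac"], msg["target"]
        # Claim 1: per-MAC cap on addresses, so one host cannot fill the table.
        if len(self._by_mac(mac)) >= self.max_per_mac:
            return "limit-reached"
        # New address starts DAD; the MAC's bound addresses are re-verified via NUD.
        for other in self._by_mac(mac):
            if other.state is State.BINDING:
                self._start_nud(other, now)
        self.nodes[(mac, target)] = Node(mac, target, State.INITIAL, now + self.life[State.INITIAL])
        return "dad-started"

    def tick(self, now):
        """Claim 4: periodic sweep of the table; returns the transitions taken."""
        events = []
        for key, node in list(self.nodes.items()):
            if node.expires > now:
                continue
            if node.state is State.INITIAL:      # DAD passed: bind to the user-side port
                self._set(node, State.BINDING, now)
                self.port_bindings.add(key)
                events.append(("bound", node.ip))
            elif node.state is State.BINDING:    # lifetime over: confirm the address is in use
                self._start_nud(node, now)
                events.append(("nud", node.ip))
            else:                                # NUD unanswered: release, re-check siblings
                del self.nodes[key]
                self.port_bindings.discard(key)
                events.append(("deleted", node.ip))
                for other in self._by_mac(node.mac):
                    if other.state is State.BINDING:
                        self._start_nud(other, now)
                        events.append(("nud", other.ip))
        return events

    def states(self):
        return {n.ip: n.state.value for n in self.nodes.values()}


def demo():
    """Walk one user through DAD, NUD, the per-MAC limit, and a failed DAD (constructed input)."""
    t = BindingTable(max_per_mac=2, initial_life=1.0, binding_life=10.0, query_life=2.0)
    mac, other_mac = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    dad = lambda m, ip: {"type": ICMPV6_NS, "src_mac": m, "src_ip": UNSPECIFIED, "target": ip}
    na = lambda m, ip: {"type": ICMPV6_NA, "src_mac": m, "src_ip": ip, "target": ip}
    r = {}
    r["r1"] = t.handle(dad(mac, "2001:db8::1"), now=0.0)
    r["ev1"] = t.tick(1.0)
    r["r2"] = t.handle(dad(mac, "2001:db8::2"), now=2.0)
    r["r3"] = t.handle(na(mac, "2001:db8::1"), now=2.5)
    r["r4"] = t.handle(dad(mac, "2001:db8::3"), now=2.6)
    r["r5"] = t.handle(na(other_mac, "2001:db8::2"), now=2.7)
    r["mid"] = t.states()
    r["ev2"] = t.tick(12.5)
    r["ev3"] = t.tick(14.5)
    r["final"] = t.states()
    r["nud_count"] = len(t.nud_sent)
    r["bound"] = sorted(t.port_bindings)
    return r
```

Running `demo()` shows the whole cycle: the first DAD solicitation creates an initial-state node that becomes a port binding when its timer expires; the second address's DAD pushes the first one into NUD, which the advertisement then confirms; a third address is refused by the per-MAC limit; an advertisement for the pending second address from a different MAC deletes it as a DAD failure; and the surviving binding is finally released after its binding and query timers both expire.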
CN201110029943.3A 2011-01-27 2011-01-27 A kind of method and device improving safety of neighbor discovery snooping Expired - Fee Related CN102130905B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201110029943.3A CN102130905B (en) 2011-01-27 2011-01-27 A kind of method and device improving safety of neighbor discovery snooping
PCT/CN2011/075977 WO2012100494A1 (en) 2011-01-27 2011-06-20 Method and apparatus for improving security of neighbor discovery snooping

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110029943.3A CN102130905B (en) 2011-01-27 2011-01-27 A kind of method and device improving safety of neighbor discovery snooping

Publications (2)

Publication Number Publication Date
CN102130905A CN102130905A (en) 2011-07-20
CN102130905B true CN102130905B (en) 2015-09-16

Family

ID=44268795

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110029943.3A Expired - Fee Related CN102130905B (en) 2011-01-27 2011-01-27 A kind of method and device improving safety of neighbor discovery snooping

Country Status (2)

Country Link
CN (1) CN102130905B (en)
WO (1) WO2012100494A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103414641B (en) * 2013-07-25 2016-12-28 福建星网锐捷网络有限公司 Neighbor table item release, device and the network equipment
CN104394243B (en) * 2014-12-15 2018-10-19 北京搜狐新媒体信息技术有限公司 A kind of repeat address detecting method and device
US10630700B2 (en) 2016-10-28 2020-04-21 Hewlett Packard Enterprise Development Lp Probe counter state for neighbor discovery
CN114760264A (en) * 2022-04-20 2022-07-15 浪潮思科网络科技有限公司 Neighbor state optimization method, device and medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582888A (en) * 2009-06-01 2009-11-18 杭州华三通信技术有限公司 Method for creating neighbor discovery table item and server
CN101651696A (en) * 2009-09-17 2010-02-17 杭州华三通信技术有限公司 Method and device for preventing neighbor discovery (ND) attack

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007046597A1 (en) * 2005-10-15 2007-04-26 Electronics And Telecommunications Research Institute Method for supporting ipv6 neighbor discovery in point-to-point oriented broadband wireless network
KR100656378B1 (en) * 2005-10-15 2006-12-11 한국전자통신연구원 Method and system for ipv6 neighbor discovery method for point-to-point oriented broadband wireless network
CN101552783B (en) * 2009-05-20 2012-07-04 杭州华三通信技术有限公司 Method and apparatus for preventing counterfeit message attack
CN101938411B (en) * 2010-08-03 2012-04-18 杭州华三通信技术有限公司 Method and equipment for processing ND snooping item

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582888A (en) * 2009-06-01 2009-11-18 杭州华三通信技术有限公司 Method for creating neighbor discovery table item and server
CN101651696A (en) * 2009-09-17 2010-02-17 杭州华三通信技术有限公司 Method and device for preventing neighbor discovery (ND) attack

Also Published As

Publication number Publication date
CN102130905A (en) 2011-07-20
WO2012100494A1 (en) 2012-08-02

Similar Documents

Publication Publication Date Title
CN101179583B (en) Method and equipment preventing user counterfeit internet
KR100992968B1 (en) Network switch and method for protecting ip address conflict thereof
CN101453495B (en) Method, system and equipment for preventing authentication address resolution protocol information loss
CN100344132C (en) Method for assuring automatic protecting system regular service of Ethernet
CN103609089B (en) A kind of preventing is attached to the method and device of Denial of Service attack on the main frame of subnet
EP2744178B1 (en) Method for rapidly establishing dual-stack wireless connection and wireless terminal device
CN102130905B (en) A kind of method and device improving safety of neighbor discovery snooping
EP2169877A1 (en) Processing method and device for qinq termination configuration
CN101764734A (en) Method for improving neighbor discovery safety in IPv6 (Internet Protocol Version 6) environment and broadband access equipment
CN102014109A (en) Flood attack prevention method and device
CN103595638B (en) A kind of MAC address learning method and device
CN107241313B (en) Method and device for preventing MAC flooding attack
CN104579718A (en) Device and method for optimizing ARP aging mechanism
CN101453447A (en) Customer aging method for dynamic host configuration protocol DHCP and access equipment
JP5134141B2 (en) Unauthorized access blocking control method
CN101552783A (en) Method and apparatus for preventing counterfeit message attack
CN106331190A (en) IP address withdrawing method and device, and dynamic host configuration protocol server
JP2006287299A (en) Network control method and device, and control program
CN103347031B (en) A kind of method and apparatus taking precautions against ARP message aggression
CN103516821A (en) Address resolution method, corresponding system, switch, and server
CN109246762A (en) A kind of local service shunt method and device
CN101043356A (en) Method for preventing MAC address cheat
CN101729314A (en) Method and device for recovering dynamic table entries and dynamic host configuration protocol snooping equipment
WO2012139466A1 (en) Resource management method and device
CN103078799B (en) The processing method of neighbor entry and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150916

Termination date: 20200127