CN102136985A - Access method and equipment - Google Patents

Access method and equipment

Publication number: CN102136985A
Authority: CN (China)
Prior art keywords: client, address, message, access device, physical
Legal status: Granted
Application number: CN2010101037950A
Other languages: Chinese (zh)
Other versions: CN102136985B (en)
Inventor: 林涛
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by: Hangzhou H3C Technologies Co Ltd
Priority to: CN201010103795.0A
Classification: Data Exchanges In Wide-Area Networks
Abstract

The invention provides an access method and an access device. The method comprises: when the access device learns an IP address of a client, starting a neighbor learning function, and temporarily forwarding or dropping packets from the client while neighbor learning is in progress; and when the access device learns, through the neighbor learning function, that the physical information of the client and the IP address actually correspond, forwarding packets from the client and allowing the client access. With the invention, access control can be applied to clients based on their IP addresses, and forged-source-address attacks can be prevented.

Description

An access method and access device
Technical field
The present invention relates to the field of access authentication technology, and in particular to an access method and an access device.
Background
In existing IPv4/IPv6 networks, the 802.1X protocol is usually simply used to provide access authentication for clients. Fig. 1 is a schematic structural diagram of an existing 802.1X authentication system, which comprises a client, an access device, and an authentication server. The client must support Extensible Authentication Protocol over LAN (EAPoL). The access device is a network device at one end of the LAN that authenticates the connected clients; it usually supports the 802.1X protocol and provides clients with a port for accessing the LAN. The authentication server is the entity that provides the authentication service to the access device and performs the authentication of clients; it is usually a Remote Authentication Dial-In User Service (RADIUS) server.
Some existing IPv4/IPv6 networks use the 802.1X authentication protocol for access authentication. This approach can only authenticate and control clients based on port information: the network administrator cannot learn the IPv4/IPv6 addresses of the accessing clients and cannot use those addresses to apply access control to the clients.
In IPv4/IPv6 networks that do not use the 802.1X authentication protocol for access authentication, the access device would like to perform access authentication on the source IP address of the accessing user, so that it can monitor all forwarded packets and block forged-source-IP-address attacks. This authentication mode requires that the access device can obtain the client's IP address, which in turn requires the network to assign client IP addresses using the Dynamic Host Configuration Protocol (DHCP). In real IPv4/IPv6 networks, however, many clients have IP addresses that were not assigned through DHCP; for these clients the access device cannot obtain the IP address and therefore cannot apply IP-address-based access control.
In summary, the prior art cannot apply IP-address-based access control to clients to prevent forged-source-address attacks.
Summary of the invention
The present invention proposes an access method for applying access control to clients based on IP address and preventing forged-source-address attacks.
The present invention also proposes an access device for applying access control to clients based on IP address and preventing forged-source-address attacks.
The technical solution of the present invention is implemented as follows:
An access method, comprising:
when the access device learns the IP address of a client, starting a neighbor learning function and, while neighbor learning is in progress, temporarily forwarding or dropping packets from the client;
when the access device learns, through the neighbor learning function, that the physical information of the client and the IP address actually correspond, forwarding packets from the client and allowing the client access.
An access device, comprising a CPU and a forwarding processor, wherein the CPU comprises a source address learning module and an instruction sending module;
the source address learning module is configured to learn the IP address of a client, and further to use the neighbor learning function to learn whether the physical address of the client and the IP address actually correspond;
the instruction sending module is configured to send a first instruction to the forwarding processor when the source address learning module learns the IP address of the client, the first instruction being: temporarily forward or drop packets from the client; and further to send a second instruction to the forwarding processor when the source address learning module learns that the physical address of the client and the IP address actually correspond, the second instruction being: forward packets from the client;
the forwarding processor is configured to temporarily forward or drop packets from the client according to the first instruction, and further to forward packets from the client according to the second instruction.
As can be seen, the method and access device proposed by the present invention can conveniently obtain multiple IP addresses of a client and apply access control to the client based on IP address, thereby effectively preventing the client from carrying out forged-source-address attacks. In addition, while the neighbor learning function is running and the access device has not yet determined whether the client has forged the IP address, temporarily forwarding or dropping packets from the client avoids a data surge.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of an existing 802.1X authentication system;
Fig. 2 is a flowchart of the access method of the present invention;
Fig. 3 is a flowchart of the access method in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the access device in an embodiment of the present invention.
Detailed description
The present invention proposes an access method applied to an access authentication system such as the one shown in Fig. 1. The invention mainly improves the access device in the system so as to achieve IP-address-based access control of clients. The access device and its functions are described in detail in the specific embodiments below.
Referring to Fig. 2, which is a flowchart of the access method of the present invention, the method comprises:
Step 201: When the access device learns the IP address of a client, it starts a neighbor learning function and, while neighbor learning is in progress, temporarily forwards or drops packets from the client.
Step 202: When the access device learns, through the neighbor learning function, that the physical information of the client and the IP address actually correspond, it forwards packets from the client and allows the client access.
The above method may further comprise:
Step 203: When the access device learns, through the neighbor learning function, that the physical address of the client and the IP address do not actually correspond, it drops packets from the client and does not allow the client access.
In the above process, forwarding, dropping, and other handling of packets is implemented by generating a series of access control lists (ACLs) in the access device and applying them.
The access device comprises a CPU and a forwarding processor. To implement the above flow, the access device of the present invention has a source address learning module in the CPU, which learns the IP address of the client and performs the neighbor learning function. A specific embodiment is described in detail below.
Referring to Fig. 3, which is a flowchart of the access method in an embodiment of the present invention. In this embodiment, the access method proposed by the present invention is illustrated in combination with the existing 802.1X authentication protocol (the invention can of course also be combined with other authentication protocols, such as PORTAL or MAC address authentication, or used without any existing authentication protocol). The embodiment comprises:
Step 301: The access device receives a packet from client 1. After client 1 passes 802.1X authentication, the source address learning module in the CPU of the access device binds the physical information of client 1 (one or more of the access port number, VLAN ID, and MAC address) to the name of client 1, forming an entry in the client information table. The state of this entry is set to AUTH, indicating that the access device has completed access authentication of client 1 but has not yet learned the IP address of client 1. Table 1 shows the initial client information table established by the source address learning module after client 1 passes access authentication.
| Client name | IPv4 address | IPv6 link-local address | IPv6 global address | MAC address | VLAN ID | Port number | State |
|---|---|---|---|---|---|---|---|
| Client 1 | | | | LA1 | VLAN1 | P1 | AUTH |
| Client 2 | | | | | | | |
Table 1: Initial client information table
Step 302: Based on the client information table in Table 1, the CPU sets ACL1 and delivers ACL1 to the forwarding processor. The content of ACL1 is shown in Table 2:
| Match content | Action |
|---|---|
| Source MAC = LA1; VLAN ID = VLAN1; port number = P1 | Send up to CPU |
Table 2: ACL1
ACL1 means: the forwarding processor is required to send every packet that satisfies this match content, that is, every packet from client 1, up to the CPU.
Step 303: The forwarding processor in the access device receives a packet. When the packet satisfies the match content of ACL1, that is, when the packet comes from client 1, the forwarding processor performs the action of ACL1: it sends the packet up to the CPU.
The purpose of steps 302 and 303 is that, after client 1 passes authentication, the packets sent by client 1 are sent up to the CPU so that the source address learning module in the CPU can learn the IP address of client 1.
Step 304: The CPU receives the packet. The source address learning module in the CPU extracts the source address IP1 of the packet (that is, the IP address of the client that sent it) and looks up the user information table shown in Table 1 to determine whether IP1 is present in the client information table. If it is not present, go to step 305; if it is present, go to step 311.
Step 305: Determine whether the IP address of this client needs to be verified. If so, go to step 306; if not, go to step 308.
Step 306: The access device communicates with the server through the authentication protocol to check the legitimacy of IP1. If it is illegitimate, go to step 307; if it is legitimate, go to step 308.
Step 307: The CPU sets ACL2 according to the client information table and the source address IP1 extracted in step 304, delivers ACL2 to the forwarding processor, and places ACL2 before the previously delivered ACL1. The content of ACL2 is shown in Table 3:
| Match content | Action |
|---|---|
| Source MAC = LA1; VLAN ID = VLAN1; port number = P1; source IP address = IP1 | Drop or forward |
Table 3: ACL2
After this step is completed, the current flow ends.
In addition, the lifetime of ACL2 can be set to SOURCE_DENYTIME (default 5 minutes) to avoid occupying excessive resources.
Subsequently, after the access device receives a packet from client 1, the forwarding processor first matches the packet against ACL2. If the relevant information of the packet satisfies the match content of ACL2, the packet is illegitimate and is directly dropped or forwarded (an illegitimate packet may still be forwarded here because the neighbor address learning function has not yet been started to determine that client 1 forged the IP address, so packets from client 1 can be forwarded temporarily). If it does not satisfy ACL2, the packet is then matched against ACL1, after which the flow of this embodiment ends.
Step 308: The CPU sets ACL3 according to the user information table and the source address IP1 extracted in step 304, delivers ACL3 to the forwarding processor, and places ACL3 before the previously delivered ACL1. At the same time it immediately starts the neighbor learning function, that is, performs step 309.
The content of ACL3 is shown in Table 4:
| Match content | Action |
|---|---|
| Source MAC = LA1; VLAN ID = VLAN1; port number = P1; source IP address = IP1 | Drop or forward |
Table 4: ACL3
In addition, the lifetime of ACL3 can be set to LEARN_TIME (default 5 seconds). ACL3 is thus a temporary access control list with a very short lifetime. When the access device has learned an IP address of a client and the neighbor learning function started for this IP address has not yet finished, the access device does not yet know whether the client's use of this IP address is legitimate. ACL3 is used at this point so that all packets received from the client during this period are dropped or temporarily forwarded, which prevents an excessive number of packets from causing an impact.
Step 309: The source address learning module starts the ARP or ND neighbor address learning function to probe whether the real address of the client that sent the packet with source IP address IP1 is IP1. If it is, this client is the actual user of IP1 and has not forged the source address. The source address learning module fills IP1 into the user information table and sets the state of the entry to SOURCELEARNED, indicating that the IP address of this client (IP1) has been learned. Table 5 shows the user information table after the IP address has been learned.
| User name | IPv4 address | IPv6 link-local address | IPv6 global address | MAC address | VLAN ID | Port number | State |
|---|---|---|---|---|---|---|---|
| Client 1 | IP1 | | | LA1 | VLAN1 | P1 | SOURCELEARNED |
Table 5: User information table after the IP address is learned
This embodiment takes an IPv4 address as the example IP address of client 1; the present invention applies equally to IPv6 addresses.
Step 310: Based on the user information table after the IP address was learned in step 309, the CPU sets ACL4, delivers ACL4 to the forwarding processor, and places ACL4 before the previously delivered ACL1. After ACL4 is delivered, if ACL2 and ACL3 are also present in the forwarding processor, ACL2 and ACL3 can be deleted.
The content of ACL4 is shown in Table 6:
| Match content | Action |
|---|---|
| Source MAC = LA1; VLAN ID = VLAN1; port number = P1; source IP address = IP1 | Forward |
Table 6: ACL4
After this step is completed, the current flow ends.
Subsequently, after the access device receives a packet from the client, the forwarding processor first matches the packet against ACL4. If the relevant information of the packet satisfies the match content of ACL4, the packet is legitimate and is forwarded directly; if not, the packet is then matched against ACL1.
Step 311 (continuing from step 304: when the CPU receives a packet whose source address is IP1 and IP1 is present in the user information table, the source address learning module has previously learned that the IP address of some client is IP1): The CPU determines whether the actual access port number, VLAN ID, MAC address, and other information of this packet are consistent with the port number, VLAN ID, MAC address, and other information corresponding to IP1 in the user information table. If they are consistent, IP1 has been learned and the client that sent this packet has not forged the source address, so go to step 312. If they are inconsistent, IP1 has been learned but the client that sent this packet has forged the source address, so go to step 313.
Step 312: The CPU delivers the packet to the forwarding processor, which forwards it. After this step is completed, the current flow ends.
Step 313: The CPU drops the packet, delivers ACL2' to the forwarding processor, and places ACL2' before the previously delivered ACL1. The content of ACL2' is shown in Table 7:
| Match content | Action |
|---|---|
| Source MAC = LA1; VLAN ID = VLAN1; port number = P1; source IP address = IP1 | Drop |
Table 7: ACL2'
Subsequently, when the access device receives a packet from client 1, the forwarding processor first matches the packet against ACL2'. If the relevant information of the packet satisfies the match content of ACL2', client 1 has forged the IP address and the packet is dropped directly.
In the above process, the packets sent by the client refer to the first IP packet after authentication is passed, and also include ARP/ND packets and the like; parsing these packets to obtain the source IP address is done according to the existing relevant protocol standards.
Through the above process, the access device achieves IP-address-based access control of the client. During neighbor learning, because it has not yet been determined whether the client forged the source address, the access device can use a temporary ACL (ACL3) to temporarily forward or drop packets from the client, thereby avoiding a data surge. In addition, with the learned IP addresses, the access device can conveniently inspect and manage clients by IP address, including filtering by IP address; likewise, a gateway server in the network can use the IP addresses learned by the access device to inspect, manage, and authorize the accessing users by IP address.
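The ACL ordering and lifetimes in steps 301 to 313 are easier to follow when traced on concrete packets. The following Python model is an added example, not part of the patent text or of any vendor implementation. Its assumptions: the result strings, the `neighbor_reply` method standing in for the ARP/ND probe result, the `ip_is_legal` hook standing in for the step 306 server check, the drop action chosen for ACL2, the lifetime given to ACL2', and keying ACL2' on the physical information of the sender whose packet failed the step 311 comparison.

```python
from dataclasses import dataclass

LEARN_TIME = 5          # default ACL3 lifetime in seconds (from the description)
SOURCE_DENYTIME = 300   # default ACL2 lifetime, 5 minutes (from the description)

@dataclass(frozen=True)
class Packet:
    mac: str
    vlan: str
    port: str
    src_ip: str

@dataclass
class Acl:
    name: str
    phys: tuple             # (mac, vlan, port) the packet must carry
    src_ip: object          # None matches any source IP (ACL1)
    action: str             # "to_cpu", "forward" or "drop"
    expires: object = None  # absolute expiry time; None means no lifetime

    def matches(self, pkt, now):
        live = self.expires is None or now < self.expires
        return (live and self.phys == (pkt.mac, pkt.vlan, pkt.port)
                and self.src_ip in (None, pkt.src_ip))

class AccessDevice:
    def __init__(self, temp_action="drop", ip_is_legal=lambda ip: True):
        self.table = {}     # client name -> {"phys", "ips", "state"}
        self.acls = []      # forwarding-processor ACLs, matched first to last
        self.pending = {}   # src_ip -> physical info awaiting the probe result
        self.temp_action = temp_action  # ACL3 action: "drop" or "forward"
        self.ip_is_legal = ip_is_legal  # hypothetical hook for the step 306 check

    def _install(self, name, phys, ip, action, ttl=None, now=0.0):
        acl = Acl(name, phys, ip, action, None if ttl is None else now + ttl)
        # ACL1 (no source IP) goes last; ACL2/ACL3/ACL4 are placed before ACL1
        self.acls.insert(len(self.acls) if ip is None else 0, acl)

    def authenticate(self, name, mac, vlan, port):
        """Steps 301-302: bind physical info, set state AUTH, install ACL1."""
        phys = (mac, vlan, port)
        self.table[name] = {"phys": phys, "ips": set(), "state": "AUTH"}
        self._install("ACL1", phys, None, "to_cpu")

    def receive(self, pkt, now):
        """Forwarding processor: apply the first unexpired ACL that matches."""
        for acl in self.acls:
            if acl.matches(pkt, now):
                if acl.action == "to_cpu":
                    return self._cpu(pkt, now)
                return f"{acl.action}:{acl.name}"
        return "drop:no-acl"  # assumption: unauthenticated senders match nothing

    def _cpu(self, pkt, now):
        phys = (pkt.mac, pkt.vlan, pkt.port)
        owner = next((e for e in self.table.values() if pkt.src_ip in e["ips"]), None)
        if owner is not None:                        # step 311: IP already learned
            if owner["phys"] == phys:
                return "forward:cpu"                 # step 312
            self._install("ACL2'", phys, pkt.src_ip, "drop", SOURCE_DENYTIME, now)
            return "drop:spoofed"                    # step 313
        if not self.ip_is_legal(pkt.src_ip):         # steps 305-307
            self._install("ACL2", phys, pkt.src_ip, "drop", SOURCE_DENYTIME, now)
            return "drop:illegal-ip"
        self._install("ACL3", phys, pkt.src_ip, self.temp_action, LEARN_TIME, now)
        self.pending[pkt.src_ip] = phys              # step 309 probe outstanding
        return f"{self.temp_action}:learning"        # step 308

    def neighbor_reply(self, ip, mac, now):
        """Steps 309-310: `mac` answered the ARP/ND probe for `ip` (None: nobody)."""
        phys = self.pending.pop(ip, None)
        if phys is None:
            return "ignored"
        self.acls = [a for a in self.acls if (a.phys, a.src_ip) != (phys, ip)]
        if mac != phys[0]:                           # step 203: no correspondence
            self._install("ACL2", phys, ip, "drop", SOURCE_DENYTIME, now)
            return "denied"
        entry = next(e for e in self.table.values() if e["phys"] == phys)
        entry["ips"].add(ip)
        entry["state"] = "SOURCELEARNED"
        self._install("ACL4", phys, ip, "forward", now=now)
        return "learned"

def demo():
    """Constructed scenario: client 2 forges IP1 after client 1 has been learned."""
    dev = AccessDevice()
    dev.authenticate("client1", "LA1", "VLAN1", "P1")
    dev.authenticate("client2", "LA2", "VLAN1", "P2")
    good = Packet("LA1", "VLAN1", "P1", "IP1")
    forged = Packet("LA2", "VLAN1", "P2", "IP1")
    return [
        dev.receive(good, 0.0),                  # learning starts, ACL3 installed
        dev.receive(good, 1.0),                  # matched by temporary ACL3
        dev.neighbor_reply("IP1", "LA1", 2.0),   # probe confirms LA1 owns IP1
        dev.receive(good, 3.0),                  # matched by ACL4
        dev.receive(forged, 4.0),                # CPU sees the mismatch (step 313)
        dev.receive(forged, 5.0),                # matched by ACL2'
    ]
```

Only the first packet of each new (client, IP) pair and packets that fail the step 311 comparison reach the CPU in this model; everything else is decided in the forwarding processor by ACL3, ACL4, ACL2 or ACL2'.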
The present invention also proposes an access device. Referring to Fig. 4, which is a schematic structural diagram of the access device in an embodiment of the present invention, the access device is connected to the client and comprises a CPU 410 and a forwarding processor 420, wherein the CPU 410 comprises a source address learning module 411 and an instruction sending module 412.
The source address learning module 411 can be used to learn the IP address of a client, and can further be used to learn, through the neighbor learning function, whether the physical address of the client and the IP address actually correspond.
The instruction sending module 412 can be used to send a first instruction to the forwarding processor 420 when the source address learning module 411 learns the IP address of the client, the first instruction being: temporarily forward or drop packets from the client. It can further be used to send a second instruction to the forwarding processor 420 when the source address learning module 411 learns that the physical address of the client and the IP address actually correspond, the second instruction being: forward packets from the client.
The forwarding processor 420 can be used to temporarily forward or drop packets from the client according to the first instruction, and can further be used to forward packets from the client according to the second instruction.
The instruction sending module 412 can further be used to send a third instruction to the forwarding processor 420 when the source address learning module 411 learns that the physical address of the client and the IP address do not actually correspond, the third instruction being: drop packets from the client.
The forwarding processor can further be used to drop packets from the client according to the third instruction.
The source address learning module 411 can further be used to establish the client information table, which includes the physical information of the client, when the client passes authentication by the access device; the source address learning module learns the IP address of the client from the client's packets sent up by the forwarding processor.
The instruction sending module 412 can further be used, before the source address learning module learns the IP address of the client, to set ACL1 according to the client information table and deliver ACL1 to the forwarding processor; ACL1 is: send packets that satisfy the client's physical information up to the source address learning module.
The forwarding processor 420 is further used to send packets that satisfy the client's physical information up to the source address learning module 411 according to ACL1.
The first instruction sent by the instruction sending module 412 comprises ACL3, and the instruction sending module 412 also sets the lifetime of ACL3; ACL3 is: forward or drop packets that satisfy the client's physical information and IP address.
The forwarding processor 420 can, within the lifetime of ACL3, forward or drop packets that satisfy the client's physical information and IP address according to ACL3.
The second instruction sent by the instruction sending module 412 comprises ACL4; ACL4 is: forward packets that satisfy the client's physical information and IP address.
The forwarding processor 420 can forward packets that satisfy the client's physical information and IP address according to ACL4.
The third instruction sent by the instruction sending module 412 comprises ACL2; ACL2 is: drop packets that satisfy the client's physical information and IP address.
The forwarding processor 420 can drop packets that satisfy the client's physical information and IP address according to ACL2.
In summary, the access method and access device proposed by the present invention can conveniently obtain multiple IP addresses of a client and apply access control to the client based on IP address, effectively preventing forged-source-address attacks by the client. The present invention implements packet forwarding handling through a series of ACLs; while the IP address is being obtained, a data surge can be avoided through ACL rules. The present invention can be implemented at the access layer, and also in other scenarios in the network that need to monitor users' source IP addresses, such as the aggregation layer.
The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (15)

1. An access method, applied to an access authentication system comprising a client and an access device, characterized in that the method comprises:
when the access device learns the IP address of the client, starting a neighbor learning function and, while neighbor learning is in progress, temporarily forwarding or dropping packets from the client;
when the access device learns, through the neighbor learning function, that the physical information of the client and the IP address actually correspond, forwarding packets from the client and allowing the client access.
2. The method according to claim 1, characterized in that the method further comprises:
when the access device learns, through the neighbor learning function, that the physical address of the client and the IP address do not actually correspond, dropping packets from the client and not allowing the client access.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
after a new IP address is configured on the client, the access device re-executes the step of learning the IP address of the client.
4. The method according to claim 2, characterized in that the access device comprises a CPU and a forwarding processor, and a source address learning module is provided in the CPU;
before the access device learns the IP address of the client, the method further comprises:
when the client passes authentication by the access device, the source address learning module establishes a client information table, the client information table including the physical information of the client;
the CPU sets ACL1 according to the client information table and delivers ACL1 to the forwarding processor; ACL1 is: send packets that satisfy the client's physical information up to the CPU;
the forwarding processor receives a packet, matches the packet against ACL1, and when the match succeeds, sends the packet from the client up to the CPU.
5. The method according to claim 4, characterized in that the process in which the access device learns the IP address of the client and starts the neighbor learning function comprises: the CPU receives the packet from the client sent up by the forwarding processor, and the source address learning module extracts the IP address of the client from the packet; when this IP address is not present in the client information table, the neighbor learning function is started;
the manner of temporarily forwarding or dropping packets from the client while neighbor learning is in progress is:
the CPU sets ACL3 according to the client information table, sets the lifetime of ACL3, and delivers ACL3 to the forwarding processor; ACL3 is: forward or drop packets that satisfy the client's physical information and IP address;
when the forwarding processor receives a packet from the client within the lifetime, it matches the packet against ACL3, and when the match succeeds, forwards or drops the packet from the client.
6. The method according to claim 5, characterized in that, when the access device learns that the physical information of the client and the IP address actually correspond, it further fills the IP address of the client into the client information table, and the filled client information table includes the correspondence between the physical information of the client and the IP address.
7. The method according to claim 6, characterized in that the manner in which the access device forwards packets from the client is:
the CPU sets ACL4 according to the filled client information table and delivers ACL4 to the forwarding processor; ACL4 is: forward packets that satisfy the client's physical information and IP address;
when the forwarding processor receives a packet from the client, it matches the packet against ACL4, and when the match succeeds, forwards the packet from the client.
8. The method according to claim 6, characterized in that the process in which the access device learns, through the neighbor learning function, that the physical address of the client and the IP address do not actually correspond comprises:
after the source address learning module learns the IP address of the client, it looks up the filled client information table and determines whether the physical information corresponding to the IP address is the same as the actual physical information of the client; if they are not the same, the physical information of the client and the IP address do not actually correspond.
9. The method according to claim 8, characterized in that the step in which the access device drops packets from the client when it learns that the physical address of the client and the IP address do not actually correspond comprises:
the CPU sets ACL2 according to the client information table and delivers ACL2 to the forwarding processor; ACL2 is: drop packets that satisfy the client's physical information and IP address;
the forwarding processor receives a packet, matches the packet against ACL2, and when the match succeeds, drops the packet from the client.
10. an access device is characterized in that, described access device comprises CPU and forwarding processor, and wherein CPU comprises source address study module and instruction sending module;
Described source address study module, the IP address that is used to learn client; Also be used to adopt neighbours' learning functionality, whether the physical address and the IP address of study client exist actual corresponding relation;
Described instruction sending module is used for when the source address study module is learnt the IP address of client, sends first instruction to forwarding processor, and described first instruction is: will temporarily transmit or abandon from the message of described client; Also be used for learning the physical address of client and IP address when having actual corresponding relation when the source address study module, send second indication to forwarding processor, described second is designated as: will transmit from the message of described client;
Described forwarding processor is used for will temporarily transmitting or abandoning from the message of client according to described first indication; Also be used for to transmit from the message of described client according to described second indication.
11. The access device according to claim 10, characterized in that the instruction sending module is also used to send a third instruction to the forwarding processor when the source address learning module learns that no actual correspondence exists between the client's physical address and IP address, the third instruction being: discard messages from the client;
The forwarding processor is also used to discard messages from the client according to the third instruction.
12. The access device according to claim 10 or 11, characterized in that
The source address learning module is also used to establish a client information table, containing the physical information of the client, when the client passes authentication at the access device; the source address learning module learns the IP address of the client from the client's messages sent up by the forwarding processor;
The instruction sending module is also used to set ACL1 according to the client information table, before the source address learning module learns the IP address of the client, and to issue ACL1 to the forwarding processor; ACL1 is: send messages that match the client's physical information up to the source address learning module;
The forwarding processor is also used to send messages that match the client's physical information up to the source address learning module according to ACL1.
13. The access device according to claim 10, characterized in that the first instruction sent by the instruction sending module comprises ACL3, and the instruction sending module also sets a survival time for ACL3;
ACL3 is: forward or discard messages that match the client's physical information and IP address;
The forwarding processor is used to forward or discard, according to ACL3 and within the survival time of ACL3, messages that match the client's physical information and IP address.
14. The access device according to claim 10, characterized in that the second instruction sent by the instruction sending module comprises ACL4;
ACL4 is: forward messages that match the client's physical information and IP address;
The forwarding processor is used to forward messages that match the client's physical information and IP address according to ACL4.
15. The access device according to claim 11, characterized in that the third instruction sent by the instruction sending module comprises ACL2;
ACL2 is: discard messages that match the client's physical information and IP address;
The forwarding processor is used to discard messages that match the client's physical information and IP address according to ACL2.
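The ACL1 to ACL4 sequence of claims 10 to 15, modelled as an added Python sketch that is not part of the patent text. The class and method names, the tuple return values, the dropping of unauthenticated senders and the re-learning after ACL3 expires are assumptions; all addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class AccessDevice:
    """Toy model of the claimed CPU + forwarding processor (illustrative names)."""
    acl3_ttl: float = 2.0          # survival time of ACL3 in seconds (constructed)
    temp_action: str = "drop"      # claim 13 permits "forward" or "drop" here
    clients: dict = field(default_factory=dict)  # client table: MAC -> learned IP
    acls: dict = field(default_factory=dict)     # (MAC, IP) -> (name, action, expiry)

    def authenticate(self, mac):
        """Client passed authentication: record its MAC; ACL1 now punts its traffic."""
        self.clients[mac] = None

    def neighbour_result(self, mac, ip, answering_mac):
        """CPU verdict after neighbour learning: which MAC actually answered for ip."""
        if answering_mac == mac:
            self.acls[(mac, ip)] = ("ACL4", "forward", None)   # binding is real
        else:
            self.acls[(mac, ip)] = ("ACL2", "drop", None)      # spoofed source IP

    def receive(self, mac, ip, now):
        """Forwarding-processor decision for one message; returns (acl, action)."""
        entry = self.acls.get((mac, ip))
        if entry:
            name, action, expiry = entry
            if expiry is None or now < expiry:
                return name, action
            del self.acls[(mac, ip)]   # assumption: an expired ACL3 is re-learned
        if mac not in self.clients:
            return "none", "drop"      # assumption: unauthenticated senders are dropped
        self.clients[mac] = ip         # ACL1 hit: CPU learns the source IP ...
        self.acls[(mac, ip)] = ("ACL3", self.temp_action, now + self.acl3_ttl)
        return "ACL1", "punt"          # ... and installs the temporary ACL3

def demo():
    """Constructed trace: one honest binding, one spoofed source address."""
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # constructed MACs
    dev = AccessDevice()
    dev.authenticate(a)
    trace = [dev.receive(a, "192.0.2.10", 0.0), dev.receive(a, "192.0.2.10", 0.5)]
    dev.neighbour_result(a, "192.0.2.10", a)           # a answered for its own IP
    trace.append(dev.receive(a, "192.0.2.10", 1.0))
    dev.receive(a, "192.0.2.20", 1.0)                  # a now claims b's address
    dev.neighbour_result(a, "192.0.2.20", b)           # b answered instead
    trace.append(dev.receive(a, "192.0.2.20", 1.5))
    return trace
```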
CN201010103795.0A 2010-01-22 2010-01-22 Access method and equipment Active CN102136985B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010103795.0A CN102136985B (en) 2010-01-22 2010-01-22 Access method and equipment

Publications (2)

Publication Number Publication Date
CN102136985A true CN102136985A (en) 2011-07-27
CN102136985B CN102136985B (en) 2014-04-16

Family

ID=44296645

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010103795.0A Active CN102136985B (en) 2010-01-22 2010-01-22 Access method and equipment

Country Status (1)

Country Link
CN (1) CN102136985B (en)

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030169713A1 (en) * 2001-12-12 2003-09-11 Hui Luo Zero-configuration secure mobility networking technique with web-base authentication interface for large WLAN networks
CN1630256A (en) * 2003-12-16 2005-06-22 华为技术有限公司 A realizing method for preventing IP address embezzlement during connection to Internet
US20060114872A1 (en) * 2004-12-01 2006-06-01 Canon Kabushiki Kaisha Wireless control apparatus, system, control method, and program
CN1829190A (en) * 2005-03-01 2006-09-06 杭州华为三康技术有限公司 Distributed ARP realizing method
CN1929483A (en) * 2006-09-19 2007-03-14 清华大学 Admittance control method for IPv6 switch-in network true source address access
CN101212398A (en) * 2006-12-29 2008-07-02 王立刚 Access system and method
CN101309197A (en) * 2007-05-18 2008-11-19 华为技术有限公司 Network system and access node apparatus, IP edge apparatus and access control method
CN101345743A (en) * 2007-07-09 2009-01-14 福建星网锐捷网络有限公司 Method and system for preventing network attack by utilizing address analysis protocol
CN101370019A (en) * 2008-09-26 2009-02-18 北京星网锐捷网络技术有限公司 Method and switchboard for preventing packet cheating attack of address analysis protocol
CN101621525A (en) * 2009-08-05 2010-01-06 杭州华三通信技术有限公司 Method and equipment for treating legal entries
CN101635628A (en) * 2009-08-28 2010-01-27 杭州华三通信技术有限公司 Method and device for preventing ARP attacks

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017219322A1 (en) * 2016-06-23 2017-12-28 华为技术有限公司 Visible light communication access method, apparatus, device, and system
US10623098B2 (en) 2016-06-23 2020-04-14 Huawei Technologies Co., Ltd. Access method, apparatus, device, and system for visible light communication
CN106254269A (en) * 2016-08-18 2016-12-21 杭州迪普科技有限公司 A kind of message forwarding method and device
CN106254269B (en) * 2016-08-18 2019-08-06 杭州迪普科技股份有限公司 A kind of message forwarding method and device
CN106842915A (en) * 2016-12-22 2017-06-13 首都师范大学 A kind of formal modeling method and device for robot distributed control system

Also Published As

Publication number Publication date
CN102136985B (en) 2014-04-16

Similar Documents

Publication Publication Date Title
CN101127600B (en) A method for user access authentication
CN101635628B (en) Method and device for preventing ARP attacks
CN102244651B (en) Method for preventing attack of illegal neighbor discovery protocol message and access equipment
CN102255918A (en) DHCP (Dynamic Host Configuration Protocol) Option 82 based user accessing authority control method
CA2419853A1 (en) Location-independent packet routing and secure access in a short-range wireless networking environment
CN106376003A (en) Method and device for detecting wireless local area network connection and wireless local area network data transmission
CN102437946B (en) Access control method, network access server (NAS) equipment and authentication server
CN102946385B (en) A kind of preventing forges the method and apparatus discharging message and carry out attacking
CN102404346A (en) Method and system for controlling access right of internet users
CN104618522B (en) The method and Ethernet access equipment that IP address of terminal automatically updates
CN101808097B (en) Method and equipment for preventing ARP attack
KR20130005973A (en) A network security system and network security method
CN102571811A (en) User access authority control system and method thereof
CN112910863A (en) Network tracing method and system
JP2002124952A (en) Approval method and system of wireless terminal in wireless network
CN114422474A (en) User IPv6 address generation method based on RADIUS server
CN104581977B (en) WLAN user management method, apparatus and system
US20110055571A1 (en) Method and system for preventing lower-layer level attacks in a network
CN102136985B (en) Access method and equipment
CN105188057B (en) A kind of method and system for improving network access authentication safety
CN102447709A (en) Access authority control method and system based on DHCP (Dynamic host configuration protocol) and 802.1x
KR100856918B1 (en) Method for IP address authentication in IPv6 network, and IPv6 network system
CN102447710B (en) A kind of access privilege control method and system
CN101945053A (en) Method and device for transmitting message
CN106330654B (en) A kind of radio data transmission method between virtual LAN based on WPA2-PSK

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: New H3C Technologies Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Hangzhou H3C Technologies Co., Ltd.