CN102136985B - Access method and equipment - Google Patents

Publication number: CN102136985B
Authority: CN (China)
Prior art keywords: client, address, message, access device, forwarding processor
Legal status: Active
Application number: CN201010103795.0A
Other languages: Chinese (zh)
Other versions: CN102136985A (en)
Inventor: 林涛
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd

Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201010103795.0A
Publication of CN102136985A
Application granted
Publication of CN102136985B

Abstract

The invention provides an access method and equipment. The method comprises: when the access device learns an IP address of a client, starting a neighbor learning function, and temporarily forwarding or discarding messages from the client while neighbor learning is in progress; and when the access device learns, by means of the neighbor learning function, that the physical information of the client and the IP address actually correspond, forwarding messages from the client and allowing the client to access. With the invention, access control on the client can be performed based on the IP address, and forged source address attacks can be prevented.

Description

An access method and access device
Technical field
The present invention relates to the field of access authentication technology, and in particular to an access method and an access device.
Background
In existing IPv4/IPv6 networking, the 802.1X protocol is simply used to provide access authentication for clients. Fig. 1 is a schematic structural diagram of an existing 802.1X authentication system, which comprises a client, an access device and an authentication server. The client must support the Extensible Authentication Protocol over LAN (EAPoL). The access device is a network device located at one end of the local area network that authenticates the clients connected to it; it usually supports the 802.1X protocol and provides the client with a port for accessing the LAN. The authentication server is the entity that provides the authentication service to the access device and implements authentication, authorization and accounting for the client; it is generally a Remote Authentication Dial-In User Service (RADIUS) server.
In existing IPv4/IPv6 networking, some deployments use the 802.1X authentication protocol for access authentication. This approach can authenticate and control clients only on the basis of port information: the network administrator cannot learn the IPv4/IPv6 address of an accessing client and cannot use that address to perform access control on the client.
In IPv4/IPv6 networking that does not use the 802.1X authentication protocol for access authentication, the access device wants to authenticate the source IP address of the accessing user so that it can monitor all forwarded messages and block attacks that forge the source IP address. The precondition for this authentication mode is that the access device can obtain the client's IP address, which requires the network to assign client IP addresses using the Dynamic Host Configuration Protocol (DHCP). In practical IPv4/IPv6 networking, however, many client IP addresses are not assigned by DHCP. For these clients the access device cannot obtain the IP address and therefore cannot perform access control on the client based on IP address.
In summary, the prior art cannot perform access control on clients based on IP address so as to prevent forged source address attacks.
Summary of the invention
The present invention proposes an access method for performing access control on a client based on its IP address, so as to prevent forged source address attacks.
The present invention also proposes an access device for performing access control on a client based on its IP address, so as to prevent forged source address attacks.
The technical solution of the present invention is implemented as follows:
An access method, comprising:
When the access device learns the IP address of a client, starting a neighbor learning function, and temporarily forwarding or discarding messages from the client during neighbor learning;
When the access device learns, using the neighbor learning function, that the physical information of the client and the IP address actually correspond, forwarding messages from the client and allowing the client to access.
An access device, comprising a CPU and a forwarding processor, wherein the CPU comprises a source address learning module and an instruction sending module;
The source address learning module is configured to learn the IP address of a client, and is further configured to use the neighbor learning function to learn whether the physical address of the client and the IP address actually correspond;
The instruction sending module is configured to send a first instruction to the forwarding processor when the source address learning module learns the IP address of the client, the first instruction being: temporarily forward or discard messages from the client; and is further configured to send a second instruction to the forwarding processor when the source address learning module learns that the physical address of the client and the IP address actually correspond, the second instruction being: forward messages from the client;
The forwarding processor is configured to temporarily forward or discard messages from the client according to the first instruction, and to forward messages from the client according to the second instruction.
As can be seen, the method and access device proposed by the present invention can conveniently obtain multiple IP addresses of a client and perform access control on the client based on IP address, thereby effectively preventing the client from carrying out forged source address attacks. In addition, during neighbor learning, when the access device has not yet determined whether the client has forged its IP address, messages from the client can be temporarily forwarded or discarded, avoiding the impact of the data.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of an existing 802.1X authentication system;
Fig. 2 is a flow chart of the access method of the present invention;
Fig. 3 is a flow chart of the access method in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the access device in an embodiment of the present invention.
Embodiments
The present invention proposes an access method applied to an access authentication system such as the one shown in Fig. 1. The invention mainly improves the access device in that system so as to implement IP-address-based access control of clients. The access device and its functions are described in detail in the specific embodiments below.
Referring to Fig. 2, which is a flow chart of the access method of the present invention, the method comprises:
Step 201: When the access device learns the IP address of a client, it starts a neighbor learning function and, during neighbor learning, temporarily forwards or discards messages from the client;
Step 202: When the access device learns, using the neighbor learning function, that the physical information of the client and the IP address actually correspond, it forwards messages from the client and allows the client to access.
The above method may further comprise:
Step 203: When the access device learns, using the neighbor learning function, that the physical address of the client and the IP address do not actually correspond, it discards messages from the client and does not allow the client to access.
In the above process, the forwarding and discarding of messages is implemented by generating a series of access control lists (ACLs) in the access device and applying them.
The access device comprises a CPU and a forwarding processor. To implement the above flow, the access device of the present invention provides a source address learning module in the CPU, which learns the IP address of the client and performs the neighbor learning function. A specific embodiment is described in detail below:
Referring to Fig. 3, which is a flow chart of the access method in an embodiment of the present invention. In this embodiment, the access method proposed by the present invention is illustrated in combination with the existing 802.1X authentication protocol (the invention can of course also be combined with other authentication protocols, such as PORTAL or MAC address authentication, or used without any existing authentication protocol). The embodiment comprises:
Step 301: The access device receives a message from client 1. After client 1 passes 802.1X authentication, the source address learning module in the CPU of the access device binds the physical information of client 1 (one or more of the access port number, VLAN ID and MAC address) to the name of client 1, forming an entry in the client information table. The state of this entry is set to AUTH, indicating that the access device has completed access authentication of client 1 but has not yet learned the IP address of client 1. Table 1 shows the initial client information table that the source address learning module sets up after client 1 passes access authentication.

| Client name | IPv4 address | IPv6 link-local address | IPv6 global address | MAC address | VLAN ID | Port number | State |
|---|---|---|---|---|---|---|---|
| Client 1 | | | | LA1 | VLAN1 | P1 | AUTH |
| Client 2 | | | | | | | |

Table 1: Initial client information table
Step 302: Based on the client information table in Table 1, the CPU configures ACL1 and issues it to the forwarding processor. The content of ACL1 is shown in Table 2:

| Match content | Action |
|---|---|
| Source MAC = LA1; VLAN ID = VLAN1; Port number = P1 | Send up to CPU |

Table 2: ACL1
ACL1 means that the forwarding processor must send every message that satisfies this match content, that is, every message from client 1, up to the CPU.
Step 303: The forwarding processor in the access device receives a message. When the message satisfies the match content of ACL1, that is, when it comes from client 1, the forwarding processor performs the action of ACL1 and sends the message up to the CPU.
The purpose of steps 302 and 303 is that, after client 1 passes authentication, the messages sent by client 1 are sent up to the CPU so that the source address learning module in the CPU can learn the IP address of client 1.
Step 304: The CPU receives the message. The source address learning module in the CPU extracts the source address IP1 of the message (that is, the IP address of the client that sent it), looks up the user information table shown in Table 1, and determines whether IP1 exists in the client information table. If it does not exist, go to step 305; if it exists, go to step 311.
Step 305: Determine whether IP address verification needs to be performed for this client. If so, go to step 306; if not, go to step 308.
Step 306: The access device communicates with the server through the authentication protocol and checks the legitimacy of IP1. If it is illegitimate, go to step 307; if it is legitimate, go to step 308.
Step 307: Based on the client information table and the source address IP1 extracted in step 304, the CPU configures ACL2 and issues it to the forwarding processor, placing ACL2 before the previously issued ACL1. The content of ACL2 is shown in Table 3:

| Match content | Action |
|---|---|
| Source MAC = LA1; VLAN ID = VLAN1; Port number = P1; Source IP address = IP1 | Discard or forward |

Table 3: ACL2
After this step completes, the current flow ends.
In addition, the survival time of ACL2 can be set to SOURCE_DENYTIME (5 minutes by default) to avoid occupying excessive resources.
Subsequently, after the access device receives a message from client 1, the forwarding processor first matches the message against ACL2. If the relevant information of the message satisfies the match content of ACL2, the message is illegitimate and is directly discarded or forwarded (an illegitimate message may still be forwarded here because the neighbor address learning function has not yet been started to determine that client 1 has forged the IP address, so messages from client 1 can be forwarded temporarily). If it does not, the message is then matched against ACL1, after which the flow of this embodiment ends.
Step 308: Based on the user information table and the source address IP1 extracted in step 304, the CPU configures ACL3 and issues it to the forwarding processor, placing ACL3 before the previously issued ACL1. The neighbor learning function is started immediately, and step 309 is performed at the same time.
The content of ACL3 is shown in Table 4:

| Match content | Action |
|---|---|
| Source MAC = LA1; VLAN ID = VLAN1; Port number = P1; Source IP address = IP1 | Discard or forward |

Table 4: ACL3
In addition, the survival time of ACL3 can be set to LEARN_TIME (5 seconds by default). ACL3 is thus a temporary access control list with a very short survival time. When the access device has learned the IP address of a client but the neighbor learning function has not yet been started for this IP address, the access device does not yet know whether the client's use of this IP address is legitimate. During this period ACL3 is used to discard or temporarily forward all messages received from the client, which prevents an excessive number of messages from causing an impact.
Step 309: The source address learning module starts the ARP or ND neighbor address learning function to probe whether the true address of the client that sent the message with source IP address IP1 is IP1. If so, this client is indeed the user of IP1 and has not forged the source address. The source address learning module fills IP1 into the user information table and sets the state of the entry to SOURCELEARNED, indicating that the IP address of this client (IP1) has been learned. Table 5 shows the user information table after the IP address has been learned.

| User name | IPv4 address | IPv6 link-local address | IPv6 global address | MAC address | VLAN ID | Port number | State |
|---|---|---|---|---|---|---|---|
| Client 1 | IP1 | | | LA1 | VLAN1 | P1 | SOURCELEARNED |

Table 5: User information table after the IP address has been learned
This embodiment uses an IPv4 address as the example IP address of client 1; the invention applies equally to IPv6 addresses.
Step 310: Based on the user information table updated with the IP address learned in step 309, the CPU configures ACL4 and issues it to the forwarding processor, placing ACL4 before the previously issued ACL1. After ACL4 is issued, if ACL2 and ACL3 also exist in the forwarding processor, they can be deleted.
The content of ACL4 is shown in Table 6:

| Match content | Action |
|---|---|
| Source MAC = LA1; VLAN ID = VLAN1; Port number = P1; Source IP address = IP1 | Forward |

Table 6: ACL4
After this step completes, the current flow ends.
Subsequently, after the access device receives a message from the client, the forwarding processor first matches the message against ACL4. If the relevant information of the message satisfies the match content of ACL4, the message is legitimate and is forwarded directly; if not, the message is then matched against ACL1.
Step 311: (Continuing from step 304: when the CPU receives a message whose source address is IP1 and IP1 exists in the user information table, the source address learning module has previously learned that the IP address of some client is IP1.) The CPU determines whether the actual access port number, VLAN ID, MAC address and other information of the message are consistent with the port number, VLAN ID, MAC address and other information corresponding to IP1 in the user information table. If they are consistent, IP1 has been learned and the client that sent the message has not forged the source address; go to step 312. If they are inconsistent, IP1 has been learned but the client that sent the message has forged the source address; go to step 313.
Step 312: The CPU sends the message down to the forwarding processor, which forwards it. After this step completes, the current flow ends.
Step 313: The CPU discards the message and issues ACL2' to the forwarding processor, placing ACL2' before the previously issued ACL1. The content of ACL2' is shown in Table 7:

| Match content | Action |
|---|---|
| Source MAC = LA1; VLAN ID = VLAN1; Port number = P1; Source IP address = IP1 | Discard |

Table 7: ACL2'
Subsequently, when the access device receives a message from client 1, the forwarding processor first matches it against ACL2'. If the relevant information of the message satisfies the match content of ACL2', client 1 has forged the IP address and the message is discarded directly.
In the above process, the messages sent by the client are the first IP message after authentication is passed, and also include messages such as ARP/ND. Parsing these messages to obtain the source IP address is done according to the existing relevant protocol standards.
Through the above process, the access device completes IP-address-based access control of the client. While neighbor learning is in progress and it has not yet been determined whether the client has forged its source address, the access device can use a temporary ACL (ACL3) to temporarily forward or discard messages from the client, thereby avoiding the impact of the data. In addition, using the learned IP addresses, the access device can conveniently check and manage clients by IP address, including filtering by IP address. The gateway server in the network can likewise use the IP addresses learned by the access device to check, manage and authorize the IP addresses of accessing users.
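The flow in steps 301 to 313 can be read as a small state machine over an ordered rule list. The following is an added example, not code from the patent: a Python model in which `AccessDevice`, `Phys`, `neighbor_result` and the returned tuples are hypothetical names, the optional server check in steps 305 to 307 is omitted, and messages that match no rule are assumed to be dropped.

```python
"""Toy model of the ACL1/ACL3/ACL4/ACL2' flow (steps 301-313); names are illustrative."""
from dataclasses import dataclass
from typing import Optional

LEARN_TIME = 5.0  # default survival time of ACL3 in seconds, as stated in the text


@dataclass(frozen=True)
class Phys:
    """Physical information of a client: MAC address, VLAN ID, port number."""
    mac: str
    vlan: str
    port: str


@dataclass
class Acl:
    name: str
    phys: Phys
    src_ip: Optional[str]            # None matches any source IP (ACL1)
    action: str                      # "to_cpu", "forward" or "drop"
    expires: Optional[float] = None  # None means no survival time is set


class AccessDevice:
    def __init__(self, temp_action: str = "drop"):
        self.temp_action = temp_action  # ACL3 either forwards or drops; pick one
        self.state = {}     # Phys -> "AUTH" or "SOURCELEARNED"
        self.ip_owner = {}  # learned IP -> Phys (the client information table)
        self.acls = []      # forwarding processor rules; first match wins

    def authenticate(self, phys: Phys) -> None:
        """Steps 301-302: create the table entry and issue ACL1 (send up to CPU)."""
        self.state[phys] = "AUTH"
        self.acls.append(Acl("ACL1", phys, None, "to_cpu"))

    def _install(self, acl: Acl) -> None:
        """Place a rule before ACL1, replacing any older rule for the same key."""
        key = (acl.phys, acl.src_ip)
        self.acls = [a for a in self.acls
                     if a.src_ip is None or (a.phys, a.src_ip) != key]
        self.acls.insert(0, acl)

    def receive(self, phys: Phys, src_ip: str, now: float):
        """Forwarding processor: return (action, name of the deciding rule)."""
        self.acls = [a for a in self.acls if a.expires is None or a.expires > now]
        for acl in self.acls:
            if acl.phys == phys and acl.src_ip in (None, src_ip):
                if acl.action == "to_cpu":
                    return self._cpu(phys, src_ip, now)
                return acl.action, acl.name
        return "drop", "no-match"  # assumption: unauthenticated senders are dropped

    def _cpu(self, phys: Phys, src_ip: str, now: float):
        """Steps 304, 308 and 311-313; the optional check in 305-307 is omitted."""
        owner = self.ip_owner.get(src_ip)
        if owner is None:   # step 308: new IP, cover the learning window with ACL3
            self._install(Acl("ACL3", phys, src_ip, self.temp_action, now + LEARN_TIME))
            return self.temp_action, "ACL3"
        if owner == phys:   # step 312: binding matches the table
            return "forward", "CPU"
        self._install(Acl("ACL2'", phys, src_ip, "drop"))  # step 313: forged source
        return "drop", "ACL2'"

    def neighbor_result(self, phys: Phys, src_ip: str, replied: Optional[Phys]) -> str:
        """Steps 309-310 and 203: apply the ARP/ND probe outcome for src_ip."""
        if replied == phys:
            self.ip_owner[src_ip] = phys
            self.state[phys] = "SOURCELEARNED"
            self._install(Acl("ACL4", phys, src_ip, "forward"))
            return "ACL4"
        self._install(Acl("ACL2", phys, src_ip, "drop"))
        return "ACL2"


def run_constructed_scenario():
    """Constructed sample traffic: client 1 owns IP1, then client 2 spoofs it."""
    c1, c2 = Phys("LA1", "VLAN1", "P1"), Phys("LA2", "VLAN1", "P2")
    dev = AccessDevice(temp_action="drop")
    dev.authenticate(c1)
    dev.authenticate(c2)
    out = [dev.receive(c1, "IP1", now=0.0)]      # first message: CPU issues ACL3
    out.append(dev.receive(c1, "IP1", now=1.0))  # still learning: ACL3 decides
    dev.neighbor_result(c1, "IP1", replied=c1)   # probe confirms the binding
    out.append(dev.receive(c1, "IP1", now=2.0))  # ACL4 forwards
    out.append(dev.receive(c2, "IP1", now=3.0))  # forged source: CPU issues ACL2'
    out.append(dev.receive(c2, "IP1", now=4.0))  # ACL2' drops in the forwarding plane
    return out


if __name__ == "__main__":
    for step in run_constructed_scenario():
        print(step)
```

The model makes one property of the design visible: only the first message for a new (physical information, IP) pair reaches the CPU, and every later decision is taken by the forwarding processor until ACL3 expires.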
The present invention also proposes an access device. Referring to Fig. 4, which is a schematic structural diagram of the access device in an embodiment of the present invention, the access device is connected to the client and comprises a CPU 410 and a forwarding processor 420, wherein the CPU 410 comprises a source address learning module 411 and an instruction sending module 412;
The source address learning module 411 can be used to learn the IP address of the client, and can also be used to learn, using the neighbor learning function, whether the physical address of the client and the IP address actually correspond;
The instruction sending module 412 can be used to send a first instruction to the forwarding processor 420 when the source address learning module 411 learns the IP address of the client, the first instruction being: temporarily forward or discard messages from the client; it can also be used to send a second instruction to the forwarding processor 420 when the source address learning module 411 learns that the physical address of the client and the IP address actually correspond, the second instruction being: forward messages from the client;
The forwarding processor 420 can be used to temporarily forward or discard messages from the client according to the first instruction, and can also be used to forward messages from the client according to the second instruction.
The instruction sending module 412 can also be used to send a third instruction to the forwarding processor 420 when the source address learning module 411 learns that the physical address of the client and the IP address do not actually correspond, the third instruction being: discard messages from the client;
The forwarding processor can also be used to discard messages from the client according to the third instruction.
The source address learning module 411 can also be used to set up a client information table, containing the physical information of the client, when the client passes authentication by the access device; the source address learning module learns the IP address of the client from the client's messages sent up by the forwarding processor;
The instruction sending module 412 can also be used, before the source address learning module learns the IP address of the client, to configure ACL1 according to the client information table and issue ACL1 to the forwarding processor; ACL1 is: send messages that match the physical information of the client up to the source address learning module;
The forwarding processor 420 is also used to send messages that match the physical information of the client up to the source address learning module 411 according to ACL1.
The first instruction sent by the instruction sending module 412 comprises ACL3, and the instruction sending module 412 also sets the survival time of ACL3; ACL3 is: forward or discard messages that match the physical information and IP address of the client;
The forwarding processor 420 can, according to ACL3, forward or discard messages that match the physical information and IP address of the client within the survival time of ACL3.
The second instruction sent by the instruction sending module 412 comprises ACL4; ACL4 is: forward messages that match the physical information and IP address of the client;
The forwarding processor 420 can, according to ACL4, forward messages that match the physical information and IP address of the client.
The third instruction sent by the instruction sending module 412 comprises ACL2; ACL2 is: discard messages that match the physical information and IP address of the client;
The forwarding processor 420 can, according to ACL2, discard messages that match the physical information and IP address of the client.
In summary, the access method and access device proposed by the present invention can conveniently obtain multiple IP addresses of a client and perform access control on the client based on IP address, effectively preventing forged source address attacks by the client. The invention implements the handling of message transmission through a series of ACLs; while the IP address is being obtained, ACL rules avoid the impact of the data. The invention can be implemented at the access layer, and also in other scenarios in the network that need to monitor users' source IP addresses, such as the aggregation layer.
The foregoing describes only preferred embodiments of the present invention and is not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (13)

1. An access method, applied to an access authentication system comprising a client and an access device, characterized in that the method comprises:
When the access device learns the IP address of the client, starting a neighbor learning function, and temporarily forwarding or discarding messages from the client during neighbor learning;
When the access device learns, using the neighbor learning function, that the physical information of the client and the IP address actually correspond, forwarding messages from the client and allowing the client to access;
Wherein the access device comprises a CPU and a forwarding processor, and a source address learning module is provided in the CPU;
Before the access device learns the IP address of the client, the method further comprises:
When the client passes authentication by the access device, the source address learning module sets up a client information table, which contains the physical information of the client;
The CPU configures ACL1 according to the client information table and issues ACL1 to the forwarding processor; ACL1 is: send messages that match the physical information of the client up to the CPU;
The forwarding processor receives a message and matches it against ACL1; when the match succeeds, it sends the message from the client up to the CPU.
2. The method according to claim 1, characterized in that the method further comprises:
When the access device learns, using the neighbor learning function, that the physical information of the client and the IP address do not actually correspond, discarding messages from the client and not allowing the client to access.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
After a new IP address is configured on the client, the access device performs the step of learning the client's IP address again.
4. The method according to claim 1, characterized in that the process in which the access device learns the IP address of the client and starts the neighbor learning function comprises: the CPU receives the message from the client sent up by the forwarding processor, and the source address learning module extracts the IP address of the client from the message; when this IP address does not exist in the client information table, the neighbor learning function is started;
The manner of temporarily forwarding or discarding messages from the client during neighbor learning is:
The CPU configures ACL3 according to the client information table, sets the survival time of ACL3, and issues ACL3 to the forwarding processor; ACL3 is: forward or discard messages that match the physical information and IP address of the client;
When the forwarding processor receives a message from the client within the survival time, it matches the message against ACL3 and, when the match succeeds, forwards or discards the message from the client.
5. The method according to claim 4, characterized in that, when the access device learns that the physical information of the client and the IP address actually correspond, it further fills the IP address of the client into the client information table, so that the filled client information table contains the correspondence between the physical information and the IP address of the client.
6. The method according to claim 5, characterized in that the manner in which the access device forwards messages from the client is:
The CPU configures ACL4 according to the filled client information table and issues ACL4 to the forwarding processor; ACL4 is: forward messages that match the physical information and IP address of the client;
When the forwarding processor receives a message from the client, it matches the message against ACL4 and, when the match succeeds, forwards the message from the client.
7. The method according to claim 5, characterized in that the process in which the access device learns, using the neighbor learning function, that the physical information of the client and the IP address do not actually correspond comprises:
After learning the IP address of the client, the source address learning module looks up the filled client information table and determines whether the physical information corresponding to the IP address is the same as the actual physical information of the client; if not, the physical information of the client and the IP address do not actually correspond.
8. The method according to claim 7, characterized in that the step in which the access device discards messages from the client upon learning that the physical information of the client and the IP address do not actually correspond comprises:
The CPU configures ACL2 according to the client information table and issues ACL2 to the forwarding processor; ACL2 is: discard messages that match the physical information and IP address of the client;
The forwarding processor receives a message and matches it against ACL2; when the match succeeds, it discards the message from the client.
9. An access device, characterized in that the access device comprises a CPU and a forwarding processor, wherein the CPU comprises a source address learning module and an instruction sending module;
The source address learning module is configured to learn the IP address of a client and, when no IP address corresponding to the physical information of the client exists in the client information table, to use the neighbor learning function to learn whether the physical information of the client and the learned IP address actually correspond;
The instruction sending module is configured to send a first instruction to the forwarding processor when the source address learning module learns the IP address of the client, the first instruction being: temporarily forward or discard messages from the client; and is further configured to send a second instruction to the forwarding processor when the source address learning module learns that the physical information of the client and the IP address actually correspond, the second instruction being: forward messages from the client;
The forwarding processor is configured to temporarily forward or discard messages from the client according to the first instruction, and to forward messages from the client according to the second instruction;
Wherein the source address learning module is further configured to set up a client information table, containing the physical information of the client, when the client passes authentication by the access device; the source address learning module learns the IP address of the client from the client's messages sent up by the forwarding processor;
The instruction sending module is further configured, before the source address learning module learns the IP address of the client, to configure ACL1 according to the client information table and issue ACL1 to the forwarding processor; ACL1 is: send messages that match the physical information of the client up to the source address learning module;
The forwarding processor is further configured to send messages that match the physical information of the client up to the source address learning module according to ACL1.
10. The access device according to claim 9, characterized in that the instruction sending module is further configured to send a third instruction to the forwarding processor when the source address learning module learns that the physical information of the client and the IP address do not actually correspond, the third instruction being: discard messages from the client;
The forwarding processor is further configured to discard messages from the client according to the third instruction.
11. The access device according to claim 9, characterized in that the first instruction sent by the instruction sending module comprises ACL3, and the instruction sending module further sets a survival time for ACL3;
ACL3 is: forward or discard messages that match the physical information and IP address of the client;
The forwarding processor is configured to, according to ACL3, forward or discard messages that match the physical information and IP address of the client within the survival time of ACL3.
12. The access device according to claim 9, characterized in that the second instruction sent by the instruction sending module comprises ACL4;
ACL4 is: forward messages that match the physical information and IP address of the client;
The forwarding processor is configured to forward messages that match the physical information and IP address of the client according to ACL4.
13. The access device according to claim 10, characterized in that the third instruction sent by the instruction sending module comprises ACL2;
ACL2 is: discard messages that match the physical information and IP address of the client;
The forwarding processor is configured to discard messages that match the physical information and IP address of the client according to ACL2.
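
The ACL sequence of claims 9 to 13 (ACL1 on authentication, ACL3 with a survival time while neighbor learning runs, then ACL4 or ACL2), modeled as an added Python example that is not code from the patent. Assumptions: physical information is a (MAC, port) tuple, traffic from unauthenticated clients is dropped, an expired ACL3 falls back to ACL1, and the neighbor-learning result is passed in rather than probed on a network.

```python
from dataclasses import dataclass, field

@dataclass
class ForwardingProcessor:
    punt: set = field(default_factory=set)     # ACL1: physical info to send up
    rules: dict = field(default_factory=dict)  # (phys, ip) -> (acl, action, expiry)

    def handle(self, phys, src_ip, now):
        rule = self.rules.get((phys, src_ip))
        if rule and (rule[2] is None or now < rule[2]):
            return rule[0], rule[1]
        self.rules.pop((phys, src_ip), None)   # ACL3 survival time elapsed (assumed fallback)
        return ("ACL1", "punt") if phys in self.punt else (None, "drop")

class AccessDevice:
    def __init__(self, acl3_action="drop", acl3_ttl=5.0):
        self.fp = ForwardingProcessor()
        self.clients = {}                      # client information table: phys -> verified IP
        self.acl3_action, self.acl3_ttl = acl3_action, acl3_ttl

    def authenticate(self, phys):
        self.clients[phys] = None              # authenticated, no IP recorded yet
        self.fp.punt.add(phys)                 # issue ACL1

    def on_punted(self, phys, src_ip, now):
        """Source address learning; True means neighbor learning must now start."""
        if phys not in self.clients or self.clients[phys] is not None:
            return False
        # First instruction: ACL3, valid only for its survival time.
        self.fp.rules[(phys, src_ip)] = ("ACL3", self.acl3_action, now + self.acl3_ttl)
        return True

    def on_neighbor_result(self, phys, ip, answered_by):
        """answered_by: physical info that replied for ip, or None if nobody did."""
        if answered_by == phys:                # actual correspondence: second instruction
            self.clients[phys] = ip
            self.fp.rules[(phys, ip)] = ("ACL4", "forward", None)
        else:                                  # no correspondence: third instruction
            self.fp.rules[(phys, ip)] = ("ACL2", "drop", None)

def run(claimed_ip, real_owner):
    """Constructed scenario: a client sends from claimed_ip; real_owner answers the probe."""
    client = ("00:11:22:33:44:55", "port1")    # constructed sample values
    dev, trace = AccessDevice(), []
    dev.authenticate(client)
    trace.append(dev.fp.handle(client, claimed_ip, now=0.0))
    if dev.on_punted(client, claimed_ip, now=0.0):
        trace.append(dev.fp.handle(client, claimed_ip, now=1.0))
        dev.on_neighbor_result(client, claimed_ip, real_owner)
    trace.append(dev.fp.handle(client, claimed_ip, now=2.0))
    return trace
```

With `acl3_action="drop"` a forged source address never reaches the network; with `"forward"` it is exposed only for the ACL3 survival time.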
CN201010103795.0A 2010-01-22 2010-01-22 Access method and equipment Active CN102136985B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010103795.0A CN102136985B (en) 2010-01-22 2010-01-22 Access method and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010103795.0A CN102136985B (en) 2010-01-22 2010-01-22 Access method and equipment

Publications (2)

Publication Number Publication Date
CN102136985A CN102136985A (en) 2011-07-27
CN102136985B true CN102136985B (en) 2014-04-16

Family

ID=44296645

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010103795.0A Active CN102136985B (en) 2010-01-22 2010-01-22 Access method and equipment

Country Status (1)

Country Link
CN (1) CN102136985B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017219322A1 (en) * 2016-06-23 2017-12-28 华为技术有限公司 Visible light communication access method, apparatus, device, and system
CN106254269B (en) * 2016-08-18 2019-08-06 杭州迪普科技股份有限公司 A kind of message forwarding method and device
CN106842915B (en) * 2016-12-22 2020-02-18 首都师范大学 Formal modeling method and device for robot distributed control system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1829190A (en) * 2005-03-01 2006-09-06 杭州华为三康技术有限公司 Distributed ARP realizing method

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8817757B2 (en) * 2001-12-12 2014-08-26 At&T Intellectual Property Ii, L.P. Zero-configuration secure mobility networking technique with web-based authentication interface for large WLAN networks
CN1630256A (en) * 2003-12-16 2005-06-22 华为技术有限公司 A realizing method for preventing IP address embezzlement during connection to Internet
JP4908819B2 (en) * 2004-12-01 2012-04-04 キヤノン株式会社 Wireless control apparatus, system, control method, and program
CN100405796C (en) * 2006-09-19 2008-07-23 清华大学 Admittance control method for IPv6 switch-in network true source address access
CN101212398A (en) * 2006-12-29 2008-07-02 王立刚 Access system and method
CN101309197B (en) * 2007-05-18 2011-12-28 华为技术有限公司 Network system and access node apparatus, IP edge apparatus and access control method
CN101345743B (en) * 2007-07-09 2011-12-28 福建星网锐捷网络有限公司 Method and system for preventing network attack by utilizing address analysis protocol
CN101370019B (en) * 2008-09-26 2011-06-22 北京星网锐捷网络技术有限公司 Method and switchboard for preventing packet cheating attack of address analysis protocol
CN101621525B (en) * 2009-08-05 2012-09-05 杭州华三通信技术有限公司 Method and equipment for treating legal entries
CN101635628B (en) * 2009-08-28 2012-01-04 杭州华三通信技术有限公司 Method and device for preventing ARP attacks

Also Published As

Publication number Publication date
CN102136985A (en) 2011-07-27

Similar Documents

Publication Publication Date Title
CN101127600B (en) A method for user access authentication
CN103685272B (en) Authentication method and system
US8806565B2 (en) Secure network location awareness
CN102244651B (en) Method for preventing attack of illegal neighbor discovery protocol message and access equipment
CN101888389B (en) Method and system for realizing uniform authentication of ICP union
CN102255918A (en) DHCP (Dynamic Host Configuration Protocol) Option 82 based user accessing authority control method
WO2009035829A1 (en) Improved dynamic host configuration protocol
CN106302353B (en) Identity authentication method, identity authentication system and related equipment
CN102437946B (en) Access control method, network access server (NAS) equipment and authentication server
CN101635628A (en) Method and device for preventing ARP attacks
CN102404293A (en) Dual-stack user managing method and broadband access server
CN101471936A (en) Method, device and system for establishing IP conversation
CN102946385B (en) A kind of preventing forges the method and apparatus discharging message and carry out attacking
CN104618522B (en) The method and Ethernet access equipment that IP address of terminal automatically updates
CN102404346A (en) Method and system for controlling access right of internet users
KR20130005973A (en) A network security system and network security method
CN102571811A (en) User access authority control system and method thereof
CN101808097B (en) Method and equipment for preventing ARP attack
CN112910863A (en) Network tracing method and system
JP2002124952A (en) Approval method and system of wireless terminal in wireless network
CN102136985B (en) Access method and equipment
US20110055571A1 (en) Method and system for preventing lower-layer level attacks in a network
CN105188057B (en) A kind of method and system for improving network access authentication safety
CN101232369B (en) Method and system for distributing cryptographic key in dynamic state host computer collocation protocol
CN114710388B (en) Campus network security system and network monitoring system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.
