Background technology
The Dynamic Host Configuration Protocol (DHCP) is a local area network (LAN) protocol that runs over UDP. It serves two main purposes: automatic allocation of IP addresses to the users of an internal network or to the customers of an Internet service provider, and a means by which an internal network administrator can manage all computers centrally.
The DHCP SNOOPING function refers to the switch monitoring the process by which a DHCP CLIENT obtains an IP address through the DHCP protocol. By configuring trusted and untrusted ports it prevents DHCP attacks and the setting up of illegal DHCP SERVERs. DHCP messages received from a trusted port are forwarded without verification; the typical configuration connects the trusted port to the DHCP SERVER or to a DHCP RELAY agent. Untrusted ports connect DHCP CLIENTs: the switch forwards DHCP request messages received from an untrusted port but does not forward DHCP reply messages received from an untrusted port. If a DHCP reply message is received from an untrusted port, the switch sends warning information and, according to the configuration, may take action on that port, such as SHUTDOWN or issuing a BLACKHOLE entry. If the DHCP SNOOPING binding function is enabled, the switch keeps the binding information of the DHCP CLIENTs under its untrusted ports; each binding entry contains the MAC address, IP address, lease period, VLAN number and port number of the DHCP CLIENT, and these entries are stored in the DHCP SNOOPING binding table.
DHCP OPTION 82 is the Relay Agent Information Option of the DHCP message; its option number is 82. DHCP OPTION 82 is a mechanism proposed to strengthen the security of the DHCP server and to improve IP address configuration policy. With the DHCP relay agent feature configured on the network access device, the relay agent appends an OPTION 82 option (containing information such as the client's access physical port and the access device identifier) to the DHCP request messages received from clients and then forwards them to the DHCP server. A DHCP server that supports OPTION 82 uses the pre-configured policy together with the OPTION 82 information in the message to allocate an IP address and other configuration information to the client, and can also use the OPTION 82 information to recognise DHCP attack messages aimed at the DHCP server and guard against them.
DHCP OPTION 82 is used by the DHCP relay agent (DHCP RELAY); if DHCP RELAY is not configured in the access environment, the DHCP OPTION 82 function cannot be used to plan and manage the allocation of access-side user IP addresses.
If the number of DHCP bindings per switch port is not limited, a malicious user can forge a large number of DHCP requests and thereby exhaust the resources of the switch and the address space of the DHCP SERVER.
Because an ordinary access switch has no large non-volatile storage medium (such as flash), once the switch restarts abnormally or is power-cycled, the DHCP SNOOPING binding table held in the switch memory is lost. Since users may reach the switch through other network devices (such as a hub, HUB), the user does not perceive that the switch has restarted; the user's DHCP CLIENT neither re-applies for nor renews its address, and in that case, because the user's binding information no longer exists, the user cannot access the network, which causes great inconvenience.
Summary of the invention
The object of the present invention is to provide a safety access method based on DHCP SNOOPING that effectively solves the safety and reliability problems brought by DHCP address allocation and effectively controls and manages the safety issues of network access by the DHCP mode.
To reach the above purpose, the present invention adopts the following technical scheme:
A safety access method based on DHCP SNOOPING comprises the following steps:
Step 1: the switch adds a user-defined or default OPTION 82 to the user DHCP request message it receives;
Step 2: an upper limit on the number of DHCP bindings per switch port is set;
Step 3: a temporary REQUEST binding is created for the user, and the DHCP request message is forwarded to the trusted port;
Step 4: after a DHCP ACK is received from the trusted port, the temporary REQUEST bindings are queried; if an entry with the same user MAC exists, the DHCP user binding information is created and issued to hardware;
Step 5: the binding information is placed in a DHCP SNOOPING binding message, the message is encrypted and hashed, and it is then forwarded to the background server for backup;
Step 6: once the switch restarts, it obtains the binding information from the background server and confirms each binding by ARP to determine whether the binding information is still valid.
The DHCP user binding information comprises: the MAC address, IP address, lease period, VLAN number and port number of the DHCP CLIENT.
Encryption uses DES with a shared key; the hash uses MD5.
If no answer is received for the IP address of a binding, or the MAC in the ARP response is inconsistent with the MAC of the binding, the binding is considered invalid and is deleted; otherwise the binding is considered valid and is retained.
Beneficial effects of the present invention: the switch adds a user-defined or default OPTION 82 to the user DHCP request message it receives; with these options, IP addresses from a specific network segment can be allocated to this user, and the administrator can configure ACLs on the uplink switch, router or firewall to manage the access rights of these IP addresses. A binding quantity is configured on each port; once this quantity is exceeded, new requests are discarded by the switch, which prevents a malicious person from sending DHCP requests to exhaust the DHCP address pool and the software and hardware resources of the switch. The switch issues the user's binding information (IP, MAC, VLAN, PORT) to hardware, which stops illegal IP addresses from being forwarded through the switch. The switch's binding information is uploaded to a background server, which avoids the user binding table disappearing after a switch restart and leaving users unable to access the network. Once the switch restarts, it obtains the binding information from the background server; for the sake of security, the background server and the switch encrypt this information whenever binding information is uploaded or downloaded. The downloaded binding information is confirmed by sending ARP requests, to determine whether the binding information is still valid. Adopting the technical scheme of the present invention effectively solves the safety and reliability problems brought by DHCP address allocation and effectively controls and manages the safety issues of network access by the DHCP mode.
Embodiment
The present invention is further described below with reference to the drawings and an embodiment.
The network environment of the method of the invention is shown in Figure 1.
According to the technical scheme of the above summary of the invention, the detailed implementation steps are as follows, as shown in Figure 2:
(1) After the switch enables DHCP SNOOPING, the port is set to DHCP SNOOPING user control mode and a hardware table entry is installed so that no messages are forwarded and DHCP messages are redirected to the CPU. Before dynamically obtaining an IP address, a DHCP user can access no resources other than requesting an IP address from the DHCP server. The content added by DHCP OPTION 82 can be configured as a specific character string or hexadecimal string; by default the content is the switch CPU MAC, the user VLAN and the port number.
(2) The switch is configured with the background server address and port number, the upper limit on the port binding count is set, and the trusted port (used to communicate with the DHCP SERVER) is set.
(3) After the DHCP SNOOPING module of the access switch intercepts a user DHCP request, it queries the binding table by the source MAC. If this MAC already exists in the binding table, or the number of bindings under this port has not reached the configured upper limit, the switch appends the OPTION 82 option to the tail of the DHCP request message that has passed this check (its sub-option 1 is user-defined or the default setting, and sub-option 2 holds the CPU MAC address of the access switch); the other parts of the DHCP request message are not modified, and the message is forwarded from the trusted port. At the same time, the switch creates a temporary REQUEST binding recording the user's MAC, port and VLAN information.
(4) After the DHCP SNOOPING module intercepts the DHCP response packet for the user, if the packet contains an OPTION 82 option, the two sub-options are extracted; if the MAC address in sub-option 2 is not this switch's own MAC address, the response packet is discarded. The REQUEST binding table is queried by the chaddr field of the message; if an entry with the same user MAC exists, a binding entry is created at the same time, recording the MAC address, IP address, lease period, VLAN number and port number of the DHCP CLIENT. OPTION 82 is stripped from the response message, which is then forwarded to the client from the port recorded in the binding. The switch issues the user's binding information (IP, MAC, VLAN, PORT) to hardware, which stops illegal IP addresses from being forwarded through the switch.
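The reply-side check of step (4), as an added Go example written for this page and not the patent's own implementation: the function walks the DHCP option TLVs, accepts the reply only if sub-option 2 of OPTION 82 carries this switch's CPU MAC, promotes the temporary REQUEST binding found by chaddr, and strips OPTION 82 before the options are forwarded to the client. The Snooper type, its map fields, the port names and the sample option bytes are assumptions; Pad options are not handled.

```go
package main

import (
	"bytes"
	"errors"
	"net"
)

// Constructed model of the reply-side check in step (4); the names are
// illustrative assumptions. opts is the DHCP options area after the magic
// cookie, terminated by the End option (255); Pad options (0) are not handled.
const optRelayAgent, optEnd, subRemoteID = 82, 255, 2

type Snooper struct {
	CPUMAC  net.HardwareAddr
	Pending map[string]string // temporary REQUEST binding: client MAC -> port
	Bound   map[string]string // confirmed binding: client MAC -> port
}

// OnReply walks the option TLVs, discards the reply unless sub-option 2 of
// OPTION 82 carries this switch's CPU MAC, promotes the REQUEST binding matched
// by chaddr, and returns the options with OPTION 82 stripped plus the client port.
func (s *Snooper) OnReply(chaddr net.HardwareAddr, opts []byte) ([]byte, string, error) {
	out, remoteOK := []byte{}, false
	for i := 0; i < len(opts) && opts[i] != optEnd; {
		if i+1 >= len(opts) || i+2+int(opts[i+1]) > len(opts) {
			return nil, "", errors.New("malformed options")
		}
		next := i + 2 + int(opts[i+1])
		if opts[i] != optRelayAgent {
			out = append(out, opts[i:next]...) // every other option is kept as-is
		} else {
			body := opts[i+2 : next]
			for j := 0; j+1 < len(body) && j+2+int(body[j+1]) <= len(body); j += 2 + int(body[j+1]) {
				if body[j] == subRemoteID && bytes.Equal(body[j+2:j+2+int(body[j+1])], s.CPUMAC) {
					remoteOK = true
				}
			}
		}
		i = next
	}
	port, pending := s.Pending[chaddr.String()]
	if !remoteOK || !pending {
		return nil, "", errors.New("reply discarded: remote-id mismatch or no REQUEST binding")
	}
	delete(s.Pending, chaddr.String())
	s.Bound[chaddr.String()] = port // binding confirmed; this is where it would be issued to hardware
	return append(out, optEnd), port, nil
}
```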
(5) The DHCP SNOOPING binding information is placed in a DHCP SNOOPING binding message and forwarded to the background server for backup. The DHCP SNOOPING binding message between the switch and the background server is carried over UDP across the network; to guarantee security and tamper resistance, the DHCP SNOOPING binding message can be encrypted and hashed. The present invention encrypts with DES using a shared key, and hashes with MD5.
The DHCP SNOOPING binding message is carried in UDP; its message format is shown in Figure 3, and each field is explained as follows:
Version: version number, currently 1
Type: type, currently 1, meaning the message carries binding information
SeqNo: sequence number, incremented by 1 for each message sent
SecretLen: length of the encrypted content
Signature: MD5 hash result over all fields of the DHCP SNOOPING binding message
SwitchIPAddr: IP address of the switch
SwitchID: switch ID, taken as the switch CPU MAC
Count: number of bindings
ClientMAC: MAC address of the PC terminal that leased the address
Reserved: reserved, filled with 0
ClientVlanId: VLAN ID through which the DHCP user accesses the switch
PortNum: number of the switch port where the DHCP user is located
ClientIP: IP address
ClientMask: address mask
ClientGateway: gateway parameter
ClientLease: DHCP address lease period
BindingTimeStamp: timestamp of the address allocation
To prevent leakage of user information and malicious tampering during transmission, the message is DES-encrypted and MD5-hashed. The DES key is configured by the user, and the switch must ensure that its key is consistent with that of the background server.
Before a message is sent, it is first encrypted and then hashed; the detailed process is as follows:
The message content from the SwitchIPAddr field to the end is DES-encrypted; the ciphertext has the same length as the plaintext. The ciphertext is placed in the region of the DHCP SNOOPING binding message that begins at the SwitchIPAddr field, and the ciphertext length is placed in the SecretLen field of the DHCP SNOOPING binding message; the message is then passed to the hash processing module. For the DES-encrypted DHCP SNOOPING binding message, the switch first clears the Signature field to zero when calculating the MD5 hash, then performs the hash operation over the whole message; once the hash operation is complete, the hash value is inserted into the Signature field, and at this point the switch can send the message.
After a message is received, the hash is verified first and the message is decrypted afterwards; the detailed process is as follows:
During verification, the value of the Signature field is first backed up and the Signature field is cleared to zero; the MD5 hash of the whole message is then calculated. If the hash value is the same as the backed-up value of the Signature field, the hash verification succeeds and DES decryption of the DHCP SNOOPING binding message continues; if the hash verification fails, the DHCP SNOOPING binding message is discarded. For a received message that passes MD5 hash verification, the switch DES-decrypts the message content starting at the position after the Signature field, with the length specified by the SecretLen field, restoring the DHCP SNOOPING binding message content that begins at the SwitchIPAddr field.
(6) Once the switch restarts, it obtains the binding information from the background server according to the configured background server IP address and port number. After these bindings have been downloaded from the background server, ARP requests are sent to confirm the information and ensure that the binding information is still valid: the requested IP is the user IP in the binding. A binding whose IP receives no answer, or whose MAC is inconsistent with the MAC in the ARP response, is deleted; otherwise the binding is retained.
In the technical scheme adopted by the present invention, the switch adds a user-defined or default OPTION 82 to the user DHCP request message it receives; with these options, IP addresses from a specific network segment can be allocated to this user, and the administrator can configure ACLs on the uplink switch, router or firewall to manage the access rights of these IP addresses. A binding quantity is configured on each port; once this quantity is exceeded, new requests are discarded by the switch, which prevents a malicious person from sending DHCP requests to exhaust the DHCP address pool and the software and hardware resources of the switch. The switch issues the user's binding information (IP, MAC, VLAN, PORT) to hardware, which stops illegal IP addresses from being forwarded through the switch. The switch's binding information is uploaded to a background server, which avoids the user binding table disappearing after a switch restart and leaving users unable to access the network. Once the switch restarts, it obtains the binding information from the background server; for the sake of security, the background server and the switch encrypt this information whenever binding information is uploaded or downloaded. The downloaded binding information is confirmed by sending ARP requests, and any binding whose IP receives no answer is deleted. In this way the safety and reliability problems brought by DHCP address allocation are solved, and the safety issues of network access by the DHCP mode are effectively controlled and managed.