CN102457432A - Control VLAN protection method and node equipment in Ethernet ring network - Google Patents


Info

Publication number: CN102457432A
Authority: CN (China)
Prior art keywords: eaps, node, ring, protocol messages, point
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2010105246264A
Other languages: Chinese (zh)
Other versions: CN102457432B (en)
Inventor: 何三波
Current assignee: Maipu Communication Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Maipu Communication Technology Co Ltd
Priority date: 2010-10-29 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2010-10-29
Publication date: 2012-05-16
Application filed by Maipu Communication Technology Co Ltd; priority to CN201010524626.4A; published as CN102457432A; granted and published as CN102457432B
Current legal status: Active

Abstract

The invention provides a control VLAN (Virtual Local Area Network) protection method that prevents an attacker from attacking an EAPS (Ethernet Automatic Protection Switching) ring with forged EAPS protocol messages, and a node device that implements the method. When an EAPS node receives an EAPS protocol message, the user data ports on that node are forbidden from forwarding it; the nodes comprise master nodes and transit nodes. By forbidding the user data ports from forwarding EAPS protocol messages, the method prevents the EAPS protocol messages of the ring from entering the user network through the user data ports, and also prevents EAPS protocol messages forged by an attacker from entering the EAPS ring through the user data ports and causing the protocol to malfunction. The forged EAPS protocol messages therefore cannot reach the EAPS ring, and the attack path of the attacker's forged protocol messages is blocked at the physical layer.

Description

Control VLAN protection method and node device in an Ethernet ring network
Technical field
The present invention relates to Ethernet ring network technology, and in particular to EAPS (Ethernet Automatic Protection Switching) ring network technology.
Background technology
An EAPS Ethernet ring protection domain comprises a group of protected service VLANs (the VLANs used to forward user data traffic), a master node and a number of transit nodes, and a control VLAN used to carry the protection control messages. The master node of the Ethernet protection domain has a master port and a secondary port; the VLAN used to forward control messages is the control VLAN, and the VLANs used to forward the protected user data traffic are the user data VLANs. Under normal conditions the master node blocks user data VLAN forwarding on its secondary port (the spanning-tree state of the user data VLANs on the secondary port is set to blocking), so that no loop exists in the ring network; this prevents the network storm that a loop in the user data path would otherwise cause.
However, an EAPS ring can be attacked so that the EAPS protocol operates incorrectly. In serious cases the spanning-tree state of the user data VLANs on the master node's secondary port is wrongly set to forwarding, the user data path forms a loop, and the network is paralysed.
The cause of these errors is usually that EAPS protocol messages forged by an attacker have entered the EAPS ring. The relevant standard, RFC 3619, suggests protecting the EAPS protocol messages in the ring by encrypting them. However, encrypting EAPS protocol messages with a proprietary scheme hinders interoperability between equipment from different vendors, while encrypting them with a standard scheme leaves the encryption algorithm easier for an attacker to break. Moreover, whether the encryption method is proprietary or standard, the algorithm may at present be broken by an attacker; that is, however the EAPS protocol messages are encrypted, the attacker still has an opening. If the attacker uses forged EAPS protocol messages to attack the Ethernet ring network, the consequences are serious.
Summary of the invention
The technical problem to be solved by the invention is to provide a control VLAN protection method that prevents an attacker from attacking an EAPS ring with forged EAPS protocol messages, and a node device that implements the method.
The technical solution adopted by the invention to solve the above problem is a control VLAN protection method in an Ethernet ring network comprising the step:
when an EAPS node receives an EAPS protocol message, the user data ports on that node are forbidden from forwarding the EAPS protocol message; the nodes comprise master nodes and transit nodes.
Analysis of attacked EAPS rings shows that forged EAPS protocol messages enter the ring and attack it because many users habitually add all VLANs to the user data ports. This gives an attacker the opportunity to inject forged EAPS protocol messages into the EAPS ring through a user data port: EAPS protocol messages are broadcast within their control VLAN, so on any node of the EAPS ring, as soon as a user data port has been added to the control VLAN of the ring, the EAPS protocol messages enter the user network; the attacker can then capture and analyse them with a packet sniffer, and forge EAPS protocol messages to attack the EAPS ring network. By forbidding the user data ports from forwarding EAPS protocol messages, the invention both prevents the EAPS protocol messages of the ring from entering the user network through the user data ports, and prevents EAPS protocol messages forged by the attacker from entering the EAPS ring through the user data ports and causing the protocol to malfunction. In this way the forged EAPS protocol messages cannot reach the EAPS ring, and the attack path of the attacker's forged protocol messages is blocked at the physical layer.
Specifically, blocking the control VLAN of the EAPS ring on the user data port forbids EAPS protocol messages from being forwarded through the user data port; this is simple to operate and consumes no Ethernet switch resources.
When any node in the Ethernet ring network is traversed by two or more EAPS rings, and each EAPS ring has two ports on that node, the node is the tangent node of those EAPS rings, and the rings are tangent EAPS rings at that node. If the EAPS protocol messages of one tangent ring enter another tangent ring, they waste the bandwidth of that ring and add unnecessary processing for the EAPS protocol running on it. Therefore the invention further forbids the two ports that each EAPS ring has on the tangent node from forwarding, on that ring, the protocol messages of the other tangent EAPS rings.
Of the two ports through which an EAPS ring passes a node, one is the master port and one is the secondary port.
Preferably, this is done by blocking, on the two ports of each tangent EAPS ring at the tangent node, the control VLANs of all the other tangent EAPS rings that pass through that node, so that the two ports of each ring are forbidden from forwarding the EAPS protocol messages of the other tangent rings through that tangent node.
The node device in the Ethernet ring network comprises a first protection control module and a message judging module;
the message judging module is used to trigger the first protection control module when an EAPS protocol message is received;
the first protection control module is used to forbid the user data ports from forwarding EAPS protocol messages.
Preferably, the first protection control module forbids the forwarding of EAPS protocol messages on the user data port by blocking the control VLAN of the EAPS ring on the user data port.
Further, the node device also comprises a tangent node judging module and a second protection control module;
the tangent node judging module is used to judge, when the local node device is traversed by two or more EAPS rings and each EAPS ring has two ports on the local node device, that the local node device is the tangent node of those two or more EAPS rings, and that those rings are the tangent EAPS rings of the tangent node;
the message judging module is further used to trigger the second protection control module when an EAPS protocol message is received and the tangent node judging module judges that the local node device is a tangent node;
the second protection control module is used to forbid the two ports of any tangent EAPS ring on the local node device from forwarding, on that EAPS ring, the protocol messages of the other tangent EAPS rings.
Preferably, the second protection control module does this by blocking, on the two ports of any EAPS ring through the local node device, the control VLANs of all the other EAPS rings passing through the local node device, so that the two ports of any tangent EAPS ring on the local node device are forbidden from forwarding the protocol messages of the other tangent EAPS rings on that ring.
The beneficial effect of the invention is that the security of the EAPS ring network is guaranteed; further, when tangent EAPS rings occur, the bandwidth of an EAPS ring is not consumed by the EAPS protocol messages of the other tangent EAPS rings.
Description of drawings
Fig. 1 is a schematic diagram of the node device in the Ethernet ring network;
Fig. 2 is a schematic diagram of an EAPS ring in Embodiment 1;
Fig. 3 is a schematic diagram of tangent EAPS rings in Embodiment 2.
Detailed description
The node device shown in Fig. 1 comprises a first protection control module, a message judging module, a tangent node judging module and a second protection control module;
the message judging module is used to trigger the first protection control module when an EAPS protocol message is received, and to trigger the second protection control module when an EAPS protocol message is received and the tangent node judging module judges that the local node device is a tangent node;
the tangent node judging module is used to judge, when the local node device is traversed by two or more EAPS rings and each EAPS ring has two ports on the local node device, that the local node device is the tangent node of those two or more EAPS rings, and that those rings are the tangent EAPS rings of the tangent node;
the first protection control module is used to block the control VLAN of the EAPS ring on the user data ports;
the second protection control module is used to block, on the two ports of any EAPS ring through the local node device, all the control VLANs of the other EAPS rings passing through the local node device.
Embodiment 1
As in Fig. 1, EAPS ring R comprises master node M and transit nodes T1, T2, T3. On node T2, port p1 is the EAPS master port, port p2 is the EAPS secondary port, and port p3 is the user data port: the port through which user data enters and leaves the EAPS node, on which the EAPS protocol does not run. To prevent EAPS protocol messages from leaving through user data port p3 into the user network and consuming user-network bandwidth, and at the same time to prevent an attacker in the user network from maliciously constructing EAPS protocol messages to attack EAPS ring R and make the protocol malfunction, the message judging module of node T2, on receiving an EAPS protocol message, directs the first protection control module to block the control VLAN of the EAPS ring on user data port p3, thereby forbidding the forwarding of EAPS protocol messages.
There are several ways to forbid the forwarding of EAPS protocol messages by blocking the control VLAN of the EAPS ring, for example filtering with an ordinary ACL (Access Control List). However, the switches of some node devices have many user data ports, and filtering EAPS protocol messages with an ACL on every user data port consumes too many ACL entries; ACL capacity is a scarce resource on an Ethernet switch and must not be squandered. Instead, the spanning-tree state of the EAPS ring's control VLAN on data port p3 can be set to blocking, which forbids the forwarding of EAPS protocol messages through data port p3; this is comparatively simple to operate and consumes no Ethernet switch resources.
Embodiment 2
As in Fig. 2, there are two EAPS rings: EAPS ring R1 comprises master node M and transit nodes T1, T2, T3; EAPS ring R2 comprises master node m and transit nodes t1, t2, T3. Both EAPS rings pass through node T3 and each ring has two ports there: ports p11 and p12 on node T3 belong to EAPS ring R1, and ports p21 and p22 belong to EAPS ring R2. EAPS rings R1 and R2 are therefore tangent at tangent node T3, and R1 and R2 are tangent EAPS rings.
In this embodiment, besides the message judging module of node T3 directing, after it receives an EAPS protocol message, the first protection control module to block the control VLAN of the EAPS ring on the user data ports of node T3 so that EAPS protocol messages are not forwarded there, the case of tangent EAPS rings needs special handling:
when two or more tangent EAPS rings pass through the same node device, each tangent EAPS ring blocks the control VLANs of the other tangent EAPS rings on its two ports at the tangent node. In this embodiment (Fig. 2), the tangent node judging module of node T3 judges that EAPS rings R1 and R2 are tangent at node T3. The master port of R1 on node T3 is p11 and its secondary port is p12; the master port of EAPS ring R2 on node T3 is p21 and its secondary port is p22. When the message judging module of node T3 receives an EAPS protocol message from EAPS ring R1, the second protection control module blocks the control VLAN of EAPS ring R2 on ports p11 and p12; when the message judging module of node T3 receives an EAPS protocol message from EAPS ring R2, the second protection control module blocks the control VLAN of EAPS ring R1 on ports p21 and p22.
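To make the forwarding rules of the Summary and of Embodiments 1 and 2 concrete, the following Python model is an added example; it is not code from the patent or from Maipu. It reads the 802.1Q tag of a frame to find its VLAN, keeps for each port the set of VLANs whose spanning-tree state is blocking, and applies the two protections: the ring's control VLAN is blocked on every user data port (first protection control), and on a tangent node each ring's two ports block the other rings' control VLANs (second protection control). The control VLAN ids 100 and 200, the user data VLAN 10, the user port p31 on T3, the frame layout, the EtherType placeholder and the choice to apply the blocking at configuration time rather than on receipt of each protocol message are assumptions of the example, not statements of the patent; ports start as members of every VLAN, the habit the Background identifies as the cause of the attack.

```python
"""Added example, not the patent's or Maipu's code: a model of an EAPS node
that parses 802.1Q-tagged frames and applies the two protections of the
Summary and Embodiments 1 and 2. VLAN ids, port p31, the frame layout and
the up-front application of the blocking are assumptions of the example."""
from __future__ import annotations

import struct

TPID_8021Q = 0x8100
ETHERTYPE_PLACEHOLDER = 0x88B5  # IEEE local experimental EtherType, stands in for the PDU type


def build_tagged_frame(vlan_id: int, payload: bytes) -> bytes:
    """Construct a minimal 802.1Q-tagged frame (constructed sample data)."""
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
    tag = struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ETHERTYPE_PLACEHOLDER) + payload


def parse_vlan_id(frame: bytes) -> int | None:
    """Return the VLAN id from the 802.1Q tag, or None for an untagged frame."""
    if len(frame) < 18:
        raise ValueError("frame too short to carry an 802.1Q tag and EtherType")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


class EapsNode:
    """Ring ports per EAPS ring, user data ports, and per port the set of
    VLAN ids whose spanning-tree state has been set to blocking. Ports are
    members of every VLAN until a VLAN is blocked on them (the habit the
    patent's Background blames for the attack)."""

    def __init__(self, name: str):
        self.name = name
        self.ports: list[str] = []                        # insertion order
        self.ring_ports: dict[str, tuple[str, str]] = {}  # ring -> (master, secondary)
        self.control_vlan: dict[str, int] = {}            # ring -> control VLAN id
        self.user_ports: set[str] = set()
        self.blocked: dict[str, set[int]] = {}            # port -> blocked VLAN ids
        self.dropped: list[str] = []                      # audit trail of drops

    def _add_port(self, port: str) -> None:
        if port not in self.ports:
            self.ports.append(port)
        self.blocked.setdefault(port, set())

    def add_ring(self, ring: str, control_vlan: int, master: str, secondary: str) -> None:
        self.ring_ports[ring] = (master, secondary)
        self.control_vlan[ring] = control_vlan
        self._add_port(master)
        self._add_port(secondary)

    def add_user_port(self, port: str) -> None:
        self.user_ports.add(port)
        self._add_port(port)

    def is_tangent_node(self) -> bool:
        """Two or more rings, each with its two ports on this node."""
        return len(self.ring_ports) >= 2

    def apply_control_vlan_protection(self) -> None:
        """First protection control: block every ring's control VLAN on the
        user data ports. Second protection control (tangent nodes only): on
        each ring's two ports, block the other rings' control VLANs. The patent
        triggers this on receipt of a protocol message; applying it up front
        yields the same blocked state."""
        for ring, cvid in self.control_vlan.items():
            for port in self.user_ports:
                self.blocked[port].add(cvid)
            if self.is_tangent_node():
                for other, other_cvid in self.control_vlan.items():
                    if other != ring:
                        for port in self.ring_ports[ring]:
                            self.blocked[port].add(other_cvid)

    def forward(self, ingress: str, frame: bytes) -> list[str]:
        """Return the egress ports for a frame, or [] when it is dropped at the
        ingress port. Untagged frames have vid None, which no block set holds."""
        vid = parse_vlan_id(frame)
        if vid in self.blocked[ingress]:
            self.dropped.append(f"{self.name}: VLAN {vid} frame dropped at blocked port {ingress}")
            return []
        return [p for p in self.ports if p != ingress and vid not in self.blocked[p]]


def embodiment_1_node(protect: bool = True) -> EapsNode:
    """Node T2 of ring R: p1 master port, p2 secondary port, p3 user data port."""
    t2 = EapsNode("T2")
    t2.add_ring("R", control_vlan=100, master="p1", secondary="p2")
    t2.add_user_port("p3")
    if protect:
        t2.apply_control_vlan_protection()
    return t2


def embodiment_2_node(protect: bool = True) -> EapsNode:
    """Tangent node T3: R1 on p11/p12, R2 on p21/p22, plus assumed user port p31."""
    t3 = EapsNode("T3")
    t3.add_ring("R1", control_vlan=100, master="p11", secondary="p12")
    t3.add_ring("R2", control_vlan=200, master="p21", secondary="p22")
    t3.add_user_port("p31")
    if protect:
        t3.apply_control_vlan_protection()
    return t3


if __name__ == "__main__":
    pdu_r1 = build_tagged_frame(100, b"EAPS protocol message (constructed)")
    t2, t3 = embodiment_1_node(), embodiment_2_node()
    print("T2: ring PDU from p1 ->", t2.forward("p1", pdu_r1))    # ['p2']
    print("T2: forged PDU from p3 ->", t2.forward("p3", pdu_r1))  # []
    print("T3: R1 PDU from p11 ->", t3.forward("p11", pdu_r1))    # ['p12']
    print("\n".join(t2.dropped + t3.dropped))
```

Running the file shows the three decisions the embodiments describe: on T2 a ring PDU arriving on p1 leaves only through p2, a PDU injected on user port p3 is dropped, and on T3 an R1 PDU never reaches the R2 ports. Constructing the node with `protect=False` reproduces the pre-patent situation, where the same R1 PDU floods p21, p22 and the user port. The `dropped` list is the audit trail a defender would export to a log: a control-VLAN frame arriving on a user data port means either a misconfigured user network or an injection attempt, and either deserves an alert.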

Claims (8)

1. A control VLAN protection method in an Ethernet ring network, characterized in that, when an EAPS node receives an EAPS protocol message, the user data ports on that node are forbidden from forwarding the EAPS protocol message; the nodes comprise master nodes and transit nodes.
2. The control VLAN protection method in an Ethernet ring network according to claim 1, characterized in that forbidding the user data ports on the EAPS node from forwarding the EAPS protocol message means blocking the EAPS control VLAN on the user data ports.
3. The control VLAN protection method in an Ethernet ring network according to claim 1 or claim 2, characterized in that, when any node in the EAPS ring network is traversed by two or more EAPS rings and each EAPS ring has two ports on that node, the node, as the tangent node of those two or more EAPS rings, forbids the two ports of each EAPS ring at the tangent node from forwarding, on that EAPS ring, the protocol messages of the other tangent EAPS rings.
4. The control VLAN protection method in an Ethernet ring network according to claim 3, characterized in that forbidding the two ports of each EAPS ring at the tangent node from forwarding, on that EAPS ring, the protocol messages of the other tangent EAPS rings means that, on the two ports of each EAPS ring at the tangent node, the control VLANs of all the other tangent EAPS rings passing through the tangent node are set to blocking.
5. A node device in an Ethernet ring network, characterized in that it comprises a first protection control module and a message judging module;
the message judging module is used to trigger the first protection control module when an EAPS protocol message is received;
the first protection control module is used to forbid the user data ports in the EAPS ring network from forwarding the EAPS protocol message.
6. The node device in an Ethernet ring network according to claim 5, characterized in that the first protection control module forbids the forwarding of EAPS protocol messages through the user data port by blocking the control VLAN of the EAPS ring on the user data port.
7. The node device in an Ethernet ring network according to claim 5 or 6, characterized in that it further comprises a tangent node judging module and a second protection control module;
the tangent node judging module is used to judge, when the local node device is traversed by two or more EAPS rings and each EAPS ring has two ports on the local node device, that the local node device is the tangent node of those two or more EAPS rings, and that those rings are the tangent EAPS rings of the tangent node;
the message judging module is further used to trigger the second protection control module when an EAPS protocol message is received and the tangent node judging module judges that the local node device is a tangent node;
the second protection control module is used to forbid the two ports of any tangent EAPS ring on the local node device from forwarding, on that EAPS ring, the protocol messages of the other tangent EAPS rings.
8. The node device in an Ethernet ring network according to claim 7, characterized in that the second protection control module forbids the two ports of an EAPS ring on the local node device from forwarding, on that ring, the protocol messages of the other tangent EAPS rings by blocking, on the two ports of any EAPS ring through the local node device, the control VLANs of all the other EAPS rings passing through the local node device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010524626.4A CN102457432B (en) 2010-10-29 2010-10-29 Control VLAN protection method and node equipment in Ethernet ring network


Publications (2)

Publication Number Publication Date
CN102457432A (en) 2012-05-16
CN102457432B (en) 2015-04-01

Family

ID=46040123

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010524626.4A Active CN102457432B (en) 2010-10-29 2010-10-29 Control VLAN protection method and node equipment in Ethernet ring network

Country Status (1)

Country Link
CN (1) CN102457432B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1812361A (en) * 2006-01-23 2006-08-02 杭州华为三康技术有限公司 Fast ring network protecting method and system
CN101217445A (en) * 2008-01-21 2008-07-09 杭州华三通信技术有限公司 A method of loop generation protection and Ethernet ring system
US20080298260A1 (en) * 2007-05-30 2008-12-04 Electronics & Telecommunications Research Institute Operational status testing apparatus and method for ethernet-based automatic protection switching process
CN101345683A (en) * 2007-07-11 2009-01-14 中兴通讯股份有限公司 Protocol packet transmission control method of Ethernet automatic protection switch system


Also Published As

Publication number Publication date
CN102457432B (en) 2015-04-01


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP02 Change in the address of a patent holder
  Address after: 610041 15-24 floor, 1 1 Tianfu street, Chengdu high tech Zone, Sichuan
  Patentee after: MAIPU COMMUNICATION TECHNOLOGY Co.,Ltd.
  Address before: 610041 Sichuan city of Chengdu province high tech Zone nine Hing Road No. 16 building, Maipu
  Patentee before: MAIPU COMMUNICATION TECHNOLOGY Co.,Ltd.
CP02 Change in the address of a patent holder
  Address after: 610041 nine Xing Xing Road 16, hi tech Zone, Sichuan, Chengdu
  Patentee after: MAIPU COMMUNICATION TECHNOLOGY Co.,Ltd.
  Address before: 610041 15-24 floor, 1 1 Tianfu street, Chengdu high tech Zone, Sichuan
  Patentee before: MAIPU COMMUNICATION TECHNOLOGY Co.,Ltd.