CN102546429A - Method and system for authenticating intra-site automatic tunnel addressing protocol (ISATAP) tunnels based on dynamic host configuration protocol (DHCP) monitoring - Google Patents

Publication number: CN102546429A
Authority: CN (China)
Prior art keywords: router, address, message, isatap, binding information
Legal status: Granted; Active
Application number: CN2012100244505A
Other languages: Chinese (zh)
Other versions: CN102546429B (en)
Inventor: 梁小冰
Current Assignee: Beijing Shenzhou Digital Cloud Information Technology Co ltd; Shenzhou Kuntai Xiamen Information Technology Co ltd
Original Assignee: Digital China Networks Beijing Co Ltd
Application filed by: Digital China Networks Beijing Co Ltd
Priority to: CN201210024450.5A
Publication of: CN102546429A
Application granted; publication of: CN102546429B
Landscapes: Data Exchanges In Wide-Area Networks; Small-Scale Networks

Abstract

The invention discloses a method and a system for authenticating Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels based on Dynamic Host Configuration Protocol (DHCP) monitoring (DHCP snooping). The method comprises: A. an access switch snoops the DHCP request process of an Internet Protocol version 4/Internet Protocol version 6 (IPv4/IPv6) dual-stack host, builds binding information containing the media access control (MAC) address, Internet Protocol (IP) address, lease time, virtual local area network (VLAN) identifier and port number of the dual-stack host, encapsulates the binding information in a binding message, and sends the binding message to an ISATAP router; B. the dual-stack host that wants to access the IPv6 network sends a Router Solicitation message to the ISATAP router to request a global IPv6 address prefix; and C. the ISATAP router looks up the binding information by the IP address of the dual-stack host carried in the Router Solicitation message to decide whether to send a Router Advertisement notifying the dual-stack host of the global IPv6 address prefix.

Description

Authentication method and system for Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels based on DHCP snooping
Technical field
The present invention relates to the field of computer data communication, and in particular to a method and system for authenticating ISATAP tunnels based on DHCP monitoring (DHCP Snooping).
Background
The Dynamic Host Configuration Protocol (DHCP) is a network protocol that evolved from BOOTP and is used to dynamically assign IP addresses and other related information to hosts. DHCP uses a client/server model: the DHCP client submits a configuration request, and the DHCP server responds to that request by returning configuration information to the client according to a predetermined policy. All DHCP messages are encapsulated in the User Datagram Protocol (UDP).
DHCP snooping is a function in which a switch monitors the process by which a DHCP client obtains an IP address through DHCP. By designating trusted and untrusted ports, it prevents DHCP attacks and the setting up of rogue DHCP servers. DHCP messages received on a trusted port are forwarded without checking. In a typical setup, trusted ports connect to the DHCP server or to a DHCP relay agent (DHCP Relay). Untrusted ports connect to DHCP clients; the switch forwards DHCP request messages received on an untrusted port but does not forward DHCP reply messages received on an untrusted port.
The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an address assignment and automatic tunneling technology for host-to-host, host-to-router and router-to-host communication; it provides unicast IPv6 connectivity between IPv6 hosts across an IPv4 internal network. ISATAP is generally used for communication between IPv6/IPv4 nodes within an IPv4 network. ISATAP uses the locally administered interface identifier ::0:5EFE:w.x.y.z, where the 0:5EFE portion is the combination of the organizational unit identifier (00-00-5E) assigned by the Internet Assigned Numbers Authority (IANA) and the type number (FE) that indicates an embedded IPv4 address. The w.x.y.z portion is any unicast IPv4 address, which may be either a private or a public address. Any valid 64-bit prefix of an IPv6 unicast address can be combined with the ISATAP interface identifier to form an ISATAP address; such prefixes include the link-local prefix (FE80::/64), global prefixes (including 6to4 prefixes) and site-local prefixes.
Before an IPv6/IPv4 dual-stack host (hereinafter: dual-stack host) can communicate with other hosts or routers, it must first obtain an ISATAP address. The dual-stack host first sends a router solicitation to the ISATAP server and obtains a 64-bit IPv6 address prefix; it then appends the 64-bit interface identifier ::0:5EFE:X.X.X.X (where X.X.X.X is the unicast IPv4 address of the dual-stack host) to form an ISATAP address. Once configured with the ISATAP address, the dual-stack host becomes an ISATAP client and can then communicate with other ISATAP clients within the IPv4 domain.
ISATAP tunnels are currently in very common use in the early stage of IPv6 network deployment. They allow a remote dual-stack host node to reach the local IPv6 access network router across the IPv4 network, obtain an IPv6 address prefix, generate a valid address on the local IPv6 network, and thereby access the IPv6 network.
ISATAP tunnels can be deployed both inside an enterprise network and outside it. One defect of the ISATAP tunnel, however, is that any remote dual-stack host node with an IPv4 route to the address of the ISATAP tunnel router attached to the IPv6 network can obtain an address on that IPv6 access network without authentication. This is a security weakness: a malicious unauthorized user can easily use the ISATAP tunnel as a springboard to attack the IPv6 network.
Summary of the invention
The object of the present invention is to provide a more secure ISATAP tunnel authentication method and system that prevent malicious unauthorized users from accessing the IPv6 network through an ISATAP tunnel.
The invention discloses a method for authenticating Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels based on Dynamic Host Configuration Protocol (DHCP) snooping, comprising:
A. An access switch snoops the DHCP request process of an IPv4/IPv6 dual-stack host, builds binding information containing the MAC address, IP address, lease time, VLAN ID and port number of the dual-stack host, encapsulates this binding information in a binding message, and sends it to the ISATAP router;
B. The dual-stack host that wants to access the IPv6 network sends a Router Solicitation message to the ISATAP router, requesting a global IPv6 address prefix;
C. The ISATAP router looks up the binding information by the IP address of the dual-stack host in the Router Solicitation message and decides whether to send a Router Advertisement informing the dual-stack host of the global IPv6 address prefix.
Preferably, step A further comprises:
The ISATAP router extracts the binding information from the received binding message, and builds and updates a binding information table from that binding information.
Preferably, step C comprises:
After receiving the Router Solicitation message, the ISATAP router checks whether the IPv4 address embedded in the source IPv6 address of the Router Solicitation message has a record in the ISATAP router's binding information table. If it does, the router replies with a Router Advertisement message carrying the global IPv6 address prefix, informing the dual-stack host of that prefix; if it does not, the router does not reply. An unauthorized remote dual-stack host therefore cannot obtain an IPv6 address and cannot access the IPv6 network through the ISATAP router.
Preferably, step A comprises:
A01. After intercepting a DHCP request message from the dual-stack host, the access switch creates a temporary binding containing the MAC address, access port and VLAN ID of that dual-stack host;
A02. After intercepting the DHCP response message sent to the dual-stack host, the access switch looks up the temporary binding by the MAC address in that message, extracts the IP address and lease time from the DHCP response message, and builds binding information containing the MAC address, IP address, lease time, VLAN ID and port number of the dual-stack host;
A03. After creating and saving the binding information, the access switch encapsulates it in a binding message and sends it to the ISATAP router at the pre-configured ISATAP router address;
A04. The ISATAP router receives the binding message, extracts the binding information from it and saves it in its local binding information table.
Preferably, in step A03 the access switch applies encryption and hash processing to the binding message before sending it to the ISATAP router.
Preferably, the encryption is DES encryption and the hash processing is MD5 hashing.
The invention also discloses a system for authenticating Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels based on Dynamic Host Configuration Protocol (DHCP) snooping. The system comprises a dual-stack host, an access switch, a DHCP server and an ISATAP router, wherein:
The dual-stack host requests an IPv4 address from the DHCP server and, when it needs to access the IPv6 network, sends a Router Solicitation to the ISATAP router to request a global IPv6 address prefix;
The access switch snoops the DHCP request process of the IPv4/IPv6 dual-stack host, builds binding information containing the MAC address, IP address, lease time, VLAN ID and port number of the dual-stack host, encapsulates this binding information in a binding message, and sends it to the ISATAP router;
The DHCP server assigns an IPv4 address to the dual-stack host in response to the host's request;
The ISATAP router looks up the binding information by the IP address of the dual-stack host in the Router Solicitation message and decides whether to send a Router Advertisement informing the dual-stack host of the global IPv6 address prefix.
Preferably, the ISATAP router extracts the binding information from the received binding message, and builds and updates a binding information table from that binding information.
Preferably, after receiving the Router Solicitation message, the ISATAP router checks whether the IPv4 address embedded in the source IPv6 address of the Router Solicitation message has a record in the ISATAP router's binding information table. If it does, the router replies with a Router Advertisement message carrying the global IPv6 address prefix, informing the dual-stack host of that prefix; if it does not, the router does not reply. An unauthorized remote dual-stack host therefore cannot obtain an IPv6 address and cannot access the IPv6 network through the ISATAP router.
By snooping the DHCP request process at the access switch, the invention obtains the binding information of the dual-stack host and uploads it to the ISATAP router for storage. When the ISATAP router receives a router solicitation from a dual-stack host, it can judge from the binding information table whether the host requesting access to the IPv6 network is legitimate, thereby avoiding the various network attacks that use the tunnel as a springboard.
Description of drawings
Fig. 1 is a structural diagram of the DHCP-snooping-based ISATAP tunnel authentication system of an embodiment of the invention;
Fig. 2 is a flow chart of the DHCP-snooping-based ISATAP tunnel authentication method of an embodiment of the invention;
Fig. 3 is a diagram of the binding message format used in the embodiment of the invention.
Embodiment
The technical solution of the invention is further described below with reference to the drawings and through an embodiment.
Fig. 1 is a structural diagram of the DHCP-snooping-based ISATAP tunnel authentication system of an embodiment of the invention. As shown in Fig. 1, the system comprises a dual-stack host, an access switch and a DHCP server connected over the IPv4 network, and an ISATAP router that lets the dual-stack host access the IPv6 network. The dual-stack host is connected to the access switch; the access switch is connected through the IPv4 network to the DHCP server and to the ISATAP router, which connects the IPv4 and IPv6 networks.
In this system, the access switch includes a DHCP snooping binding module. This module snoops the DHCP request process of the dual-stack host, builds binding information containing the MAC address, IP address, lease time, VLAN ID and port number of the dual-stack host, encapsulates this binding information in a binding message and sends it to the ISATAP router.
When the dual-stack host wants to access the IPv6 network from the IPv4 network, it generates an ISATAP address: it derives the interface identifier ::0:5EFE:w.x.y.z from its IPv4 address w.x.y.z and then adds the link-local prefix fe80 to obtain its own ISATAP address fe80::0:5EFE:w.x.y.z, thereby forming an IPv6 connection with the ISATAP router.
To access the IPv6 network, the dual-stack host needs a global IPv6 address prefix, so it sends a Router Solicitation message to the ISATAP router, asking the router to inform it of the global IPv6 address prefix.
The ISATAP router builds and continuously updates the binding information table from the binding information in the binding messages. After receiving the Router Solicitation message sent by the dual-stack host, the ISATAP router checks whether the IPv4 address x.y.z.w embedded in the source IPv6 address fe80::5efe:x.y.z.w of the Router Solicitation message has a record in the ISATAP router's binding table. If it does, the router replies with a Router Advertisement message carrying the global address prefix, informing the dual-stack host of the global IPv6 address prefix; if it does not, the router does not reply. An unauthorized remote dual-stack host therefore cannot obtain an IPv6 address through the ISATAP router and cannot access the IPv6 network.
Fig. 2 shows the flow chart of the DHCP-snooping-based ISATAP tunnel authentication method of an embodiment of the invention. As shown in Fig. 2, the method comprises the following steps:
Step 100. The access switch snoops the DHCP request process of the dual-stack host and builds binding information containing the MAC address, IP address, lease time, VLAN ID and port number of the dual-stack host. This binding information is encapsulated in a binding message and sent to the ISATAP router. The ISATAP router builds and continuously updates the binding information table from the binding information in the binding messages.
Specifically, the DHCP snooping module is enabled on the access switch, the trusted ports are set, and the IP address of the ISATAP router that receives the binding information is configured; the ISATAP tunnel authentication module is enabled on the interface of the ISATAP router.
The DHCP snooping module of the access switch installs in the switching chip a rule that redirects DHCP messages to the switch's DHCP snooping module. After the switching chip receives a DHCP message, it does not forward it in hardware but redirects it to the DHCP snooping module.
The access switch snoops the DHCP request process of the dual-stack host through DHCP snooping; the detailed procedure is as follows:
101. After the DHCP snooping module of the access switch intercepts a DHCP request message from the dual-stack host, it looks up the binding table by source MAC address. If this MAC already exists in the binding table, the message is forwarded out of the pre-configured trusted port; otherwise the switch creates a temporary binding recording the MAC, port and VLAN ID of the host, and forwards the message out of the pre-configured trusted port.
102. After the DHCP snooping module of the access switch intercepts the DHCP response message (DHCP ACK) for the user, it looks up the temporary bindings by the chaddr field of the message. If a temporary binding with the same user MAC exists, it creates a binding information entry from that temporary binding and the assigned IP address and lease time in the DHCP response message, recording the MAC address, IP address, lease time, VLAN number and port number of the dual-stack host.
103. After creating and saving the binding information, the access switch encapsulates it in a binding message, applies encryption and hash processing to the binding message, and sends it to the ISATAP router at the pre-configured IP address of the ISATAP router that receives binding information;
The binding information is added to a binding message, which is then forwarded to the ISATAP router. Binding messages between the switch and the ISATAP router are carried over UDP; the message format is shown in Fig. 3, and the fields are as follows:
Version: version number, currently 1
Type: type, currently 1, indicating that the message contains binding information
SeqNo: sequence number, incremented by 1 for each message sent
SecretLen: length of the encrypted message
Signature: MD5 hash result over all fields of the DHCP SNOOPING binding message
SwitchIPAddr: IP address of the switch
SwitchID: switch ID, taken from the switch CPU MAC address
Count: number of bindings
ClientMAC: MAC address of the PC terminal leasing the address
Reserved: reserved, set to 0
ClientVlanId: VLAN ID through which the DHCP user accesses the switch
PortNum: number of the switch port where the DHCP user is located
ClientIP: IP address
ClientMask: address mask
ClientGateway: gateway parameter
ClientLease: DHCP address lease time
BindingTimeStamp: timestamp of the address assignment
To prevent user information from leaking and from being maliciously tampered with in transit, the binding message can be encrypted and hashed. In this embodiment DES encryption and MD5 hashing are chosen; the DES key is configured by the user, and the key on the access switch must be the same as the key on the ISATAP router.
Before a message is sent it is first encrypted and then hashed; the detailed procedure is as follows:
The message content from the SwitchIPAddr field to the end of the message is DES-encrypted. The ciphertext has the same length as the plaintext; it is placed in the region of the DHCP SNOOPING binding message that begins at the SwitchIPAddr field, and the ciphertext length is placed in the SecretLen field of the DHCP SNOOPING binding message, after which the message is handed to the hash processing module. For the DES-encrypted DHCP SNOOPING binding message, the Signature field is first zeroed when the MD5 hash is computed, the hash is then computed over the whole message, and the hash value is written into the Signature field once the computation completes. The switch can then send the message.
104. The ISATAP router receives the binding message, extracts the binding information from it and saves it in its local binding information table.
After receiving the binding message, the ISATAP router first performs the hash computation and then decrypts; the detailed procedure is as follows:
The value of the Signature field is backed up first, the Signature field is then zeroed, and the MD5 hash value of the whole message is computed. If the hash value is the same as the backed-up Signature value, the hash check succeeds and the binding message goes on to DES decryption. If the hash check fails, the binding message is discarded. For a received message that passes the MD5 hash check, the message content starting at the position after the Signature field, with the length given by the SecretLen field, is DES-decrypted to restore the binding message content that begins at the SwitchIPAddr field.
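The hash step of the send and receive procedures above, as an added example (not code from the patent). Fig. 3 is not reproduced on this page, so the header field widths are assumptions, as are the function names; the DES-encrypted region is treated as opaque bytes and the DES step itself is left out.

```python
import hashlib
import hmac
import struct
from typing import Optional

# ASSUMED widths (Fig. 3 is not on the page): Version 1 byte, Type 1 byte,
# SeqNo 2 bytes, SecretLen 2 bytes, network byte order.
HEADER = struct.Struct("!BBHH")
SIG_LEN = 16                 # an MD5 digest is 16 bytes
SIG_OFF = HEADER.size        # Signature follows the fixed header
BODY_OFF = SIG_OFF + SIG_LEN # encrypted region starts at SwitchIPAddr


def seal_binding_message(seq_no: int, ciphertext: bytes) -> bytes:
    """Switch side: place ciphertext and SecretLen, zero Signature, hash, fill in."""
    if len(ciphertext) > 0xFFFF:
        raise ValueError("ciphertext does not fit the assumed 16-bit SecretLen")
    header = HEADER.pack(1, 1, seq_no & 0xFFFF, len(ciphertext))
    zeroed = header + bytes(SIG_LEN) + ciphertext
    signature = hashlib.md5(zeroed).digest()   # hash over the whole message
    return header + signature + ciphertext


def open_binding_message(msg: bytes) -> Optional[bytes]:
    """Router side: return the ciphertext to hand to DES, or None to discard."""
    if len(msg) < BODY_OFF:
        return None                            # too short to hold a Signature
    version, msg_type, _seq_no, secret_len = HEADER.unpack_from(msg)
    if version != 1 or msg_type != 1:
        return None                            # only Version 1 / Type 1 is defined
    body = msg[BODY_OFF:]
    if len(body) != secret_len:
        return None                            # SecretLen must match what arrived
    saved = msg[SIG_OFF:BODY_OFF]              # back up Signature
    zeroed = msg[:SIG_OFF] + bytes(SIG_LEN) + body
    computed = hashlib.md5(zeroed).digest()
    if not hmac.compare_digest(computed, saved):
        return None                            # hash check failed: discard
    return body                                # hash check passed: decrypt next


if __name__ == "__main__":
    sample = bytes(range(24))                  # constructed stand-in for DES output
    wire = seal_binding_message(7, sample)
    print(len(wire), open_binding_message(wire) == sample)
```

The MD5 value is computed without a key, so the check detects corruption in transit; it does not by itself show that the message came from the access switch.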
Step 200. The dual-stack host that wants to access the IPv6 network sends a Router Solicitation message to the ISATAP router, requesting a global IPv6 address prefix.
Step 300. After receiving the Router Solicitation message sent by the dual-stack host, the ISATAP router checks whether the IPv4 address embedded in the source IPv6 address of the Router Solicitation message has a record in the ISATAP router's binding information table. If it does, the router replies with a Router Advertisement message carrying the global address prefix, informing the dual-stack host of the global IPv6 address prefix; if it does not, the router does not reply. An unauthorized remote dual-stack host therefore cannot obtain an IPv6 address through the ISATAP router and cannot access the IPv6 network.
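The router-side check of step 300, as an added example (not code from the patent): a binding table keyed by IPv4 address, extraction of the IPv4 address embedded in the ISATAP source address, and the reply or no-reply decision. Lease expiry, the comparison with the outer IPv4 source, the 0200:5EFE marker, and all names and sample addresses are assumptions added here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Bytes 8..11 of an ISATAP address. 0000:5EFE is the form given on the page;
# 0200:5EFE is the RFC 5214 variant for globally unique IPv4 addresses.
ISATAP_MARKERS = (bytes.fromhex("00005efe"), bytes.fromhex("02005efe"))


@dataclass(frozen=True)
class Binding:
    client_mac: str
    client_ip: ipaddress.IPv4Address
    vlan_id: int
    port_num: int
    lease_seconds: int      # ClientLease
    bound_at: float         # BindingTimeStamp, seconds since the epoch

    def expired(self, now: float) -> bool:
        return now >= self.bound_at + self.lease_seconds


class BindingTable:
    """Router-side table built from binding messages, keyed by client IPv4."""

    def __init__(self) -> None:
        self._by_ip: Dict[ipaddress.IPv4Address, Binding] = {}

    def update(self, binding: Binding) -> None:
        self._by_ip[binding.client_ip] = binding   # a newer binding replaces the old

    def lookup(self, ip: ipaddress.IPv4Address, now: float) -> Optional[Binding]:
        binding = self._by_ip.get(ip)
        if binding is not None and binding.expired(now):
            # Assumption: a lapsed lease no longer authorises the host.
            del self._by_ip[ip]
            return None
        return binding


def embedded_ipv4(src_ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address inside an ISATAP address, or None if not ISATAP."""
    try:
        packed = ipaddress.IPv6Address(src_ipv6).packed
    except ValueError:
        return None
    if packed[8:12] not in ISATAP_MARKERS:
        return None
    return ipaddress.IPv4Address(packed[12:16])


def answer_router_solicitation(src_ipv6: str, outer_ipv4_src: str,
                               table: BindingTable, global_prefix: str,
                               now: float) -> Optional[str]:
    """Return the prefix to advertise, or None when the router stays silent."""
    inner = embedded_ipv4(src_ipv6)
    if inner is None:
        return None
    try:
        outer = ipaddress.IPv4Address(outer_ipv4_src)
    except ValueError:
        return None
    # Added consistency check (not stated on the page): the tunnel's outer IPv4
    # source must be the address embedded in the inner IPv6 source.
    if inner != outer:
        return None
    if table.lookup(inner, now) is None:
        return None          # no binding record: do not reply
    return global_prefix


def build_sample_table() -> BindingTable:
    """Constructed sample data: one host bound at t=1000 with a 3600 s lease."""
    table = BindingTable()
    table.update(Binding("00:11:22:33:44:55", ipaddress.IPv4Address("192.0.2.10"),
                         vlan_id=10, port_num=3, lease_seconds=3600, bound_at=1000.0))
    return table


if __name__ == "__main__":
    t = build_sample_table()
    prefix = "2001:db8:1::/64"   # documentation prefix, constructed
    print(answer_router_solicitation("fe80::5efe:192.0.2.10", "192.0.2.10", t, prefix, 2000.0))
    print(answer_router_solicitation("fe80::5efe:192.0.2.99", "192.0.2.99", t, prefix, 2000.0))
```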
By snooping the DHCP request process at the access switch, the invention obtains the binding information of the dual-stack host and uploads it to the ISATAP router for storage. When the ISATAP router receives a router solicitation from a dual-stack host, it can judge from the binding information table whether the host requesting access to the IPv6 network is legitimate, thereby avoiding the various network attacks that use the tunnel as a springboard.
The above are only preferred embodiments of the invention and the technical principles applied. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention.

Claims (9)

1. A method for authenticating Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels based on Dynamic Host Configuration Protocol (DHCP) snooping, comprising:
A. An access switch snoops the DHCP request process of an IPv4/IPv6 dual-stack host, builds binding information containing the MAC address, IP address, lease time, VLAN ID and port number of the dual-stack host, encapsulates this binding information in a binding message, and sends it to the ISATAP router;
B. The dual-stack host that wants to access the IPv6 network sends a Router Solicitation message to the ISATAP router, requesting a global IPv6 address prefix;
C. The ISATAP router looks up the binding information by the IP address of the dual-stack host in the Router Solicitation message and decides whether to send a Router Advertisement informing the dual-stack host of the global IPv6 address prefix.
2. The method of claim 1, characterized in that step A further comprises:
The ISATAP router extracts the binding information from the received binding message, and builds and updates a binding information table from that binding information.
3. The method of claim 2, characterized in that step C comprises:
After receiving the Router Solicitation message, the ISATAP router checks whether the IPv4 address embedded in the source IPv6 address of the Router Solicitation message has a record in the ISATAP router's binding information table. If it does, the router replies with a Router Advertisement message carrying the global IPv6 address prefix, informing the dual-stack host of that prefix; if it does not, the router does not reply. An unauthorized remote dual-stack host therefore cannot obtain an IPv6 address and cannot access the IPv6 network through the ISATAP router.
4. The method of claim 1, characterized in that step A comprises:
A01. After intercepting a DHCP request message from the dual-stack host, the access switch creates a temporary binding containing the MAC address, access port and VLAN ID of that dual-stack host;
A02. After intercepting the DHCP response message sent to the dual-stack host, the access switch looks up the temporary binding by the MAC address in that message and, from the temporary binding found and the IP address and lease time extracted from the DHCP response message, builds binding information containing the MAC address, IP address, lease time, VLAN ID and port number of the dual-stack host;
A03. After creating and saving the binding information, the access switch encapsulates it in a binding message and sends it to the ISATAP router at the pre-configured ISATAP router address;
A04. The ISATAP router receives the binding message, extracts the binding information from it and saves it in its local binding information table.
5. The method of claim 4, characterized in that in step A03 the access switch applies encryption and hash processing to the binding message before sending it to the ISATAP router.
6. The method of claim 5, characterized in that the encryption is DES encryption and the hash processing is MD5 hashing.
7. A system for authenticating Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels based on Dynamic Host Configuration Protocol (DHCP) snooping, the system comprising a dual-stack host, an access switch, a DHCP server and an ISATAP router, wherein:
The dual-stack host requests an IPv4 address from the DHCP server and, when it needs to access the IPv6 network, sends a Router Solicitation to the ISATAP router to request a global IPv6 address prefix;
The access switch snoops the DHCP request process of the IPv4/IPv6 dual-stack host, builds binding information containing the MAC address, IP address, lease time, VLAN ID and port number of the dual-stack host, encapsulates this binding information in a binding message, and sends it to the ISATAP router;
The DHCP server assigns an IPv4 address to the dual-stack host in response to the host's request;
The ISATAP router looks up the binding information by the IP address of the dual-stack host in the Router Solicitation message and decides whether to send a Router Advertisement informing the dual-stack host of the global IPv6 address prefix.
8. The system of claim 7, characterized in that the ISATAP router extracts the binding information from the received binding message, and builds and updates a binding information table from that binding information.
9. The system of claim 8, characterized in that, after receiving the Router Solicitation message, the ISATAP router checks whether the IPv4 address embedded in the source IPv6 address of the Router Solicitation message has a record in the ISATAP router's binding information table. If it does, the router replies with a Router Advertisement message carrying the global IPv6 address prefix, informing the dual-stack host of that prefix; if it does not, the router does not reply. An unauthorized remote dual-stack host therefore cannot obtain an IPv6 address and cannot access the IPv6 network through the ISATAP router.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210024450.5A CN102546429B (en) 2012-02-03 2012-02-03 The authentication method of Intra-site Automatic Tunnel Addressing Protocol based on DHCP monitoring and system

Publications (2)

Publication Number Publication Date
CN102546429A (en) 2012-07-04
CN102546429B (en) 2016-12-14

Family

ID=46352417

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210024450.5A Active CN102546429B (en) 2012-02-03 2012-02-03 The authentication method of Intra-site Automatic Tunnel Addressing Protocol based on DHCP monitoring and system

Country Status (1)

Country Link
CN (1) CN102546429B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103227844A (en) * 2013-04-19 2013-07-31 深圳市吉祥腾达科技有限公司 Method and device for automatically solving secondary route IP conflict in DHCP
CN106332084A (en) * 2016-09-08 2017-01-11 上海斐讯数据通信技术有限公司 Wireless network expanding method, wireless network expanding system and wireless network
CN111343295A (en) * 2020-02-18 2020-06-26 支付宝(杭州)信息技术有限公司 Method and device for determining risk of IPv6 address
CN112468475A (en) * 2020-11-19 2021-03-09 清华大学 Verification method and system for access sub-network source address
CN112565018A (en) * 2020-12-04 2021-03-26 北京天融信网络安全技术有限公司 Flow statistical method, device, gateway equipment and storage medium
CN114006854A (en) * 2020-07-16 2022-02-01 北京华为数字技术有限公司 Communication method and network equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1571334A (en) * 2003-07-18 2005-01-26 华为技术有限公司 Access authentication method for tunnel of intra-site automatic addressing protocol
CN1901449A (en) * 2006-07-19 2007-01-24 华为技术有限公司 Method for connecting network
CN101656725A (en) * 2009-09-24 2010-02-24 杭州华三通信技术有限公司 Method for implementing safety access and access equipment
CN102244651A (en) * 2010-05-14 2011-11-16 杭州华三通信技术有限公司 Method for preventing attack of illegal neighbor discovery protocol message and access equipment
CN102316101A (en) * 2011-08-09 2012-01-11 神州数码网络(北京)有限公司 Safe access method based on dynamic host configuration protocol (DHCP) SNOOPING

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103227844A (en) * 2013-04-19 2013-07-31 深圳市吉祥腾达科技有限公司 Method and device for automatically solving secondary route IP conflict in DHCP
CN103227844B (en) * 2013-04-19 2016-04-20 深圳市吉祥腾达科技有限公司 In DHCP, second grade router IP conflicts automatic solution and device
CN106332084A (en) * 2016-09-08 2017-01-11 上海斐讯数据通信技术有限公司 Wireless network expanding method, wireless network expanding system and wireless network
CN111343295A (en) * 2020-02-18 2020-06-26 支付宝(杭州)信息技术有限公司 Method and device for determining risk of IPv6 address
CN111343295B (en) * 2020-02-18 2022-09-27 支付宝(杭州)信息技术有限公司 Method and device for determining risk of IPv6 address
CN114006854A (en) * 2020-07-16 2022-02-01 北京华为数字技术有限公司 Communication method and network equipment
CN114006854B (en) * 2020-07-16 2023-06-06 北京华为数字技术有限公司 Communication method and network equipment
CN112468475A (en) * 2020-11-19 2021-03-09 清华大学 Verification method and system for access sub-network source address
CN112468475B (en) * 2020-11-19 2021-11-30 清华大学 Verification method and system for access sub-network source address
CN112565018A (en) * 2020-12-04 2021-03-26 北京天融信网络安全技术有限公司 Flow statistical method, device, gateway equipment and storage medium

Also Published As

Publication number Publication date
CN102546429B (en) 2016-12-14

Similar Documents

Publication Publication Date Title
US8713305B2 (en) Packet transmission method, apparatus, and network system
JP4231042B2 (en) Communication method, mobile agent device, and home agent device
CN103188351B (en) IPSec VPN traffic method for processing business and system under IPv6 environment
US20220124041A1 (en) Data transmission method, switch, and site
CN102546429A (en) Method and system for authenticating intra-site automatic tunnel addressing protocol (ISATAP) tunnels based on dynamic host configuration protocol (DHCP) monitoring
US10044841B2 (en) Methods and systems for creating protocol header for embedded layer two packets
CN102316101A (en) Safe access method based on dynamic host configuration protocol (DHCP) SNOOPING
CN107534643A (en) Mobile service is changed between IP VPN and transport layer VPN
KR20160122992A (en) Integrative Network Management Method and Apparatus for Supplying Connection between Networks Based on Policy
EP2086179A1 (en) A method, system and device for transmitting media independent handover information
CN102546661B (en) A kind of method and system preventing IPv6 gateway neighbours spoofing attack
JP6128352B2 (en) Method, relay device, server, and system for transferring authentication information
US10341286B2 (en) Methods and systems for updating domain name service (DNS) resource records
CN102546428A (en) System and method for internet protocol version 6 (IPv6) message switching based on dynamic host configuration protocol for IPv6 (DHCPv6) interception
CN101459653B (en) Method for preventing DHCP packet attack based on Snooping technique
CN109428884B (en) Communication protection device, control method, and recording medium
CN105516062A (en) L2TP over IPsec access realizing method
CN105491169A (en) Data proxy method and system
CN109981820A (en) A kind of message forwarding method and device
US7254835B2 (en) Method and apparatus for conveying a security context in addressing information
JP2006180480A (en) Network system and method for performing routing using dynamic address
CN102594882A (en) Neighbor discovery proxy method and system based on Dynamic Host Configuration Protocol for Internet Protocol Version 6 (DHCPv6) monitoring
CN101309270B (en) Method, system, gateway and network node implementing internet security protocol
CN108924157B (en) Message forwarding method and device based on IPSec VPN
JP2019050628A (en) System and method for providing ReNAT communication environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza

Patentee after: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd.

Country or region after: China

Address before: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza

Patentee before: DIGITAL CHINA NETWORKS (BEIJING) Ltd.

Country or region before: China

TR01 Transfer of patent right

Effective date of registration: 20240806

Address after: 100085 No.301, 3rd floor, 9 shangdijiu street, Haidian District, Beijing

Patentee after: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd.

Country or region after: China

Patentee after: Shenzhou Kuntai (Xiamen) Information Technology Co.,Ltd.

Address before: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza

Patentee before: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd.

Country or region before: China
