CN102571816B - Method and system for preventing neighbor learning attacks - Google Patents

Publication number: CN102571816B
Application number: CN201210034007.6A
Authority: CN (China)
Prior art keywords: neighbor, message, binding information, dhcpv6, binding
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN102571816A
Inventor: 梁小冰
Current assignee: Beijing Shenzhou Digital Cloud Information Technology Co ltd; Shenzhou Kuntai Xiamen Information Technology Co ltd
Original assignee: Digital China Networks Beijing Co Ltd

Events: application filed by Digital China Networks Beijing Co Ltd; priority to CN201210034007.6A; publication of CN102571816A; application granted; publication of CN102571816B; legal status active.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention discloses a method for preventing neighbor learning attacks, comprising: setting a threshold for the number of INCOMPLETE-state neighbor entries that an aggregation (convergence) switch allows; an access switch monitoring clients' DHCPv6 request exchanges by DHCPv6 snooping, creating and storing binding information, and sending that binding information to the aggregation switch; the aggregation switch receiving the binding information and saving it in a binding information table; and, when the aggregation switch forwards an IPv6 packet whose destination address has no corresponding link-layer address, checking whether the number of INCOMPLETE-state entries in its neighbor table has reached the threshold. If the threshold has not been reached, the switch sends a Neighbor Solicitation to the neighbor node; if it has, the switch looks up the neighbor node's address in the binding information table, sends a Neighbor Solicitation if the address is present, and sends none if it is absent. The present invention effectively solves the problem of neighbor learning attacks in IPv6.

Description

Method and system for preventing neighbor learning attacks
Technical field
The present invention relates to the field of computer data communication, and in particular to a method and system for preventing neighbor learning attacks.
Background
Viruses and Internet worms are currently among the most troublesome attacks. Their way of spreading, however, no longer works in IPv6 (Internet Protocol version 6) networks: the host portion of an IPv6 address is normally 64 bits, so the number of hosts an IPv6 segment can hold is vastly larger than that of an IPv4 (Internet Protocol version 4) segment, and viruses and worms that rely on address scanning have little room to operate in IPv6.
The large IPv6 address space can, however, be turned against the network by a remote attacker. The attacker deliberately sends a large number of packets whose destination addresses belong to an IPv6 segment but do not actually exist on that network. When these packets reach the last-hop router, the router performs a large amount of neighbor learning and generates many invalid neighbor entries. This not only burdens the router's processor (CPU) but also prevents legitimate neighbor entries from being created, which is in effect a denial-of-service attack. The attack targets only global unicast addresses and does not apply to link-local addresses. Here, neighbor learning means the following: a node sends its own link-layer address, full IP address, node name and other address configuration information to other nodes on the network in a Neighbor Solicitation (neighbor request) message of the Neighbor Discovery Protocol, and a node that receives the solicitation returns its own link-layer address, full IP address, node name and other configuration information to the sender in a Neighbor Advertisement message. The soliciting node and the other nodes on the network thereby learn the peer's address configuration information and perform the normal neighbor table operations based on it, for example adding the peer's information to their own neighbor table as a new neighbor entry or modifying an existing entry, which completes neighbor learning.
Summary of the invention
In view of the above technical problem, the object of the present invention is to provide a method and system for preventing neighbor learning attacks that effectively solves the neighbor learning attack problem in IPv6 networks.
To achieve this object, the present invention adopts the following technical solution.
A method for preventing neighbor learning attacks, comprising the following steps:
A. setting a threshold for the number of INCOMPLETE-state neighbor entries the aggregation switch allows;
B. an access switch monitoring clients' DHCPv6 request exchanges by DHCPv6 snooping, creating and storing binding information, and sending the binding information to the aggregation switch;
C. the aggregation switch receiving the binding information and saving it in a binding information table;
D. when forwarding an IPv6 packet whose destination address has no corresponding link-layer address, the aggregation switch checking whether the number of INCOMPLETE-state entries in its neighbor table has reached the threshold; if not, sending a Neighbor Solicitation to the neighbor node; if so, looking up the neighbor node's address in the binding information table and sending a Neighbor Solicitation if the address is present, and sending none if it is absent;
E. after the aggregation switch receives the Neighbor Advertisement corresponding to the Neighbor Solicitation, decrementing the count of INCOMPLETE-state entries in its neighbor table by 1.
In particular, step B further comprises:
the access switch installing in its switching chip a rule that redirects DHCPv6 packets to the switch's processor, so that when the switching chip receives a DHCPv6 packet it does not forward it in hardware but redirects it to the access switch's processor, which parses and forwards it in software.
In particular, step B further comprises:
the access switch placing the binding information in a DHCPv6 snooping binding message, encrypting and hashing the binding message, and then sending it to the aggregation switch at the address configured on the access switch for the aggregation switch that receives binding information.
In particular, step C specifically comprises:
the aggregation switch parsing the binding information out of the DHCPv6 snooping binding message and saving it in its local binding information table, where the binding messages are those arriving from all access switches connected to the aggregation switch.
In particular, in step D, if the number of INCOMPLETE-state entries in the neighbor table has not reached the threshold, a Neighbor Solicitation is sent to the neighbor node, a neighbor entry is inserted into the neighbor table with its state set to INCOMPLETE, and the count of INCOMPLETE-state entries in the neighbor table is incremented by 1.
In particular, step E specifically further comprises:
the aggregation switch looking up its neighbor table by the destination address in the IPv6 header of the Neighbor Advertisement; if a neighbor entry corresponding to that destination address is found, updating the entry's link-layer address to the link-layer address carried in the Neighbor Advertisement, setting the entry's state to REACHABLE, and decrementing the count of INCOMPLETE-state entries in the neighbor table by 1.
The invention also discloses a system for preventing neighbor learning attacks, comprising:
an access switch, connected to the clients, which monitors clients' DHCPv6 request exchanges by DHCPv6 snooping, creates and stores binding information, and sends the binding information to the aggregation switch;
an aggregation switch, connected to the access switch, on which a threshold for the allowed number of INCOMPLETE-state neighbor entries is set and which saves the received binding information in a binding information table; when forwarding an IPv6 packet whose destination address has no corresponding link-layer address, it checks whether the number of INCOMPLETE-state entries in its neighbor table has reached the threshold; if not, it sends a Neighbor Solicitation to the neighbor node, inserts a neighbor entry into the neighbor table with its state set to INCOMPLETE, and increments the count of INCOMPLETE-state entries by 1; if so, it looks up the neighbor node's address in the binding information table, sends no Neighbor Solicitation if the address is absent, and sends one if it is present.
In particular, the access switch is further configured to
install in its switching chip a rule redirecting DHCPv6 packets to the switch's processor, so that the switching chip does not forward received DHCPv6 packets in hardware but redirects them to the access switch's processor for parsing and forwarding in software; and to place the binding information in a DHCPv6 snooping binding message, encrypt and hash the binding message, and send it to the aggregation switch at the address configured on the access switch for the aggregation switch that receives binding information.
In particular, the aggregation switch is further configured to
parse the binding information out of the DHCPv6 snooping binding messages and save it in its local binding information table, the binding messages being those arriving from all access switches connected to the aggregation switch.
In particular, the aggregation switch is further configured to
look up its neighbor table by the destination address in the IPv6 header of the Neighbor Advertisement received in response to the Neighbor Solicitation; if a neighbor entry corresponding to that destination address is found, update the entry's link-layer address to the link-layer address carried in the Neighbor Advertisement, set the entry's state to REACHABLE, and decrement the count of INCOMPLETE-state entries in the neighbor table by 1.
The beneficial effect of the present invention is that the method and system for preventing neighbor learning attacks set a threshold for the INCOMPLETE-state neighbor entries the aggregation switch allows and, once the number of INCOMPLETE-state entries in the neighbor table reaches that threshold, judge the reachability of a neighbor node from the binding information table obtained by DHCPv6 snooping. This avoids large-scale neighbor learning triggered by malicious packets and effectively solves the neighbor learning attack problem in IPv6 networks.
Brief description of the drawings
Fig. 1 is a flow chart of the method for preventing neighbor learning attacks provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the DHCPv6 snooping binding message format provided by an embodiment of the present invention;
Fig. 3 is a flow chart of the aggregation switch's handling of INCOMPLETE-state neighbor entries provided by an embodiment of the present invention;
Fig. 4 is a block diagram of the system for preventing neighbor learning attacks provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described further below with reference to the drawings and embodiments.
Refer to Fig. 1, a flow chart of the method for preventing neighbor learning attacks provided by an embodiment of the present invention.
In this embodiment, the method for preventing neighbor learning attacks comprises the following steps.
Step 101: set the threshold for the number of INCOMPLETE-state neighbor entries the aggregation switch allows. On the aggregation switch, enable the function for preventing neighbor learning attacks based on DHCPv6 (Dynamic Host Configuration Protocol for IPv6) snooping, and set the threshold for the INCOMPLETE-state neighbor entries this aggregation switch allows.
Step 102: enable DHCPv6 snooping on the access switch, set the trusted port, and configure the address of the aggregation switch that receives the binding information.
Once DHCPv6 snooping is enabled, the access switch installs in its switching chip a rule redirecting DHCPv6 packets to the switch's processor (CPU). When the switching chip receives a DHCPv6 packet it does not forward it in hardware but redirects it to the access switch's processor, which parses and forwards it in software.
Step 103: the access switch monitors clients' DHCPv6 request exchanges by DHCPv6 snooping.
The snooping procedure is as follows:
(1) After the access switch intercepts a client's DHCPv6 request message by DHCPv6 snooping, it looks up its binding table by the source MAC (media access control) address. If that MAC address is already in the binding table, the DHCPv6 request is forwarded out the trusted port. Otherwise the access switch first creates a temporary REQUEST binding entry recording the client's MAC address, the transaction ID of the DHCPv6 request, the port, and the VLAN (virtual local area network) information, and then forwards the DHCPv6 request out the trusted port.
(2) After the access switch intercepts the DHCPv6 reply to the client by DHCPv6 snooping, it parses the reply's transaction ID and the IPv6 address and valid lifetime assigned in the IA_NA (Identity Association for Non-temporary Addresses) option. It then looks up the REQUEST binding table by transaction ID; if a matching transaction ID exists, it creates a binding entry recording the client's (that is, the DHCPv6 client's) MAC address, IPv6 address, lease time, VLAN ID and port number.
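The snooping state machine of steps 103(1) and 103(2) (restated for access switch 402 in the system description), as an added example that is not code from the patent: a pending REQUEST table keyed by the DHCPv6 transaction ID, and a binding created from the REPLY's IA_NA/IAADDR option. The message and option layouts (1-octet msg-type, 3-octet transaction ID, TLV options with 2-octet code and length, IA_NA code 3 carrying IAID/T1/T2 before its sub-options, IAADDR code 5 carrying address, preferred and valid lifetime) follow RFC 8415; the machine translation's "IANA" is read as this IA_NA option. Source MAC, port and VLAN are taken from the Ethernet frame rather than the DHCPv6 payload and are passed in as metadata. The class, function and table names, and the constructed REQUEST/REPLY builders used for the demo, are this example's own.

```python
"""DHCPv6 snooping on the access switch, steps 103(1)-(2). Added example, not
the patent's code. Message/option layouts follow RFC 8415; the snooping tables
and their keys are this example's own design."""
import struct
from dataclasses import dataclass

MSG_REQUEST, MSG_REPLY = 3, 7       # DHCPv6 msg-type values
OPT_IA_NA, OPT_IAADDR = 3, 5        # DHCPv6 option codes


def iter_options(data):
    """Yield (option-code, option-data) over a run of DHCPv6 TLV options."""
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        yield code, data[off + 4:off + 4 + length]
        off += 4 + length


def leased_addresses(options):
    """[(ipv6_bytes, valid_lifetime)] from every IA_NA -> IAADDR in a REPLY."""
    leases = []
    for code, body in iter_options(options):
        if code != OPT_IA_NA:
            continue
        # IA_NA body: IAID(4) T1(4) T2(4), then IA options such as IAADDR
        for sub, sub_body in iter_options(body[12:]):
            if sub == OPT_IAADDR and len(sub_body) >= 24:
                # IAADDR body: address(16) preferred-lifetime(4) valid-lifetime(4)
                _preferred, valid = struct.unpack_from("!II", sub_body, 16)
                leases.append((sub_body[:16], valid))
    return leases


@dataclass
class Binding:
    mac: bytes
    ipv6: bytes
    lease: int
    vlan: int
    port: int


class DhcpV6Snooper:
    def __init__(self):
        self.pending = {}    # transaction ID -> (mac, port, vlan): step 103(1)
        self.bindings = {}   # client MAC -> Binding: the binding table

    def on_client_message(self, src_mac, port, vlan, payload):
        """Untrusted-port direction. src_mac/port/vlan come from the frame, not
        from the DHCPv6 payload. Returns True: the packet is forwarded out the
        trusted port in both branches, as the page describes."""
        msg_type, xid = payload[0], payload[1:4]
        if msg_type == MSG_REQUEST and src_mac not in self.bindings:
            self.pending[xid] = (src_mac, port, vlan)
        return True

    def on_server_message(self, payload):
        """Trusted-port direction: step 103(2). Returns the Binding created, or
        None when there is no REPLY, no matching REQUEST, or no IA_NA lease."""
        msg_type, xid = payload[0], payload[1:4]
        if msg_type != MSG_REPLY or xid not in self.pending:
            return None
        leases = leased_addresses(payload[4:])
        if not leases:
            return None
        mac, port, vlan = self.pending.pop(xid)
        ipv6, valid = leases[0]
        binding = Binding(mac, ipv6, valid, vlan, port)
        self.bindings[mac] = binding
        return binding


def build_request(xid):
    """Constructed minimal REQUEST: msg-type + 3-octet transaction ID."""
    return bytes([MSG_REQUEST]) + xid


def build_reply(xid, ipv6, valid, iaid=1):
    """Constructed REPLY carrying one IA_NA with one IAADDR."""
    iaaddr = struct.pack("!HH", OPT_IAADDR, 24) + ipv6 + struct.pack("!II", valid // 2, valid)
    ia_na = struct.pack("!III", iaid, 0, 0) + iaaddr
    return bytes([MSG_REPLY]) + xid + struct.pack("!HH", OPT_IA_NA, len(ia_na)) + ia_na


if __name__ == "__main__":
    snoop = DhcpV6Snooper()
    xid, mac = b"\x12\x34\x56", bytes.fromhex("001122334455")
    snoop.on_client_message(mac, port=7, vlan=100, payload=build_request(xid))
    addr = bytes.fromhex("20010db8000000000000000000000010")
    print(snoop.on_server_message(build_reply(xid, addr, 86400)))
```

The REPLY path is only meaningful if it is fed exclusively from the trusted port, as step 102 requires; a REPLY arriving on an untrusted port must not reach `on_server_message`, otherwise a host could mint bindings for itself.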
Step 104: the access switch places the created and stored binding information in a DHCPv6 snooping binding message, encrypts and hashes the binding message, and then sends it to the aggregation switch at the address configured on the access switch for the aggregation switch that receives binding information.
The DHCPv6 snooping binding message between the access switch and the aggregation switch is carried over UDP (User Datagram Protocol) across the network. To provide security and tamper resistance, the DHCPv6 snooping binding message can be encrypted and hashed. In the present invention, encryption uses the Data Encryption Standard (DES) with a shared key, and hashing uses Message Digest Algorithm 5 (MD5).
Fig. 2 is a schematic diagram of the DHCPv6 snooping binding message format provided by an embodiment of the present invention.
The DHCPv6 snooping binding message is carried in UDP, and its fields have the following meanings:
Version: version number, currently 1;
Type: message type, currently 1, meaning the message carries binding information;
SeqNo: sequence number, incremented by 1 for every message sent;
SecretLen: length of the encrypted part of the message;
Signature: MD5 hash of all fields of the DHCPv6 snooping binding message; 16 octets;
SwitchIPAddr: IPv4 address of the switch;
SwitchID: switch identifier (ID), normally the MAC address of the switch's processor; 6 octets;
Count: number of bindings;
ClientMAC: MAC address of the client leasing the address; 6 octets;
Reserved: reserved, filled with 0;
ClientVlanId: VLAN ID on the switch through which the client is attached;
PortNum: number of the switch port where the client is located;
ClientIP: IPv6 address of the client; 16 octets;
ClientValidLifetime: valid lifetime of the address assigned by DHCPv6;
BindingTimeStamp: timestamp of the address assignment.
The DES key is configured by the operator, and the access switch must ensure its key matches that of the aggregation switch. Before a DHCPv6 snooping binding message is sent it is first encrypted and then hashed, as follows:
The message content from the SwitchIPAddr field to the end is DES-encrypted; the ciphertext has the same length as the plaintext. The ciphertext is placed in the message region starting at the SwitchIPAddr field, the ciphertext length is written into the SecretLen field, and the message is handed to the hashing unit. To compute the MD5 hash of the DES-encrypted binding message, the access switch first zeroes the Signature field, then hashes the whole binding message, and after the hash completes writes the hash value into the Signature field; the DHCPv6 snooping binding message can then be sent by the access switch.
Step 105: the aggregation switch parses the binding information out of the DHCPv6 snooping binding message and saves it in its local binding information table.
On receiving a DHCPv6 binding message, the aggregation switch first performs the hash computation, then decrypts, and finally extracts the binding information, as follows:
For the hash computation it first backs up the value of the Signature field, zeroes the Signature field, and computes the MD5 hash of the whole message. If the hash value equals the backed-up Signature value, the hash check succeeds and the switch proceeds to DES-decrypt the DHCPv6 snooping binding message; if the hash check fails, the message is discarded. For a received message that passed the MD5 check, the aggregation switch DES-decrypts the content that follows the Signature field, with the length given by the SecretLen field, recovering the plaintext binding message content beginning at the SwitchIPAddr field.
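The Fig. 2 frame and the sign/verify procedure of steps 104 and 105 (repeated for access switch 402 and aggregation switch 403 in the system description), as an added example rather than the patent's code. The page fixes only the 16-octet Signature and ClientIP and the 6-octet SwitchID and ClientMAC; the other widths (Version 1, Type 1, SeqNo 2, SecretLen 2, SwitchIPAddr 4, Count 2, Reserved 2, ClientVlanId 2, PortNum 2, ClientValidLifetime 4, BindingTimeStamp 4) are this example's assumptions. DES is not in the Python standard library, so the encryption layer is a pluggable callable that the demo leaves as a pass-through; a deployment would plug a DES implementation in at that point. The block also shows the caveat a reviewer would raise about this design: MD5 over the message is an unkeyed checksum, so anyone able to inject UDP toward the aggregation switch can alter a message and recompute a Signature that passes the check; the DES layer gives confidentiality but does not authenticate the sender (with a real block cipher the attacker's edit scrambles rather than chooses the plaintext, but the hash check still passes). A keyed MAC (HMAC-SHA256 truncated to the 16-octet field) is shown alongside for contrast; `forge_client_ip`, `hmac_signature` and the other names are this example's own.

```python
"""DHCPv6 snooping binding message of Fig. 2: build, sign, verify, parse.
Added example, not the patent's code. Widths fixed by the page: Signature and
ClientIP 16 octets, SwitchID and ClientMAC 6 octets. Assumed widths: Version 1,
Type 1, SeqNo 2, SecretLen 2, SwitchIPAddr 4, Count 2, Reserved 2,
ClientVlanId 2, PortNum 2, ClientValidLifetime 4, BindingTimeStamp 4."""
import hashlib
import hmac
import struct

OUTER = struct.Struct("!BBHH16s")        # Version Type SeqNo SecretLen Signature
SIG_OFF, SIG_LEN = 6, 16                 # Signature sits at offset 6 of OUTER
INNER = struct.Struct("!4s6sH")          # SwitchIPAddr SwitchID Count (encrypted)
RECORD = struct.Struct("!6sHHH16sII")    # ClientMAC Reserved ClientVlanId PortNum
                                         # ClientIP ClientValidLifetime BindingTimeStamp


def passthrough(data, key):
    """Placeholder for the shared-key DES layer over SwitchIPAddr..end (same
    length as plaintext). DES is not in the standard library, so the demo
    leaves the bytes unchanged; a deployment would plug a block cipher in here."""
    return data


def _zero_signature(msg):
    return msg[:SIG_OFF] + b"\0" * SIG_LEN + msg[SIG_OFF + SIG_LEN:]


def set_signature(msg, sig):
    return msg[:SIG_OFF] + sig + msg[SIG_OFF + SIG_LEN:]


def md5_signature(msg):
    """The page's check: MD5 over the whole message with Signature zeroed."""
    return hashlib.md5(_zero_signature(msg)).digest()


def hmac_signature(msg, key):
    """Keyed alternative (not in the page): HMAC-SHA256 truncated to 16 octets."""
    return hmac.new(key, _zero_signature(msg), hashlib.sha256).digest()[:SIG_LEN]


def build(seqno, switch_ip, switch_id, records, key=b"", cipher=passthrough):
    """Access-switch side (step 104): encrypt from SwitchIPAddr to the end,
    write SecretLen, then hash with Signature zeroed and fill Signature."""
    plain = INNER.pack(switch_ip, switch_id, len(records))
    plain += b"".join(RECORD.pack(*rec) for rec in records)
    secret = cipher(plain, key)
    msg = OUTER.pack(1, 1, seqno, len(secret), b"\0" * SIG_LEN) + secret
    return set_signature(msg, md5_signature(msg))


def verify_and_parse(msg, key=b"", cipher=passthrough, keyed=False):
    """Aggregation-switch side (step 105): recompute the hash over the message
    with Signature zeroed, drop on mismatch, then decrypt SecretLen bytes after
    Signature and parse. Returns a dict, or None when the message is discarded."""
    version, mtype, seqno, secret_len, sig = OUTER.unpack_from(msg, 0)
    expected = hmac_signature(msg, key) if keyed else md5_signature(msg)
    if version != 1 or mtype != 1 or not hmac.compare_digest(sig, expected):
        return None
    plain = cipher(msg[OUTER.size:OUTER.size + secret_len], key)
    switch_ip, switch_id, count = INNER.unpack_from(plain, 0)
    if len(plain) < INNER.size + count * RECORD.size:
        return None                       # Count inconsistent with SecretLen
    bindings = [RECORD.unpack_from(plain, INNER.size + i * RECORD.size)
                for i in range(count)]
    return {"seqno": seqno, "switch_ip": switch_ip, "switch_id": switch_id,
            "bindings": bindings}


def forge_client_ip(msg, new_ip):
    """What an injecting attacker can do against an unkeyed hash: overwrite
    record 0's ClientIP and recompute MD5. (With real DES in place the attacker
    edits ciphertext and gets scrambled rather than chosen plaintext, but the
    hash check still passes.)"""
    off = OUTER.size + INNER.size + 12                   # MAC+Reserved+Vlan+Port
    tampered = msg[:off] + new_ip + msg[off + 16:]
    return set_signature(tampered, md5_signature(tampered))
```

The `keyed=True` path is the one change that turns the Signature field into an authenticator: the same zero-the-field-then-hash layout, with the shared key folded into the hash instead of only into the cipher.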
Step 106: when the aggregation switch forwards an IPv6 packet whose destination address is on this segment and the link-layer address corresponding to that destination address does not exist, it proceeds as follows (see Fig. 3):
Step 1061: check whether the number of INCOMPLETE-state entries in the neighbor table has reached the threshold.
Step 1062: if, according to the result of step 1061, the number of INCOMPLETE-state entries has not reached the threshold, send a Neighbor Solicitation to the neighbor node, insert a neighbor entry into the neighbor table with its state set to INCOMPLETE, and increment the count of INCOMPLETE-state entries in the neighbor table by 1.
Step 1063: if, according to the result of step 1061, the number of INCOMPLETE-state entries has reached the threshold, look up whether the neighbor node's address is in the binding information table.
Step 1064: if, according to the result of step 1063, the neighbor node's address is in the binding information table, send a Neighbor Solicitation to that neighbor node.
Step 1065: if, according to the result of step 1063, the neighbor node's address is not in the binding information table, send no Neighbor Solicitation to that neighbor node and drop the IPv6 packet that was to be forwarded.
Step 107: after the aggregation switch receives the Neighbor Advertisement corresponding to the Neighbor Solicitation, it decrements the count of INCOMPLETE-state entries in its neighbor table by 1.
On receiving the Neighbor Advertisement, the aggregation switch looks up its neighbor table by the destination address in the IPv6 header of the Neighbor Advertisement. If a neighbor entry corresponding to that destination address is found, the entry's link-layer address is updated to the link-layer address carried in the Neighbor Advertisement, the entry's state is set to REACHABLE, and the count of INCOMPLETE-state entries in the neighbor table is decremented by 1.
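The neighbor-cache policy of steps 106 and 107 (Fig. 3; restated for aggregation switch 403 in the system description), as an added example that is not the patent's code: a simplified aggregation switch with a threshold on INCOMPLETE entries, a binding table fed by DHCPv6 snooping, and the Neighbor Advertisement handler that completes an entry and decrements the counter. Two points are this example's assumptions rather than statements of the page: an entry is inserted and counted in the binding-table branch (step 1064) as well as in step 1062, since the step 107 handler must find an entry to complete; and a destination that already has an INCOMPLETE entry is reported as pending rather than solicited again. One correction to the page's wording: in RFC 4861 the address being resolved is the Neighbor Advertisement's Target Address (normally also its IPv6 source address), not the IPv6 destination address, which is the soliciting switch's own; the example keys the lookup on the target. The constructed scenario shows that once an attacker's scan has used up the allowance, an address holding a DHCPv6 lease is still solicited while unknown addresses are dropped without a solicitation. The same logic has a deployment consequence worth noting: above the threshold only DHCPv6-leased addresses are ever solicited, so hosts addressed by other means (SLAAC or static configuration) stay unreachable from off-segment until the INCOMPLETE count falls again.

```python
"""Aggregation-switch neighbor-cache policy of steps 106-107 (added example,
not the patent's implementation). Addresses are plain strings for brevity."""
from dataclasses import dataclass, field

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


@dataclass
class NeighborEntry:
    state: str
    lladdr: bytes = b""          # empty until a Neighbor Advertisement arrives


@dataclass
class AggregationSwitch:
    threshold: int                                   # step 101
    binding_table: set = field(default_factory=set)  # ClientIP values from snooping
    neighbors: dict = field(default_factory=dict)    # dst address -> NeighborEntry
    incomplete: int = 0                              # count of INCOMPLETE entries
    sent_ns: list = field(default_factory=list)      # NS targets (for inspection)
    dropped: list = field(default_factory=list)      # destinations dropped unresolved

    def learn_binding(self, client_ip):
        """Step 105: a verified binding message adds the client's IPv6 address."""
        self.binding_table.add(client_ip)

    def forward(self, dst):
        """Step 106. Returns 'forwarded', 'pending', 'ns-sent' or 'dropped'."""
        entry = self.neighbors.get(dst)
        if entry is not None:
            # Assumption: an existing INCOMPLETE entry means resolution is in
            # progress; the page does not say whether a second NS goes out.
            return "forwarded" if entry.state == REACHABLE else "pending"
        if self.incomplete < self.threshold:                  # step 1062
            return self._solicit(dst)
        if dst in self.binding_table:                         # steps 1063-1064
            return self._solicit(dst)
        self.dropped.append(dst)                              # step 1065
        return "dropped"

    def _solicit(self, dst):
        # Assumption: the entry is created and counted in both branches so that
        # the NA handler below has an entry to complete.
        self.neighbors[dst] = NeighborEntry(INCOMPLETE)
        self.incomplete += 1
        self.sent_ns.append(dst)
        return "ns-sent"

    def on_neighbor_advertisement(self, target, lladdr):
        """Step 107: complete the entry for the NA's Target Address."""
        entry = self.neighbors.get(target)
        if entry is None or entry.state != INCOMPLETE:
            return False            # unsolicited or already complete: ignore
        entry.lladdr = lladdr
        entry.state = REACHABLE
        self.incomplete -= 1
        return True


def attack_scenario(threshold=5, probes=20):
    """Constructed scenario: a remote scan of unused addresses, then traffic to
    a host that holds a DHCPv6 lease and to one that does not."""
    sw = AggregationSwitch(threshold)
    sw.learn_binding("2001:db8::10")                      # from a binding message
    for i in range(probes):
        sw.forward(f"2001:db8::dead:{i:x}")               # attacker's scan
    leased = sw.forward("2001:db8::10")                   # still solicited
    unknown = sw.forward("2001:db8::bad")                 # dropped, no NS
    sw.on_neighbor_advertisement("2001:db8::10", bytes.fromhex("001122334455"))
    return sw, leased, unknown


if __name__ == "__main__":
    sw, leased, unknown = attack_scenario()
    print(f"NS sent: {len(sw.sent_ns)}, dropped: {len(sw.dropped)}, "
          f"leased host: {leased}, unknown host: {unknown}")
```

With a threshold of 5 and 20 scan probes, exactly 5 probes consume the allowance, the remaining 15 and the unleased address are dropped without any solicitation, and the leased host is solicited and completed by its advertisement.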
Refer to Fig. 4, a block diagram of the system for preventing neighbor learning attacks provided by an embodiment of the present invention.
In this embodiment the system for preventing neighbor learning attacks comprises an access switch 402 and an aggregation switch 403, where the aggregation switch 403 is a Layer 3 switching device connecting multiple IPv6 segments.
The access switch 402 is connected to the client 401, has a trusted port set, monitors the client 401's DHCPv6 request exchanges by DHCPv6 snooping, creates and stores binding information, and sends the binding information to the aggregation switch 403.
The access switch 402 is configured with the address of the aggregation switch 403 that receives binding information, and installs in its switching chip a rule redirecting DHCPv6 packets to the switch's processor (CPU). When the switching chip receives a DHCPv6 packet it does not forward it in hardware but redirects it to the processor of access switch 402, which parses and forwards it in software.
The monitoring procedure in detail: (1) After the access switch 402 intercepts a DHCPv6 request message from client 401 by DHCPv6 snooping, it looks up the binding table of access switch 402 by the source MAC (media access control) address. If that MAC address is already in the binding table, the DHCPv6 request is forwarded out the trusted port. Otherwise the access switch 402 first creates a temporary REQUEST binding entry recording the MAC address of client 401, the transaction ID of the DHCPv6 request, the port, and the VLAN (virtual local area network) information, and then forwards the DHCPv6 request out the trusted port. (2) After the access switch 402 intercepts the DHCPv6 reply to client 401 by DHCPv6 snooping, it parses the reply's transaction ID and the IPv6 address and valid lifetime assigned in the IA_NA (Identity Association for Non-temporary Addresses) option. It looks up the REQUEST binding table by transaction ID; if a matching transaction ID exists, it creates a binding entry recording the MAC address of client 401 (the DHCPv6 client), its IPv6 address, lease time, VLAN ID and port number.
The access switch 402 places the binding information obtained by snooping in a DHCPv6 snooping binding message, encrypts and hashes the binding message, and then sends the binding information to the aggregation switch 403 at the address configured on access switch 402 for the aggregation switch 403 that receives binding information.
To provide security and tamper resistance, the DHCPv6 snooping binding message can be encrypted and hashed. In the present invention, encryption uses the Data Encryption Standard with a shared key, and hashing uses Message Digest Algorithm 5.
The DES key is configured by the operator, and the access switch 402 must ensure its key matches that of the aggregation switch 403. Before a DHCPv6 snooping binding message is sent it is first encrypted and then hashed, as follows:
The message content from the SwitchIPAddr field to the end is DES-encrypted; the ciphertext has the same length as the plaintext. The ciphertext is placed in the message region starting at the SwitchIPAddr field, the ciphertext length is written into the SecretLen field, and the message is handed to the hashing unit. To compute the MD5 hash of the binding message DES-encrypted by access switch 402, the Signature field is first zeroed, the whole binding message is hashed, and after the hash completes the hash value is written into the Signature field; the DHCPv6 snooping binding message can then be sent by the access switch 402.
The aggregation switch 403 is connected to several access switches 402. A threshold for the allowed number of INCOMPLETE-state neighbor entries is set on it, and it saves the received binding information in a binding information table. When forwarding an IPv6 packet whose destination address has no corresponding link-layer address, it checks whether the number of INCOMPLETE-state entries in its neighbor table has reached the threshold; if not, it sends a Neighbor Solicitation to the neighbor node, inserts a neighbor entry into the neighbor table with its state set to INCOMPLETE, and increments the count of INCOMPLETE-state entries by 1; if so, it looks up the neighbor node's address in the binding information table, sends no Neighbor Solicitation if the address is absent, and sends one if it is present.
On receiving a DHCPv6 binding message, the aggregation switch 403 first performs the hash computation, then decrypts, and finally extracts the binding information, as follows:
For the hash computation it first backs up the value of the Signature field, zeroes the Signature field, and computes the MD5 hash of the whole message. If the hash value equals the backed-up Signature value, the hash check succeeds and the switch proceeds to DES-decrypt the DHCPv6 snooping binding message; if the hash check fails, the message is discarded. For a received message that passed the MD5 check, the aggregation switch 403 DES-decrypts the content that follows the Signature field, with the length given by the SecretLen field, recovering the plaintext binding message content beginning at the SwitchIPAddr field.
After the aggregation switch 403 receives the Neighbor Advertisement corresponding to the Neighbor Solicitation, it looks up its neighbor table by the destination address in the IPv6 header of the Neighbor Advertisement. If a neighbor entry corresponding to that destination address is found, the entry's link-layer address is updated to the link-layer address carried in the Neighbor Advertisement, the entry's state is set to REACHABLE, and the count of INCOMPLETE-state entries in the neighbor table is decremented by 1.
The system for preventing neighbor learning attacks provided by the embodiment of the present invention sets a threshold for the INCOMPLETE-state neighbor entries the aggregation switch 403 allows and, once the number of INCOMPLETE-state entries in the neighbor table reaches that threshold, judges the reachability of a neighbor node from the binding information table obtained by DHCPv6 snooping. This avoids large-scale neighbor learning triggered by malicious packets and effectively solves the neighbor learning attack problem in IPv6 networks.
The above are only preferred embodiments of the present invention and the technical principles applied. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. prevent a method for neighbor learning attack, it is characterized in that, comprise the steps:
A, the threshold value of imperfect (Incomplete) state neighbor entry that convergence switch allows is set;
B, access switch intercept (SNOOPING) to monitor the DHCPv6 request process of client by the IPv6 version (DHCPv6) of DHCP, create and preserve binding information, and this binding information is sent to described convergence switch;
C, convergence switch receive binding information, and are saved in binding information table;
D, convergence switch are when forwarding IPv6 message, if the link layer address that the destination address of this message is corresponding does not exist, whether the quantity then detecting imperfect state neighbor entry in neighbor table reaches described threshold value, if do not reached, then sends neighbor request message to neighbor node; If reached, then inquire about the address of this neighbor node whether in described binding information table, if exist, then send neighbor request message, if do not exist, then do not send neighbor request message;
After E, convergence switch receive the neighbor advertisement message corresponding with described neighbor request message, the quantity of state neighbor entry imperfect in its neighbor table is subtracted 1.
2. The method for preventing neighbor learning attacks according to claim 1, characterized in that step B further comprises:
the access switch issuing to the switch chip a rule that redirects DHCPv6 messages to the switch's processor, so that after the switch chip receives a DHCPv6 message it does not perform hardware forwarding but redirects the message to the access switch processor, which parses and forwards it in software.
3. The method for preventing neighbor learning attacks according to claim 2, characterized in that step B further comprises:
the access switch adding the binding information to a DHCPv6 snooping binding message, encrypting and hashing the binding message, and then sending the binding message to the convergence switch according to the address of the convergence switch that receives binding information, as configured on the access switch.
4. The method for preventing neighbor learning attacks according to claim 3, characterized in that step C specifically comprises:
the convergence switch parsing the binding information carried in the DHCPv6 snooping binding message and saving this binding information in a local binding information table, wherein the binding message refers to the binding messages received from all access switches connected to the convergence switch.
5. The method for preventing neighbor learning attacks according to claim 4, characterized in that, in step D, if the number of incomplete state neighbor entries in the neighbor table has not reached the threshold, a neighbor request message is sent to the neighbor node, a neighbor entry is inserted into the neighbor table with its state set to incomplete, and the number of incomplete state neighbor entries in the neighbor table is incremented by 1.
6. The method for preventing neighbor learning attacks according to claim 5, characterized in that step E specifically further comprises:
the convergence switch querying the neighbor table according to the destination address of the IPv6 header of the neighbor advertisement message; if a neighbor entry corresponding to this destination address is found, updating the link layer address of that neighbor entry to the link layer address carried in the neighbor advertisement message, setting the state of the neighbor entry to reachable (Reachable), and decrementing the number of incomplete state neighbor entries in the neighbor table by 1.
7. A system for preventing neighbor learning attacks, characterized in that it comprises:
an access switch, connected to the client, which monitors the DHCPv6 request process of the client by DHCPv6 snooping, creates and saves binding information, and sends this binding information to a convergence switch;
a convergence switch, connected to the access switch, on which a threshold for the number of allowed incomplete state neighbor entries is set, and which saves the received binding information in a binding information table; and which, when forwarding an IPv6 message, if no link layer address exists for the destination address of the message, checks whether the number of incomplete state neighbor entries in its neighbor table has reached the threshold; if it has not, sends a neighbor request message to the neighbor node, inserts a neighbor entry into the neighbor table with its state set to incomplete, and increments the number of incomplete state neighbor entries in the neighbor table by 1; if it has, queries whether the address of this neighbor node is in the binding information table, and does not send the neighbor request message if it is absent and sends it if it is present.
8. The system for preventing neighbor learning attacks according to claim 7, characterized in that the access switch is further specifically configured to:
issue to the switch chip a rule that redirects DHCPv6 messages to the switch's processor, so that after the switch chip receives a DHCPv6 message it does not perform hardware forwarding but redirects the message to the access switch processor, which parses and forwards it in software; and add the binding information to a DHCPv6 snooping binding message, encrypt and hash the binding message, and then send the binding message to the convergence switch according to the address of the convergence switch that receives binding information, as configured on the access switch.
9. The system for preventing neighbor learning attacks according to claim 8, characterized in that the convergence switch is further configured to:
parse the binding information carried in the DHCPv6 snooping binding message and save this binding information in a local binding information table, wherein the binding message refers to the binding messages received from all access switches connected to the convergence switch.
10. The system for preventing neighbor learning attacks according to claim 9, characterized in that the convergence switch is further specifically configured to:
query the neighbor table according to the destination address of the IPv6 header of the received neighbor advertisement message corresponding to the neighbor request message; if a neighbor entry corresponding to this destination address is found, update the link layer address of that neighbor entry to the link layer address carried in the neighbor advertisement message, set the state of the neighbor entry to reachable, and decrement the number of incomplete state neighbor entries in the neighbor table by 1.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210034007.6A CN102571816B (en) 2012-02-15 2012-02-15 A kind of method and system preventing neighbor learning attack

Publications (2)

Publication Number Publication Date
CN102571816A CN102571816A (en) 2012-07-11
CN102571816B true CN102571816B (en) 2015-09-30

Family

ID=46416290

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210034007.6A Active CN102571816B (en) 2012-02-15 2012-02-15 A kind of method and system preventing neighbor learning attack

Country Status (1)

Country Link
CN (1) CN102571816B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103560960A (en) * 2013-11-04 2014-02-05 神州数码网络(北京)有限公司 Access control list dynamic updating method and Ethernet switch

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101022340A (en) * 2007-03-30 2007-08-22 武汉烽火网络有限责任公司 Intelligent control method for realizing city Ethernet exchanger switch-in security
CN101631130A (en) * 2009-08-27 2010-01-20 杭州华三通信技术有限公司 Route advertising method and device among direct-connecting EBGP neighbors
CN101764734A (en) * 2008-12-25 2010-06-30 中兴通讯股份有限公司 Method for improving neighbor discovery safety in IPv6 (Internet Protocol Version 6) environment and broadband access equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8161549B2 (en) * 2005-11-17 2012-04-17 Patrik Lahti Method for defending against denial-of-service attack on the IPV6 neighbor cache

Also Published As

Publication number Publication date
CN102571816A (en) 2012-07-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza

Patentee after: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd.

Country or region after: China

Address before: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza

Patentee before: DIGITAL CHINA NETWORKS (BEIJING) Ltd.

Country or region before: China

CP03 Change of name, title or address
TR01 Transfer of patent right

Effective date of registration: 20240814

Address after: 100085 No.301, 3rd floor, 9 shangdijiu street, Haidian District, Beijing

Patentee after: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd.

Country or region after: China

Patentee after: Shenzhou Kuntai (Xiamen) Information Technology Co.,Ltd.

Address before: 100085 Beijing Haidian District, No. 9 Shangdi Jiujie Digital Science and Technology Plaza

Patentee before: Beijing Shenzhou Digital Cloud Information Technology Co.,Ltd.

Country or region before: China

TR01 Transfer of patent right