CN103873478A - Method for ensuring security of ARP message - Google Patents

Method for ensuring security of ARP message

Info

Publication number: CN103873478A
Authority: CN (China)
Prior art keywords: arp, message, authentication, mode, switch
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN201410122667.9A
Other languages: Chinese (zh)
Inventors: 刘文勇, 廖俊杰, 车任秋
Current assignee: Shanghai Feixun Data Communication Technology Co Ltd
Original assignee: Shanghai Feixun Data Communication Technology Co Ltd
Priority date: 2014-03-28
Filing date: 2014-03-28
Publication date: 2014-06-18

Abstract

The invention provides a method for ensuring the security of ARP messages. The method comprises the following steps: first, enabling ARP message authentication on a switch and/or router; second, selecting a mode of ARP message authentication; third, configuring the corresponding verification means according to the selected mode of ARP message authentication. With this method the security of ARP messages is greatly improved, and ARP messages cannot be intercepted or forged by an attacker. The method is simple and highly practical.

Description

Method for ensuring the security of ARP messages
Technical field
The present invention relates to a method for strengthening the security of a network environment, and in particular to a method for strengthening the security of ARP messages.
Background technology
ARP is the abbreviation of "Address Resolution Protocol". The ARP protocol resolves IP addresses into the MAC addresses used by LAN hardware. IP packets are usually sent over Ethernet, but Ethernet devices do not recognize 32-bit IP addresses; they transmit Ethernet frames using 48-bit Ethernet addresses. Therefore an IP destination address must be converted into an Ethernet destination address. The ARP protocol resolves the IP address of a host on the network into the target hardware address (MAC address) so that communication can proceed smoothly.
The OSI model divides the work of a network into seven layers, which do not interact with each other directly but only through interfaces (layer interfaces). The IP address belongs to layer 3 and the MAC address to layer 2. When a packet is sent, the layer 3 (IP address) and layer 2 (MAC address) headers must first be encapsulated. If only the IP address of the destination node is known and not its MAC address, and since layer 3 cannot bypass layer 2, the ARP protocol is used.
The ARP protocol does not only accept an ARP reply after it has sent an ARP request. Whenever a computer receives an ARP reply packet, it updates its local ARP cache, storing the IP and MAC address carried in the reply. Therefore, when some machine B in the local area network (LAN) sends A an ARP reply in which it pretends to be C, that is, the IP address in the reply is C's IP but the MAC address is forged, A updates its local ARP cache on receiving the reply: the IP address of C in A's cache is unchanged, but its MAC address is no longer the original one. Because traffic in a local area network is forwarded according to MAC addresses rather than IP addresses, C's real MAC address on A has thus been replaced with a MAC address that does not exist, which blocks the network: A can no longer ping C. This is a simple ARP spoof.
ARP spoofing can cause the target computer's communication with the gateway to fail; more alarmingly, it can redirect communication so that all data passes through the attacker's machine, which is a serious security hazard.
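The cache-update behaviour described above is what an ARP spoof exploits, and it is also what a defender can watch for. The following added example (not part of the patent; hosts, addresses and traffic are constructed) parses raw Ethernet/IPv4 ARP messages and runs a small monitor that, instead of overwriting its table like an ordinary host, alerts when a reply would change a known IP-to-MAC binding or answers a request that was never sent. The B-pretends-to-be-C scenario from the text is replayed against it.

```python
import struct
from collections import namedtuple

# RFC 826 ARP fields for the Ethernet/IPv4 case: htype, ptype, hlen, plen,
# opcode, sender MAC, sender IP, target MAC, target IP (28 bytes in total).
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2

ArpPacket = namedtuple("ArpPacket", "op sender_mac sender_ip target_mac target_ip")


def parse_arp(raw):
    """Parse a raw Ethernet/IPv4 ARP message; raise ValueError on anything else."""
    if len(raw) != struct.calcsize(ARP_FMT):
        raise ValueError("unexpected ARP length %d" % len(raw))
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return ArpPacket(op, sha, spa, tha, tpa)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an ARP message (used here only to construct sample traffic)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       sender_mac, sender_ip, target_mac, target_ip)


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


class ArpMonitor:
    """Watches ARP traffic on behalf of one host.

    A normal host, as the text explains, overwrites its cache with whatever an
    ARP reply says. This monitor instead remembers the first MAC learned for
    each IP and which IPs it actually asked about, and raises an alert (without
    updating the binding) when a reply would change a known binding or answers
    a question that was never asked.
    """

    def __init__(self):
        self.bindings = {}    # sender IP bytes -> MAC bytes first learned
        self.pending = set()  # IPs for which a request was sent and no reply seen yet
        self.alerts = []

    def observe(self, raw):
        pkt = parse_arp(raw)
        if pkt.op == ARP_REQUEST:
            self.pending.add(pkt.target_ip)
            return None
        if pkt.op != ARP_REPLY:
            return None
        known = self.bindings.get(pkt.sender_ip)
        alert = None
        if known is not None and known != pkt.sender_mac:
            alert = ("binding change for %s: %s -> %s"
                     % (ip_str(pkt.sender_ip), mac_str(known), mac_str(pkt.sender_mac)))
        elif known is None and pkt.sender_ip not in self.pending:
            alert = ("unsolicited reply for %s from %s"
                     % (ip_str(pkt.sender_ip), mac_str(pkt.sender_mac)))
        if alert is None:
            self.bindings[pkt.sender_ip] = pkt.sender_mac
        else:
            self.alerts.append(alert)
        self.pending.discard(pkt.sender_ip)
        return alert


def demo():
    """Replay the B-pretends-to-be-C scenario from the text against the monitor.

    All hosts and addresses below are constructed for this example.
    """
    a_mac, a_ip = bytes.fromhex("020000000001"), bytes([192, 168, 1, 1])
    c_mac, c_ip = bytes.fromhex("020000000003"), bytes([192, 168, 1, 3])
    b_mac = bytes.fromhex("0200000000bb")
    monitor = ArpMonitor()
    traffic = [
        build_arp(ARP_REQUEST, a_mac, a_ip, bytes(6), c_ip),  # A asks who has C's IP
        build_arp(ARP_REPLY, c_mac, c_ip, a_mac, a_ip),       # C answers honestly
        build_arp(ARP_REPLY, b_mac, c_ip, a_mac, a_ip),       # B claims C's IP with its own MAC
    ]
    return [monitor.observe(frame) for frame in traffic]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third frame produces a "binding change" alert and leaves the cache pointing at C's real MAC. A monitor like this only detects the attack; it cannot tell which of two conflicting replies is genuine, which is the gap the authentication method described later in the document is meant to close.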
Summary of the invention
The technical problem solved by the present invention is to provide a method for ensuring the security of ARP messages and thereby improve the network environment.
To solve the above technical problem, the present invention designs a method for ensuring the security of ARP messages, which comprises the following steps:
Step 1: enable ARP message authentication on the switch and/or router;
Step 2: select a mode of ARP message authentication;
Step 3: configure the corresponding verification means according to the selected mode of ARP message authentication.
As a further improvement of the present invention, the command that enables ARP message authentication is configured on the command line of the user interface of the switch and/or router.
As a further improvement of the present invention, the command that enables ARP message authentication is switch(config)#arp authentication.
As a further improvement of the present invention, the plain text authentication mode is selected in step 2.
As a further improvement of the present invention, the command for the plain text authentication mode is switch(config)#arp authentication-key mypassword.
As a further improvement of the present invention, the md5 encryption verification mode is selected in step 2.
As a further improvement of the present invention, the command for the md5 encryption verification mode is switch(config)#arp message-digest-key 10 md5 mypassword.
The present invention greatly increases the security of ARP messages: ARP messages cannot be intercepted or forged by an attacker. The method used by the present invention is simple and practical.
Embodiment
In order that those skilled in the art may better understand the technical solution of the present invention, the technical solution is described clearly and completely below in conjunction with embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them.
The present invention provides a method for ensuring the security of ARP messages that can be used on a local area network (LAN) or a wide area network. First, the ARP message authentication switch must be turned on on the gateway devices of the LAN or WAN, that is, ARP message authentication is configured and enabled on the gateway devices. The gateway devices of the present invention are all routers and/or switches in the network environment; however, for compatibility with the ARP messages of PC endpoints, the routers or switches that connect PCs do not use the verification mode for their ARP messages. When encrypted verification of ARP messages is not needed in the network environment, ARP message authentication can be turned off with the command switch(config)#no arp authentication on the command line.
The specific operation for configuring and enabling ARP message authentication is to configure the command that enables ARP message authentication on the command line of the user interface of the switch and router; in the embodiment of the present invention, the command that enables ARP message authentication is switch(config)#arp authentication.
After the ARP message authentication switch has been turned on, a mode of ARP message authentication is selected. The authentication modes of the present invention include, but are not limited to, the plain text authentication mode and the md5 encryption verification mode.
To select the plain text authentication mode, the command is switch(config)#arp authentication-key mypassword. To select the md5 encryption verification mode, the command is switch(config)#arp message-digest-key 10 md5 mypassword.
Then, according to the plain text authentication mode or the md5 encryption verification mode, the corresponding verification means are configured, for example the clear-text password or the secret information used for md5 encryption. After encryption, an encryption header is encapsulated in front of the original ARP message; the encryption header contains the information required for encryption and verification, such as a username and password, a verification code, or the encrypted secret.
The present invention greatly increases the security of ARP messages: ARP messages cannot be intercepted or forged by an attacker. The method used by the present invention is simple and practical.
The above describes only one embodiment of the present invention; it is described rather specifically and in detail, but this should not be interpreted as limiting the scope of the claims of the present invention. It should be pointed out that a person of ordinary skill in the art can make a number of variations and improvements without departing from the inventive concept, and all of these fall within the protection scope of the present invention. Therefore, the protection scope of the present patent shall be determined by the appended claims.
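The page describes the header only in outline (it carries the verification information and sits in front of the original ARP message) and names the two modes, plain text password and md5 keyed digest, without giving a wire format or a digest construction. The following added example (not the patent's or the vendor's code) shows one concrete realisation of both modes end to end: the sender prepends an authentication header, and a receiver that holds the configured key accepts a genuine reply, rejects a forged reply built without the key, rejects a replay, and accepts a plain-text-mode reply. The header layout, the use of HMAC-MD5 as the keyed construction, the per-sender sequence number for replay rejection, and all addresses and keys are assumptions of this example.

```python
import hashlib
import hmac
import struct

# RFC 826 ARP fields for Ethernet/IPv4 (28 bytes); the ARP body is carried
# unchanged behind the authentication header.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REPLY = 2

# Authentication header used by this example. Its layout is an assumption: the
# text only says that a header carrying the verification information is
# encapsulated in front of the original ARP message.
#   mode     (1 byte)  1 = plain text password, 2 = md5 keyed digest
#   key_id   (1 byte)  which configured key was used (cf. "message-digest-key 10")
#   seq      (4 bytes) per-sender counter, added here so replays can be rejected
#   auth_len (1 byte)  length of the authentication data that follows
AUTH_FMT = "!BBIB"
AUTH_PLAINTEXT, AUTH_MD5 = 1, 2


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                       sender_mac, sender_ip, target_mac, target_ip)


def md5_tag(key, seq, arp_msg):
    """Keyed digest over the sequence number and the ARP body.

    HMAC-MD5 is used as the keyed construction (assumption: the text says only
    "md5 encryption verification mode"). Including seq binds the counter to the
    tag, so it cannot be changed without invalidating the digest.
    """
    return hmac.new(key, struct.pack("!I", seq) + arp_msg, hashlib.md5).digest()


def protect(arp_msg, mode, key_id, key, seq):
    """Sender side: prepend the authentication header to an ARP message."""
    if mode == AUTH_PLAINTEXT:
        auth = key                      # the configured password itself, in the clear
    elif mode == AUTH_MD5:
        auth = md5_tag(key, seq, arp_msg)
    else:
        raise ValueError("unknown authentication mode")
    header = struct.pack(AUTH_FMT, mode, key_id, seq, len(auth))
    return header + auth + arp_msg


class Verifier:
    """Receiver side (the switch/router with authentication enabled)."""

    def __init__(self, keys):
        self.keys = keys       # {(mode, key_id): key bytes}
        self.last_seq = {}     # sender MAC -> highest sequence number accepted

    def verify(self, frame):
        """Return (arp_msg, "ok") on success, or (None, reason)."""
        hdr_len = struct.calcsize(AUTH_FMT)
        if len(frame) < hdr_len:
            return None, "truncated header"
        mode, key_id, seq, auth_len = struct.unpack(AUTH_FMT, frame[:hdr_len])
        auth = frame[hdr_len:hdr_len + auth_len]
        arp_msg = frame[hdr_len + auth_len:]
        if len(auth) != auth_len or len(arp_msg) != struct.calcsize(ARP_FMT):
            return None, "bad length"
        key = self.keys.get((mode, key_id))
        if key is None:
            return None, "no key configured for mode/key_id"
        expected = key if mode == AUTH_PLAINTEXT else md5_tag(key, seq, arp_msg)
        # Constant-time comparison so the check itself does not leak the secret.
        if not hmac.compare_digest(auth, expected):
            return None, "authentication failed"
        sender_mac = struct.unpack(ARP_FMT, arp_msg)[5]
        if seq <= self.last_seq.get(sender_mac, -1):
            return None, "replayed or out-of-order sequence"
        self.last_seq[sender_mac] = seq
        return arp_msg, "ok"


def demo():
    """Genuine, forged, replayed and plain-text cases; all addresses are constructed."""
    key = b"mypassword"
    a_mac, a_ip = bytes.fromhex("020000000001"), bytes([10, 0, 0, 1])
    c_mac, c_ip = bytes.fromhex("020000000003"), bytes([10, 0, 0, 3])
    b_mac = bytes.fromhex("0200000000bb")
    md5_router = Verifier({(AUTH_MD5, 10): key})         # arp message-digest-key 10 md5 mypassword
    plain_router = Verifier({(AUTH_PLAINTEXT, 0): key})  # arp authentication-key mypassword

    genuine = protect(build_arp_reply(c_mac, c_ip, a_mac, a_ip), AUTH_MD5, 10, key, seq=1)
    # B impersonates C's IP without knowing the key, so it can only guess one.
    forged = protect(build_arp_reply(b_mac, c_ip, a_mac, a_ip), AUTH_MD5, 10, b"guess", seq=2)
    plain = protect(build_arp_reply(c_mac, c_ip, a_mac, a_ip), AUTH_PLAINTEXT, 0, key, seq=1)
    return [
        md5_router.verify(genuine)[1],   # "ok"
        md5_router.verify(forged)[1],    # "authentication failed"
        md5_router.verify(genuine)[1],   # "replayed or out-of-order sequence"
        plain_router.verify(plain)[1],   # "ok", but the password crossed the wire in the clear
    ]
```

Two caveats follow directly from the code. In plain-text mode the header carries the configured password itself, so any host on the segment that can read the frame learns it; the keyed mode never exposes the key, and the tag also fails if any byte of the ARP body is altered in transit. Neither mode encrypts the ARP body: the header authenticates the message, it does not hide it, which is what the page's "md5 encryption" actually amounts to.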

Claims (7)

1. A method for ensuring the security of ARP messages, characterized in that it comprises the following steps:
Step 1: enable ARP message authentication on the switch and/or router;
Step 2: select a mode of ARP message authentication;
Step 3: configure the corresponding verification means according to the selected mode of ARP message authentication.
2. The method for ensuring the security of ARP messages according to claim 1, characterized in that the command that enables ARP message authentication is configured on the command line of the user interface of the switch and/or router.
3. The method for ensuring the security of ARP messages according to claim 2, characterized in that the command that enables ARP message authentication is switch(config)#arp authentication.
4. The method for ensuring the security of ARP messages according to claim 1, characterized in that the plain text authentication mode is selected in step 2.
5. The method for ensuring the security of ARP messages according to claim 4, characterized in that the command for the plain text authentication mode is switch(config)#arp authentication-key mypassword.
6. The method for ensuring the security of ARP messages according to claim 1, characterized in that the md5 encryption verification mode is selected in step 2.
7. The method for ensuring the security of ARP messages according to claim 6, characterized in that the command for the md5 encryption verification mode is switch(config)#arp message-digest-key 10 md5 mypassword.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201410122667.9A | 2014-03-28 | 2014-03-28 | Method for ensuring security of ARP message

Publications (1)

Publication Number | Publication Date
CN103873478A | 2014-06-18

Family

ID=50911605

Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN100571272C * | 2006-03-30 | 2009-12-16 | 迈普通信技术股份有限公司 | Method for improving LAN communication security
US20100088399A1 * | 2008-10-03 | 2010-04-08 | Yoel Gluck | Enterprise security setup with prequalified and authenticated peer group enabled for secure DHCP and secure ARP/RARP
CN101808097A * | 2010-03-25 | 2010-08-18 | 杭州华三通信技术有限公司 | Method and equipment for preventing ARP attack
CN103152335A * | 2013-02-20 | 2013-06-12 | 神州数码网络(北京)有限公司 | Method and device for preventing ARP (address resolution protocol) spoofing on network equipment
CN101945083B * | 2009-07-08 | 2013-08-07 | 中兴通讯股份有限公司 | Authentication method and counterfeit judgment method for virtual router redundancy protocol

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140618
