CN106302456A - Session keeping method and device - Google Patents
Session keeping method and device
- Publication number: CN106302456A
- Application number: CN201610673308.1A
- Authority: CN (China)
- Prior art keywords: equipment, safety equipment, service end, service, session
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication > H04L65/1066—Session management > H04L65/1083—In-session procedures
  - H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441—Countermeasures against malicious traffic
  - H04L67/00—Network arrangements or protocols for supporting network services or applications > H04L67/14—Session management > H04L67/143—Termination or inactivation of sessions, e.g. event-controlled end of session > H04L67/145—Termination or inactivation of sessions avoiding end of session, e.g. keep-alive, heartbeats, resumption message or wake-up for inactive or interrupted session
Abstract
The present invention relates to a session keeping method and device. The method includes: after a security device is switched to become the serving device, receiving a sync message sent by the previously selected serving device, where the sync message carries the session information exchanged between the previously selected serving device and the upstream server and downstream client; and keeping the sessions with the upstream server and the downstream client based on the session information carried in the sync message. By applying the present invention, the link can be switched dynamically without affecting upper-layer services, so that link-oriented attacks such as penetration attacks cannot be sustained, which effectively solves the problem of the poor protective capability of the related art against link-oriented attacks.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a session keeping method and device.
Background technology
With the development of IP technology, IP-based attacks are also becoming increasingly rampant. To protect against IP-based attacks, the related art proposes solutions that work on two dimensions, the inspection depth and the inspection frequency of messages: a proxy, or the addition of a bastion host. Although a proxy or a bastion host can filter out part of the attack content by inspecting the data sent to the target IP, its ability to identify and block attacks that appear "normal", such as penetration attacks, is poor. Therefore, when a malicious user carries out a penetration attack against a target IP through the link connected to that target IP, the related art cannot provide effective protection.
Summary of the invention
To overcome the problems in the related art, the present invention provides a session keeping method and device.
The present invention provides a session keeping method, applied to any security device in a network security system that includes several security devices, an upstream server and a downstream client. The security devices among the several security devices are switched to become the serving device at random based on a preset cycle, and the sessions with the upstream server and the downstream client are kept unchanged during the switching; the several security devices are all preconfigured with the same downstream IP address as the upstream server, and are all configured with the same upstream IP address corresponding to the upstream server. The method includes:
after the security device is switched to become the serving device, receiving a sync message sent by the previously selected serving device, where the sync message carries the session information exchanged between the previously selected serving device and the upstream server and downstream client;
keeping the sessions with the upstream server and the downstream client based on the session information carried in the sync message.
As an improvement, the method further includes:
when the security device is switched to become the serving device, generating an ARP message based on the MAC address of the security device and the upstream IP address;
sending the ARP message to the upstream server, so that the upstream server updates its MAC table entry based on the received ARP message.
As an improvement, the method further includes:
when the security device is switched to become the serving device, generating an ARP message based on the MAC address of the security device and the downstream IP address;
sending the ARP message to the downstream client, so that the downstream client updates its MAC table entry based on the received ARP message.
As an improvement, the several security devices include different operating systems.
As an improvement, the session information is synchronized between the security device switched to become the serving device and the previously selected serving device by means of a layer-2 Ethernet message.
The present invention also provides a session keeping device, applied to any security device in a network security system that includes several security devices, an upstream server and a downstream client, where the security devices among the several security devices are switched to become the serving device at random based on a preset cycle, and the sessions with the upstream server and the downstream client are kept unchanged during the switching; the several security devices are all preconfigured with the same downstream IP address as the upstream server, and are all configured with the same upstream IP address corresponding to the upstream server. The device includes:
a sync message receiving module, configured to receive, after the security device is switched to become the serving device, a sync message sent by the previously selected serving device, where the sync message carries the session information exchanged between the previously selected serving device and the upstream server and downstream client;
a session keeping module, configured to keep the sessions with the upstream server and the downstream client based on the session information carried in the sync message.
As an improvement, the device further includes:
a first generating module, configured to generate, when the security device is switched to become the serving device, an ARP message based on the MAC address of the security device and the upstream IP address;
a first sending module, configured to send the ARP message to the upstream server, so that the upstream server updates its MAC table entry based on the received ARP message.
As an improvement, the device further includes:
a second generating module, configured to generate, when the security device is switched to become the serving device, an ARP message based on the MAC address of the security device and the downstream IP address;
a second sending module, configured to send the ARP message to the downstream client, so that the downstream client updates its MAC table entry based on the received ARP message.
As an improvement, the several security devices include different operating systems.
As an improvement, the session information is synchronized between the security device switched to become the serving device and the previously selected serving device by means of a layer-2 Ethernet message.
In the present invention, when a security device in the network security system is switched to become the serving device, it can receive a sync message sent by the previously selected serving device, where this sync message can carry the session information exchanged between the previously selected serving device and the upstream server and downstream client; the security device switched to become the serving device can then keep the sessions with the upstream server and the downstream client based on the session information carried in the sync message.
By applying the present invention, the link can be switched dynamically without affecting upper-layer services, so that link-oriented attacks such as penetration attacks cannot be sustained, which effectively solves the problem of the poor protective capability of the related art against link-oriented attacks.
Brief description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present invention and, together with the description, serve to explain the principles of the present invention.
Fig. 1 is a networking diagram of a network security system shown by way of example;
Fig. 2 is a flowchart of a session keeping method shown in an embodiment of the present invention;
Fig. 3 is a diagram of part of the socket information of a TCP connection shown by way of example;
Fig. 4 is a diagram of the session label information of a SIP session shown by way of example;
Fig. 5 is a hardware block diagram of a session keeping device in an embodiment of the present invention;
Fig. 6 is a block diagram of a session keeping device according to an exemplary embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments will be described in detail here, examples of which are shown in the accompanying drawings. When the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of apparatus and methods consistent with some aspects of the present invention as detailed in the appended claims.
Refer to Fig. 1, which is a networking diagram of a network security system shown by way of example.
The network security system shown in Fig. 1 includes a client, a switch, a server, and several security devices arranged between the server and the switch.
Data can be exchanged between the client and the server. To prevent the client from sending illegal, attacking, unauthorized or other hostile content that may damage the server, the network security system adds security devices that perform security inspection of the data the client sends to the server.
After the security devices have confirmed the data sent by the client to the server to be normal data, the client can establish a link with the server based on the data it sends to the server. This link can be kept up until either the client or the server closes it. While the link is kept up, a malicious user can carry out a penetration attack through it and thereby attack the server.
The related art protects the server by means of a proxy or a bastion host. However, since the proxy or bastion host approach works only on the inspection depth and inspection frequency of messages, the related art is essentially unable to detect penetration attacks and cannot effectively protect against them. Therefore, the protective capability of the related art when protecting against link-oriented penetration attacks is poor.
In view of this, the present invention provides a session keeping method and device to solve the problem of the poor protective capability of the related art against link-oriented attacks. In the present invention, when a security device in the network security system is switched to become the serving device, it can receive a sync message sent by the previously selected serving device, where this sync message can carry the session information exchanged between the previously selected serving device and the upstream server and downstream client; the security device switched to become the serving device can then keep the sessions with the upstream server and the downstream client based on the session information carried in the sync message.
By applying the present invention, the link can be switched dynamically without affecting upper-layer services, so that link-oriented attacks such as penetration attacks cannot be sustained, which effectively solves the problem of the poor protective capability of the related art against link-oriented attacks.
Referring to Fig. 2, which is a flowchart of a session keeping method shown in an embodiment of the present invention, the embodiment is applied to any security device in a network security system that includes several security devices, and comprises the following steps:
Step 201: after the security device is switched to become the serving device, receiving a sync message sent by the previously selected serving device, where the sync message carries the session information exchanged between the previously selected serving device and the upstream server and downstream client.
In the present invention, the network security system can include several security devices, an upstream server and a downstream client. There can be one or more downstream clients, which the present invention does not limit.
Of course, the network security system can also include a switch, in which case the several security devices can all be arranged between the upstream server and the switch.
It should be noted that the several security devices can include different operating systems; for example, some of them can run Windows and others Linux, which the present invention does not limit.
In the present invention, the several security devices can all be preconfigured with the same downstream IP address as the upstream server, and all preconfigured with the same upstream IP address corresponding to the upstream server.
In the illustrated embodiment, assume that the IP address of the upstream server is 192.168.1.1; then the downstream IP address of each of the several security devices can be configured as 192.168.1.1. When the client sends data to the upstream server at IP address 192.168.1.1, the several security devices can receive this data and, after performing security inspection on it, forward it to the upstream server.
When exchanging data with the upstream server, the several security devices can all be configured with the same upstream IP address corresponding to the upstream server. The several security devices can then exchange data with the upstream server based on this shared upstream IP address, for example sending the data that has passed security inspection to the upstream server.
After the same upstream IP address and downstream IP address have been preconfigured, the security devices among the several security devices can be switched to become the serving device at random based on a preset cycle, with the sessions with the upstream server and the downstream client kept unchanged during the switching. The preset cycle can be a system default value or can be set by the user according to the actual situation; for example, it can be 3 minutes.
In the illustrated embodiment, the security devices among the several security devices can be switched to become the serving device at random by an algorithm that combines a random algorithm with a timestamp, where the random algorithm can be a hash algorithm, which the present invention does not limit.
It should be noted that in any one switching, exactly one of the several security devices is switched to become the serving device.
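As an added example (not part of the patent and not the applicant's code), the following Python shows one way a group of security devices can agree, from a timestamp and a keyed hash alone, on the single device that is switched in for the current 3-minute cycle. The keyed construction, the group secret, and every device MAC address other than 00-23-5A-15-99-42 are assumptions.

```python
import hashlib
import hmac

# Added example, not from the patent: every security device evaluates the same
# function over the same membership list and the same cycle number, so all of
# them reach the same answer without exchanging election messages, and exactly
# one device is switched in per cycle. The patent only says the choice is made
# at random by combining a random (e.g. hash) algorithm with a timestamp; the
# keyed-hash construction and the shared group secret below are assumptions.

CYCLE_SECONDS = 180   # the 3-minute preset cycle given in the description

# Constructed membership list: the three security devices of Fig. 1.
# Only 00-23-5A-15-99-42 appears in the patent; the other two are made up.
DEVICES = ["00-23-5A-15-99-01", "00-23-5A-15-99-02", "00-23-5A-15-99-42"]


def cycle_index(timestamp: float, cycle_seconds: int = CYCLE_SECONDS) -> int:
    """Number of the switching cycle that a Unix timestamp falls into."""
    return int(timestamp) // cycle_seconds


def choose_serving_device(device_macs, timestamp: float, group_secret: bytes,
                          cycle_seconds: int = CYCLE_SECONDS) -> str:
    """MAC address of the device that serves during the cycle containing `timestamp`.

    Keying the hash with a group secret keeps the sequence of serving devices
    unpredictable to anyone outside the group, while every member can still
    derive it locally.
    """
    members = sorted(m.upper() for m in device_macs)
    if not members:
        raise ValueError("no security devices configured")
    index_bytes = cycle_index(timestamp, cycle_seconds).to_bytes(8, "big")
    digest = hmac.new(group_secret, index_bytes, hashlib.sha256).digest()
    return members[int.from_bytes(digest[:8], "big") % len(members)]


def serving_schedule(device_macs, start: float, cycles: int, group_secret: bytes,
                     cycle_seconds: int = CYCLE_SECONDS) -> list:
    """Serving device for each of `cycles` consecutive cycles starting at `start`."""
    return [choose_serving_device(device_macs, start + i * cycle_seconds,
                                  group_secret, cycle_seconds)
            for i in range(cycles)]


def is_serving(own_mac: str, device_macs, timestamp: float, group_secret: bytes) -> bool:
    """What one device checks at the start of each cycle before announcing itself."""
    return own_mac.upper() == choose_serving_device(device_macs, timestamp, group_secret)


if __name__ == "__main__":
    secret = b"constructed-group-secret"
    for cycle, mac in enumerate(serving_schedule(DEVICES, 0, 5, secret)):
        print(f"cycle {cycle}: serving device {mac}")
```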
In the present invention, when a security device among the several security devices is switched to become the serving device, it can generate a first ARP (Address Resolution Protocol) message based on its MAC address and the upstream IP address, and then send the first ARP message to the upstream server, so that the upstream server updates its local MAC table entry based on the received ARP message.
In the illustrated embodiment, assume that the MAC address of the security device switched to become the serving device is 00-23-5A-15-99-42 and its upstream IP address is 22.22.22.22, and that the MAC address of the upstream server is 05-31-13-25-19-36 and its IP address is 33.33.33.33; then the first ARP message that the security device sends to the upstream server can be as shown in Table 1:
Source MAC address | Source IP address | Destination MAC address | Destination IP address |
00-23-5A-15-99-42 | 22.22.22.22 | 05-31-13-25-19-36 | 33.33.33.33 |
Table 1
It should be noted that Table 1 shows only part of the information of the first ARP message; besides the information shown in Table 1, the first ARP message can also include the message header and so on, which the present invention does not limit.
After receiving the first ARP message sent by the security device, the upstream server can update its local MAC table entry according to the first ARP message.
Similarly, in the present invention, when a security device among the several security devices is switched to become the serving device, it can generate a second ARP message based on its MAC address and the downstream IP address, and then send the second ARP message to the downstream client, so that the downstream client updates its local MAC table entry based on the received ARP message.
In the illustrated embodiment, assume that the MAC address of the security device switched to become the serving device is 00-23-5A-15-99-42 and its downstream IP address is 192.168.1.1, and that the MAC address of the downstream client is 05-22-14-52-12-11 and its IP address is 192.137.3.1; then the second ARP message that the security device sends to the downstream client can be as shown in Table 2:
Source MAC address | Source IP address | Destination MAC address | Destination IP address |
00-23-5A-15-99-42 | 192.168.1.1 | 05-22-14-52-12-11 | 192.137.3.1 |
Table 2
It should also be noted that Table 2 shows only part of the information of the second ARP message; besides the information shown in Table 2, the second ARP message can also include the message header and so on, which the present invention does not limit.
Of course, when the network security system includes a switch and a gateway device, the security device can, upon being switched to become the serving device, send the second ARP message to the switch and the gateway device as well.
On receiving the second ARP message sent by the security device, the downstream client, the switch, the gateway device and so on can update their local MAC table entries according to the second ARP message.
In the present invention, when the security device switched to become the serving device sends the ARP messages, the other security devices among the several security devices also receive the ARP messages, and determine from the received ARP message which security device has been switched to become the serving device.
Continuing with Fig. 1, in the illustrated embodiment assume that, of the 3 security devices shown in Fig. 1, security device 3 is switched to become the serving device. Security device 3 then sends the ARP messages, and security devices 1 and 2, after receiving the ARP message, can determine from its source MAC address that security device 3 has been switched to become the serving device.
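The first and second ARP messages of Tables 1 and 2, built and decoded as complete Ethernet frames, together with the check a non-serving security device can apply before learning the new serving device from the source MAC. This is an added example in Python, not code from the patent; the use of the ARP reply opcode and the check that the announced IP is one of the group's shared addresses are assumptions.

```python
import struct
from ipaddress import IPv4Address

# Added example, not from the patent. The patent fixes only the four addresses
# shown in Tables 1 and 2; the ARP reply opcode and the sender-IP check below
# are assumptions.

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"                  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
FRAME_LEN = 14 + struct.calcsize(ARP_FMT)   # Ethernet header + ARP body = 42 bytes


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def build_arp_message(sender_mac, sender_ip, target_mac, target_ip, op=ARP_REPLY) -> bytes:
    """Unicast Ethernet frame carrying an ARP message that binds sender_ip to sender_mac."""
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return ethernet + arp


def parse_arp_message(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into the fields shown in Tables 1 and 2."""
    if len(frame) < FRAME_LEN:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:FRAME_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "op": op,
        "source_mac": mac_str(sha), "source_ip": str(IPv4Address(spa)),
        "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa)),
    }


def serving_device_from_arp(frame: bytes, shared_ips) -> str:
    """What the other security devices do with the announcement: learn from the
    source MAC which device was switched in, but only when the announced IP is
    one of the group's shared upstream/downstream addresses (assumed check);
    any other ARP message yields "" and is not used to update state."""
    info = parse_arp_message(frame)
    if info["source_ip"] not in shared_ips:
        return ""
    return info["source_mac"]


# Values from Table 1 (first ARP message, to the upstream server) and
# Table 2 (second ARP message, to the downstream client).
FIRST_ARP = build_arp_message("00-23-5A-15-99-42", "22.22.22.22", "05-31-13-25-19-36", "33.33.33.33")
SECOND_ARP = build_arp_message("00-23-5A-15-99-42", "192.168.1.1", "05-22-14-52-12-11", "192.137.3.1")
SHARED_IPS = {"22.22.22.22", "192.168.1.1"}   # the group's shared upstream and downstream IPs

if __name__ == "__main__":
    for frame in (FIRST_ARP, SECOND_ARP):
        print(parse_arp_message(frame), "->", serving_device_from_arp(frame, SHARED_IPS))
```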
In the present invention, after a security device among the several security devices is switched to become the serving device, it can receive a sync message sent by the previously selected serving device, where this sync message can carry the session information exchanged between the previously selected serving device and the upstream server and downstream client.
Continuing with Fig. 1, in the illustrated embodiment assume that, of the 3 security devices shown in Fig. 1, security device 3 is switched to become the serving device and security device 1 is the previously selected serving device. After receiving the ARP message sent by security device 3, security device 1 can determine that security device 3 has been switched to become the serving device. Security device 1 can then send a sync message to security device 3, where this sync message can carry the session information exchanged between security device 1 and the upstream server and downstream client.
In the present invention, the session information carried by the sync message can include the socket information of the TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) connections that the previously selected serving device has established with the upstream server and the downstream client, and the session label information of the session connections established over those TCP or UDP connections.
In the illustrated embodiment, assume that the previously selected serving device has established session connections with the upstream server and the downstream client based on SIP (Session Initiation Protocol). The previously selected serving device can then extract the session label information of this session connection, namely the CALL-ID, and synchronize this session label information to the security device switched to become the serving device by means of the sync message.
When the transport protocol carrying this SIP session is TCP, the previously selected serving device, while synchronizing the session label information to the security device switched to become the serving device, can also synchronize the socket information of the TCP connection to that device. When synchronizing the socket information of the TCP connection, the previously selected serving device can synchronize both the five-tuple of the TCP connection and its sequence number and acknowledgement number to the security device switched to become the serving device.
When the transport protocol carrying this SIP session is UDP, the previously selected serving device, while synchronizing the session label information to the security device switched to become the serving device, can also synchronize the socket information of the UDP connection to that device. When synchronizing the socket information of the UDP connection, the previously selected serving device can synchronize the source port number and destination port number of the UDP connection to the security device switched to become the serving device.
It should be noted that, because the IP addresses of the several security devices are identical, the security device switched to become the serving device and the previously selected serving device can synchronize the session information by means of a layer-2 Ethernet message; that is, the sync message can be a layer-2 Ethernet message.
Taking the case where the transport protocol carrying the SIP session is TCP as an example, the process by which the previously selected serving device synchronizes the session information exchanged with the upstream server or the downstream client to the security device switched to become the serving device is described in detail below:
Refer to Fig. 3, which is a diagram of part of the socket information of a TCP connection shown by way of example. This TCP connection can be the TCP connection established between the previously selected serving device and the upstream server, or the TCP connection established between the previously selected serving device and the downstream client. The previously selected serving device can extract the five-tuple, sequence number and acknowledgement number of this TCP connection from the socket information diagram shown in Fig. 3, and build from the extracted information the connection table to be sent, as shown in Table 3:
Source IP address | Destination IP address | Source port number | Destination port number | Sequence number | Acknowledgement sequence number |
202.100.10.168 | 10.220.4.45 | 54098 | 49159 | 1363601166 | 3405140802 |
Table 3
Refer to Fig. 4, which is a diagram of the session label information of a SIP session shown by way of example. This SIP session can be the SIP session established between the previously selected serving device and the upstream server, or the SIP session established between the previously selected serving device and the downstream client. The previously selected serving device can extract the session label information of this session connection (namely the CALL-ID shown in Fig. 4) from the session label information diagram shown in Fig. 4, and build from the extracted information the session identification table to be sent, as shown in Table 4:
CALL-ID | 424efb833e4efb833e4efb83ef4efb834@202.100.10.168 |
Table 4
The previously selected serving device can then generate the sync message according to the contents of Table 3 and Table 4. Because the IP address of the previously selected serving device is identical to that of the security device switched to become the serving device, the previously selected serving device cannot send an IP message to that security device. However, since the previously selected serving device can successfully send a layer-2 Ethernet message to the security device switched to become the serving device, it can exchange data with that security device by generating a layer-2 Ethernet message.
In an assumed example, the message information of the layer-2 Ethernet sync message generated by the previously selected serving device can be as shown in Table 5:
Table 5
The first row in Table 5 can be the MAC address of the security device switched to become the serving device; the second row can be the MAC address of the previously selected serving device; the third row can be a self-defined type value, which the present invention does not limit; and the fourth row can be the session information that the previously selected serving device needs to synchronize to the security device switched to become the serving device, where the fourth row can include the session label information to be sent, namely the CALL-ID, and the connection information to be sent, namely the five-tuple, sequence number and acknowledgement number of the TCP connection.
After generating the layer-2 Ethernet sync message whose message information is as shown in Table 5, the previously selected serving device can send this layer-2 Ethernet sync message to the security device switched to become the serving device.
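One concrete layout for that layer-2 sync message, carrying the connection table of Table 3 and the CALL-ID of Table 4, together with the checks the switched-in device applies before trusting it. This is an added Python example, not the patent's own frame format; the EtherType used as the type value, the field layout, the keyed integrity tag, the sync key, and the MAC address of the previously selected device are assumptions.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Added example, not the patent's own format. The patent fixes only the four
# parts of the frame (destination MAC, source MAC, a self-defined type value,
# session information); everything below that is an assumption, including the
# keyed tag, which is added so that a switched-in device only installs session
# state that really came from a member of the group.

SYNC_ETHERTYPE = 0x88B5        # IEEE local-experimental EtherType, used as the self-defined type value
SESSION_FMT = "!4s4sHHBII"     # src IP, dst IP, src port, dst port, protocol, seq, ack
SESSION_LEN = struct.calcsize(SESSION_FMT)   # 21 bytes
IPPROTO_TCP = 6
TAG_LEN = 16


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def encode_session(five_tuple, seq: int, ack: int, call_id: str) -> bytes:
    """Session information: connection table (Table 3), then a length-prefixed CALL-ID (Table 4)."""
    src_ip, dst_ip, src_port, dst_port, proto = five_tuple
    cid = call_id.encode("ascii")
    return (struct.pack(SESSION_FMT, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed,
                        src_port, dst_port, proto, seq, ack)
            + struct.pack("!H", len(cid)) + cid)


def build_sync_frame(new_serving_mac: str, prev_serving_mac: str, session: bytes, key: bytes) -> bytes:
    """Destination = switched-in device, source = previously selected device,
    then the type value, the session information and a keyed tag over it."""
    header = mac_bytes(new_serving_mac) + mac_bytes(prev_serving_mac) + struct.pack("!H", SYNC_ETHERTYPE)
    tag = hmac.new(key, session, hashlib.sha256).digest()[:TAG_LEN]
    return header + session + tag


def parse_sync_frame(frame: bytes, own_mac: str, key: bytes) -> dict:
    """What the switched-in device does on receipt: check addressing, type and
    tag, then recover the connection table and CALL-ID used to keep the session."""
    if len(frame) < 14 + SESSION_LEN + 2 + TAG_LEN:
        raise ValueError("sync frame too short")
    if frame[:6] != mac_bytes(own_mac):
        raise ValueError("sync frame not addressed to this device")
    if struct.unpack("!H", frame[12:14])[0] != SYNC_ETHERTYPE:
        raise ValueError("unexpected type value")
    session, tag = frame[14:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, session, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed, sync frame ignored")
    src_ip, dst_ip, sport, dport, proto, seq, ack = struct.unpack(SESSION_FMT, session[:SESSION_LEN])
    (cid_len,) = struct.unpack("!H", session[SESSION_LEN:SESSION_LEN + 2])
    cid = session[SESSION_LEN + 2:SESSION_LEN + 2 + cid_len]
    if len(cid) != cid_len:
        raise ValueError("truncated CALL-ID")
    return {
        "src_ip": str(IPv4Address(src_ip)), "dst_ip": str(IPv4Address(dst_ip)),
        "src_port": sport, "dst_port": dport, "protocol": proto,
        "seq": seq, "ack": ack, "call_id": cid.decode("ascii"),
        "prev_serving_mac": "-".join(f"{b:02X}" for b in frame[6:12]),
    }


def sync_frame_accepted(frame: bytes, own_mac: str, key: bytes) -> bool:
    """True only if the switched-in device would install the carried session state."""
    try:
        parse_sync_frame(frame, own_mac, key)
        return True
    except ValueError:
        return False


# Values from Table 3 and Table 4; the key and the previously selected device's MAC are constructed.
TABLE3_FIVE_TUPLE = ("202.100.10.168", "10.220.4.45", 54098, 49159, IPPROTO_TCP)
TABLE3_SEQ, TABLE3_ACK = 1363601166, 3405140802
TABLE4_CALL_ID = "424efb833e4efb833e4efb83ef4efb834@202.100.10.168"
SYNC_KEY = b"constructed-shared-sync-key"
NEW_SERVING_MAC, PREV_SERVING_MAC = "00-23-5A-15-99-42", "00-23-5A-15-99-01"


def demo() -> dict:
    """Security device 1 syncs its Table 3/4 state to security device 3, which decodes it."""
    session = encode_session(TABLE3_FIVE_TUPLE, TABLE3_SEQ, TABLE3_ACK, TABLE4_CALL_ID)
    frame = build_sync_frame(NEW_SERVING_MAC, PREV_SERVING_MAC, session, SYNC_KEY)
    return parse_sync_frame(frame, NEW_SERVING_MAC, SYNC_KEY)


if __name__ == "__main__":
    print(demo())
```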
Step 202: keeping the sessions with the upstream server and the downstream client based on the session information carried in the sync message.
After receiving the sync message sent by the previously selected serving device, the security device switched to become the serving device can keep the sessions with the upstream server and the downstream client based on the session information carried in the sync message.
Specifically, after receiving the sync message, the security device switched to become the serving device can obtain the synchronization information from the sync message and keep the sessions with the upstream server and the downstream client according to this synchronization information.
As can be seen from the above embodiment, in the present invention, when a security device in the network security system is switched to become the serving device, it can receive a sync message sent by the previously selected serving device, where this sync message can carry the session information exchanged between the previously selected serving device and the upstream server and downstream client; the security device switched to become the serving device can then keep the sessions with the upstream server and the downstream client based on the session information carried in the sync message.
By applying the present invention, the link can be switched dynamically without affecting upper-layer services, so that link-oriented attacks such as penetration attacks cannot be sustained, which effectively solves the problem of the poor protective capability of the related art against link-oriented attacks.
Based on the same inventive concept as the method above, the embodiment of the present invention further provides an embodiment of a session keeping device.
The session keeping device of the present invention can be applied to any security device in a network security system that includes several security devices. The session keeping device can be implemented in software, or in hardware, or in a combination of software and hardware. Taking a software implementation as an example, the device in a logical sense is formed by the processor of the security device on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 5 is a hardware block diagram of the session keeping device in the embodiment of the present invention; besides the processor, network interface, memory and non-volatile memory shown in Fig. 5, the device can also include other hardware, such as a camera, a forwarding chip responsible for processing messages, and so on.
Fig. 6 is a block diagram of a session keeping apparatus according to an exemplary embodiment of the present invention. The apparatus includes a sync message receiving module 610 and a session keeping module 620.
The sync message receiving module 610 is used to receive, after the security device has been switched to be the service device, the sync message sent by the previously chosen service device; the sync message carries the session information exchanged between the previously chosen service device and the upstream server and downstream client.
The session keeping module 620 is used to keep the session with the upstream server and the downstream client based on the session information carried in the sync message.
In an optional implementation, the apparatus may further include (not shown in Fig. 6):
a first generating module, for generating an ARP message based on the MAC address of the security device and the upstream IP address when the security device is switched to be the service device;
a first sending module, for sending the ARP message to the upstream server, so that the upstream server updates its MAC address entry based on the received ARP message.
In an optional implementation, the apparatus may further include (not shown in Fig. 6):
a second generating module, for generating an ARP message based on the MAC address of the security device and the downstream IP address when the security device is switched to be the service device;
a second sending module, for sending the ARP message to the downstream client, so that the downstream client updates its MAC address entry based on the received ARP message.
In an optional implementation, the several security devices run different operating systems.
In an optional implementation, the security device that has been switched to be the service device and the previously chosen service device synchronize the session information through Layer-2 Ethernet frames.
In the present invention, when a security device in the network equipment is switched to be the service device, it can receive the sync message sent by the previously chosen service device. This sync message can carry the session information exchanged between the previously chosen service device and the upstream server and downstream client. The security device that has been switched to be the service device can then keep the session with the upstream server and the downstream client based on the session information carried in the sync message.
By applying the present invention, the link can be switched dynamically without affecting the upper-layer service, so that link-targeted attacks such as penetration attacks cannot be carried out persistently. This effectively solves the problem in the related art of weak protective capability when defending against attacks aimed at the link.
Other embodiments of the present invention will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the present invention that follow its general principles and include common knowledge or conventional technical means in the art not disclosed by the present invention. The specification and embodiments are to be regarded as exemplary only, with the true scope and spirit of the invention being indicated by the following claims.
It should be understood that the present invention is not limited to the precise structure described above and illustrated in the accompanying drawings, and that various modifications and changes can be made without departing from its scope. The scope of the present invention is limited only by the appended claims.
The foregoing is merely the preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (10)
1. A session keeping method, applied to any security device in a network security system that includes several security devices, an upstream server and a downstream client, wherein the security devices among the several security devices are randomly switched to be the service device based on a preset cycle, and the session between the upstream server and the downstream client is kept unchanged during the switching; characterized in that the several security devices are all pre-configured with the same downstream IP address as the upstream server, and are all configured with the same upstream IP address corresponding to the upstream server; the method includes:
after the security device is switched to be the service device, receiving the sync message sent by the previously chosen service device; wherein the sync message carries the session information exchanged between the previously chosen service device and the upstream server and downstream client;
keeping the session with the upstream server and the downstream client based on the session information carried in the sync message.
2. The method according to claim 1, characterized in that the method further includes:
when the security device is switched to be the service device, generating an ARP message based on the MAC address of the security device and the upstream IP address;
sending the ARP message to the upstream server, so that the upstream server updates its MAC address entry based on the received ARP message.
3. The method according to claim 1, characterized in that the method further includes:
when the security device is switched to be the service device, generating an ARP message based on the MAC address of the security device and the downstream IP address;
sending the ARP message to the downstream client, so that the downstream client updates its MAC address entry based on the received ARP message.
4. The method according to claim 1, characterized in that the several security devices run different operating systems.
5. The method according to claim 1, characterized in that the security device switched to be the service device and the previously chosen service device synchronize the session information through Layer-2 Ethernet frames.
6. A session keeping apparatus, applied to any security device in a network security system that includes several security devices, an upstream server and a downstream client, wherein the security devices among the several security devices are randomly switched to be the service device based on a preset cycle, and the session between the upstream server and the downstream client is kept unchanged during the switching; characterized in that the several security devices are all pre-configured with the same downstream IP address as the upstream server, and are all configured with the same upstream IP address corresponding to the upstream server; the apparatus includes:
a sync message receiving module, for receiving, after the security device is switched to be the service device, the sync message sent by the previously chosen service device; wherein the sync message carries the session information exchanged between the previously chosen service device and the upstream server and downstream client;
a session keeping module, for keeping the session with the upstream server and the downstream client based on the session information carried in the sync message.
7. The apparatus according to claim 6, characterized in that the apparatus further includes:
a first generating module, for generating an ARP message based on the MAC address of the security device and the upstream IP address when the security device is switched to be the service device;
a first sending module, for sending the ARP message to the upstream server, so that the upstream server updates its MAC address entry based on the received ARP message.
8. The apparatus according to claim 6, characterized in that the apparatus further includes:
a second generating module, for generating an ARP message based on the MAC address of the security device and the downstream IP address when the security device is switched to be the service device;
a second sending module, for sending the ARP message to the downstream client, so that the downstream client updates its MAC address entry based on the received ARP message.
9. The apparatus according to claim 6, characterized in that the several security devices run different operating systems.
10. The apparatus according to claim 6, characterized in that the security device switched to be the service device and the previously chosen service device synchronize the session information through Layer-2 Ethernet frames.
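The switching cycle described by the apparatus modules above (sync message receiving and session keeping modules, the two ARP generating and sending module pairs, Layer-2 sync) and by claims 1 to 5 can be modelled end to end. The following Python simulation is an added example; it is not code from the patent or from any product implementing it. It assumes a JSON session table carried in a Layer-2 frame with the local-experimental EtherType 0x88B5 as the sync message format, a gratuitous ARP reply as the "ARP message", one upstream IP and one downstream IP shared by all devices (as claim 1 states), and constructed MAC and IP addresses. It shows that after each random switch the new service device holds the same session table and both peers' ARP caches resolve the shared IPs to the new device's MAC, which is what keeps the upper-layer session intact while the link moves.

```python
"""Simulation of random service-device switching with session sync and ARP
re-announcement (added example; constructed addresses, assumed frame formats)."""
import json
import random
import struct
from dataclasses import dataclass, field

# Constructed addresses. All security devices are pre-configured with the SAME
# upstream IP and the SAME downstream IP, so only the MAC behind each IP changes
# when the service device is switched.
UP_IP = "10.0.0.1"      # address the upstream server talks to
DOWN_IP = "10.0.1.1"    # address the downstream client talks to
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_ARP = 0x0806
ETH_SYNC = 0x88B5       # IEEE local-experimental EtherType; assumed for the sync frame


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def eth_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def build_gratuitous_arp(sender_mac: str, sender_ip: str) -> bytes:
    """ARP reply announcing sender_ip -> sender_mac to the whole segment
    (target protocol address equals the sender address, i.e. gratuitous)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)        # Ethernet, IPv4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)      # sender hw / proto addr
    arp += mac_bytes(BROADCAST) + ip_bytes(sender_ip)       # target hw / proto addr
    return eth_frame(BROADCAST, sender_mac, ETH_ARP, arp)


@dataclass
class Peer:
    """Upstream server or downstream client: learns MACs from ARP frames only."""
    name: str
    arp_table: dict = field(default_factory=dict)

    def handle_frame(self, frame: bytes) -> None:
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype != ETH_ARP:
            return
        sha = frame[22:28].hex(":")                     # sender hardware address
        spa = ".".join(str(b) for b in frame[28:32])    # sender protocol address
        self.arp_table[spa] = sha                       # update MAC address entry


@dataclass
class SecurityDevice:
    mac: str
    os_name: str                          # the devices may run different OSes
    sessions: dict = field(default_factory=dict)
    active: bool = False                  # True while this is the service device

    def sync_frame_for(self, successor: "SecurityDevice") -> bytes:
        """Layer-2 sync message: unicast to the successor, JSON session table."""
        payload = json.dumps(self.sessions, sort_keys=True).encode()
        return eth_frame(successor.mac, self.mac, ETH_SYNC, payload)

    def receive_sync(self, frame: bytes) -> None:
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype != ETH_SYNC or frame[:6] != mac_bytes(self.mac):
            return                        # not a sync frame addressed to this device
        self.sessions = json.loads(frame[14:].decode())


def switch_service_device(devices, upstream, downstream, rng=random):
    """One switching cycle: choose a new service device at random, hand over the
    session table, then re-announce both shared IPs with the new device's MAC."""
    current = next(d for d in devices if d.active)
    new = rng.choice([d for d in devices if d is not current])
    new.receive_sync(current.sync_frame_for(new))                    # sync message
    current.active, new.active = False, True
    upstream.handle_frame(build_gratuitous_arp(new.mac, UP_IP))      # first module pair
    downstream.handle_frame(build_gratuitous_arp(new.mac, DOWN_IP))  # second module pair
    return new


def run_cycles(cycles: int, seed: int = 7):
    """Run several switching cycles; returns (devices, upstream, downstream)."""
    rng = random.Random(seed)
    session_table = {"10.0.1.50:43122->10.0.0.200:443": "ESTABLISHED"}  # constructed
    devices = [
        SecurityDevice("02:00:00:00:00:01", "linux", dict(session_table), active=True),
        SecurityDevice("02:00:00:00:00:02", "freebsd"),
        SecurityDevice("02:00:00:00:00:03", "vxworks"),
    ]
    upstream, downstream = Peer("upstream-server"), Peer("downstream-client")
    upstream.handle_frame(build_gratuitous_arp(devices[0].mac, UP_IP))
    downstream.handle_frame(build_gratuitous_arp(devices[0].mac, DOWN_IP))
    for _ in range(cycles):
        switch_service_device(devices, upstream, downstream, rng)
    return devices, upstream, downstream


if __name__ == "__main__":
    devs, up, down = run_cycles(5)
    active = next(d for d in devs if d.active)
    print(f"service device now {active.mac} ({active.os_name}); "
          f"upstream ARP {up.arp_table[UP_IP]}, downstream ARP {down.arp_table[DOWN_IP]}; "
          f"sessions: {active.sessions}")
```

Two design points worth noting: the sync frame is unicast to the successor's MAC and the receiver discards anything not addressed to it or not carrying the sync EtherType, so a stray frame cannot overwrite the session table; and the peers' ARP caches are the only state that changes on the server and client side, which is why the upper-layer session (the constructed TCP 5-tuple here) survives the move unchanged.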
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610673308.1A CN106302456B (en) | 2016-08-15 | 2016-08-15 | Session keeping method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610673308.1A CN106302456B (en) | 2016-08-15 | 2016-08-15 | Session keeping method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106302456A true CN106302456A (en) | 2017-01-04 |
CN106302456B CN106302456B (en) | 2020-01-14 |
Family
ID=57671401
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610673308.1A Active CN106302456B (en) | 2016-08-15 | 2016-08-15 | Session keeping method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106302456B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110035039A (en) * | 2018-01-12 | 2019-07-19 | 华为技术有限公司 | A kind of method and apparatus that session is kept |
CN112165483A (en) * | 2020-09-24 | 2021-01-01 | Oppo(重庆)智能科技有限公司 | ARP attack defense method, device, equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101296238A (en) * | 2008-06-17 | 2008-10-29 | 杭州华三通信技术有限公司 | Method and equipment for remaining persistency of security socket layer conversation |
US20100217882A1 (en) * | 2007-10-29 | 2010-08-26 | Huawei Technologies Co., Ltd. | Method, system and apparatus for accessing a Layer-3 session |
CN103475727A (en) * | 2013-09-18 | 2013-12-25 | 浪潮电子信息产业股份有限公司 | Database auditing method based on bridged mode |
CN103797769A (en) * | 2011-09-19 | 2014-05-14 | 思科技术公司 | Services controlled session based flow interceptor |
WO2014198229A1 (en) * | 2013-06-14 | 2014-12-18 | 华为技术有限公司 | Packet processing method, device, and system |
- 2016-08-15 CN CN201610673308.1A patent/CN106302456B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100217882A1 (en) * | 2007-10-29 | 2010-08-26 | Huawei Technologies Co., Ltd. | Method, system and apparatus for accessing a Layer-3 session |
CN101296238A (en) * | 2008-06-17 | 2008-10-29 | 杭州华三通信技术有限公司 | Method and equipment for remaining persistency of security socket layer conversation |
CN103797769A (en) * | 2011-09-19 | 2014-05-14 | 思科技术公司 | Services controlled session based flow interceptor |
WO2014198229A1 (en) * | 2013-06-14 | 2014-12-18 | 华为技术有限公司 | Packet processing method, device, and system |
CN103475727A (en) * | 2013-09-18 | 2013-12-25 | 浪潮电子信息产业股份有限公司 | Database auditing method based on bridged mode |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110035039A (en) * | 2018-01-12 | 2019-07-19 | 华为技术有限公司 | A kind of method and apparatus that session is kept |
CN110035039B (en) * | 2018-01-12 | 2020-09-18 | 华为技术有限公司 | Method and equipment for maintaining session |
CN112165483A (en) * | 2020-09-24 | 2021-01-01 | Oppo(重庆)智能科技有限公司 | ARP attack defense method, device, equipment and storage medium |
CN112165483B (en) * | 2020-09-24 | 2022-09-09 | Oppo(重庆)智能科技有限公司 | ARP attack defense method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN106302456B (en) | 2020-01-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107306214B (en) | Method, system and related equipment for connecting terminal with virtual private network | |
US9686279B2 (en) | Method and system for providing GPS location embedded in an IPv6 address using neighbor discovery | |
JP2011193477A (en) | Agile network protocol for secure communication with assured system availability | |
CN106982234A (en) | A kind of ARP attack defense methods and device | |
Dunlop et al. | The blind man's bluff approach to security using IPv6 | |
CN101635628A (en) | Method and device for preventing ARP attacks | |
CN102244651A (en) | Method for preventing attack of illegal neighbor discovery protocol message and access equipment | |
CN102438028A (en) | Method, device and system for preventing fraud of dynamic host configuration protocol (DHCP) server | |
CN108243176A (en) | Data transmission method and device | |
CN114844729B (en) | Network information hiding method and system | |
KR20130005973A (en) | A network security system and network security method | |
CN111131448B (en) | Edge management method, edge proxy equipment and computer readable storage medium for ADSL Nat operation and maintenance management | |
Rehman et al. | Rule-based mechanism to detect Denial of Service (DoS) attacks on Duplicate Address Detection process in IPv6 link local communication | |
CN109089263A (en) | A kind of message processing method and device | |
CN106302456A (en) | Session keeping method and device | |
CN111740943A (en) | Anti-attack method, device, equipment and machine readable storage medium | |
CN108259460A (en) | Apparatus control method and device | |
CN102752266B (en) | Access control method and equipment thereof | |
CN103067411A (en) | Method and device for preventing DoS (denial of service) attack in DS-Lite (dual stack-Lite) networking | |
US9338183B2 (en) | Session hopping | |
US8271678B2 (en) | Independent detection and filtering of undesirable packets | |
WO2015136842A1 (en) | Network management device, network system, network management method, and recording medium | |
Pandey et al. | Counter measures to combat misuses of mac address spoofing techniques | |
CN104601459A (en) | Method and device for processing messages in group-domain virtual private network | |
Kang et al. | ARP modification for prevention of IP spoofing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |