CN106302844A - Method and device for reclaiming and disabling IPv6 addresses - Google Patents
- Publication number: CN106302844A
- Application number: CN201510281223.4A
- Authority: CN (China)
- Prior art keywords: interface, ipv6, ipv6 address, address, monitoring device
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The present invention discloses a method and device for reclaiming and disabling IPv6 addresses. Step 1: after a DAD message monitoring device observes a DAD message sent by an access device in a local network, it extracts the interface ID that is to undergo duplicate address detection from the DAD message and sends it to an IPv6 address recovery server. Step 2: the IPv6 address recovery server compares the received interface ID with a pre-stored list of disabled IPv6 interface IDs. Step 3: if the result is that the interface ID is not disabled, the DAD message monitoring device takes no action; if the result is that the interface ID is disabled, the DAD message monitoring device sends a Neighbor Advertisement message to the access device that sent the DAD message, indicating that the IPv6 interface ID under detection is a duplicate and is already in use, and it also sends a message to the access gateway so that the gateway refuses to forward IPv6 packets sent by the access device whose source address still uses the disabled interface ID.
Description
Technical field
The present invention relates to IP address access technology, and in particular to a method and device for reclaiming and disabling IPv6 addresses; it belongs to the field of IP network technology.
Background technology
1. The last 64 bits of an IPv6 address are the interface ID, and the interface ID space has 2^64 values. In some scenarios this allows an IPv6 interface ID to be permanently bound to a user's identity. Because different identities carry different privileges, security considerations require that a discarded IPv6 interface ID be reclaimed and disabled, to prevent its fraudulent use by others. Given the huge surplus of interface ID capacity, a reclaimed interface ID can simply be prohibited from further use, with no need to consider reallocating it, which reduces the complexity of IP address management.
2. Existing IPv6 address access technologies fall into two broad classes: automatic configuration and manual configuration.
Automatic configuration is further divided into two kinds: stateless autoconfiguration [RFC 4862] and DHCPv6 [RFC 3315].
1) The stateless autoconfiguration process is as follows:
When a host interface first attaches to a link it generates a tentative link-local address. The first 64 bits use the fixed link-local prefix FE80::/64; the last 64 bits are the interface ID, generated automatically from the MAC address by the EUI-64 algorithm [RFC 4291].
Duplicate address detection (DAD) is then performed to determine whether the tentative link-local address is unique on the link. The interface joins the link-local all-nodes multicast address (FF02::1) and the link-local solicited-node multicast address (FF02::1:FF00:0000/104 followed by the last 24 bits of the tentative address's interface ID; every IPv6 address on the link with the same last 24 bits receives packets sent to this group). With the all-zero (unspecified) address as its source, the interface sends a Neighbor Solicitation message to the solicited-node multicast address. If the tentative address is already in use by a node on the link, the node that receives the Neighbor Solicitation sends a Neighbor Advertisement message to the all-nodes multicast address. Receiving a Neighbor Advertisement means the automatically configured tentative address is unavailable: autoconfiguration fails and the address must be configured manually instead. If no Neighbor Advertisement is received, the tentative address can be assigned to the interface and the host can communicate on the link.
Finally the prefix for the global address is obtained. An IPv6 global unicast address consists of a prefix plus the interface ID. The 64-bit interface ID has already been generated by the EUI-64 algorithm and its uniqueness confirmed by duplicate address detection; the remaining prefix is obtained from the Prefix Information option of a Router Advertisement message.
2) DHCPv6 is a network protocol for configuring the IP addresses, IP prefixes and/or other settings that IPv6 hosts need in order to operate on an IPv6 network. A host joining the network obtains its IPv6 address by interacting with the DHCPv6 server on the network.
3) Manual configuration means a fixed IPv6 address is configured by hand on the host's interface.
Whether an IPv6 address is obtained through DHCPv6 or configured manually, duplicate address detection (DAD) must still be performed; if DAD fails, the IPv6 address must be reconfigured, otherwise the host cannot access the network normally.
3. For disabling a single IPv6 address, the existing technologies are:
1) Using an ACL (Access Control List) on the router or switch that acts as the access gateway to deny access from the specific IPv6 address. An ACL is an instruction list on router and switch interfaces that controls the packets entering and leaving a port. ACLs are a basic means of providing secure network access: an ACL can allow host A to access a certain network while denying host B.
2) Using firewall filtering rules at the server end to deny access from the specific IPv6 address. A network-level firewall can be regarded as an IP packet filter running on the underlying TCP/IP protocol stack. In an enumerating fashion it allows only packets that conform to specific rules to pass and denies everything else (except viruses: a firewall cannot prevent viruses from entering). These rules can usually be defined or modified by the administrator, although some firewall devices may only apply built-in rules. Firewall rules can also be formulated from a more permissive angle: as long as a packet does not match any "negative rule", it is let through. Most operating systems and network devices have built-in firewall functionality.
4. Problems with the prior art:
1) To disable one IPv6 address in a LAN, every gateway and server in the LAN must be configured one by one; the workload is large and the work is complex.
2) In a network with multiple LANs, every gateway and server in every LAN must be configured, so the workload is huge.
Summary of the invention
In view of the above problems and deficiencies, one object of the present invention is to provide a method for reclaiming and disabling IPv6 addresses, so that access from IPv6 addresses containing specific interface IDs can be denied throughout a network efficiently and conveniently, solving the problems of large workload and high complexity that arise when a network system disables specific IPv6 addresses in the known manner.
A further object of the present invention is to provide a device for reclaiming and disabling IPv6 addresses that is simple and reasonably structured, so that the working efficiency of the network system is greatly improved.
The objects of the invention are achieved through the following technical solution: a method for reclaiming and disabling IPv6 addresses, comprising a DAD message monitoring device, an IPv6 address recovery server, and a list of disabled IPv6 interface IDs entered into the IPv6 address recovery server by the network administrator, with the following steps:
Step 1: after the DAD message monitoring device observes a DAD message sent by an access device in a local area network, it sends the interface ID undergoing duplicate address detection in the DAD message to the IPv6 address recovery server in the backbone network;
Step 2: the IPv6 address recovery server in the backbone network compares the received interface ID with the list of disabled IPv6 interface IDs stored in advance on the IPv6 address recovery server, then returns the comparison result to the DAD message monitoring device;
Step 3:
If the result returned by step 2 is that the interface ID is not disabled, the DAD message monitoring device takes no action;
If the result returned by step 2 is that the interface ID is disabled, the DAD message monitoring device sends a Neighbor Advertisement message to the access device that sent the DAD message in step 1, indicating that the IPv6 interface ID under detection is a duplicate and is already in use;
If the result returned by step 2 is that the interface ID is disabled, then, to guard against the access device refusing to change its interface ID, the DAD message monitoring device also sends a message to the access gateway of the LAN, so that the access gateway refuses to forward IPv6 packets sent by the access device whose source address still uses the disabled interface ID.
A device for reclaiming and disabling IPv6 addresses comprises a DAD message monitoring device and an IPv6 address recovery server, structured as follows: each access device is communicatively connected to the access gateway of its LAN; the access gateway is communicatively connected to the DAD message monitoring device; each LAN is connected to the backbone network; and the IPv6 address recovery server in the backbone network is communicatively connected to the DAD message monitoring device of each LAN.
The access device uses an IPv6 address whose last 64 bits are the interface ID.
The DAD message monitoring device is a server with routing functionality.
By using the above method and device, the present invention has the following advantageous effects compared with the prior art:
The invention manages and disables IPv6 addresses by monitoring DAD messages; compared with the traditional method of configuring each gateway and server one by one, it greatly reduces the workload and its complexity.
A unified backbone network server is used, to which the monitoring devices of all LANs report the interface IDs of the IPv6 addresses being brought onto the network. This achieves unified network-wide monitoring and overcomes the limitation that DAD can only manage addresses on the local link. At the same time, the list of disabled interface IDs is set once on the backbone network server, avoiding separate configuration in each LAN. This solves the problems of large workload and high complexity when disabling specific IPv6 addresses in a network system in the known manner, greatly improves the working efficiency of the network system, allows incremental deployment, and maintains compatibility with existing network protocols.
Brief description of the drawings
Fig. 1 is a structural diagram of the present invention.
In the figure: access device 1, access gateway 2, LAN 3, DAD message monitoring device 4, backbone network 5, IPv6 address recovery server 6.
Detailed description of the invention
The present invention is further elaborated below with reference to specific embodiments, but the scope of protection of the present invention is not limited by the specific embodiments and is determined by the claims. In addition, on the premise of the technical solution of the present invention, any change or modification to the present invention that a person of ordinary skill in the art could easily make falls within the scope of the claimed invention.
Embodiment 1
As shown in Fig. 1, a method for reclaiming and disabling IPv6 addresses comprises a DAD message monitoring device, an IPv6 address recovery server, and a list of disabled IPv6 interface IDs entered into the IPv6 address recovery server by the network administrator, with the following steps:
Step 1: after the DAD message monitoring device observes a DAD message sent by an access device in a local area network, it sends the interface ID undergoing duplicate address detection in the DAD message to the IPv6 address recovery server in the backbone network;
Step 2: the IPv6 address recovery server in the backbone network compares the received interface ID with the list of disabled IPv6 interface IDs stored in advance on the IPv6 address recovery server, then returns the comparison result to the DAD message monitoring device;
Step 3:
If the result returned by step 2 is that the interface ID is not disabled, the DAD message monitoring device takes no action;
If the result returned by step 2 is that the interface ID is disabled, the DAD message monitoring device sends a Neighbor Advertisement message to the access device that sent the DAD message in step 1, indicating that the IPv6 interface ID under detection is a duplicate and is already in use;
If the result returned by step 2 is that the interface ID is disabled, then, to guard against the access device refusing to change its interface ID, the DAD message monitoring device also sends a message to the access gateway of the LAN, so that the access gateway refuses to forward IPv6 packets sent by the access device whose source address still uses the disabled interface ID.
A device for reclaiming and disabling IPv6 addresses comprises a DAD message monitoring device and an IPv6 address recovery server, structured as follows: each access device 1 is communicatively connected to the access gateway 2 of its LAN; the access gateway 2 is communicatively connected to the DAD message monitoring device 4; each LAN 3 is connected to the backbone network 5; and the IPv6 address recovery server 6 in the backbone network 5 is communicatively connected to the DAD message monitoring device 4 of each LAN.
The access device 1 uses an IPv6 address whose last 64 bits are the interface ID.
The DAD message monitoring device 4 is a server with routing functionality.
The operating principle of the method for reclaiming and disabling IPv6 addresses of the present invention is as follows:
Suppose the 64-bit IPv6 interface ID 1:2:0:3 needs to be disabled in a network. The network administrator first writes the interface ID to be disabled, 1:2:3:4, into the disabled interface ID list on the IPv6 address recovery server in the backbone network.
Then, in the LAN whose subnet prefix is 2001:0:0:1::/64, a device manually configured with the non-disabled IPv6 address 2001:0:0:1::5 begins to access the network through the LAN's access gateway.
The access device joins the link-local all-nodes multicast address FF02::1 and the solicited-node multicast address FF02::1:FF00:0:5 of its tentative address, then sends a DAD message to the solicited-node multicast address FF02::1:FF00:0:5.
1. After the DAD message monitoring device observes the DAD message, it extracts the last 64 bits, the interface ID 0:0:0:5, from the access device's IPv6 address 2001:0:0:1::5 carried in the DAD message and sends it to the IPv6 address recovery server.
2. The IPv6 address recovery server in the backbone network checks the received IPv6 interface ID 0:0:0:5 against the disabled IPv6 interface ID list kept in advance. No matching entry is found, which shows that the device accessing the network is not using a disabled IPv6 interface ID. The IPv6 address recovery server then returns the check result to the DAD message monitoring device.
3. The DAD message monitoring device receives the result, finds that the interface ID of the IPv6 address in the DAD message is not disabled, and therefore stays silent, allowing the access device to continue the normal access procedure.
Next, a device manually configured with the disabled IPv6 address 2001:0:0:1:1:2:0:3 begins to access the network through the LAN's access gateway.
The access device joins the link-local all-nodes multicast address FF02::1 and the solicited-node multicast address FF02::1:FF00:0:3 of its tentative address, then sends a DAD message to the solicited-node multicast address FF02::1:FF00:0:3.
1. After the DAD message monitoring device observes the DAD message, it extracts the last 64 bits, the interface ID 1:2:0:3, from the access device's IPv6 address 2001:0:0:1:1:2:0:3 carried in the DAD message and sends it to the IPv6 address recovery server.
2. The IPv6 address recovery server in the backbone network checks the received IPv6 interface ID 1:2:0:3 against the disabled IPv6 interface ID list kept in advance. A matching entry is found, which shows that the device accessing the network is using a disabled IPv6 interface ID. The IPv6 address recovery server then returns the check result to the DAD message monitoring device.
3. The DAD message monitoring device receives the result, finds that the interface ID of the IPv6 address in the DAD message is disabled, and sends a Neighbor Advertisement message to the link-local all-nodes multicast address FF02::1, informing the access device that an address duplicate has occurred. The DAD message monitoring device also sends a notice to the LAN's access gateway device, prohibiting it from forwarding IPv6 packets whose source address is 2001:0:0:1:1:2:0:3.
4. The access device receives the Neighbor Advertisement on the link-local all-nodes multicast address FF02::1 and learns that its address is duplicated; it should then manually change the interface ID of the IPv6 address it wants to use and perform duplicate address detection again. If the access host refuses to change its address, it cannot access the network normally.
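The following Python script is an added example, not code from the patent: it models the monitoring device's decision logic on constructed Neighbor Solicitation packets, covering the EUI-64 derivation and solicited-node address from the background section and steps 1 to 3 of the method above, with the recovery server's list lookup done in-process and nothing transmitted on the wire. The packet layout (IPv6 header plus ICMPv6 NS, checksum left at zero), the helper names and the sample MAC address are assumptions for illustration.

```python
import ipaddress
import struct

UNSPECIFIED = ipaddress.IPv6Address("::")
ALL_NODES = ipaddress.IPv6Address("ff02::1")          # link-local all-nodes group
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
ICMPV6 = 58
NEIGHBOR_SOLICITATION = 135


def eui64_interface_id(mac: str) -> int:
    """EUI-64 interface ID from a 48-bit MAC: flip the U/L bit, insert FF:FE in the middle."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")


def interface_id(addr) -> int:
    """Last 64 bits of an IPv6 address (the part the recovery server compares)."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def fmt_iid(iid: int) -> str:
    """Render a 64-bit interface ID in the colon notation the page uses, e.g. 1:2:0:3."""
    return ":".join(f"{(iid >> s) & 0xFFFF:x}" for s in (48, 32, 16, 0))


def solicited_node(addr) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 followed by the last 24 bits of the address."""
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF))


def build_ns(target, src=UNSPECIFIED) -> bytes:
    """Constructed sample packet: IPv6 header + ICMPv6 Neighbor Solicitation (checksum left 0).
    With src = :: this is the DAD probe; with a real source it is ordinary address resolution."""
    target, src = ipaddress.IPv6Address(target), ipaddress.IPv6Address(src)
    icmp = struct.pack("!BBHI", NEIGHBOR_SOLICITATION, 0, 0, 0) + target.packed
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255) + src.packed + solicited_node(target).packed
    return ip6 + icmp


def parse_dad_target(pkt: bytes):
    """Return the tentative address probed by a DAD NS, or None for anything else."""
    if len(pkt) < 64 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6:
        return None
    src = ipaddress.IPv6Address(pkt[8:24])
    icmp = pkt[40:]
    if icmp[0] != NEIGHBOR_SOLICITATION or icmp[1] != 0 or src != UNSPECIFIED:
        return None                      # not a DAD probe (DAD always uses the unspecified source)
    return ipaddress.IPv6Address(icmp[8:24])


def monitor_decision(pkt: bytes, disabled_iids: set) -> dict:
    """Steps 1-3 of the method, with the recovery server's list lookup done in-process."""
    target = parse_dad_target(pkt)
    if target is None:
        return {"action": "ignore", "reason": "not a DAD neighbor solicitation"}
    iid = interface_id(target)                       # step 1: extract the interface ID
    if iid not in disabled_iids:                     # step 2: compare with the disabled list
        return {"action": "none", "interface_id": fmt_iid(iid)}
    return {                                         # step 3: enforcement actions
        "action": "block",
        "interface_id": fmt_iid(iid),
        "neighbor_advertisement_to": str(ALL_NODES),  # NA stating the address is already in use
        "gateway_drop_source": str(target),           # drop rule pushed to the LAN access gateway
    }


# Constructed scenario from the page: only interface ID 1:2:0:3 is on the disabled list.
DISABLED = {0x0001000200000003}
OK_ADDR = ipaddress.IPv6Address("2001:0:0:1::5")
BAD_ADDR = ipaddress.IPv6Address("2001:0:0:1:1:2:0:3")

if __name__ == "__main__":
    for addr in (OK_ADDR, BAD_ADDR):
        print(addr, "->", solicited_node(addr), monitor_decision(build_ns(addr), DISABLED))
    print("non-DAD NS ->", monitor_decision(build_ns(OK_ADDR, "fe80::1"), DISABLED))
    print("EUI-64 of 00:1a:2b:3c:4d:5e ->", fmt_iid(eui64_interface_id("00:1a:2b:3c:4d:5e")))
```

A real monitoring device would have to receive every solicited-node multicast group on the LAN (or run promiscuously) to see the DAD probes at all; the script only decides what to do once a probe has been seen.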
Claims (4)
1. A method for reclaiming and disabling IPv6 addresses, comprising a DAD message monitoring device, an IPv6 address recovery server, and a list of disabled IPv6 interface IDs entered into the IPv6 address recovery server by the network administrator, characterized in that the steps are as follows:
Step 1: after the DAD message monitoring device observes a DAD message sent by an access device in a local area network, it sends the interface ID undergoing duplicate address detection in the DAD message to the IPv6 address recovery server in the backbone network;
Step 2: the IPv6 address recovery server in the backbone network compares the received interface ID with the list of disabled IPv6 interface IDs stored in advance on the IPv6 address recovery server, then returns the comparison result to the DAD message monitoring device;
Step 3:
If the result returned by step 2 is that the interface ID is not disabled, the DAD message monitoring device takes no action;
If the result returned by step 2 is that the interface ID is disabled, the DAD message monitoring device sends a Neighbor Advertisement message to the access device that sent the DAD message in step 1, indicating that the IPv6 interface ID under detection is a duplicate and is already in use;
If the result returned by step 2 is that the interface ID is disabled, then, to guard against the access device refusing to change its interface ID, the DAD message monitoring device also sends a message to the access gateway of the LAN, so that the access gateway refuses to forward IPv6 packets sent by the access device whose source address still uses the disabled interface ID.
2. A device for reclaiming and disabling IPv6 addresses according to claim 1, comprising a DAD message monitoring device and an IPv6 address recovery server, characterized in that the structure is as follows: each access device (1) is communicatively connected to the access gateway (2) of its LAN; the access gateway (2) is communicatively connected to the DAD message monitoring device (4); each LAN (3) is connected to the backbone network (5); and the IPv6 address recovery server (6) in the backbone network (5) is communicatively connected to the DAD message monitoring device (4) of each LAN.
3. The device for reclaiming and disabling IPv6 addresses according to claim 2, characterized in that the access device (1) uses an IPv6 address whose last 64 bits are the interface ID.
4. The device for reclaiming and disabling IPv6 addresses according to claim 2, characterized in that the DAD message monitoring device (4) is a server with routing functionality.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510281223.4A CN106302844A (en) | 2015-05-28 | 2015-05-28 | Method and device for reclaiming and disabling IPv6 addresses |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106302844A true CN106302844A (en) | 2017-01-04 |
Family
ID=57635552
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510281223.4A Pending CN106302844A (en) | 2015-05-28 | 2015-05-28 | Method and device for reclaiming and disabling IPv6 addresses |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106302844A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1901551A (en) * | 2005-07-19 | 2007-01-24 | 上海贝尔阿尔卡特股份有限公司 | Repeat address detecting method and its device for supporting IPv6 two layer access net |
US20070153810A1 (en) * | 2006-01-04 | 2007-07-05 | Samsung Electronics Co., Ltd. | Emulation device and method for supporting IPv6 in WiBro terminal |
CN101827138A (en) * | 2010-05-21 | 2010-09-08 | 杭州华三通信技术有限公司 | Optimized method and device for processing IPV6 filter rule |
CN101951415A (en) * | 2010-08-30 | 2011-01-19 | 清华大学 | Method of increasing safety of address conflict detection process |
CN102932491A (en) * | 2011-08-12 | 2013-02-13 | 中兴通讯股份有限公司 | Address configuration method and system |
Events
- 2015-05-28: application CN201510281223.4A filed in China (CN), publication CN106302844A, status Pending
Non-Patent Citations (1)
Title |
---|
曾斌 (Zeng Bin) et al.: "IPv6地址动态管理技术" (IPv6 address dynamic management technology), 《计算机工程与科学》 (Computer Engineering and Science) * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR100908320B1 (en) | Method for protecting and searching host in internet protocol version 6 network | |
US8862705B2 (en) | Secure DHCP processing for layer two access networks | |
CN103209092B (en) | Broadcast storm suppressing method and system | |
CN102025734B (en) | Method, system and switch for preventing MAC address spoofing | |
WO2010072096A1 (en) | Method and broadband access device for improving the security of neighbor discovery in ipv6 environment | |
EP2749010A1 (en) | Discovery and disconnection of client addresses in an access node for an ip network | |
US9088608B2 (en) | Throttling and limiting the scope of neighbor solicitation (NS) traffic | |
CN110233766B (en) | IPv 6-based OTN, PTN, IPRAN, SPN and PON network automatic deployment method | |
CN106302525B (en) | Network space security defense method and system based on camouflage | |
EP2093949B1 (en) | A method and apparatus for preventing the counterfeiting of the network-side media access control (mac) address | |
Scott et al. | Addressing the Scalability of Ethernet with MOOSE | |
KR102092015B1 (en) | Method, apparatus and computer program for recognizing network equipment in a software defined network | |
CN204615859U (en) | Device for reclaiming and disabling IPv6 addresses | |
CN1518289B (en) | Safety filtering method based on Ethernet exchanger | |
Cisco | setsn_su | |
CN106302844A (en) | Method and device for reclaiming and disabling IPv6 addresses | |
CN111954102B (en) | Routing control method and device in DHCPV6 PD scene | |
Cisco | Configuring the Switch IP Address and Default Gateway | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20170104 |