CN106506200A - A kind of ARP protocol submodel based on SDN - Google Patents


Info

Publication number: CN106506200A
Application number: CN201610927543.7A
Authority: CN (China)
Prior art keywords: arp, mac, datagram, module, message
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 马绍良
Current assignee: COMPUTER APPLICATION INST CHINA ENGINEERING PHYSICS ACADEMY
Original assignee: COMPUTER APPLICATION INST CHINA ENGINEERING PHYSICS ACADEMY
Application filed by COMPUTER APPLICATION INST CHINA ENGINEERING PHYSICS ACADEMY
Priority to CN201610927543.7A
Publication of CN106506200A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention discloses an ARP protocol submodel based on SDN, comprising: an ARP datagram filtering module, which checks the format correctness of the ARP messages reported by the switch; an ARP request datagram processing module, which responds to ARP request messages; an ARP response message sending module, which constructs and sends ARP response datagrams for non-empty query results; an ARP traffic statistics and analysis module, which receives the ARP message event records and switch port information sent by the ARP datagram filtering module and the ARP request processing module; and an IP-MAC mapping table management and configuration module, which provides the interface for managing and configuring the IP-MAC mapping table. Applying this model in an SDN can effectively isolate ARP broadcasts, prevent ARP spoofing and trace its perpetrator, and manage and maintain global IP-MAC information.

Description

A kind of ARP protocol submodel based on SDN
Technical field
The present invention relates to the fields of network security and network management, and specifically to an SDN-based ARP protocol submodel (auxiliary model).
Background technology
ARP spoofing and ARP broadcast storms have always been basic problems faced by network management. The ARP protocol establishes the mapping between host IP addresses and host physical addresses in a LAN and is an important low-level protocol in the TCP/IP suite. ARP is simple and effective but lacks any security mechanism, so the threshold for attacking it is very low; after an attack, serious consequences follow, such as consumption of network bandwidth, heavy use of switch resources, session hijacking, denial of service and broadcast storms, and it is difficult to trace the source of the attack. In traditional computer networks, ARP spoofing and ARP broadcasts can be controlled to a certain degree, but at the cost of purchasing high-end network equipment, and so far there has been no fundamental solution. The centralized control over network resources that SDN provides offers a good approach for research on preventing ARP attacks in SDN: it is expected to constrain ARP traffic in the network to the greatest extent and to solve ARP attacks at their root.
SDN originated in the Clean Slate project at Stanford University and is an innovative network architecture. Its core idea is to decouple the forwarding plane from the control plane and to manage the various different network devices through a centralized controller using a standard interface. At present, OpenFlow has been widely adopted as that standard interface; the master controller achieves fine-grained monitoring and management of physical switches through the OpenFlow protocol. SDN also has natural advantages for network virtualization, especially for network virtualization in data centers. Deployment requirements demand a centrally controlled network architecture for virtualization, and SDN is exactly such a centrally managed architecture.
Chinese patent publication No. 105379228A, published on March 2, 2016, discloses a method for implementing ARP, a switching device and a control device. The method includes: the switching device receives an ARP message; the switching device sends an information report message containing the ARP message to the control device; the switching device implements ARP according to the MAC address contained in an information delivery message sent by the control device, the information delivery message being sent by the control device according to the information report message. With this embodiment, although the switching device in the SDN does not itself support the ARP protocol, it can report ARP messages to the control device and, with the assistance of the control device, complete ARP interactions with external devices, thereby improving the data transmission capability of the SDN.
The prior art represented by the above patent has only a limited ability to restrict ARP traffic in the network and cannot fundamentally solve ARP attacks in the network.
Content of the invention
The present invention addresses the defects and deficiencies of the above prior art by providing an ARP protocol submodel based on SDN. When this model is applied in an SDN, the controller, with its global control capability, can take on the task of global coordinator in the operation of the ARP protocol. Its main work is to maintain the global IP-MAC mapping table, respond correctly to ARP requests, and trace the perpetrators of ARP attacks in the LAN, thereby effectively isolating ARP broadcasts, preventing ARP spoofing and tracing its perpetrators, and managing and maintaining global IP-MAC information.
The present invention is realized by the following technical solution:
An ARP protocol submodel based on SDN, characterized in that it comprises:
An ARP datagram filtering module: used to check the format correctness of the ARP messages reported by the switch; ARP messages that pass the check enter the processing logic of the ARP request datagram processing module;
An ARP request datagram processing module: used to respond to ARP request messages. Specifically, for the IP address queried by an ARP request datagram, the controller looks up its internally maintained IP-MAC mapping table, returns the MAC corresponding to that IP address, constructs an ARP response message, and sends the ARP response message to the host that sent the ARP request through the packet-out mechanism of the SDN;
An ARP response message sending module: used to construct and send ARP response datagrams for non-empty query results. Specifically, the module constructs an ARP response message from the information in the ARP request message and the MAC data found by the lookup, then uses the PacketOut packet-sending facility of the OpenFlow specification to send the ARP response datagram out of the corresponding receiving port of the SDN switch; the host that sent the ARP request receives this trusted ARP response message, completing the ARP protocol call;
An ARP traffic statistics and analysis module: receives the various ARP message event records and switch port information sent by the ARP datagram filtering module and the ARP request processing module, centrally maintains ARP traffic statistics records for every host device in the network, dynamically analyzes these data to form ARP broadcast alarm and ARP spoofing alarm events, and, combining the switch port information with the device management module of the controller, traces the host that triggered the alarm event;
An IP-MAC mapping table management and configuration module: used to provide the interface for managing and configuring the IP-MAC mapping table; the network administrator performs all management of the IP-MAC mapping table through the interface provided by this module.
The ARP datagram filtering module, more particularly: the ARP datagram filtering module performs preliminary filtering and recording of ARP traffic data on layer-2 data frames. It applies a two-layer check to each layer-2 data frame to detect whether the ARP datagram is a forged datagram; only ARP datagrams that pass this two-layer check enter the processing logic of the ARP request processing module.
The ARP request datagram processing module, more particularly: after the two-layer check by the ARP datagram filtering module, the ARP request processing module extracts the source IP and source MAC of the ARP request datagram and checks whether the IP-MAC mapping table contains this IP-MAC mapping entry. If it does not, the ARP message is a fraudulent ARP request message and the host that sent it is carrying out ARP spoofing; the module sends an ARP spoofing record together with the port information of the switch that received the datagram to the ARP traffic statistics and analysis module, and processing of the datagram ends. If the IP-MAC mapping table does contain this mapping entry, the module queries the IP-MAC mapping table again for the MAC of the destination IP asked for by the request message. If the destination IP is not in the IP-MAC mapping table, i.e. the query result is empty, the ARP request is asking for a host that the administrator has not registered; the module sends an unknown-host record of the request together with the port information of the switch that received the datagram to the ARP traffic statistics and analysis module. If the destination IP is in the IP-MAC mapping table, i.e. the query result is a MAC value, the module sends a normal ARP request record together with the port information of the switch that received the datagram to the ARP traffic statistics and analysis module, and calls the ARP response message sending module to construct and send the ARP response message.
The ARP response message sending module, more particularly: the ARP response message sending module receives from the ARP request processing module the ARP request message, the MAC found by the lookup and the port information of the switch that received the ARP request message; it constructs an ARP response message from these data according to the ARP protocol specification, uses the ARP response message as the data of a PacketOut message, and instructs the switch to send the ARP response message out of the receiving port.
The ARP request datagram processing module further includes a memory image of the IP-MAC mapping table maintained inside the ARP request processing module.
The ARP traffic statistics and analysis module, more particularly: the ARP traffic statistics and analysis module maintains four classes of ARP records per host, namely: 1. records of ARP messages whose data frame source MAC and ARP message source MAC are unequal; 2. records of ARP response messages; 3. records of ARP request messages whose source MAC and source IP mapping entry is unregistered; 4. records of ARP request messages asking for unknown hosts.
Compared with the prior art, the beneficial effects achieved by the present invention are as follows:
1. The present invention can effectively reduce or even prevent ARP broadcasts in the network. The original ARP protocol works in a distributed way; with the cooperation of the ARP protocol submodel, ARP works in a centralized way. An ARP request datagram no longer needs to be sent by network broadcast; it is received and answered directly by a secure and controllable ARP protocol submodel center.
2. The present invention can effectively prevent and trace ARP attacks. Based on the hosts in the network and the switch ports they are connected to, the ARP protocol submodel records each host's ARP packet sending behaviour per device and, from this ARP traffic information, diagnoses the perpetrator of ARP spoofing or ARP attacks. If ARP attack traffic occupies a large amount of port bandwidth, the model can be extended to apply flexible control over ARP traffic.
3. The present invention does not need to change or add any equipment in the network, does not need any client software installed on hosts in the network, and does not need hosts to use static host configuration (when the IP-MAC configuration module operates in dynamic configuration mode); that is, the present invention is transparent to the hosts in the network. Moreover, the present invention only requires the corresponding software development on the SDN controller platform. The present invention does not interfere in any way with the normal operation of the existing ARP protocol; its operation is entirely based on the existing ARP protocol. It provides a better, trustworthy working environment for ARP, filtering out and disposing of abnormal interactions, thereby completing the auxiliary work for the ARP protocol.
4. The present invention can provide hosts with secure and correct ARP responses, intercept ARP spoofing in the network and suppress ARP broadcast storms in the network; it can avoid ARP attacks at an early stage and find the saboteur attempting to launch an ARP attack. It both maintains the correct ARP workflow and purifies network traffic, and it provides the administrator with a convenient management interface and a clear view of network state.
Description of the drawings
The present invention is described in further detail below with reference to the drawings of the specification and specific embodiments, in which:
Fig. 1 is a diagram of the functional modules and network topology of the SDN-based ARP protocol submodel of the present invention.
Fig. 2 is a flow chart of the SDN-based ARP protocol auxiliary work of an embodiment of the present invention.
Specific embodiment
The key to the work of the ARP protocol submodel is that the network administrator centrally manages the IP and MAC information of the hosts in the network; this key information can be configured manually by the administrator or collected from the network's DHCP service. When an ARP datagram sent by a host arrives at the interface of the SDN switch directly connected to the host, the switch fails to match any flow table entry and reports the packet to the SDN controller. The controller hands the layer-2 data frame that encapsulates the ARP datagram to the ARP protocol submodel for processing. On this basis, the ARP protocol submodel mainly includes:
An ARP datagram filtering module: used to check the format correctness of the ARP messages reported by the switch; ARP messages that pass the check enter the processing logic of the ARP request datagram processing module;
The correctness check is the preliminary detection of ARP datagrams. Specifically, according to the message format of the ARP protocol specification and the field combinations of normal ARP messages, it records and filters out messages of illegal format and abnormal logic; for example, a message whose data link layer frame source MAC is inconsistent with the ARP message source MAC is an ARP message of abnormal logic.
An ARP request datagram processing module: used to respond to ARP request messages. Specifically, for the IP address queried by an ARP request datagram, the controller looks up its internally maintained IP-MAC mapping table, returns the MAC corresponding to that IP address, constructs an ARP response message, and sends the ARP response message to the host that sent the ARP request through the packet-out mechanism of the SDN;
A host sending an ARP request and receiving a correct ARP response is the optimal workflow intended when ARP was designed, and the ARP workflow that this ARP protocol submodel strives to maintain. When the controller's query of the IP-MAC mapping table returns empty, the requested host information has not been registered; from the network management point of view, the host the ARP request is asking for does not exist in the current network.
An ARP response message sending module: used to construct and send ARP response datagrams for non-empty query results. Specifically, the module constructs an ARP response message from the information in the ARP request message and the MAC data found by the lookup, then uses the PacketOut packet-sending facility of the OpenFlow specification to send the ARP response datagram out of the corresponding receiving port of the SDN switch; the host that sent the ARP request receives this trusted ARP response message, completing the ARP protocol call;
This module is derived from the ARP request datagram processing module. The ARP datagram processing module is mainly responsible for looking up the MAC information of the requested IP and for ARP traffic statistics.
An ARP traffic statistics and analysis module: receives the various ARP message event records and switch port information sent by the ARP datagram filtering module and the ARP request processing module, centrally maintains ARP traffic statistics records for every host device in the network, dynamically analyzes these data to form ARP broadcast alarm and ARP spoofing alarm events, and, combining the switch port information with the device management module of the controller, traces the host that triggered the alarm event;
ARP traffic information comes mainly from the traffic collection modules, namely the ARP datagram filtering module and the ARP request processing module. Through the device management module of the SDN controller, this module maintains the ARP datagram sending situation of every host, where ARP datagrams include ARP request datagrams and ARP response datagrams. The module can analyze these data from multiple angles and form response messages; for example, if a host sends more than a certain number of ARP response packets within a certain time interval, or a host sends many ARP request packets asking for unknown hosts, the module presents these statistics and the corresponding inferred conclusion to the network administrator in the form of an alarm.
An IP-MAC mapping table management and configuration module: used to provide the interface for managing and configuring the IP-MAC mapping table; the network administrator performs all management of the IP-MAC mapping table through the interface provided by this module.
This module maintains the storage and internal logic of the IP-MAC data. The IP-MAC internal logic means that in the whole mapping table IP and MAC can only be in a one-to-one relationship. The IP-MAC mapping table is the most important data resource in the whole model; in addition, considering data safety and access performance, the data should be persisted to a database and the module should support a data cache.
The IP-MAC mapping table management and configuration module provides two configuration modes, static and dynamic. In static configuration mode, all hosts in the LAN use static host configuration, i.e. the static IP information distributed by the administrator is configured manually. In dynamic configuration mode, all hosts in the LAN use DHCP (Dynamic Host Configuration Protocol) to configure host IP information automatically. Static configuration mode requires the network administrator to centrally distribute and configure host IP information, which is cumbersome, but from the point of view of information configuration and maintenance the ARP protocol submodel is more secure. Dynamic configuration mode allows hosts to start DHCP to configure themselves dynamically, which matches the configuration habits of hosts in a LAN, but the implementation of the ARP protocol submodel system must then monitor the DHCP service in the network, collect the IP-MAC data in the network and update them in real time.
The ARP datagram filtering module, more particularly: the ARP datagram filtering module performs preliminary filtering and recording of ARP traffic data on layer-2 data frames. It applies a two-layer check to each layer-2 data frame to detect whether the ARP datagram is a forged datagram; only ARP datagrams that pass this two-layer check enter the processing logic of the ARP request processing module.
The two-layer check specifically means: first check whether the source MAC of the layer-2 frame equals the source MAC in the ARP datagram. If they are unequal, the ARP datagram can be concluded to be a forged datagram; the module sends a forged-datagram record together with the port information of the switch that received the datagram to the ARP traffic statistics and analysis module, and processing of the datagram ends. If it is not a forged datagram, the second-layer check is carried out, namely checking whether the ARP datagram is an ARP response datagram. With the ARP protocol submodel in place, the ARP working mode changes from distributed to centralized, i.e. the SDN controller fully controls the responses to ARP request messages and no host in the network needs to send ARP response messages. In the absence of an ARP request message, an ARP response message sent by a host is an abnormal response; the module sends this unsolicited ARP response record together with the port information of the switch that received the ARP response message to the ARP traffic statistics and analysis module, and processing of the datagram ends. ARP datagrams that pass this two-layer check enter the processing logic of the ARP request processing module.
The ARP request datagram processing module, more particularly: after the two-layer check by the ARP datagram filtering module, the ARP request processing module extracts the source IP and source MAC of the ARP request datagram and checks whether the IP-MAC mapping table contains this IP-MAC mapping entry. If it does not, the ARP message is a fraudulent ARP request message and the host that sent it is carrying out ARP spoofing; the module sends an ARP spoofing record together with the port information of the switch that received the datagram to the ARP traffic statistics and analysis module, and processing of the datagram ends. If the IP-MAC mapping table does contain this mapping entry, the module queries the IP-MAC mapping table again for the MAC of the destination IP asked for by the request message. If the destination IP is not in the IP-MAC mapping table, i.e. the query result is empty, the ARP request is asking for a host that the administrator has not registered; the module sends an unknown-host record of the request together with the port information of the switch that received the datagram to the ARP traffic statistics and analysis module. If the destination IP is in the IP-MAC mapping table, i.e. the query result is a MAC value, the module sends a normal ARP request record together with the port information of the switch that received the datagram to the ARP traffic statistics and analysis module, and calls the ARP response message sending module to construct and send the ARP response message.
The ARP response message sending module, more particularly: the ARP response message sending module receives from the ARP request processing module the ARP request message, the MAC found by the lookup and the port information of the switch that received the ARP request message; it constructs an ARP response message from these data according to the ARP protocol specification, uses the ARP response message as the data of a PacketOut message, and instructs the switch to send the ARP response message out of the receiving port.
With the ARP protocol submodel participating, all ARP response datagrams in the network come from this module.
The ARP request datagram processing module further includes: querying the IP-MAC mapping table is a frequent operation, so to improve query performance a memory image of the IP-MAC mapping table is maintained inside the ARP request processing module. Since the IP-MAC data resource is not updated frequently, the data consistency of the memory image is easy to maintain.
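The two-layer check, the three-way classification of a request against the IP-MAC table, and the construction of the ARP response that the controller hands to a PacketOut, written out as one added Python example. This is not the patent's code: the struct-based frame parser, the record names (`forged`, `unsolicited_reply`, `spoofed_request`, `unknown_host_request`, `normal_request`), the `handle_packet_in` entry point and the two-host table are assumptions, and the sample frames are constructed rather than captured. The block stops at the reply bytes; wrapping them in an actual OpenFlow PacketOut is controller-library specific and is left out.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    """'10.0.0.1' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def filter_arp_frame(frame):
    """ARP datagram filtering module: format check plus the two-layer check.

    Returns (record, fields). record is None when the frame may go on to
    request processing, otherwise the record class reported to the traffic
    statistics module ('malformed', 'forged' or 'unsolicited_reply').
    """
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return "malformed", None
    _dst, frame_src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return "malformed", None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "malformed", None
    fields = {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}
    # First layer: the frame source MAC must equal the ARP sender MAC.
    if frame_src != sha:
        return "forged", fields
    # Second layer: once the controller answers all ARP, a host-sent reply is abnormal.
    if op == ARP_REPLY:
        return "unsolicited_reply", fields
    if op != ARP_REQUEST:
        return "malformed", fields
    return None, fields


def process_arp_request(fields, ip_mac_table):
    """ARP request datagram processing module.

    ip_mac_table is the in-memory image of the administrator's table
    (4-byte IP -> 6-byte MAC). Returns (record, target_mac); target_mac is
    None when no reply is to be sent.
    """
    if ip_mac_table.get(fields["spa"]) != fields["sha"]:
        return "spoofed_request", None        # sender's IP-MAC pair is not registered
    target_mac = ip_mac_table.get(fields["tpa"])
    if target_mac is None:
        return "unknown_host_request", None   # empty query result: host not registered
    return "normal_request", target_mac


def build_arp_reply(fields, target_mac):
    """ARP response message sending module: the Ethernet+ARP bytes that the
    controller would carry as PacketOut data out of the request's ingress port."""
    eth = ETH_HDR.pack(fields["sha"], target_mac, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       target_mac, fields["tpa"], fields["sha"], fields["spa"])
    return eth + arp


def handle_packet_in(frame, in_port, ip_mac_table):
    """Whole path for one packet-in: (record, in_port, reply bytes or None).
    The record and in_port are what the statistics module receives."""
    record, fields = filter_arp_frame(frame)
    if record is not None:
        return record, in_port, None
    record, target_mac = process_arp_request(fields, ip_mac_table)
    reply = build_arp_reply(fields, target_mac) if target_mac else None
    return record, in_port, reply


def make_request(frame_src, sha, spa, tpa, op=ARP_REQUEST):
    """Constructed sample frame (test input only, not captured traffic)."""
    return (ETH_HDR.pack(mac("ff:ff:ff:ff:ff:ff"), mac(frame_src), ETHERTYPE_ARP)
            + ARP_PKT.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), b"\x00" * 6, ip(tpa)))


# Constructed administrator table for a two-host LAN (assumed addresses).
TABLE = {ip("10.0.0.1"): mac("02:00:00:00:00:01"),
         ip("10.0.0.2"): mac("02:00:00:00:00:02")}

if __name__ == "__main__":
    good = make_request("02:00:00:00:00:01", "02:00:00:00:00:01", "10.0.0.1", "10.0.0.2")
    print(handle_packet_in(good, 3, TABLE))
```

The order of the checks matters: the frame-versus-ARP source MAC comparison runs before the table lookup, so a frame whose two source addresses disagree is reported as forged even if the ARP sender pair happens to be registered, and a host-sent reply is reported before any table access at all.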
The ARP traffic statistics and analysis module, more particularly: the ARP traffic statistics and analysis module maintains four classes of ARP records per host. Every host connected to an SDN switch in the SDN corresponds to one switch port; the ARP records sent by the ARP datagram filtering module and the ARP request processing module carry switch port information, and the device management service of the controller can establish the mapping between an ARP record and a host, so ARP records are maintained per host. The four classes of ARP records are: 1. records of ARP messages whose data frame source MAC and ARP message source MAC are unequal; these are forged ARP messages, which are used less often and are rarely used for real ARP spoofing. 2. records of ARP response messages; with ARP request processing and ARP response sending centrally taken over by the ARP protocol submodel, hosts do not send ARP response messages under normal circumstances. 3. records of ARP request messages whose source MAC and source IP mapping entry is unregistered; with the ARP protocol submodel in place, an unregistered IP-MAC mapping entry appearing in an ARP request datagram indicates that the ARP request message is an ARP spoofing message. 4. records of ARP request messages asking for unknown hosts; in the original ARP workflow, the requesting host cannot receive an ARP response from an unknown host, so it keeps sending ARP request messages, causing a large amount of invalid ARP traffic in the network; with the ARP protocol submodel in place, unknown-host ARP request messages are confined to the requesting host and its switch port, thus greatly avoiding ARP broadcast traffic in the network.
Forged ARP records, ARP response message records and unregistered IP-MAC mapping entry message records belong to the ARP spoofing category, and unregistered IP-MAC mapping entry message records in particular are the usual means of ARP spoofing; when these records appear, the ARP traffic statistics and analysis module reports an ARP spoofing alarm. ARP request messages among the forged ARP records, unregistered IP-MAC mapping entry message records and unknown-host request message records belong to the ARP broadcast category; when these records appear, a host in the network is deliberately carrying out an ARP broadcast attack, and the ARP traffic statistics and analysis module reports an ARP broadcast alarm. Through the mapping relationship between hosts and the four classes of ARP records, the administrator can easily track down the perpetrator of an ARP attack from the alarm information.
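A minimal statistics and analysis module for the two paragraphs above, as an added Python example that is not the patent's code: it keeps the four record classes per host, attributes each record to a host through a (switch, port) lookup that stands in for the controller's device management service, raises an ARP spoofing alarm on any record of the spoofing category, and raises an ARP broadcast alarm when the number of broadcast-category records from one host within a time window reaches a threshold (the "more than a certain number within a certain interval" rule of the earlier description). The class name, record names, window and threshold are assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict, deque

# The four record classes, numbered as in the description, plus the normal-request record.
FORGED = "forged"                        # 1: frame source MAC != ARP sender MAC
UNSOLICITED_REPLY = "unsolicited_reply"  # 2: ARP reply sent by a host
UNREGISTERED = "spoofed_request"         # 3: sender IP-MAC pair not in the table
UNKNOWN_TARGET = "unknown_host_request"  # 4: request for an unregistered host
NORMAL = "normal_request"

SPOOF_CLASSES = {FORGED, UNSOLICITED_REPLY, UNREGISTERED}
BROADCAST_CLASSES = {FORGED, UNREGISTERED, UNKNOWN_TARGET}


class ArpStats:
    """Per-host ARP record counters plus alarm generation.

    port_to_host stands in for the controller's device management service:
    it maps (switch id, port) to the host attached there. The alarm rules
    and thresholds are assumptions.
    """

    def __init__(self, port_to_host, window=60.0, broadcast_threshold=20):
        self.port_to_host = port_to_host
        self.window = window                      # seconds of history kept per host
        self.broadcast_threshold = broadcast_threshold
        self.counts = defaultdict(Counter)        # host -> record class -> count
        self.recent = defaultdict(deque)          # host -> timestamps of broadcast-class records
        self.alarms = []                          # (kind, host, switch, port, detail)

    def report(self, record, switch, port, ts):
        """Called by the filtering and request processing modules with a
        record and the switch port it arrived on. Returns the host it was
        attributed to, so the alarm already carries the port for tracing."""
        host = self.port_to_host.get((switch, port), f"unknown@{switch}:{port}")
        self.counts[host][record] += 1
        # Spoofing category: any single occurrence is reported.
        if record in SPOOF_CLASSES:
            self.alarms.append(("ARP_SPOOF", host, switch, port, record))
        # Broadcast category: alarm when the rate inside the window reaches the threshold.
        if record in BROADCAST_CLASSES:
            history = self.recent[host]
            history.append(ts)
            while history and ts - history[0] > self.window:
                history.popleft()
            if len(history) == self.broadcast_threshold:  # once per crossing
                self.alarms.append(("ARP_BROADCAST", host, switch, port, len(history)))
        return host

    def summary(self, host):
        """The record view the administrator sees for one host."""
        return {cls: self.counts[host][cls]
                for cls in (FORGED, UNSOLICITED_REPLY, UNREGISTERED, UNKNOWN_TARGET, NORMAL)}


if __name__ == "__main__":
    # Constructed sample: two hosts on switch 1, host h2 misbehaving.
    stats = ArpStats({(1, 3): "h1", (1, 4): "h2"}, window=10.0, broadcast_threshold=3)
    for record, port, ts in [(NORMAL, 3, 0.0), (UNREGISTERED, 4, 1.0),
                             (UNKNOWN_TARGET, 4, 2.0), (UNKNOWN_TARGET, 4, 2.5)]:
        stats.report(record, 1, port, ts)
    print(stats.summary("h2"), stats.alarms)
```

Records arriving on a port the device management mapping does not know are not dropped; they are attributed to a placeholder host named after the switch and port, so the administrator can still see where they came from.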
The IP-MAC mapping table management and configuration module is also a background work module that mainly provides the network administrator with the management interface of the IP-MAC mapping table.
The IP-MAC mapping table management and configuration module, more particularly: the IP-MAC mapping table management and configuration module provides a configuration management interface in the form of a Web interface or a REST API, and provides a security access mechanism of some form, such as user name and password. The network administrator must hold valid user name and password information to log in to the configuration management module and then perform add, delete, modify and query operations on the IP-MAC mapping table. The module maintains conflict checking inside the IP-MAC data and allows only one-to-one mapping relationships between IP and MAC to exist.
When the IP-MAC mapping table configuration module is configured to dynamic configuration mode, the configuration module must monitor the DHCP Request messages and DHCP ACK messages in the network; these two messages are the critical messages of a host during the dynamic host configuration procedure. The configuration module parses the correspondence between IP and MAC in the LAN from these two messages and updates the IP-MAC mapping table.
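The one-to-one conflict check and the dynamic-mode collection of IP-MAC pairs from DHHC ACK messages, as an added Python example that is not the patent's code. The BOOTP/DHCP parser follows the DHCP message layout (fixed header, magic cookie, then type-length-value options, with option 53 carrying the message type); the `IpMacTable` class, the distinction between an administrator edit (`set_entry`, which refuses a conflicting pair) and a DHCP-learned update (`learn_from_dhcp_ack`, which treats the DHCP server as authoritative and displaces stale entries), and the sample messages are all assumptions.

```python
import struct

BOOTP_HDR = struct.Struct("!4BIHH4s4s4s4s16s64s128s4s")  # fixed header + magic cookie
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
DHCPREQUEST, DHCPACK = 3, 5


def parse_dhcp(payload):
    """Return (msg_type, yiaddr, chaddr) from a DHCP UDP payload, or None if malformed."""
    if len(payload) < BOOTP_HDR.size:
        return None
    (_op, htype, hlen, _hops, _xid, _secs, _flags, _ciaddr, yiaddr, _siaddr, _giaddr,
     chaddr, _sname, _file, magic) = BOOTP_HDR.unpack_from(payload)
    if magic != DHCP_MAGIC or htype != 1 or hlen != 6:
        return None
    msg_type = None
    i = BOOTP_HDR.size
    while i < len(payload):                 # walk the TLV options
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                     # length byte missing
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            return None                     # option truncated
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = data[0]
        i += 2 + length
    if msg_type is None:
        return None
    return msg_type, yiaddr, chaddr[:6]


class IpMacTable:
    """IP-MAC mapping table with the one-to-one internal logic."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ip = {}

    def set_entry(self, ip_b, mac_b):
        """Administrator edit: refuse a pair that would give one IP two MACs
        or one MAC two IPs; the administrator must delete the old entry first."""
        if self.ip_to_mac.get(ip_b) not in (None, mac_b):
            return False
        if self.mac_to_ip.get(mac_b) not in (None, ip_b):
            return False
        self.ip_to_mac[ip_b] = mac_b
        self.mac_to_ip[mac_b] = ip_b
        return True

    def learn_from_dhcp_ack(self, ip_b, mac_b):
        """Dynamic mode: the DHCP server is authoritative, so a new ACK displaces
        stale entries on either side (a host that obtained a new address, or an
        address reassigned after lease expiry). Returns the displaced pairs."""
        displaced = []
        old_mac = self.ip_to_mac.pop(ip_b, None)
        if old_mac is not None and old_mac != mac_b:
            self.mac_to_ip.pop(old_mac, None)
            displaced.append((ip_b, old_mac))
        old_ip = self.mac_to_ip.pop(mac_b, None)
        if old_ip is not None and old_ip != ip_b:
            self.ip_to_mac.pop(old_ip, None)
            displaced.append((old_ip, mac_b))
        self.ip_to_mac[ip_b] = mac_b
        self.mac_to_ip[mac_b] = ip_b
        return displaced


def monitor_dhcp(table, payload):
    """Feed one DHCP payload seen on the network. Returns the displaced entries
    for an ACK that assigns an address, or None when nothing is learned."""
    parsed = parse_dhcp(payload)
    if parsed is None:
        return None
    msg_type, yiaddr, chaddr = parsed
    if msg_type != DHCPACK or yiaddr == b"\x00\x00\x00\x00":
        return None
    return table.learn_from_dhcp_ack(yiaddr, chaddr)


def make_dhcp(msg_type, yiaddr, chaddr):
    """Constructed sample DHCP payload (test input only)."""
    hdr = BOOTP_HDR.pack(2 if msg_type == DHCPACK else 1, 1, 6, 0, 0x1234, 0, 0,
                         b"\x00" * 4, yiaddr, b"\x00" * 4, b"\x00" * 4,
                         chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128, DHCP_MAGIC)
    return hdr + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


if __name__ == "__main__":
    table = IpMacTable()
    ack = make_dhcp(DHCPACK, b"\x0a\x00\x00\x02", b"\x02\x00\x00\x00\x00\x02")
    print(monitor_dhcp(table, ack), table.ip_to_mac)
```

Only the ACK actually changes the table here: the Request tells the monitor which address the host is asking for, but the binding the ARP modules should trust is the one the server confirms, and the displaced pairs returned by `monitor_dhcp` are what an implementation would hand to the statistics module or the administrator's log.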

Claims (6)

1. An SDN-based ARP protocol sub-model, characterized in that it comprises:
an ARP datagram filtering module, for checking the format correctness of the ARP messages reported by the switch; ARP messages that pass the check enter the processing logic of the ARP request datagram processing module;
an ARP request datagram processing module, for answering ARP request messages; specifically, for the IP address queried by an ARP request datagram, the controller looks up the IP-MAC mapping table it maintains internally, returns the MAC corresponding to that IP address, constructs an ARP reply message, and sends the ARP reply message to the host that sent the ARP request through the SDN packet-out mechanism;
an ARP reply message sending module, for constructing and sending the ARP reply datagram when the query result is non-empty; specifically, the module constructs the ARP reply message from the information in the ARP request message and the MAC found by the lookup, then sends the ARP reply datagram out of the SDN switch port on which the request was received, using the PacketOut message defined in the OpenFlow specification, so that the host that issued the ARP request receives this trusted ARP reply message and the ARP protocol call completes;
an ARP traffic statistics and analysis module, for receiving the various ARP message records and switch port information passed on by the ARP datagram filtering module and the ARP request processing module, centrally maintaining ARP traffic statistics records for every host device in the network, dynamically analyzing these data to form ARP broadcast alarm and ARP spoofing alarm events, and tracing the host that triggered an alarm event with the help of the switch port information and the controller's device management module;
an IP-MAC mapping table management and configuration module, for providing the interface for managing and configuring the IP-MAC mapping table; the network manager performs all management of the IP-MAC mapping table through the interface provided by this module.
2. The SDN-based ARP protocol sub-model according to claim 1, characterized in that the ARP datagram filtering module, more particularly: performs a preliminary filtering of layer-2 data frames and records ARP traffic data; the ARP datagram filtering module applies a two-layer check to each layer-2 data frame to detect whether the ARP datagram is a forged datagram, and only ARP datagrams that pass this two-layer check enter the processing logic of the ARP request processing module.
3. The SDN-based ARP protocol sub-model according to claim 2, characterized in that the ARP request datagram processing module, more particularly: after the two-layer check of the ARP datagram filtering module, the ARP request processing module extracts the source IP and source MAC of the ARP request datagram and checks whether the IP-MAC mapping table contains that IP-MAC mapping entity; if it does not, the ARP message is a fraudulent ARP request message and the host sending such ARP messages is carrying out ARP spoofing, so an ARP spoofing record together with the switch port information on which the datagram was received is sent to the ARP traffic statistics and analysis module, and processing of the datagram ends; if the IP-MAC mapping table does contain the IP-MAC mapping entity, the IP-MAC mapping table is queried again for the MAC of the target IP requested by the request message; if the target IP is not in the IP-MAC mapping table, i.e. the query result is empty, the ARP request is for a host that the manager has not registered, and an unknown-host-requested record together with the switch port information on which the datagram was received is sent to the ARP traffic statistics and analysis module; if the target IP is in the IP-MAC mapping table, i.e. the query result is a MAC value, a normal ARP request record together with the switch port information on which the datagram was received is sent to the ARP traffic statistics and analysis module, and the ARP reply message sending module is called to construct and send the ARP reply message.
4. The SDN-based ARP protocol sub-model according to claim 3, characterized in that the ARP reply message sending module, more particularly: the ARP reply message sending module receives from the ARP request processing module the ARP request message, the MAC found by the lookup and the switch port information on which the ARP request message was received, constructs the ARP reply message from these data according to the ARP protocol specification, places the ARP reply message as the data of a PacketOut message, and instructs the switch to send the ARP reply message out of the receiving port.
5. The SDN-based ARP protocol sub-model according to claim 4, characterized in that the ARP request datagram processing module further comprises: an in-memory image of the IP-MAC mapping table maintained inside the ARP request processing module.
6. The SDN-based ARP protocol sub-model according to claim 5, characterized in that the ARP traffic statistics and analysis module, more particularly: the ARP traffic statistics and analysis module maintains four classes of ARP records for every host, the four classes being: first, records of ARP messages whose frame source MAC and ARP message source MAC are unequal; second, ARP reply message records; third, records of ARP request messages whose source MAC and source IP mapping entity is unregistered; fourth, records of ARP request messages that request an unknown host.
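The request-handling path of claims 2 to 4 and the four-class record keeping of claim 6 and the description, as an added Python example that is not the patent's code: a pure-Python Ethernet/ARP parser and reply builder stand in for the controller, the record-class labels and the `ArpProxy` name are this example's own, the spoofing/broadcast category membership follows the description, and the PacketOut itself is left to the controller (the example returns the reply frame and records the port it should be sent from).

```python
"""Controller-side ARP handling: format check, two-layer forgery check, IP-MAC
lookup, ARP reply construction and per-host four-class records.
Added example; names, labels and the sample frames are this example's own."""
import struct
from collections import defaultdict

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

# The four record classes of claim 6 plus "normal"; the labels are this example's own.
MAC_MISMATCH = "1_frame_src_mac_ne_arp_sender_mac"
REPLY_SEEN = "2_arp_reply"
UNREGISTERED = "3_sender_ip_mac_unregistered"
UNKNOWN_TARGET = "4_target_host_unknown"
NORMAL = "normal_request"
SPOOF_CLASSES = {MAC_MISMATCH, REPLY_SEEN, UNREGISTERED}          # ARP spoofing category
BROADCAST_CLASSES = {MAC_MISMATCH, UNREGISTERED, UNKNOWN_TARGET}  # ARP broadcast category (requests only)


def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_str(b): return ".".join(str(x) for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))


def parse_arp_frame(frame):
    """Format-correctness check of the filtering module: accept only a well-formed
    IPv4-over-Ethernet ARP request or reply; anything else is dropped (None)."""
    if len(frame) < 42:
        return None
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        return None
    return {"frame_src": src, "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def build_arp_request(src_mac, src_ip, target_ip, frame_src_mac=None):
    """Constructed test input: an ARP who-has broadcast. frame_src_mac lets a test
    forge a frame whose Ethernet source differs from the ARP sender MAC."""
    eth = struct.pack("!6s6sH", BROADCAST, mac_bytes(frame_src_mac or src_mac), ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST,
                      mac_bytes(src_mac), ip_bytes(src_ip), bytes(6), ip_bytes(target_ip))
    return eth + arp


def build_arp_reply(req, target_mac):
    """ARP reply answering req on behalf of the target (reply sending module);
    it goes back unicast to the requester's MAC."""
    eth = struct.pack("!6s6sH", req["sha"], target_mac, ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      target_mac, req["tpa"], req["sha"], req["spa"])
    return eth + arp


class ArpProxy:
    """ARP request processing against the registered IP-MAC table, with the
    per-host records the statistics and analysis module keeps."""

    def __init__(self, ip_mac_table):
        self.table = ip_mac_table          # {ip: mac}, the registered mappings
        self.records = defaultdict(list)   # frame source MAC -> [(class, op, switch port)]

    def handle(self, frame, in_port):
        """Return (record class, reply frame). The reply is None unless the request is
        normal; a real controller wraps it in a PacketOut with out-port = in_port."""
        req = parse_arp_frame(frame)
        if req is None:
            return ("dropped_malformed", None)
        host = mac_str(req["frame_src"])
        if req["frame_src"] != req["sha"]:
            cls = MAC_MISMATCH                      # first layer: frame src vs ARP sender MAC
        elif req["op"] == ARP_REPLY:
            cls = REPLY_SEEN                        # the proxy answers every request, so host replies are suspect
        elif self.table.get(ip_str(req["spa"])) != mac_str(req["sha"]):
            cls = UNREGISTERED                      # second layer: sender IP-MAC not registered
        elif ip_str(req["tpa"]) not in self.table:
            cls = UNKNOWN_TARGET                    # lookup result empty
        else:
            cls = NORMAL
        self.records[host].append((cls, req["op"], in_port))
        if cls != NORMAL:
            return (cls, None)
        return (cls, build_arp_reply(req, mac_bytes(self.table[ip_str(req["tpa"])])))

    def alerts(self, threshold=1):
        """Per-host alarm summary with the switch ports seen, so the host can be traced."""
        out = {}
        for host, recs in self.records.items():
            spoof = sum(1 for c, _op, _p in recs if c in SPOOF_CLASSES)
            bcast = sum(1 for c, op, _p in recs if c in BROADCAST_CLASSES and op == ARP_REQUEST)
            if spoof >= threshold or bcast >= threshold:
                out[host] = {"spoof": spoof, "broadcast": bcast, "ports": sorted({p for _c, _op, p in recs})}
        return out
```

Note that a request whose sender is unregistered is never answered, so a host that is not in the table cannot resolve anything; in a deployment this is exactly why the dynamic DHCP-learning mode matters, and why the threshold for alarms should be tuned so that a single mistyped static entry does not page the operator.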
CN201610927543.7A 2016-10-31 2016-10-31 A kind of ARP protocol submodel based on SDN Pending CN106506200A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610927543.7A CN106506200A (en) 2016-10-31 2016-10-31 A kind of ARP protocol submodel based on SDN


Publications (1)

Publication Number Publication Date
CN106506200A true CN106506200A (en) 2017-03-15

Family

ID=58318716



Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107370841A (en) * 2017-08-20 2017-11-21 中国人民解放军理工大学 A kind of method of address resolution efficient on multi-hop wireless network
CN107911297A (en) * 2017-11-21 2018-04-13 迈普通信技术股份有限公司 A kind of SDN network band control Path Setup method and apparatus
CN108566388A (en) * 2018-03-27 2018-09-21 西安电子科技大学 SDN stream rule conflict detection methods based on Bloom Filter and system
CN109547344A (en) * 2019-01-15 2019-03-29 浙江农林大学暨阳学院 A kind of ethernet frame retransmission method and its MSPG system based on MSPG
CN110247899A (en) * 2019-05-27 2019-09-17 南京大学 The system and method for ARP attack is detected and alleviated based on SDN cloud environment
CN111010362A (en) * 2019-03-20 2020-04-14 新华三技术有限公司 Monitoring method and device for abnormal host

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101247217A (en) * 2008-03-17 2008-08-20 北京星网锐捷网络技术有限公司 Method, unit and system for preventing address resolution protocol flux attack
CN101370019A (en) * 2008-09-26 2009-02-18 北京星网锐捷网络技术有限公司 Method and switchboard for preventing packet cheating attack of address analysis protocol
CN101674306A (en) * 2009-09-03 2010-03-17 中兴通讯股份有限公司 Address resolution protocol message processing method and switch
CN103209225A (en) * 2013-04-03 2013-07-17 北京邮电大学 Software defined network (SDN) broadcast processing method based on cycle trigger agent


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HYUNJEONG CHO, SAEHOON KANG: "Centralized ARP proxy server on SDN controller to cut down ARP broadcast in large-scale data center networks", 2015 International Conference on Information Networking (ICOIN) *



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170315