CN106878326A - IPv6 neighbor cache protection method and device based on inverse detection (Google Patents)

Info

Publication number: CN106878326A
Application number: CN201710172618.XA
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Original language: Chinese (zh)
Prior art keywords: ird, storage queue, record, list item, fields
Inventors: 张连成, 孔亚洲, 王振兴, 郭毅, 王禹, 辜苛峻
Original and current assignee: PLA Information Engineering University

Classifications (CPC, section H Electricity, class H04L Transmission of digital information)

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network security architectures or protocols for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/20 Network security architectures or protocols for managing network security; network security policies in general
    • H04L63/205 Managing network security involving negotiation or determination of the security mechanism(s) to be used, e.g. by negotiation between client and server or between peers, or by selection according to the capabilities of the entities involved


Abstract

The invention relates to an IPv6 neighbor cache protection method based on inverse detection (reverse probing) and to a corresponding device. The method comprises: a destination node receives an ND message and creates, in a storage queue, a record holding the information from that message; after a waiting time t it takes one record from the head of the storage queue and sends an IRD neighbor solicitation to the source node; the IRD option of that solicitation is filled from the Sequence and Timestamp fields of the selected record, and the Status field of the record is set; the source node answers with an IRD neighbor advertisement whose IRD option carries the same Sequence value together with the timestamp at which the advertisement was sent; the destination node checks the received IRD advertisement against the Sequence field, the Status field and a timeout threshold, and processes the corresponding records in the neighbor cache and the storage queue according to the result. The method resists neighbor cache spoofing attacks and denial-of-service attacks, consumes few resources, is highly protocol-compatible and adapts well to deployment environments.

Description

IPv6 neighbor cache protection method and device based on inverse detection
Technical field
The invention relates to the field of IPv6 network communication security, and in particular to an IPv6 neighbor cache protection method based on inverse detection and to a corresponding device.
Background
The Neighbor Discovery Protocol (NDP) is a key protocol of IPv6. It combines and improves the IPv4 mechanisms ARP, ICMP Router Discovery and ICMP Redirect, and handles the exchange of information between nodes on the same link. Because NDP provides no security mechanism against on-link threats, an attacker can exploit its weaknesses to mount denial-of-service and redirection attacks against an IPv6 subnet. The IETF standard specifies that the reliability and integrity of NDP packets be ensured with the IPsec AH, but gives no usable scheme for doing so. SEcure Neighbor Discovery (SEND) protects NDP by introducing Cryptographically Generated Addresses (CGA) and a signature mechanism, but its computational overhead is excessive and it has not been widely deployed.
A neighbor cache is the set of information a node holds about each individual neighbor: the mapping between the neighbor's IP address and its link-layer address, the neighbor's reachability state, and so on. The neighbor cache is updated through the exchange of ND messages, and since the ND protocol was designed without effective message protection, the neighbor cache is exposed to spoofing attacks, DoS attacks and the like. The inverse detection (reverse probing) method reduces the likelihood of the neighbor cache being attacked to some extent, but because the reverse probe messages themselves carry no protection, an attacker can still send large numbers of forged responses and bypass the inverse detection mechanism with ease. A new IPv6 neighbor cache protection method is therefore needed to improve IPv6 intranet security.
Summary of the invention
The invention provides an IPv6 neighbor cache protection method based on inverse detection, and a corresponding device, which ensure that the neighbor cache is updated correctly, resist neighbor cache spoofing attacks, denial-of-service attacks and the like, consume few resources and are highly compatible.
According to the design provided by the invention, an IPv6 neighbor cache protection method based on inverse detection comprises the following:
a destination node receives an ND message and creates, in a storage queue, a record holding the ND message information, where every node maintains one storage queue for ND message information and each record contains the IP address of the source node, the MAC address of the source node, a Timestamp field holding the time at which an IRD request was sent to the source node, a Sequence field holding the sequence number of that IRD request, and a Status field indicating whether an IRD request has been sent to the source node;
after a waiting time t, one record is taken from the head of the storage queue and an IRD neighbor solicitation is sent to the source node, where 0 < t < τ and the IRD option of the IRD neighbor solicitation contains a Type field carrying the option type value that identifies IRD messages, a Length field covering the whole option, a Sequence field carrying the IRD probe sequence number used to match the reply, a Reserved field, and a Timestamp field carrying the timestamp used to bound the response time; the IRD option of the IRD neighbor solicitation is filled from the Sequence and Timestamp fields of the selected record, and the Status field of the record is set;
the source node sends an IRD neighbor advertisement whose IRD option carries the same Sequence value and the timestamp at which the advertisement is sent;
the destination node checks the received IRD neighbor advertisement against the Sequence field, the Status field and a timeout threshold, and processes the corresponding records in the neighbor cache and the storage queue according to the result of the check.
In the above, checking against the Sequence field, the Status field and the timeout threshold and processing the corresponding records in the neighbor cache and the storage queue according to the result comprises: first looking up whether the storage queue holds a record with the same Sequence field and, if not, not updating the neighbor cache, deleting the record and ending; if it exists, checking whether the Status field of the record in the storage queue is set and, if not, not updating the neighbor cache, deleting the record and ending; if it is set, checking whether the IRD neighbor advertisement arrived within the timeout threshold and, if so, updating the neighbor cache and ending, otherwise not updating the neighbor cache, deleting the record and ending.
In the above, the method further comprises: managing the node's storage queue by a timestamp-based RED method and deleting records from the storage queue.
Preferably, managing the node's storage queue by the timestamp-based RED method comprises: starting a timer for every record in the storage queue whose Timestamp field is non-zero and deleting records from the storage queue according to the timers; and computing a node drop probability from the average length of the storage queue and discarding records from the storage queue according to the node drop probability.
In the above, starting a timer for every record in the storage queue whose Timestamp field is non-zero and deleting records from the storage queue according to the timers comprises: reading the minimum queue length, the maximum queue length, the current time, the set of records in the storage queue, the timestamp of the record at the queue head and the timeout threshold; for each record in the set of storage queue records, judging whether its Timestamp field is greater than zero and, if so, setting a timer for that record equal to the timeout threshold; and, if the timer expires before the corresponding IRD neighbor advertisement has been received, deleting the corresponding record.
Preferably, computing the node drop probability from the average length of the storage queue comprises: if the average length of the storage queue is below the minimum queue length, setting the drop probability to zero; if the average length of the storage queue is above the minimum queue length and below the maximum queue length, computing it according to the formula:
, compute the drop probability; otherwise set the drop probability to 1.
Preferably, the timeout threshold is corrected according to the network delay.
An IPv6 neighbor cache protection device based on inverse detection comprises a message information recording module, a record selection module and an entry detection module, where:
the message information recording module creates, at the destination node and according to the received message information, a record in the node's storage queue holding that message information;
the record selection module takes the record at the head of the node's storage queue and sends an IRD neighbor solicitation to the source node, where the solicitation carries the same timestamp field and probe sequence number field as the selected record, and the Status field of the record, which indicates whether an IRD request has been sent to the source node, is set;
the entry detection module updates, at the destination node and according to the received IRD neighbor advertisement, the records in the neighbor cache and the storage queue on the basis of the timestamp field, the message sequence number field and the timeout threshold.
The above device further comprises a queue management module that deletes records from the node's storage queue by the timestamp-based RED method.
The above device further comprises a time threshold correction module that adjusts the timeout threshold according to the network delay.
Beneficial effects of the invention:
Addressing the spoofing and denial-of-service attacks to which IPv6 neighbor caches are exposed, the invention starts from the neighbor cache update process and introduces protection mechanisms such as timestamps, probe sequence numbers and queue management to ensure that the neighbor cache is updated correctly. Numerical results for a concrete instance show that the method resists neighbor cache spoofing and denial-of-service attacks, consumes few resources and is highly protocol-compatible; it adapts well to deployment environments, protects the IPv6 neighbor cache effectively and has high practical value.
Brief description of the drawings:
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a schematic diagram of the principle of the invention;
Fig. 3 is a schematic diagram of the storage queue of the invention;
Fig. 4 is a schematic diagram of the IRD option of the invention;
Fig. 5 is a workflow diagram of the invention;
Fig. 6 is a block diagram of the device of the invention;
Fig. 7 is a schematic diagram of the network topology of the example.
Detailed description:
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in detail below with reference to the drawings and specific embodiments.
As shown in Fig. 1, the method provided by the invention mainly comprises the following: a destination node receives an ND message and creates, in a storage queue, a record holding the information from that message, where every node maintains one storage queue for ND message information and each record contains the IP address of the source node, the MAC address of the source node, a Timestamp field holding the time at which an IRD request was sent to the source node, a Sequence field holding the sequence number of that IRD request, and a Status field indicating whether an IRD request has been sent to the source node; after a waiting time t, with 0 < t < τ, one record is taken from the head of the storage queue and an IRD neighbor solicitation is sent to the source node, where the IRD option of the solicitation contains a Type field carrying the option type value that identifies IRD messages, a Length field covering the whole option, a Sequence field carrying the IRD probe sequence number used to match the reply, a Reserved field, and a Timestamp field used to bound the response time; the IRD option is filled from the Sequence and Timestamp fields of the selected record and the Status field of the record is set; the source node sends an IRD neighbor advertisement whose IRD option carries the same Sequence value and the timestamp at which the advertisement was sent; the destination node checks the received IRD advertisement against the Sequence field, the Status field and the timeout threshold, and processes the corresponding records in the neighbor cache and the storage queue according to the result.
The method is now described in detail. Fig. 2 is a schematic diagram of the principle of an embodiment of the invention; the method may comprise the following steps:
Step 21: when the destination node receives an NS/NA or similar message, it first creates a record in its storage queue holding the information from the received ND message, such as the IP-MAC mapping.
In this embodiment, to ensure that a node updates its neighbor cache correctly, every node maintains a storage queue of ND message information as shown in Fig. 3. The fields have the following meaning:
IP: the IP address of the source node;
MAC: the MAC address of the source node;
Timestamp: the time at which the IRD NS was sent to the source node, initialized to 0;
Sequence: the sequence number of the IRD NS sent to the source node;
Status: whether an IRD NS has been sent to the source node.
The purpose of the Status field is this: when an attacking node tries to send a forged IRD response, then even if the Timestamp and Sequence fields of that message are well formed and satisfy the standard protocol requirements, the Status field of the corresponding record in the receiver's queue has not been set, so the receiver still does not update its neighbor cache and deletes that queue entry.
Step 22: wait a random time t, 0 < t < τ, take one record from the head of the storage queue and send an IRD NS to the source node. The message carries an IRD Option whose Timestamp and Sequence fields are filled from the corresponding record, and the record's Status field is set.
In this embodiment, to obtain better compatibility, an IRD Option is provided as shown in Fig. 4. Its fields have the following meaning:
Type: option type value, identifying IRD messages;
Length: length of the whole option (including the Type and Length fields);
Sequence: IRD probe sequence number, used to match the response;
Reserved: reserved field;
Timestamp: IRD message timestamp, used to bound the response time.
The Sequence and Timestamp fields are used together to resist spoofing attacks more effectively.
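As an added illustration (not code from the patent), the following Python builds and parses the IRD Option as an ND option in the TLV form of RFC 4861 with the five fields listed above, and walks an NS/NA option list to find it. The patent gives no field widths and no option type value, so the layout (16-bit Sequence, 32-bit Reserved padding, 64-bit Timestamp in milliseconds, 16 octets in total, Length = 2) and the type value 253, one of the two ND option types that RFC 4727 reserves for experiments, are assumptions of this example.

```python
import struct
import time
from typing import Optional, Tuple

# Assumed layout (the patent names the fields but gives no widths):
#   Type(1) Length(1) Sequence(2) Reserved(4) Timestamp(8)  = 16 octets
# ND options are TLVs whose Length counts 8-octet units (RFC 4861, section 4.6),
# so Reserved is sized to pad the option to a multiple of 8 octets.
IRD_OPTION_TYPE = 253                                  # experimental ND option type (RFC 4727); assumed
IRD_OPTION_FMT = "!BBHIQ"                              # network byte order
IRD_OPTION_OCTETS = struct.calcsize(IRD_OPTION_FMT)    # 16
IRD_OPTION_LENGTH = IRD_OPTION_OCTETS // 8             # value carried in the Length field: 2


def now_ms() -> int:
    """Millisecond timestamp; the patent does not fix the resolution, so this is assumed."""
    return int(time.time() * 1000)


def encode_ird_option(sequence: int, timestamp_ms: int) -> bytes:
    """Build the IRD option carried by an IRD NS (probe) or an IRD NA (echoed sequence + send time)."""
    if not 0 <= sequence <= 0xFFFF:
        raise ValueError("sequence must fit in 16 bits")
    if not 0 <= timestamp_ms < 1 << 64:
        raise ValueError("timestamp must fit in 64 bits")
    return struct.pack(IRD_OPTION_FMT, IRD_OPTION_TYPE, IRD_OPTION_LENGTH,
                       sequence, 0, timestamp_ms)


def decode_ird_option(data: bytes) -> Tuple[int, int]:
    """Return (sequence, timestamp_ms); raise ValueError for anything malformed.

    A truncated or mis-typed option must never yield a 'matching' sequence
    number, so every structural check happens before the fields are trusted.
    The Reserved field is ignored on receipt, as RFC 4861 requires.
    """
    if len(data) < IRD_OPTION_OCTETS:
        raise ValueError("IRD option truncated")
    otype, olen, sequence, _reserved, timestamp_ms = struct.unpack(
        IRD_OPTION_FMT, data[:IRD_OPTION_OCTETS])
    if otype != IRD_OPTION_TYPE:
        raise ValueError("not an IRD option")
    if olen != IRD_OPTION_LENGTH:
        raise ValueError("bad IRD option length")
    return sequence, timestamp_ms


def find_ird_option(options: bytes) -> Optional[Tuple[int, int]]:
    """Walk the ND option list that follows an NS/NA header and return the IRD option, if any.

    Unknown options are skipped by their Length, a zero Length is rejected
    (RFC 4861 says the whole packet is to be discarded), and a list that
    overruns the buffer is rejected rather than partially parsed.
    """
    off = 0
    while off < len(options):
        if off + 2 > len(options):
            raise ValueError("dangling ND option header")
        otype, olen = options[off], options[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        end = off + olen * 8
        if end > len(options):
            raise ValueError("ND option overruns packet")
        if otype == IRD_OPTION_TYPE:
            return decode_ird_option(options[off:end])
        off = end
    return None
```

The receiver side deliberately validates Type and Length before reading Sequence, so that an attacker cannot make a foreign option, or the tail of a truncated packet, look like a matching probe reply.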
Step 23: when the source node sends the IRD NA, it must fill the same Sequence value into the option together with the timestamp at which the response is sent.
Step 24: the destination node checks the received IRD NA by looking up whether the storage queue holds a record with the same Sequence field; if so, go to step 25; otherwise do not update the neighbor cache, delete the entry and finish.
Step 25: check whether the Status field of that record in the storage queue is set; if so, go to step 26; otherwise do not update the neighbor cache, delete the entry and finish.
Step 26: check whether the IRD NA arrived within the timeout threshold; if so, every field of the record in the storage queue is valid and correct, so update the neighbor cache table with the record's information and finish; otherwise do not update the neighbor cache, delete the entry and finish.
Referring to Figs. 5 and 7, hosts A and B are communicating normally while attacking node C attempts a man-in-the-middle attack on them. Taking host B as an example: when B receives a neighbor advertisement from A, B creates an entry in its queue storing the IP-MAC mapping from that message together with the entry's Timestamp and Sequence fields; after a random time t (0 < t < τ), B sends an IRD NS to A carrying an IRD Option whose Timestamp and Sequence fields are filled from the corresponding record, and sets the record's Status field; when A sends an IRD NA to B, it must fill the same Sequence value and the timestamp at the time the response is sent into the option; B checks the received IRD NA by looking up whether its queue holds a record with the same Sequence field and, if so, goes to step 5, otherwise it does not update the neighbor cache, deletes the entry and finishes; in step 5, B checks whether the Status field of that record is set and, if so, goes to step 6, otherwise it does not update the neighbor cache, deletes the entry and finishes; in step 6, B checks whether the IRD NA arrived within the defined time threshold T and, if so, updates the neighbor cache and finishes, otherwise it does not update the neighbor cache, deletes the entry and finishes. Starting from the neighbor cache update process and introducing protection mechanisms such as timestamps and probe sequence numbers thus ensures that the neighbor cache is updated correctly; the method resists neighbor cache spoofing and denial-of-service attacks, consumes few resources and is highly protocol-compatible.
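The exchange of steps 21 to 26 and the A/B example above, as an added simulation that is not the patent's own code: both nodes keep the Fig. 3 storage-queue record (IP, MAC, Timestamp, Sequence, Status), the probe and its reply are plain dictionaries rather than wire packets, time is injected so the timeout branch can be exercised deterministically, and the cache is written from the record's own IP-MAC mapping (the one carried by the original ND message), as step 26 specifies. Assumptions of this example: the probe sequence number is drawn when the record is created, and the timeout check compares the reply's arrival time with the record's Timestamp.

```python
from collections import deque
from dataclasses import dataclass
import secrets


@dataclass
class Record:
    """One storage-queue entry as in Fig. 3: IP, MAC, Timestamp, Sequence, Status."""
    ip: str
    mac: str
    sequence: int           # probe sequence number, drawn when the record is created (assumption)
    timestamp: int = 0      # time the IRD NS was sent; 0 until then
    status: bool = False    # True once the IRD NS has actually been sent


class Node:
    def __init__(self, ip: str, mac: str, timeout: int) -> None:
        self.ip, self.mac = ip, mac
        self.T = timeout                          # timeout threshold T (abstract time units)
        self.queue: deque = deque()               # storage queue; the head is queue[0]
        self.neighbor_cache: dict = {}            # IP -> MAC, written only after a verified probe

    # Step 21: an NS/NA arrives. Record its IP-MAC claim; the cache is NOT touched yet.
    def on_nd_message(self, src_ip: str, src_mac: str) -> None:
        self.queue.append(Record(src_ip, src_mac, secrets.randbelow(1 << 16)))

    # Step 22: after the random wait t, probe the record at the head of the queue.
    def send_ird_ns(self, now: int) -> dict:
        rec = self.queue[0]
        rec.timestamp, rec.status = now, True
        return {"type": "IRD-NS", "src": self.ip, "dst": rec.ip,
                "sequence": rec.sequence, "timestamp": now}

    # Step 23: the probed node echoes the sequence number and stamps its send time.
    def on_ird_ns(self, msg: dict, now: int) -> dict:
        return {"type": "IRD-NA", "src": self.ip, "dst": msg["src"],
                "sequence": msg["sequence"], "timestamp": now}

    # Steps 24-26: sequence match, Status set, arrival within T. Every failure after a
    # match removes the record; only full success writes the neighbor cache.
    def on_ird_na(self, msg: dict, now: int) -> str:
        rec = next((r for r in self.queue if r.sequence == msg["sequence"]), None)
        if rec is None:
            return "no-such-sequence"             # nothing matches, cache untouched
        self.queue.remove(rec)
        if not rec.status:
            return "status-not-set"               # reply to a probe that was never sent
        if now - rec.timestamp > self.T:
            return "timed-out"
        self.neighbor_cache[rec.ip] = rec.mac     # mapping comes from the original ND message
        return "updated"
```

Note what the Status check buys: a forged IRD NA that happens to carry the right sequence number but arrives before B has probed is rejected and the pending (possibly spoofed) record is discarded, which is exactly the case described for the Status field above.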
Further, whether the destination node's storage queue is itself secure directly affects the secure update of the neighbor cache. For example, if an attacker keeps sending large numbers of forged NS/NA messages, the destination node's queue stays permanently full and is filled with false information; the destination node then cannot update its neighbor cache, and the attacker still achieves a DoS against it. Queue management is therefore one of the keys to updating the neighbor cache securely. The node's storage queue is managed with a timestamp-based RED (random early detection) method: by letting message timestamps influence queue management, the original RED method is made to satisfy the requirements of the IRD neighbor cache protection method. Storage-queue management proceeds as follows:
For every record in the storage queue whose Timestamp field is non-zero, a timer is started, and records are deleted from the storage queue when their timer expires; in addition, a node drop probability is computed from the average length of the storage queue, and records are discarded from the storage queue according to that probability, so that the node's storage queue discards some packets in time and remains robust.
Concretely, storage-queue management can be carried out as follows: read the minimum queue length, the maximum queue length, the current time, the set of records in the storage queue, the timestamp of the record at the queue head, and the timeout threshold; for each record in the set, check whether its Timestamp field is greater than zero and, if so, set a timer for that record equal to the timeout threshold; if the timer expires before the corresponding IRD NA has been received, delete the record. If the average queue length is below the minimum queue length, set the drop probability to zero; if the average queue length is above the minimum queue length and below the maximum queue length, compute the drop probability according to the formula:
, compute the drop probability; otherwise set the drop probability to 1.
The storage-queue management process described above can be implemented by the following program:
The storage-queue management method above depends on factors such as Q_avg, T_current, T_timestamp and T. Network delay also affects the messages a destination node receives: if the delay is large and the timeout threshold T disregards the time the node needs to process the IRD request and send the IRD response, the destination node will delete the queue record and be unable to update its neighbor cache correctly. To further ensure that the neighbor cache is updated, the time threshold T must therefore be corrected according to the network delay so that the neighbor cache is updated correctly.
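As an added example (not the patent's program, which this extraction does not reproduce), the Python below implements the two branches of the timestamp-based RED management just described: expiry of probed records whose IRD NA has not arrived within T, and probabilistic early drop driven by the smoothed queue length Q_avg. Because the patent's drop-probability formula is missing from the page, the classic linear RED ramp of Floyd and Jacobson is used in its place and labelled as such; p_max, the EWMA weight and the per-record timer being modelled as a comparison of T_current with T_timestamp + T are also assumptions of this example.

```python
import random
from collections import deque
from dataclasses import dataclass
from typing import Callable


@dataclass
class QueueRecord:
    """Storage-queue entry; timestamp 0 means no IRD NS has been sent, so no timer runs."""
    ip: str
    mac: str
    timestamp: int = 0
    sequence: int = 0
    status: bool = False


class StorageQueue:
    """Storage queue managed by timestamp-based RED.

    q_min / q_max are the minimum and maximum queue lengths and T the timeout
    threshold from the text. p_max (ramp ceiling), weight (EWMA weight for Q_avg)
    and draw (uniform [0,1) source, injectable for tests) are assumptions.
    """

    def __init__(self, q_min: int, q_max: int, timeout: int, p_max: float = 0.1,
                 weight: float = 0.2, draw: Callable[[], float] = random.random) -> None:
        self.q_min, self.q_max, self.T = q_min, q_max, timeout
        self.p_max, self.w, self.draw = p_max, weight, draw
        self.q_avg = 0.0                      # Q_avg, the smoothed queue length
        self.records: deque = deque()

    def expire(self, now: int) -> int:
        """Timer branch: drop probed records whose IRD NA did not arrive within T.

        Each record's own Timestamp stands in for its timer (T_current > T_timestamp + T);
        unprobed records (Timestamp 0) are left alone. Returns the number dropped.
        """
        keep = deque(r for r in self.records
                     if r.timestamp == 0 or now - r.timestamp <= self.T)
        dropped = len(self.records) - len(keep)
        self.records = keep
        return dropped

    def drop_probability(self) -> float:
        """RED branch. The patent's formula is not on this page; the classic linear
        RED ramp is used as a stand-in (assumption)."""
        if self.q_avg < self.q_min:
            return 0.0
        if self.q_avg < self.q_max:
            return self.p_max * (self.q_avg - self.q_min) / (self.q_max - self.q_min)
        return 1.0

    def offer(self, rec: QueueRecord, now: int) -> bool:
        """Admit or discard the record created for a newly received ND message."""
        self.expire(now)
        self.q_avg = (1 - self.w) * self.q_avg + self.w * len(self.records)
        if self.draw() < self.drop_probability():
            return False                      # early drop: a flood cannot keep the queue full
        self.records.append(rec)
        return True
```

With q_min = 4 and q_max = 8, a burst of forged ND messages is admitted until Q_avg crosses q_max (here after twelve records) and is then dropped outright, while records that were probed and never answered age out after T, so the queue keeps room for legitimate entries instead of sitting permanently full as described above.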
The method provided by the invention has been described above; the device provided by the invention is now described in detail. As shown in Fig. 6, the protection device comprises a message information recording module 301, a record selection module 302 and an entry detection module 303, where:
the message information recording module 301 creates, at the destination node and according to the received message information, a record in the node's storage queue holding that message information.
Every node maintains one storage queue for ND message information, and each record contains the IP address of the source node, the MAC address of the source node, a Timestamp field holding the time at which an IRD request was sent to the source node, a Sequence field holding the sequence number of that IRD request, and a Status field indicating whether an IRD request has been sent to the source node.
The record selection module 302 takes the record at the head of the node's storage queue and sends an IRD neighbor solicitation to the source node, where the solicitation carries the same timestamp field and probe sequence number field as the selected record, and the Status field of the record, which indicates whether an IRD request has been sent to the source node, is set.
After the random waiting time t, one record is taken from the head of the storage queue, an IRD neighbor solicitation is sent to the source node and the Status field of the record is set, where 0 < t < τ and the IRD option of the solicitation contains a Type field carrying the option type value that identifies IRD messages, a Length field covering the whole option, a Sequence field carrying the IRD probe sequence number used to match the reply, a Reserved field, and a Timestamp field used to bound the response time; the Sequence and Timestamp fields are filled with the values of the selected record.
The entry detection module 303 updates, at the destination node and according to the received IRD neighbor advertisement, the records in the neighbor cache and the storage queue on the basis of the timestamp field, the message sequence number field and the timeout threshold.
First, it looks up whether the storage queue holds a record with the same Sequence field; second, it checks whether the Status field of that record is set; third, it checks whether the IRD NA arrived within the defined timeout threshold T. If every field of the record in the storage queue is valid and correct, the neighbor cache table is updated with the record's information and processing ends; otherwise the neighbor cache table is not updated, the corresponding record is deleted from the queue and processing ends.
Preferably, the device also comprises a queue management module that deletes records from the node's storage queue by the timestamp-based RED method: for every record in the storage queue whose Timestamp field is non-zero a timer is started, and records are deleted from the storage queue when their timer expires; in addition, a node drop probability is computed from the average length of the storage queue and records are discarded from the storage queue according to that probability, so that the node's storage queue discards some packets in time and remains robust.
In addition, because network delay affects the messages a destination node receives, the timeout threshold must be adjusted; a time threshold correction module corrects the timeout threshold according to the network delay, further ensuring that the neighbor cache is updated correctly.
In summary, the embodiments above provide an IPv6 neighbor cache protection method and protection device based on inverse detection. Addressing the spoofing and denial-of-service attacks to which IPv6 neighbor caches are exposed, they start from the neighbor cache update process and introduce protection mechanisms such as timestamps, probe sequence numbers and queue management to ensure that the neighbor cache is updated correctly. They resist neighbor cache spoofing and denial-of-service attacks, consume few resources, are highly compatible, adapt well to deployment environments and effectively protect the security of IPv6 communication.
The embodiments in this specification are described progressively; each embodiment emphasizes its differences from the others, and the same or similar parts of the embodiments may be referred to each other. The above description of the disclosed embodiments enables those skilled in the art to implement or use the invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. The invention is therefore not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. An IPv6 neighbor cache protection method based on inverse detection, characterized by comprising:
a destination node receives an ND message and creates, in a storage queue, a record holding the ND message information, where every node maintains one storage queue for ND message information and each record contains the IP address of the source node, the MAC address of the source node, a Timestamp field holding the time at which an IRD request was sent to the source node, a Sequence field holding the sequence number of that IRD request, and a Status field indicating whether an IRD request has been sent to the source node;
after a waiting time t, one record is taken from the head of the storage queue and an IRD neighbor solicitation is sent to the source node, where 0 < t < τ and the IRD option of the IRD neighbor solicitation contains a Type field carrying the option type value that identifies IRD messages, a Length field covering the whole option, a Sequence field carrying the IRD probe sequence number used to match the reply, a Reserved field, and a Timestamp field carrying the timestamp used to bound the response time; the IRD option of the IRD neighbor solicitation is filled from the Sequence and Timestamp fields of the selected record, and the Status field of the record is set;
the source node sends an IRD neighbor advertisement whose IRD option carries the same Sequence value and the timestamp at which the advertisement is sent;
the destination node checks the received IRD neighbor advertisement against the Sequence field, the Status field and a timeout threshold, and processes the corresponding records in the neighbor cache and the storage queue according to the result of the check.
2. The IPv6 neighbor cache protection method based on inverse detection according to claim 1, characterized in that checking against the Sequence field, the Status field and the timeout threshold and processing the corresponding records in the neighbor cache and the storage queue according to the result comprises: first looking up whether the storage queue holds a record with the same Sequence field and, if not, not updating the neighbor cache, deleting the record and ending; if it exists, checking whether the Status field of the record in the storage queue is set and, if not, not updating the neighbor cache, deleting the record and ending; if it is set, checking whether the IRD neighbor advertisement arrived within the timeout threshold and, if so, updating the neighbor cache and ending, otherwise not updating the neighbor cache, deleting the record and ending.
3. The IPv6 neighbor cache protection method based on inverse detection according to claim 1, characterized by further comprising: managing the node's storage queue by a timestamp-based RED method and deleting records from the storage queue.
4. The IPv6 neighbor cache protection method based on inverse detection according to claim 3, characterized in that managing the node's storage queue by the timestamp-based RED method comprises: starting a timer for every record in the storage queue whose Timestamp field is non-zero and deleting records from the storage queue according to the timers; and computing a node drop probability from the average length of the storage queue and discarding records from the storage queue according to the node drop probability.
5. The IPv6 neighbor cache protection method based on inverse detection according to claim 4, characterized in that starting a timer for every record in the storage queue whose Timestamp field is non-zero and deleting records from the storage queue according to the timers comprises: reading the minimum queue length, the maximum queue length, the current time, the set of records in the storage queue, the timestamp of the record at the queue head and the timeout threshold; for each record in the set of storage queue records, judging whether its Timestamp field is greater than zero and, if so, setting a timer for that record equal to the timeout threshold; and, if the timer expires before the corresponding IRD neighbor advertisement has been received, deleting the corresponding record.
6. The IPv6 neighbor cache protection method based on inverse detection according to claim 5, characterized in that computing the node drop probability from the average length of the storage queue comprises: if the average length of the storage queue is below the minimum queue length, setting the drop probability to zero; if the average length of the storage queue is above the minimum queue length and below the maximum queue length, computing it according to the formula:
6. the IPv6 neighbor cache guard methods based on inverse detection according to claim 5, it is characterised in that according to depositing Storage queue average length calculate node drop probabilities, content is as follows:If storage queue average length is minimum less than storage queue long Degree, then set packet loss as zero;If storage queue average length is more than storage queue minimum length and maximum less than storage queue Length, then according to formula:
Calculate packet loss;Otherwise, packet loss as 1 is set.
7. the IPv6 neighbor cache guard methods based on inverse detection according to any one of claim 4~6, its feature exists In time-out time threshold value is corrected according to network delay situation.
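The following is an added illustration, written for this page and not code from the patent or its authors, of the storage-queue logic that claims 1 to 7 describe: recording an entry per received message, filling the IRD option (Sequence, Timestamp, Status set) when the head record is probed, the three-way check of claim 2 on the returned notification, the per-entry timer deletion of claim 5, and the drop-probability thresholds of claim 6. The option type value, the field widths, the sample addresses and the times are constructed placeholders; the patent's own drop-probability formula is not reproduced on the page, so the middle branch of claim 6 uses the textbook RED linear ramp as a stand-in assumption.

```python
"""Toy model of an IRD (inverse-detection) neighbor cache guard, as described in claims 1-7.

Illustrative code added for this page; not the patent's implementation. Times are
plain floats so the behaviour can be exercised deterministically.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional

IRD_OPTION_TYPE = 250  # constructed placeholder; the page gives no option type value


@dataclass
class Entry:
    """One entry record in the node storage queue (claim 1)."""
    src_addr: str        # IPv6 source address of the received message
    link_layer: str      # link-layer address carried in that message
    sequence: int        # IRD probe sequence number, unique per entry
    timestamp: float = 0.0  # 0 until a request is sent; claim 5 only times non-zero entries
    status: bool = False    # set once the IRD neighbor request has been sent (claim 1)


class IRDNeighborCacheGuard:
    def __init__(self, timeout: float, q_min: int, q_max: int, max_p: float = 0.1):
        self.timeout = timeout          # time-out threshold; claim 7 lets it track network delay
        self.q_min, self.q_max = q_min, q_max   # storage queue minimum / maximum length (claim 6)
        self.max_p = max_p              # assumed RED ceiling for the linear ramp (not on the page)
        self.queue: Deque[Entry] = deque()
        self.neighbor_cache: Dict[str, str] = {}
        self._next_seq = 1

    def on_message(self, src_addr: str, link_layer: str) -> Entry:
        """Message information recording: queue an entry instead of trusting the message."""
        entry = Entry(src_addr, link_layer, self._next_seq)
        self._next_seq += 1
        self.queue.append(entry)
        return entry

    def send_ird_request(self, now: float) -> Optional[dict]:
        """Record selection: probe the head record and return the IRD option that would be sent."""
        if not self.queue:
            return None
        entry = self.queue[0]
        entry.timestamp = now   # bounds the response time for this probe
        entry.status = True     # an IRD request is now outstanding for this entry
        return {"type": IRD_OPTION_TYPE, "length": 2, "sequence": entry.sequence,
                "reserved": 0, "timestamp": now}

    def on_ird_notification(self, option: dict, now: float) -> bool:
        """Claim 2 check. Returns True only when the neighbor cache was updated."""
        entry = next((e for e in self.queue if e.sequence == option["sequence"]), None)
        if entry is None:
            return False                      # no matching Sequence: discard, no cache update
        self.queue.remove(entry)              # the record is consumed whichever branch follows
        if not entry.status:
            return False                      # reply to a probe that was never sent
        if now - entry.timestamp <= self.timeout:
            self.neighbor_cache[entry.src_addr] = entry.link_layer   # verified: update cache
            return True
        return False                          # arrived after the time-out threshold

    def expire_timers(self, now: float) -> int:
        """Claim 5: delete probed entries whose reply did not arrive within the threshold."""
        stale = [e for e in self.queue if e.timestamp > 0 and now - e.timestamp > self.timeout]
        for e in stale:
            self.queue.remove(e)
        return len(stale)

    def drop_probability(self, avg_len: float) -> float:
        """Claim 6 thresholds; the middle branch is an assumed RED linear ramp."""
        if avg_len < self.q_min:
            return 0.0
        if avg_len >= self.q_max:
            return 1.0
        return self.max_p * (avg_len - self.q_min) / (self.q_max - self.q_min)


if __name__ == "__main__":
    guard = IRDNeighborCacheGuard(timeout=2.0, q_min=4, q_max=8)
    guard.on_message("fe80::1", "00:11:22:33:44:55")          # constructed sample neighbor
    option = guard.send_ird_request(now=10.0)
    print("probe option:", option)
    updated = guard.on_ird_notification({"sequence": option["sequence"], "timestamp": 10.1}, now=10.5)
    print("cache updated:", updated, guard.neighbor_cache)
```

The point the claims make is that a neighbor cache entry is only created after the source node answers a probe that echoes the destination's own sequence number within the time-out threshold; a message whose sender never answers, or whose answer carries a sequence number the destination never issued, leaves the cache untouched and is eventually aged out of the storage queue by the timer or by the RED drop probability.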
8. An IPv6 neighbor cache protection device based on inverse detection, characterized by comprising a message information recording module, a record selection module and an entry checking module, wherein:
the message information recording module is used by the destination node to create, in the node storage queue, an entry record of the message information according to the received message information;
the record selection module selects the record at the head of the node storage queue and sends an IRD neighbor request message to the source node, wherein the IRD neighbor request message is filled with the same timestamp field and probe sequence number field as the selected record, and the Status field of the entry record, which identifies whether an IRD request message has been sent to the source node, is set;
the entry checking module is used by the destination node to update the records in the neighbor cache and the storage queue according to the received IRD notification message, using the timestamp field, the probe sequence number field and the time-out threshold.
9. The IPv6 neighbor cache protection device based on inverse detection according to claim 8, characterized by further comprising a queue management module, which deletes entry records from the node storage queue by a timestamp-based RED method.
10. The IPv6 neighbor cache protection device based on inverse detection according to claim 8 or 9, characterized by further comprising a time threshold correction module for adjusting the time-out threshold according to the network delay conditions.
CN201710172618.XA 2017-03-21 2017-03-21 The guard method of IPv6 neighbor caches and its device based on inverse detection Pending CN106878326A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710172618.XA CN106878326A (en) 2017-03-21 2017-03-21 The guard method of IPv6 neighbor caches and its device based on inverse detection

Publications (1)

Publication Number Publication Date
CN106878326A true CN106878326A (en) 2017-06-20

Family

ID=59172526

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710172618.XA Pending CN106878326A (en) 2017-03-21 2017-03-21 The guard method of IPv6 neighbor caches and its device based on inverse detection

Country Status (1)

Country Link
CN (1) CN106878326A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104518966A (en) * 2013-09-27 2015-04-15 中国电信股份有限公司 IPv6 direct connection link invalid address processing method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Kong Yazhou et al.: "IPv6 neighbor cache protection method based on improved reverse probing", Journal of Computer Applications (计算机应用) *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108900272A (en) * 2017-08-25 2018-11-27 杭州德泽机器人科技有限公司 Sensor data acquisition method, system and packet loss judgment method
CN108900272B (en) * 2017-08-25 2021-02-19 杭州德泽机器人科技有限公司 Sensor data acquisition method and system and packet loss judgment method
CN111147382A (en) * 2019-12-31 2020-05-12 杭州迪普科技股份有限公司 Message forwarding method and device
CN111147382B (en) * 2019-12-31 2021-09-21 杭州迪普科技股份有限公司 Message forwarding method and device
CN111464517A (en) * 2020-03-23 2020-07-28 武汉思普崚技术有限公司 Method and system for preventing address spoofing attack by NS reverse query
CN111464517B (en) * 2020-03-23 2021-02-26 武汉思普崚技术有限公司 Method and system for preventing address spoofing attack by NS reverse query
CN112714133A (en) * 2021-01-04 2021-04-27 烽火通信科技股份有限公司 ND attack prevention method and device suitable for DHCPv6 server
CN114968893A (en) * 2022-07-27 2022-08-30 井芯微电子技术(天津)有限公司 PCIe message queue scheduling method, system and device based on timestamp
CN114968893B (en) * 2022-07-27 2022-09-30 井芯微电子技术(天津)有限公司 PCIe message queue scheduling method, system and device based on timestamp
CN116094998A (en) * 2022-12-29 2023-05-09 天翼云科技有限公司 Method and device for forwarding VXLAN message of neighbor table entry based on OVS

Similar Documents

Publication Publication Date Title
CN106878326A (en) The guard method of IPv6 neighbor caches and its device based on inverse detection
Gong et al. A more practical approach for single-packet IP traceback using packet logging and marking
Compagno et al. Poseidon: Mitigating interest flooding DDoS attacks in named data networking
Cambiaso et al. Taxonomy of slow DoS attacks to web applications
Shi et al. On broadcast-based self-learning in named data networking
CN100566294C (en) Single broadcast reverse path repeating method
US6816910B1 (en) Method and apparatus for limiting network connection resources
Zhou et al. Exploiting the Vulnerability of Flow Table Overflow in Software‐Defined Network: Attack Model, Evaluation, and Defense
CN103701700B (en) Node discovery method in a kind of communication network and system
JP5713445B2 (en) Communication monitoring system and method, communication monitoring device, virtual host device, and communication monitoring program
Ullrich et al. IPv6 security: Attacks and countermeasures in a nutshell
Knockel et al. Counting packets sent between arbitrary internet hosts
CN108965263A (en) Network attack defence method and device
Lu et al. A novel path‐based approach for single‐packet IP traceback
WO2021032016A1 (en) Data processing method and device
CN113347155A (en) Method, system and device for defending ARP spoofing
Boppana et al. Analyzing the vulnerabilities introduced by ddos mitigation techniques for software-defined networks
US8234503B2 (en) Method and systems for computer security
Alston et al. Neutralizing interest flooding attacks in named data networks using cryptographic route tokens
CN103095858B (en) Method, the network equipment and the system of ARP message processing
JP6418232B2 (en) Network management device, network system, network management method and program
Ribeiro et al. Content pollution mitigation for content-centric networking
Song et al. Using FDAD to prevent DAD attack in secure neighbor discovery protocol
Li et al. Prospect for the future internet: A study based on TCP/IP vulnerabilities
CN114024731A (en) Message processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170620