CN110611678B - Method for identifying message and access network equipment - Google Patents


Info

Publication number: CN110611678B
Application number: CN201910903727.3A
Authority: CN (China)
Prior art keywords: terminal device, terminal, identity information, address, terminal equipment
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN110611678A
Inventor: 陈昌源
Current Assignee: Ruijie Networks Co Ltd
Original Assignee: Ruijie Networks Co Ltd

Events: application filed by Ruijie Networks Co Ltd; priority to CN201910903727.3A; publication of CN110611678A; application granted; publication of CN110611678B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

This application provides a method for identifying a packet, and an access network device, which reduce misjudgment of the validity of a Neighbor Discovery message. The method comprises the following steps: receiving a neighbor discovery message sent by a first terminal device, the neighbor discovery message comprising first identity information of the first terminal device, wherein the first identity information comprises an Internet Protocol (IP) address of the first terminal device; if the pre-stored binding table does not contain information matching the first identity information, judging whether a second terminal device with the same IP address as the first terminal device exists among the other terminal devices, the other terminal devices being the terminal devices other than the first terminal device in the current virtual local area network; and if no second terminal device with the same IP address as the first terminal device exists, identifying the neighbor discovery message as a legal message.

Description

Method for identifying message and access network equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method for identifying a packet and an access network device.
Background
In a Virtual Local Area Network (VLAN), an access network device may monitor a Neighbor Discovery (ND) message sent by a terminal device, and determine whether the ND message is legal by comparing whether identity information of the terminal device in the ND message is consistent with identity information prestored in the access network device. If the identity information sent by the terminal equipment in the ND message is inconsistent with the identity information prestored in the access network equipment, the access network equipment determines that the ND message is an illegal message.
However, in some cases, the identity information of the terminal device pre-stored in the access network device may be different from the real information of the terminal device, and at this time, the access network device may misinterpret the legitimate packet sent by the terminal device as an illegitimate packet.
Disclosure of Invention
The embodiment of the application provides a method for identifying a message and access network equipment, which are used for reducing the situation of misjudging the legality of an ND message.
In a first aspect, a method for identifying a packet is provided, which is applied to an access network device, and includes:
receiving a neighbor discovery message sent by first terminal equipment; the neighbor discovery message comprises first identity information of the first terminal equipment, wherein the first identity information comprises an Internet Protocol (IP) address of the first terminal equipment;
if the prestored binding table does not contain information matched with the first identity information, judging whether a second terminal device with the same IP address as the first terminal device exists in other terminal devices or not; wherein the other terminal devices are terminal devices except the first terminal device in the current virtual local area network;
and if the second terminal equipment with the same IP address as the first terminal equipment does not exist, identifying the neighbor discovery message as a legal message.
In this embodiment of the application, after determining that the pre-stored binding table has no information matching the first identity information carried in the ND packet sent by the first terminal device, the access network device further determines whether a second terminal device having the same IP address as the first terminal device exists among the other terminal devices, and from that decides whether the ND packet is legal. In the prior art, the ND packet is judged solely by whether the first identity information it carries matches the pre-stored binding table. Because this embodiment additionally checks whether a second terminal device with the same IP address as the first terminal device exists, some legal ND packets can still be identified correctly even when the first identity information carried in the ND packet does not match the information in the pre-stored binding table, so misjudgment of ND packet legality is reduced and the accuracy of the legality decision is improved. In addition, fewer legal packets sent by the terminal device are discarded because of misjudgment, which improves to a certain extent both the communication efficiency of the user when using the terminal device and the user's experience of the terminal device.
Optionally, if the pre-stored binding table does not have information matching with the first identity information, before determining whether a second terminal device having the same IP address as the first terminal device exists in the other terminal devices, the method includes:
judging whether information matched with the first identity information exists in a pre-stored binding table or not;
and if the information matched with the first identity information exists in the binding table, identifying the neighbor discovery message as a legal message.
In this embodiment of the present application, the access network device directly determines that the ND packet is legal when determining that the first identity information carried in the ND packet sent by the first terminal device is the same as the pre-stored identity information of the first terminal device, so that, because the access network device does not need to continue to determine whether the other terminal devices have the same IP address as the first terminal device every time the access network device receives the ND packet sent by the first terminal device, the processing amount of the access network device can be relatively reduced, and the efficiency of the access network device for verifying the validity of the packet is improved to a certain extent.
Optionally, the pre-stored binding table that does not have information matching the first identity information includes:
the pre-stored identity information of the first terminal device in the pre-stored binding table is different from the first identity information; or, alternatively,
the pre-stored binding table does not contain the pre-stored identity information of the first terminal equipment.
In the embodiment of the application, the pre-stored identity information of the first terminal device in the pre-stored binding table may fail to match the first identity information carried by the ND message under either of two conditions: first, the access network device determines that the pre-stored identity information of the first terminal device in the pre-stored binding table is different from the first identity information carried by the ND message; second, the access network device determines that no pre-stored identity information of the first terminal device exists in the pre-stored binding table. When either condition is met, the access network device determines that the pre-stored identity information of the first terminal device in the pre-stored binding table does not match the first identity information carried by the ND message. Because the judgment covers both possible conditions, the probability of misjudgment by the access network device is reduced to a certain extent, and the accuracy with which the access network device identifies whether the message is legal is improved.
Optionally, the determining whether a second terminal device having the same IP address as the first terminal device exists in other terminal devices includes:
sending a detection message to the other terminal equipment; the detection message is used for detecting whether a second terminal device with the same IP address as the first terminal device exists in other terminal devices;
if response messages sent by other terminal equipment are received within a preset time length, determining that the second terminal equipment with the same IP address as the first terminal equipment exists in the other terminal equipment; the response message comprises legal identity information of the second terminal equipment which is the same as the IP address of the first terminal equipment in other terminal equipment;
and if the response messages sent by other terminal equipment are not received within the preset time length, determining that the second terminal equipment with the same IP address as the first terminal equipment does not exist in other terminal equipment.
In the embodiment of the application, whether any other terminal device has the same IP address as the first terminal device is determined by whether response messages from other terminal devices are received within a certain time. Actively sending detection messages to the other terminal devices obtains the IP addresses of the other terminal devices more quickly and accurately, so the efficiency with which the access network device verifies the validity of the ND message is improved.
Optionally, after determining whether a second terminal device having the same IP address as the first terminal device exists in the other terminal devices, the method includes:
and if the second terminal equipment with the same IP address as the first terminal equipment exists, identifying the neighbor discovery message as an illegal message.
In the embodiment of the application, if it is determined that a second terminal device with the same IP address as the first terminal device exists, the IP address of the second terminal device conflicts with the IP address of the first terminal device, and the ND message is determined to be an illegal message. Because the access network device can further determine whether the IP addresses conflict, the legality of the ND message is judged more accurately, fewer legal messages are discarded due to misjudgment, and the output of invalid attack logs, which would add to the daily operation and maintenance work of the system administrator, is avoided.
Optionally, after identifying the neighbor discovery packet as a valid packet, the method includes:
if the first identity information is different from the pre-stored identity information of the first terminal equipment pre-stored in the binding table, updating the pre-stored identity information of the first terminal equipment pre-stored in the binding table into the first identity information;
and if the pre-stored identity information of the first terminal equipment is not stored in the binding table, newly adding the first identity information in the binding table.
In the embodiment of the application, after the access network device determines that the ND message sent by the first terminal device is a legal message, it may write the first identity information carried by the ND message into the pre-stored binding table, so that the pre-stored identity information is updated in time, which helps to improve the subsequent communication efficiency of the first terminal device. Because the pre-stored identity information of the first terminal device in the pre-stored binding table is updated in time, when the access network device subsequently verifies the validity of an ND message from the first terminal device it can do so by querying the pre-stored binding table alone, without further verifying the first identity information. This improves the efficiency with which the access network device verifies the validity of ND messages, makes the verification result more useful as a reference, and improves the efficiency of network communication to a certain extent.
In a second aspect, an access network device is provided, which includes:
the receiving and sending module is used for receiving a neighbor discovery message sent by the first terminal equipment; the neighbor discovery message comprises first identity information of the first terminal equipment, wherein the first identity information comprises an Internet Protocol (IP) address of the first terminal equipment;
the processing module is used for judging, if the pre-stored binding table contains no information matching the first identity information, whether a second terminal device with the same IP address as the first terminal device exists among the other terminal devices, wherein the other terminal devices are the terminal devices other than the first terminal device in the current virtual local area network; and for identifying the neighbor discovery message as a legal message if no second terminal device with the same IP address as the first terminal device exists.
Optionally, the processing module is further configured to:
if the pre-stored binding table does not contain information matched with the first identity information, judging whether the pre-stored binding table contains information matched with the first identity information or not before judging whether a second terminal device with the same IP address as the first terminal device exists in other terminal devices or not;
and if the information matched with the first identity information exists in the binding table, identifying the neighbor discovery message as a legal message.
Optionally, the pre-stored binding table not containing information matching the first identity information includes: the pre-stored identity information of the first terminal device in the binding table being different from the first identity information; or, no pre-stored identity information of the first terminal device existing in the binding table.
Optionally, the transceiver module is further configured to send a detection packet to the other terminal device; the detection message is used for detecting whether a second terminal device with the same IP address as the first terminal device exists in other terminal devices;
the processing module is specifically configured to determine that the second terminal device having the same IP address as the first terminal device exists in the other terminal devices if a response message sent by the other terminal device is received within a preset time length; the response message includes legal identity information of the second terminal device, which is the same as the IP address of the first terminal device, in other terminal devices, and if the response message sent by the other terminal device is not received within a preset time length, it is determined that the second terminal device, which is the same as the IP address of the first terminal device, does not exist in the other terminal devices.
Optionally, the processing module is specifically configured to:
and if the second terminal equipment with the same IP address as the first terminal equipment exists, identifying the neighbor discovery message as an illegal message.
Optionally, the processing module is further configured to:
after the neighbor discovery message is identified as a legal message, if the first identity information is different from the pre-stored identity information of the first terminal equipment pre-stored in the binding table, updating the pre-stored identity information of the first terminal equipment pre-stored in the binding table into the first identity information;
and if the pre-stored identity information of the first terminal equipment is not stored in the binding table, newly adding the first identity information in the binding table.
In a third aspect, an access network device is provided, including:
a memory for storing program instructions;
a processor for calling program instructions stored in said memory and for executing the method according to any of the first aspects in accordance with the obtained program instructions.
In a fourth aspect, there is provided a storage medium having stored thereon computer-executable instructions for causing a computer to perform the method of any one of the first aspects.
Drawings
Fig. 1 is a diagram illustrating a network architecture in a wired network mode suitable for the prior art;
Fig. 2 is a schematic view of an application scenario of a method for identifying a packet according to an embodiment of the present application;
Fig. 3 is a flowchart of a method for identifying a packet according to an embodiment of the present application;
Fig. 4 is a diagram illustrating a scenario of a change in monitoring status in a binding table according to an embodiment of the present application;
Fig. 5 is a diagram illustrating another scenario of a change in monitoring status in a binding table according to an embodiment of the present application;
Fig. 6 is a first schematic structural diagram of an access network device according to an embodiment of the present application;
Fig. 7 is a second schematic structural diagram of an access network device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
In addition, in the embodiments of the present application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes the association relationship of the associated objects, meaning that there may be three relationships; e.g., "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone, wherein A and B can be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or multiple.
Hereinafter, some terms in the embodiments of the present application are explained to facilitate understanding by those skilled in the art.
Virtual Local Area Network (VLAN): a logical grouping of devices and users. The cascading architecture of the devices at the layer-two data link layer of a VLAN may be divided into a two-layer structure and a three-layer structure, where the two-layer structure includes an access layer and a core layer, and the three-layer structure includes an access layer, a convergence layer, and a core layer. The access layer device has the function of connecting the terminal device to the network. The devices in the convergence layer have the function of aggregating the transmitted data of the access layer devices, and are used for reducing the load of the core layer devices. The core layer device has the functions of high-speed transmission and data management and is used for guaranteeing the performance of the network. An access network device in this application may be understood as an access layer device. The upper layer device in the present application may be a device in the convergence layer, and may also be a device in the core layer.
Wireless Access Point (AP): the access point is an access point of the wireless terminal device connected with a wired network, and is a bridge for connecting the wireless network and the wired network. The wireless AP may provide wireless signal transmission functionality.
Neighbor Discovery (ND) protocol: the ND protocol is an important basic protocol in an Internet Protocol (IP) system, and defines functions of implementing address resolution, tracking a neighbor state, Duplicate Address Detection (DAD), router discovery, redirection, and the like. Internet protocol version 6 (IPv 6) is one of the IP protocols.
ND message: a message defined by the ND protocol and carried over the Internet Control Message Protocol (ICMP). The ND message types include the Router Solicitation (RS) message, Router Advertisement (RA) message, Neighbor Solicitation (NS) message, Neighbor Advertisement (NA) message, and Redirect message.
DAD: detects, by means of an NS, whether the address of the terminal device conflicts with the addresses of other terminal devices. If an NA sent by another terminal device is received, the address of the terminal device is not unique. If no NA sent by another terminal device is received, the address of the terminal device is unique and is determined to be legal.
The following describes the prior art related to the embodiments of the present application.
At present, the process of identifying a packet is as discussed in the foregoing background art, and is not described herein again, and the following illustrates a method for identifying a packet in the prior art:
fig. 1 is a schematic diagram of a network architecture suitable for the prior art. Fig. 1 includes an access network device 101, a terminal device 102, and an upper layer device 103. Fig. 1 illustrates the number of access network devices 101 as an example, and does not actually limit the number of access network devices 101. Fig. 1 exemplifies that the terminal apparatus 102 includes a first terminal apparatus 1021, a second terminal apparatus 1022, and a third terminal apparatus 1023, and does not actually limit the number of terminal apparatuses 102. The first terminal device 1021, the second terminal device 1022 and the third terminal device 1023 may each communicate with the access network device 101.
Specifically, when the first terminal device 1021 transmits the ND packet, the access network device 101 receives the ND packet transmitted from the first terminal device 1021. The access network device 101 identifies the validity of the ND packet according to the pre-stored binding table.
In some cases, for example in wireless network mode, the first terminal device 1021 may access from one wireless AP to another wireless AP. During this process, the pre-stored identity information of the first terminal device 1021, such as the interface index information, may change. It may happen that the access network device 101 does not update the real first identity information of the first terminal device 1021 in a timely manner in the pre-stored binding table. In this case, the access network device 101 may mistake the legitimate ND packet sent by the first terminal device 1021 as an illegitimate packet, and discard the legitimate packet sent by the first terminal device 1021.
In view of this, the present application provides a method for identifying a packet. Please refer to fig. 2, which is a schematic diagram of an application scenario of the method according to the embodiment of the present application. The scenario includes an access network device 201, a terminal device 202, an access point 203, and an upper layer device 204. Fig. 2 is an example in which the access network device 201 includes a first access network device 2011 and a second access network device 2012, without actually limiting the number of access network devices 201. Fig. 2 exemplifies that the terminal apparatus 202 includes the first terminal apparatus 2021, the second terminal apparatus 2022, and the third terminal apparatus 2023, and the number of the terminal apparatuses 202 is not limited in practice. Fig. 2 illustrates that the access point 203 includes a first access point 2031, a second access point 2032, and a third access point 2033, and the number of access points 203 is not limited in practice. The access network device 201 belongs to the access stratum device discussed earlier, and the access network device 201 is, for example, an Access Switch (ASW). The terminal device 202 may be a mobile phone, a tablet computer, a Personal Computer (PC), or the like.
The second terminal device 2022 in this application refers generally to one terminal device among other terminal devices that has the same IP address as the first terminal device. Any one of the other terminal devices may be the second terminal device. The second terminal device may or may not be present in the other terminal devices.
The first terminal device 2021 enables communication with other devices through the first access network device 2011, the second terminal device 2022 enables communication with other devices through the second access network device 2012, and the third terminal device 2023 enables communication with other devices through the first access network device 2011.
Specifically, the first access network device 2011 receives an ND packet sent by the first terminal device 2021, where the ND packet includes the first identity information of the first terminal device 2021. The first access network device 2011 determines whether there is information in the binding table pre-stored by the first access network device 2011 that matches the first identity information. If no information matching the first identity information is present in the binding table, the first access network device 2011 determines if the other end devices 202 in the VLAN have a second end device 2022 with the same IP address as the first end device 2021. If there is no other terminal device 202 with the same IP address as the first terminal device 2021, the first access network device 2011 determines that the ND packet sent by the first terminal device 2021 is a legitimate packet.
In this embodiment, after determining that the binding table pre-stored in the first access network device 2011 does not have information that matches the first identity information of the first terminal device 2021, it may further determine whether a second terminal device 2022 having the same IP address as the first terminal device 2021 exists in other terminal devices, and further determine whether the ND packet is a valid packet, thereby reducing a situation that the first access network device 2011 misjudges the validity of the ND packet, and improving the accuracy of identifying the ND packet.
Based on the application scenario discussed in fig. 2, a method for identifying a packet in the embodiment of the present application is described below. The method may be performed by the access network device 201 discussed previously.
Please refer to fig. 3, which is a flowchart illustrating a method for identifying a packet according to the present application.
And S31, receiving the ND message sent by the first terminal equipment 2021.
When the first terminal device 2021 needs to communicate with the other terminal device 202 managed by the first access network device 2011, or when the first terminal device 2021 needs to communicate with the terminal device 202 managed by the other access network device 201, the first terminal device 2021 needs to establish a connection with the first access network device 2011 first. After establishing the connection, the first access network device 2011 may store the first identity information of the first end device 2021 in a binding table in the first access network device 2011. The following illustrates an example of the first access network device 2011 storing the first identity information of the first terminal device 2021 in the binding table.
The first access network device 2011 may monitor the first identity information of the first terminal device 2021 carried in a message sent by the first terminal device 2021, in order to obtain that first identity information, which includes, for example, an IPv6 address, a Media Access Control (MAC) address, interface index information, VLAN information, and the like. After acquiring the first identity information of the first terminal device 2021, the first access network device 2011 stores it in the binding table.
Specifically, the first access network device 2011 may establish a pre-stored binding table through a Source Address Validity Inspection (SAVI) technology. The first access network device 2011 may monitor the DAD process of the first terminal device 2021, and obtain the binding relationship between the IPv6 address, the MAC address, the interface index of the access device, and the VLAN information of the first terminal device 2021. The process of establishing the pre-stored binding table based on the SAVI is explained in detail below.
Specifically, when the first terminal device 2021 accesses the network, the IP address may be configured automatically, or the IP address may be configured manually by the user, for example, the IP address is an IPv6 address. The first end device 2021 may send an NS packet to the other end devices 202 in the VLAN through the first access network device 2011, where the NS packet carries, for example, a destination IPv6 address, a source IPv6 address, a MAC address, interface index information, and VLAN information. After acquiring the first identity information carried in the NS packet sent by the first terminal device 2021, the first access network device 2011 establishes a temporary binding table according to the first identity information. The first access network device 2011 determines whether the IPv6 address is in a formal binding table according to the temporary binding table.
After the first terminal device 2021 sends the NS packet, the first access network device 2011 determines whether a second terminal device 2022 whose IPv6 address conflicts with that of the first terminal device 2021 exists in the current VLAN by monitoring whether any other terminal device 202 feeds back an NA packet for the NS packet. If no NA packet from another terminal device 202 is received within the preset time duration, it is determined that no second terminal device 2022 conflicting with the IPv6 address of the first terminal device 2021 exists among the terminal devices 202 in the VLAN, and therefore the first access network device 2011 may write the first identity information of the first terminal device 2021 into the formal binding table.
An example binding table is shown in Table 1:
TABLE 1
Referring to Table 1, each entry of the binding table includes an IPv6 address, a MAC address, an interface index, and a VLAN ID. The interface index is the port identifier on the access network device.
In a possible embodiment, the binding table includes, in addition to the pre-stored identity information of the bound legitimate terminal device, information to be checked, a monitoring state, a monitoring check identification bit, timing information, and the like, and table 2 is an example structure of the binding table.
TABLE 2
The TP interface referred to in Table 2 is a Trusted Port (TP), the interface through which the access network device 201 is connected to the upper layer device 204. The VP interface is a Verification Port (VP), which means any interface of the access network device 201 other than the TP interface.
After the first terminal device 2021 accesses the network, the first terminal device 2021 may send a message to other devices through the first access network device 2011. For example, the first terminal device may send the ND message to the first access network device 2011 through the first access point 2031.
It should be noted that, in the present application, except when the binding table is specifically limited to be temporary, the remaining binding table refers to a formal binding table.
S32, determining whether the pre-stored binding table has information matched with the first identity information of the ND message.
If the pre-stored binding table does not contain information matching the first identity information of the ND message, the first access network device 2011 executes S33 to determine whether a second terminal device 2022 with the same IPv6 address as the first terminal device 2021 exists among the other terminal devices 202; if the pre-stored binding table contains information matching the first identity information of the ND message, it executes S36 to identify the ND message sent by the first terminal device 2021 as a legitimate message.
The following describes a process of determining, by the first access network device 2011, whether information matching the first identity information carried in the ND packet sent by the first terminal device 2021 exists in a pre-stored binding table.
In a possible embodiment, the first access network device 2011 determines, in a preset order, whether each item of the first identity information corresponds one to one with information in the binding table. The preset order is, for example, the IPv6 address first and then the other information, where the other information means the items of the first identity information other than the IPv6 address.
Specifically, after the first access network device 2011 acquires the first identity information carried in the ND packet, the first access network device 2011 first determines whether an IPv6 address identical to the IPv6 address exists in a pre-stored binding table. If the IPv6 address exists in the binding table, whether other information in the first identity information and other information in the binding table having a binding relationship with the IPv6 address are the same or not is further determined.
The following describes an example of the binding relationship between the pieces of information in the binding table, and the format of the binding relationship between the pieces of information is shown in table 3 below.
TABLE 3
Referring to Table 3, the table stores the IPv6 address as the key and the other information as values. When determining whether the pre-stored binding table contains information matching the first identity information of the ND packet, the first access network device 2011 first determines whether an entry with the same IPv6 address as the first terminal device 2021 exists, and then continues to determine whether the MAC address, interface index, and VLAN ID bound to that entry are the same as those of the first terminal device 2021.
If information completely identical to the first identity information of the ND message exists in the pre-stored binding table, it is determined that information matching the first identity information of the ND message exists in the pre-stored binding table. When the pre-stored binding table does not match the first identity information of the ND packet, one of the following two cases applies:
Case one:
The pre-stored identity information in the binding table is different from the first identity information carried in the ND message.
Specifically, this means that the pre-stored identity information in the binding table is not identical to the first identity information carried in the ND packet. For example, continuing with Table 3, if the KEY of the pre-stored binding table contains an IPv6 address equal to the IPv6 address in the first identity information carried in the ND packet sent by the first terminal device 2021, then related pre-stored identity information exists in the pre-stored binding table; if at least one of the MAC address, the interface index, and the VLAN ID does not match the information in the binding table, it is determined that the pre-stored identity information in the binding table is different from the first identity information carried in the ND packet.
Case two:
the binding table does not contain the first identity information carried in the ND message sent by the first terminal equipment.
Continuing with Table 3, if the KEY of the pre-stored binding table contains no IPv6 address equal to the one in the first identity information carried in the ND packet sent by the first terminal device, it is determined that no pre-stored identity information of the first terminal device exists in the pre-stored binding table.
The two cases are described below with reference to Table 4, which shows a specific example of a binding table:
TABLE 4
For example, after the first access network device 2011 receives the ND packet from the first terminal device 2021, the obtained first identity information is: IPv6 address 2001:0db8:85a3:08d3:1319:8a2e:0370:7344, MAC address 00-01-6C-06-a6-29, interface index 90, and VLAN ID 1. Using the IPv6 address 2001:0db8:85a3:08d3:1319:8a2e:0370:7344, the first access network device 2011 determines that this IPv6 address exists in the KEY of the pre-stored binding table. The first access network device 2011 then compares the interface index 90 in the first identity information carried in the ND packet with the interface index 80 bound to that IPv6 address in the binding table. Since they differ, the first access network device 2011 determines that the pre-stored identity information of the first terminal device 2021 in the binding table is different from the first identity information carried in the ND packet sent by the first terminal device 2021, that is, no information matching the first identity information carried in the ND packet exists in the binding table.
As another example, after the first access network device 2011 receives the ND packet from the first terminal device 2021, the obtained first identity information includes an IPv6 address of 6801:0d7h:65a3:09d3:6719:8a6r:0325:5684, a MAC address of 02-31-4C-26-a1-22, an interface index of 60, and a VLAN ID. Using the IPv6 address 6801:0d7h:65a3:09d3:6719:8a6r:0325:5684, the first access network device 2011 checks whether this IPv6 address exists in the KEY of the pre-stored binding table. It determines that the IPv6 address does not exist in the binding table, which indicates that no pre-stored identity information of the first terminal device 2021 exists in the binding table, and so the first access network device 2011 determines that no information matching the first identity information carried in the ND packet exists in the binding table.
S33, if there is no information matching the first identity information sent by the first terminal device 2021 in the pre-stored binding table, determine whether a second terminal device 2022 with the same IPv6 address as the first terminal device 2021 exists among the other terminal devices 202.
If it is determined that no second terminal device 2022 having the same IPv6 address as the first terminal device 2021 exists among the other terminal devices 202, S34 is executed to identify the ND packet sent by the first terminal device 2021 as a legitimate packet; if it is determined that such a second terminal device 2022 exists among the other terminal devices 202, S37 is executed to identify the ND message sent by the first terminal device 2021 as an illegal message.
When the pre-stored binding table does not contain information matching the first identity information, the first access network device 2011 needs to further determine the validity of the ND packet sent by the first terminal device 2021 according to the IPv6 address in the ND packet. The following describes the procedure by which the first access network device 2011 determines whether a second terminal device 2022 having the same IPv6 address as the first terminal device 2021 exists among the other terminal devices 202. For the first case:
The first access network device 2011 determines whether a second terminal device 2022 having the same IPv6 address as the first terminal device 2021 exists in the binding table of the first access network device 2011.
If the pre-stored identity information of the first terminal device 2021 in the binding table is different from the first identity information carried in the ND packet sent by the first terminal device 2021, the first access network device 2011 may send a probe packet to the other terminal devices 202 in its binding table except the first terminal device 2021, and send a probe packet to the terminal devices 202 under other access network devices 201 in the same VLAN. The probe packet carries the IPv6 address carried in the ND message.
Specifically, the first access network device 2011 may simultaneously send the probe message to the other terminal devices 202 in the binding table of the first access network device 2011 except the first terminal device 2021 and to the terminal devices 202 under the other access network devices 201 in the same VLAN, or may first send the probe message to the other terminal devices 202 in the binding table of the first access network device 2011 except the first terminal device 2021 and then send the probe message to the terminal devices 202 under the other access network devices 201 in the same VLAN.
If the first access network device 2011 does not receive, within the preset time duration, a reply message from another device (a reply message carrying the legal identity information of the replying device), it is determined that no device with the same IPv6 address as the first terminal device 2021 exists; in other words, a device having the IPv6 address carried in the ND message but different other identity information is currently not present in the network.
If the first access network device 2011 receives the response message sent by the other terminal device 202 within the preset time duration, it is determined that the IPv6 addresses of the second terminal device 2022 and the first terminal device 2021 are the same.
For the second case:
if the pre-stored identity information of the first terminal device 2021 does not exist in the pre-stored binding table, the first access network device 2011 may send a probe message to the terminal device 202 under another access network device 201 in the same VLAN as the first access network device 2011, where the probe message includes an IPv6 address carried in the ND message sent by the first terminal device 2021.
If the first access network device 2011 does not receive the response message within the preset time duration, it is determined that the IPv6 addresses of the second terminal device 2022 and the first terminal device 2021 are not the same.
If the first access network device 2011 receives the response message within the preset time duration, it is determined that the IPv6 addresses of the second terminal device 2022 and the first terminal device 2021 are the same.
In a possible embodiment, the response message carries a check identifier for the first identity information. After receiving the response message, the first access network device 2011 may determine whether the first identity information in the response message is valid according to the check identifier in the response message.
When the first access network device 2011 determines that no information matching the first identity information carried in the ND packet sent by the first terminal device 2021 exists in the pre-stored binding table, the first access network device 2011 is triggered to start the monitoring function and updates the monitoring state in the binding table according to the probing process. The monitoring process involves five monitoring states, and the changes of the monitoring state in the binding table are explained as follows:
First state:
An unbound (NO_BIND) state, which indicates that the IPv6 address carried in the ND message sent by the first terminal device 2021 does not exist in the binding table pre-stored in the first access network device 2011.
Second state:
A pending (TENTATIVE) state, in which a temporary binding table is established for the first identity information carried in the ND message without its validity having been verified.
Third state:
A valid binding (VALID) state, in which the temporary binding table whose validity has been verified is stored in the formal binding table.
Fourth state:
A VP interface probing waiting (TESTING_VP) state, used to probe whether the terminal device 202 corresponding to the pre-stored identity information in the binding table exists when the pre-stored identity information in the binding table is different from the first identity information carried in the ND packet.
Fifth state:
A TP interface probing waiting (TESTING_TP-LT) state, used to probe whether a second terminal device 2022 with the same IPv6 address as the first terminal device 2021 exists among the terminal devices 202 under the other access network devices 201 when no pre-stored identity information of the first terminal device 2021 exists in the pre-stored binding table.
The operations performed by the first access network device 2011 in the different monitoring states are shown in Table 5:
TABLE 5
The VPO interface referred to in Table 5 denotes another VP interface (VPO).
Referring to Table 5, the probing process of the first access network device 2011 is illustrated in conjunction with the two cases discussed above.
For the first case:
If the pre-stored identity information of the first terminal device 2021 in the binding table is different from the first identity information carried in the ND packet sent by the first terminal device 2021, the first access network device 2011 is triggered to start probing. The first access network device 2011 sends a probe packet through the VP interface to its other terminal devices 202 except the first terminal device 2021, sets a check flag, and changes the monitoring state of the source information from the VALID state to the TESTING_VP state.
If the other terminal devices 202 do not respond to the probe packet within the preset time duration, that is, the first access network device 2011 does not receive a response packet, the first access network device 2011 clears the check flag and changes the monitoring state of the source information from the TESTING_VP state to the VALID state.
If the terminal device 202 corresponding to the source information responds to the probe packet within the preset duration, that is, the first access network device 2011 receives a response packet, the first access network device 2011 sets the check flag, records an attack log, and changes the monitoring state of the source information from the TESTING_VP state to the VALID state.
For example, please refer to fig. 4, which shows one case of the monitoring state change process in the binding table. The first terminal device 2021 initially accesses the network via the first access point, and the first access network device 2011 stores the first identity information of the first terminal device 2021 in a binding table. At this time, the first access network device 2011 sets the pre-stored identity information of the first terminal device 2021 in the binding table to the VALID state. When the first terminal device 2021 moves within the service range of the second access point 2032, the first terminal device 2021 accesses the network through the second access point 2032. If the first terminal device 2021 sends an ND message at this time and the first access network device 2011 receives it, the source information and the check information may be mismatched, and the first access network device 2011 is then triggered to probe the validity of the ND message. At this time, the first access network device 2011 changes the pre-stored identity information of the first terminal device 2021 in the binding table from the VALID state to the TESTING_VP state. The first access network device 2011 forwards the probe packet through the VP interface to the other terminal devices 202 under the current VLAN except the first terminal device 2021. If the other terminal devices 202 do not respond within the preset time duration, the first access network device 2011 determines that the ND packet is legal and changes the identity information of the first terminal device 2021 in the binding table from the TESTING_VP state to the VALID state. The source information in the present application refers to the pre-stored identity information in the binding table, and the check information in the present application refers to the first identity information carried in the ND packet.
For the second case:
If no pre-stored identity information of the first terminal device 2021 exists in the pre-stored binding table, the first access network device 2011 is triggered to start probing. The first access network device 2011 sends a probe packet through the TP interface to the terminal devices 202 under the other access network devices 201, sets the monitoring check flag, and changes the monitoring state from the NO_BIND state to the TENTATIVE state.
If the other terminal devices 202 do not respond to the probe message within the preset time duration, that is, the first access network device 2011 does not receive a response message, the first access network device 2011 clears the check flag and changes the monitoring state from the TENTATIVE state to the NO_BIND state.
If another terminal device 202 responds to the probe message within the preset time duration, that is, the first access network device 2011 receives a response message, the first access network device 2011 sets the check identification bit, records an attack log, and changes the monitoring state from the TENTATIVE state to the NO_BIND state.
For example, please refer to fig. 5, which is another case of the listening status change process in the binding table. The first terminal device 2021 initially accesses the network via the first access point and the first access network device 2011 stores pre-stored identity information for the first terminal device 2021 in a binding table. The first access network device 2011 sets the pre-stored identity information of the first terminal device 2021 in the binding table to be in a VALID state. When the user moves the first terminal device 2021 into service range of the third access point 2033 under the second access network device 2012, the first terminal device 2021 accesses the network through the third access point 2033.
If the second access network device 2012 does not hold pre-stored information of the first terminal device 2021, the second access network device 2012 sets the monitoring state of the first terminal device 2021 to the NO_BIND state. If the first terminal device 2021 sends an ND packet through the second access network device 2012 at this time, and no source information matching the check information exists in the binding table of the second access network device 2012, the second access network device 2012 is triggered to further probe the validity of the ND packet. At this time, the second access network device 2012 changes the monitoring state of the first terminal device 2021 in the binding table from the NO_BIND state to the TENTATIVE state. The second access network device 2012 receives the packet sent from the first terminal device 2021 and forwards the probe packet to the other terminal devices 202 through the TP interface. If the terminal device 202 corresponding to the source information does not respond within the preset time duration, the monitoring state of the first terminal device 2021 in the second access network device 2012 is changed from the TENTATIVE state to the NO_BIND state.
S34, if there is no second terminal device 2022 with the same IP address as the first terminal device 2021 in the other terminal devices 202, the ND message sent by the first terminal device 2021 is identified as a valid message.
If the first access network device 2011 does not receive a response packet to the probe packet it sent to detect whether a second terminal device 2022 having the same IP address as the first terminal device 2021 exists among the other terminal devices 202, the first access network device 2011 may determine that the ND packet sent by the first terminal device 2021 is a legal packet.
S35, if the ND packet sent by the first terminal device 2021 is a legal packet, updating the pre-stored binding table according to the first identity information of the first terminal device 2021.
Under the condition that the pre-stored binding table does not contain information matched with the first identity information carried in the ND message sent by the first terminal device 2021, and the first access network device 2011 identifies the ND message sent by the first terminal device 2021 as a legal message, the first access network device 2011 can update the current first identity information of the first terminal device 2021 into the binding table, so that unnecessary verification processes are not performed in the process of sending the ND message by the first terminal device 2021 later. The following describes the procedure for updating the binding table in two cases, in conjunction with the two cases discussed above:
for the first case:
If the pre-stored identity information of the first terminal device 2021 in the binding table is different from the first identity information carried in the ND packet sent by the first terminal device 2021, and the first access network device 2011 does not receive a response packet, this indicates that the first identity information of the first terminal device 2021 has changed. The source information can then be updated to the check information and stored in the formal binding table.
For the second case:
If no pre-stored identity information of the first terminal device 2021 exists in the pre-stored binding table, and the first access network device 2011 does not receive a response message, this indicates that the first identity information of the first terminal device 2021 has changed; the first identity information of the first terminal device 2021 may be added to the binding table again, and at the same time the first access network device 2011 changes the monitoring state from the TENTATIVE state to the VALID state.
In a possible embodiment, the information in the binding table is periodically updated, and the first access network device 2011 reenters the monitoring mode, monitors the DAD process, obtains the binding information of the terminal device 202, and reestablishes the binding table.
If the first access network device 2011 determines that the pre-stored binding table contains information that matches the first identity information of the ND packet, S36 is executed to identify the ND packet sent by the first terminal device as a valid packet, and at this time, the binding table and the like do not need to be updated.
If the first access network device 2011 determines that a second terminal device 2022 with the same IPv6 address as the first terminal device 2021 exists among the other terminal devices, the first access network device executes S37 to identify the ND packet sent by the first terminal device 2021 as an illegal packet.
After the access network device 201 identifies the ND packet sent by the first terminal device 2021 as an illegal packet, the access network device 201 may record an attack log, which is convenient for subsequent network maintenance and management.
As an example, S36, S37, S35 are optional steps.
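As an added example that is not part of the patent, the following Python model covers the S32 lookup over the Table 3 key/value layout (match, case one, case two), the case-one and case-two monitoring-state transitions, and the S35 update, using the Table 4 walk-through as input. The class and function names, the `probe_answered` flag that stands in for the probe/response exchange, and the MAC address and VLAN ID bound in the sample row are assumptions; the page's second sample address is not valid hexadecimal, so a constructed address stands in for the case-two example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List
import ipaddress


class State(Enum):
    """The five monitoring states described above (TESTING_TP-LT kept as its label)."""
    NO_BIND = "NO_BIND"
    TENTATIVE = "TENTATIVE"
    VALID = "VALID"
    TESTING_VP = "TESTING_VP"
    TESTING_TP = "TESTING_TP-LT"


class Lookup(Enum):
    """Outcome of step S32."""
    MATCH = "match"         # every item identical: S36, legal, no update
    MISMATCH = "case one"   # IPv6 key present but another item differs
    ABSENT = "case two"     # IPv6 key not in the table at all


@dataclass(frozen=True)
class Identity:
    """First identity information carried in an ND message (Table 1 columns)."""
    ipv6: str
    mac: str
    ifindex: int
    vlan: int


@dataclass
class Entry:
    """One binding-table row: bound values plus monitoring state and check flag."""
    mac: str
    ifindex: int
    vlan: int
    state: State = State.VALID
    check_flag: bool = False


def _key(addr: str) -> str:
    """Table 3 uses the IPv6 address as KEY; normalise it so that
    2001:0db8::1 and 2001:db8::1 select the same row."""
    return str(ipaddress.IPv6Address(addr))


class BindingTable:
    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}   # the formal binding table
        self.attack_log: List[str] = []

    def bind(self, ident: Identity) -> None:
        """Write identity information into the formal table (state VALID)."""
        self.entries[_key(ident.ipv6)] = Entry(ident.mac.lower(), ident.ifindex, ident.vlan)

    def lookup(self, ident: Identity) -> Lookup:
        """S32 in the preset order: IPv6 key first, then MAC, interface index, VLAN ID."""
        entry = self.entries.get(_key(ident.ipv6))
        if entry is None:
            return Lookup.ABSENT
        if (entry.mac, entry.ifindex, entry.vlan) == (ident.mac.lower(), ident.ifindex, ident.vlan):
            return Lookup.MATCH
        return Lookup.MISMATCH

    def handle_nd(self, ident: Identity, probe_answered: bool) -> bool:
        """Steps S32 to S37 for one ND message; returns True when it is legal.
        `probe_answered` is an assumed stand-in for "a response message to the
        probe arrived within the preset duration"; no packet is actually sent."""
        result = self.lookup(ident)
        if result is Lookup.MATCH:
            return True                                   # S36
        key = _key(ident.ipv6)
        if result is Lookup.MISMATCH:
            # case one: probe the other terminals through the VP interfaces
            entry = self.entries[key]
            entry.state, entry.check_flag = State.TESTING_VP, True
            if probe_answered:                            # S37: duplicate address
                self.attack_log.append(f"duplicate {key}: {ident.mac} on ifindex {ident.ifindex}")
                entry.state = State.VALID                 # flag stays set, row unchanged
                return False
            entry.state, entry.check_flag = State.VALID, False
            self.bind(ident)                              # S35: source info := check info
            return True
        # case two: temporary entry, probe through the TP interface, NO_BIND -> TENTATIVE
        temp = Entry(ident.mac.lower(), ident.ifindex, ident.vlan, State.TENTATIVE, True)
        if probe_answered:                                # S37: back to NO_BIND, nothing stored
            self.attack_log.append(f"duplicate {key}: {ident.mac} on ifindex {ident.ifindex}")
            return False
        temp.state, temp.check_flag = State.VALID, False  # S35: TENTATIVE -> VALID
        self.entries[key] = temp
        return True


def table4_sample() -> BindingTable:
    """Constructed from the Table 4 walk-through: the page gives the IPv6 address
    and a bound interface index of 80; the MAC address and VLAN ID are assumed."""
    table = BindingTable()
    table.bind(Identity("2001:0db8:85a3:08d3:1319:8a2e:0370:7344", "00-01-6C-06-a6-29", 80, 1))
    return table
```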
Based on the same inventive concept, the embodiment of the present application provides an access network device 201, and the access network device 201 can implement the function corresponding to the foregoing method for identifying a packet. The access network apparatus 201 corresponds to the access network apparatus 201 discussed above. Referring to fig. 6, the access network device 201 includes a transceiver module 601 and a processing module 602, where:
a transceiver module 601, configured to receive a neighbor discovery message sent by a first terminal device; the neighbor discovery message comprises first identity information of the first terminal equipment, wherein the first identity information comprises an Internet Protocol (IP) address of the first terminal equipment;
a processing module 602, configured to determine whether a second terminal device having the same IP address as the first terminal device exists in other terminal devices if the pre-stored binding table does not include information matching the first identity information; the other terminal devices are terminal devices except the first terminal device in the current virtual local area network; and the neighbor discovery message is identified as a legal message if no second terminal equipment with the same IP address as the first terminal equipment exists.
In a possible embodiment, the processing module 602 is further configured to:
and if the pre-stored binding table has information matched with the first identity information, identifying the neighbor discovery message as a legal message.
In one possible embodiment, the absence of information in the binding table that matches the first identity information comprises:
the pre-stored identity information of the first terminal equipment in the pre-stored binding table is different from the first identity information; or, if the pre-stored identity information of the first terminal device does not exist in the binding table, determining that the information matched with the first identity information does not exist in the binding table.
In a possible embodiment, the transceiver module 601 is further configured to send a probe packet to other terminal devices; the detection message is used for detecting whether a second terminal device with the same IP address as the first terminal device exists in other terminal devices;
the processing module 602 is specifically configured to determine that a second terminal device having the same IP address as the first terminal device exists in other terminal devices if a response message sent by the other terminal device is received within a preset time duration; the response message includes legal identity information of a second terminal device in other terminal devices, which has the same IP address as the first terminal device, and if the response message sent by the other terminal device is not received within a preset time length, it is determined that the second terminal device having the same IP address as the first terminal device does not exist in the other terminal devices.
In a possible embodiment, the processing module 602 is specifically configured to:
after judging whether a second terminal device with the same IP address as the first terminal device exists in other terminal devices, if the second terminal device with the same IP address as the first terminal device exists, the neighbor discovery message is identified as an illegal message.
In a possible embodiment, the processing module 602 is specifically configured to:
and if the second terminal equipment with the same IP address as the first terminal equipment exists, identifying the neighbor discovery message as an illegal message.
Based on the same inventive concept, an embodiment of the present application provides an access network device 201, where the access network device 201 is equivalent to the access network device 201 discussed in the foregoing, please refer to fig. 7, and the access network device 201 includes:
at least one processor 701 and a memory 702 connected to the at least one processor 701. The specific connection medium between the processor 701 and the memory 702 is not limited in this embodiment; fig. 7 illustrates an example in which the processor 701 and the memory 702 are connected by a bus 700. The bus 700 is drawn in fig. 7 as a thick line, and the connections between other components are merely illustrative and not limited thereto. The bus 700 may be divided into an address bus, a data bus, a control bus, and so on; it is drawn in fig. 7 as only one thick line for ease of illustration, but this does not mean there is only one bus or one type of bus. Alternatively, the processor 701 may also be referred to as the controller 701; the name is not limited.
In the embodiment of the present application, the memory 702 stores instructions executable by the at least one processor 701, and the at least one processor 701 may execute the method for identifying a message discussed above by executing the instructions stored in the memory 702. The processor 701 may implement the functions of the respective modules in the access network device 201 shown in fig. 6.
The processor 701 is the control center of the access network device 201; it may connect the various parts of the entire access network device 201 through various interfaces and lines, and, by running or executing the instructions stored in the memory 702 and invoking the data stored in the memory 702, perform the various functions of the access network device 201 and process data.
In one possible embodiment, processor 701 may include one or more processing units, and processor 701 may integrate an application processor, which primarily handles operating systems, user interfaces, application programs, etc., and a modem processor, which primarily handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 701. In some embodiments, processor 701 and memory 702 may be implemented on the same chip, or in some embodiments, they may be implemented separately on separate chips.
The processor 701 may be a general-purpose processor, such as a Central Processing Unit (CPU), a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof, and may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application.
The memory 702, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 702 may include at least one type of storage medium, for example a flash memory, a hard disk, a multimedia card, a card-type memory, a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Programmable Read Only Memory (PROM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a magnetic memory, a magnetic disk, an optical disk, and so on. The memory 702 may be, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 702 in the embodiments of the present application may also be a circuit or any other device capable of performing a storage function, for storing program instructions and/or data.
Based on the same inventive concept, the present application further provides a storage medium storing computer instructions, which when executed on a computer, cause the computer to perform the method for identifying a message discussed above.
In some possible embodiments, the various aspects of the method for identifying a message provided in the present application may also be implemented in the form of a program product, which includes program code for causing an apparatus to perform the steps of the method for identifying a message according to the various exemplary embodiments of the present application described above in this specification, when the program product runs on the apparatus.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (9)

1. A method for identifying a message is applied to an access network device, and the method comprises the following steps:
receiving a neighbor discovery message sent by first terminal equipment; the neighbor discovery message comprises first identity information of the first terminal equipment, wherein the first identity information comprises an Internet Protocol (IP) address of the first terminal equipment;
if the prestored binding table does not contain information matched with the first identity information, judging whether a second terminal device with the same IP address as the first terminal device exists in other terminal devices or not; wherein the other terminal devices are terminal devices except the first terminal device in the current virtual local area network;
if the second terminal equipment with the same IP address as the first terminal equipment does not exist, identifying the neighbor discovery message as a legal message;
wherein the absence of information matching the first identity information in the pre-stored binding table comprises:
the pre-stored identity information of the first terminal equipment in the pre-stored binding table being different from the first identity information; or
the pre-stored binding table not containing the pre-stored identity information of the first terminal equipment.
2. The method of claim 1, wherein determining whether a second terminal device having the same IP address as the first terminal device exists in the other terminal devices comprises:
sending a detection message to the other terminal equipment; the detection message is used for detecting whether a second terminal device with the same IP address as the first terminal device exists in other terminal devices;
if response messages sent by other terminal equipment are received within a preset time length, determining that the second terminal equipment with the same IP address as the first terminal equipment exists in the other terminal equipment; the response message comprises legal identity information of the second terminal equipment which is the same as the IP address of the first terminal equipment in other terminal equipment;
and if the response messages sent by other terminal equipment are not received within the preset time length, determining that the second terminal equipment with the same IP address as the first terminal equipment does not exist in other terminal equipment.
3. The method according to claim 2, wherein after determining whether a second terminal device having the same IP address as the first terminal device exists in the other terminal devices, the method comprises:
and if the second terminal equipment with the same IP address as the first terminal equipment exists, identifying the neighbor discovery message as an illegal message.
4. The method of claim 1, wherein after identifying the neighbor discovery message as a legal message, the method further comprises:
if the first identity information is different from the pre-stored identity information of the first terminal equipment pre-stored in the binding table, updating the pre-stored identity information of the first terminal equipment pre-stored in the binding table into the first identity information;
and if the pre-stored identity information of the first terminal equipment does not exist in the binding table, newly adding the first identity information in the binding table.
5. An access network device, comprising:
the receiving and sending module is used for receiving a neighbor discovery message sent by the first terminal equipment; the neighbor discovery message comprises first identity information of the first terminal equipment, wherein the first identity information comprises an Internet Protocol (IP) address of the first terminal equipment;
the processing module is used for judging whether a second terminal device with the same IP address as the first terminal device exists in other terminal devices if the pre-stored binding table does not contain information matching the first identity information; the other terminal devices are terminal devices except the first terminal device in the current virtual local area network; and the processing module is further used for identifying the neighbor discovery message as a legal message if the second terminal equipment with the same IP address as the first terminal equipment does not exist; wherein the pre-stored binding table having no information matching the first identity information includes: the pre-stored identity information of the first terminal equipment in the pre-stored binding table being different from the first identity information; or the pre-stored identity information of the first terminal device not existing in the pre-stored binding table.
6. The access network apparatus of claim 5,
the transceiver module is further configured to send a detection packet to the other terminal device; the detection message is used for detecting whether a second terminal device with the same IP address as the first terminal device exists in other terminal devices;
the processing module is specifically configured to determine that the second terminal device having the same IP address as the first terminal device exists in the other terminal devices if a response message sent by the other terminal devices is received within a preset time length; the response message comprises legal identity information of the second terminal equipment in the other terminal equipment that has the same IP address as the first terminal equipment; and the processing module is further configured to determine that the second terminal device with the same IP address as the first terminal device does not exist in the other terminal devices if no response message sent by the other terminal devices is received within the preset time length.
7. The access network device of claim 6, wherein the processing module is further configured to:
after judging whether a second terminal device with the same IP address as the first terminal device exists in the other terminal devices, identify the neighbor discovery message as an illegal message if the second terminal device with the same IP address as the first terminal device exists.
8. An access network device, comprising:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and executing the method according to any one of claims 1 to 4 according to the obtained program instructions.
9. A storage medium having stored thereon computer-executable instructions for causing a computer to perform the method of any one of claims 1 to 4.
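The procedure of claims 1 to 4 (binding-table lookup, detection message to the other terminals in the VLAN, verdict, table update), as an added Python model that is not part of the patent or the assignee's code; the (vlan, mac) table key, the Identity and SimHost names and the probe callback are assumptions, and the detection message is simulated in memory rather than sent on the wire.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """Identity information carried by a neighbor discovery (ND) message."""
    mac: str   # link-layer address of the terminal (assumed table key)
    ip: str    # IP address the terminal claims
    vlan: int  # VLAN on which the access device received the message


# Binding table keyed by (vlan, mac): an assumed layout, not the patent's.
BindingTable = Dict[Tuple[int, str], Identity]
# A probe sends the detection message (claim 2) and returns the identity of
# a second terminal that answered within the preset time, or None.
Probe = Callable[[Identity], Optional[Identity]]


def classify_nd_message(table: BindingTable, msg: Identity, probe: Probe) -> str:
    """Return "legal" or "illegal" for msg, updating table as in claim 4."""
    key = (msg.vlan, msg.mac)
    if table.get(key) == msg:
        # Binding table already holds matching information; assumed legal.
        return "legal"
    # No match (entry differs or is absent): ask the other terminals in the
    # VLAN whether one of them already uses this IP address.
    if probe(msg) is not None:
        return "illegal"          # claim 3: a second terminal owns the IP
    table[key] = msg              # claim 4: update stale entry or add new
    return "legal"


@dataclass
class SimHost:
    """Constructed terminal for the simulation; answers_probe=False models a
    host that does not reply to the detection message within the time."""
    ident: Identity
    answers_probe: bool = True


def make_probe(hosts: List[SimHost]) -> Probe:
    """Build a probe over constructed hosts; only other terminals (different
    MAC) in the same VLAN that answer in time count as a second terminal."""
    def probe(msg: Identity) -> Optional[Identity]:
        for h in hosts:
            if (h.ident.vlan == msg.vlan and h.ident.mac != msg.mac
                    and h.ident.ip == msg.ip and h.answers_probe):
                return h.ident
        return None
    return probe
```

The answers_probe flag exposes the limit of claim 2: a second terminal that holds the address but does not answer within the preset time is not detected, so the message is accepted and the binding table is updated.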
CN201910903727.3A 2019-09-24 2019-09-24 Method for identifying message and access network equipment Active CN110611678B (en)

Publications (2)

Publication Number Publication Date
CN110611678A CN110611678A (en) 2019-12-24
CN110611678B true CN110611678B (en) 2022-05-20
Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111835779B (en) * 2020-07-20 2023-04-18 安徽华速达电子科技有限公司 Authentication method for equipment access platform

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101552677A (en) * 2009-05-12 2009-10-07 杭州华三通信技术有限公司 Processing method and exchange equipment for address detected message
CN101577675A (en) * 2009-06-02 2009-11-11 杭州华三通信技术有限公司 Method and device for protecting neighbor table in IPv6 network
CN101651696A (en) * 2009-09-17 2010-02-17 杭州华三通信技术有限公司 Method and device for preventing neighbor discovery (ND) attack
CN101938411A (en) * 2010-08-03 2011-01-05 杭州华三通信技术有限公司 Method and equipment for processing ND snooping item
CN102137073A (en) * 2010-01-22 2011-07-27 杭州华三通信技术有限公司 Method and access equipment for preventing imitating internet protocol (IP) address to attack
CN102244651A (en) * 2010-05-14 2011-11-16 杭州华三通信技术有限公司 Method for preventing attack of illegal neighbor discovery protocol message and access equipment
CN107547510A (en) * 2017-07-04 2018-01-05 新华三技术有限公司 A kind of safe list item treating method and apparatus of Neighbor Discovery Protocol


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant