CN116634435A - Safety protection method, device, equipment and medium - Google Patents
Safety protection method, device, equipment and medium
- Publication number: CN116634435A (application CN202310724145.5A)
- Authority: CN (China)
- Prior art keywords: target, data packet, base station, address, ipv6
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04W12/108: Source integrity (H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity; H04W12/10 Integrity)
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L63/02 Network security architectures or protocols for separating internal from external traffic, e.g. firewalls; H04L63/0227 Filtering policies)
- H04L9/40: Network security protocols (H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications)
- H04W12/122: Counter-measures against attacks; Protection against rogue devices (H04W12/12 Detection or prevention of fraud; H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS])
- Y02D30/70: Reducing energy consumption in wireless communication networks (Y02D Climate change mitigation technologies in information and communication technologies [ICT])
Abstract
The application discloses a safety protection method, device, equipment and medium in the field of mobile communication security, applied to a user plane function network element and comprising the following steps: acquiring each data packet; checking whether the first base station address and the first IPv6 prefix in the first IPv6 address corresponding to the first data packet are consistent with the target base station address and the target IPv6 prefix; if so, checking whether the subsequent base station address and the subsequent IPv6 address corresponding to each subsequent data packet are consistent with the target base station address and the first IPv6 address, sending the subsequent data packet to the target network device if they are, and discarding it if they are not. This ensures that every subsequent data packet sent to the target network device was sent by the user that sent the first data packet, through the terminal that sent the first data packet, via the target base station. Because all data packets forwarded to the target network device come from the user and terminal of the first data packet, a large number of false users cannot exist; only one user exists.
Description
Technical Field
The present application relates to the field of mobile communications security, and in particular, to a security protection method, apparatus, device, and medium.
Background
Currently, the IPv6 address of a terminal in 5G (5th Generation Mobile Communication Technology) is allocated to the terminal by the core network. Specifically, the session management network element first allocates an interface identifier to the terminal; the terminal generates a new 64-bit interface identifier from that identifier combined with its own MAC (Media Access Control) address; meanwhile the terminal obtains the 64-bit prefix allocated by the core network, and the prefix and the interface identifier together form the terminal's IPv6 address. Using this address, the terminal can access the internet data network of a network device through the core network. The user plane function network element in the core network is the interface between the core network data plane and the external internet: after decapsulation it performs packet detection (i.e. checks the 64-bit prefix) on data packets initiated by the terminal, and performs route forwarding, QoS (Quality of Service), charging and so on according to the rule matched by the packet detection.
For an IPv6 user, the existing operator processing flow mainly checks the leading 64-bit IPv6 prefix of the user's source address. Consequently, once a counterfeiter intercepts a terminal's 64-bit prefix, it can forge arbitrary IPv6 addresses of the terminal from that prefix and then use those addresses to access internet data, stealing data traffic and causing additional charging for the original terminal user. Further, if a counterfeiter uses the 64-bit prefix to forge a large number of false users accessing internet data, it can occupy the bandwidth of the core network user plane and mount a serious DDoS (Distributed Denial of Service) attack on the internet server.
In summary, how to prevent counterfeiters from forging a large number of false users is a problem that currently needs to be solved urgently.
Disclosure of Invention
In view of the above, the present application aims to provide a security protection method, device, apparatus and medium capable of preventing counterfeiters from forging a large number of false users. The specific scheme is as follows:
in a first aspect, the present application discloses a security protection method applied to a user plane function network element, including:
acquiring each data packet sent to the locally accessed target network device;
checking whether the first base station address corresponding to the first data packet among the data packets is consistent with the target base station address issued by the session management network element, and whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet is consistent with the target IPv6 prefix; an IPv6 address comprises an IPv6 prefix and an interface identifier; one user corresponds to one IPv6 prefix; one interface identifier corresponds to one terminal;
if so, checking whether the subsequent base station address and the subsequent IPv6 address corresponding to each subsequent data packet among the data packets are consistent with the target base station address and the first IPv6 address; if so, sending the subsequent data packet to the target network device, and if not, discarding the subsequent data packet, so as to ensure that every subsequent data packet sent to the target network device is sent by the user that sent the first data packet, through the terminal that sent the first data packet, via the target base station;
and if not, taking the next data packet among the data packets as the first data packet, and returning to the step of checking whether the first base station address corresponding to the first data packet is consistent with the target base station address issued by the session management network element and whether the first IPv6 prefix is consistent with the target IPv6 prefix, until the checking of the data packets is completed.
Optionally, before acquiring each data packet sent to the locally accessed target network device, the method further includes:
after a target user accesses the session management network element through a target terminal via the target base station and initiates a session request, acquiring the target base station address of the target base station and the target IPv6 prefix sent by the session management network element;
sending the target IPv6 prefix to the target terminal, so that the target terminal allocates the target IPv6 prefix to the target user and combines the target interface identifier provided by the target terminal with the target IPv6 prefix to obtain the target IPv6 address; the target terminal then constructs an initial data packet based on the target IPv6 address and sends it to the user plane function network element through the target base station; after the target base station receives the initial data packet, it adds the target base station address to the initial data packet as the source address to obtain the target data packet, and sends the target data packet to the user plane function network element; the target interface identifier is an interface identifier generated by the target terminal from the terminal's media access control address and the initial interface identifier allocated to the target terminal by the session management network element.
Optionally, after obtaining the target base station address and the target IPv6 prefix sent by the session management network element, the method further includes:
determining the target base station from the target base station address, and establishing a target tunnel between the target base station and the user plane function network element, so that the target base station sends the target data packet to the user plane function network element through the target tunnel.
Optionally, sending the target IPv6 prefix to the target terminal includes:
acquiring a router solicitation sent by the target terminal, and returning a router advertisement to the target terminal in response to it; the router advertisement carries the target IPv6 prefix.
Optionally, obtaining the target base station address of the target base station and the target IPv6 prefix sent by the session management network element includes:
acquiring a session establishment message sent by the session management network element, and obtaining the target base station address of the target base station carried in a first field of the session establishment message and the target IPv6 prefix carried in a second field of the session establishment message.
Optionally, before acquiring each data packet sent to the locally accessed target network device, the method further includes:
acquiring a target field carrying the target base station address issued by the session management network element, and obtaining the target base station address from the target field; the target field is an existing field between the session management network element and the user plane function network element that is reused (multiplexed) for this purpose.
In a second aspect, the present application discloses a security protection apparatus applied to a user plane function network element, including:
a data packet acquisition module, configured to acquire each data packet sent to the locally accessed target network device;
a first checking module, configured to check whether the first base station address corresponding to the first data packet among the data packets is consistent with the target base station address issued by the session management network element, and whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet is consistent with the target IPv6 prefix; an IPv6 address comprises an IPv6 prefix and an interface identifier; one user corresponds to one IPv6 prefix; one interface identifier corresponds to one terminal;
a second checking module, configured to, if so, check whether the subsequent base station address and the subsequent IPv6 address corresponding to each subsequent data packet among the data packets are consistent with the target base station address and the first IPv6 address, send the subsequent data packet to the target network device if so, and discard the subsequent data packet if not, so as to ensure that every subsequent data packet sent to the target network device is sent by the user that sent the first data packet, through the terminal that sent the first data packet, via the target base station;
and a first data packet determining module, configured to, if not, take the next data packet among the data packets as the first data packet and return to the step of checking whether the first base station address corresponding to the first data packet is consistent with the target base station address issued by the session management network element and whether the first IPv6 prefix is consistent with the target IPv6 prefix, until the checking of the data packets is completed.
Optionally, the security protection apparatus further includes:
an information acquisition module, configured to acquire the target base station address of the target base station and the target IPv6 prefix sent by the session management network element after a target user accesses the session management network element through the target terminal via the target base station and initiates a session request;
an information sending module, configured to send the target IPv6 prefix to the target terminal, so that the target terminal allocates the target IPv6 prefix to the target user and combines the target interface identifier provided by the target terminal with the target IPv6 prefix to obtain the target IPv6 address; the target terminal then constructs an initial data packet based on the target IPv6 address and sends it to the user plane function network element through the target base station; after the target base station receives the initial data packet, it adds the target base station address to the initial data packet as the source address to obtain the target data packet, and sends the target data packet to the user plane function network element.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
and a processor for executing the computer program to implement the previously disclosed security protection method.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the previously disclosed security protection method.
The application acquires each data packet sent to the locally accessed target network device; checks whether the first base station address corresponding to the first data packet among the data packets is consistent with the target base station address issued by the session management network element, and whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet is consistent with the target IPv6 prefix (an IPv6 address comprises an IPv6 prefix and an interface identifier; one user corresponds to one IPv6 prefix; one interface identifier corresponds to one terminal); if so, checks whether the subsequent base station address and the subsequent IPv6 address corresponding to each subsequent data packet are consistent with the target base station address and the first IPv6 address, sends the subsequent data packet to the target network device if so, and discards it if not, so as to ensure that every subsequent data packet sent to the target network device is sent by the user terminal that sent the first data packet via the target base station; and if not, takes the next data packet as the first data packet and returns to the checking step, until the checking of the data packets is completed.
Therefore, the first IPv6 address (comprising the first IPv6 prefix and the first interface identifier) of the first data packet that passes the IPv6 prefix verification is used to verify the subsequent data packets, so that every subsequent data packet sent to the target network device is sent by the user terminal that sent the first data packet via the target base station. At that point only data packets sent by one user through one terminal via the target base station are accepted, and data packets sent by other users through other terminals via the target base station are not, so a large number of false users is avoided and only one user exists.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a security protection method disclosed by the application;
FIG. 2 is a flow chart of a specific security protection method disclosed in the present application;
FIG. 3 is a schematic diagram of a security protection process according to the present disclosure;
FIG. 4 is a schematic view of a security protection apparatus according to the present disclosure;
FIG. 5 is a block diagram of an electronic device according to the present disclosure.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
When the 64-bit prefix of a terminal is intercepted by a counterfeiter, the counterfeiter can forge arbitrary IPv6 addresses of the terminal, then access internet data using those addresses, stealing data traffic and causing additional charging for the original terminal user. Further, if a counterfeiter uses the 64-bit prefix to forge a large number of false users accessing internet data, it can occupy the bandwidth of the core network user plane and mount a serious DDoS (Distributed Denial of Service) attack on the internet server.
Therefore, the embodiments of the application provide a security protection scheme that can prevent counterfeiters from forging a large number of false users.
An embodiment of the application discloses a security protection method applied to a user plane function network element. As shown in FIG. 1, the method includes the following steps:
Step S11: acquiring each data packet sent to the locally accessed target network device.
In this embodiment, the data packets may include the target data packet, false data packets sent based on the target IPv6 prefix after a false user has intercepted it, and other data packets unrelated to the target IPv6 prefix. It should be noted that after intercepting the target IPv6 prefix, the false user can combine it with the false interface identifier of the terminal where the false user is located to construct a false IPv6 address, and send false data packets based on that address; the false interface identifier is the interface identifier generated from the real media access control address of the terminal where the false user is located.
In this embodiment, before acquiring each data packet sent to the locally accessed target network device, the method further includes: acquiring a target field carrying the target base station address issued by the session management network element, and obtaining the target base station address from the target field; the target field is an existing field between the session management network element and the user plane function network element that is reused (multiplexed) for this purpose.
Note that the reused existing field is the Source IP Address field. The reasons for using this field are: 1. the internal structure of the field accommodates tunnel IPv4 and IPv6 dual-stack addresses; 2. the field originally concerns only the special-purpose multi-downlink multicast function of the user plane network element, so reusing it does not affect the basic functions of the user plane network element, and the two uses of the field can be distinguished inside the user plane network element by a feature switch; 3. reusing an existing 3GPP (3rd Generation Partnership Project) field rather than defining a private field to carry the target base station address is chosen because a private field may cause abnormal interworking between the session management network element and user plane function network elements of other vendors.
It should be noted that, because the existing operator matching process does not check the base station address of a data packet, a counterfeiter can also get into the backhaul network between the base station and the user plane network element by forging the base station address; if the counterfeiter uses a base station address to forge a large number of uplink data packets accessing internet data, the resulting data storm will likewise occupy the bandwidth of the core network user plane, in serious cases preventing normal users from accessing the internet. Therefore, the user plane network element acquires the target base station address and adds the step of checking the target base station address, further ensuring that users can access the internet normally.
Step S12: checking whether the first base station address corresponding to the first data packet among the data packets is consistent with the target base station address issued by the session management network element, and whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet is consistent with the target IPv6 prefix; an IPv6 address comprises an IPv6 prefix and an interface identifier; one user corresponds to one IPv6 prefix; one interface identifier corresponds to one terminal.
In this embodiment, the user plane functional network element and the session management network element both belong to a core network element.
In this embodiment, checking whether the first base station address is consistent with the target base station address ensures that the data packet was forwarded by the target base station corresponding to the target base station address.
In this embodiment, checking whether the first IPv6 prefix is consistent with the target IPv6 prefix determines whether the data packet was sent based on the target IPv6 prefix. It should be noted that, although one user corresponds to one IPv6 prefix, a false user may intercept the target user's target IPv6 prefix, in which case the prefix of the false data packets sent by the false user is also the target IPv6 prefix.
In summary, whether the first IPv6 prefix is consistent with the target IPv6 prefix cannot by itself determine whether the sender of the data packet is the target user or a false user, but it excludes other data packets unrelated to the target IPv6 prefix, and so ensures that the prefix used by the sender of the data packet is the target IPv6 prefix.
Step S13: and if so, checking whether the target base station address and the first IPv6 address are consistent with the subsequent base station address and the subsequent IPv6 address corresponding to the subsequent data packet in the data packets, if so, sending the subsequent data packet to the target network equipment, and if not, discarding the subsequent data packet to ensure that the subsequent data packet sent to the target network equipment is sent by a user sending the first data packet through a terminal sending the first data packet based on the target base station.
In this embodiment, if the prefix of the first IPv6 is checked to be consistent with the prefix of the target IPv6, it is determined that the prefix used by the user sending the data packet is the prefix of the target IPv6, that is, the target user or any virtual user, and at this time, the target base station address and the first IPv6 address are checked to be consistent with the address of the subsequent base station corresponding to the subsequent data packet in each data packet, that is, whether the address of the target base station is consistent with the address of the subsequent base station, whether the prefix of the first IPv6 in the address of the first IPv6 is consistent with the prefix of the subsequent IPv6, and whether the identifier of the first interface in the address of the first IPv6 is consistent with the identifier of the subsequent interface in the subsequent IPv6 address are checked, and if all of the prefixes are consistent, the subsequent data packets sent to the target network device are sent by the user sending the first data packet through the terminal sending the first data packet based on the target base station, that is the same as the terminal sending the first data packet and the terminal receiving the first data packet.
Step S14: and if not, taking the next data packet in the data packets as the first data packet, and jumping to the step of checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet in the data packets is consistent with the corresponding first base station address, and the target base station address issued by the session management network element is consistent with the target IPv6 prefix or not until the data packet checking is completed.
In this embodiment, if the first data packet is inconsistent, the current first data packet is discarded, and the next data packet in the data packets is used as the first data packet.
In summary, only one fixed user can send a data packet to the target network device through one fixed terminal.
Therefore, the application uses the head IPv6 address (comprising the head IPv6 prefix and the head interface identifier) of the head data packet passing the IPv6 prefix verification to verify the subsequent data packet, so that the subsequent data packet sent to the target network equipment is sent by the user sending the head data packet through the terminal sending the head data packet based on the target base station, only one user can obtain the data packet sent by the user through one terminal based on the target base station at the moment, a large number of false users cannot exist, only one user exists, and when the head IPv6 address is the address forged by the false user after intercepting the target IPv6 prefix, the subsequent obtained data packet can only be sent by the false user, and when the head IPv6 address is the target IPv6 address of the target user, the subsequent obtained data packet is also sent by the target user.
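Steps S11 to S14 replayed over constructed packets, as an added example that is not code from the patent: the addresses, interface identifiers and class names are assumptions, and it assumes that the first data packet passing step S12 is itself forwarded, which the text implies but does not state. The second packet sequence shows the limitation the description admits: if a false user's packet arrives first, the session locks onto the false user.

```python
"""Model of the user plane function (UPF) check in steps S11-S14 (added example)."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """An uplink packet as the UPF sees it after tunnel decapsulation (constructed)."""
    bs_addr: str    # source address the base station added (step S22)
    src_ipv6: str   # terminal source address: 64-bit prefix + 64-bit interface identifier
    label: str      # constructed tag so the trace can be read


@dataclass(frozen=True)
class Session:
    """Values the session management network element hands to the UPF (step S21)."""
    target_bs_addr: str
    target_prefix: IPv6Network   # the /64 target IPv6 prefix


def split_ipv6(addr: str) -> Tuple[IPv6Network, int]:
    """Split an IPv6 address into its /64 prefix and 64-bit interface identifier."""
    value = int(IPv6Address(addr))
    prefix = IPv6Network(((value >> 64) << 64, 64))
    iid = value & ((1 << 64) - 1)
    return prefix, iid


def make_ipv6(prefix: IPv6Network, iid: int) -> str:
    """Terminal side of step S22: combine the target prefix with the interface identifier."""
    if prefix.prefixlen != 64 or not 0 <= iid < (1 << 64):
        raise ValueError("expected a /64 prefix and a 64-bit interface identifier")
    return str(IPv6Address(int(prefix.network_address) | iid))


class UpfFilter:
    """Per-session check: S12 selects a first packet, S13 locks later packets to it."""

    def __init__(self, session: Session) -> None:
        self.session = session
        # (base station address, prefix, interface identifier) of the accepted first packet
        self.lock: Optional[Tuple[str, IPv6Network, int]] = None

    def first_packet_ok(self, pkt: Packet) -> bool:
        """S12: base station address and IPv6 prefix must both match the SMF-issued targets."""
        prefix, _ = split_ipv6(pkt.src_ipv6)
        return pkt.bs_addr == self.session.target_bs_addr and prefix == self.session.target_prefix

    def handle(self, pkt: Packet) -> str:
        """Return "forward" or "drop" for one packet."""
        prefix, iid = split_ipv6(pkt.src_ipv6)
        if self.lock is None:
            # S14: a failing candidate is dropped and the next packet becomes the "first" one.
            if not self.first_packet_ok(pkt):
                return "drop"
            # Assumption: the first packet that passes S12 is itself forwarded.
            self.lock = (pkt.bs_addr, prefix, iid)
            return "forward"
        # S13: base station address, prefix and interface identifier must all equal the first packet's.
        return "forward" if (pkt.bs_addr, prefix, iid) == self.lock else "drop"


def run_filter(session: Session, packets: List[Packet]) -> List[str]:
    """Apply the check to a packet sequence and return one decision per packet."""
    upf = UpfFilter(session)
    return [upf.handle(p) for p in packets]


# Constructed scenario (documentation address ranges): one target user, one false user
# who has intercepted the target prefix, and one forged base station address.
TARGET_PREFIX = IPv6Network("2001:db8:1:2::/64")
TARGET_BS = "192.0.2.10"             # target base station (tunnel source address)
ROGUE_BS = "192.0.2.99"              # forged base station address on the backhaul
TARGET_IID = 0x0211_22FF_FE33_4455   # target terminal interface identifier
FORGED_IID = 0x0A1B_2CFF_FE3D_4E5F   # false user on another terminal

SESSION = Session(TARGET_BS, TARGET_PREFIX)
TARGET_ADDR = make_ipv6(TARGET_PREFIX, TARGET_IID)
FORGED_ADDR = make_ipv6(TARGET_PREFIX, FORGED_IID)

PACKETS = [
    Packet(ROGUE_BS, TARGET_ADDR, "right prefix, forged base station address"),
    Packet(TARGET_BS, "2001:db8:ffff::1", "right base station, unrelated prefix"),
    Packet(TARGET_BS, TARGET_ADDR, "target user: becomes the first packet"),
    Packet(TARGET_BS, TARGET_ADDR, "target user again"),
    Packet(TARGET_BS, FORGED_ADDR, "false user with the intercepted prefix"),
    Packet(ROGUE_BS, TARGET_ADDR, "target address via forged base station"),
]

# Limitation the description admits: if the false user's packet is the first to pass S12,
# the session locks onto the false user and the target user's packets are dropped.
PACKETS_FORGER_FIRST = [PACKETS[4], PACKETS[2]]

if __name__ == "__main__":
    for pkt, decision in zip(PACKETS, run_filter(SESSION, PACKETS)):
        print(f"{decision:8} {pkt.bs_addr:12} {pkt.src_ipv6:30} {pkt.label}")
```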
The embodiment of the application discloses a specific security protection method which is applied to a user plane function network element, and compared with the previous embodiment, the embodiment further describes and optimizes the technical scheme. Referring to fig. 2, the method specifically includes:
Step S21: after a target user accesses a session management network element and initiates a session request based on the target base station through a target terminal, the target base station address and the target IPv6 prefix of the target base station sent by the session management network element are obtained.
In this embodiment, before the verification process, the target terminal is required to access the session management network element through the target base station and initiate a session request, the target terminal is required to create the target IPv6 address, and a data packet transmission channel between the target base station and the user plane function network element is required to be established.
In this embodiment, establishing a data packet transmission channel between a target base station and a user plane function network element is shown below, and after the obtaining the target base station address and the target IPv6 prefix sent by the session management network element, further includes: and determining a target base station based on the target base station address, and establishing a target tunnel between the target base station and the user plane function network element so that the target base station sends the target data packet to the user plane function network element through the target tunnel.
It should be noted that the target tunnel is a general packet radio service tunnel.
In this embodiment, before obtaining each data packet sent to the local access target network device, the method further includes: acquiring a target field carrying the target base station address issued by the session management network element, and acquiring the target base station address based on the target field; the target field is the original field between the multiplexed session management network element and the user plane function network element.
It should be noted that, because the operator's existing matching process only checks the user plane network element address associated with the target tunnel, a forger can also intrude into the backhaul network between the base station and the user plane network element by forging the base station address of the target tunnel. If the forger uses that base station address to forge a large number of uplink data packets for Internet access, the resulting data storm occupies the bandwidth of the core network user plane and, in serious cases, prevents normal users from accessing the Internet. Therefore, the user plane network element acquires the target base station address, and a step of checking the target base station address is added to further ensure that users can access the Internet normally.
In this embodiment, the obtaining the target base station address and the target IPv6 prefix of the target base station sent by the session management network element includes: and acquiring a session establishment message sent by a session management network element, and acquiring a target base station address of the target base station carried by a first field of the session establishment message and a target IPv6 prefix carried by a second field of the session establishment message. It is noted that the first field is one of the multiplexed fields in the session establishment message.
Step S22: the target IPv6 prefix is sent to the target terminal, so that the target terminal allocates the target IPv6 prefix to the target user and combines a target interface identifier provided by the target terminal with the target IPv6 prefix to obtain a target IPv6 address; the target terminal then constructs an initial data packet based on the target IPv6 address and sends the initial data packet to the user plane function network element through the target base station; after the target base station receives the initial data packet, it adds the target base station address to the initial data packet as the source address to obtain a target data packet, and sends the target data packet to the user plane function network element.
In this embodiment, the sending the target IPv6 prefix to the target terminal includes: acquiring a router request sent by the target terminal, and returning a router advertisement to the target terminal based on the router request; the router advertisement includes the target IPv6 prefix.
In this embodiment, the user plane function network element also binds the target IPv6 prefix with the target base station address, so as to facilitate subsequent verification, and reduce potential safety hazards caused by forging the target tunnel from the base station to the user plane function network element, that is, prevent the target base station from being replaced by another base station.
In this embodiment, the target interface identifier is an interface identifier generated by the target terminal according to a terminal media access control address and an initial interface identifier allocated by the session management network element to the target terminal.
After a target user accesses a session management network element and initiates a session request based on the target base station through a target terminal, the target base station address and the target IPv6 prefix of the target base station sent by the session management network element are obtained; the target IPv6 prefix is sent to the target terminal, so that the target terminal distributes the target IPv6 prefix for the target user, a target interface identifier provided by the target terminal and the target IPv6 prefix are combined to obtain a target IPv6 address, then the target terminal constructs an initial data packet based on the target IPv6 address, and the initial data packet is sent to the user plane function network element through the target base station; after the target base station acquires the initial data packet, the target base station address is used as a source address to be added into the initial data packet to obtain a target data packet, and the target data packet is sent to the user plane functional network element. Therefore, before the verification process is performed, the target terminal is required to access the session management network element through the target base station and initiate the session request, the target terminal is required to create the target IPv6 address, and a data packet transmission channel between the target base station and the user plane function network element is required to be established so as to perform subsequent data packet transmission and verification work.
Referring to fig. 3, a schematic diagram of the safety protection flow is shown:
Step 1: the target terminal accesses the core network through the target base station and initiates a session establishment flow. The session management network element issues a PFCP Session Establishment Request message (session establishment message) to the user plane function network element, in which the Create PDR => IP Multicast Addressing Info => Source IP Address field carries the target base station address (gNB_ip); specifically, the Source IP Address field (first field) under the multiplexed IP Multicast Addressing Info field carries the target base station address, and the Create PDR => PDI => UE IP address field (second field) carries the target IPv6 prefix UE_ipA dynamically allocated to the terminal by the session management network element. The user plane function network element creates and records the session-related information according to the session establishment message issued by the session management network element;
Step 2: a GTP (GPRS Tunnelling Protocol) tunnel, i.e. the target tunnel, is established on the N3 side between the target base station (the base station corresponding to the target base station address gNB_ip) and the user plane function network element for transmitting data;
Step 3: the target terminal obtains the target IPv6 prefix UE_ipA dynamically allocated by the session management network element through an RS (Router Solicitation) / RA (Router Advertisement) exchange, combines it with the target interface identifier UE_ipB generated from the MAC address of the target terminal, and UE_ipA + UE_ipB form the target IPv6 address UE_ip that the terminal uses to access Internet data;
Step 4: the target terminal accesses Internet data on the target network device side using the target IPv6 address UE_ip. When the first packet of the data flow passes through the user plane function network element, the user plane function network element checks whether the source address gtp_gNBip (first base station address) of the outer GTP header of the data packet is the same as the target base station address gNB_ip issued by the session management network element, and checks whether the prefix (first IPv6 prefix) of the inner source address UE_ip of the data packet is the same as the target IPv6 prefix UE_ipA dynamically allocated to the terminal by the session management network element. If the check passes, the user plane function network element forwards the data packet to the target network device, records the complete target IPv6 address UE_ip of the target terminal, and updates the Create PDR => PDI => UE IP address field by replacing the original value UE_ipA in that field with UE_ip; if the check fails, the user plane function network element discards the data packet;
Step 5: when a subsequent data packet of the data flow with which the target terminal accesses the Internet passes through the user plane function network element, the user plane function network element checks whether the source address gtp_gNBip (subsequent base station address) of the outer GTP header of the data packet is identical to the target base station address gNB_ip issued by the session management network element, and checks whether the inner IPv6 source address UE_ip (subsequent IPv6 address) of the data packet is identical to the target IPv6 address UE_ip of the terminal recorded in the Create PDR => PDI => UE IP address field. If the check passes, the user plane function network element forwards the data packet to the target network device; if the check fails, the user plane function network element discards the data packet.
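As an added example (not code from the patent), the following Python models the five-step flow above on constructed input: the UPF records gNB_ip and UE_ipA from the session establishment message, checks the outer GTP source and the 64-bit prefix of the first packet, records the full UE_ip, and then requires an exact 128-bit match plus the same base station address on every subsequent packet. The modified EUI-64 derivation of the interface identifier from the MAC address, and all addresses used, are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

FORWARD, DROP = "forward", "drop"


@dataclass
class PfcpSession:
    """What the UPF records from the PFCP Session Establishment Request (step 1)."""
    gnb_ip: str        # Create PDR => IP Multicast Addressing Info => Source IP Address (gNB_ip)
    ue_ip_field: str   # Create PDR => PDI => UE IP address: holds the prefix UE_ipA until the
                       # first packet passes, then the full 128-bit UE_ip (step 4)


@dataclass(frozen=True)
class GtpPacket:
    """The two addresses the UPF inspects on an N3 uplink packet."""
    outer_src: str     # source address of the outer GTP header (gtp_gNBip)
    inner_src: str     # IPv6 source address of the encapsulated user packet (UE_ip)


def eui64_interface_id(mac: str) -> str:
    """Derive the 64-bit interface identifier UE_ipB from the terminal MAC address (step 3).

    The page only says the identifier is generated from the MAC address; the modified
    EUI-64 construction used here is an assumption for illustration.
    """
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must have 6 octets")
    # Insert ff:fe in the middle and flip the universal/local bit of the first octet.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ":".join(eui.hex()[i:i + 4] for i in range(0, 16, 4))


def build_ue_ip(prefix: str, iid: str) -> str:
    """Combine UE_ipA (a /64 prefix) with UE_ipB (interface identifier) into UE_ip."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("the SMF-allocated prefix is expected to be a /64")
    iid_int = int(iid.replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid_int))


class Upf:
    """User plane function check of steps 4 and 5 for one PFCP session."""

    def __init__(self, session: PfcpSession) -> None:
        self.session = session
        self.first_passed = False

    def _gnb_matches(self, pkt: GtpPacket) -> bool:
        return ipaddress.ip_address(pkt.outer_src) == ipaddress.ip_address(self.session.gnb_ip)

    def process(self, pkt: GtpPacket) -> str:
        inner = ipaddress.IPv6Address(pkt.inner_src)
        if not self.first_passed:
            # Step 4: first packet, check the gNB address and the 64-bit prefix only.
            prefix = ipaddress.IPv6Network(self.session.ue_ip_field, strict=False)
            if self._gnb_matches(pkt) and inner in prefix:
                self.session.ue_ip_field = str(inner)   # record the full 128-bit UE_ip
                self.first_passed = True
                return FORWARD
            # Check failed: drop, and the next packet is treated as the first packet again.
            return DROP
        # Step 5: subsequent packets must match the recorded address on all 128 bits.
        if self._gnb_matches(pkt) and inner == ipaddress.IPv6Address(self.session.ue_ip_field):
            return FORWARD
        return DROP


# Constructed sample values (documentation ranges, not taken from the page).
GNB_IP = "2001:db8:f00d::1"        # target base station address gNB_ip
UE_PREFIX = "2001:db8:1:2::/64"    # target IPv6 prefix UE_ipA
UE_MAC = "00:00:5e:00:53:01"
UE_IP = build_ue_ip(UE_PREFIX, eui64_interface_id(UE_MAC))  # legitimate UE_ip


def run_demo() -> List[str]:
    """Legitimate flow, then forged packets that a prefix-only check would have accepted."""
    upf = Upf(PfcpSession(gnb_ip=GNB_IP, ue_ip_field=UE_PREFIX))
    packets = [
        GtpPacket(GNB_IP, UE_IP),                      # first packet: gNB and prefix match
        GtpPacket(GNB_IP, UE_IP),                      # subsequent packet, same user and terminal
        GtpPacket(GNB_IP, "2001:db8:1:2::dead:beef"),  # forged interface identifier, same prefix
        GtpPacket("2001:db8:bad::1", UE_IP),           # forged base station address
        GtpPacket(GNB_IP, UE_IP),                      # legitimate traffic keeps flowing
    ]
    return [upf.process(p) for p in packets]


def run_forged_first() -> List[str]:
    """A forged packet that arrives first is dropped; the next packet is re-checked as the first."""
    upf = Upf(PfcpSession(gnb_ip=GNB_IP, ue_ip_field=UE_PREFIX))
    packets = [GtpPacket(GNB_IP, "2001:db8:9:9::1"), GtpPacket(GNB_IP, UE_IP), GtpPacket(GNB_IP, UE_IP)]
    return [upf.process(p) for p in packets]
```

The third and fourth packets in `run_demo` are the two cases the page singles out: a forged interface identifier under the correct prefix, and a replaced base station, both of which pass a prefix-only or UPF-address-only check.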
In summary, the scheme adds verification of the interface identifier and thereby achieves the aim of safety protection. By matching and checking the full 128-bit IPv6 address, the application can effectively reduce the risk of user information leakage and of DDoS attacks on the Internet caused by a forged IPv6 interface identifier, and by binding the user address (target IPv6 address) to the access base station address it can prevent the target base station from being replaced. Compared with the existing user plane function network element data packet matching flow, the method provided by the application improves security without affecting the performance of the user plane function network element and without adding PFCP private fields.
Correspondingly, the embodiment of the application also discloses a safety protection device which is applied to the user plane function network element, and the device comprises:
a data packet obtaining module 11, configured to obtain each data packet sent to the local access target network device;
a first verification module 12, configured to verify whether a first IPv6 prefix in a first IPv6 address corresponding to a first data packet in the data packets and the corresponding first base station address are consistent with the target IPv6 prefix and the target base station address issued by a session management network element; the IPv6 address comprises an IPv6 prefix and an interface identifier; one user corresponds to one IPv6 prefix; one interface identifier corresponds to one terminal;
a second checking module 13, configured to, if the first check is passed, check whether a subsequent base station address and a subsequent IPv6 address corresponding to a subsequent data packet in the data packets are consistent with the target base station address and the first IPv6 address; if they are consistent, send the subsequent data packet to the target network device, and if they are inconsistent, discard the subsequent data packet, so as to ensure that every subsequent data packet sent to the target network device is sent by the user who sent the first data packet, through the terminal that sent the first data packet, based on the target base station;
and a first data packet determining module 14, configured to, if the first check is not passed, take the next data packet in the data packets as the first data packet and jump to the step of checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet and the corresponding first base station address are consistent with the target IPv6 prefix and the target base station address issued by the session management network element.
The more specific working process of each module may refer to the corresponding content disclosed in the foregoing embodiment, and will not be described herein.
Therefore, the application uses the first IPv6 address (comprising the first IPv6 prefix and the first interface identifier) of the first data packet that passed the IPv6 prefix check to check the subsequent data packets, so that every subsequent data packet sent to the target network device is sent, based on the target base station, by the user and the terminal that sent the first data packet. At that point only the data packets of that one user and one terminal via the target base station are accepted, so a large number of forged users cannot exist; only the one user exists.
Further, the embodiment of the application also provides electronic equipment. Fig. 5 is a block diagram of an electronic device 20, according to an exemplary embodiment, and is not intended to limit the scope of use of the present application in any way.
Fig. 5 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a display screen 23, an input output interface 24, a communication interface 25, a power supply 26, and a communication bus 27. Wherein the memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps in the safety protection method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 26 is used to provide an operating voltage for each hardware device on the electronic device 20; the communication interface 25 can create a data transmission channel between the electronic device 20 and an external device, and the communication protocol to be followed is any communication protocol applicable to the technical solution of the present application, which is not specifically limited herein; the input/output interface 24 is used for obtaining external input data or outputting external output data, and the specific interface type thereof may be selected according to the specific application needs, which is not limited herein.
The memory 22 may be a read-only memory, a random access memory, a magnetic disk, an optical disk, or the like, and the resources stored thereon may include the computer program 221, which may be stored in a temporary or permanent manner. Wherein the computer program 221 may further comprise a computer program capable of performing other specific tasks in addition to the computer program capable of performing the security protection method performed by the electronic device 20 as disclosed in any of the previous embodiments.
Further, the embodiment of the application also discloses a computer readable storage medium for storing a computer program; wherein the computer program, when executed by a processor, implements the previously disclosed security protection method.
For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In the present disclosure, each embodiment is described in a progressive manner, and each embodiment focuses on the difference from other embodiments, and the same or similar parts between the embodiments refer to each other, that is, for the device disclosed in the embodiments, since the device corresponds to the method disclosed in the embodiments, the description is relatively simple, and the relevant parts refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description of the present application provides a method, apparatus, device and storage medium for protecting security, and specific examples are applied to illustrate the principles and embodiments of the present application, and the above examples are only used to help understand the method and core idea of the present application; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.
Claims (10)
1. A security protection method, applied to a user plane functional network element, comprising:
acquiring each data packet sent to local access target network equipment;
checking whether a first IPv6 prefix in a first IPv6 address corresponding to a first data packet in the data packets and a corresponding first base station address are consistent with a target IPv6 prefix and a target base station address issued by a session management network element; the IPv6 address comprises an IPv6 prefix and an interface identifier; one user corresponds to one IPv6 prefix; one interface identifier corresponds to one terminal;
if so, checking whether the target base station address and the first IPv6 address are consistent with the subsequent base station address and the subsequent IPv6 address corresponding to the subsequent data packet in the data packets, if so, sending the subsequent data packet to the target network equipment, and if not, discarding the subsequent data packet to ensure that the subsequent data packet sent to the target network equipment is sent by a user sending the first data packet through a terminal sending the first data packet based on the target base station;
and if not, taking the next data packet in the data packets as the first data packet, and jumping to the step of checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet in the data packets and the corresponding first base station address are consistent with the target IPv6 prefix and the target base station address issued by the session management network element, until the checking of the data packets is completed.
2. The method of claim 1, wherein the method further comprises, before obtaining each data packet sent to the local access target network device:
after a target user accesses a session management network element and initiates a session request based on the target base station through a target terminal, acquiring the target base station address and the target IPv6 prefix of the target base station sent by the session management network element;
the target IPv6 prefix is sent to the target terminal, so that the target terminal distributes the target IPv6 prefix for the target user, a target interface identifier provided by the target terminal and the target IPv6 prefix are combined to obtain a target IPv6 address, then the target terminal constructs an initial data packet based on the target IPv6 address, and the initial data packet is sent to the user plane function network element through the target base station; after the target base station acquires the initial data packet, the target base station address is used as a source address to be added into the initial data packet to obtain a target data packet, and the target data packet is sent to the user plane functional network element; the target interface identifier is an interface identifier generated by the target terminal according to a terminal media access control address and an initial interface identifier distributed to the target terminal by the session management network element.
3. The method according to claim 2, wherein the method further comprises, after obtaining the target base station address and the target IPv6 prefix of the target base station sent by the session management network element:
and determining a target base station based on the target base station address, and establishing a target tunnel between the target base station and the user plane function network element so that the target base station sends the target data packet to the user plane function network element through the target tunnel.
4. The security protection method according to claim 2, wherein the sending the target IPv6 prefix to the target terminal includes:
acquiring a router request sent by the target terminal, and returning a router advertisement to the target terminal based on the router request; the router advertisement includes the target IPv6 prefix.
5. The method according to claim 2, wherein the obtaining the target base station address and the target IPv6 prefix of the target base station sent by the session management network element includes:
and acquiring a session establishment message sent by a session management network element, and acquiring a target base station address of the target base station carried by a first field of the session establishment message and a target IPv6 prefix carried by a second field of the session establishment message.
6. The method of claim 2, wherein the method further comprises, before obtaining each data packet sent to the local access target network device:
acquiring a target field carrying the target base station address issued by the session management network element, and acquiring the target base station address based on the target field; the target field is the original field between the multiplexed session management network element and the user plane function network element.
7. A security protection apparatus, applied to a user plane functional network element, comprising:
the data packet acquisition module is used for acquiring each data packet sent to the local access target network equipment;
the first checking module is used for checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet in the data packets and the corresponding first base station address are consistent with the target IPv6 prefix and the target base station address issued by the session management network element; the IPv6 address comprises an IPv6 prefix and an interface identifier; one user corresponds to one IPv6 prefix; one interface identifier corresponds to one terminal;
the second checking module is configured to, if so, check whether a subsequent base station address and a subsequent IPv6 address corresponding to a subsequent data packet in the data packets are consistent with the target base station address and the first IPv6 address; if so, send the subsequent data packet to the target network device, and if not, discard the subsequent data packet, so as to ensure that the subsequent data packet sent to the target network device is sent by the user sending the first data packet through the terminal sending the first data packet based on the target base station;
and the first data packet determining module is used for, if not, taking the next data packet in the data packets as the first data packet and jumping to the step of checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet in the data packets and the corresponding first base station address are consistent with the target IPv6 prefix and the target base station address issued by the session management network element, until the checking of the data packets is completed.
8. The security protection apparatus of claim 7, further comprising:
the information acquisition module is used for acquiring the target base station address and the target IPv6 prefix of the target base station sent by the session management network element after a target user accesses the session management network element through the target terminal based on the target base station and initiates a session request;
the information sending module is used for sending the target IPv6 prefix to the target terminal so that the target terminal distributes the target IPv6 prefix for the target user, and combines a target interface identifier provided by the target terminal with the target IPv6 prefix to obtain a target IPv6 address, and then the target terminal constructs an initial data packet based on the target IPv6 address and sends the initial data packet to the user plane functional network element through the target base station; after the target base station acquires the initial data packet, the target base station address is used as a source address to be added into the initial data packet to obtain a target data packet, and the target data packet is sent to the user plane functional network element.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the safety protection method as claimed in any one of claims 1 to 6.
10. A computer-readable storage medium for storing a computer program; wherein the computer program when executed by a processor implements the safety protection method according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310724145.5A CN116634435A (en) | 2023-06-16 | 2023-06-16 | Safety protection method, device, equipment and medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116634435A true CN116634435A (en) | 2023-08-22 |
Legal Events
Date | Code | Title | Description
---|---|---|---
 | PB01 | Publication | 
 | SE01 | Entry into force of request for substantive examination | 