CN116886669B - Method and system for distributing IPv6 address by DHCPv6 - Google Patents
- Publication number: CN116886669B
- Application number: CN202311155221.1A
- Authority: CN (China)
- Prior art keywords: dhcpv6, client, server, ipv6, address
- Legal status: Active
Classifications
- H04L61/5014: Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP] (H04L61/00 Network arrangements, protocols or services for addressing or naming; H04L61/50 Address allocation; H04L61/5007 Internet protocol [IP] addresses)
- H04L61/5053: Lease time; Renewal aspects (H04L61/50 Address allocation)
- H04L63/061: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks (H04L63/00; H04L63/06)
- H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (H04L63/00; H04L63/08)
- H04L9/40: Network security protocols (H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
Abstract
The invention discloses a method and a system for distributing IPv6 addresses by DHCPv6, wherein the system comprises a DHCPv6 server, a DHCPv6 client, an IPv6 available address pool and a database, and the DHCPv6 server is respectively in communication connection with the DHCPv6 client, the IPv6 available address pool and the database. The invention can not only utilize the safety of IPv6 address massive space, but also carry out IP address safety tracing.
Description
Technical Field
The invention relates to the technical field of computer networks, in particular to a method and a system for distributing IPv6 addresses using safe and controllable DHCPv6.
Background
DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is a centrally controlled, stateful address allocation protocol. It is mostly used to allocate IP addresses to terminal PCs automatically, so that a PC can obtain its local IP address, gateway IP, NTP server IP, DNS server IP and SIP service IP through DHCPv6 and thereby meet the requirements of network access. In an IPv6 network in particular, the 128-bit IPv6 address is hard to memorize, so network operation and maintenance can only be simplified by allocating IP addresses automatically from a centrally controlled DHCPv6 server. However, because DHCPv6 was designed for convenient address service, it lacks security requirements for the DHCPv6 service itself. At the same time, the 128-bit IPv6 address space has a natural security property: a network probe is trapped in an endless scan of IP addresses and service ports before it can attack, which to some extent avoids the attacks caused by exposure of network services. Yet once a DHCPv6 client has obtained an IPv6 address, the DHCPv6-related RFCs generally adopt a lease-renewal model, in which the client asks the server to extend the lease of its IP address, so the client's IPv6 address stays unchanged and the security property of the massive IPv6 address space is not fully used; at the same time, variability of IPv6 addresses affects security tracing.
Reconfigure message types are defined in RFC 6644, RFC 8415, RFC 3315 and other DHCPv6 standards. Their main role is that a DHCPv6 server sends a Reconfigure message to a DHCPv6 client to notify it that the network configuration information on the server has changed, so that the client re-initiates an address request to update its network configuration information. The Reconfigure definition is carried in the first Reply/Advertise message, which informs the client and provides the negotiation elements of the relevant verification method, so that the client can accept a Reconfigure message from a legitimate DHCP server at any time during the lease and trigger a renewed request for network configuration information (a Renew message or an Information-request message). The Reconfigure verification protocol aims to ensure that only legitimate Reconfigure messages are accepted by the client, so that a malicious DHCP server cannot change the DHCPv6 client's network configuration by sending a Reconfigure message.
The definition of Reconfigure messages in the RFCs presents problems in practical network applications:
1. To prevent a malicious DHCP server from sending a Reconfigure message that triggers the DHCPv6 client to re-request network configuration information, the DHCPv6 client's Reconfigure Accept option defaults to open, and the option is difficult to modify, requiring strong technical capability to change. As a result, the reconfiguration function is effectively a dummy.
2. Reconfigure authentication requires authentication between the DHCPv6 client and the DHCPv6 server before the client accepts the Reconfigure, but the reconfiguration authentication key material is sent in the Advertise message, so the client can respond to a Reconfigure message at any time during its IP lease. The protocol considers the legitimacy of the DHCPv6 server, but does not solve the legitimacy problem of the DHCPv6 client.
3. A Reconfigure message is sent only when the network configuration on the DHCPv6 server changes, so that the DHCPv6 client triggers a Renew message or an Information-Request message to update its network configuration information. If the network configuration does not change and no Reconfigure message is triggered, the DHCPv6 client's IPv6 address is only renewed at lease times T1 and T2, the IPv6 address stays unchanged, and the security property of the massive IPv6 address space is not fully used.
Disclosure of Invention
Therefore, the technical problem to be solved by the invention is to provide a method and a system for distributing IPv6 addresses by DHCPv6, which can not only utilize the security of IPv6 address massive space, but also carry out IP address security tracing.
In order to solve the technical problems, the invention provides the following technical scheme:
a method for DHCPv6 to allocate IPv6 addresses, comprising the steps of:
S1) The DHCPv6 client sends a Solicit message to the DHCPv6 server requesting that the server allocate an IPv6 address and network configuration parameters for the client; the Solicit message carries Authentication option information, and the Authentication option information contains the G^A mod P value. The DHCPv6 client and the DHCPv6 server are each provided with a DHCPv6 protocol component with a built-in DH algorithm module, and the parameters P and G used by the DH algorithm module for the DH calculation are preset parameters;
S2) The DH algorithm module of the DHCPv6 server uses the received G^A mod P value and the equation S = (G^A mod P)^B mod P = G^(A×B) mod P to obtain the shared key value S1;
S3) The DHCPv6 server sends an Advertise message to the DHCPv6 client informing it of the IPv6 address and network configuration parameters allocated for it; the Advertise message carries the IPv6 address and network configuration parameters, together with Authentication option information containing the G^B mod P value;
S4) The DH algorithm module of the DHCPv6 client uses the received G^B mod P value and the equation S = (G^B mod P)^A mod P = G^(A×B) mod P to obtain the shared key value S2; the DHCPv6 client then sends a Request message to the authenticated DHCPv6 server, and the Request message carries the shared key value S2;
S5) After receiving the Request message, the DHCPv6 server compares the shared key value S1 with the shared key value S2. If S1 and S2 are the same, the DHCPv6 server sends a Reply message carrying the IPv6 address and the network configuration information allocated to the DHCPv6 client; otherwise, the DHCPv6 server refuses to send the Reply message to the DHCPv6 client;
S6) After receiving the Reply message, the DHCPv6 client configures its network according to the IPv6 address and the network configuration information carried in the Reply message.
In the above method, in step S3), the IPv6 address allocated by the DHCPv6 server to the DHCPv6 client is synthesized by the DHCPv6 server from a host-bit address and the network segment address of the IPv6 available address pool, where the host-bit address is a /64 host-bit address generated by the DHCPv6 server from the IPv6 available address pool through a Random function; "/64" denotes 2^64, i.e. the /64 host-bit address represents 2^64 assignable IPv6 addresses.
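The six-step exchange above together with the /64 host-bit address synthesis of step S3, written out as an added Python example that is not part of the patent: a DH module with its timing sub-module, the server-side S1/S2 comparison that gates the Reply, and the tracing record written when a Request is served. Assumed and not from the patent: the toy modulus P = 2^127-1 with G = 3 (constructed, not a production group), the one-hour private-key lifetime, and that the Request also carries the host name, system type, MAC and IAID that the server records.

```python
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed toy DH parameters (the patent keeps P and G preset and unpublished). 2^127-1 is
# prime but far too small for production, where a vetted group such as one from RFC 5114 belongs.
P, G = (1 << 127) - 1, 3
KEY_LIFETIME = 3600.0  # assumed: seconds a private key may be used before the timer rotates it


def ct_equal(a: int, b: int) -> bool:  # constant-time S1 vs S2 comparison; 16 bytes since P < 2^128
    return hmac.compare_digest(a.to_bytes(16, "big"), b.to_bytes(16, "big"))


class DHModule:  # DH algorithm module plus the timing sub-module
    def __init__(self, lifetime: float = KEY_LIFETIME):
        self.lifetime = lifetime
        self.rotate()

    def rotate(self) -> None:
        self.priv = secrets.randbelow(P - 3) + 2  # private exponent A (client) or B (server)
        self.pub = pow(G, self.priv, P)           # G^A mod P, carried in the Authentication option
        self.started = time.monotonic()

    def check_timer(self, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        if now - self.started >= self.lifetime:   # key used for >= threshold: generate a new one
            self.rotate()
            return True
        return False

    def shared(self, peer_pub: int) -> int:
        return pow(peer_pub, self.priv, P)        # S = (G^B mod P)^A mod P = G^(A*B) mod P


def synthesize_address(pool: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Pool network-segment prefix + 64 random host bits (step S3)."""
    if pool.prefixlen != 64:
        raise ValueError("address pool must be a /64 network segment")
    return ipaddress.IPv6Address(int(pool.network_address) | secrets.randbits(64))


@dataclass
class Client:
    duid: str
    mac: str
    hostname: str
    system_type: str
    dh: DHModule = field(default_factory=DHModule)

    def solicit(self) -> dict:  # step S1
        return {"type": "Solicit", "client_duid": self.duid, "auth": self.dh.pub}

    def on_advertise(self, adv: dict) -> dict:  # step S4: S2 itself travels inside the Request
        return {"type": "Request", "client_duid": self.duid, "server_duid": adv["server_duid"],
                "shared_key": self.dh.shared(adv["auth"]), "hostname": self.hostname,
                "system_type": self.system_type, "mac": self.mac, "iaid": 1}


@dataclass
class Server:
    duid: str
    pool: ipaddress.IPv6Network
    dh: DHModule = field(default_factory=DHModule)
    database: list = field(default_factory=list)  # tracing records, one per served Request
    pending: dict = field(default_factory=dict)   # client DUID -> (S1, offered address)

    def on_solicit(self, sol: dict) -> dict:  # steps S2 and S3
        s1, addr = self.dh.shared(sol["auth"]), synthesize_address(self.pool)
        self.pending[sol["client_duid"]] = (s1, addr)
        return {"type": "Advertise", "server_duid": self.duid, "auth": self.dh.pub,
                "address": str(addr)}

    def on_request(self, req: dict) -> Optional[dict]:  # step S5
        if req["server_duid"] != self.duid:  # multicast Request addressed to another server
            return None
        entry = self.pending.pop(req["client_duid"], None)
        if entry is None or not ct_equal(entry[0], req["shared_key"]):
            return None  # S1 != S2: refuse to send the Reply
        record = {k: req[k] for k in ("hostname", "system_type", "mac", "client_duid", "iaid")}
        self.database.append({**record, "address": str(entry[1])})
        return {"type": "Reply", "address": str(entry[1]), "dns": "2001:db8::53"}  # constructed DNS


def demo() -> dict:
    """Steps S1-S6 for an honest client, a Request with a wrong S2, and a forced key rotation."""
    server = Server(duid="srv-1", pool=ipaddress.IPv6Network("2001:db8:1:2::/64"))  # constructed
    client = Client("cli-1", "00:11:22:33:44:55", "iot-cam-7", "android")
    reply = server.on_request(client.on_advertise(server.on_solicit(client.solicit())))
    bad_req = client.on_advertise(server.on_solicit(client.solicit()))
    bad_req["shared_key"] = (bad_req["shared_key"] + 1) % P  # S2 no longer matches S1
    old_pub = server.dh.pub
    return {"reply": reply, "refused": server.on_request(bad_req), "records": len(server.database),
            "in_pool": ipaddress.IPv6Address(reply["address"]) in server.pool,
            "rotated": server.dh.check_timer(now=server.dh.started + KEY_LIFETIME),
            "pub_changed": server.dh.pub != old_pub}
```

Because S2 is sent in the Request rather than a proof of knowledge of it, the scheme's secrecy rests on P and G not being published, exactly as the description states; the constant-time comparison and the pending-table lookup keyed by client DUID are the two server-side checks worth keeping in any implementation.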
According to the method, the DH algorithm module of the DHCPv6 server and the DH algorithm module of the DHCPv6 client are respectively provided with the timing sub-module for timing the time of using a private key by the DH algorithm module of the DHCPv6 server and the DH algorithm module of the DHCPv6 client, and when the timing duration of the timing sub-module is equal to or greater than a threshold value, the private keys generated by the DH algorithm module of the DHCPv6 server and the DH algorithm module of the DHCPv6 client are adjusted.
In the above method, in step S4), when the DHCPv6 client receives the advertisement messages sent by the multiple DHCPv6 servers, the DHCPv6 client sends a Request message carrying the DUID of the selected legal DHCPv6 server with high priority to all DHCPv6 servers in a multicast manner.
In the above method, in step S5), after receiving the Request message, the DHCPv6 server writes information related to the IPv6 address to be allocated into the database, where the information related to the IPv6 address to be allocated includes at least a corresponding host name, a system type, a MAC, a DUID, and an IAID.
In the above method, when the DHCPv6 client sends a Renew message to the DHCPv6 server that allocated the IPv6 address and network configuration information to it, Authentication option information containing the G^A mod P value is built into the Renew message.
In the above method, if the Renew message is not answered, the DHCPv6 client sends a Rebind message to any other reachable DHCPv6 server to extend the IPv6 lease it is using and update the corresponding network configuration information; the Rebind message carries Authentication option information containing the G^A mod P value.
A system for distributing IPv6 addresses by utilizing the method for distributing IPv6 addresses by DHCPv6 comprises:
the DHCPv6 server is used for distributing the IPv6 address and the network configuration information; the DHCPv6 server is internally provided with a DH algorithm module, parameters P and G for DH calculation are preset in the DH algorithm module, and the parameters P and G are preset parameters;
an IPv6 available address pool;
the DHCPv6 client is used for initiating a request for distributing the IPv6 address and the network configuration information; the DHCPv6 client is internally provided with a DH algorithm module which is the same as the DH algorithm module in the DHCPv6 server;
the DHCPv6 server is respectively in communication connection with the DHCPv6 client and the IPv6 available address pool.
According to the system, the DH algorithm module of the DHCPv6 server and the DH algorithm module of the DHCPv6 client are respectively provided with the timing submodule, and the timing submodule is used for timing the time of using a private key of each of the DHCPv6 server and the DHCPv6 client.
The system further comprises a database for storing information related to the IPv6 address to be allocated, wherein the information related to the IPv6 address to be allocated at least comprises a corresponding host name, a system type, a MAC, a DUID and an IAID.
The technical scheme of the invention has the following beneficial technical effects:
1. the invention adjusts the processing procedure of the relevant RFC standard of the DHCPv6 to realize the safe and periodical adjustment of the IP address of the DHCPv6 client according to the need, and fully utilizes the safety of the IPv6 address massive space. And simultaneously adjusting the DH method, and taking the shared key result as a standard for verifying the validity of the DHCPv6 client and the DHCPv6 server.
2. The method and the system solve the problems of DHCPv6 client security authentication, DHCPv6 server security authentication, prevention of IPv6 address randomness-prediction attacks and periodic, controllable transformation of IPv6 addresses when large-scale Internet of Things terminals deployed in public areas acquire IPv6 addresses through DHCPv6.
3. The Diffie-Hellman key exchange protocol is adopted for validity authentication of the DHCPv6 client and the DHCPv6 server. For the DH algorithm, refer to RFC 2631 (Diffie-Hellman Key Agreement Method) and RFC 5114 (Additional Diffie-Hellman Groups for Use with IETF Standards). At the same time, by modifying the lease renewal process of the DHCPv6 protocol, the method periodically allocates different, complex IPv6 addresses to DHCPv6 clients in a safe and controllable way, so as to increase the address security characteristics brought by the IPv6 address space.
DH can be changed along with P, G parameters and private keys, so that a dynamic S value is obtained, the validity of the DHCPv6 client is judged by using the dynamic S value, the validity can be proved, and the problem that a digital certificate is stolen during RSA public-private key authentication can be avoided.
Drawings
FIG. 1 is a schematic diagram of the system for distributing IPv6 addresses by DHCPv6 in the present invention;
fig. 2 is a flow chart of the DHCPv6 allocation IPv6 address according to the present invention.
Detailed Description
The invention is further described below with reference to examples.
As shown in fig. 1, in the present invention a system for distributing IPv6 addresses by DHCPv6 includes a DHCPv6 server, a DHCPv6 client, an IPv6 available address pool and a database, where the DHCPv6 server is communicatively connected to the DHCPv6 client, the IPv6 available address pool and the database respectively. The DHCPv6 server distributes IPv6 addresses and network configuration information; the DHCPv6 client initiates the request for an IPv6 address and network configuration information; the database stores information related to the IPv6 addresses to be distributed, which at least comprises the corresponding host name, system type, MAC address, DUID and IAID, and this information is used for tracing addresses. The DHCPv6 server and the DHCPv6 client each contain a built-in DH algorithm module; the parameters P and G for the DH calculation and a timing sub-module are preset in the DH algorithm module, where P and G are preset parameters that the user can modify at any time, and the timing sub-module times how long each of the DHCPv6 server and the DHCPv6 client has been using its private key.
In practical application, the DHCPv6 server is set on the DHCP server, the DHCPv6 client is set on the user terminal, and then the DHCPv6 is assigned with the IPv6 address through the following steps as shown in fig. 2:
S1) The DHCPv6 client sends a Solicit message to the DHCPv6 server requesting that the server allocate an IPv6 address and network configuration parameters for the client; the Solicit message carries Authentication option information, and the Authentication option information contains the G^A mod P value;
S2) The DH algorithm module of the DHCPv6 server uses the received G^A mod P value and the equation S = (G^A mod P)^B mod P = G^(A×B) mod P to obtain the shared key value S1;
S3) The DHCPv6 server sends an Advertise message to the DHCPv6 client informing it of the IPv6 address and network configuration parameters allocated for it; the Advertise message carries the IPv6 address and network configuration parameters, together with Authentication option information containing the G^B mod P value;
S4) The DH algorithm module of the DHCPv6 client uses the received G^B mod P value and the equation S = (G^B mod P)^A mod P = G^(A×B) mod P to obtain the shared key value S2; the DHCPv6 client then sends a Request message to the authenticated DHCPv6 server, and the Request message carries the shared key value S2;
S5) After receiving the Request message, the DHCPv6 server compares the shared key value S1 with the shared key value S2. If S1 and S2 are the same, the DHCPv6 server sends a Reply message carrying the IPv6 address and the network configuration information allocated to the DHCPv6 client; otherwise, the DHCPv6 server refuses to send the Reply message to the DHCPv6 client;
S6) After receiving the Reply message, the DHCPv6 client configures its network according to the IPv6 address and the network configuration information carried in the Reply message.
In step S3), the IPv6 address allocated by the DHCPv6 server to the DHCPv6 client is synthesized by the DHCPv6 server from a host-bit address and the network segment address of the IPv6 available address pool, where the host-bit address is a /64 host-bit address generated by the DHCPv6 server from the IPv6 available address pool through a Random function.
In order to increase the cracking difficulty of hackers, the timing sub-module is utilized to time the respective private key used by the DH algorithm module of the DHCPv6 server and the DH algorithm module of the DHCPv6 client, and when the duration of the DH algorithm module of the DHCPv6 server using the private key of the DHCPv6 server or the duration of the DH algorithm module of the DHCPv6 client using the private key of the DHCPv6 client is equal to or greater than a threshold value, the respective generated private key can be adjusted by the DH algorithm module of the DHCPv6 server and the DH algorithm module of the DHCPv6 client.
In actual use, a plurality of DHCPv6 servers may be set on the DHCP server, that is, the DHCPv6 client may receive advertisement messages sent by the plurality of DHCPv6 servers. When the DHCPv6 client receives advertisement messages sent by multiple DHCPv6 servers, the DHCPv6 client sends Request messages carrying the DUIDs of the selected legal DHCPv6 servers with high priority to all DHCPv6 servers in a multicast mode.
In order to facilitate address tracing, in step S5), after receiving the Request message, the DHCPv6 server writes information related to the IPv6 address to be allocated into the database, where this information includes at least the corresponding host name, system type, MAC, DUID and IAID; the system type is, for example, Windows, Android or iOS.
When the IP address allocated by the DHCP server is about to expire, the user will choose to extend the lease so as to keep using the same IP address; at this time the DHCPv6 client needs to send a Renew message to the DHCPv6 server that allocated the IPv6 address and network configuration information to it. When the DHCPv6 client sends this Renew message, Authentication option information containing the G^A mod P value is embedded in the Renew message; the G^A mod P value is used to verify whether the DHCPv6 client requesting the extension of the IP lease is a legitimate client.
If the original DHCPv6 server that allocated the IPv6 address and network configuration information to the DHCPv6 client has failed or is down, it cannot respond in time to the Renew message sent by the client. In this case the DHCPv6 client sends a Rebind message to any other reachable DHCPv6 server to extend the IPv6 lease it is using and update the corresponding network configuration information, and the Rebind message carries Authentication option information containing the G^A mod P value.
When a Renew or Rebind lease message is received and the DHCPv6 client and DHCPv6 server have verified each other's validity, a periodic address conversion function is started as required according to the administrator's setting: the Reply message is returned with T1=0 and T2=0 and without IA Address information, which means that the renewal was unsuccessful and prompts the DHCPv6 client to re-enter the Solicit flow after the lease expires.
In the invention, the parameters P and G in the DH calculation modules of the DHCPv6 server and the DHCPv6 client are preset parameters and are not disclosed on the external network; that is, a hacker cannot obtain P and G from the external network and therefore cannot compute, through the Diffie-Hellman key exchange, the private keys used by the DHCPv6 server and the DHCPv6 client, which increases the difficulty of intrusion and improves the security of the system.
Authentication between the DHCPv6 client and the DHCPv6 server is performed with the Diffie-Hellman key exchange protocol, and the timing sub-module monitors how long a given private key has been in use. This realizes secure authentication between the DHCPv6 client and the DHCPv6 server together with periodic key change, and solves the problems of DHCPv6 client security authentication, DHCPv6 server security authentication, prevention of IPv6 address randomness-prediction attacks and periodic, controllable transformation of IPv6 addresses when large-scale Internet of Things terminals deployed in public areas acquire IPv6 addresses through DHCPv6.
It is apparent that the above examples are given by way of illustration only and do not limit the embodiments. Other variations or modifications of the above teachings will be apparent to those of ordinary skill in the art. It is neither necessary nor possible to exhaust all embodiments here. Obvious variations or modifications derived from the above remain within the scope of the claims of this patent application.
Claims (8)
1. A method for allocating IPv6 addresses by DHCPv6, comprising the steps of:
S1) The DHCPv6 client sends a Solicit message to the DHCPv6 server requesting that the server allocate an IPv6 address and network configuration parameters for the client; the Solicit message carries Authentication option information, and the Authentication option information contains the G^A mod P value. The DHCPv6 client and the DHCPv6 server are each provided with a DHCPv6 protocol component with a built-in DH algorithm module, and the parameters P and G used by the DH algorithm module for the DH calculation are preset parameters. The DH algorithm module of the DHCPv6 server and the DH algorithm module of the DHCPv6 client each have a built-in timing sub-module for timing how long a given private key has been in use, and when the timed duration is equal to or greater than a threshold value, the DH algorithm modules of the DHCPv6 server and the DHCPv6 client adjust their respective generated private keys; wherein the DH algorithm is the Diffie-Hellman algorithm;
S2) The DH algorithm module of the DHCPv6 server uses the received G^A mod P value and the equation S = (G^A mod P)^B mod P = G^(A×B) mod P to obtain the shared key value S1;
S3) The DHCPv6 server sends an Advertise message to the DHCPv6 client informing it of the IPv6 address and network configuration parameters allocated for it; the Advertise message carries the IPv6 address and network configuration parameters, together with Authentication option information containing the G^B mod P value;
S4) The DH algorithm module of the DHCPv6 client uses the received G^B mod P value and the equation S = (G^B mod P)^A mod P = G^(A×B) mod P to obtain the shared key value S2; the DHCPv6 client then sends a Request message to the authenticated DHCPv6 server, and the Request message carries the shared key value S2;
S5) After receiving the Request message, the DHCPv6 server compares the shared key value S1 with the shared key value S2. If S1 and S2 are the same, the DHCPv6 server sends a Reply message carrying the IPv6 address and the network configuration information allocated to the DHCPv6 client; otherwise, the DHCPv6 server refuses to send the Reply message to the DHCPv6 client;
S6) After receiving the Reply message, the DHCPv6 client configures its network according to the IPv6 address and the network configuration information carried in the Reply message.
2. The method according to claim 1, wherein in step S3), the IPv6 address allocated by the DHCPv6 server to the DHCPv6 client is synthesized by the DHCPv6 server from a host-bit address and the network segment address of the IPv6 available address pool, where the host-bit address is a /64 host-bit address generated by the DHCPv6 server from the IPv6 available address pool through a Random function.
3. The method of claim 1 wherein in step S4), when the DHCPv6 client receives advertisement messages sent by multiple DHCPv6 servers, the DHCPv6 client sends a Request message carrying the DUID of the selected legal DHCPv6 server with a high priority to all DHCPv6 servers by multicast.
4. The method according to claim 1, wherein in step S5), after receiving the Request message, the DHCPv6 server writes information related to the IPv6 address to be allocated into the database, and the information related to the IPv6 address to be allocated includes at least a corresponding host name, system type, MAC, DUID, and IAID.
5. The method of claim 1, wherein when the DHCPv6 client sends a Renew message to the DHCPv6 server that allocated the IPv6 address and network configuration information to it, Authentication option information containing the G^A mod P value is embedded in the Renew message.
6. The method of claim 5, wherein if the Renew message is not acknowledged, the DHCPv6 client sends a Rebind message to any other available DHCPv6 server to extend the IPv6 lease it is using and update the corresponding network configuration information, wherein the Rebind message has Authentication option information containing the G^A mod P value built into it.
7. A system for IPv6 address allocation using the DHCPv6 IPv6 address allocation method of claim 1, comprising:
the DHCPv6 server is used for distributing the IPv6 address and the network configuration information; the DHCPv6 server is internally provided with a DH algorithm module, parameters P and G for DH calculation are preset in the DH algorithm module, and the parameters P and G are preset parameters;
the DHCPv6 client is used for initiating a request for distributing the IPv6 address and the network configuration information; the DHCPv6 client is internally provided with a DH algorithm module which is the same as the DH algorithm module in the DHCPv6 server; the DH algorithm module of the DHCPv6 server and the DH algorithm module of the DHCPv6 client are respectively internally provided with a timing submodule, and the timing submodule is used for timing the time of using a certain private key by the DHCPv6 server and the DHCPv6 client;
an IPv6 available address pool;
the DHCPv6 server is respectively in communication connection with the DHCPv6 client and the IPv6 available address pool.
8. The system of claim 7, further comprising a database for storing information related to the IPv6 address to be assigned, the information including at least the corresponding host name, system type, MAC address, DUID, and IAID.
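The Renew/Rebind flow of claims 5 to 8, as an added example that is not the patent's own code: client and servers run the same DH module with preset P and G, each private key is retired by a timer (the timing submodule), and the client's Authentication option carries G^A mod p. The message layout, the use of HMAC-SHA256 keyed from the shared secret as the actual authentication check, the 30-second key lifetime, the constructed DUID and address, and the toy 127-bit prime are all assumptions made here for illustration; the patent text specifies none of them.

```python
"""Toy model of the DH-authenticated DHCPv6 Renew/Rebind flow (added example, not the patent's code)."""
import hashlib
import hmac
import json
import secrets

# TOY DH parameters (assumption): 2^127 - 1 is prime but far too small for real use. The
# "preset P and G" of the claims would be a standard group such as RFC 3526 group 14 (2048-bit).
P = (1 << 127) - 1
G = 3
KEY_LIFETIME = 30.0  # assumed seconds a private key may be used before the timing submodule retires it


class FakeClock:
    """Deterministic clock so the key-lifetime behaviour can be exercised offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def tick(self, seconds):
        self.t += seconds


class DHModule:
    """DH algorithm module with a timed private key (the claims' timing submodule)."""

    def __init__(self, clock):
        self.clock = clock
        self.rotate()

    def rotate(self):
        self.priv = secrets.randbelow(P - 3) + 2      # private exponent in [2, P-2]
        self.pub = pow(G, self.priv, P)               # G^priv mod P, the value sent in the Authentication option
        self.started = self.clock()

    def shared_key(self, peer_pub):
        """MAC key from G^(ab) mod P; retire this side's private key once its lifetime has elapsed."""
        if self.clock() - self.started > KEY_LIFETIME:
            self.rotate()
        if not 1 < peer_pub < P - 1:                  # 0, 1 and P-1 force a trivial shared secret
            raise ValueError("degenerate DH public value")
        secret = pow(peer_pub, self.priv, P)
        return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def _mac_input(msg):
    """Canonical bytes covered by the MAC: every field except the MAC, plus the sender's public value."""
    body = {k: v for k, v in msg.items() if k != "auth"}
    body["auth_pub"] = msg["auth"]["pub"]
    return json.dumps(body, sort_keys=True).encode()


def client_sign(dh, cached_server_pub, msg):
    """Client side: add an Authentication option {G^A mod P, HMAC-SHA256} to a Renew or Rebind."""
    key = dh.shared_key(cached_server_pub)            # may rotate dh.priv, so read dh.pub afterwards
    signed = dict(msg, auth={"pub": dh.pub})
    signed["auth"]["mac"] = hmac.new(key, _mac_input(signed), hashlib.sha256).hexdigest()
    return signed


def server_verify(dh, msg):
    """Server side: derive the key from the client's G^A mod P and check the HMAC in constant time."""
    try:
        key = dh.shared_key(msg["auth"]["pub"])
    except ValueError:
        return False
    expected = hmac.new(key, _mac_input(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["auth"]["mac"])


def renew_then_rebind(server_a_head_start, seconds_since_advertise):
    """Claims 5 and 6: Renew to the allocating server A; if it is not acknowledged, Rebind to server B.

    server_a_head_start: seconds A's private key had already been in use when B and the client started.
    seconds_since_advertise: time between caching the servers' public values and sending the Renew.
    """
    clock = FakeClock()
    server_a = DHModule(clock)                       # the server that allocated the lease
    clock.tick(server_a_head_start)
    server_b = DHModule(clock)                       # another available server with the same P and G
    client = DHModule(clock)
    cached = {"A": server_a.pub, "B": server_b.pub}  # public values learned from the Advertise messages
    clock.tick(seconds_since_advertise)

    # constructed lease record; DUID and address are illustrative only
    lease = {"client_duid": "00:01:00:01:2a:b3:c4:d5:00:11:22:33:44:55", "iaid": 1, "addr": "2001:db8::10"}
    renew = client_sign(client, cached["A"], dict(lease, msg_type="RENEW", server_duid="A"))
    if server_verify(server_a, renew):
        return {"renew": True, "rebind": None}
    rebind = client_sign(client, cached["B"], dict(lease, msg_type="REBIND"))
    return {"renew": False, "rebind": server_verify(server_b, rebind)}
```

Calling renew_then_rebind(20, 15) shows the claim 6 fallback: server A's private key has passed its assumed lifetime, so the key it derives no longer matches the one the client computed from A's cached public value, the Renew fails to verify, and the client Rebinds to server B, whose key is still young. The practical caveat this exposes is that a server retiring its private key invalidates every public value clients cached from its Advertise, so the rotation interval must be longer than the renew timer, or clients must re-Solicit after a failed Rebind; otherwise renew_then_rebind(0, 35) is the outcome and no server accepts the client.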
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311155221.1A CN116886669B (en) | 2023-09-08 | 2023-09-08 | Method and system for distributing IPv6 address by DHCPv6 |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311155221.1A CN116886669B (en) | 2023-09-08 | 2023-09-08 | Method and system for distributing IPv6 address by DHCPv6 |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116886669A CN116886669A (en) | 2023-10-13 |
CN116886669B true CN116886669B (en) | 2023-11-14 |
Family
ID=88268536
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311155221.1A Active CN116886669B (en) | 2023-09-08 | 2023-09-08 | Method and system for distributing IPv6 address by DHCPv6 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116886669B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002247023A (en) * | 2000-12-14 | 2002-08-30 | Furukawa Electric Co Ltd:The | Method for sharing session sharing key, method for certifying network terminal, network, terminal, and repeater |
CN101388770A (en) * | 2008-10-20 | 2009-03-18 | Huawei Technologies Co., Ltd. | Method, server and customer apparatus for acquiring dynamic host configuration protocol cipher |
CN101521882A (en) * | 2009-03-24 | 2009-09-02 | Liu Jian | Method and system for updating preshared key |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8750512B2 (en) * | 2011-10-28 | 2014-06-10 | Aruba Networks, Inc. | Authenticating an ephemeral Diffie-Hellman using a trusted third party |
- 2023-09-08: CN202311155221.1A filed (patent CN116886669B, en); status Active
Non-Patent Citations (3)
Title |
---|
Authentication and Privacy Approach for DHCPv6; Ayman Al-Ani et al.; IEEE; Vol. 7; full text * |
Research on the authentication process of the key exchange protocol in IPsec and improvement of the protocol; Han Xiuling et al.; Computer Engineering and Applications; full text * |
Design of a DHCP protocol based on the DH encryption algorithm; Liu Qiang et al.; Computer Engineering; Vol. 32, No. 19; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN116886669A (en) | 2023-10-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8239549B2 (en) | Dynamic host configuration protocol | |
CN102301763B (en) | Method and nodes for registering a terminal | |
US8806565B2 (en) | Secure network location awareness | |
US7529926B2 (en) | Public key certification providing apparatus | |
KR100931073B1 (en) | Dynamic Host Configuration and Network Access Authentication | |
CN101340334B (en) | Network access method, system and apparatus | |
US20170230824A1 (en) | Exclusive preshared key authentication | |
US7461251B2 (en) | Public key certification issuing apparatus | |
CN101388770B (en) | Method, server and customer apparatus for acquiring dynamic host configuration protocol cipher | |
JP2010086529A (en) | Sip signaling without requiring constant re-authentication | |
CN101478576A (en) | Method, apparatus and system for selecting service network | |
CN101084657A (en) | Gateway, network configuration, and method for controlling access to web server | |
WO2009003379A1 (en) | A configuration method, system and device of cryptographically generated address | |
Duangphasuk et al. | Design and implementation of improved security protocols for DHCP using digital certificates | |
KR20030087366A (en) | Method for assigning IP address using agent in zero configuration network | |
CN108600207B (en) | Network authentication and access method based on 802.1X and SAVI | |
Younes | A secure DHCP protocol to mitigate LAN attacks | |
CN101656724A (en) | Anti-attack method and dynamic host configuration protocol server | |
CN111683072A (en) | Remote verification method and remote verification system | |
KR100714368B1 (en) | Internet protocol address management system co-operated with authentication server | |
CN116886669B (en) | Method and system for distributing IPv6 address by DHCPv6 | |
EP3301852A1 (en) | Method to generate and use a unique persistent node identity, corresponding initiator node and responder node | |
CN1489341A (en) | Method and service device for allocating local network resource to terminal according to types of terminal | |
Rafiee et al. | A secure, flexible framework for dns authentication in ipv6 autoconfiguration | |
CN1798158A (en) | Method for distributing second level address | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |