CN1825853A - Method for increasing LAN communication safety - Google Patents

Method for increasing LAN communication safety

Info

Publication number
CN1825853A
CN1825853A
Authority
CN
China
Prior art keywords
arp
lan communication
safety
raising
address resolution
Prior art date
Legal status
Granted
Application number
CN 200610020621
Other languages
Chinese (zh)
Other versions
CN100571272C (en)
Inventor
黄岩
刘洋
Current Assignee
MAIPU (SICHUAN) COMMUNICATION TECHNOLOGY Co Ltd
Original Assignee
MAIPU (SICHUAN) COMMUNICATION TECHNOLOGY Co Ltd
Priority date
2006-03-30
Filing date
2006-03-30
Publication date
2006-08-30
Application filed by MAIPU (SICHUAN) COMMUNICATION TECHNOLOGY Co Ltd
Priority to CNB2006100206211A
Publication of CN1825853A
Application granted
Publication of CN100571272C
Legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

This invention relates to the ARP and RARP protocols of network communication and discloses a method that uses security authentication to make ARP processing safer. The method comprises the following steps: a. add user information to the address resolution protocol; b. set up an authentication server to authenticate the user information carried in the protocol; c. respond if authentication passes, otherwise do not respond. The method distinguishes legitimate ARP messages from illegitimate ones effectively, so a host does not modify its MAC binding information under the influence of illegal ARP messages.

Description

Method for improving LAN communication security
Technical field
The present invention relates to network communication, and in particular to the Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP) of the network communication protocol suite.
Background technology
At present, viruses in a local area network (LAN) often exploit the principle of ARP spoofing to eavesdrop on data and to replicate themselves. Because these viruses use the standard ARP message format to distribute arbitrary MAC-IP address bindings, they modify the ARP tables of other hosts or of the gateway in the network; other machines then cannot reach the Internet or cannot communicate properly, and the normal operation of the whole LAN is disrupted.
In the prior art, the common way to overcome the above problem is to configure static ARP entries on the egress router for all machines in the LAN, setting the MAC-IP bindings by hand, and to configure a static ARP entry on every PC that fixes the MAC address corresponding to the router's IP address. The biggest problem of this method is the management workload: if a residential community has several thousand machines, this is an almost impossible task for an ISP with only a few maintenance staff. Another method uses a DHCP server for dynamic binding; although this reduces the manual configuration work, it is not applicable to LAN environments that require fixed IP addresses, and it only solves the confusion of ARP entries at the gateway, not the confusion of the ARP entries of the other hosts in the LAN.
Another solution is PPPoE authentication: all PCs in a broadband community are then logically connected point-to-point to the operator's egress BAS, so the problem of ARP spoofing does not arise. But this method is not suitable for environments where the PCs in the LAN need to communicate with each other, such as an office network.
The root of the above problems is that ARP itself is a protocol without any security control: if anyone sends incorrect MAC binding information in the standard ARP message format, the hosts or the gateway in the LAN will all be affected.
Summary of the invention
The technical problem to be solved by this invention is the poor security of ARP. The invention provides a method that uses security authentication to improve the security of the ARP processing procedure and prevents ARP information from being maliciously modified.
The technical scheme adopted by the present invention to solve the above technical problem is a method for improving LAN communication security comprising the following steps:
a. add user information to the address resolution protocol;
b. set up an authentication server and authenticate the user information in the address resolution protocol;
c. respond if authentication passes, otherwise do not respond.
The beneficial effect of the invention is that the legitimacy of ARP messages can be distinguished effectively, so that a host does not modify its MAC binding information under the influence of illegal ARP messages; the influence of ARP information is brought under control, the security problem of ARP is solved at its root, and the security of LAN communication is improved. In addition, because an authentication server is used to authenticate users, other functions such as billing are easy to add, which strengthens the manageability of the LAN.
Description of drawings
Fig. 1 is the transmit and receive flow chart of the embodiment.
Embodiment
The technical scheme of the present invention is described in detail below in conjunction with the drawings and the embodiments.
The present invention adds user authentication information to ARP, adds an authentication server to the network, and uses authentication of the user information during the ARP processing procedure to improve the security of the network.
The technical scheme of the present invention, a method for improving LAN communication security, is characterized by comprising the following steps:
a. add user information to the address resolution protocol;
b. set up an authentication server and authenticate the user information in the address resolution protocol;
c. respond if authentication passes, otherwise do not respond;
Specifically, the user information consists of a user name length field, a user name field, a random number field, a digest length field and a digest field;
Further, the digest field is formed by computing a digest over the user name, the random number and the user password with a digest algorithm;
The specific authentication process is:
b1. the authentication server extracts the user password from its database according to the user name in the received address resolution protocol message;
b2. the above user password is combined with the random number in the received address resolution protocol message and a digest is computed with the same digest algorithm;
b3. the computed result is compared with the digest in the received address resolution protocol message; if they are identical, authentication passes, otherwise authentication fails;
The digest algorithm is a one-way, irreversible digest algorithm, such as the MD5 algorithm;
The above responding means: on receiving a secure ARP request, send a secure ARP reply; on receiving a secure ARP reply, update the local ARP information table; on receiving a secure RARP request, send a secure RARP reply; on receiving a secure RARP reply, update the local ARP information table;
More specifically, the authentication server is located on the gateway.
Embodiment
For ease of description, ARP with the added user information is called secure ARP below, and its message is the secure ARP message.
The present invention places the distinguishing mark of the secure ARP message in the operation type field. One format of the secure ARP message is shown in Table 1; the format of the added user information is self-defined and has not yet been standardized.
Table 1

No.  Field                      Size
1    Hardware type              2 bytes
2    Protocol type              2 bytes
3    Hardware address length    1 byte
4    Protocol address length    1 byte
5    Operation type             2 bytes
6    Sender hardware address    hardware address length
7    Sender protocol address    protocol address length
8    Target hardware address    hardware address length
9    Target protocol address    protocol address length
10   Random number              32 bytes
11   User name length           1 byte
12   User name                  user name length
13   Digest length              1 byte
14   Digest                     digest length
In Table 1, the value 1 in column 1 means Ethernet; the value 0x0800 in column 2 means IP; in column 5, 1 means a conventional ARP request, 2 a conventional ARP reply, 3 a conventional RARP request, 4 a conventional RARP reply, 21 a secure ARP request, 22 a secure ARP reply, 23 a secure RARP request and 24 a secure RARP reply. Columns 9 to 14 of Table 1 are the added user information.
To use secure ARP, all hosts in the LAN and the gateway must support secure ARP, and each must be configured locally with, or import, its own user name, password and the address of the authentication server. The authentication server can be a standard AAA server or a self-developed server with its own user password database. The authentication server can exist stand-alone or can be located on the gateway.
When a host sends an ARP request, an ARP reply, a RARP request or a RARP reply, it must send it as a secure ARP message. A receiver configured for secure ARP takes no response action when it receives a conventional ARP message. After receiving a secure ARP message, the receiver first extracts the user information from the message and then sends it to the authentication server for authentication. The authentication server extracts the password from its database according to the user name, adds the received random number, computes the digest with the same digest algorithm and compares the result: if the computed result is consistent with the digest the server received, authentication passes, otherwise it fails. If authentication passes, the receiver takes the response action for the secure ARP message; if authentication fails, it takes no response action.
The response actions after a secure ARP message is received and authenticated are mainly: on receiving a secure ARP request, send a secure ARP reply; on receiving a secure ARP reply, update the local ARP information table; on receiving a secure RARP request, send a secure RARP reply; on receiving a secure RARP reply, update the local ARP information table.
The complete receive and transmit process of the secure ARP protocol is shown in Fig. 1.
Today's managed LANs generally have client software that controls the user's online behaviour; Internet cafés and ISPs, for example, all have such client software. The secure ARP function can therefore be added to the client software and also to the gateway device, so that both the viruses that send arbitrary ARP messages and the deliberate forging of IP addresses described above are dealt with, with very little configuration work and without affecting communication between hosts the way PPPoE does.
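The message layout of Table 1 and the receive-side procedure described above (ignore conventional ARP, extract the user information, run the server's steps b1 to b3, respond only when authentication passes) can be shown end to end in one place. The following Python is an added example written for this page; it is not code from the patent or from Maipu. It assumes Ethernet and IPv4 address lengths of 6 and 4 bytes, assumes the MD5 input is the user name, the random number and the password concatenated in that order (the patent names the inputs but not their order), and the user/password database, MAC and IP addresses and response strings are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# Operation type values from Table 1: 1-4 are conventional ARP/RARP,
# 21-24 are the secure variants that carry user information.
OP_ARP_REQUEST, OP_ARP_REPLY, OP_RARP_REQUEST, OP_RARP_REPLY = 1, 2, 3, 4
OP_SARP_REQUEST, OP_SARP_REPLY, OP_SRARP_REQUEST, OP_SRARP_REPLY = 21, 22, 23, 24
SECURE_OPS = {OP_SARP_REQUEST, OP_SARP_REPLY, OP_SRARP_REQUEST, OP_SRARP_REPLY}

HW_ETHERNET = 1     # column 1: 1 means Ethernet
PROTO_IP = 0x0800   # column 2: 0x0800 means IP
NONCE_LEN = 32      # random number field: 32 bytes

# Constructed sample data (hypothetical): the authentication server's
# user/password database and the addresses of one host and its gateway.
USER_DB = {"alice": "alice-secret"}
MAC_A = bytes.fromhex("020000000001")
MAC_ZERO = bytes(6)
IP_A = bytes([192, 168, 1, 10])
IP_GW = bytes([192, 168, 1, 1])


def digest(user, nonce, password):
    """Digest over user name, random number and password (claim 3), MD5 as in
    claim 6. The concatenation order is an assumption; the patent does not fix it."""
    return hashlib.md5(user.encode() + nonce + password.encode()).digest()


def build_message(op, sender_mac, sender_ip, target_mac, target_ip,
                  user=None, password=None, nonce=None):
    """Encode a conventional (op 1-4) or secure (op 21-24) message in the Table 1 layout."""
    msg = struct.pack("!HHBBH", HW_ETHERNET, PROTO_IP, 6, 4, op)
    msg += sender_mac + sender_ip + target_mac + target_ip
    if op in SECURE_OPS:
        nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
        user_b = user.encode()
        d = digest(user, nonce, password)
        # user information: random number, user name length, user name, digest length, digest
        msg += nonce + bytes([len(user_b)]) + user_b + bytes([len(d)]) + d
    return msg


def parse_message(msg):
    """Decode a message into a dict of fields; return None if it is truncated or malformed."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(msg):
            raise ValueError("truncated message")
        chunk = msg[pos:pos + n]
        pos += n
        return chunk

    try:
        hw, proto, hlen, plen, op = struct.unpack("!HHBBH", take(8))
        fields = {"hw": hw, "proto": proto, "op": op,
                  "sender_mac": take(hlen), "sender_ip": take(plen),
                  "target_mac": take(hlen), "target_ip": take(plen)}
        if op in SECURE_OPS:
            fields["nonce"] = take(NONCE_LEN)
            fields["user"] = take(take(1)[0]).decode()
            fields["digest"] = take(take(1)[0])
        if pos != len(msg):
            raise ValueError("trailing bytes")
    except (ValueError, UnicodeDecodeError):
        return None
    return fields


def authenticate(fields, user_db=USER_DB):
    """Server side, steps b1-b3: look up the password by user name, recompute the
    digest over the received random number, compare with the received digest."""
    password = user_db.get(fields["user"])
    if password is None:
        return False
    expected = digest(fields["user"], fields["nonce"], password)
    return hmac.compare_digest(expected, fields["digest"])


# Response action for each secure operation type (claim 7).
RESPONSE = {
    OP_SARP_REQUEST: "send secure ARP reply",
    OP_SARP_REPLY: "update local ARP table",
    OP_SRARP_REQUEST: "send secure RARP reply",
    OP_SRARP_REPLY: "update local ARP table",
}


def handle(msg, user_db=USER_DB):
    """Receiver with secure ARP enabled: conventional ARP gets no response; secure
    ARP is authenticated and answered only when authentication passes."""
    fields = parse_message(msg)
    if fields is None:
        return "ignore: malformed"
    if fields["op"] not in SECURE_OPS:
        return "ignore: conventional ARP"
    if not authenticate(fields, user_db):
        return "ignore: authentication failed"
    return RESPONSE[fields["op"]]
```

Feeding `handle` a secure ARP request built with a registered user's password yields "send secure ARP reply"; the same request with a wrong password or an unknown user, a conventional ARP request (operation type 1) and a truncated message are all ignored. Note what the check establishes: as the patent describes it, the digest inputs are the user name, the random number and the password, so a passing check shows that the sender knows a registered user's password; the address fields in columns 6 to 9 are not among the digest inputs, which a deployment should keep in mind when deciding how far to trust the binding carried in an authenticated message.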

Claims (8)

1. A method for improving LAN communication security, characterized by comprising the following steps:
a. add user information to the address resolution protocol;
b. set up an authentication server and authenticate the user information in the address resolution protocol;
c. respond if authentication passes, otherwise do not respond.
2. The method for improving LAN communication security according to claim 1, characterized in that: the user information consists of a user name length field, a user name field, a random number field, a digest length field and a digest field.
3. The method for improving LAN communication security according to claim 2, characterized in that: the digest field is formed by computing a digest over the user name, the random number and the user password with a digest algorithm.
4. The method for improving LAN communication security according to claim 3, characterized in that: step b is:
b1. the authentication server extracts the user password from its database according to the user name in the received address resolution protocol message;
b2. the above user password is combined with the random number in the received address resolution protocol message and a digest is computed with the same digest algorithm;
b3. the computed result is compared with the digest in the received address resolution protocol message; if they are identical, authentication passes, otherwise authentication fails.
5. The method for improving LAN communication security according to claim 3 or 4, characterized in that: the digest algorithm is a one-way, irreversible digest algorithm.
6. The method for improving LAN communication security according to claim 5, characterized in that: the digest algorithm is MD5.
7. The method for improving LAN communication security according to claim 1, characterized in that: in step c, the responding means: on receiving a secure ARP request, send a secure ARP reply; on receiving a secure ARP reply, update the local ARP information table; on receiving a secure RARP request, send a secure RARP reply; on receiving a secure RARP reply, update the local ARP information table.
8. The method for improving LAN communication security according to claim 1, characterized in that: the authentication server is located on the gateway.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006100206211A CN100571272C (en) 2006-03-30 2006-03-30 Improve the method for LAN communication safety

Publications (2)

Publication Number Publication Date
CN1825853A true CN1825853A (en) 2006-08-30
CN100571272C CN100571272C (en) 2009-12-16

Family

ID=36936292

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006100206211A Expired - Fee Related CN100571272C (en) 2006-03-30 2006-03-30 Improve the method for LAN communication safety

Country Status (1)

Country Link
CN (1) CN100571272C (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103873478A (en) * 2014-03-28 2014-06-18 上海斐讯数据通信技术有限公司 Method for ensuring security of ARP message

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100353717C (en) * 2003-03-28 2007-12-05 华为技术有限公司 Safety access control method for internet protocol

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101175321B (en) * 2006-10-30 2011-11-30 鸿富锦精密工业(深圳)有限公司 Network access equipment, internetwork connection establishing method and mobile communication system using the same
CN103297559A (en) * 2013-05-09 2013-09-11 厦门亿联网络技术股份有限公司 Method for quickly searching equipment information within local area network
CN103347031A (en) * 2013-07-26 2013-10-09 迈普通信技术股份有限公司 Method and equipment for preventing address resolution protocol (ARP) message attack
CN103347031B (en) * 2013-07-26 2016-03-16 迈普通信技术股份有限公司 A kind of method and apparatus taking precautions against ARP message aggression
CN103731258A (en) * 2013-12-20 2014-04-16 三星电子(中国)研发中心 Method and device for generating secret key
CN105207778A (en) * 2014-07-03 2015-12-30 清华大学深圳研究生院 Method of realizing package identity identification and digital signature on access gateway equipment
CN105207778B (en) * 2014-07-03 2019-04-16 清华大学深圳研究生院 A method of realizing packet identity and digital signature on accessing gateway equipment
US11277442B2 (en) * 2019-04-05 2022-03-15 Cisco Technology, Inc. Verifying the trust-worthiness of ARP senders and receivers using attestation-based methods

Also Published As

Publication number Publication date
CN100571272C (en) 2009-12-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20091216