CN1921488A - Method for preventing forgery of source address based on signature authentication inside IPv6 sub network - Google Patents

Info

Publication number
CN1921488A
Authority
CN
China
Prior art keywords
message
source address
session key
address
ipv6
Prior art date
Legal status
Granted
Application number
CNA2006101131922A
Other languages
Chinese (zh)
Other versions
CN100452799C (en)
Inventor
毕军
吴建平
解利忠
Current Assignee
Tsinghua University
Original Assignee
Tsinghua University
Priority date
Filing date
Publication date
Application filed by Tsinghua University
Priority to CNB2006101131922A
Publication of CN1921488A
Application granted
Publication of CN100452799C
Legal status: Expired - Fee Related (current)
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract


A method for preventing source address forgery based on signature authentication inside an IPv6 subnet belongs to the field of network security. The invention is characterized in that: a packet sent by a user host to the external network carries a signature formed with the message digest function MD5 or SHA1 from the session key, the source address, the destination address, the packet sequence number and so on; a security authentication gateway deployed at the entrance of the IPv6 subnet's border router authenticates the packet signature to confirm that the packet's source address has not been forged; at the same time, the security authentication gateway determines whether a packet is a replay by checking whether its sequence number increases within the lifetime of the session key. The method effectively prevents source address forgery inside IPv6 subnets, its performance is sufficient for the requirements of existing subnets, and it supports incremental deployment, so it can be promoted by gradually deploying security authentication gateways in some IPv6 subnets.


Description

Method for preventing source address forgery inside an IPv6 subnet based on signature authentication
Technical field
The method for preventing source address forgery inside an IPv6 subnet based on authentication belongs to the field of Internet technology, and in particular to network security technology.
Background technology
The existing Internet did not fully consider security in its design phase: it lacks a systematic security architecture, and the underlying TCP/IP protocols have no complete built-in security mechanisms. Yet as the scale of the Internet and its number of users have grown, its security problems have become ever more serious. Among the many security threats, one important root cause is rampant IP address forgery. A great many attacks, such as DDoS attacks, TCP SYN flood attacks, smurf attacks and ICMP redirection attacks, all depend on forging IP addresses. The existing packet forwarding mechanism is based on the destination address: the source address is not checked in any way, and no state information about packet forwarding is kept. Source IP address forgery is therefore very easy, and the attacker cannot be traced after an attack occurs. According to statistics from the US Computer Emergency Response Team Coordination Center (CERT/CC), the growth in Internet security incidents has far outpaced the growth in the scale of the Internet and has seriously affected its normal operation.
To solve the source IP address forgery problem and guarantee access with genuine addresses, many schemes have been proposed so far, summarized as follows:
● Authenticated encryption methods. This is genuine end-to-end verification of the source IP address. The two communicating parties negotiate keys and establish an authenticated secure connection in advance, then communicate over that secure connection. The representative scheme is IPsec.
● Traceback methods. These are after-the-fact measures. During packet forwarding, routers record forwarding state information either in the packets themselves or in separate ICMP (Internet Control Message Protocol) messages. After forwarding is complete, when the receiving end discovers illegitimate packets, it uses the previously recorded state information to trace back from the destination to the source. Representative schemes include SPIE, iTrace, iTrace-CP, PPM, APPM, PPPM and DPM.
● Filtering methods. These are preventive measures. During packet forwarding, packet filters deployed in the network, mainly on routers and generated from certain filtering rules, verify the authenticity of the forwarded packets' source IP addresses online and in real time. Representative schemes include ingress filtering, DPF and SAVE.
Yet all of these schemes currently have shortcomings:
● The greatest drawback of end-to-end authentication such as IPsec is that the routing system in the middle of the network cannot verify the authenticity of the data source.
● The drawbacks of traceback methods are: first, they are after-the-fact measures and cannot prevent the transmission of spoofed-source packets in the network in real time; second, the traceback algorithms that form their core are complex and costly to implement; third, they usually depend on the sensitivity of an intrusion detection system.
● The main drawback of existing filtering methods is that they filter only by network prefix; the granularity is coarse, and no further filtering is done by host address. They can therefore prevent source address forgery between autonomous domains and within an autonomous domain, but not within a subnet.
Because filtering is a preventive measure that verifies genuine addresses in real time during packet forwarding, it can contain losses before they occur and is the most practical approach in real deployments. Addressing the problem that existing filtering methods are too coarse to prevent source address forgery within a subnet, the present invention proposes, from the filtering angle, a scheme that guarantees the authenticity of source addresses in an IPv6 subnet. The scheme mainly authenticates host addresses within the subnet in order to filter forged packets. That is, when a forger in the subnet spoofs the address of another host in the subnet to communicate with the external network, or replays packets that another host in the subnet sent to the external network, the egress router will fail to authenticate those packets, so the forger cannot harm the external network. Only packets with genuine addresses pass verification and communicate normally with the external network. Combined with existing filtering schemes within and between autonomous domains (such as SAVE), this achieves prevention of source address forgery at every granularity across the whole network.
Summary of the invention
The object of the present invention is to provide an authentication-based scheme for guaranteeing source address authenticity in an IPv6 subnet, such that both the packets an attacker sends to the external network while spoofing the address of another host in the subnet and the packets the attacker replays from another host in the subnet to the external network are all filtered. Combined with existing filtering schemes within and between autonomous domains (such as SAVE), this achieves prevention of source address forgery across the whole network.
Here, a subnet means a local area network (LAN) in which the hosts connect to the external network through a router, as in Fig. 1. Preventing source address forgery within a subnet means preventing the source address of a legitimate packet sent to the external network from being forged by another attacking host in the same subnet for the purpose of a malicious attack or other illegal activity. For most subnets (such as a school campus network or the network of another ordinary organization), if the users in the subnet communicate only within that subnet, even mutual address forgery will not cause major political or economic loss or legal dispute, and the damage is confined to the subnet without affecting the normal operation of the external network. However, once a user in the subnet spoofs the address of another user in the subnet to communicate with the external network, this can not only pose a major political or economic threat but also affect the normal operation of the external network. Besides the above, the increasingly popular wireless LAN (WLAN) is another typical representative of this type of subnet: since each access point connects only a limited number of wireless hosts, ensuring that their addresses are genuine when they leave the subnet greatly improves the security of the wireless network.
The idea of the method provided by the present invention is as follows: a security authentication gateway is deployed at the entrance of the border router of the IPv6 subnet, as in Fig. 2. When a host in the subnet accesses the network, it must perform access authentication with this security authentication gateway, which binds the host's IP address to a session key shared between the host and the security gateway. After access authentication, every packet the host sends to the external network must carry a signature (generated jointly from the packet's source address, destination address, the session key, etc.). All such packets pass through the security authentication gateway, which verifies the signature carried in the packet; only a packet that passes verification is sent on to the external network, otherwise it is discarded.
At the same time, the method also designs a unique way of preventing replay attacks. A replay attack is in a sense also a kind of address forgery: if a user in the subnet eavesdrops on another user's exchange with the external network and then replays those packets to the security authentication gateway, a gateway relying on signature verification alone will wrongly accept and forward them (because the source address of a replayed packet is genuine). The method uses a unique combination of sequence numbers and timestamps to prevent replay attacks. In this way, the anti-replay mechanism, combined with the mechanism for verifying source address authenticity, guarantees that the source addresses of all packets sent from the subnet are genuine.
The invention is characterized in that the method follows the idea of preventive filtering and uses authentication to ensure, online and in real time, that the source addresses of the packets the subnet sends to the external network are not forged. This process includes both a source address authenticity authentication mechanism using keyed-hash message authentication code (HMAC) signatures and an anti-replay mechanism combining sequence numbers with timestamps.
The method contains the following steps in sequence:
Step (1): when a user host in the IPv6 subnet accesses the network, it first performs access authentication with a security authentication gateway deployed at the entrance of the border router of the IPv6 subnet; this process is implemented with the Remote Authentication Dial-In User Service protocol (RADIUS) or an identity authentication mechanism;
Step (2): after the user host passes authentication, it generates a session key represented by a random number of at least 12 bytes;
Step (3): the user host sends the session key generated in step (2) to the security authentication gateway, which binds the host's IP address to its session key and stores the binding in an IP source address and session key binding database;
Step (4): the user host signs every packet it sends to the external network with the keyed-hash message authentication method HMAC; the signature is computed from the session key, the host's source address, the destination address, the sequence number, etc. The signature forms a "true address verification header", which is inserted after the IPv6 header as a new IPv6 extension header, but before all other extension headers;
Step (5): the security authentication gateway verifies the packet's signature information with HMAC to confirm whether the packet's source address is forged; if it is forged, the gateway discards the packet, otherwise it proceeds to the next step;
Step (6): the security authentication gateway determines whether the packet is a replay by checking whether the packet's sequence number increases within the lifetime of the session key. To resist replay attacks, the lifetime of the session key must be less than the time the packet sequence number takes to wrap around once. If the sequence number increases within the lifetime of the session key, the packet is not a replay and is forwarded; otherwise the packet is discarded and forwarding is refused.
In addition, the session key must be changed regularly to ensure security.
The scheme proposed by the present invention for guaranteeing source address authenticity in a subnet can be widely deployed in IPv6 subnets to improve security. Because the authentication method does not involve encryption and decryption but uses the keyed-hash message authentication method HMAC of RFC 2104, the algorithm is very efficient. Experiments show that a software implementation of HMAC/MD5 (HMAC with the MD5 message digest hash as the underlying algorithm) on a Pentium 4 2.1 GHz CPU processes roughly 1.63 Gbps, which is comparable to the throughput at Tsinghua University's egress; a hardware implementation could perform even better. The method is therefore fully feasible.
Another advantage of the present invention is that it suits incremental deployment and plug-and-play: it can be promoted by gradually deploying security authentication gateways in some IPv6 subnets. Combined with intra-domain or inter-domain filtering techniques (such as SAVE), it forms a complete network-wide mechanism for preventing source address forgery. The present invention has been applied in network equipment jointly developed by Tsinghua University and Bitway Network Technology Co., Ltd., and is planned for promotion in CERNET2 and China's next-generation network CNGI.
Description of drawings
Fig. 1. Schematic of an existing subnet architecture;
Fig. 2. Schematic of the true-address access system architecture in a subnet;
Fig. 3. HMAC schematic;
Fig. 4. Format of the "true address verification header";
Fig. 5. Overall system workflow;
Fig. 6. Schematic of a concrete implementation of the system.
Embodiment
Within the subnet, user access authentication can use a common identity authentication mechanism such as RADIUS. Below we mainly introduce the two core mechanisms of the present invention: the packet source address authenticity authentication mechanism and the anti-replay mechanism. For source address authenticity we adopt keyed-hash message authentication (HMAC) between the host and the security authentication gateway, as in Fig. 3. The authentication process in Fig. 3 is as follows:
(1) The two communicating parties (host A and security authentication gateway B) share a common session key S. Host A concatenates specific parts of the message M to be sent to B (source address, destination address, message sequence number, etc.) with S, computes a hash value with a message digest function such as MD5 or SHA1, and produces the message authenticator H[M||S];
(2) Host A appends the authenticator H[M||S] to the message M, forming the pair <M, H[M||S]>, and sends it to security authentication gateway B;
(3) On receiving this pair, B, which also knows S, recomputes the hash value from the received message and compares the result with the hash value in the message. If the two values are equal, B confirms that the data was really sent by host A; if they are unequal, B infers that the data was sent by a forger and discards it.
For anti-replay we adopt a method that combines sequence numbers with timestamps. Both timestamps and sequence numbers are popular anti-replay methods today. The principle of the timestamp method is: host A initiates communication with security authentication gateway B and adds to each packet it sends a timestamp indicating the sending time T_a. When B receives the packet, it reads the current local time T_b. If the receiving time window B allows is ΔT, then a packet with |T_b − T_a| > ΔT is a replay and is discarded. However, because absolute clock synchronization between different participants is impossible and the transmission time in the network is uncertain, ΔT is generally set larger than the actual transmission time. So when B receives a packet from A with |T_b − T_a| < ΔT, the method treats it as a non-replay; in this case, a replayed packet sent within the remaining (ΔT − |T_b − T_a|) is still wrongly accepted by B. The granularity with which this method resists replay attacks is therefore coarse.
The principle of the sequence number method is: in an authenticated exchange, each packet is given an ordinal number; the sequence number increments each time a new packet is sent, and a packet is accepted only when its sequence number is in legitimate order. This requires the authenticating party to keep the sequence number of the last packet and to accept a received packet only when its sequence number is greater than the stored one. But this method cannot reliably resist replay attacks. In practice a sequence number has a fixed length, for example 16 bits, so its maximum value is 65535. Once the sequence number has been incremented to this value it counts again from 0, and so on cyclically. This wrap-around gives a replay attacker an opportunity. For example, host A initiates communication with security authentication gateway B; in round n, while the sequence number runs from 0 to 65535, the attacker intercepts and stores A's packet with sequence number 300. In the subsequent rounds n+1, n+2, ... , as long as host A is sending packets with sequence numbers below 300, the attacker can send the packet stored in round n to B, and B cannot recognize it as a replay. The sequence number method alone therefore cannot reliably and effectively resist replay attacks.
Based on this, we propose combining timestamps and sequence numbers to resist replay attacks reliably. Adding a timestamp to each packet gives coarse-grained resistance; as described above, a timestamp alone cannot resist replays within the receiving time window ΔT that the verifying end allows, so we additionally set a sequence number in the packet to solve this problem. Taking again host A communicating with security authentication gateway B: when B receives a packet with |T_b − T_a| < ΔT (T_a: the packet timestamp indicating the sending time; T_b: the current time at which B receives the packet; ΔT: the receiving time window B allows), it records the sequence number carried in that packet. During the remaining (ΔT − |T_b − T_a|), if B receives a packet from the same IP address whose sequence number is less than or equal to the recorded one, it is still a replay and is discarded; otherwise it is a legitimate packet.
This method overcomes the defect of the sequence number method while also overcoming the drawback of the timestamp mechanism. We set the receiving time window ΔT allowed by the receiving end to less than the time the sequence number takes to wrap around once, so the timestamp mechanism avoids the replay attacks caused by sequence number wrap-around.
However, in our method a timestamp need not be carried in the packet. Because, to make session key renewal convenient, the packets a host sends to the external network carry the version number of the session key currently in use, we can use the session key version number as the packet's timestamp, and the lifetime of the session key then plays the role of the receiving end's allowed time window. We set the lifetime of the session key to less than the time the sequence number takes to wrap around once; at the same time we use a long sequence number, so that the session key lifetime is not too short and still meets key security requirements.
Thus, combining the two anti-replay methods, sequence numbers and timestamps, overcomes the defects of both and yields a reliable scheme for resisting replay attacks.
In this method, the signature carried by the packet and the sequence number used for anti-replay are placed in a newly designed IPv6 extension header called the "true address verification header". The format of this extension header is shown in Fig. 4. Its fields are described as follows:
● Next header: 8 bits. Indicates the type of the header immediately following the "true address verification header", which may be another extension header or an upper-layer (TCP/UDP etc.) protocol header.
● Header length: 8 bits. Indicates the length of this header, not including the initial 8 bytes.
● Message digest algorithm type: 8 bits. Describes the signature algorithm used; MD5, the algorithm currently used, is numbered 1.
● Key version number: 8 bits. Makes renewal of the session key convenient.
● Sequence number: 32 bits. Used to resist replay attacks.
● Verification data (variable length): the verification data; if MD5 is used, its size is 128 bits. The verification data should contain a hash over the following components:
■ IPv6 source address, 16 bytes
■ IPv6 destination address, 16 bytes
■ Session key, 12 bytes or more
■ Session key version number, 2 bytes
■ Sequence number, 4 bytes
Thus:
Verification data = message digest (IPv6 source address + IPv6 destination address + session key + session key version number + sequence number).
Fig. 5 gives the overall system workflow, which is as follows:
(1) When a host communicates with the external network, every IPv6 packet it sends carries the "true address verification header" extension header, which contains the signature information (see the "true address verification header" section above) the security gateway needs to verify the authenticity of the packet's source IP address. This header is placed after the IPv6 header and before all other extension headers.
(2) After the security authentication gateway receives the packet, it performs the following checks:
a) if the packet does not carry a "true address verification header", discard it directly;
b) verify the signature information with HMAC against the database information, to determine whether the source address really belongs to that host; if verification fails, discard the packet;
c) determine from the sequence number in the packet whether it increases within the lifetime of the session key, i.e. whether the packet is a replay; if so, discard it.
(3) After the packet passes verification, remove the "true address verification header" and reassemble the packet. This is because of partial deployment: if another subnet has not deployed this system, it will discard the packet because it does not recognize this extension header. With global deployment this step is unnecessary, but to protect user privacy we require the security authentication gateway to fill the key version number, sequence number and signature fields of the user's true address verification header with zeros.
After completing the above, the security authentication gateway forwards the packet.
Fig. 6 gives a concrete example illustrating a specific embodiment of the present invention:
In Fig. 6, A is the victim, B forges A's source address to send packets to the external network, and C monitors the packets A sends and replays them. When the source address authenticity authentication mechanism and the anti-replay mechanism on the security authentication gateway are turned off, all forged and replayed packets reach the external network unhindered. Once the functions on the security authentication gateway are turned on, 100% of the forged packets sent by B and of the replayed packets sent by C are filtered out by the gateway (tested by sending 10,000,000 packets). C's replay attack is fairly simple: it merely monitors A's packets and sends them to the security authentication gateway. Since the sequence numbers of the replayed packets do not increase, the gateway identifies them as replays and discards them. B's forgery can be divided into the following kinds:
1. Simple forgery. B only forges A's source address and sends packets to the security authentication gateway. Since B does not have A's session key, the gateway easily identifies from the signature that the packet was sent with A's address forged, and discards it.
2. Comprehensive forgery. B intercepts the packets A sends, forges the source and destination addresses of its own packets into the source and destination addresses of the intercepted packets, and attaches the "true address verification header" from the intercepted A packets to the packets it sends. Now the security authentication gateway cannot identify the source address as forged by verifying the signature with HMAC (because all of the HMAC check information is identical to that of the genuine packets A sent). However, because such a packet cannot change the sequence number taken from A's packet without failing the HMAC check, the security authentication gateway identifies it as a replay and discards it.
It can be seen that with such an authentication-based mechanism for guaranteeing true addresses in a subnet, every packet sent to the external network with a forged source address or as a replay is filtered out by the security authentication gateway, which guarantees that the source address of every packet sent from this subnet to the external network is genuine. This shows that the present invention achieves its intended purpose.
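The HMAC signing and verification sequence of Fig. 3, the "true address verification header" layout of Fig. 4, the gateway checks of Fig. 5 and the forgery and replay scenario of Fig. 6 are modelled together in the following added Python example. It is not code from the patent or from Tsinghua University: the addresses, session keys and the 24-byte header packing are constructed here, the verification data is computed as HMAC-MD5 (RFC 2104) keyed with the session key rather than as a plain digest over the concatenated fields, and the gateway treats the key version number as the replay window in the way the description above suggests.

```python
import hmac
import hashlib
import struct
import ipaddress

# Layout of the "true address verification header" as the description gives it:
# next header (8 bits), header length (8 bits), digest algorithm type (8 bits, MD5 = 1),
# key version (8 bits), sequence number (32 bits), verification data (128 bits for MD5).
DIGEST_MD5 = 1
HDR_FMT = "!BBBBI16s"
HDR_LEN = struct.calcsize(HDR_FMT)   # 24 bytes in total


def _addr(a):
    """Normalise an IPv6 address string to its canonical text form."""
    return str(ipaddress.IPv6Address(a))


def compute_auth(session_key, src, dst, key_version, seq):
    """Verification data: HMAC-MD5 keyed with the session key over
    src || dst || key version (2 bytes) || sequence number (4 bytes).
    Assumption: the description names HMAC in steps (4)-(5) but writes the
    verification data as a digest over concatenated fields; here the session
    key is used as the HMAC key instead of being concatenated."""
    msg = (ipaddress.IPv6Address(src).packed
           + ipaddress.IPv6Address(dst).packed
           + struct.pack("!HI", key_version, seq))
    return hmac.new(session_key, msg, hashlib.md5).digest()


def build_header(session_key, src, dst, key_version, seq, next_header=6):
    """Host side (step 4): the extension header inserted right after the IPv6 header.
    The header length field excludes the first 8 bytes, as the description states."""
    auth = compute_auth(session_key, src, dst, key_version, seq)
    return struct.pack(HDR_FMT, next_header, HDR_LEN - 8, DIGEST_MD5,
                       key_version, seq, auth)


def redact_header(header):
    """Egress privacy step (Fig. 5, step 3, global deployment): zero the key
    version, sequence number and signature fields before forwarding."""
    nh, hlen, dtype, _kver, _seq, _auth = struct.unpack(HDR_FMT, header)
    return struct.pack(HDR_FMT, nh, hlen, dtype, 0, 0, bytes(16))


class Gateway:
    """Security authentication gateway: the binding database of step (3) plus
    the per-source replay state used in steps (5) and (6)."""

    def __init__(self):
        self.bindings = {}   # src address -> (key version, session key)
        self.last_seq = {}   # (src address, key version) -> highest accepted seq

    def bind(self, src, key_version, session_key):
        """Record the binding from access authentication; a new key version opens
        a fresh sequence-number window (the key lifetime acts as the timestamp window)."""
        self.bindings[_addr(src)] = (key_version, session_key)

    def check(self, src, dst, header):
        """Return (forward, reason) for one outbound packet."""
        if len(header) != HDR_LEN:
            return False, "no true address verification header"
        _nh, _hlen, dtype, kver, seq, auth = struct.unpack(HDR_FMT, header)
        binding = self.bindings.get(_addr(src))
        if binding is None or binding[0] != kver or dtype != DIGEST_MD5:
            return False, "unknown source address or stale key version"
        expected = compute_auth(binding[1], src, dst, kver, seq)
        if not hmac.compare_digest(expected, auth):
            return False, "signature mismatch: forged source address"
        window = (_addr(src), kver)
        if seq <= self.last_seq.get(window, -1):
            return False, "sequence number not increasing: replay"
        self.last_seq[window] = seq
        return True, "forward"


def simulate():
    """Run the Fig. 6 scenario on constructed addresses and keys; returns the verdicts."""
    a = "2001:db8::a"                 # constructed: A, the victim
    b = "2001:db8::b"                 # constructed: B, the forger
    ext = "2001:db8:ffff::1"          # constructed external destination
    key_a, key_b = b"A" * 12, b"B" * 12   # constructed session keys (>= 12 bytes)
    gw = Gateway()
    gw.bind(a, 1, key_a)
    gw.bind(b, 1, key_b)
    results = {}
    results["A legit"] = gw.check(a, ext, build_header(key_a, a, ext, 1, 1))[0]
    # B, simple forgery: A's address but signed with B's own key
    results["B simple forgery"] = gw.check(a, ext, build_header(key_b, a, ext, 1, 1))[0]
    # C, replay: A's already-accepted header sent again unchanged
    results["C replay"] = gw.check(a, ext, build_header(key_a, a, ext, 1, 1))[0]
    # A's next packet passes; B then attaches that captured header to its own payload
    captured = build_header(key_a, a, ext, 1, 2)
    results["A next"] = gw.check(a, ext, captured)[0]
    results["B comprehensive forgery"] = gw.check(a, ext, captured)[0]
    # A renews its key (version 2): the sequence window restarts, old headers are rejected
    gw.bind(a, 2, b"C" * 12)
    results["A after key rotation"] = gw.check(a, ext, build_header(b"C" * 12, a, ext, 2, 1))[0]
    results["old version replayed"] = gw.check(a, ext, captured)[0]
    return results


if __name__ == "__main__":
    for case, forwarded in simulate().items():
        print(f"{case:28s} -> {'forward' if forwarded else 'drop'}")
```

The gateway holds one highest-accepted sequence number per (source address, key version) pair, so a replayed or copied header fails only after the genuine packet has passed, which is exactly the ordering the "comprehensive forgery" case relies on; a key renewal deliberately resets the window, which is why the session key lifetime must stay below the sequence-number wrap time.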

Claims (2)

1. A method for preventing source address forgery based on signature authentication inside an IPv6 subnet, characterized in that the method contains the following steps in sequence:
Step (1): when a user host in the IPv6 subnet accesses the network, it first performs access authentication with a security authentication gateway deployed at the entrance of the border router of the IPv6 subnet; this process is implemented with the Remote Authentication Dial-In User Service protocol (RADIUS) or an identity authentication mechanism;
Step (2): after the user host passes authentication, it generates a session key represented by a random number of at least 12 bytes;
Step (3): the user host sends the session key generated in step (2) to the said security authentication gateway, which binds the host's IP address to its session key and stores the binding in an IP source address and session key binding database;
Step (4): the user host signs every packet it sends to the external network with the keyed-hash message authentication method HMAC; the signature is composed of the said session key, the user host's source address, the destination address, the sequence number, etc. The signature forms a true address verification header, which is inserted after the IPv6 header as a new IPv6 extension header, but before all other extension headers;
Step (5): the said security authentication gateway verifies the packet's signature information with the keyed-hash message authentication method HMAC to confirm whether the packet's source address is forged; if it is forged, the gateway discards the packet, otherwise it proceeds to the next step;
Step (6): the security authentication gateway determines whether the packet is a replay by checking whether the packet's sequence number increases within the lifetime of the session key. To resist replay attacks, the lifetime of the said session key must be less than the time the packet sequence number takes to wrap around once. If the sequence number increases within the lifetime of the session key, the packet is not a replay and is forwarded; otherwise the packet is discarded and forwarding is refused.
2. The method for preventing source address forgery based on signature authentication inside an IPv6 subnet according to claim 1, characterized in that when other IPv6 subnets have not deployed the module of the said method for preventing source address forgery, a step of removing the true address verification header and reassembling the packet is added after step (6) of claim 1 has judged the packet to be a non-replay packet.
CNB2006101131922A 2006-09-19 2006-09-19 Method for preventing forgery of source address based on signature authentication inside IPv6 sub network Expired - Fee Related CN100452799C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006101131922A CN100452799C (en) 2006-09-19 2006-09-19 Method for preventing forgery of source address based on signature authentication inside IPv6 sub network


Publications (2)

Publication Number Publication Date
CN1921488A true CN1921488A (en) 2007-02-28
CN100452799C CN100452799C (en) 2009-01-14

Family

ID=37779059


Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009067908A1 (en) * 2007-11-09 2009-06-04 Huawei Technologies Co., Ltd. A protection method and device during a mobile ipv6 fast handover
WO2010000171A1 (en) * 2008-06-30 2010-01-07 成都市华为赛门铁克科技有限公司 Communication establishing method, system and device
CN101795454A (en) * 2010-02-10 2010-08-04 熊文俊 Method and system of double identity authentication based on mobile communication independent channel
CN101170564B (en) * 2007-11-30 2010-08-11 清华大学 Method for preventing from counterfeiting IP source address based on end-to-end automatic synchronization
CN101808142A (en) * 2010-03-10 2010-08-18 上海十进制网络信息技术有限公司 Method and device for realizing trusted network connection through router or switch
CN101843077A (en) * 2007-10-29 2010-09-22 诺基亚西门子通信公司 Session and media binding to common control
CN101938530A (en) * 2010-09-03 2011-01-05 清华大学 User identity authentication and traceability method in address translation equipment
CN102045882A (en) * 2009-10-19 2011-05-04 华为技术有限公司 Method, device and system of external communication of 6LoWPAN (internet protocol 6 over low power wireless personal area network) intra-network device and outside
WO2011097821A1 (en) * 2010-02-12 2011-08-18 华为技术有限公司 Method, apparatus and system for media data replay statistics
WO2011137819A1 (en) * 2010-07-26 2011-11-10 华为技术有限公司 Time message processing method, apparatus and system
CN102404220A (en) * 2011-11-25 2012-04-04 湖南军通信息科技有限公司 Security router equipment based on private protocol and implementation method
CN101702727B (en) * 2009-11-25 2012-09-05 北京交通大学 Method for defending against DDos in address disjunction mapping network
CN105848095A (en) * 2016-05-25 2016-08-10 深圳时瑞鸿科技有限公司 Non-connecting bluetooth network transmission method and apparatus
CN108306858A (en) * 2017-12-26 2018-07-20 成都卫士通信息产业股份有限公司 The anti-fake guard method of Ethernet data and system
CN109120602A (en) * 2018-07-25 2019-01-01 中国人民公安大学 A kind of IPv6 attack source tracing method
CN110392128A (en) * 2019-08-20 2019-10-29 清华大学 Method and system for providing quasi-addressless IPv6 open world wide web service
CN110493367A (en) * 2019-08-20 2019-11-22 清华大学 The non-public server of unaddressed IPv6, client computer and communication means
CN110677424A (en) * 2019-09-30 2020-01-10 华南理工大学广州学院 Electric power firewall falsification addressing filtering method based on Hash algorithm
CN111431846A (en) * 2019-05-30 2020-07-17 杭州海康威视数字技术股份有限公司 Data transmission method, device and system
CN113395247A (en) * 2020-03-11 2021-09-14 华为技术有限公司 Method and equipment for preventing replay attack on SRv6HMAC verification
CN113630378A (en) * 2021-06-29 2021-11-09 清华大学 IPv6 network access source address verification deployment measurement method and device based on ICMP speed limit
CN113949519A (en) * 2020-06-29 2022-01-18 中国电信股份有限公司 Method and system for implementing user identity fidelity
CN114389835A (en) * 2021-12-01 2022-04-22 青海师范大学 An IPv6 option explicit source address encryption security verification gateway and verification method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ATE329443T1 (en) * 2003-03-27 2006-06-15 Motorola Inc COMMUNICATION BETWEEN A PRIVATE NETWORK AND A MOBILE DEVICE
CN100596137C (en) * 2003-11-25 2010-03-24 华为技术有限公司 A method for checking IP message stream security



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information

Inventor after: Bi Jun

Inventor after: Wu Jianping

Inventor after: Li Chongrong

Inventor after: Xie Lizhong

Inventor before: Bi Jun

Inventor before: Wu Jianping

Inventor before: Xie Lizhong

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: BI JUN WU JIANPING JIE LIZHONG TO: BI JUN WU JIANPING LI CHONGRONG JIE LIZHONG

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090114