CN200973108Y - Access equipment for implementing safety access - Google Patents

Access equipment for implementing safety access

Info

Publication number
CN200973108Y
Authority
CN (China)
Prior art keywords
arp, module, dhcp, safety, plane module
Legal status
Expired - Lifetime
Application number
CNU2006200143542U
Other languages
Chinese (zh)
Inventor
陈爱民
Current assignee
ZTE Corp
Original assignee
ZTE Corp
Priority date
2006-06-29
Filing date
2006-06-29
Publication date
2007-11-07

Abstract

The utility model discloses an access device for implementing secure access. It comprises an interconnected control plane module and data plane module. The control plane module comprises a secure ARP module, a binding database and a DHCP module. The secure ARP module is connected to the data plane module; it performs the validity check of upstream and downstream ARP packets and answers the ARP requests of the Broadband Remote Access Server (BRAS). The binding database is connected to the secure ARP module and the DHCP module and stores the contents of the DHCP packets extracted by the DHCP module. The data plane module intercepts and sends upstream and downstream ARP packets and submits ARP packets to the secure ARP module of the control plane module. By having the access device answer users' ARP requests as a proxy, the utility model effectively prevents IP address spoofing attacks.

Description

Access device for implementing secure access
Technical field
The utility model relates to network access equipment and, specifically, to an access device for implementing secure access.
Background technology
IP packets are usually sent over Ethernet. Ethernet devices do not recognise 32-bit IP addresses: they transmit Ethernet frames using 48-bit Ethernet addresses. The IP driver must therefore convert the IP destination address into the address of the Ethernet destination. There is a mapping between the two kinds of address, either static or algorithmic, and usually a table has to be consulted. The Address Resolution Protocol (ARP) is the protocol used to determine these mappings.
A Virtual Local Area Network (VLAN) not only helps with network security and prevents broadcast storms, it also improves the efficiency of network operation, and the spread of layer 3 switching has created the conditions for VLAN deployment. A VLAN is made up of devices located on different physical LAN segments; although the devices connected by a VLAN come from different network segments, they can communicate with each other directly.
When ARP operates, the sender broadcasts an Ethernet packet containing the desired IP address. The destination host, or another system that represents that host, answers with a packet containing the IP and Ethernet address pair. The sender caches this address to save unnecessary ARP traffic. If an untrusted node has write access to the local network, there is a certain risk: such a machine can issue forged ARP messages and divert all communication to itself, after which it can impersonate another machine or simply modify the passing data stream. The ARP mechanism normally operates automatically. On highly secure networks, ARP mappings can be held in firmware and the automatic protocol can be suppressed to prevent interference.
The predecessor of the Dynamic Host Configuration Protocol (DHCP) is BOOTP. DHCP can be described as an enhanced version of BOOTP and is divided into two parts: a server side and a client side. All IP network configuration data are managed centrally by the DHCP server, which is responsible for handling the clients' DHCP requests; the client uses the IP configuration data assigned to it by the server. Compared with BOOTP, DHCP uses the concept of a "lease" to allocate the client's TCP/IP settings effectively and dynamically, and, for compatibility, DHCP also fully accommodates the needs of BOOTP clients.
The secure ARP function is generally implemented on layer 3 devices such as the BRAS, routers and layer 3 switches. Its principle is simply to send ARP replies only for legitimate IP addresses, so as to prevent IP address spoofing attacks. In broadband access networks whose core is layer 2 Ethernet switching the problem still exists: when the BRAS performs ARP resolution towards a user, an illegitimate user in the same VLAN as the legitimate user can forge an ARP reply on behalf of the legitimate user (same IP address, different MAC address) and thereby intercept the user's data. In this case the problem cannot be solved even if the BRAS has the secure ARP function.
The utility model content
The technical problem solved by the utility model is to provide an access device for implementing secure access that effectively prevents IP address spoofing attacks.
The technical scheme is as follows:
The access device for implementing secure access comprises an interconnected control plane module and data plane module. The control plane module comprises a secure ARP module, a binding database and a DHCP module. The secure ARP module is connected to the data plane module and is used for the validity check of upstream and downstream ARP packets and for answering the ARP requests of the Broadband Remote Access Server. The binding database is connected to the secure ARP module and the DHCP module and stores the DHCP packet contents extracted by the DHCP module. The data plane module intercepts and sends upstream and downstream ARP packets and submits ARP packets to the secure ARP module of the control plane module.
Preferably, the binding database stores the user IP address, user MAC address, VLAN and user port number.
Preferably, the data plane module is provided with a switching chip, and this switching chip intercepts and sends upstream and downstream ARP packets and submits ARP packets to the secure ARP module of the control plane module.
Preferably, the DHCP module performs DHCP snooping and builds the binding database.
By having the access device answer users' ARP requests as a proxy, the utility model effectively prevents IP address spoofing attacks.
Description of drawings
Fig. 1 is a structural block diagram of the utility model;
Fig. 2 is the upstream secure ARP processing flowchart of the utility model;
Fig. 3 is the downstream secure ARP processing flowchart of the utility model.
Embodiment
A preferred embodiment of the utility model is described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, the access device for implementing secure access comprises an interconnected control plane module 1 and data plane module 5. The control plane module 1 comprises a secure ARP module 2, a binding database 3 and a DHCP module 4. The secure ARP module 2 is connected to the data plane module 5; it performs the validity check of upstream and downstream ARP packets and answers the ARP requests of the Broadband Remote Access Server. The binding database 3 is connected to the secure ARP module 2 and the DHCP module 4 and stores the DHCP packet contents extracted by the DHCP module 4. The data plane module 5 intercepts and sends upstream and downstream ARP packets and submits ARP packets to the secure ARP module 2 of the control plane module 1.
The binding database 3 contains the user IP address, user MAC address, VLAN and user port number. The data plane module 5 is provided with a switching chip, and this switching chip intercepts and sends upstream and downstream ARP packets and submits ARP packets to the secure ARP module 2 of the control plane module 1. The DHCP module 4 performs DHCP snooping and builds the binding database 3.
The switching chip must intercept upstream and downstream ARP packets and DHCP packets. ARP packets are handed to the secure ARP module 2 for processing; the DHCP packets are used mainly for DHCP snooping, to build the binding database 3.
The secure ARP module 2 performs the ARP validity check, answers users' ARP requests as a proxy, and forwards the other legitimate ARP packets.
As shown in Fig. 2, the upstream ARP processing flow is as follows:
(1) The switching chip intercepts the ARP packet.
(2) The switching chip extracts the user IP address and VLAN from the ARP packet and looks them up in the binding database 3. If the binding database 3 does not contain this user's IP address and VLAN, the ARP packet is dropped. If it does, the device checks whether the packet's user port and user MAC address are consistent with the entry in the binding database; if they are inconsistent the packet is dropped, otherwise the switching chip forwards the ARP packet.
As shown in Fig. 3, the concrete steps of the downstream ARP processing flow are as follows:
(1) The switching chip intercepts the ARP packet.
(2) If it is an ARP request, the IP address and VLAN are taken from it and looked up in the binding database 3. If no entry with the same IP address and VLAN is found, the packet is dropped; if a matching entry is found in the binding database 3, the user MAC address from the binding database 3 is used to construct an ARP reply packet, which is sent as the reply.
(3) If it is an ARP reply, the user IP address and VLAN are extracted from the ARP reply packet and looked up in the binding database 3; if they are not present, the packet is dropped. If they are present, the device checks whether the packet's user port and user MAC address are consistent with the binding database 3; if they are inconsistent the packet is dropped, otherwise the switching chip forwards the ARP packet.
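The following is an added, runnable model of the device described above: the binding database built by DHCP snooping, the upstream validity check, and the downstream proxy reply and reply check. It is an illustration written for this page, not code from the patent or from ZTE. Class and field names are assumptions, as is the reading of the "user IP" of a downstream reply as the reply's target (the user being answered); all packets in the demo are constructed.

```python
# Added illustration (not code from the patent or from ZTE): a toy model of the
# secure-ARP access device. The binding database is keyed by (IP, VLAN) and
# filled from DHCP acknowledgements seen by the DHCP module; the two handlers
# follow the upstream and downstream flows of the description. Names are assumed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the binding database: user IP, user MAC, VLAN, user port."""
    ip: str
    mac: str
    vlan: int
    port: int


@dataclass(frozen=True)
class ArpPacket:
    """ARP fields the device inspects, plus the port the packet arrived on."""
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str   # all zeros in a request
    vlan: int
    port: int         # user-side port number; 0 = network-side (BRAS) uplink


class BindingDatabase:
    """Binding database built by DHCP snooping in the DHCP module."""

    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, int], Binding] = {}

    def learn_from_dhcp_ack(self, yiaddr: str, chaddr: str, vlan: int, port: int) -> None:
        """Record the lease in a DHCPACK: assigned IP (yiaddr), client MAC (chaddr)."""
        self._rows[(yiaddr, vlan)] = Binding(yiaddr, chaddr.lower(), vlan, port)

    def lookup(self, ip: str, vlan: int) -> Optional[Binding]:
        return self._rows.get((ip, vlan))


def handle_upstream_arp(db: BindingDatabase, pkt: ArpPacket) -> str:
    """Upstream flow: forward only if the sender IP/VLAN has a binding whose
    MAC and user port match the packet; otherwise drop (steps (1)-(2))."""
    row = db.lookup(pkt.sender_ip, pkt.vlan)
    if row is None:
        return "drop"                      # no lease for this IP in this VLAN
    if row.port != pkt.port or row.mac != pkt.sender_mac.lower():
        return "drop"                      # IP is bound to another MAC or port
    return "forward"


def handle_downstream_arp(db: BindingDatabase, pkt: ArpPacket) -> Tuple[str, Optional[ArpPacket]]:
    """Downstream flow. A request (e.g. the BRAS resolving a user) is answered by
    the device itself from the binding database, so no host in the VLAN gets to
    answer it; a reply is checked against the binding before delivery."""
    if pkt.op == "request":
        row = db.lookup(pkt.target_ip, pkt.vlan)                     # step (2)
        if row is None:
            return "drop", None
        proxy = ArpPacket("reply", row.ip, row.mac, pkt.sender_ip,
                          pkt.sender_mac, pkt.vlan, 0)
        return "proxy_reply", proxy
    row = db.lookup(pkt.target_ip, pkt.vlan)                         # step (3)
    if row is None or row.mac != pkt.target_mac.lower():
        return "drop", None
    return "forward", pkt                  # delivered on row.port by the chip


def demo() -> Dict[str, str]:
    """Run both flows over constructed packets; returns the verdict per case."""
    db = BindingDatabase()
    db.learn_from_dhcp_ack("10.0.0.2", "AA:BB:CC:00:00:01", vlan=100, port=3)
    zero = "00:00:00:00:00:00"
    legit = ArpPacket("request", "10.0.0.2", "aa:bb:cc:00:00:01", "10.0.0.1", zero, 100, 3)
    spoof = ArpPacket("reply", "10.0.0.2", "aa:bb:cc:00:00:99", "10.0.0.1", "00:11:22:33:44:55", 100, 7)
    unknown = ArpPacket("request", "10.0.0.9", "aa:bb:cc:00:00:09", "10.0.0.1", zero, 100, 9)
    bras_req = ArpPacket("request", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.2", zero, 100, 0)
    bad_reply = ArpPacket("reply", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.2", "aa:bb:cc:00:00:99", 100, 0)
    verdict, proxy = handle_downstream_arp(db, bras_req)
    return {
        "legit_upstream": handle_upstream_arp(db, legit),
        "spoofed_upstream": handle_upstream_arp(db, spoof),
        "unknown_upstream": handle_upstream_arp(db, unknown),
        "bras_request": verdict,
        "proxy_reply_mac": proxy.sender_mac if proxy else "",
        "bad_downstream_reply": handle_downstream_arp(db, bad_reply)[0],
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point the model makes explicit is that the forged reply of the background section never reaches the BRAS: a downstream ARP request is answered from the binding database by the device itself, and any upstream ARP whose sender IP, MAC, VLAN and port do not all agree with the DHCP-learned row is dropped at the switching chip.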

Claims (2)

1. An access device for implementing secure access, comprising an interconnected control plane module and data plane module, characterised in that the control plane module comprises a secure ARP module, a binding database and a DHCP module, wherein the secure ARP module is connected to the data plane module and is used for the validity check of upstream and downstream ARP packets and for answering the ARP requests of the Broadband Remote Access Server; the binding database is connected to the secure ARP module and the DHCP module and stores the DHCP packet contents extracted by the DHCP module; and the data plane module is used to intercept and send upstream and downstream ARP packets and to submit ARP packets to the secure ARP module of the control plane module.
2. The access device for implementing secure access according to claim 1, characterised in that the data plane module is provided with a switching chip, and this switching chip is used to intercept and send upstream and downstream ARP packets and to submit ARP packets to the secure ARP module of the control plane module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNU2006200143542U CN200973108Y (en) 2006-06-29 2006-06-29 Access equipment for implementing safety access

Publications (1)

Publication Number Publication Date
CN200973108Y true CN200973108Y (en) 2007-11-07

Family

ID=38884358

Family Applications (1)

Application Number Title Priority Date Filing Date
CNU2006200143542U Expired - Lifetime CN200973108Y (en) 2006-06-29 2006-06-29 Access equipment for implementing safety access

Country Status (1)

Country Link
CN (1) CN200973108Y (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102082835B (en) * 2009-11-27 2013-04-17 华为技术有限公司 Method and device for distributing IP (internet protocol) addresses
CN101895587A (en) * 2010-07-06 2010-11-24 中兴通讯股份有限公司 Method, device and system for preventing users from modifying IP addresses privately
CN101895587B (en) * 2010-07-06 2015-09-16 中兴通讯股份有限公司 Prevent the methods, devices and systems of users from modifying IP addresses privately
CN103347031A (en) * 2013-07-26 2013-10-09 迈普通信技术股份有限公司 Method and equipment for preventing address resolution protocol (ARP) message attack
CN103347031B (en) * 2013-07-26 2016-03-16 迈普通信技术股份有限公司 A kind of method and apparatus taking precautions against ARP message aggression
CN108462683A (en) * 2017-08-03 2018-08-28 新华三技术有限公司 authentication method and device
CN108462683B (en) * 2017-08-03 2020-04-03 新华三技术有限公司 Authentication method and device

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20071107

EXPY Termination of patent right or utility model