JP3499621B2 - Address management device and address management method - Google Patents

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an address management device and method for address allocation and security maintenance in a system that allows nodes to move between networks.

[0002]

2. Description of the Related Art With the personalization of computers,
There are increasing opportunities to move computers and use them in various places. In an environment where a protocol for controlling communication based on a network layer address, such as TCP / IP, is used as a network communication protocol, when a computer is physically moved and connected to a network at a connection point different from before. , A network layer address that can be used in the newly connected network, for example, in the case of TCP / IP, IP (InternetProt
ocol) address.

By the way, if such an operation is manually performed by a network administrator or the like, it takes a lot of time and effort for management, and there is a possibility of erroneous setting. Therefore, network layer address (for example, IP address) is automatically assigned. Techniques for setting various necessary parameters have been proposed. For example, IETF (Internet Engineer)
RFC (Request For Comments) published by ng Task Force)
1533 and the document RFC1541 show DHCP (Dynamic Host Config).
(Uration Protocol) is well known.

However, when the communication utilizing such a technique is put into practical use, a malicious node exists in the network, and it is possible to easily prevent communication between other nodes. Security issues remain. For example, the following cases are possible. Nodes that move between networks
In order to enable communication, the network layer address is acquired at the destination. The network layer address may be the same as or different from the address given by the network to which the user belongs before moving. In the conventional technology, since the security of communication is not taken into consideration, the address management device or the person who sets the address when acquiring the address at the destination may intentionally or accidentally set an inappropriate address. In addition, a malicious node could send a packet by spoofing an address, a malicious node could intercept a packet sent by a valid node, or an illegal node could intercept a correct node after it was disconnected from the network. A situation may occur in which the security of communication such as transmitting a packet is deteriorated.

[0005]

As described above, in the conventional address management apparatus and method, an illegal address management apparatus that intentionally sets an inappropriate address appears, or an address is illegally set. An illegal address as a result of an illegal terminal device appearing to send a packet to the network or intercept a packet sent by the correct node, or the address management device has set an inappropriate address due to error. Even if a terminal device with a terminal appeared, it could not be monitored.

The present invention has been made in view of the above problems, and an object of the present invention is to provide an address management device and method capable of monitoring the presence of an unauthorized address management device and an unauthorized terminal device. . Further, the present invention is
An object of the present invention is to provide an address management device and method capable of actively monitoring the presence of an unauthorized address management device.

[0007]

According to a first aspect of the present invention, it is possible to judge the legitimacy of a node on the basis of whether or not it is a node (address management device and general node) registered in the address management device. It is characterized by

That is, the first invention assigns a network layer address used by the node for packet communication in response to an address assignment request based on a data link layer address unique to the node from each node connected to the network. In the address management device, an address list storage means for storing the already assigned network layer address and the corresponding data link layer address as a set, and a receiving means for receiving a packet transmitted on the network regardless of its destination. Extracting means for extracting at least one of a set of a network layer address and a data link layer address of a source node or a set of a network layer address and a data link layer address of a destination node of the packet from the received packet. Network Set of address and data link layer address, and further comprising a determining means for determining whether or not present in the set that is stored in the address list means.

In the second invention, when there is only one address management device, a management message is sent to the network, and an unregistered unauthorized address management device is detected by the presence or absence of a response to the message. Is characterized by.

That is, a second aspect of the present invention is an address management device for allocating a network layer address used by a node for packet communication in response to an address allocation request based on a data link layer address from each node connected to a network, When the address management device itself is a request source, a means for sending out the address allocation request in a pseudo manner, and a response packet for the pseudo-outgoing address allocation request is transmitted during a predetermined time period. And extracting means for extracting the network layer address and the data link layer address of the transmission source node of the response packet.

A third aspect of the present invention is characterized in that an address management device sends a management message to a network and inspects a response to the message to detect an unregistered unauthorized address management device.

That is, the third invention is an address management device for allocating a network layer address used by the node for packet communication in response to an address allocation request based on a data link layer address from each node connected to the network, Address list storage means for storing the already assigned network layer address and corresponding data link layer address as a set, and means for sending the address allocation request in a pseudo manner with the address management device itself as the request source. When a response packet to the pseudo-transmitted address allocation request is transmitted during a predetermined time, extraction means for extracting the network layer address and the data link layer address of the source node of the response packet And the extracted network layer add Scan and data link layer address of the set, characterized by comprising determining means for determining whether or not present in the set that is stored in the address list means.

A fourth aspect of the present invention monitors packet communication between nodes connected to a network using a network layer address assigned to a data link layer address unique to the node by an address management device. And an address management method for detecting an illegal node using a network layer address not assigned by the address management device, wherein the address management device comprises a network layer address already assigned and a corresponding data link layer. A set of addresses is registered in an address list, a packet transmitted on the network is received regardless of its destination, and a set of a network layer address and a data link layer address of a source node of the packet is received from the received packet, or Network layer address and destination node And at least one of the set of data link layer addresses, and determining whether the set of extracted network layer address and data link layer address exists in the set registered in the address list. Characterize.

According to a fifth aspect of the present invention, a plurality of address management apparatuses according to the first or second aspect of the invention are installed within the same management range, and the value of the network layer address which can be assigned by each address management apparatus, The feature is that they are set so as not to overlap each other.

According to a sixth aspect of the invention, a plurality of address management devices of the first or second invention are installed within the same management range, a database for managing an address list of the entire network is provided, and each address management device is provided. Is characterized in that the database is queried to assign a network layer address, and the reaction times for the address requests of the address management devices are set to different lengths.

[0016]

In the first aspect of the present invention, the already assigned network layer address and the corresponding data link layer address are paired and stored in the address list storage means. The address management device receives a packet transmitted on the network regardless of its destination, and from the received packet, a set of the network layer address and the data link layer address of the source node of the packet or the network layer address of the destination node. And at least one of the set of data link layer addresses. It is judged whether or not the extracted set of the network layer address and the data link layer address exists in the set stored in the address list means.

If a set of network layer address and data link layer address exists in the address list means, it is confirmed that the node is a legitimate node. On the other hand, when the set of the network layer address and the data link layer address does not exist in the address list means, it is confirmed that the node is not a legitimate node.

In this way, network operation with excellent security becomes possible. In the second invention, the address management device sends the address allocation request in a pseudo manner with the address management device itself as the request source. When the response packet to the pseudo-transmitted address allocation request is transmitted during the lapse of a predetermined time, the network layer address and the data link layer address of the source node of the response packet are extracted.

By the way, when only one address management device exists, the response packet should not be transmitted. Therefore, it can be seen that the node having the network layer address and the data link layer address described in the response packet is an unauthorized address management device.

In this way, since the presence of an unauthorized address management device in the network can be actively monitored, it is possible to detect an unauthorized address management device early and to operate a network with excellent security. Become.

In the third invention, the already-allocated network layer address and the corresponding data link layer address are stored as a set in the address list storage means. The address management device pseudo-transmits the address allocation request with the address management device itself as the request source.
When the response packet to the pseudo-transmitted address allocation request is transmitted during the lapse of a predetermined time, the network layer address and the data link layer address of the source node of the response packet are extracted.
It is judged whether or not the extracted set of the network layer address and the data link layer address exists in the set stored in the address list means.

When the set of the network layer address and the data link layer address exists in the address list means, it is confirmed that the node is an authorized address management device.

On the other hand, when the set of the network layer address and the data link layer address does not exist in the address list means, it is confirmed that the node is not an authorized address management device.

In this way, the presence of an unauthorized address management device in the network can be actively monitored, so that an unauthorized address management device can be detected early and network operation with excellent security becomes possible. Become.

In the fourth invention, the already assigned network layer address and the corresponding data link layer address are paired and registered in the address list. The address management device receives a packet transmitted on the network regardless of its destination, and from the received packet, a set of the network layer address and the data link layer address of the source node of the packet or the network layer address of the destination node. And at least one of the set of data link layer addresses. It is determined whether or not the extracted set of the network layer address and the data link layer address exists in the set registered in the address list.

If the set of network layer address and data link layer address is present in the address list:
It is confirmed that the node is a legitimate node. On the other hand, when the set of the network layer address and the data link layer address does not exist in the address list, it is confirmed that the node is not a legitimate node.

In this way, network operation with excellent security becomes possible. In the fifth invention, by installing a plurality of address management devices within the same management range, and sharing the address range under the jurisdiction of each,
It is possible to reduce the load on each address management device.

As a result, it contributes to the stable operation of the address management system. According to the sixth aspect of the present invention, it is possible to quickly respond to the system down of each address management device by using the plurality of address management devices and the database that manages the addresses of the entire network. As a result, it contributes to the stable operation of the address management system.

[0029]

Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 shows the basic system configuration of this embodiment. As shown in the figure, in this embodiment, a plurality of terminal devices (hereinafter referred to as general nodes) 4 and one or a plurality of address management devices 6 to which the present invention is applied are connected to a network 2.

In the following, the general node and the address management device may not be distinguished from each other, and therefore, for the sake of convenience, the general node and the address management device are generically referred to simply as "nodes".

The network 2 may exist independently. Alternatively, the network 2 may be a subnet, and may be interconnected with one or more other subnets to form one network as a whole. In other words, the range of the broadcast within the network is the subnet, that is, the network 2. In this case, the subnets are connected by the inter-network connection device. In some cases, instead of providing the address management device 6 in a certain subnet, an address management relay device capable of transferring packets to the address management device 6 existing in another subnet may be provided. When the network 2 is a subnet, there may be one general node 4 connected to a certain subnet.

As the network 2, a broadcast LAN such as Ethernet can be used. In addition to the above, the present invention can be applied to various forms of networks.

By the way, the International Organization for Standardization ISO (Int
international Organization f
or Standardization) Open Systems Interconnection Reference Model (Referenced Mo)
del of Open System Interc
connection), communication protocols are classified into seven layers: a physical layer, a data link layer, a network layer, a transport layer, a session layer, a presentation layer, and an application layer.

The network layer is a layer that defines a basic unit of transfer through the network and handles route control and the like, and an address used for transfer and route control in the network layer is a network layer address.

The data link layer is located below the network layer and uses a hardware dependent data link layer address to transfer packets through the network.

When the general node 4 connected to the network 2 makes an address allocation request based on the data link layer address, the address management device 6 of this embodiment responds to the request by the general node 4 of the request source. Assigns the above-mentioned network layer address used for packet communication. The data link layer address of each node is globally unique.

Hereinafter, some examples of the address management device will be described in detail. (First Embodiment) FIG. 2 shows the internal structure of the address management device of the first embodiment. As shown in the figure, the address management device of this embodiment includes a communication protocol control unit 11, an address list unit 13, and an address / parameter allocation control unit 1.
2, the message control unit 14 and the network monitoring unit 15 are used.

The communication protocol control unit 11 controls the communication protocol, and controls TCP / IP, which is a protocol for communication through a network used on the Internet, for example.
Of course, the communication protocol control unit 11 uses TCP / IP
Other communication protocols other than the above may be used.

Next, the address list provided in the address list section 13 will be described. As shown in FIG. 3, the address list unit 13 is for registering the correspondence between the network layer address and the data link layer address.
In the present embodiment, an IP address, which is a type of the network layer address, and a MAC address, which is a type thereof, are used as the network layer address.

As the most general address list, as shown in FIG. 3, IP addresses and MAC addresses are registered in a one-to-one correspondence. In this case, the MAC address of the node whose IP address is IP1 is MAC1, and the MAC address is MA.
The IP address of the node C1 indicates that it is IP1.

In the one-to-one correspondence address list, there may be no MAC address corresponding to the IP address as shown in FIG. This indicates that there is currently no node corresponding to that IP address. For example, the initial state of the address list before address allocation is this state.

In addition to this, the following address list can be considered. First, as shown in FIG. 5, a plurality of MAC addresses correspond to one IP address. By doing so, for example, easy maintenance of the node becomes possible. In the address list, not only MAC1, which is the MAC address of the node that is actually used, but also MAC2 and MAC3, which are the MAC addresses of the backup nodes that will be used instead when the node becomes damaged due to some reason and cannot be used. I'll do it. By doing so, even if the MAC1 node fails, it is recognized as a node registered in the address list and easy maintenance is achieved even if the MAC1 node is replaced with a new MAC2 node.

The second is, as shown in FIG. 6, one MA.
This is a case where a plurality of IP addresses correspond to the C address. By doing so, it is possible to cope with, for example, the movement of a node (particularly a general node). A valid I in each network that may use a node having MAC1 which is the MAC address in advance in the address list.
IP addresses IP1 and IP2 are registered in advance. When the node initially assigned IP1 moves and is newly assigned IP2 at the move destination, the identity of the node before and after the move can be easily confirmed.

Third, as shown in FIG. 7, the IP address and the MAC address are in a many-to-many correspondence. If such registration is performed in advance, both easy maintenance and node movement are possible.

Next, the address list section 13 will be described. The address list unit 13 includes the address list as described above. In this embodiment, the address list is divided into the address list 131 of the address management device and the address list 132 of the general node.

The address list 131 is an area for registering the network layer address of the address management device and the data link layer address in association with each other. In this embodiment, as the address list 131, as shown in FIG. 8, an address list in which IP addresses and MAC addresses have a one-to-one correspondence is used.

In the present embodiment, the address management device registered in the address list 131 is regarded as a legitimate address management device as viewed from the address management device holding the address list 131, while the unregistered address management device is managed. The device is regarded as an illegal address management device. Therefore, when using the address management device connected to the network, use the address management device for the address management device that needs to be recognized as a legitimate address management device among the existing address management devices in the vicinity. The address list 131 is registered in advance. The term "periphery" as used herein means the same management range when considering the narrowest range, and a wider range than that is acceptable. Even if the address management device is added to a peripheral network later, if it is necessary to recognize the address management device as a regular address management device, the address management device is registered in the address list 131.

By referring to the address list 131 by the network monitoring unit 14 by the method described later,
When the arrival of a packet sent from an unregistered address management device in the address list 131 is found, it can be determined that there is an unauthorized address management device, and that effect can be reported to other nodes or network system managers. . The causes of illegal address management devices are:
Examples include registration error and intrusion.

On the other hand, the address list 132 has a network layer address possessed by the address management device for allocating an address in response to an allocation request from a general node, and an address management device in accordance with an allocation request from a general node. It holds the network layer address to which the address is assigned and the corresponding data link layer address. FIG. 9 shows an example of the address list 132 of general nodes used in this embodiment. As shown in the figure, regarding the network layer address that the address management device possesses in order to allocate the address in response to the general node allocation request, if the network layer address is in the allocatable state, it is in the unlocked state. If not, the state is locked, and the state is specified. The network layer address already assigned to correspond to the data link layer address is loc
The third state is neither the k state nor the unlock state.

The lock state occurs in the following cases, for example. The network layer address once used is
Even if this general layer node that was previously used returns this network layer address, it will not be available immediately and cannot be reused until the specified time has passed since it was returned. Among them, the network layer address is locked. A network layer address in the locked state cannot be assigned to another general node.

The unlock state is an unused network layer address that has never been used,
Alternatively, it is a network layer address returned after being used and already released from the locked state, and can be reused by another general node.

From the viewpoint of the address management device holding the address list 132, the general node registered in the address list 132 is regarded as a normal general node, and the unregistered general node is regarded as an invalid general node.

By referring to the address list 132 by the network monitoring unit 14 by the method described later,
When the arrival of a packet sent from an unregistered node in the address list 132 is discovered, it can be determined that an unauthorized general node exists, and that effect can be reported to other nodes, network system managers, or the like.

The address management device holds the network layer address in advance in order to perform the network layer address assignment and registration procedure in response to the address allocation request from the general node connected to the network. In this embodiment, the IP addresses stored in advance in the address list unit 13 are all IP addresses having the network identifier of the network managed by the address management device.

Various methods are conceivable for the method of holding the IP address, for example, as shown below, and the IP address may be appropriately set according to the situation. For example, the number of address management devices /
A method of retaining all IP addresses having a network identifier of a network managed by the address management device, a method of retaining a part of the IP addresses having a network identifier of the network managed by the address management device, according to the arrangement and use Method for holding an IP address having a network identifier other than the network identifier of the network managed by the address management device, part or all of the IP address having the network identifier of the network managed by the address management device, and the network managed by the address management device A method of holding an IP address having a network identifier other than the above network identifier can be considered.

Regarding the correspondence between the network layer address and the data link layer address registered in the address list section 13 of this embodiment, the four forms described above, that is, the network layer address and the data link layer address are 1
A form corresponding to one-to-one, a form in which a plurality of data link layer addresses correspond to one network layer address,
It may be appropriately selected from the form in which a plurality of network layer addresses correspond to one data link layer address and the form in which network layer addresses and data link layer addresses correspond many-to-many.

By the way, in the present embodiment, the address list unit 13 has an address list 131 of the address management device.
Although the address list 132 of the general node is provided separately, it is also possible to provide it as one address list without distinguishing the address management device and the general node. In this case, when the network monitoring unit 14 refers to the address list and discovers the arrival of a packet sent from a node not registered in the address list by a method described later, it is determined that an unauthorized node exists, The fact can be reported to other nodes, network system managers, and the like.

Next, the address / parameter assignment controller 12 will be described. The address / parameter assignment control unit 12 controls assignment of network layer addresses and necessary parameters. For example, the address / parameter assignment control unit 12 sends data from a node according to the specifications set in RFC1541 of IETF and the address and parameter assignment policy of each address management device. In response to the address allocation request, the procedure for assigning an IP address and various parameters is performed. Of course, the address / parameter assignment control unit 12 uses the IETF RFC
Control based on another system other than 1541 may be performed. The parameters include, for example, the valid period when the valid period of the IP address is set.

Next, the communication protocol control unit 11 will be described. In this embodiment, the communication protocol control unit 11
Performs control of a communication protocol represented by TCP / IP, that is, packet path control in a normal network. As the control most related to the address management, when TCP / IP is taken as an example of the communication protocol, one of the TCP / IP protocol groups is ARP (Address) which is a protocol of the data link layer.
Resolution Protocol, RFC82
An ARP table is provided in relation to 6) and holds the correspondence between the network layer address and the data link layer address at that time. The address management device responds to the ARP message flowing on the network by the address list unit 1
The ARP response message is not created with reference to 3, and all are handled by the communication protocol control unit 11.

Next, the network monitoring unit 14 will be described. The network monitoring unit 14 monitors packets flowing through the network. FIG. 10 shows the configuration of the network monitoring unit 14 of this embodiment. As shown in the figure, the network monitoring unit 14 includes a packet discrimination unit 141.
And the address information processing unit 142.

First, the network monitoring unit 14 takes in not only packets addressed to the address management device itself but also packets addressed to other destinations from the network by a physical means or the like.

The packet discriminating unit 141 discriminates, for example, the packet of the DHCP message by looking at the information inside the fetched packet, and directly passes it to the address / parameter allocation control unit 12 without passing through the address information processing unit 142. Alternatively, the packet of the ARP message is discriminated and passed directly to the communication protocol control unit 11 without passing through the address information processing unit 142. With respect to various other packets, the packet discrimination unit 141 can specify the packet discrimination means and an appropriate destination of the packet in advance, so that the packet can be discriminated inside the address management device. For example, for ARP packets, the packet discrimination unit 1
It is determined by 41 that the packet should be passed control to the communication protocol control unit 11, and is passed to the communication protocol control unit 11. Further, for example, the DHCPoffer message (RFC1533) is determined by the packet determination unit 141 to be a packet for which control should be passed to the address information processing unit 142, and is passed to the address information processing unit 142.

The address information processing unit 142 reads the required address for each of the determined packet types from the packet and compares it with the address list unit 13 for reference.
For example, when an illegal node is detected as described below,
If necessary, the message control unit 15 is requested to send a message to an arbitrary destination.

Next, a detection method for detecting an unauthorized node using the network monitoring unit 14 and the address list unit 13 will be described. As an example of this detection method, FIG.
Shows a procedure for monitoring the DHCPoffer message and determining whether or not there is an unauthorized address management device. The DHCPoffer message is a message in which an address management device that has received an address request from a node presents an address that can be provided and necessary parameters to the node. This procedure is as follows.

First, the network monitoring unit 14 takes in a packet flowing on the network (step S
1). Next, it is determined whether the packet is a DHCPoffer message packet by using the UDP (User
Datagram Protocol, RFC768)
O of DHCP message stored in data field
Judgment is made by looking at the P field (step S2). DH if the packet is DHCPoffer
The network layer address of the address management device that sent the CPoffer message is set to s of the DHCP message.
It is read from the iaddr field or the giaddr field (step S3). Whether the read-out network layer address of the address management device and the network layer address already registered in the address list 131 of the address management device are compared and referenced to determine whether the address management device that has transmitted the packet is a registered address management device. It is checked whether or not (step S4). There is no problem if the network layer address of the address management device that has transmitted the packet is registered in the address list 131. If the network layer address of the address management device that has transmitted the packet is not registered in the address list 131, it is considered that there is an unauthorized address management device in the network, and so a report is sent to the network administrator. And deal with it (step S5).

Although the packet monitoring of the DHCPoffer message has been described in the present embodiment, similar packet monitoring is possible for other packets flowing on the network such as normal data packets, and only an unauthorized address management device can be used. Instead, by referring to the address list 132, an unauthorized general node can be detected.

It is also possible to judge whether or not the destination node is invalid by reading not only the address of the source of the packet but also the address of the destination of the packet. Next, a method for ensuring security at the time of address allocation, that is, detecting an unauthorized device, using the address management device of the present embodiment, will be described below.

An unauthorized address management device may appear on the network and an unauthorized general node may appear on the network. If there is an unauthorized address management device or unauthorized general node in the network, and it interferes with the communication of the legitimate address management device or general node, or if it eavesdrops,
Communicating important matters on the network is very dangerous.

Therefore, make arrangements so that there is no unauthorized address management device or unauthorized general node in the network, and if an unauthorized address management device or unauthorized general node exists, it is immediately detected and arranged to be removed. There must be.

Regarding the method, (i) correspondence of a legitimate address management device when an unauthorized address management device exists in the network, and (ii) handling of a legitimate general node when an unauthorized address management device exists in the network Correspondence,
(Iii) Correspondence between a legitimate address management device and a general node when an unauthorized address management device exists in the network, (iv) Correspondence between a legitimate address management device when an unauthorized general node exists in the network, (v ) The following describes the correspondence of legitimate general nodes when an unauthorized general node exists in the network.

(I) Correspondence of a legitimate address management apparatus when an illegal address management apparatus exists in the network When an illegal address management apparatus exists in the network, the correspondence of the legitimate address management apparatus is (a) There is a method in which a legitimate address management device monitors packets flowing through the network.

As this method, there is a method of monitoring packets flowing on the network by using the network monitoring unit 14 and the address list unit 13 as described above. In addition to the above method a, (b) the legitimate address management device periodically sends out a pseudo address allocation request to listen to the surrounding reaction, and the address management device that responds is not an illegal address management device. There is a method of checking whether or not the address list section 13 is used. This method will be described in detail later as a second embodiment. A method of installing a plurality of the address management devices of the first embodiment or the second embodiment as regular address management devices and monitoring each other will be described in detail later as a third embodiment and a fourth embodiment. To do.

(Ii) Correspondence of the regular general node when the unauthorized address management apparatus exists in the network Here, the correspondence of the regular general node when the unauthorized address management apparatus exists in the network will be described. The general node, to which the IP address is assigned by the address management device, determines whether or not the node using the assigned IP address already exists in the network before starting communication using the assigned IP address.
RP (Address Resolution Pro)
can be examined by performing a tocol). ARP is
It is a protocol for inquiring the MAC address corresponding to the IP address. The node to which the IP address described in the ARP message is assigned notifies the node that has sent the ARP message of the MAC address corresponding to the IP address in a response message to the ARP. If the IP address is properly assigned and is also described in the address list section 13, there should be no response to the ARP asking for the MAC address corresponding to the newly assigned IP address. If the assigned IP address has already been assigned to another node for some reason, there is a response to the ARP. When there is a response to the ARP, the general node can report the fact to the system administrator or the address management device, etc., and request a new IP address to be dealt with.

(Iii) Correspondence (common part) between a legitimate address management device and a general node when an unauthorized address management device exists in the network: IP assigned to the general node that issued the address request.
IP whose address is already assigned to another node
The network monitoring unit 14 and the address list unit 13 as described above by the legitimate address management device indicate that the legitimate address management device does not assign the IP address to the general node that issued the address request, although it is not the address.
If it is found by a method of monitoring a packet flowing on the network by using, take measures as follows.

The legitimate address management device uses the illegal address management in the address list unit 13 in order to prevent the IP address arbitrarily given to the general node from the illegal address management device from being used by the general node. If there is an IP address that is the same as the IP address assigned to the general node by the device without permission, the IP address is assigned so as not to be assigned to another general node.
Take countermeasures such as putting it in the ck state.

After that, the IP address is sent from the unauthorized address management device.
When the node to which the address is assigned sends an ARP message in order to confirm the validity of the assigned IP address, the legitimate address management device issues a pseudo ARP response message in response to this message. In the portion indicating the MAC address corresponding to the IP address in the pseudo ARP response message, the MAC address of the legitimate address management device may be written. With this ARP response message, the general node that has made the address request can judge that the use of the IP address originally given (from the unauthorized address management device) is not appropriate, and can make a new request for the IP address. .

The legitimate address management device reports to the system administrator that there is an address management device that has not been registered and has tried to allocate an address to a general node, and then, the IP address lock
It can be dealt with by canceling the state.

(Iv) Correspondence of Address Management Device when Unauthorized General Node Exists in Network Here, the correspondence of the address management device when an unauthorized general node exists in the network will be described. The address management device uses the network monitoring unit 14 and the address list unit 13 to monitor packets flowing on the network. In the address management device, the packet is taken in from the network monitoring unit 14, the packet determination unit 141 determines the transfer destination of the packet, and the address information processing unit 14
Except for packets that are specified to be transferred to other than 2,
It is transferred to the address information processing unit 142. The address information processing unit 142 reads the MAC address and the IP address from the header of the packet, and checks whether the same pair of the IP address and the MAC address read from the packet is registered in the address list unit 13. . It can be seen that a general node that has been confirmed to be a general node already registered in the address list is a regular general node, and an invalid general node if it has not been registered. If it is an unregistered illegal address, it can be dealt with by notifying the system administrator.

(V) Correspondence of the regular general node when the unauthorized general node exists in the network Here, the correspondence of the regular general node when the unauthorized general node exists in the network will be described. The general node performs ARP at the time of setting the IP address, at the time of updating, or at regular time intervals. If there is no response to the ARP, it is considered that there is no node using the IP address and it can be used. on the other hand,
If there is a response to ARP, the response indicates that there is a node that is using the IP address at that time, so it is determined that the use of the IP address is inappropriate. To do. The general node, which has noticed inappropriate address allocation by ARP, can deal with it by refraining from using the IP address and requesting allocation of a new IP address. Further, it is possible to respond by reporting the fact that the IP addresses are duplicated to the system administrator or the address management device.

By the way, as described above, the message control unit 15 controls to send a message, which needs to be sent by network monitoring, to an arbitrary destination.
When there are a plurality of address management devices of this embodiment, a monitoring device that centrally receives and manages the messages sent from the message control unit 15 of each address management device may be provided at any place in the network. This point is the same for each of the examples described later.

(Second Embodiment) In the first embodiment, a passive detection method for monitoring a packet flowing through a network to detect an illegal node has been described in detail, but in this embodiment, address management is performed. An active detection method for clarifying the existence of an unauthorized registered address management device by sending a special message from the device will be described.

As shown in FIG. 12, the address management apparatus of this embodiment basically has the same configuration as the address management apparatus of the first embodiment, and a security maintenance unit 20 is added to this. It was done.

In addition to the functions of the second embodiment, the address management apparatus of this embodiment uses the security maintenance unit 20 to send a pseudo address allocation request to the network, and the address management apparatus that responds to it is illegal. It has a function of checking whether or not it is an address management device by using the address list unit 13. This operation is performed regularly, for example.

FIG. 13 shows a procedure for actively detecting an unauthorized address management device. First, in order to detect an unauthorized address management device that has not been registered, the address management device artificially sends an address allocation request having the same specifications as the address allocation request normally sent by a general node (step S11).

As the address allocation request, for example, D
HCP messages can be used. In Figure 14,
The packet format of a DHCP message is shown. D
OP to indicate address request of HCP message
Write the address request code in the field. An appropriate number is entered in the field indicating the transaction ID of the address allocation request, and the pseudo ID allocation request sent by itself is distinguished from other packets by the transaction ID. At this time, it is possible to include the own MAC address in the pseudo address allocation request.

The pseudo address allocation request sent from the address management device is broadcast to the subnet. The pseudo address allocation request returned to itself by broadcast is ignored because it is found to be the address allocation request transmitted by itself with the transaction ID included in the packet.

If the address management device originally has only one address management device that issued the address allocation request in the local network,
There should be no response. Further, when there are a plurality of address management devices in the local network, there should be a response from another address management device.
However, here, the following processing is continued regardless of the number of address management devices existing in the network.

While the packet flowing on the network is being monitored (step S12), if there is a response including the address proposal to the pseudo address allocation request (step S13), siadd of the response packet is sent.
I of the responding address management device contained in the r field
Look at the P address.

If the IP address of the responding address management device is that of the legitimate address management device registered in the address list of the address management device that has transmitted the pseudo address allocation request (step S14), the illegal address management device is Is presumed to be nonexistent. Therefore, there is no need to notify the system administrator. For the response containing the address proposal to the pseudo address assignment request from the registered legitimate address management device, the address unnecessary notification is explicitly issued.
If the address management device has introduced a timeout system that disables the address proposal when there is no response from the node to the response containing the address proposal for the address allocation request for a certain period of time, do nothing as it is. You can leave it on.

On the other hand, if the address of the address management device that has sent the response is not that of the legitimate address management device registered in the address list of the address management device that has sent the pseudo-address allocation request (step S1).
4) Then, the address management device that finds out the fact responds by sending a warning packet to the system administrator (step S15).

By the way, if there is only one address management device that has issued the address allocation request as described above, there should be no response. Therefore, when there is only one legitimate address management device, it may be considered that there is an unauthorized address management device based on the fact that there is a response without referring to the address list.

(Third Embodiment) Here, a plurality of address management devices of the first embodiment or the second embodiment are installed in one network to improve the efficiency of address management and the security of communication. An example of the above will be described.

In this embodiment, the plurality of address management devices provided in one network share the addresses to be managed, and are responsible for the management of addresses in different ranges. For example, as shown in FIG. 15, two address management devices 6 are included in one subnet 2.
-A and 6-B are installed, and the range of addresses under their control, for example, IP0 to IP0 for the address management device 6-A
IP19, IP20 for address management device 6-B
~ IP39. As a matter of course, the IP address held in the address list A (not shown) in the address management device 6-A of FIG. 15 and the address management device 6-
There is no duplicate IP address held in the address list B (not shown) in B. According to this method, the number of addresses to be managed by one address management device can be reduced, and the burden of address management can be reduced.

Regarding the general node, whether the general node is a normal general node or an unauthorized general node is owned by each address management device unless information is exchanged between the address management devices. It can be judged only by the range of the address list. Therefore, the address management device uses the address list unit 13 in network monitoring.
If you find a general node that is not registered in the
It is also possible to present a pair of an IP address and a MAC address and inquire whether the address pair is registered in the address list of the address management device of the inquiry destination.
If it is found that the address is not registered in the address list of any address management device after receiving the response to the inquiry from all the address management devices in charge of the same network, other nodes and system management This can be dealt with by sending a warning packet to the person concerned.

(Fourth Embodiment) Here, a plurality of address management devices according to the first or second embodiment are installed in one network to improve efficiency of address management and communication security. An example for improving will be described.
Unlike the third embodiment, this embodiment does not share the range of addresses managed by the respective address management devices, and as shown in FIG. 16, a common address list database (hereinafter When information is shared in the database 30 and there is an address allocation request from a node, each address management device 6-C, 6-D
Is a method in which the database 30 is referred to as necessary to allow them to function as redundant systems.

First, an address list in which addresses that can be given to terminals in each subnet, several subnet groups, or one for the entire network and which are in the subnet, the subnet group, or the network is stored is held. The database 30 is installed.

The address management apparatus stores the database 3 when an address request is received from a node or when packet monitoring is performed and other address management information is required.
0 is inquired about the latest address information. The database 30 provides the latest address information in response to an inquiry from the address management device. The address management device performs control of allocating the address and necessary parameters to the general node based on the latest information on the address provided from the database 30.

In response to an address or parameter assignment request from a general node to an address management device, a response time from when a request is made until the address management device that actually receives the request starts processing corresponding to the request and The policy by which the address management device gives the address and the parameter can be freely set in each address management device, and the time until the start of processing and the address and parameter assignment policy between the address management devices that access the same database 30. Need not be unified. In particular, if the above reaction times are set to different lengths for each address management device, for example, when address allocation of the first operating address management device is completed successfully, another address management device will be able to address the network. Since it is not necessary to send out a packet for allocation processing, or to perform the address allocation processing itself,
It is possible to improve the efficiency of use of network resources and the efficiency of processing.

When performing network monitoring to determine the legitimacy of a packet, an address management apparatus that is an odd number of the least significant bit of the network layer address monitors between the address management apparatuses that are in charge of the same range such as the same subnet. However, in the case of an even number, another address management device may monitor, and the work of actually collating with the address list from the address management device to the database 30 may be shared.

On the other hand, in the case of such a configuration including a plurality of address management devices and a database, the address management devices can function as a redundant system. Even if one of the address management devices goes down, the address and parameter assignment request from the general node is
It is processed by another address management device having a time from the reception of an address and parameter allocation request different from that of the system down address management device to the start of processing, or a DHCP address and parameter allocation request is issued. It is processed by the resend function.

As the means for judging whether or not the system of the address management device is down, the method described in the second embodiment can be applied. In other words, whether or not an address management device existing within the same management range has gone down the system, an address management device or a database having a function equivalent to that of the address management device sends a pseudo address allocation request. It can be confirmed by the presence or absence of a response. Further, the present invention is not limited to the above-described embodiments, and various modifications can be carried out without departing from the scope of the invention.

[0102]

According to the present invention, a set of a regular network layer address and a data link layer address is stored, and the network layer address and the data link layer address described in the packet transmitted on the network are stored. The presence of an unauthorized address management device and an unauthorized terminal device can be monitored by checking whether the address is illegal.

In the second invention, the only existing address management device sends an address allocation request in a pseudo manner with the address management device itself as the request source, and the response packet is transmitted during the lapse of a predetermined time. In that case, it is possible to know the existence of an unauthorized address management device by using the fact.

In this way, the presence of an unauthorized address management device in the network can be actively monitored, so that an unauthorized address management device can be detected early.

In the third invention, a set of a regular network layer address and a data link layer address is stored,
The address management device pseudo-transmits an address allocation request using the address management device itself as a request source, and when a response packet is transmitted within a predetermined period of time, the network layer address described in the response packet. By checking whether the data link layer address is stored and the data link layer address, it is possible to monitor the presence of an unauthorized address management device.

In this way, since the presence of an unauthorized address management device in the network can be actively monitored, it is possible to detect an unauthorized address management device early.

In the fourth invention, a set of a regular network layer address and a data link layer address is stored,
By checking whether the network layer address and data link layer address described in the packet transmitted on the network are stored, it is possible to monitor the presence of an unauthorized address management device and an unauthorized terminal device. .

[Brief description of drawings]

FIG. 1 is a diagram showing an example of a network configuration to which the present invention is applied.

FIG. 2 is a diagram showing an internal configuration of an address management device according to the first embodiment of the present invention.

FIG. 3 is a diagram showing an example of an address list of the embodiment.

FIG. 4 is a diagram showing an address list when there is no MAC address corresponding to an IP address.

FIG. 5 is a diagram showing another example of an address list.

FIG. 6 is a diagram showing still another example of the address list.

FIG. 7 is a diagram showing still another example of the address list.

FIG. 8 is a diagram showing an address list of an address management device.

FIG. 9 is a diagram showing an address list of a general node.

FIG. 10 is a diagram showing an internal configuration of a network monitoring unit.

FIG. 11 is a flow chart showing an example of an operation of monitoring a packet in the embodiment.

FIG. 12 is a diagram showing an internal configuration of an address management device according to a second embodiment of the present invention.

FIG. 13 is a flowchart showing an example of an operation of monitoring an unauthorized address management device in the embodiment.

FIG. 14 is a diagram showing a DHCP message format.

FIG. 15 is a diagram showing a system configuration of a third embodiment of the present invention.

FIG. 16 is a diagram showing a system configuration of a fourth embodiment of the present invention.

[Explanation of symbols]

2 ... Network, 4 ... General node, 6, 6-A, 6-
B, 6-C, 6-D ... Address management device, 11 ... Communication protocol control unit, 12 ... Address / parameter assignment control unit, 13 ... Address list unit, 131 ... Address list, 132 ... Address list, 14 ... Network monitoring Part, 141 ... Packet discrimination part, 142 ... Address information processing part, 15 ... Message control part, 20 ... Security maintenance part, 30 ... Common address list database

─────────────────────────────────────────────────── ─── Continuation of front page (58) Fields surveyed (Int.Cl. ⁷ , DB name) H04L 12/28 H04L 12/46

Claims (6)

(57) [Claims] 1. A address management device to the node from each node connected to the network in response to the address assignment request based on a unique data link layer address each node assigns a network layer address to be used for packet communication, each A data link layer address unique to a node and a network layer address assigned in response to an address assignment request based on the data link layer address
An address list storage means for and storing, receiving means for receiving regardless packets to that destination to be transmitted over the network, from the received packet, is the source node of the packet
Or destination node data link layer address and net
First address corresponding to each work layer address
And an extracting means for extracting a second address, and the extracting means for extracting the second address in the set stored in the address list storing means.
A pair of the first address and the second address does not exist,
Assigned by the address management device to the first address
Use an illegal network layer address
Means for detecting a first node and said first node
Sent to confirm the legitimacy of the second address
The data link layer address corresponding to the second address
Received the first message to inquire about the dress
When the second address of the first node is
Notify that the network layer address is invalid
Response message corresponding to the first message
And a means for transmitting to the first node . 2. An address management device which allocates a network layer address used by the node for packet communication in response to an address allocation request based on a data link layer address from each node connected to the network, As a request source, means for sending out the address allocation request in a pseudo manner, and when a response packet to the pseudo output address allocation request is transmitted within a predetermined time, transmission of the response packet An address management device comprising: an extracting unit that extracts a network layer address and a data link layer address of an original node. 3. An address management device for allocating a network layer address used by the node for packet communication in response to an address allocation request based on a data link layer address from each node connected to the network, wherein data unique to the node is provided. Address list storage means for storing a link layer address and a network layer address assigned in response to an address assignment request based on the data link layer address or registered in advance in association with the data link layer address. A means for sending out the address allocation request in a pseudo manner with the address management device itself as a request source; and a response packet for the pseudo output address allocation request transmitted during a predetermined time. If the response packet is Extraction means for extracting the network layer address and the data link layer address of the original node, and whether the set of the extracted network layer address and the data link layer address exists in the set stored in the address list storage means. An address management device, comprising: a determination means for determining whether or not 4. A packet communication performed between a plurality of nodes connected to a network using a network layer address assigned to a data link layer address peculiar to each node by an address management device, and the address is monitored. An address management method for detecting an unauthorized node using a network layer address not assigned by a management device, wherein the address management device includes one data link layer address for one network layer address. Correspond to one network layer address, a plurality of data link layer addresses correspond to one network layer address, a plurality of network layer addresses correspond to one data link layer address, and a plurality of network layer addresses correspond to a plurality of network layer addresses. Which of the forms the data link layer address corresponds to In the form, has a specific data link layer address to the node, the address list storage means for and storing the network layer address assigned in response to the address assignment request based on the data link device address set, The receiving step of receiving a packet transmitted on the network regardless of its destination, and the source node of the packet from the received packet.
Or destination node network layer address and data
The first address corresponding to each of the link layer addresses
And an extraction step of extracting a second address, and the set stored in the address list storage means includes
There must be a set of the first address and the second address.
First, the address management device assigns the first address.
Use an incorrect network layer address that is not assigned
Detecting the unauthorized node that is present , and verifying the legitimacy of the second address from the unauthorized node.
Corresponds to the second address sent for confirmation
The first to query the data link layer address
When you receive a message
The second address is an invalid network layer address
Respond to the first message to notify you
Response message to the unauthorized node.
Tsu address management method characterized by comprising the flop, the. 5. The address list storage means has a plurality of data link layer addresses corresponding to one network layer address, a plurality of data link layer addresses corresponding to one network layer address, and a plurality of data link layer addresses corresponding to one network layer address. The data link layer address unique to the node is one of a form in which one data link layer address corresponds to a network layer address and a form in which a plurality of data link layer addresses correspond to a plurality of network layer addresses. And a net assigned in response to an address assignment request based on the data link device address.
2. The address management device according to claim 1, wherein the address management device stores the work layer address as a set . 6. An address management device for allocating a network layer address used by the node for packet communication in response to an address allocation request based on a data link layer address from each node connected to a network. A form in which one data link layer address corresponds, a form in which a plurality of data link layer addresses correspond to one network layer address, a form in which one data link layer address corresponds to a plurality of network layer addresses, and a plurality of form The data link layer address is assigned in response to an address assignment request based on the data link layer address unique to the node and the data link device address in one of a plurality of data link layer addresses corresponding to the network layer address. Or An address list storage means for storing a network layer address registered in advance corresponding to a data link layer address as a set; a means for sending the address allocation request in a pseudo manner with the address management device itself as a request source; When a response packet to the pseudo-transmitted address allocation request is transmitted during the passage of time, the extraction means for extracting the network layer address and the data link layer address of the source node of the response packet, The set stored in the address list storage means and the set of the extracted network layer address and data link layer address are compared, and a network layer address not present in the set stored in the address list storage means Illegal having a set of data link layer addresses as addresses An address management device comprising: means for detecting a valid node;