JP7376289B2 - Address monitoring device and address monitoring method - Google Patents

Description

The present invention relates to an address monitoring device and an address monitoring method, and particularly to a technique for monitoring address settings in an IPv6 environment.

In recent years, with the spread of IoT, various devices have become connected to the Internet. Along with this, the number of devices connected to the Internet has increased explosively, and the transition from IPv4, which has traditionally been used as an Internet protocol, to IPv6, which is a new protocol with an address length of 128 bits, is progressing. Furthermore, many network security products such as network monitoring devices are also rapidly required to be compatible with IPv6.

In an IPv6 environment, stateless automatic configuration is known as one method of assigning an IPv6 address to a terminal device. When setting an IPv6 address using stateless automatic configuration, an ICMPv6 Type 134 router advertisement (RA) packet is used. A terminal device that receives an RA packet transmitted by a device such as a router determines its own IPv6 address based on the prefix information included in the RA packet.

However, in an IPv6 environment, when an unauthorized RA packet is sent by a malicious party, a terminal device that receives the RA packet may have a new IPv6 address set based on the unauthorized RA packet. Additionally, if the IPv6 address generated based on the RA packet is an IPv6 address generated in EUI-64 format, and the temporary IPv6 address setting is disabled, the MAC address of the terminal device cannot be identified. Therefore, security problems arise.

For example, Patent Document 1 discloses a technique for preventing unauthorized connection to a network in an IPv6 environment. In the technology described in Patent Document 1, a monitoring device is installed in a network, monitors NS (Neighbor Solicitation) packets flowing within the network, and connects to the network based on the source address and MAC address of the NS packet. Determine whether the terminal device is authorized.

Japanese Patent Application Publication No. 2007-104396

However, the technique described in Patent Document 1 cannot detect whether stateless automatic configuration of IPv6 addresses in terminal devices on the network is disabled or enabled in order to prevent unauthorized access to the network.

The present invention has been made to solve the above-mentioned problems, and an object of the present invention is to detect whether stateless automatic configuration of IPv6 addresses is effective.

In order to solve the above problems, an address monitoring device according to the present invention includes a generation unit configured to generate a router advertisement packet including a first prefix value different from a prefix value that identifies a network to be monitored; , a transmitting unit configured to transmit the generated router advertisement packet via all-node multicast through the network, and detecting a duplicate temporary IPv6 address in the network as a response to the router advertisement packet. and a second prefix value included in the temporary IPv6 address included in the response packet matches the first prefix value; and a first determination unit configured to determine that stateless automatic configuration of IPv6 addresses is enabled in the terminal device that is the source of the response packet.

Further, in the address monitoring device according to the present invention, when the first determination unit determines that stateless automatic configuration of IPv6 address is enabled in the terminal device that is the source of the response packet, the first determination unit If the interface identifier of the temporary IPv6 address included in the temporary IPv6 address is a value based on a physical address unique to the terminal device, the setting of a temporary IPv6 address containing a random value is disabled in the terminal device. You may judge that.

Further, in the address monitoring device according to the present invention, when the receiving unit does not receive the response packet from the terminal device to be monitored, the stateless automatic configuration of the IPv6 address is disabled in the terminal device to be monitored. It may further include a second determination unit configured to determine that the condition is true.

Further, in the address monitoring device according to the present invention, the generation unit may generate the router advertisement packet using the first prefix value according to an operation input received from the outside by an input device.

Furthermore, the address monitoring device according to the present invention may further include a display device that displays the determination result by the first determination section on a display screen.

In order to solve the above problems, an address monitoring method according to the present invention includes a first step of generating a router advertisement packet including a first prefix value different from a prefix value for identifying a network to be monitored; a second step of transmitting the router advertisement packet generated in step by all-node multicast via the network; and a response for detecting duplicate addresses of temporary IPv6 addresses in the network as a response to the router advertisement packet. a third step of receiving a packet, and if the second prefix value included in the temporary IPv6 address included in the response packet matches the first prefix value, the sender of the response packet; and a fourth step of determining that stateless automatic configuration of IPv6 addresses is enabled in the terminal device.

According to the present invention, a first prefix value different from a prefix value identifying a network to be monitored included in a router advertisement packet transmitted by all-node multicast, and a second prefix of a temporary IPv6 address included in a received response packet. If the values match, it is determined that stateless automatic configuration of IPv6 addresses is enabled in the terminal device that sent the response packet. Therefore, it is possible to detect whether stateless automatic configuration of IPv6 addresses is effective.

FIG. 1 is a block diagram showing the configuration of a network system including an address monitoring device according to an embodiment of the present invention. FIG. 2 is a block diagram showing the configuration of the address monitoring device according to the embodiment. FIG. 3 is a block diagram showing the hardware configuration of the address monitoring device according to the embodiment. FIG. 4 is a flowchart for explaining the address monitoring method according to the embodiment. FIG. 5 is a sequence diagram showing the operation of the network system according to the embodiment.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to FIGS. 1 to 5.
[Network system configuration]
First, an overview of a network system including an address monitoring device 1 according to an embodiment of the present invention will be explained.
The address monitoring device 1 according to the embodiment of the present invention detects whether stateless automatic configuration of the IPv6 address of each of the terminal devices 2 and 3 connected via a network NW such as a LAN is enabled. do. The address monitoring device 1 is provided, for example, in a network system as shown in FIG. Further, the network system is provided in, for example, a BA (Building Automation) system.

As shown in FIG. 1, the network system includes an address monitoring device 1 and terminal devices 2 and 3 that are communicably connected to each other via a network NW. In this embodiment, the address monitoring device 1 monitors the terminal devices 2 and 3 on the network NW. The terminal devices 2 and 3 are terminals such as PCs that operate on IPv6. Furthermore, in this embodiment, as shown in FIG. 1, stateless automatic configuration of IPv6 addresses is enabled in terminal device 2, and stateless automatic configuration of IPv6 addresses is disabled in terminal device 3. It is assumed that there is

Stateless automatic configuration of IPv6 addresses is comprised of ICMPv6 router advertisement (RA) and duplicate address detection (DAD) functions. Specifically, when stateless automatic configuration of an IPv6 terminal that receives an RA packet sent by an IPv6 router is enabled, the IPv6 terminal uses the prefix value included in the RA packet to determine the temporary IPv6 address of its own device. generate. Furthermore, the IPv6 terminal executes DAD to verify that the generated temporary IPv6 address is unique within the link local. NS packets and NA packets are used to execute DAD. An IPv6 terminal with stateless autoconfiguration enabled that has generated a temporary IPv6 address in response to receiving an RA packet will receive an NS packet with the temporary IPv6 address stored in the "Target Address" field of the NS format. Send.

On the other hand, an IPv6 terminal in which stateless automatic configuration of IPv6 addresses is disabled does not perform DAD even if it receives an RA packet from an IPv6 router.

The address monitoring device 1 according to the present embodiment utilizes these mechanisms to generate an RA packet for inspection that includes a first prefix value that is different from the prefix value that identifies the network NW to be monitored. Send node multicast. In addition, if the second prefix value of the temporary IPv6 address included in the response packet received as a response to the RA packet and resulting from execution of DAD matches the first prefix value, the address monitoring device 1 detects the sender of the response packet. It is determined that the stateless automatic configuration of the terminal devices 2 and 3 is enabled. On the other hand, if the address monitoring device 1 does not receive a response packet to the RA packet, it determines that the stateless automatic configuration of the monitored terminal devices 2 and 3 is disabled.

[Functional block of address monitoring device]
An example of the configuration of the address monitoring device 1 according to this embodiment will be described below with reference to the block diagram of FIG. 2.
The address monitoring device 1 includes a generating section 10, a transmitting section 11, a receiving section 12, a first determining section 13, a second determining section 14, and a storage section 15.

The generation unit 10 generates an RA packet that includes a first prefix value that is different from a prefix value that identifies the network NW to be monitored. In this embodiment, RA packets are sent for inspection. The generation unit 10 uses a preset first prefix value for the RA packet because it needs to be distinguished from the RA packet transmitted for normal automatic IPv6 address setting.

Note that the generation unit 10 can use a first prefix value according to an operation input received from the outside by the input device 107, which will be described later. Alternatively, the generation unit 10 can also capture an RA packet flowing on the network NW and set a first prefix value that is different from the prefix value that identifies the network NW. The first prefix value is stored in the storage unit 15.

The transmitter 11 transmits the RA packet generated by the generator 10 by all-node multicast via the network NW. In this embodiment, RA packets are transmitted to the terminal devices 2 and 3.

The receiving unit 12 receives, as a response to the RA packet transmitted by the transmitting unit 11, a response packet for detecting duplicate IPv6 addresses within the link local. In this embodiment, an NS packet accompanying the execution of DAD by the terminal device 2 that has received the RA packet is received as a response packet.

If the second prefix value of the temporary IPv6 address included in the response packet received by the reception unit 12 matches the first prefix value, the first determination unit 13 determines whether the response packet is sent from the terminal It is determined that stateless automatic configuration of IPv6 addresses is enabled for device 2. As described above, the response packet includes a temporary IPv6 address generated by the terminal device 2 that received the RA packet using the prefix information of the RA packet. Therefore, for the terminal device 2 in which stateless automatic configuration is enabled, the same prefix information as the first prefix value included in the RA packet generated by the generation unit 10 is included.

When the first determination unit 13 determines that the stateless automatic configuration is enabled, the interface ID of the temporary IPv6 address generated by the terminal device 2 included in the response packet is a physical address unique to the terminal device 2. If the value is based on the address (MAC address), it is determined that the temporary IPv6 address setting including a random value is invalid.

A temporary IPv6 address is a temporary address that has an interface ID generated using a random value instead of a MAC address. The temporary IPv6 address has, for example, an interface ID generated by a bit string that changes randomly over time, and is replaced with a new temporary address after a certain expiration date. For an IPv6 terminal for which temporary IPv6 address setting is valid, for example, when a unique IPv6 address is generated in the IPv6 terminal by stateless automatic configuration, a temporary IPv6 address is also generated. In actual communication, this temporary IPv6 address is used.

An IPv6 address generated in stateless automatic configuration is composed of a prefix value advertised in an RA packet and an interface ID. The interface ID may be generated in an extended unique identifier (EUI-64) format using the MAC address of the terminal device 2 that received the RA packet. An interface ID generated in EUI-64 format can identify a globally unique MAC address. For example, even if the prefix of the network NW changes over time, the MAC address remains fixed. Since the terminal device 2 can be identified from the interface ID, in this embodiment, the IPv6 address generated in EUI-64 format is detected to identify security problems.

Specifically, if the interface ID of the temporary IPv6 address generated by the terminal device 2 included in the response packet includes the MAC address of the terminal device 2, the first determination unit 13 determines that the temporary IPv6 address is It is determined that the settings to be generated are invalid.

If the receiving unit 12 does not receive a response packet to the RA packet transmitted by all-node multicast, the second determining unit 14 determines that stateless automatic configuration of IPv6 addresses is disabled in the terminal device 3 to be monitored. I judge that. For example, if the second determining unit 14 does not receive an NS packet (response packet) from the terminal device 3 to be monitored by the time when the transmitting unit 11 transmits the RA packet and a certain period of time has elapsed, , it can be determined that stateless automatic configuration is disabled in that terminal device 3. Note that information for identifying the terminal device 3 is stored in the storage unit 15 in advance.

The storage unit 15 stores the first prefix value generated by the generation unit 10. Furthermore, the storage unit 15 can store information that identifies the terminal devices 2 and 3 on the network NW to be monitored.

[Hardware configuration of address monitoring device]
Next, an example of the hardware configuration of the address monitoring device 1 having the above-described functions will be described using FIG. 3.

As shown in FIG. 3, the address monitoring device 1 includes, for example, a processor 102, a main storage device 103, a communication interface 104, an auxiliary storage device 105, an input/output I/O 106, an input device 107, which are connected via a bus 101. This can be realized by a computer equipped with the display device 108 and a program that controls these hardware resources.

The main storage device 103 stores in advance programs for the processor 102 to perform various controls and calculations. The processor 102 and the main storage device 103 realize each function of the address monitoring device 1, such as the generation section 10, first judgment section 13, and second judgment section 14 shown in FIG.

The communication interface 104 is an interface circuit for network connection between the address monitoring device 1 and the terminal devices 2 and 3 and various external electronic devices. The communication interface 104 realizes the transmitter 11 and the receiver 12 described in FIG. Further, the determination results by the first determining section 13 and the second determining section 14 can be transmitted from the communication interface 104 to a specific terminal device on the network NW.

The auxiliary storage device 105 includes a readable and writable storage medium and a drive device for reading and writing various information such as programs and data to and from the storage medium. For the auxiliary storage device 105, a semiconductor memory such as a hard disk or a flash memory can be used as a storage medium.

The auxiliary storage device 105 has a program storage area in which the address monitoring device 1 stores a program for determining whether or not stateless automatic configuration of IPv6 addresses is valid in the terminal devices 2 and 3. The auxiliary storage device 105 realizes the storage unit 15 described in FIG. Furthermore, for example, it may have a backup area for backing up the data, programs, etc. mentioned above.

The input/output I/O 106 is composed of I/O terminals that input signals from external devices and output signals to external devices.

The input device 107 is configured with a touch panel, a keyboard, or the like, and receives touch operations and key inputs from the user, and generates signals in accordance with the operation inputs.

The display device 108 is configured with a liquid crystal display or the like. The display device 108 can display the determination results by the first determination section 13 and the second determination section on a display screen.

[Address monitoring method]
Next, the operation of the address monitoring device 1 having the above-described configuration will be explained with reference to the flowchart of FIG. 4.

First, the generation unit 10 generates an RA packet including a first prefix value different from the prefix value in the link local (step S1). Next, the transmitter 11 transmits the RA packet including the first prefix value generated in step S1 by all-node multicast transmission via the network NW (step S2).

Next, if the receiving unit 12 does not receive a response packet to the RA packet from the terminal devices 2 and 3 on the network NW (step S4: NO), the second determining unit 14 determines that the stateless automatic configuration is disabled. It is determined that (step S4). For example, the second determination unit 14 can determine whether the stateless automatic configuration is invalid based on whether or not an NS packet is received as a response packet from the monitored terminal devices 2 and 3 within a preset period. .

On the other hand, when the receiving unit 12 receives a response packet from the terminal devices 2 and 3 on the network NW (step S3: YES), the second prefix value of the temporary IPv6 address included in the response packet is the same as that of the transmitted RA packet. If the first prefix value matches the first prefix value (step S5: YES), it is determined that the stateless automatic configuration of the terminal devices 2 and 3 from which the response packet is sent is enabled (step S6).

Next, if it is determined in step S6 that stateless automatic configuration is enabled, and the interface ID of the temporary IPv6 address included in the response packet is in EUI-64 format (step S7: YES) ), the first determination unit 13 determines that the temporary IPv6 address setting is invalid in the terminal devices 2 and 3 that are the sender of the response packet (step S8).

Thereafter, for example, the display device 108 can display the state of stateless automatic configuration of IPv6 addresses and the temporary IPv6 address configuration of the terminal devices 2 and 3 on the monitored network NW (step S9). Alternatively, the determination result can be transmitted from the communication interface 104 to a specific terminal device (not shown) on the network NW.

[Network system operation sequence]
Next, the operation of the network system having the above-described configuration will be explained using the sequence diagram of FIG. 5. In the following explanation, as shown in FIG. 5, it is assumed that the prefix value for identifying the network NW to be monitored is "B".

First, the address monitoring device 1 generates an RA packet having a prefix value "A" (first prefix value) different from the prefix value "B" that identifies the network NW, and sends it by all-node multicast transmission ("FF02::1 ”) (step S100). Note that since the RA packet transmitted by the address monitoring device 1 is an RA packet for inspection, the valid period (Valid-lifetime) of the RA packet is set to the shortest possible period.

Next, upon receiving the RA packet, the terminal device 2 generates an IPv6 address using the prefix value "A" (second prefix value) included in the RA packet (step S101). In this embodiment, it is assumed that the terminal device 2 generates an interface ID in EUI-64 format.

Next, the terminal device 2 transmits an NS packet for executing DAD as a response packet (step S102). A temporary IPv6 address generated by the terminal device 2 is stored in the field "Target Address" of this response packet.

Thereafter, the address monitoring device 1 determines that the prefix value "A" of the IPv6 address included in the response packet from the terminal device 2 matches the prefix value "A" of the RA packet transmitted in advance (step S103: YES). It is determined that the stateless automatic configuration of the terminal device 2 is valid (step S104).

Next, the address monitoring device 1 determines that the IPv6 address setting is temporarily invalid in the terminal device 2 because the interface ID of the IPv6 address included in the response packet from the terminal device 2 is in EUI-64 format (step S105: YES). It is determined that it is (step S106). Therefore, in this example, the address monitoring device 1 determines that the stateless automatic configuration of the IPv6 address of the terminal device 2 is valid, and that the temporary IPv6 address configuration is invalid.

On the other hand, if the interface ID is not in the EUI-64 format (step S105: NO), the address monitoring device 1 outputs a determination result that stateless automatic configuration of the terminal device 2 is valid (step S104).

On the other hand, regarding the terminal device 3, the address monitoring device 1 does not receive a response packet from the terminal device 3 within a certain period of time after all-node multicast transmission of the RA packet with the prefix value "A" in step S100 (step S107: YES), it is determined that stateless automatic setting is disabled.

As explained above, according to the address monitoring device 1 according to the present embodiment, an RA packet having a first prefix value different from a prefix value that identifies a network to be monitored is transmitted by all-node multicast, and Based on whether or not a response packet is received by the terminal devices 2 and 3 by executing DAD, it is determined whether stateless automatic configuration of the IPv6 address of the terminal devices 2 and 3 is effective. Therefore, the address monitoring device 1 can determine whether or not the stateless automatic setting of the terminal devices 2 and 3 to be monitored is effective with a simpler configuration.

As a result, in an IPv6 environment, it is possible to prevent IPv6 addresses from being added to the terminal devices 2 and 3 in an unauthorized manner due to the transmission of an unauthorized RA packet from a malicious party.

Additionally, if the interface ID of the IPv6 address included in the response packet is an address generated in the EUI-64 format, the address monitoring device 1 temporarily disables the IPv6 address setting in the target terminal device 2. Therefore, terminal devices with security problems can be detected with a simpler configuration.

Although the embodiments of the address monitoring device and the address monitoring method of the present invention have been described above, the present invention is not limited to the described embodiments, and those skilled in the art can imagine it within the scope of the invention described in the claims. Various possible modifications can be made.

DESCRIPTION OF SYMBOLS 1... Address monitoring device, 2, 3... Terminal device, 10... Generation part, 11... Transmission part, 12... Receiving part, 13... First judgment part, 14... Second judgment part, 15... Storage part, 101... Bus , 102... Processor, 103... Main storage device, 104... Communication interface, 105... Auxiliary storage device, 106... Input/output I/O, 107... Input device, 108... Display device, NW... Network.

Claims (6)

a generator configured to generate a router advertisement packet including a first prefix value different from a prefix value identifying a network to be monitored;
a transmitter configured to transmit the generated router advertisement packet via all-node multicast over the network;
a receiving unit configured to receive a response packet for detecting duplicate temporary IPv6 addresses in the network as a response to the router advertisement packet;
It is determined whether the second prefix value included in the temporary IPv6 address included in the response packet matches the first prefix value, and if it is determined that both match, the second prefix value included in the temporary IPv6 address included in the response packet is An address monitoring device comprising: a first determination unit configured to determine that stateless automatic configuration of an IPv6 address is enabled in a transmission source terminal device. The address monitoring device according to claim 1,
When the first determination unit determines that stateless automatic configuration of IPv6 addresses is enabled in the terminal device that is the source of the response packet, the first determination unit determines that the interface identifier of the temporary IPv6 address included in the response packet is is a value based on a physical address unique to the terminal device, the address monitoring device determines that the setting of a temporary IPv6 address including a random value is invalid in the terminal device. . The address monitoring device according to claim 1 or 2,
The receiving unit is configured to determine that stateless automatic configuration of an IPv6 address is disabled in the monitored terminal device when the response packet is not received from the monitored terminal device. An address monitoring device further comprising a second determination section. The address monitoring device according to any one of claims 1 to 3,
The address monitoring device is characterized in that the generation unit generates the router advertisement packet using the first prefix value according to an operation input received from the outside by an input device. The address monitoring device according to any one of claims 1 to 4,
An address monitoring device further comprising a display device that displays a determination result by the first determination section on a display screen. a first step of generating a router advertisement packet including a first prefix value different from a prefix value identifying a network to be monitored;
a second step of transmitting the router advertisement packet generated in the first step by all-node multicasting via the network;
a third step of receiving a response packet for detecting duplicate temporary IPv6 addresses in the network as a response to the router advertisement packet;
It is determined whether the second prefix value included in the temporary IPv6 address included in the response packet matches the first prefix value, and if it is determined that both match, the second prefix value included in the temporary IPv6 address included in the response packet is A fourth step of determining that stateless automatic configuration of IPv6 addresses is enabled in a sending terminal device.

Images