WO2009043304A1 - Method, system, and device for verifying the relation of data link layer address and its transmitting party - Google Patents

Method, system, and device for verifying the relation of data link layer address and its transmitting party

Info

Publication number
WO2009043304A1
Authority
WO
WIPO (PCT)
Prior art keywords
data link
link layer
layer address
sender
address
Application number
PCT/CN2008/072562
Other languages
French (fr)
Chinese (zh)
Inventor
Sheng Jiang
Zhongqi Xia
Marcelo Bagnulo Brown
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009043304A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/35 Network arrangements, protocols or services for addressing or naming involving non-standard use of addresses for implementing network functionalities, e.g. coding subscription information within the address or functional addressing, i.e. assigning an address to a function
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/324 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the data link layer [OSI layer 2], e.g. HDLC

Definitions

  • The present invention relates to the field of network communication technologies, and in particular to a method, system, and apparatus for verifying the relationship between a data link layer address and its sender.
  • The data link layer is a level that all network data transmission must pass through, and its communication security requirements are constantly rising; with the practical use and large-scale spread of wireless networks, the open air interface brings network attacks that threaten the security of link layer data transmission.
  • These network attacks mainly include: (1) the attacker supplies a large number of invalid Media Access Control (MAC) addresses to the network switch, so that the content addressed memory (CAM, Call Access Management) table is flooded and the intruder gets to see the traffic in the local Virtual Local Area Network (VLAN); (2) the attacker attacks the spanning tree protocol to force it to update, disguising their own system as the root bridge of the topology so as to obtain all kinds of data frames; (3) the attacker spoofs the MAC address of the attacked host and sends data link layer control packets that rewrite the corresponding entry in the CAM table, so that the switch forwards packets destined for the attacked host to the attacker.
  • MAC media access control
  • CAM content addressed memory
  • VLAN virtual local area network
  • The attacker illegally modifies the correspondence between MAC addresses and IP addresses stored on the switch, obtaining the Address Resolution Protocol (ARP) table and carrying out denial of service or man-in-the-middle attacks.
  • The attacker broadcasts Dynamic Host Configuration Protocol (DHCP) requests with forged MAC addresses; given enough requests, the attacker can exhaust the address space offered by the DHCP server for a period of time, and then set up a rogue DHCP server on their own system to answer new DHCP requests from clients on the network.
  • ARP Address Resolution Protocol
  • DHCP Dynamic Host Configuration Protocol
  • A MAC address is the address used on the data link layer, also called the physical address or link address; it is the physical address of the network card produced by the manufacturer and is unique to each device.
  • Packet switching and forwarding on the Ethernet data link layer are all identified by MAC address.
  • Each packet transmitted on the data link layer contains the MAC address of the network card that sent it. MAC address binding and MAC-address-based authentication are applied in various data link layer security mechanisms, such as the binding authentication mechanism between MAC address and IP address, and the data link layer Access Control List (ACL), which is in fact a set of permit and deny matching rules.
  • 802.1x authentication checks the identity sent by the client, that is, the username and password, to determine whether the user is entitled to use the network services provided by the network system.
  • When sending data link layer packets, the network card driver does not read the MAC address from the hardware memory device; instead it creates a buffer in memory, and the data link layer packets read their source MAC address from that buffer. Therefore a user can, through the operating system, modify the source MAC address in the data link layer packets actually sent. Since the MAC address can be modified, the various MAC-address-based security mechanisms lose their original meaning.
  • Existing data link layer addresses use a fixed address corresponding to the physical hardware, with no authentication of ownership of that fixed address, so they are very easily impersonated by a potential attacker on the same link; moreover, most data link layer security mechanisms are premised on the MAC address being unique, permanent and not forgeable, yet MAC addresses can be forged. An attacker can first spoof a MAC address and then steal the IP address, bypassing the MAC-IP binding authentication mechanism. An attacker can change their own MAC address to one permitted by a known access control list, thereby deceiving a router that uses that access control list. After a legitimate user passes 802.1x authentication, an attacker can impersonate that user's MAC address and port and use the network services that have been opened.
  • Embodiments of the present invention provide a method, system, and apparatus for verifying the relationship between a data link layer address and its sender, which can generate a data link layer address with an embedded security mechanism and verify the relationship between that address and its sender, thereby improving the security of data link layer data transmission.
  • An embodiment of the present invention provides a method for verifying the relationship between a data link layer address and its sender, including: receiving a packet whose source address is the sender's data link layer address, the data link layer address having security information embedded in it;
  • The embodiment of the present invention further provides a network interaction system, including a sending device and a receiving device, where the sending device includes:
  • a sending unit configured to send a packet whose source address is the sender's data link layer address, the data link layer address having security information embedded in it;
  • the receiving device includes:
  • a receiving unit configured to receive the packet
  • a calculating unit configured to apply a first preset rule to the parameters corresponding to the sender's data link layer address, to obtain an operation result;
  • an address verification unit configured to compare the operation result with the sender's data link layer address and, when they correspond, to determine that the data link layer address is owned by the sender.
  • An embodiment of the present invention provides a sending device for verifying a sender address, including: a sending unit configured to send a packet whose source address is the sender's data link layer address, the data link layer address having security information embedded in it.
  • The embodiment of the present invention further provides a receiving device for verifying a sender address, including: a receiving unit configured to receive a packet whose source address is the sender's data link layer address, the data link layer address having security information embedded in it; a calculating unit configured to apply a first preset rule to the parameters corresponding to the sender's data link layer address to obtain an operation result; and an address verification unit configured to compare the operation result with the sender's data link layer address and, when they correspond, to verify that the data link layer address is owned by the sender.
  • The received packet uses as its source address the sender's data link layer address with embedded security information, so that address can be extracted from the packet. The parameters corresponding to that address are then operated on, and when the operation result corresponds to the data link layer address, the address is considered to be owned by the sender. It can therefore be known whether the data link layer address of a transmitted packet is owned by its sender, which improves the security of data link layer data transmission.
  • FIG. 1 is a flowchart of a verification method according to an embodiment of the present invention
  • FIG. 2 is a flowchart of generating a data link layer address according to Embodiment 1 of the present invention
  • FIG. 3 is a flowchart of verifying a data link layer address according to Embodiment 1 of the present invention
  • FIG. 5 is a flowchart of verifying a data link layer address according to Embodiment 2 of the present invention
  • FIG. 6 is a schematic diagram of a system according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of a sending apparatus according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of a receiving apparatus according to an embodiment of the present invention.
  • The embodiment of the invention provides a method, a system and a device for verifying the relationship between a data link layer address and its sender, used to verify the correspondence between a sender and its data link layer address during network data transmission, thereby avoiding forged data link layer addresses and improving the security of data link layer data transmission.
  • The method includes the following steps: 101: receive a packet whose source address is the sender's data link layer address with embedded security information.
  • the security information includes: a public-private key pair of the sender; or a symmetric key agreed in advance.
  • The method for generating the data link layer address is: the sender presets the security information for the data link layer address, and the sender operates on the security information with the second preset rule to generate the data link layer address and its corresponding parameters, where the parameters corresponding to the data link layer address are the collection of all actual parameter values used in generating the data link layer address.
  • The operation result corresponding to the data link layer address means: when the first preset rule and the second preset rule are the same, the operation result is identical to the data link layer address; when the first preset rule and the second preset rule differ, the operation result must have a defined correspondence with the data link layer address, so that the receiver can use the operation result to confirm the relationship between the data link layer address and the sender.
  • The first preset rule and/or the second preset rule are reproducible, irreversible (one-way) and the like; rules the same as or similar to the first and/or second preset rule described here are all features protected by the present invention.
  • The packet further carries the parameters corresponding to the data link layer address; correspondingly, operating on those parameters with the first preset rule comprises extracting the parameters from the packet and applying the first preset rule to them.
  • the packet is signed by the sender.
  • Receiving the packet includes verifying the signature data of the packet.
  • FIG. 2, a flowchart of the first example of generating a data link layer address, includes:
  • The network node generates a 256-bit random modifier; then (step 202), using the hash algorithm SHA-256, 1 zero byte is appended to the modifier, the public key and the extended parameters are attached to form an input sequence, the input sequence is hashed, and the leftmost N bits of the hash result are taken, where N is at least (16 * security level) bits.
  • Step 203: check whether the leftmost (16 * security level) bits of hash value 2 are all zero; if so, proceed to the next step, otherwise increment the random modifier by 1 and return to step 202;
  • The value 16 * security level is variable, with the security level ranging from 0 to 7.
  • Duplicate address detection is used to check whether the newly generated address conflicts with an existing address; if it does, the collision count is incremented by one and the process returns to step 205. After three consecutive collisions the process is aborted and an error is reported.
  • If the check passes, go to step 303; otherwise, go to step 302;
  • Step 307: verify whether the leftmost (16 * security level) bits of hash value 2 are all zero; if not, execute step 302 to exit the verification process; if so, go to step 308.
  • The value 16 * security level is variable, with the security level ranging from 0 to 7.
  • A flowchart of the second example of generating a data link layer address according to an embodiment of the present invention includes:
  • The network node generates a 128-bit random modifier. Step 402: using the hash algorithm SHA-384, 4 zero bytes are appended to the modifier, followed by the public key and the extended parameters, concatenated from left to right into an input sequence; the sequence is hashed and the leftmost N bits of the result are taken, where N is at least (8 * security level) bits. Normally the leftmost 64 bits are taken directly as hash value 2;
  • Step 403: check whether the leftmost (8 * security level) bits of hash value 2 are all zero, the security level ranging from 0 to 7; if so, proceed to the next step, otherwise increment the random modifier by 1 and return to step 402. The value 8 * security level is variable, with the security level ranging from 0 to 7.
  • Duplicate address detection is used to check whether the newly generated address conflicts with an existing address; if it does, the collision count is incremented by one and the process returns to step 405. After three consecutive collisions the process is aborted and an error is reported.
  • FIG. 5, a flowchart of the second example of verifying a data link layer address provided by an embodiment of the present invention, includes:
  • Step 501: check whether the collision count in the data link layer address parameters is less than 2, that is, one of 0, 1, 2; if so, go to step 503, otherwise go to step 502;
  • Step 503: the hash algorithm SHA-384 is applied to the data link layer address parameters, and the leftmost 21 bits of the hash output are taken as hash value 1;
  • Step 504: compare whether the rightmost 21 bits of the data link layer address equal hash value 1; if not, execute step 502; if so, execute step 505;
  • Step 505: take bits 25 to 27 from the left of the data link layer address, 3 bits in total, as the security level. Step 506: set the vendor identifier, padding bits and collision count in the data link layer address parameters all to zero, then apply the hash algorithm SHA-384 to the modified parameters to obtain hash value 2;
  • Step 507: verify whether the leftmost (8 * security level) bits of hash value 2 are all zero; if not, exit the verification process (step 502); if so, go to step 508.
  • FIG. 6 is a schematic diagram of a system according to an embodiment of the present invention, including: a sending device 601, a receiving device 602;
  • the sending device 601 includes:
  • The sending unit 603 is configured to send a packet that uses the sender's data link layer address with embedded security information as its source address.
  • the security information includes: a public-private key pair of the sender; or a symmetric key agreed in advance.
  • the receiving device 602 includes:
  • The receiving unit 611 is configured to receive the packet, whose source address is the sender's data link layer address with security information embedded in it;
  • the obtaining unit 604 is configured to obtain the data link layer address of the sender from the message received by the receiving unit 611.
  • The calculating unit 605 is configured to apply the first preset rule to the parameters corresponding to the sender's data link layer address and obtain the operation result.
  • the data link layer address corresponding parameter is a collection of actual parameter values used in generating the data link layer address.
  • The address verification unit 606 is configured to compare the operation result with the sender's data link layer address and, when they correspond, to verify that the data link layer address is owned by the sender.
  • the sending device 601 further includes:
  • a signing unit 607 configured to sign the message
  • the receiving device 602 further includes:
  • the signature verification unit 608 is configured to verify the signature data of the packet.
  • the sending device 601 further includes:
  • a preset unit 609 configured to preset security information for generating a data link layer address
  • The generating unit 610 is configured to operate on the security information with the second preset rule to generate the data link layer address and its corresponding parameters.
  • The first preset rule and/or the second preset rule are: applying a hash calculation to the sender's preset security information. The sending device 601 further includes an information adding unit 612 configured to add the parameters corresponding to the data link layer address to the packet; the obtaining unit 604 is further configured to extract those parameters from the packet, and the calculating unit 605 is further configured to operate on them with the first preset rule.
  • FIG. 7 is a schematic diagram of a sending apparatus according to an embodiment of the present invention, including:
  • The sending unit 603 is configured to send a packet that uses the sender's data link layer address with embedded security information as its source address.
  • the security information includes: a public-private key pair of the sender; or a symmetric key agreed in advance.
  • the transmitting device further includes:
  • a signing unit 607 configured to sign the message
  • a preset unit 609 configured to preset security information for generating a data link layer address
  • The generating unit 610 is configured to operate on the security information with the second preset rule to generate the data link layer address and its corresponding parameters; the first preset rule and/or the second preset rule are: applying a hash calculation to the sender's preset security information.
  • the sending device 601 further includes: an information adding unit 612, configured to add a data link layer address corresponding parameter to the packet.
  • FIG. 8 is a schematic diagram of a receiving apparatus according to an embodiment of the present invention, including:
  • the receiving unit 611 is configured to receive the packet.
  • the obtaining unit 604 is configured to obtain the data link layer address of the sender from the message received by the receiving unit 611.
  • The calculating unit 605 is configured to apply the first preset rule to the parameters corresponding to the sender's data link layer address to obtain an operation result.
  • the data link layer address corresponding parameter is a collection of all actual parameter values used in generating the data link layer address.
  • The address verification unit 606 is configured to compare the operation result with the sender's data link layer address and, when they correspond, to verify that the data link layer address is owned by the sender.
  • the receiving device further includes:
  • the signature verification unit 608 is configured to verify the signature data of the packet.
  • The obtaining unit 604 is further configured to extract the parameters corresponding to the data link layer address from the packet, and the calculating unit 605 is further configured to operate on those parameters with the first preset rule.
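As an added worked example (not code from the patent or its assignee), the second generation example and the FIG. 5 verification flow above in Python: SHA-384, a 128-bit modifier, hash value 1 in the rightmost 21 address bits, the 3-bit security level in bits 25-27, and the leading-zero check on hash value 2 with the vendor identifier and collision count zeroed. The byte layout of the address parameters (16-byte modifier, 3-byte vendor identifier, 1-byte collision count, then the public key and extension) and the treatment of the public key as an opaque byte string are assumptions made for this example.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed values for this example; none are taken from the patent.
VENDOR_ID = bytes.fromhex("020000")   # 24-bit vendor identifier (locally administered, constructed)
HASH1_BITS = 21                       # rightmost 21 address bits carry hash value 1 (steps 503/504)
SEC_SHIFT = 21                        # 3-bit security level sits in bits 25-27 from the left (step 505)


@dataclass
class AddressParams:
    """Assumed layout of the data link layer address parameters carried in the packet."""
    modifier: bytes         # 128-bit random modifier (generation step 401)
    vendor_id: bytes        # 3-byte vendor identifier, zeroed when computing hash value 2
    collision_count: int    # 0, 1 or 2 (steps 405 / 501)
    public_key: bytes       # sender's public key: the embedded security information
    extension: bytes = b""  # extended parameters

    def encode(self, zero_fixed_fields: bool = False) -> bytes:
        """Serialize for hashing. With zero_fixed_fields the vendor id and collision
        count become the 4 zero bytes after the modifier described in steps 402/506."""
        fixed = b"\x00" * 4 if zero_fixed_fields else self.vendor_id + bytes([self.collision_count])
        return self.modifier + fixed + self.public_key + self.extension


def hash1(params: AddressParams) -> int:
    """Step 503: SHA-384 over all parameters, leftmost 21 bits."""
    digest = hashlib.sha384(params.encode()).digest()
    return int.from_bytes(digest[:3], "big") >> (24 - HASH1_BITS)


def hash2_ok(params: AddressParams, sec: int) -> bool:
    """Steps 403/507: SHA-384 with vendor id and collision count zeroed, leftmost 64 bits
    taken as hash value 2; the leftmost 8*sec bits of hash value 2 must all be zero."""
    digest = hashlib.sha384(params.encode(zero_fixed_fields=True)).digest()
    hash2 = int.from_bytes(digest[:8], "big")
    return sec == 0 or (hash2 >> (64 - 8 * sec)) == 0


def build_address(params: AddressParams, sec: int) -> int:
    """Assemble the 48-bit address: 24-bit vendor id | 3-bit sec | 21-bit hash value 1."""
    return (int.from_bytes(params.vendor_id, "big") << 24) | (sec << SEC_SHIFT) | hash1(params)


def generate_address(public_key: bytes, sec: int, in_use=frozenset(),
                     modifier: Optional[bytes] = None) -> Tuple[int, AddressParams]:
    """Generation flow: search for a modifier satisfying the hash value 2 condition
    (steps 401-403), then derive hash value 1 and the address. `in_use` stands in for
    duplicate address detection (step 405); the collision count is tried up to three times."""
    mod_int = int.from_bytes(modifier or os.urandom(16), "big")
    params = AddressParams(mod_int.to_bytes(16, "big"), VENDOR_ID, 0, public_key)
    while not hash2_ok(params, sec):                    # step 403: bump the modifier and retry
        mod_int = (mod_int + 1) % (1 << 128)
        params.modifier = mod_int.to_bytes(16, "big")
    for count in range(3):
        params.collision_count = count
        addr = build_address(params, sec)
        if addr not in in_use:
            return addr, params
    raise RuntimeError("address generation aborted after three consecutive collisions")


def verify_address(addr: int, params: AddressParams) -> bool:
    """FIG. 5 flow: True only if the holder of these parameters owns the address.
    The receiver recomputes both hashes from the parameters carried in the packet, so
    reusing someone else's address together with a different public key fails step 504."""
    if not 0 <= params.collision_count <= 2:                  # step 501
        return False
    if (addr & ((1 << HASH1_BITS) - 1)) != hash1(params):     # steps 503/504
        return False
    sec = (addr >> SEC_SHIFT) & 0x7                           # step 505
    return hash2_ok(params, sec)                              # steps 506/507


def mac_str(addr: int) -> str:
    """Render the 48-bit address in the usual colon-separated form."""
    return ":".join(f"{b:02x}" for b in addr.to_bytes(6, "big"))


if __name__ == "__main__":
    key = b"constructed public key of the legitimate sender"
    addr, params = generate_address(key, sec=1)
    print(mac_str(addr), verify_address(addr, params))        # True
    # Same address presented with a different key: the presenter does not own it.
    forged = AddressParams(params.modifier, params.vendor_id, params.collision_count, b"other key")
    print(verify_address(addr, forged))                       # False
```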

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for verifying the relation between a data link layer address and its transmitting party includes: a message is received that uses as its source address a data link layer address embedded with the transmitting party's security information (101); the data link layer address is extracted (102); the parameters corresponding to the data link layer address, which are the collection of all actual parameter values used during generation of the address, are calculated with a first preset rule and the calculated result is obtained (103); when the calculated result corresponds to the data link layer address, the data link layer address is held by the transmitting party (104). A corresponding system and device are also provided. The receiving party verifies the transmitting party's data link layer address, forged data link layer addresses are avoided, and the security of data transmission in the data link layer is thereby improved.

Description

Method, system and device for the relationship between a data link layer address and its sender. This application claims priority to Chinese Patent Application No. 200710149993.9, filed with the Chinese Patent Office on September 30, 2007 and entitled "Method, system and device for verifying the relationship between a data link layer address and its sender", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of network communication technologies, and in particular to a method, system and device for verifying the relationship between a data link layer address and its sender.
Background technique
In network communication, the data link layer is a level that all network data transmission must pass through, and its communication security requirements are constantly rising. With the practical use and large-scale spread of wireless networks, the open air interface has brought network attacks that threaten the security of link layer data transmission.
These network attacks mainly include: (1) the attacker supplies a large number of invalid Media Access Control (MAC) addresses to the network switch, so that the content addressed memory (CAM, Call Access Management) table is flooded and the intruder gets to see the traffic in the local Virtual Local Area Network (VLAN); (2) the attacker attacks the spanning tree protocol to force it to update, disguising their own system as the root bridge of the topology so as to obtain all kinds of data frames; (3) the attacker spoofs the MAC address of the attacked host and sends data link layer control packets that rewrite the corresponding entry in the CAM table, so that the switch forwards packets destined for the attacked host to the attacker; (4) the attacker illegally modifies the MAC-to-IP address mapping stored on the switch, obtaining the Address Resolution Protocol (ARP) table and carrying out denial of service or man-in-the-middle attacks; (5) the attacker broadcasts Dynamic Host Configuration Protocol (DHCP) requests with forged MAC addresses; given enough requests, the attacker can exhaust the address space offered by the DHCP server for a period of time, and then set up a rogue DHCP server on their own system to answer new DHCP requests from clients on the network.
In the prior art, a MAC address is the address used on the data link layer, also called the physical address or link address; it is the physical address of the network card produced by the manufacturer and is unique to each device. Packet switching and forwarding on the Ethernet data link layer are all identified by MAC address, and every packet transmitted on the data link layer contains the MAC address of the network card that sent it. MAC address binding and MAC-address-based authentication are applied in various data link layer security mechanisms, for example: the binding authentication mechanism between MAC address and IP address; the data link layer Access Control List (ACL), which is in fact a set of permit and deny matching rules; and 802.1x authentication, which checks the identity sent by the client, namely the username and password, to determine whether the user is entitled to use the network services provided by the network system.
In researching and practising the prior art, the inventors found that when sending data link layer packets the network card driver does not read the MAC address from the hardware memory device, but creates a buffer in memory from which the data link layer packets read their source MAC address. Therefore a user can, through the operating system, modify the source MAC address in the data link layer packets actually sent. Since the MAC address can be modified, the various MAC-address-based security mechanisms lose their original meaning.
In addition, existing data link layer addresses use a fixed address corresponding to the physical hardware, with no authentication of ownership of that fixed address, so they are very easily impersonated by a potential attacker on the same link; moreover, most data link layer security mechanisms are premised on the MAC address being unique, permanent and not forgeable, yet MAC addresses can be forged. An attacker can first spoof a MAC address and then steal the IP address, bypassing the MAC-IP binding authentication mechanism. An attacker can change their own MAC address to one permitted by a known access control list, thereby deceiving a router that uses that access control list. After a legitimate user passes 802.1x authentication, an attacker can impersonate that user's MAC address and port and use the network services that have been opened.
Summary of the invention
Embodiments of the present invention provide a method, system and device for verifying the relationship between a data link layer address and its sender, which can generate a data link layer address with an embedded security mechanism and verify the relationship between that address and its sender, thereby improving the security of data link layer data transmission.
An embodiment of the present invention provides a method for verifying the relationship between a data link layer address and its sender, including:
receiving a packet whose source address is the sender's data link layer address, the data link layer address having security information embedded in it;
extracting the data link layer address;
operating on the parameters corresponding to the data link layer address with a first preset rule to obtain an operation result, where the parameters corresponding to the data link layer address are the collection of all actual parameter values used in generating the data link layer address;
when the operation result corresponds to the data link layer address, determining that the data link layer address is owned by the sender.
An embodiment of the present invention further provides a network interaction system including a sending device and a receiving device. The sending device includes:
a sending unit, configured to send a message whose source address is the sender's data link layer address, the data link layer address having security information embedded in it.
The receiving device includes:
a receiving unit, configured to receive the message; a calculating unit, configured to apply a first preset rule to the parameters corresponding to the sender's data link layer address to obtain an operation result; and
an address verification unit, configured to compare the operation result with the sender's data link layer address and, when they correspond, determine that the data link layer address belongs to the sender.
An embodiment of the present invention provides a sending device for verifying a sender address, including: a sending unit, configured to send a message whose source address is the sender's data link layer address, the data link layer address having security information embedded in it.
An embodiment of the present invention further provides a receiving device for verifying a sender address, including: a receiving unit, configured to receive a message whose source address is the sender's data link layer address, the data link layer address having security information embedded in it; a calculating unit, configured to apply a first preset rule to the parameters of the sender's data link layer address to obtain an operation result; and
an address verification unit, configured to compare the operation result with the sender's data link layer address and, when they correspond, verify that the data link layer address belongs to the sender.
In the technical solution provided by the embodiments of the present invention, a received data message uses as its source address the sender's data link layer address with embedded security information. That address can be extracted from the message, and an operation can be run over the parameters corresponding to it; when the operation result corresponds to the data link layer address, the address is regarded as belonging to the sender. It can therefore be established whether the data link layer address from which a data message was sent belongs to the sender, which improves the security of data transmission at the data link layer.
Brief description of the drawings
Fig. 1 is a flowchart of the verification method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of generating a data link layer address according to Example 1 of the present invention; Fig. 3 is a flowchart of verifying a data link layer address according to Example 1; Fig. 4 is a flowchart of generating a data link layer address according to Example 2; Fig. 5 is a flowchart of verifying a data link layer address according to Example 2; Fig. 6 is a schematic diagram of the system provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of the sending device provided by an embodiment of the present invention;
Fig. 8 is a schematic diagram of the receiving device provided by an embodiment of the present invention.
Detailed description
Embodiments of the present invention provide a method, a system and devices for verifying the relationship between a data link layer address and its sender. During network data transmission, the correspondence between the sender and its data link layer address is verified, which prevents spoofing of data link layer addresses and so improves the security of data transmission at the data link layer. To make the technical solution of the present invention clearer, embodiments are described in detail below.
Referring to Fig. 1, a flowchart of the method provided by an embodiment of the present invention, the method includes the following steps:
101: Receive a message that uses the sender's data link layer address, with security information embedded in it, as its source address. The security information includes: the sender's public/private key pair; or a symmetric key agreed in advance.
102: Extract the data link layer address.
103: Apply a first preset rule to the parameters corresponding to the data link layer address to obtain an operation result. The data link layer address is generated as follows: the sender presets the security information from which the data link layer address is generated, and the sender applies a second preset rule to that security information. The parameters corresponding to the data link layer address are the collection of all actual parameter values used in generating the address.
104: When the operation result corresponds to the data link layer address, the data link layer address belongs to the sender.
"The operation result corresponds to the data link layer address" means the following. When the first preset rule and the second preset rule are the same, the operation result is identical to the data link layer address. When the two rules differ, the operation result must stand in a defined correspondence with the data link layer address, so that the receiver can confirm the relationship between the address and the sender from the operation result.
The first preset rule and/or the second preset rule is repeatable and irreversible (one-way). Descriptions that are the same as or similar to the first preset rule and/or the second preset rule fall within the features protected by the present invention.
The message may further carry the parameters corresponding to the data link layer address. In that case, applying the first preset rule to the parameters corresponding to the data link layer address specifically includes: extracting those parameters from the message and applying the first preset rule to them.
The message may be signed by the sender. In that case, after the message is received, the signature data of the message is verified. The address check alone only shows that the address was derived from the public key carried in the parameters; the signature check is what shows that the message was produced by the holder of the corresponding private key, so the two checks belong together.
The method of generating a data link layer address provided by embodiments of the present invention, and the method of verifying the correspondence between a data link layer address and its sender, are each illustrated below with an example. Referring to Fig. 2, a flowchart of Example 1 of generating a data link layer address, the steps are:
201: The network node generates a 256-bit random modifier.
202: Using the hash algorithm SHA-256, form an input sequence consisting of the modifier followed by one byte of zeros, followed by the public key and the extension parameters. Hash the input sequence and take the leftmost N bits of the digest, where N is at least (16 * Sec) bits, Sec being the security level. Normally the leftmost 112 bits are taken directly; this is Hash2.
203: Check whether the leftmost (16 * Sec) bits of Hash2 are all zero. If they are, go to the next step; otherwise increment the modifier by 1 and return to step 202.
Here 16 * Sec is a variable; the security level Sec ranges from 0 to 7.
204: Set the 4-bit collision count to 0.
205: Using SHA-256, hash the sequence formed, from left to right, by the modifier, 4 padding bits all set to 1, the collision count, the public key and the extension parameters. Take the leftmost 45 bits of the digest as Hash1.
206: Form the data link layer address as the security level Sec expressed in 3 bits followed by Hash1 (3 + 45 = 48 bits).
207: Run duplicate address detection on the newly generated address. If it collides with an existing address, increment the collision count by 1 and return to step 205; after 3 consecutive collisions, abort the process and report an error.
208: A valid address has been obtained. Assemble the data link layer address parameters, from left to right, as the modifier, the 4 one-bits, the collision count, the public key and the extension parameters.
The method of verifying the correspondence between the sender and its data link layer address is described next. Referring to Fig. 3, a flowchart of Example 1 of verifying a data link layer address, the steps are:
301: Check whether the collision count in the data link layer address parameters is at most 2, that is, one of 0, 1 or 2 (the generator aborts on the third collision, so no valid address carries a larger count). If so, go to step 303; otherwise go to step 302.
302: Any value outside that range means verification fails; exit the verification process.
303: Apply SHA-256 to the data link layer address parameters and take the leftmost 45 bits of the digest as Hash1.
304: Compare the rightmost 45 bits of the data link layer address with Hash1. If they differ, go to step 302; if they are equal, go to step 305.
305: Take the leftmost 3 bits of the data link layer address as the security level Sec.
306: Replace the padding bits and the collision count in the data link layer address parameters with all zeros, then apply SHA-256 to the modified parameters to obtain Hash2.
307: Check whether the leftmost (16 * Sec) bits of Hash2 are all zero. If not, go to step 302 and exit the verification process; if so, go to step 308.
Here 16 * Sec is a variable; the security level Sec ranges from 0 to 7.
308: Verification passes.
Referring to Fig. 4, a flowchart of Example 2 of generating a data link layer address, the steps are:
401: The network node generates a 128-bit random modifier.
402: Using the hash algorithm SHA-384, hash the sequence formed, from left to right, by the modifier, 4 bytes of zeros, the public key and the extension parameters. Take the leftmost N bits of the digest, where N is at least (8 * Sec) bits. Normally the leftmost 64 bits are taken directly; this is Hash2.
403: Check whether the leftmost (8 * Sec) bits of Hash2 are all zero, where the security level Sec ranges from 0 to 7. If they are, go to the next step; otherwise increment the modifier by 1 and return to step 402. Here 8 * Sec is a variable.
404: Set the 4-bit collision count to 0.
405: Using SHA-384, form an input sequence consisting of the modifier, the 24-bit vendor identifier, 4 padding bits all set to 0, the collision count, the public key and the extension parameters. Hash the input sequence and take the leftmost 21 bits of the digest as Hash1.
406: Form the data link layer address as the 24-bit vendor identifier, followed by the security level Sec expressed in 3 bits, followed by Hash1 (24 + 3 + 21 = 48 bits).
407: Run duplicate address detection on the newly generated address. If it collides with an existing address, increment the collision count by 1 and return to step 405; after 3 consecutive collisions, abort the process and report an error.
408: A valid address has been obtained. Assemble the data link layer address parameters, from left to right, as the modifier, the 24-bit vendor identifier, the 4 zero bits, the collision count, the public key and the extension parameters, that is, the same sequence hashed in step 405 (the vendor identifier must be part of the parameters, since step 506 below zeroes it before recomputing Hash2).
The method of verifying the correspondence between the sender and its data link layer address is described next:
Referring to Fig. 5, a flowchart of Example 2 of verifying a data link layer address, the steps are:
501: Check whether the collision count in the data link layer address parameters is at most 2, that is, one of 0, 1 or 2. If so, go to step 503; otherwise go to step 502.
502: Any value outside that range means verification fails; exit the verification process.
503: Apply SHA-384 to the data link layer address parameters and take the leftmost 21 bits of the digest as Hash1.
504: Compare the rightmost 21 bits of the data link layer address with Hash1. If they differ, go to step 502; if they are equal, go to step 505.
505: Take bits 25 to 27 of the data link layer address, counting from the left (3 bits in total), as the security level Sec. 506: Replace the vendor identifier, the padding bits and the collision count in the data link layer address parameters with all zeros, then apply SHA-384 to the modified parameters to obtain Hash2.
507: Check whether the leftmost (8 * Sec) bits of Hash2 are all zero. If not, go to step 502 and exit the verification process; if so, go to step 508.
508: Verification passes.
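The following Python program is an added worked example, not code from the patent, that implements the generation steps 201 to 208 and 401 to 408 and the verification steps 301 to 308 and 501 to 508 above for both layouts: Example 1 (3-bit Sec followed by a 45-bit Hash1 from SHA-256, 256-bit modifier) and Example 2 (24-bit vendor identifier, 3-bit Sec and a 21-bit Hash1 from SHA-384, 128-bit modifier). All function and class names are the example's own. The public key is an opaque constructed byte string standing in for the sender's encoded public key, the vendor identifier 00:1b:21 is a constructed value, and a set of addresses already on the link stands in for duplicate address detection. Signing of the message (claims 13 and 14) is not shown; the address check by itself only ties the address to the public key carried in the parameters.

```python
# Added worked example (not the patent's code): address generation and verification
# for Example 1 (SHA-256, Sec || Hash1) and Example 2 (SHA-384, OUI || Sec || Hash1).
import hashlib
import os
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple

SEC_BITS = 3           # security level Sec is carried in 3 bits (0..7)
MAX_COLLISIONS = 3     # steps 207/407: abort after three consecutive duplicates


@dataclass(frozen=True)
class Layout:
    hash_name: str        # "sha256" (Example 1) or "sha384" (Example 2)
    modifier_bytes: int   # 32 (256-bit modifier) or 16 (128-bit modifier)
    hash2_bits: int       # leftmost digest bits kept as Hash2: 112 or 64
    hash1_bits: int       # leftmost digest bits kept as Hash1: 45 or 21
    sec_step: int         # Hash2 must begin with sec_step * Sec zero bits: 16 or 8
    oui: Optional[bytes]  # 24-bit vendor identifier prefix (Example 2) or None


EXAMPLE1 = Layout("sha256", 32, 112, 45, 16, None)
EXAMPLE2 = Layout("sha384", 16, 64, 21, 8, bytes.fromhex("001b21"))  # OUI: constructed value


def _hash(layout: Layout, data: bytes, nbits: int) -> int:
    """Leftmost nbits of the digest as an integer."""
    digest = hashlib.new(layout.hash_name, data).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - nbits)


def _zeroed_len(layout: Layout) -> int:
    """Bytes between modifier and public key that are zeroed for Hash2 (steps 202/306,
    402/506): padding + count (1 byte) in Example 1; OUI + padding + count (4 bytes) in Example 2."""
    return 1 if layout.oui is None else 4


def _hash2_ok(layout: Layout, modifier: bytes, rest: bytes, sec: int) -> bool:
    """Steps 203/307, 403/507: the leftmost sec_step * Sec bits of Hash2 are zero."""
    hash2 = _hash(layout, modifier + bytes(_zeroed_len(layout)) + rest, layout.hash2_bits)
    return hash2 >> (layout.hash2_bits - layout.sec_step * sec) == 0


def build_params(layout: Layout, modifier: bytes, count: int, pubkey: bytes, ext: bytes) -> bytes:
    """Address parameters, left to right (steps 208/408, with the OUI hashed in step 405)."""
    if layout.oui is None:
        middle = bytes([0xF0 | count])        # 4 one-bits of padding, 4-bit collision count
    else:
        middle = layout.oui + bytes([count])  # OUI, 4 zero-bits of padding, 4-bit collision count
    return modifier + middle + pubkey + ext


def address_from_params(layout: Layout, params: bytes, sec: int) -> int:
    """Steps 205-206 / 405-406: the 48-bit address [OUI ||] Sec || Hash1."""
    addr = (sec << layout.hash1_bits) | _hash(layout, params, layout.hash1_bits)
    if layout.oui is not None:
        addr |= int.from_bytes(layout.oui, "big") << (SEC_BITS + layout.hash1_bits)
    return addr


def generate(layout: Layout, pubkey: bytes, ext: bytes, sec: int,
             in_use: FrozenSet[int] = frozenset(),
             rng: Callable[[int], bytes] = os.urandom) -> Tuple[int, bytes]:
    """Steps 201-208 / 401-408; in_use stands in for duplicate address detection."""
    modifier = int.from_bytes(rng(layout.modifier_bytes), "big")
    while True:                                       # hash-extension loop, steps 202-203 / 402-403
        mod = modifier.to_bytes(layout.modifier_bytes, "big")
        if _hash2_ok(layout, mod, pubkey + ext, sec):
            break
        modifier = (modifier + 1) % (1 << (8 * layout.modifier_bytes))
    for count in range(MAX_COLLISIONS):               # steps 204-207 / 404-407
        params = build_params(layout, mod, count, pubkey, ext)
        addr = address_from_params(layout, params, sec)
        if addr not in in_use:
            return addr, params
    raise RuntimeError("three consecutive address collisions")


def verify(layout: Layout, addr: int, params: bytes) -> bool:
    """Steps 301-308 / 501-508 on a received address and its parameters."""
    m, skip = layout.modifier_bytes, _zeroed_len(layout)
    if params[m + skip - 1] & 0x0F > 2:                               # 301 / 501
        return False
    if addr & ((1 << layout.hash1_bits) - 1) != _hash(layout, params, layout.hash1_bits):
        return False                                                  # 303-304 / 503-504
    if layout.oui is not None and int.from_bytes(params[m:m + 3], "big") != addr >> (SEC_BITS + layout.hash1_bits):
        return False  # not a listed step: the hashed OUI must equal the address prefix
    sec = (addr >> layout.hash1_bits) & 0x7                           # 305 / 505
    return _hash2_ok(layout, params[:m], params[m + skip:], sec)      # 306-308 / 506-508


if __name__ == "__main__":
    pubkey = b"constructed-public-key-bytes"     # stands in for an encoded public key
    for layout, sec in ((EXAMPLE1, 1), (EXAMPLE2, 1)):
        addr, params = generate(layout, pubkey, b"", sec)
        print(f"{layout.hash_name}: {addr:012x} verify={verify(layout, addr, params)}")
```

Raising Sec by one multiplies the generator's expected work by 2^16 (Example 1) or 2^8 (Example 2) while the verifier still computes only two hashes; that asymmetry is the point of the Sec field. An attacker who wants to bind a different key to an existing address must find parameters whose Hash1 matches the address and whose Hash2 also satisfies the Sec zero-bit condition, so the 21-bit Hash1 of Example 2 leans much more heavily on the Sec work factor and on the signature check than the 45-bit Hash1 of Example 1.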
The method provided by the embodiments of the present invention has been described above; the system provided by the embodiments is described next.
Referring to Fig. 6, a schematic diagram of the system provided by an embodiment of the present invention, the system includes a sending device 601 and a receiving device 602.
The sending device 601 includes:
a sending unit 603, configured to send a message that uses the sender's data link layer address, with security information embedded in it, as its source address. The security information includes: the sender's public/private key pair; or a symmetric key agreed in advance.
The receiving device 602 includes:
a receiving unit 611, configured to receive the message, whose source address is the sender's data link layer address with security information embedded in it;
an acquiring unit 604, configured to obtain the sender's data link layer address from the message received by the receiving unit 611;
a calculating unit 605, configured to apply the first preset rule to the parameters of the sender's data link layer address to obtain an operation result, where the parameters corresponding to the data link layer address are the collection of the actual parameter values used in generating the address; and
an address verification unit 606, configured to compare the operation result with the sender's data link layer address and, when they correspond, verify that the data link layer address belongs to the sender.
The sending device 601 further includes:
a signing unit 607, configured to sign the message;
and the receiving device 602 further includes:
a signature verification unit 608, configured to verify the signature data of the message.
The sending device 601 further includes:
a presetting unit 609, configured to preset the security information from which the data link layer address is generated; and
a generating unit 610, configured to apply the second preset rule to the security information to generate the data link layer address and the parameters corresponding to it. The first preset rule and/or the second preset rule is: applying a hash algorithm to the sender's preset security information. The sending device 601 further includes an information adding unit 612, configured to add the parameters corresponding to the data link layer address to the message;
the acquiring unit 604 is further configured to extract the parameters corresponding to the data link layer address from the message, and the calculating unit 605 is further configured to apply the first preset rule to those parameters.
Referring to Fig. 7, a schematic diagram of the sending device provided by an embodiment of the present invention, the device includes:
a sending unit 603, configured to send a message that uses the sender's data link layer address, with security information embedded in it, as its source address. The security information includes: the sender's public/private key pair; or a symmetric key agreed in advance.
The sending device further includes:
a signing unit 607, configured to sign the message;
a presetting unit 609, configured to preset the security information from which the data link layer address is generated; and
a generating unit 610, configured to apply the second preset rule to the security information to generate the data link layer address and the parameters corresponding to it. The first preset rule and/or the second preset rule is: applying a hash algorithm to the sender's preset security information. The sending device 601 further includes an information adding unit 612, configured to add the parameters corresponding to the data link layer address to the message.
Referring to Fig. 8, a schematic diagram of the receiving device provided by an embodiment of the present invention, the device includes:
a receiving unit 611, configured to receive the message;
an acquiring unit 604, configured to obtain the sender's data link layer address from the message received by the receiving unit 611;
a calculating unit 605, configured to apply the first preset rule to the parameters of the sender's data link layer address to obtain an operation result, where the parameters corresponding to the data link layer address are the collection of all actual parameter values used in generating the address; and
an address verification unit 606, configured to compare the operation result with the sender's data link layer address and, when they correspond, verify that the data link layer address belongs to the sender.
The receiving device further includes:
a signature verification unit 608, configured to verify the signature data of the message.
The acquiring unit 604 is further configured to extract the parameters corresponding to the data link layer address from the message;
the calculating unit 605 is further configured to apply the first preset rule to those parameters. As the above embodiments show, because a received data message uses as its source address the sender's data link layer address with embedded security information, that address can be extracted from the message and an operation can be run over the parameters corresponding to it; when the operation result corresponds to the data link layer address, the address is regarded as belonging to the sender. It can therefore be established whether the data link layer address from which a data message was sent belongs to the sender, which improves the security of data transmission at the data link layer.
Those skilled in the art will understand that all or part of the units or steps in the above embodiments may be implemented by a program instructing the relevant hardware, the program being stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc. Alternatively, they may be fabricated as separate integrated circuit modules, or several of the units or steps may be fabricated as a single integrated circuit module. The present invention is thus not limited to any particular combination of hardware and software.
The method, system and devices for verifying the relationship between a data link layer address and its sender provided by the present invention have been described in detail above. Those of ordinary skill in the art, following the ideas of the embodiments, will find changes in the specific implementation and scope of application; the content of this specification should therefore not be understood as limiting the present invention.

Claims

1. A receiving device for verifying the relationship between a data link layer address and its sender, comprising:
a receiving unit, configured to receive a message whose source address is the sender's data link layer address, the data link layer address having security information embedded in it; a calculating unit, configured to apply a first preset rule to the parameters of the sender's data link layer address to obtain an operation result; and
an address verification unit, configured to compare the operation result with the sender's data link layer address and, when they correspond, verify that the data link layer address belongs to the sender.
2. The receiving device according to claim 1, further comprising: a signature verification unit, configured to verify the signature data of the message.
3. The receiving device according to claim 1, wherein the acquiring unit is further configured to extract the parameters corresponding to the data link layer address from the message.
4. A method for verifying the relationship between a data link layer address and its sender, comprising:
receiving a message whose source address is the sender's data link layer address, the data link layer address having security information embedded in it;
extracting the data link layer address from the message;
applying a first preset rule to the parameters corresponding to the data link layer address to obtain an operation result, where the parameters corresponding to the data link layer address are the collection of the actual parameter values used in generating that address; and
when the operation result corresponds to the data link layer address, determining that the data link layer address belongs to the sender.
5. The method according to claim 4, wherein the message further carries the parameters corresponding to the data link layer address;
and before the first preset rule is applied to the parameters corresponding to the data link layer address, the method further comprises: extracting those parameters from the message, the first preset rule then being applied to the extracted parameters.
6. The method according to claim 4 or 5, wherein the message is signed by the sender;
and after the message is received, the signature data of the message is verified.
7. The method according to claim 6, wherein generating the data link layer address comprises:
the sender presetting security information for generating the data link layer address; and
the sender applying a second preset rule to the security information to generate the data link layer address and the parameters corresponding to the data link layer address.
8. The method according to claim 7, wherein the first preset rule and the second preset rule are the same.
9. The method according to claim 7, wherein the security information comprises the sender's public key and private key pair; or
the security information comprises a symmetric key shared by the sender and the receiver.
10. The method according to claim 4 or 5, wherein the data link layer address is generated by:
the sender presetting security information for generating the data link layer address; and
the sender applying a second preset rule to the security information to generate the data link layer address and the parameters corresponding to the data link layer address.
11. The method according to claim 10, wherein the first preset rule and the second preset rule are the same.
12. The method according to claim 10, wherein the security information comprises the sender's public key and private key pair; or
the security information comprises a symmetric key shared by the sender and the receiver.
13. The method according to claim 6, wherein the message being signed by the sender specifically comprises: the message being signed with the sender's private key; and verifying the signature data of the message specifically comprises: verifying the message with the sender's public key.
14. The method according to claim 6, wherein the message being signed by the sender specifically comprises: the message being signed with the sender's symmetric key; and verifying the signature data of the message specifically comprises: verifying the message with the sender's symmetric key.
15. A network system, comprising a transmitting device and a receiving device, wherein the transmitting device comprises:
a sending unit, configured to send a message whose source address is the sender's data link layer address, the data link layer address having security information embedded in it;
and the receiving device comprises:
a receiving unit, configured to receive the message; a calculating unit, configured to perform an operation under a first preset rule on the parameters corresponding to the sender's data link layer address, obtaining an operation result; and
an address verification unit, configured to verify whether the data link layer address belongs to the sender: if the comparison determines that the operation result corresponds to the sender's data link layer address, the data link layer address belongs to the sender.
16. The system according to claim 15, wherein the transmitting device further comprises:
a signing unit, configured to sign the message;
and the receiving device further comprises:
a signature verification unit, configured to verify the signature data of the message.
17. The system according to claim 15 or 16, wherein the transmitting device further comprises:
a preset unit, configured to preset security information for generating the data link layer address; and
a generating unit, configured to perform an operation on the security information under a second preset rule, generating the data link layer address and the parameters corresponding to the data link layer address.
18. The system according to claim 15, wherein the transmitting device further comprises:
an information adding unit, configured to add the parameters corresponding to the data link layer address to the message; and the receiving device [text missing on this page]
... corresponding parameters, and sends them to the calculating unit.
19. A transmitting device for verifying a sender address, comprising: a sending unit, configured to send a message whose source address is the sender's data link layer address, the data link layer address having security information embedded in it.
20. The transmitting device according to claim 19, further comprising: a signing unit, configured to sign the message.
21. The transmitting device according to claim 19, further comprising: an information adding unit, configured to add the parameters corresponding to the data link layer address to the message, the parameters corresponding to the data link layer address being the collection of actual parameter values the sender used while generating the data link layer address.
22. The device according to claim 20 or 21, further comprising: a preset unit, configured to preset security information for generating the data link layer address; and
a generating unit, configured to perform an operation on the security information under a second preset rule, generating the data link layer address and the parameters corresponding to the data link layer address.
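Worked example of the scheme the method claims (7 to 14) and the apparatus claims (15 to 22) describe, written for this page; it is not code from the patent or from Huawei. Everything the claims leave open is an assumption here and marked as such in the code: the "preset rule" is SHA-256 over a random modifier and the security information, truncated to 48 bits with the locally-administered bit set and the group bit cleared; the address parameters carried in the message are the modifier plus the security information; the per-message signature is the symmetric-key variant of claim 14, implemented as HMAC-SHA256. The asymmetric variant of claim 13 would replace that tag with a signature over the same bytes under the sender's private key, with the public key as the hashed security information. The sample keys and frames are constructed inline.

```python
import hashlib
import hmac
import secrets

# Assumed parameters of this example (not fixed by the patent): the preset
# rule is SHA-256, the per-address modifier is 16 random bytes, and the
# per-message signature of claim 14 is an HMAC-SHA256 tag under a symmetric key.
MODIFIER_LEN = 16
TAG_LEN = 32
ADDR_LEN = 6


def derive_address(security_info: bytes, modifier: bytes) -> bytes:
    """The preset rule: hash modifier || security_info and keep 48 bits.
    Bit 1 of the first octet is set (locally administered) and bit 0 is
    cleared (unicast), so the output is a well-formed EUI-48 source address."""
    digest = hashlib.sha256(modifier + security_info).digest()
    first = (digest[0] | 0x02) & 0xFE
    return bytes([first]) + digest[1:ADDR_LEN]


def generate_address(security_info: bytes, modifier=None):
    """Sender side (claims 7, 10, 17, 22): apply the second preset rule to the
    preset security information and return the address together with the
    address parameters, i.e. every value the rule consumed."""
    if modifier is None:
        modifier = secrets.token_bytes(MODIFIER_LEN)
    address = derive_address(security_info, modifier)
    return address, {"security_info": security_info, "modifier": modifier}


def verify_address(address: bytes, params: dict) -> bool:
    """Receiver side (claim 15): re-run the first preset rule, which claims 8
    and 11 make identical to the second, and compare with the source address."""
    recomputed = derive_address(params["security_info"], params["modifier"])
    return hmac.compare_digest(recomputed, address)


def build_frame(address: bytes, params: dict, payload: bytes, sym_key: bytes) -> bytes:
    """Sender side (claims 16, 18, 20, 21): emit
    address || modifier || len(security_info) || security_info || payload || tag.
    The tag covers everything before it, including the source address."""
    info = params["security_info"]
    body = address + params["modifier"] + bytes([len(info)]) + info + payload
    tag = hmac.new(sym_key, body, hashlib.sha256).digest()
    return body + tag


def parse_frame(frame: bytes):
    """Receiver side (claim 18): pull the address parameters back out of the frame."""
    address = frame[:ADDR_LEN]
    modifier = frame[ADDR_LEN:ADDR_LEN + MODIFIER_LEN]
    n = frame[ADDR_LEN + MODIFIER_LEN]
    start = ADDR_LEN + MODIFIER_LEN + 1
    security_info = frame[start:start + n]
    payload = frame[start + n:-TAG_LEN]
    params = {"security_info": security_info, "modifier": modifier}
    return address, params, payload, frame[:-TAG_LEN], frame[-TAG_LEN:]


def verify_frame(frame: bytes, sym_key: bytes):
    """Receiver side (claims 14, 15, 16): returns (address_ok, signature_ok).
    Both must hold: address_ok binds the address to the carried parameters,
    signature_ok binds the frame to a holder of the key."""
    address, params, _payload, body, tag = parse_frame(frame)
    address_ok = verify_address(address, params)
    expected = hmac.new(sym_key, body, hashlib.sha256).digest()
    signature_ok = hmac.compare_digest(expected, tag)
    return address_ok, signature_ok


def scenarios():
    """Constructed sample run: an honest sender and two spoofing attempts."""
    # Constructed stand-ins: 32 opaque bytes play the sender's public key and
    # 32 bytes the symmetric key shared with the receiver.
    sender_info = bytes(range(32))
    shared_key = b"\x5a" * 32
    address, params = generate_address(sender_info, bytes(MODIFIER_LEN))
    honest = build_frame(address, params, b"ARP reply", shared_key)

    # Attacker 1 reuses the victim's address with its own parameters and no key.
    _, att_params = generate_address(b"attacker-public-key-bytes-000000", bytes(MODIFIER_LEN))
    spoofed = build_frame(address, att_params, b"ARP reply", b"guess")

    # Attacker 2 copies the victim's parameters from an observed frame: the
    # address check passes, the key-bound signature check does not.
    copied = build_frame(address, params, b"ARP reply", b"guess")

    return {
        "honest": verify_frame(honest, shared_key),
        "spoofed_params": verify_frame(spoofed, shared_key),
        "copied_params": verify_frame(copied, shared_key),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: address_ok={result[0]}, signature_ok={result[1]}")
```

The second attacker scenario is the caveat a practitioner should keep in mind: the address check on its own only proves that the address was derived from the parameters in the frame, which anyone who has seen one frame can copy. Ownership, in the sense of the claims, follows only when the signature check under the sender's key also passes, and neither check addresses replay of a complete, unmodified frame.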
PCT/CN2008/072562 2007-09-30 2008-09-27 Method, system, and device for verifying the relation of dada link layer address and its transmitting party WO2009043304A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710149993.9A CN101399814B (en) 2007-09-30 2007-09-30 Method, system and device for verifying relation between data link layer address and sending side
CN200710149993.9 2007-09-30

Publications (1)

Publication Number Publication Date
WO2009043304A1 true WO2009043304A1 (en) 2009-04-09

Family

ID=40518069

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072562 WO2009043304A1 (en) 2007-09-30 2008-09-27 Method, system, and device for verifying the relation of dada link layer address and its transmitting party

Country Status (2)

Country Link
CN (1) CN101399814B (en)
WO (1) WO2009043304A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618678A (en) * 2013-11-18 2014-03-05 北京星网锐捷网络技术有限公司 Method, device and system for self-adaptation multiple-link aggregation
CN114025001A (en) * 2021-10-25 2022-02-08 安庆师范大学 Agent card information transmission control system based on cloud service

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103840984B (en) * 2014-02-28 2018-02-09 新华三技术有限公司 Detect the method and apparatus without webmaster type Ethernet switch configuration file conflict
EP3319272B1 (en) 2015-07-22 2019-09-04 Huawei Technologies Co., Ltd. Communication method, device and system based on data link layer
CN105939402A (en) * 2016-03-03 2016-09-14 杭州迪普科技有限公司 MAC table entry obtaining method and device
CN115292624B (en) * 2022-10-08 2023-08-04 成都同步新创科技股份有限公司 General message processing method and device based on HTTP protocol

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030179753A1 (en) * 2000-07-07 2003-09-25 Jean-Pierre Mercuriali Method of setting up communications in a packet switching system
US20050076108A1 (en) * 2003-10-01 2005-04-07 Santera Systems, Inc. Methods and systems for per-session network address translation (NAT) learning and firewall filtering in media gateway
CN1819593A (en) * 2004-11-01 2006-08-16 联想(新加坡)私人有限公司 Information processor and data transmission system and method

Also Published As

Publication number Publication date
CN101399814B (en) 2012-08-08
CN101399814A (en) 2009-04-01

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08836191; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08836191; Country of ref document: EP; Kind code of ref document: A1)