WO2010072096A1 - Method and broadband access device for improving the security of neighbor discovery in ipv6 environment - Google Patents
- Authority
- WO
- WIPO (PCT)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/128—Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W80/00—Wireless network protocols or protocol adaptations to wireless operation
- H04W80/04—Network layer protocols, e.g. mobile IP [Internet Protocol]
Definitions
- the present invention relates to an IP Version 6 (IPv6) network, and more particularly to a Neighbor Discovery (ND) process in an IPv6 network and a broadband access device therefor.
- IPv6 IP Version 6
- ND Neighbor Discovery
- IPv6 Neighbor Discovery is a set of messages and procedures that determine the relationships between neighboring nodes. ND replaces the Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), Router Discovery and ICMP Redirect used in IP Version 4 (IPv4), and offers other features. ND is described in RFC 2461 "Neighbor Discovery for IP Version 6 (IPv6)".
- Interface ID: when the network interface of a user node is enabled, a 64-bit Interface Identifier (interface ID) is first generated from the 48-bit Media Access Control (MAC) address of the interface (if identity privacy during network communication is a concern, the interface ID is instead generated randomly according to RFC 3041). This interface ID is appended to the link-local address prefix FE80::/64 and the interface obtains a temporary link-local address, which is the interface's temporary IP address. Before binding this temporary IP address to the interface, Duplicate Address Detection (DAD) must be performed on it to prevent IP address conflicts with other nodes, and the user node sends a multicast neighbor node request message to the solicited-node multicast address of that IP address.
- DAD Duplicate Address Detection
- the user node also sends a multicast listener report to the multicast address.
- if the user node receives a neighbor node advertisement message from this temporary IP address, another node on the link is already using the IP address, and the user node can only generate another random interface ID or have the administrator configure one manually.
- a malicious attacking node on the link can listen to the DAD messages of the link, extract the address under detection (the temporary IP address) from each DAD message, and use it to forge a neighbor node advertisement (NA) packet as a reply.
- NA neighbor node announcement message
- the attacked node receives the forged packet and considers the address already in use, so it can only generate a new temporary IP address, perform DAD on it and send the DAD message again; the attacking node keeps replying to the DAD packets, so the attacked node can never obtain an IP address that passes detection as not duplicated, which cuts off the attacked node's contact with the outside world.
- the malicious attack node thus achieved a Denial of Service (DoS) attack by exploiting the vulnerability in duplicate address detection.
- DoS Denial of Service
- since an attacking node on the link can directly receive all DAD messages on the entire link without using any spoofing means (even in a switched network environment, where the switch binds ports according to the source MAC address of packets, DAD messages whose destination MAC address is the Ethernet multicast address 33:33:FF:XX:XX:XX are forwarded to every port of the network device), an attacker that replies to the DAD messages on the whole link paralyzes communication on the entire link. In experiments, the duplicate address detection DoS attack effectively blocked the communication of the attacked node.
- the adjacency list on the router has the IP address and Media Access Control (MAC) address information of all user nodes served by the router.
- MAC Media Access Control
- in order to keep the table usable, the router periodically sends host request messages to the user nodes to resolve their MAC addresses.
- there is currently no corresponding security mechanism to ensure that the IPv6 address information of a user node does not spread onto the lines of other user nodes, so the security of user data streams is hard to guarantee.
- the technical problem to be solved by the present invention is to provide a method for improving security that can effectively prevent duplicate address detection DoS attacks in an IPv6 network, block the DoS attack on the communication of the attacked node, avoid paralysis of communication on the entire link, and improve the security of neighbor discovery in an IPv6 environment.
- the present invention provides a method for improving security, including: when a user node performs duplicate address detection on a temporary IP address, it sends a neighbor node request message to the broadband access device it belongs to, where the neighbor node request message carries the temporary IP address and MAC address of the user node;
- after receiving the neighbor node request message, the broadband access device returns a neighbor node advertisement message to the user node only when it determines that the adjacency list of the broadband access device already contains a record with the temporary IP address but the MAC address in that record differs from the MAC address in the neighbor node request message;
- the above method may also have the following features:
- when the broadband access device determines that the adjacency list already contains a record with the temporary IP address and the MAC address in that record is the same as the MAC address in the neighbor node request message, it discards the neighbor node request message and does not respond to the user node.
- the above method may also have the following features:
- when the broadband access device determines that the records of the adjacency list do not contain the temporary IP address, it saves the temporary IP address and MAC address from the neighbor node request message into a record of the adjacency list.
- the above method may also have the following features:
- any record of the adjacency list includes an IP address, a MAC address and line information; when the broadband access device determines that the records of the adjacency list do not contain the temporary IP address, it saves the line information of the user node that sent the neighbor node request message together with the temporary IP address and MAC address from the message into the same record of the adjacency list.
- the invention also provides a broadband access device for improving security, comprising a storage module, a parsing module, a judging module and a response module, wherein:
- the storage module is configured to save an adjacency list, where the adjacency list includes an IP address field and a MAC address field of the user node;
- the parsing module is configured to parse the temporary IP address and MAC address out of a received neighbor node request message and pass them to the judging module;
- the judging module is configured to instruct the response module to respond when it determines that the records of the adjacency list contain the temporary IP address and the MAC address in that record is the same as the user MAC address in the neighbor node request message, and not to instruct the response module to respond in other cases; the response module is configured to, after receiving the instruction to respond from the judging module, reply with a neighbor node advertisement message to the user node that sent the neighbor node request message;
- the above broadband access device may also have the following features:
- the adjacency list saved by the storage module further includes a line information field; when the records of the adjacency list do not contain the temporary IP address, the judging module stores the line information of the user node that sent the neighbor node request message in the line information field of the newly added record.
- the neighbor node request message sent by the user node is not forwarded to other user lines; only the broadband access device controls it and replies uniformly, so other users cannot attack through ND requests, which blocks the DoS attack on the communication of the attacked node and avoids paralysis of communication on the entire link.
- Another technical problem to be solved by the present invention is to provide a method for ensuring neighbor discovery security in an IPv6 environment, which can ensure that user IPv6 address information does not spread to other subscriber lines.
- the present invention also provides a method for improving security, including: the broadband access device maintains an adjacency list that records the IP address, MAC address and line information of each user node it serves;
- after receiving a neighbor discovery request message sent from the network side, the broadband access device searches the adjacency list for a record with the IP address of the user node carried in the neighbor discovery request message; if such a record exists, it forwards the neighbor discovery request message to the corresponding user node according to the line information in the record, otherwise it discards the message; this improves the security of neighbor discovery in an IPv6 environment.
- the neighbor discovery request message sent by the network side received by the broadband access device may be a host request message sent by the router.
- the invention also provides a broadband access device for implementing the above method, comprising a storage module, a parsing module, a judging module and a forwarding module, wherein:
- the storage module is configured to save an adjacency list, where the adjacency list includes an IP address field, a MAC address field, and a line information field of the user node;
- the parsing module is configured to parse an IP address in a neighbor discovery request message sent by the network side, and send the IP address to the determining module;
- the judging module is configured to instruct the forwarding module to forward the neighbor discovery request message when it determines that the adjacency list contains the IP address sent by the parsing module;
- the forwarding module is configured to, after receiving the instruction from the judging module, forward the neighbor discovery request message to the corresponding user node according to the line information in the adjacency list record that contains the IP address.
- the ND mechanism capable of providing IPv6 network security ensures that the user's IPv6 address information does not spread to other users' lines while the normal service data of the user node is preserved, thereby ensuring the security of the user data stream.
- Figure 1 is a networking diagram of a broadband access network.
- Figure 2 is a schematic diagram of the signaling flow of the method according to the first embodiment of the present invention.
- Figure 3 is a flow chart of the method of the second embodiment of the present invention.
- This embodiment provides a technical solution for effectively preventing duplicate address detection DoS attacks.
- a malicious attack node in a link can perform a DoS attack by means of a duplicate address detection vulnerability.
- the user's IPv6 address information spreads to other nodes on the link, so a malicious attacking node can listen to all DAD messages of the link.
- the neighbor node request message sent by the user node of the present invention is not forwarded to other user lines, and only the broadband access device controls and uniformly replies, so other users cannot attack through the ND request.
- the networking diagram of the broadband access network is shown in Figure 1. It includes a router, a broadband access device, and multiple user nodes connected to the broadband access device, such as host 1 and host 2 in Figure 1.
- the broadband access device may be a Multi-Service Access Network (MSAN), a Digital Subscriber Line Access Multiplexer (DSLAM) or an Optical Line Terminal (OLT), capable of providing Layer 2 convergence and security capabilities.
- MSAN Multi-Service Access Network
- DSLAM Digital Subscriber Line Access Multiplexer
- OLT Optical Line Terminal
- the network side and the user side of the broadband access device are configured with different types of interfaces. In this system, different user nodes are isolated from each other and cannot be interconnected at the second layer (that is, the data link layer). The user nodes here may also be other types of nodes.
- the broadband access device needs to be improved to implement the function of preventing duplicate address detection DoS attacks.
- the broadband access device comprises a storage module, a parsing module, a judging module and a response module, wherein:
- the storage module is configured to store an adjacency list, where the adjacency list includes an IP address field and a MAC address field of the user node.
- the parsing module is configured to parse the temporary IP address and the MAC address in the received neighbor request message, and send the result to the judging module.
- the judging module is configured to instruct the response module to respond when it determines that the records of the adjacency list contain the temporary IP address and the MAC address in that record is the same as the user MAC address in the neighbor node request message, and not to instruct the response module to respond in other cases; when it determines that the records of the adjacency list do not contain the temporary IP address, it adds a record to the adjacency list and stores in the corresponding fields of that record the temporary IP address from the neighbor node request message (which in this case also becomes the IP address of the user node that sent the message), the MAC address, and the line information of the user node that sent the neighbor node request message.
- the response module is configured to, after receiving the instruction to respond from the judging module, send a neighbor node advertisement message to the user node that sent the neighbor node request message.
- the ND and DHCP snooping capability is enabled on the broadband access device to obtain the IP address, MAC address and line information of each user node; the three pieces of information of the same user node are bound together and recorded in the adjacency list.
- the structure of the adjacency table is as shown in Table 1 below, including fields such as IP address, MAC address, and line information.
- other methods, even manual static configuration, may be used to maintain the adjacency list.
- each user node checks through the DAD mechanism whether its IP address is duplicated, that is, whether the address already exists, before the temporary IP address can be used.
- the user node (represented by host A in the figure) sends a neighbor node request message to the broadband access device to perform DAD, the message carrying the temporary IP address and MAC address of the user node;
- the broadband access device parses the received neighbor node request message to obtain the temporary IP address and MAC address and looks them up in the adjacency list; if the adjacency list has no record with the temporary IP address, the temporary IP address, the MAC address and the line information of the user node (the port to which the user node is connected and its virtual local area network (VLAN) information) are added to the adjacency list for subsequent queries, and the broadband access device does not respond to the neighbor node request message;
- VLAN virtual local area network
- if the record exists but holds a different MAC address, the broadband access device acts on behalf of the user node that already uses the temporary IP address and replies with a neighbor node advertisement message to the user node that sent the neighbor node request message; after receiving the neighbor node advertisement message, that user node generates a new IP address and applies again;
- if the MAC address in the record is the same as the MAC address in the neighbor node request message, it was this user node itself that sent the neighbor node request message, and the broadband access device directly discards the received neighbor node request message and does not respond to it.
- This embodiment provides a technical solution for effectively preventing user IPv6 address information from spreading to other subscriber lines.
- the networking diagram of the broadband access network is the same as that of the first embodiment, as shown in FIG.
- the router periodically sends a host request packet (that is, initiates an ND request) to the user node recorded in the adjacency list, and the packet carries the IP address of the user node.
- a host request packet that is, initiates an ND request
- the host request packet is first sent to the broadband access device to which the user node belongs.
- in order not to spread the IP address of the user node to unrelated subscriber lines, the broadband access device must forward the host request message only to the corresponding subscriber line.
- after receiving the host request message, the user node sends a response to the router carrying its own MAC address, and the router refreshes its adjacency list according to the content of the user node's response to keep the adjacency list data usable.
- the adjacency list on the broadband access device can be maintained in the same way as in the first embodiment: for example, the ND and DHCP snooping capability can be enabled to obtain the IP address, MAC address and line information of the user node, for instance from the neighbor node request messages, or other methods, even manual static configuration, may be used to maintain the adjacency list. The description is not repeated here.
- the broadband access device includes a storage module, a parsing module, a judging module, and a forwarding module, where:
- the storage module is configured to save the adjacency list, where the adjacency list includes an IP address field, a MAC address field, and a line information field of the user node;
- the parsing module is configured to parse the IP address out of a neighbor discovery request message (such as the host request message of the router) sent from the network side and then pass it to the judging module;
- the judging module is configured to instruct the forwarding module to forward the neighbor discovery request message when it determines that the adjacency list contains the IP address sent by the parsing module;
- the forwarding module is configured to, after receiving the instruction from the judging module, forward the neighbor discovery request message to the corresponding user node according to the line information in the adjacency list record that contains the IP address.
- the process of the method in this embodiment is as shown in FIG. 3, and includes:
- Step 310: the router sends a host request message to a user node recorded in its adjacency list, the message carrying the IP address of the user node.
- Step 320: after receiving the host request message sent by the router, the broadband access device parses the IP address of the user node out of the message and searches its adjacency list by that IP address;
- Step 330: if a record with the IP address is found, go to step 340; otherwise the host request message is directly discarded without a response, and the procedure ends;
- Step 340: the broadband access device extracts the subscriber line information from the record and forwards the received host request message to that subscriber line. In this way the broadband access device does not forward the IPv6 address information of one user node to other user lines, which prevents the packet from being sniffed and leaking the IP address of the user node, thereby improving the security of the ND process.
- ND request messages sent by other network-side devices are processed by the broadband access device in the same manner. It should be noted that the method of the present invention may be changed or substituted according to the technical solutions of the present invention and their beneficial effects, and all such changes and substitutions fall within the scope of the claims of the present invention.
- the neighbor node request message sent by the user node is not forwarded to other user lines; only the broadband access device controls it and replies uniformly, so other users cannot attack through ND requests, which effectively blocks the DoS attack on the communication of the attacked node and avoids paralysis of communication on the entire link.
- the ND mechanism that can provide IPv6 network security ensures that the user's IPv6 address information does not spread to other users' lines on the basis of ensuring the normal service data of the user node, thereby ensuring the security of the user data stream.
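The decision rules of both embodiments (the three DAD cases of the first, and steps 310 to 340 of the second) as an added Python model of the access device's adjacency-list logic; this is example code written for this page, not the patent's implementation, and the port/VLAN line identifiers, MAC addresses and the link-local address used in the walk-through are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Line:
    """Subscriber line identity: the access port and VLAN of the user node."""
    port: int
    vlan: int


@dataclass
class Record:
    """One row of the adjacency list (Table 1): IP address, MAC address, line."""
    ip: str
    mac: str
    line: Line


def _norm_ip(ip: str) -> str:
    return ipaddress.IPv6Address(ip).compressed


def _norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


class AccessDevice:
    """Decision logic of the broadband access device; the storage, parsing,
    judging and response/forwarding modules are collapsed into one class."""

    def __init__(self) -> None:
        self.table: Dict[str, Record] = {}

    def learn(self, ip: str, mac: str, line: Line) -> None:
        """Populate the adjacency list, e.g. from ND/DHCP snooping or static config."""
        self.table[_norm_ip(ip)] = Record(_norm_ip(ip), _norm_mac(mac), line)

    def handle_user_dad_ns(self, target_ip: str, src_mac: str, line: Line) -> str:
        """First embodiment: a DAD neighbor node request message arriving from a
        subscriber line. Returns the action taken:
          'learn'    - no record for the address: store IP/MAC/line, no reply
          'drop'     - record exists with the same MAC: discard silently
          'reply_na' - record exists with another MAC: answer with an NA on
                       behalf of the node already holding the address
        The request is never flooded to the other subscriber lines."""
        ip, mac = _norm_ip(target_ip), _norm_mac(src_mac)
        rec = self.table.get(ip)
        if rec is None:
            self.table[ip] = Record(ip, mac, line)
            return "learn"
        if rec.mac == mac:
            return "drop"
        return "reply_na"

    def handle_network_ns(self, target_ip: str) -> Optional[Line]:
        """Second embodiment (steps 310-340): a host request message from the
        router side is forwarded only to the line recorded for that IP address;
        with no record it is dropped, signalled here by returning None."""
        rec = self.table.get(_norm_ip(target_ip))
        return rec.line if rec is not None else None


def run_scenario() -> List[Tuple[str, object]]:
    """Constructed walk-through: host A on line 1 and another node on line 2
    probe the same temporary link-local address, then the router resolves it."""
    dev = AccessDevice()
    line_a, line_b = Line(port=1, vlan=100), Line(port=2, vlan=100)
    addr = "fe80::21a:2bff:fe3c:4d5e"  # constructed temporary address of host A
    events: List[Tuple[str, object]] = []
    # 1. host A performs DAD: address unknown -> recorded with A's line, no NA
    events.append(("A probes", dev.handle_user_dad_ns(addr, "00:1a:2b:3c:4d:5e", line_a)))
    # 2. a node on another line probes the same address -> NA: address is taken
    events.append(("B probes", dev.handle_user_dad_ns(addr, "00:aa:bb:cc:dd:ee", line_b)))
    # 3. host A probes again (MAC in upper case) -> own record matches, discarded
    events.append(("A re-probes", dev.handle_user_dad_ns(addr, "00:1A:2B:3C:4D:5E", line_a)))
    # 4. router host request for A's address is forwarded to line 1 only
    events.append(("router NS known", dev.handle_network_ns(addr)))
    # 5. router host request for an address nobody registered is dropped
    events.append(("router NS unknown", dev.handle_network_ns("fe80::1")))
    return events


if __name__ == "__main__":
    for name, action in run_scenario():
        print(f"{name:18s} -> {action}")
```

Because a same-MAC re-probe is dropped rather than answered, the legitimate node hears no NA and, per DAD, keeps the address; only a probe from a different MAC draws the proxy NA.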
Abstract
A method and a broadband access device for improving the security of neighbor discovery in an IPv6 environment are provided. The neighbor node solicitation messages sent by the user nodes are controlled and replied to only by the broadband access device uniformly, without being forwarded to other user lines, and other users cannot launch an attack by neighbor discovery request, so that the Denial of Service attack on the communication of the attacked node is interdicted effectively and the paralysis of the whole link communication is avoided. The implementation of the invention can provide an IPv6 network with a secure neighbor discovery mechanism and, on the basis of ensuring the normal service data of the user node, ensure that IPv6 address information is not diffused to other user lines, so that the security of the user data stream is guaranteed.
Description
Method and broadband access device for improving the security of neighbor discovery in an IPv6 environment
Technical field
The present invention relates to IP Version 6 (IPv6) networks, and more particularly to the Neighbor Discovery (ND) process in an IPv6 network and the broadband access device used for it.
Background
IPv6 Neighbor Discovery (ND) is a set of messages and procedures that determine the relationships between neighboring nodes. ND replaces the Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), Router Discovery and ICMP Redirect used in IP Version 4 (IPv4), and provides other functions. ND is described in RFC 2461 "Neighbor Discovery for IP Version 6 (IPv6)".
When the network interface of a user node is enabled, a 64-bit Interface Identifier (interface ID) is first generated from the 48-bit Media Access Control (MAC) address of the interface (if identity privacy during network communication is a concern, the interface ID is instead generated randomly according to RFC 3041). This interface ID is appended to the link-local address prefix FE80::/64 and the interface obtains a temporary link-local address, that is, the interface's temporary IP address. Before binding this temporary IP address to the interface, Duplicate Address Detection (DAD) must be performed on it to prevent IP address conflicts with other nodes: the user node sends a multicast neighbor node request message (referred to below as the neighbor node request message or DAD message) to the solicited-node multicast address FF02::1:FFXX:XXXX of that IP address ("X" denotes any hexadecimal digit in the range 0-F); the destination MAC address of its data frame is the Ethernet multicast address 33:33:FF:XX:XX:XX corresponding to the solicited-node multicast address. The user node also sends a multicast listener report to that multicast address.
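As an added illustration that is not part of the patent text, the following Python derives the addresses the paragraph names (the EUI-64 interface ID, the FE80::/64 link-local address, the solicited-node group FF02::1:FFXX:XXXX and its Ethernet mapping 33:33:FF:XX:XX:XX) and goes one step further by using them as a defender-side consistency check on a captured DAD neighbor solicitation; the sample MAC address and all function names are constructed for the example.

```python
import ipaddress


def interface_id_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    insert FF:FE between the OUI and the device part, invert the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02  # universal/local bit
    return bytes(eui64)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Temporary link-local address: prefix FE80::/64 followed by the interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + interface_id_from_mac(mac))


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX, where XX:XXXX are the low 24 bits of the address."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def ethernet_multicast(mcast: str) -> str:
    """Ethernet MAC for an IPv6 multicast address: 33:33 + the low 32 bits,
    which for a solicited-node address yields 33:33:FF:XX:XX:XX."""
    packed = ipaddress.IPv6Address(mcast).packed
    return "33:33:" + ":".join(f"{b:02x}" for b in packed[-4:])


def dad_ns_is_consistent(target: str, src_ip: str, dst_ip: str, dst_mac: str) -> bool:
    """Sanity check a monitor or access device can apply to a DAD neighbor
    solicitation: the source must be unspecified (::), the destination must be
    the solicited-node group of the target, and the frame must carry the
    matching Ethernet multicast MAC. Anything else is not a valid DAD probe
    and can be logged or discarded."""
    if not ipaddress.IPv6Address(src_ip).is_unspecified:
        return False
    expected_group = solicited_node_multicast(target)
    if ipaddress.IPv6Address(dst_ip) != expected_group:
        return False
    return dst_mac.lower() == ethernet_multicast(str(expected_group))


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC
    tentative = link_local_from_mac(mac)
    group = solicited_node_multicast(str(tentative))
    print(tentative, group, ethernet_multicast(str(group)))
```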
If the user node receives a neighbor node advertisement message from this temporary IP address, some other node on the link is already using the IP address, and the user node can only generate another random interface ID or have the administrator configure one manually.
A malicious attacking node on the link can listen to the link's DAD messages, extract the address under detection from each DAD message, that is, the aforementioned temporary IP address, and forge a neighbor node advertisement (NA) packet from this address as a reply. After receiving the forged packet, the attacked node considers the address already in use, so it can only generate a new temporary IP address, perform DAD and send a DAD message again. The attacking node keeps replying to the DAD packets, so the attacked node is never able to obtain an IP address that passes detection as not duplicated, which cuts off the attacked node's contact with the outside world. In this way the malicious attacking node exploits the vulnerability in duplicate address detection to achieve a Denial of Service (DoS) attack.
Since an attacking node on the link can directly receive all DAD messages on the entire link without any spoofing means (even in a switched network environment, where the switch binds ports according to the source MAC address of packets, DAD messages whose destination MAC is the Ethernet multicast address 33:33:FF:XX:XX:XX are forwarded to every port of the network device), an attacker who replies to the DAD messages on the whole link paralyzes communication on the entire link. In experiments, the duplicate address detection DoS attack effectively blocked the communication of the attacked node.
At the same time, the adjacency list on the router holds the IP address and Media Access Control (MAC) address information of all user nodes the router serves. To keep this table usable, the router periodically sends host request messages to the user nodes to resolve their MAC addresses. There is currently no corresponding security mechanism to ensure that the IPv6 address information of a user node does not spread onto the lines of other user nodes, so the security of user data streams is hard to guarantee.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method for improving security that can effectively prevent duplicate address detection DoS attacks in an IPv6 network, block the DoS attack on the communication of the attacked node, avoid paralysis of communication on the whole link, and improve the security of neighbor discovery in an IPv6 environment.
To solve the above problem, the present invention provides a method for improving security, including: when a user node performs duplicate address detection on a temporary IP address, it sends a neighbor node request message to the broadband access device it belongs to, the neighbor node request message carrying the temporary IP address and MAC address of the user node; and
after receiving the neighbor node request message, the broadband access device returns a neighbor node advertisement message to the user node only when it determines that the adjacency list of the broadband access device already contains a record with the temporary IP address but the MAC address in that record differs from the MAC address in the neighbor node request message;
thereby improving the security of neighbor discovery in an IPv6 environment.
Further, the above method may also have the following features:
When the broadband access device determines that the adjacency list already contains a record with the temporary IP address and the MAC address in that record is the same as the MAC address in the neighbor node request message, it discards the neighbor node request message and does not respond to the user node.
Further, the above method may also have the following features:
When the broadband access device determines that the records of the adjacency list do not contain the temporary IP address, it saves the temporary IP address and MAC address from the neighbor node request message into a record of the adjacency list.
Further, the above method may also have the following features:
Every record of the adjacency list includes an IP address, a MAC address and line information; when the broadband access device determines that the records of the adjacency list do not contain the temporary IP address, it saves the line information of the user node that sent the neighbor node request message together with the temporary IP address and MAC address from the message into the same record of the adjacency list.
The present invention further provides a broadband access device for improving security, comprising a storage module, a parsing module, a determining module and a response module, wherein:
the storage module is configured to store an adjacency table, the adjacency table containing an IP address field and a MAC address field for user nodes;
the parsing module is configured to parse the temporary IP address and MAC address out of a received neighbor solicitation message and pass them to the determining module;
the determining module is configured to instruct the response module to respond when it determines that a record in the adjacency table contains the temporary IP address and the MAC address in that record is the same as the user MAC address in the neighbor solicitation message, and not to instruct the response module to respond in any other case; and
the response module is configured to, after receiving the instruction to respond from the determining module, reply with a neighbor advertisement message to the user node that sent the neighbor solicitation message;
thereby improving the security of neighbor discovery in an IPv6 environment.
Further, the above broadband access device may also have the following feature:
the determining module is further configured to, when it determines that no record in the adjacency table contains the temporary IP address, add a record to the adjacency table and store the temporary IP address and MAC address from the neighbor solicitation message in the IP address field and MAC address field of that record, respectively.
Further, the above broadband access device may also have the following feature:
the adjacency table stored by the storage module further contains a line information field, and the determining module, when it determines that no record in the adjacency table contains the temporary IP address, also stores the line information of the user node that sent the neighbor solicitation message in the line information field of the added record.
Based on the above method and broadband access device, a neighbor solicitation message sent by a user node is not forwarded to other subscriber lines; it is controlled and answered solely by the broadband access device, so other users cannot attack via ND requests. The communication of the DoS-attacking node is therefore effectively blocked and paralysis of communication on the entire link is avoided.
Another technical problem to be solved by the present invention is to provide a method for ensuring the security of neighbor discovery in an IPv6 environment, which can ensure that a user's IPv6 address information does not spread to other subscriber lines.
To solve the above problem, the present invention provides a method for improving security, including: a broadband access device maintains an adjacency table that records the IP address, MAC address and line information of the user nodes it serves; and
after receiving a neighbor discovery request message from the network side, the broadband access device looks up, by the IP address of the user node in that message, whether the adjacency table holds a record with that IP address; if so, it forwards the neighbor discovery request message to the corresponding user node according to the line information in that record, otherwise it discards the message;
thereby improving the security of neighbor discovery in an IPv6 environment.
Further, the neighbor discovery request message received by the broadband access device from the network side may be a host request message sent by a router.
The present invention further provides a broadband access device for implementing the above method, comprising a storage module, a parsing module, a determining module and a forwarding module, wherein:
the storage module is configured to store an adjacency table containing an IP address field, a MAC address field and a line information field for user nodes;
the parsing module is configured to parse the IP address out of a neighbor discovery request message from the network side and pass it to the determining module;
the determining module is configured to instruct the forwarding module to forward the neighbor discovery request message when it determines that a record in the adjacency table contains the IP address passed by the parsing module; and
the forwarding module is configured to, after receiving the forwarding instruction from the determining module, forward the neighbor discovery request message to the corresponding user node according to the line information in the adjacency table record holding that IP address.
Based on the above method and broadband access device, the IPv6 network can be given a secure ND mechanism: while the user nodes' normal service data is preserved, a user's IPv6 address information is guaranteed not to spread onto other users' lines, thereby keeping user data flows secure.
Brief description of the drawings
Figure 1 is a network diagram of a broadband access network;
Figure 2 is a schematic diagram of the signaling flow of the method of the first embodiment of the present invention;
Figure 3 is a flow chart of the method of the second embodiment of the present invention.
Preferred embodiments of the invention
Two embodiments are used below to describe, respectively, how to effectively prevent duplicate address detection DoS attacks and how to effectively prevent a user's IPv6 address information from spreading to other subscriber lines. The schemes of the two embodiments can of course also be used together.
First embodiment
This embodiment provides a technical scheme for effectively preventing duplicate address detection DoS attacks.
In the prior-art IPv6 ND process, a malicious node within a link can mount a DoS attack through the weakness in duplicate address detection because a user's IPv6 address information spreads to the other nodes on the link, so the malicious node can listen to all DAD messages on the link. In the present invention, a neighbor solicitation message sent by a user node is not forwarded to other subscriber lines; it is controlled and answered solely by the broadband access device, so other users cannot attack via ND requests.
The embodiment is further described in detail below with reference to the drawings:
The network diagram of the broadband access network is shown in Figure 1. It includes a router, a broadband access device and multiple user nodes connected to the broadband access device, such as host 1 and host 2 in Figure 1. The broadband access device may be a Multi-Service Access Network (MSAN), a Digital Subscriber Line Access Multiplexer (DSLAM) or an Optical Line Terminal (OLT), providing Layer 2 aggregation and security capabilities. The network side and the user side of the broadband access device are configured with different types of interfaces. In this system, different user nodes are isolated from one another and cannot communicate at Layer 2 (the data link layer); the user nodes here may also be other types of nodes.
To implement the method of this embodiment, the broadband access device must be enhanced so that it can prevent duplicate address detection DoS attacks. The broadband access device comprises a storage module, a parsing module, a determining module and a response module, wherein:
the storage module is configured to store an adjacency table containing an IP address field and a MAC address field for user nodes.
The parsing module is configured to parse the temporary IP address and MAC address out of a received neighbor solicitation message and pass them to the determining module.
The determining module is configured to instruct the response module to respond when it determines that a record in the adjacency table contains the temporary IP address and the MAC address in that record is the same as the user MAC address in the neighbor solicitation message, and not to instruct the response module to respond in any other case; when it determines that no record in the adjacency table contains the temporary IP address, it adds a record to the adjacency table and stores in the corresponding fields of that record the temporary IP address from the neighbor solicitation message (which in this case becomes the IP address of the user node that sent the message), the MAC address, and the line information of the user node that sent the neighbor solicitation message.
The response module is configured to, after receiving the instruction to respond from the determining module, reply with a neighbor advertisement message to the user node that sent the neighbor solicitation message.
In this embodiment, ND and DHCP snooping are enabled on the broadband access device to obtain the IP address, MAC address and line information of each user node; the three pieces of information for one user node are bound together and recorded in one record of the adjacency table. The structure of the adjacency table is shown in Table 1 below and contains fields such as the IP address, the MAC address and the line information. In other implementations, however, the adjacency table may also be maintained in other ways, even by manual static configuration.
Table 1: Adjacency table structure
IP address | MAC address | Line information |
---|---|---|
In an IPv6 environment, when a user node starts up or runs stateless address autoconfiguration and obtains a tentative link-local address, i.e. a temporary IP address, every user node uses the DAD mechanism to check whether the IP address is duplicated and verifies whether the temporary IP address already exists before it may use that address.
Referring to Figure 2, the user node (host A in the figure) sends an ND request to the broadband access device for DAD by sending a neighbor solicitation message that contains the user node's temporary IP address and MAC address;
the broadband access device parses the received neighbor solicitation message, obtains the temporary IP address and MAC address in it, and searches the adjacency table with that temporary IP address:
if no record whose IP address equals the temporary IP address is found in the adjacency table, the IP address is not in use on the network; the temporary IP address, the MAC address and the line information of the user node (the port and Virtual Local Area Network (VLAN) of that user node) are added to the adjacency table for later lookups, and the broadband access device does not respond to the neighbor solicitation message;
if a record whose IP address equals the temporary IP address is found, the MAC address in the record is compared with the MAC address in the neighbor solicitation message; if the two differ, the IP address is already in use by another user node, and the broadband access device impersonates the user node that already uses that temporary IP address and replies with a neighbor advertisement message to the user node that sent the neighbor solicitation message; on receiving this neighbor advertisement, that user node generates a new IP address and applies again;
if the IP address of a record in the adjacency table equals the temporary IP address and the MAC address in that record also equals the MAC address in the neighbor solicitation message, the user node has already sent a neighbor solicitation message before, and the broadband access device silently discards the newly received neighbor solicitation message without responding to it.
Second embodiment
This embodiment provides a technical scheme for effectively preventing a user's IPv6 address information from spreading to other subscriber lines.
The network diagram of the broadband access network is the same as in the first embodiment, as shown in Figure 1.
The router periodically sends host request messages (i.e. initiates ND requests) to the user nodes recorded in its adjacency table; the message carries the IP address of the user node.
The host request message first reaches the broadband access device to which the user node belongs. So as not to spread the user node's IP address onto unrelated subscriber lines, the broadband access device must forward the host request message onto the corresponding subscriber line only. On receiving the host request message, the user node sends a response to the router carrying its own MAC address, and the router refreshes its own adjacency table from the content of the user node's response so that the adjacency table data stays usable.
In this embodiment, the adjacency table on the broadband access device may be maintained in the same way as in the first embodiment: for example, the IP address, MAC address and line information of a user node can be obtained by enabling ND and DHCP snooping, such as from neighbor solicitation messages, or the table can be maintained in other ways, even by manual static configuration. This is not repeated here.
In this embodiment, the broadband access device comprises a storage module, a parsing module, a determining module and a forwarding module, wherein:
the storage module is configured to store the adjacency table, which contains an IP address field, a MAC address field and a line information field for user nodes;
the parsing module is configured to parse the IP address out of a neighbor discovery request message from the network side (such as a router's host request message) and pass it to the determining module;
the determining module is configured to instruct the forwarding module to forward the neighbor discovery request message when it determines that a record in the adjacency table contains the IP address passed by the parsing module;
the forwarding module is configured to, after receiving the forwarding instruction from the determining module, forward the neighbor discovery request message to the corresponding user node according to the line information in the adjacency table record holding that IP address.
The flow of the method of this embodiment is shown in Figure 3 and includes:
Step 310: the router sends a host request message to a user node recorded in its adjacency table; the message carries the IP address of the user node;
Step 320: after receiving the host request message from the router, the broadband access device parses the IP address of the user node out of the message and searches the adjacency table by that IP address;
Step 330: if a record with that IP address is found, go to step 340; otherwise, discard the host request message without responding, and end;
Step 340: the broadband access device extracts the subscriber line information from the record and forwards the received host request message onto that subscriber line.
In this way, the broadband access device does not forward a user node's IPv6 address information onto other subscriber lines, which prevents the packets from being captured and leaking that user node's IP address, and improves the security of the ND process.
ND request messages sent by other network-side devices are handled by the broadband access device in the same way.
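As an added illustration that is not code from the patent, the following Python models the broadband access device's decisions for both embodiments: the DAD handling of Figure 2 (bind and stay silent, answer with a neighbor advertisement on behalf of the existing owner when the MAC differs, silently drop when it matches) and the line-scoped forwarding of a router's host request from Figure 3. The dataclasses, method names, addresses and port/VLAN values are constructed assumptions.

```python
"""Model of the patent's ND handling at a broadband access device.

Added example, not the patent's own code. It implements both embodiments:
DAD proxying for user-side Neighbor Solicitations (first embodiment) and
line-scoped forwarding of network-side Neighbor Solicitations (second).
All names, addresses and line identifiers below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Action(Enum):
    RECORD_NO_REPLY = "bind IP/MAC/line, no reply"   # first DAD for this address
    SEND_NA = "reply with NA on behalf of owner"     # address held by another MAC
    DROP = "silently drop"                           # repeat DAD, or unknown target
    FORWARD = "forward NS to the owner's line only"


@dataclass(frozen=True)
class LineInfo:
    """Where the subscriber hangs off the device: port plus VLAN."""
    port: str
    vlan: int


@dataclass(frozen=True)
class Record:
    """One row of the adjacency table (Table 1): IP, MAC, line information."""
    ip: str
    mac: str
    line: LineInfo


@dataclass(frozen=True)
class NeighborSolicitation:
    """The two fields the device inspects in a DAD NS from a subscriber."""
    target_ip: str   # tentative (temporary) IPv6 address
    src_mac: str     # link-layer source of the frame


@dataclass(frozen=True)
class NeighborAdvertisement:
    target_ip: str
    target_mac: str  # MAC of the node that already owns the address
    dst_mac: str     # the requester, so only its own line sees the NA


def _norm_ip(ip: str) -> str:
    # Canonicalise so "FE80::0001" and "fe80::1" hit the same record.
    return str(ipaddress.IPv6Address(ip))


def _norm_mac(mac: str) -> str:
    return mac.lower()


class AccessDevice:
    def __init__(self) -> None:
        self.table: Dict[str, Record] = {}  # keyed by canonical IPv6 address

    def handle_user_ns(self, ns: NeighborSolicitation, line: LineInfo
                       ) -> Tuple[Action, Optional[NeighborAdvertisement]]:
        """First embodiment: an NS from a subscriber line is never flooded.

        The device answers it alone, using only its own binding table.
        """
        ip, mac = _norm_ip(ns.target_ip), _norm_mac(ns.src_mac)
        rec = self.table.get(ip)
        if rec is None:
            # Address unused: bind IP, MAC and line; stay silent so DAD succeeds.
            self.table[ip] = Record(ip, mac, line)
            return Action.RECORD_NO_REPLY, None
        if rec.mac != mac:
            # Address already held by another node: answer as if we were that node.
            return Action.SEND_NA, NeighborAdvertisement(ip, rec.mac, mac)
        # Same node repeating its own DAD: drop without replying.
        return Action.DROP, None

    def handle_network_ns(self, target_ip: str) -> Tuple[Action, Optional[LineInfo]]:
        """Second embodiment: NS (host request) arriving from the router side."""
        rec = self.table.get(_norm_ip(target_ip))
        if rec is None:
            return Action.DROP, None          # unknown target: never flood it
        return Action.FORWARD, rec.line       # only the owner's line sees it


def run_scenario() -> List[Action]:
    """Replay the signalling of Figures 2 and 3 with constructed hosts."""
    dev = AccessDevice()
    line_a, line_b = LineInfo("port1", 100), LineInfo("port2", 100)
    host_a = NeighborSolicitation("fe80::1", "AA:BB:CC:00:00:01")
    host_b = NeighborSolicitation("FE80::0001", "aa:bb:cc:00:00:02")  # same address
    return [
        dev.handle_user_ns(host_a, line_a)[0],   # bind, no reply
        dev.handle_user_ns(host_a, line_a)[0],   # repeat from same MAC: drop
        dev.handle_user_ns(host_b, line_b)[0],   # other MAC: NA on A's behalf
        dev.handle_network_ns("fe80::1")[0],     # router NS: forward to port1
        dev.handle_network_ns("fe80::ffff")[0],  # unknown target: drop
    ]


if __name__ == "__main__":
    for action in run_scenario():
        print(action.value)
```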
It should be noted that, for those of ordinary skill in the art, the method of the present invention may be changed or substituted according to the technical solutions of the present invention and their beneficial effects, and all such changes or substitutions fall within the protection scope of the claims of the present invention.
Industrial applicability
The method and broadband access device for improving neighbor discovery security in an IPv6 environment proposed by the present invention, on the one hand, ensure that a neighbor solicitation message sent by a user node is not forwarded to other subscriber lines but is controlled and answered solely by the broadband access device, so other users cannot attack via ND requests; the communication of the DoS-attacking node is thus effectively blocked and paralysis of communication on the entire link is avoided.
On the other hand, they give the IPv6 network a secure ND mechanism: while the user nodes' normal service data is preserved, a user's IPv6 address information is guaranteed not to spread onto other users' lines, thereby keeping user data flows secure.
Claims
1. A method for improving security, comprising:
when a user node performs duplicate address detection on a temporary IP address, sending a neighbor solicitation message to the broadband access device to which it belongs, the neighbor solicitation message carrying the temporary IP address and MAC address of the user node; and
after receiving the neighbor solicitation message, the broadband access device returning a neighbor advertisement message to the user node only when it determines that the adjacency table of the broadband access device already contains a record with the temporary IP address but the MAC address in said record differs from the MAC address in the neighbor solicitation message;
thereby improving the security of neighbor discovery in an IPv6 environment.
2. The method of claim 1, further comprising:
when the broadband access device determines that the adjacency table already contains a record with the temporary IP address and the MAC address in said record is the same as the MAC address in the neighbor solicitation message, discarding the neighbor solicitation message without responding to the user node.
3. The method of claim 1 or 2, further comprising:
when the broadband access device determines that no record in the adjacency table contains the temporary IP address, saving the temporary IP address and MAC address from the neighbor solicitation message into one record of the adjacency table.
4. The method of claim 3, wherein
every record in the adjacency table includes an IP address, a MAC address and line information;
the method further comprises: when the broadband access device determines that no record in the adjacency table contains the temporary IP address, saving the line information of the user node that sent the neighbor solicitation message, together with the temporary IP address and MAC address from the neighbor solicitation message, into the same record of the adjacency table.
5. A broadband access device for improving security, comprising a storage module, a parsing module, a determining module and a response module, wherein
the storage module is configured to store an adjacency table, the adjacency table containing an IP address field and a MAC address field for user nodes;
the parsing module is configured to parse the temporary IP address and MAC address in a received neighbor solicitation message and pass them to the determining module;
the determining module is configured to instruct the response module to respond when it determines that a record in the adjacency table contains the temporary IP address and the MAC address in said record is the same as the user MAC address in the neighbor solicitation message;
the response module is configured to, after receiving the instruction to respond from the determining module, reply with a neighbor advertisement message to the user node that sent the neighbor solicitation message;
thereby improving the security of neighbor discovery in an IPv6 environment.
6. The broadband access device of claim 5, wherein
the determining module is further configured to, when it determines that no record in the adjacency table contains the temporary IP address, add a record to the adjacency table and store the temporary IP address and MAC address from the neighbor solicitation message in the IP address field and MAC address field of the added record, respectively.
7. The broadband access device of claim 6, wherein
the storage module is further configured to include a line information field in the adjacency table it stores;
the determining module is further configured to, when it determines that no record in the adjacency table contains the temporary IP address, store the line information of the user node that sent the neighbor solicitation message in the line information field of the added record.
8. A method for improving security, comprising:
a broadband access device maintaining an adjacency table that records the IP address, MAC address and line information of the user nodes it serves; and
after receiving a neighbor discovery request message from the network side, the broadband access device looking up, by the IP address of the user node in the neighbor discovery request message, whether the adjacency table holds a record with said IP address; if so, forwarding the neighbor discovery request message to the user node corresponding to the line information in said record, otherwise discarding the neighbor discovery request message;
thereby improving the security of neighbor discovery in an IPv6 environment.
9. The method of claim 8, wherein
the neighbor discovery request message received by the broadband access device from the network side is a host request message sent by a router.
10. A broadband access device for improving security, comprising a storage module, a parsing module, a determining module and a forwarding module, wherein: the storage module is configured to store an adjacency table, the adjacency table containing an IP address field, a MAC address field and a line information field for user nodes;
the parsing module is configured to parse the IP address in a neighbor discovery request message from the network side and pass it to the determining module;
the determining module is configured to instruct the forwarding module to forward the neighbor discovery request message when it determines that a record in the adjacency table contains the IP address passed by the parsing module; the forwarding module is configured to, after receiving the forwarding instruction from the determining module, forward the neighbor discovery request message to the user node corresponding to the line information in the adjacency table record holding said IP address;
thereby improving the security of neighbor discovery in an IPv6 environment.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810176582.3 | 2008-12-25 | ||
CN2008101765823A CN101764734B (en) | 2008-12-25 | 2008-12-25 | Method for improving neighbor discovery safety in IPv6 (Internet Protocol Version 6) environment and broadband access equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010072096A1 true WO2010072096A1 (en) | 2010-07-01 |
Family
ID=42286878
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2009/074278 WO2010072096A1 (en) | 2008-12-25 | 2009-09-28 | Method and broadband access device for improving the security of neighbor discovery in ipv6 environment |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101764734B (en) |
WO (1) | WO2010072096A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106537844A (en) * | 2014-06-12 | 2017-03-22 | 康维达无线有限责任公司 | Context aware neighbor discovery |
CN114465776A (en) * | 2021-12-31 | 2022-05-10 | 华为技术有限公司 | Flooding attack defense method and related device |
CN115086271A (en) * | 2022-06-17 | 2022-09-20 | 杭州云合智网技术有限公司 | Method for searching equipment in local area network |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101938411B (en) * | 2010-08-03 | 2012-04-18 | 杭州华三通信技术有限公司 | Method and equipment for processing ND snooping item |
CN101951415B (en) * | 2010-08-30 | 2013-10-16 | 清华大学 | Method of increasing safety of address conflict detection process |
CN102143248A (en) * | 2011-02-28 | 2011-08-03 | 华为数字技术有限公司 | Method and device for detecting IP (Internet Protocol) address conflict |
CN102347903B (en) * | 2011-10-13 | 2014-07-02 | 北京星网锐捷网络技术有限公司 | Data message forwarding method as well as device and system |
CN102333134B (en) * | 2011-10-17 | 2014-03-19 | 中兴通讯股份有限公司 | Medium/media access control address conflict detection method, device and system |
CN102571816B (en) * | 2012-02-15 | 2015-09-30 | 神州数码网络(北京)有限公司 | A kind of method and system preventing neighbor learning attack |
CN103795821A (en) * | 2014-02-11 | 2014-05-14 | 江苏沁恒股份有限公司 | Method and device for applying for independent MAC address through Internet for networking product |
CN104967632B (en) * | 2014-04-22 | 2017-02-15 | 腾讯科技(深圳)有限公司 | Webpage abnormal data processing method, data server and system |
CN104301141B (en) * | 2014-10-10 | 2018-02-09 | 华为技术有限公司 | A kind of method, apparatus and system for preserving configuration information |
US10027576B2 (en) * | 2016-05-23 | 2018-07-17 | Juniper Networks, Inc. | Method, system, and apparatus for proxying intra-subnet traffic across multiple interfaces within networks |
CN109120741B (en) * | 2018-08-27 | 2020-10-02 | 南京中兴新软件有限责任公司 | Duplicate address detection method and device and computer readable storage medium |
CN109981813B (en) * | 2019-03-19 | 2021-09-17 | 新华三技术有限公司 | Message processing method and device |
JP7417395B2 (en) * | 2019-10-01 | 2024-01-18 | アズビル株式会社 | Fraud detection device and fraud detection method |
CN113098737B (en) * | 2019-12-23 | 2022-12-30 | 北京神经元网络技术有限公司 | User node admission control method and device and electronic equipment |
CN113347282A (en) * | 2021-05-25 | 2021-09-03 | 清华大学 | IP address distribution and duplicate checking method and system for satellite internet |
CN116208582A (en) * | 2021-11-30 | 2023-06-02 | 华为技术有限公司 | Address detection method and device |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1901551A (en) * | 2005-07-19 | 2007-01-24 | 上海贝尔阿尔卡特股份有限公司 | Repeat address detecting method and its device for supporting IPv6 two layer access net |
CN101222513A (en) * | 2008-01-28 | 2008-07-16 | 杭州华三通信技术有限公司 | Method and network appliance for preventing repeated address detection attack |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1980252A (en) * | 2005-12-06 | 2007-06-13 | 华为技术有限公司 | Address-conflict detection realizing method and address conflict detection agent apparatus |
CN101018146A (en) * | 2006-02-10 | 2007-08-15 | 北京航空航天大学 | A local management unit for hierarchical mobile IPv6 |
- 2008-12-25: CN CN2008101765823A patent/CN101764734B/en (active, Active)
- 2009-09-28: WO PCT/CN2009/074278 patent/WO2010072096A1/en (active, Application Filing)
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106537844A (en) * | 2014-06-12 | 2017-03-22 | 康维达无线有限责任公司 | Context aware neighbor discovery |
US10659940B2 (en) | 2014-06-12 | 2020-05-19 | Convida Wireless, Llc | Method and apparatus for context aware neighbor discovery in a network |
CN114465776A (en) * | 2021-12-31 | 2022-05-10 | 华为技术有限公司 | Flooding attack defense method and related device |
WO2023125239A1 (en) * | 2021-12-31 | 2023-07-06 | 华为技术有限公司 | Flood attack defense method and related device |
CN114465776B (en) * | 2021-12-31 | 2023-09-12 | 华为技术有限公司 | Flood attack defense method and related device |
CN115086271A (en) * | 2022-06-17 | 2022-09-20 | 杭州云合智网技术有限公司 | Method for searching equipment in local area network |
CN115086271B (en) * | 2022-06-17 | 2023-09-26 | 杭州云合智网技术有限公司 | Method for searching equipment in local area network |
Also Published As
Publication number | Publication date |
---|---|
CN101764734A (en) | 2010-06-30 |
CN101764734B (en) | 2012-12-19 |
Similar Documents
Publication | Title |
---|---|
WO2010072096A1 (en) | Method and broadband access device for improving the security of neighbor discovery in ipv6 environment |
US8953601B2 (en) | Internet protocol version six (IPv6) addressing and packet filtering in broadband networks |
US20100313265A1 (en) | Method and Apparatus for Preventing Spoofed Packet Attacks |
US8477782B2 (en) | VRRP and learning bridge CPE |
KR100908320B1 (en) | Method for protecting and searching host in internet protocol version 6 network |
EP2724508B1 (en) | Preventing neighbor-discovery based denial of service attacks |
EP2362587B1 (en) | Method and apparatus for realizing ARP request broadcasting limitation |
WO2011060571A1 (en) | Method, apparatus and system for duplicate address detection proxy |
Anbar et al. | Review of security vulnerabilities in the IPv6 neighbor discovery protocol |
WO2012075850A1 (en) | Method and system for preventing mac address cheat, and switch |
WO2011020254A1 (en) | Method and device for preventing network attacks |
WO2010022574A1 (en) | A method and apparatus for realizing forwarding the reversal transmission path of the unique address |
Thaler | Evolution of the IP Model |
WO2013053266A1 (en) | Message learning method, device and system |
WO2011107052A2 (en) | Method and access node for preventing address conflict |
JP5241957B2 (en) | Method and apparatus for connecting a subscriber unit to an aggregation network supporting IPv6 |
WO2010130181A1 (en) | Device and method for preventing internet protocol version 6 (ipv6) address being fraudulently attacked |
Xiaorong et al. | Security analysis for IPv6 neighbor discovery protocol |
Haberman et al. | Multicast Router Discovery |
EP2362610B1 (en) | Method and system for assigning an IPv6 link-local address |
Gont | Hacking ipv6 networks |
Liang et al. | A SDN-Based Hierarchical Authentication Mechanism for IPv6 Address |
JP2004104709A (en) | Access network system |
Dawood | Introduction to IPv6 Security |
Bae et al. | Design and deployment of IPv6 address management system on research networks |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09834049; Country of ref document: EP; Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 09834049; Country of ref document: EP; Kind code of ref document: A1 |