WO2011060571A1 - Duplicate address detection proxy method, apparatus and system - Google Patents
Duplicate address detection proxy method, apparatus and system
- Publication number
- WO2011060571A1 (PCT/CN2009/074984)
- Authority
- WO
- WIPO (PCT)
Classifications
- H04L61/5046—Resolving address allocation conflicts; Testing of addresses
- H04L61/2592—Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
- H04L61/5092—Address allocation by self-assignment, e.g. picking addresses at random and testing if they are already in use
- H04L61/59—Network arrangements, protocols or services for addressing or naming using proxies for addressing
- H04L2101/622—Layer-2 addresses, e.g. medium access control [MAC] addresses
- H04L2101/659—Internet protocol version 6 [IPv6] addresses
- H04L65/40—Support for services or applications
Definitions
- The present invention relates to the field of communications, and in particular to a duplicate address detection proxy method, apparatus, and system.
Background art
- IPv6 (Internet Protocol version 6) will replace IPv4 as the next-generation Internet protocol. A prominent feature of the IPv6 protocol is its support for automatic address configuration of network nodes, which will greatly simplify the work of network administrators.
- DAD Duplicate Address Detection
- DSL Digital Subscriber Line
- P2P Point to Point
- PON Passive Optical Network
- N 2 the user ports on a network device are isolated from one another even when they are in the same VLAN. Therefore, the network device does not forward the DAD packets of other users to the user.
- An N:1 VLAN changes the VLAN IDs carried in packets from N VLANs to one and the same VLAN ID. Therefore, the DAD function does not work in the above scenarios, and addresses cannot be automatically configured.
- The DAD function can be performed by having an ND Proxy (Neighbor Discovery Proxy) forward the DAD packets.
- ND Proxy Neighbor Discovery Proxy
- The NS (Neighbor Solicitation) multicast packet is sent to the ND Proxy through the intermediate Layer 2 network AN1.
- Port 1 of the ND Proxy modifies the LLA (Link-Local Address) and S-MAC (Source Media Access Control address) in the packet, and then unconditionally forwards the modified multicast packet to the other ports of the ND Proxy. For example, after port 2 receives the modified packet, the packet is sent to the corresponding User2 through the intermediate Layer 2 network AN2.
- LLA Link-Local Address
- S-MAC Source-Media Access Control
- Although the ND Proxy can forward DAD-NS multicast packets, it unconditionally forwards each received DAD-NS multicast packet to all ports other than the port on which the packet was received. In actual applications, only the users on the user networks behind a few ports will have duplicate addresses. Forwarding the multicast packets on all other ports not only wastes resources and consumes a large amount of bandwidth; because the DAD-NS multicast packets are forwarded to other users, those users can also easily obtain the user's address and other related information from the message, which brings security risks. In addition, because the DAD-NS multicast packets have to be forwarded through the ND Proxy, the detection delay increases.
- An embodiment of the present invention provides a duplicate address detection proxy method and apparatus.
- The technical solution is as follows:
- An embodiment of the present invention provides a duplicate address detection proxy method, where the method includes:
- the DAD-NS message includes address information sent by the user and access location information corresponding to the address information, where the address information includes at least an IP address to be detected and a link layer
- The DAD-NS message is compared against the locally stored DAD information. When the comparison shows that the IP address to be detected is not duplicated, the DAD-NS message is added to the locally stored DAD information. When the comparison indicates that the IP address to be detected may be duplicated, unreachable detection is initiated toward the IP address to be detected, according to the address information in the matched locally stored DAD information, to determine whether the IP address to be detected is duplicated. The DAD information includes address information of at least one user and access location information corresponding to the address information.
- An embodiment of the present invention provides a duplicate address detection proxy device, where the device includes: an obtaining module, a storage module, and a processing module;
- the obtaining module is configured to obtain a duplicate address detection neighbor solicitation (DAD-NS) message, where the DAD-NS message includes address information sent by the user and access location information corresponding to the address information, and the address information includes at least an IP address to be detected and a link layer address;
- a storage module configured to store DAD information;
- the DAD information includes address information of at least one user and access location information corresponding to the address information;
- the processing module is configured to compare the DAD-NS message obtained by the obtaining module against the DAD information stored by the storage module; when the comparison shows that the IP address to be detected is not duplicated, add the DAD-NS message to the locally stored DAD information; and when the comparison indicates that the IP address to be detected may be duplicated, initiate unreachable detection toward the IP address to be detected, according to the address information in the matched locally stored DAD information, to determine whether the IP address to be detected is duplicated.
- An embodiment of the present invention provides a duplicate address detection proxy system, where the system includes: a duplicate address detection proxy device and an access device;
- the duplicate address detection proxy device includes: an obtaining module, a storage module, and a processing module;
- the obtaining module is configured to obtain a duplicate address detection neighbor solicitation (DAD-NS) message through the access device, where the DAD-NS message includes address information sent by the user and access location information, corresponding to the address information, inserted by the access device, and the address information includes at least an IP address to be detected and a link layer address;
- a storage module configured to store DAD information;
- the DAD information includes address information of at least one user and access location information corresponding to the address information;
- the processing module is configured to compare the DAD-NS message obtained by the obtaining module against the DAD information stored by the storage module; when the comparison shows that the IP address to be detected is not duplicated, add the DAD-NS message to the locally stored DAD information; and when the comparison indicates that the IP address to be detected may be duplicated, initiate unreachable detection toward the IP address to be detected, according to the address information in the matched locally stored DAD information, to determine whether the IP address to be detected is duplicated;
- the processing module includes:
- a comparing unit configured to compare the DAD-NS message obtained by the obtaining module against the DAD information stored by the storage module;
- an unreachable detecting unit configured to initiate unreachable detection toward the IP address to be detected, according to the address information in the matched locally stored DAD information, when the comparing unit finds that, relative to the DAD information stored by the storage module, the DAD-NS message obtained by the obtaining module has the same access location information, the same IP address to be detected, and a different link layer address; or the same IP address to be detected, different access location information, and a different link layer address; or the same link layer address, the same IP address to be detected, and different access location information; and to notify the sending unit if the unreachable detection succeeds, and notify the determining unit if the unreachable detection fails;
- a sending unit configured to: after receiving the unreachable detection success notification from the unreachable detecting unit, determine that the IP address to be detected is a duplicate address, and send a duplicate address detection neighbor advertisement (DAD-NA) message to the user through the access device;
- a determining unit configured to: after receiving the unreachable detection failure notification from the unreachable detecting unit, determine that the IP address to be detected is not duplicated;
- the access device includes: a receiving module, a determining module, a sending module, and a discarding module;
- the receiving module is configured to receive the duplicate address detection neighbor advertisement (DAD-NA) message sent by the sending unit in the processing module of the duplicate address detection proxy device;
- the DAD-NA message includes an access ring corresponding to the user
- the access identifier includes the access device identifier and the line identifier corresponding to the user;
- the determining module is configured to determine whether the access loop identifier in the DAD-NA message received by the receiving module contains its own access device identifier; if yes, notify the sending module; if not, notify the discarding module;
- the sending module is configured to send the DAD-NA message to the user according to the line identifier in the access loop identifier;
- the discarding module is configured to discard the DAD-NA message.
- The beneficial effects of the technical solution provided by the embodiments of the present invention are as follows: the received DAD-NS message is compared against the locally stored DAD information, and when the comparison indicates that the IP address to be detected may be duplicated, unreachable detection is initiated toward the IP address to be detected, according to the address information in the matched locally stored DAD information, to determine whether the IP address to be detected is duplicated. DAD is thus performed correctly without forwarding multicast packets to other users that do not need to be detected, and other users cannot obtain the DAD-NA message of the detecting user. This solves the problems of wasted resources and security risk caused by the unconditional multicast forwarding of the DAD-NA message in the prior art.
- FIG. 2 is a schematic flowchart of a duplicate address detection proxy method according to Embodiment 1 of the present invention.
- FIG. 3 is a schematic flowchart of a duplicate address detection proxy method according to Embodiment 2 of the present invention.
- FIG. 4 is a schematic structural diagram of a duplicate address detection proxy device according to Embodiment 3 of the present invention.
- FIG. 5 is a schematic structural diagram of a duplicate address detection proxy system according to Embodiment 4 of the present invention.
Detailed description
- Embodiment 1: Referring to FIG. 2, an embodiment of the present invention provides a duplicate address detection proxy method, where the method includes:
- the DAD-NS message includes address information sent by the user and access location information corresponding to the address information, where the address information includes an IP address to be detected and a link layer address.
- The link-layer address is the MAC address on an Ethernet link, and the ITU Telecommunication Standardization Sector (ITU-T) E.164 address in an Integrated Services Digital Network (ISDN).
- ISDN Integrated Services Digital Network
- The DAD-NS message is compared against the locally stored DAD information. When the comparison shows that the IP address to be detected is not duplicated, the DAD-NS message is added to the locally stored DAD information. When the comparison indicates that the IP address to be detected may be duplicated, unreachable detection is performed on the IP address to be detected, according to the address information in the locally stored DAD information, to determine whether the IP address to be detected is duplicated.
- The beneficial effects of this embodiment of the present invention are as follows: by comparing the obtained DAD-NS message against the locally stored DAD information to determine whether the IP address to be detected is duplicated, DAD is performed correctly without forwarding multicast packets to users who do not need to perform the detection, and those users cannot obtain the DAD-NA message of the detecting user. This solves the problems of wasted resources and security risk caused by the unconditional multicast forwarding of the DAD-NA message in the prior art.
- an embodiment of the present invention provides a DAD proxy method.
- This embodiment takes as an example only the case where the address information sent by the user includes the link layer address and the IP address to be detected. It does not exclude the case where the address information also includes the prefix of the IP address to be detected or other information; when other information is included, it can be processed according to the specific circumstances, and this still falls within the inventive concept of the present invention.
- When a user in the user network is about to use an IPv6 unicast address, DAD must be performed on that address to ensure its uniqueness.
- The IPv6 unicast address to be used is referred to as the IP address to be detected.
- the IPv6 unicast address may include: LLA, GUA (Global Unicast Address), and ULA (Unique Local IPv6 Addresses).
- The source address is set to the unspecified address (::), and the destination address is set to the solicited-node multicast address formed from the IP address to be detected.
- Before the user performs DAD, the user must join two multicast groups: the all-nodes multicast address and the solicited-node multicast address. The former ensures that the user can receive a DAD-NA (Neighbor Advertisement) message sent by a user who is already using the IP address to be detected; the latter ensures that two users who are preparing to use the same IP address to be detected can detect each other's presence in time.
- the method specifically includes:
- the DAD Proxy obtains the DAD-NS message.
- the DAD-NS message includes the address information sent by the user and the access location information corresponding to the address information of the user, where the address information includes the IP address to be detected and the link layer address.
- the link layer address may be a MAC address, but is not limited to a MAC address.
- the user who sends the address information may also be referred to as the user who performs the DAD.
- the obtained access location information may be sent by the user, or may be directly obtained from the DAD Proxy itself.
- When the user sends the address information to the DAD Proxy through the intermediate Layer 2 network, the user's corresponding access location information can be inserted by the intermediate Layer 2 network.
- the access location information may be an access loop identifier, where the access loop identifier includes a line identifier that is connected by the user.
- the access loop identifier may include an agent circuit ID (Agent Circuit ID) and/or an agent remote ID (Agent Remote ID) defined by RFC (Request For Comments) 3046;
- Different types of access line identifiers may have different line identifier coding formats.
- the coding format of the line identifier of the user connection is as follows:
- ANI_port [: ANI XPI.ANI XCI]
- the coding format of the line identifier connected by the user is as follows: AccessNodeIdentifier /ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port/ONU_ID
- The broadband user access line (port) information encoding format in the LAN system is encoded using the broadband user access line (port) encoding format of the PON system; the encoding format of the line identifier of the user connection is as follows:
- After receiving the address information sent by the first user, the DAD Proxy stores the user's address information together with the access location information corresponding to it as one piece of DAD information; the IP address to be detected and the MAC address in the user's address information also correspond to each other. That is, the user's IP address to be detected, MAC address, and access location information are bound together as one piece of DAD information.
- DAD Proxy can store multiple pieces of DAD information for multiple users.
- If the obtained DAD-NS message has the same link layer address, the same IP address to be detected, and the same access location information as the locally stored DAD information, perform 203;
- the IP address to be detected may be duplicated.
- If the obtained DAD-NS message has the same link layer address but different access location information and a different IP address to be detected compared with the locally stored DAD information, the same user may have roamed to another place.
- 203: In this case, the same user can be considered to be repeating the operation, and no action is taken.
- the process of performing unreachable detection is:
- The NS packet is unicast-encapsulated into an IPv6 packet using the IP address to be detected in the matched locally stored DAD information.
- The encapsulated IPv6 packet is then link-layer encapsulated using the MAC address that corresponds to the IP address to be detected in the matched locally stored DAD information.
- The unicast IPv6 packet is sent to the user corresponding to the IP address to be detected, and the NA message with which that user responds is awaited. If the NA message is received within the preset time, the IP address to be detected is reachable, the unreachable detection succeeds, and 205 is performed. If the NA message is not received within the preset time, the IP address to be detected is unreachable, and the unreachable detection fails.
- 205: Determine that the IP address to be detected in the obtained address information is a duplicate address, and send a DAD-NA message to the user who performs DAD; the DAD-NA message includes the access location information of the user and/or the link layer address of the user.
- the DAD-NS message and the DAD-NA message can be received or sent in the form of a message.
- With an ND Proxy, the DAD-NA packet is first sent to the ND Proxy, so that the ND Proxy forwards the DAD-NA packet to the user who performs DAD.
- The DAD Proxy itself detects that the IP address to be detected is a duplicate address and sends the DAD-NA message directly to the user who performs DAD, which, compared with the prior art, greatly reduces the time it takes for the user who sent the DAD-NS packet to receive the DAD-NA packet.
- Sending the DAD-NA message to the user who performs DAD includes:
- the DAD-NA message is sent to the user who performs DAD through the intermediate Layer 2 network.
- Sending the DAD-NA message to the user who performs DAD through the intermediate Layer 2 network includes: the DAD-NA message includes the access location information corresponding to the user who performs DAD, that is, the access loop identifier; the access loop identifier may further include a network identifier of the intermediate Layer 2 network;
- The DAD Proxy sends the DAD-NA message to the intermediate Layer 2 network, so that the intermediate Layer 2 network determines whether the access loop identifier in the DAD-NA message contains its own network identifier. If so, it sends the DAD-NA message to the corresponding user according to the line identifier in the access loop identifier; if not, the DAD-NA message is discarded, that is, not forwarded.
- The access loop identifier in the DAD-NA message can be removed before the message is sent.
- The access loop identifier need not include the network identifier; however, if the line identifiers of user connections are duplicated across multiple user networks in the entire network, including the network identifier in the access loop identifier may enable the user to obtain the DAD-NA message more quickly.
- The method further includes: updating, in the locally stored DAD information, the address information of the user who performs DAD and/or the access location information corresponding to the address information.
- the method further includes:
- the address information in the DAD-NS message and the access location information corresponding to the address information are stored locally.
- Nomadism refers to a scenario in which a user moves to line 2 after having been connected to line 1.
- Because the access location information in the locally saved DAD information is the information of line 1 to which the user was connected, and the information of line 2 corresponding to the user after the move is not saved, the prior art cannot implement DAD in the nomadic scenario.
- The obtained DAD-NS message is compared against the locally stored DAD information, and when an entry with the same IP address to be detected, the same link layer address, and different access location information is found, unreachable detection is performed according to the matched locally stored DAD information. If the unreachable detection fails, the locally stored DAD information is updated. After the update, the user's access location information includes the information of line 2, so that automatic address configuration can be performed.
- the method may further include:
- the unreachable detection performed here is the same as the above unreachable detection process.
- The DAD Proxy can be located on the IP edge device, that is, the first Layer 3 node in the network, such as a BRAS, NAS, or BAS, or in the intermediate Layer 2 network.
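The comparison and unreachable-detection steps above, including the nomadic case, can be traced with the following sketch. It is an added example and not code from the patent: `DadProxy`, `Binding`, `Verdict` and the `probe` callback are hypothetical names, the table is assumed to be keyed by the IP address to be detected, and the probe is a stub standing in for the unicast NS/NA exchange. The addresses and line identifiers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum

UNSPECIFIED = ipaddress.IPv6Address("::")
SOLICITED_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(target):
    """Solicited-node multicast group: ff02::1:ff plus the low 24 bits of target."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_BASE | low24)


def is_dad_ns(src, dst, target):
    """A DAD-NS has source :: and is sent to the target's solicited-node group."""
    return (ipaddress.IPv6Address(src) == UNSPECIFIED
            and ipaddress.IPv6Address(dst) == solicited_node(target))


class Verdict(Enum):
    NEW_BINDING = "no entry for this address: stored as DAD information"
    REPEAT = "identical entry: same user repeating DAD, no operation"
    DUPLICATE = "stored holder answered the probe: DAD-NA sent to requester only"
    UPDATED = "stored holder did not answer: not a duplicate, entry updated"


@dataclass(frozen=True)
class Binding:
    """One piece of DAD information: IP to be detected, link layer address, location."""
    ip: ipaddress.IPv6Address
    lladdr: str
    location: str


class DadProxy:
    def __init__(self, probe):
        self.table = {}      # assumption: keyed by the IP address to be detected
        self.probe = probe   # probe(binding) -> True if an NA arrives in time
        self.sent_na = []    # (location, lladdr, ip) of each DAD-NA sent

    def handle_dad_ns(self, target, lladdr, location):
        new = Binding(ipaddress.IPv6Address(target), lladdr.lower(), location)
        old = self.table.get(new.ip)
        if old is None:
            self.table[new.ip] = new
            return Verdict.NEW_BINDING
        if old == new:
            return Verdict.REPEAT
        # Same IP but a different link layer address and/or access location:
        # the three cases in which the text initiates unreachable detection,
        # unicast to the stored holder instead of multicast to every port.
        if self.probe(old):
            # The DAD-NA carries the requester's location and link layer address,
            # so only the requester's line receives it.
            self.sent_na.append((new.location, new.lladdr, str(new.ip)))
            return Verdict.DUPLICATE
        # No answer from the stored binding (for example the user moved from
        # line 1 to line 2): the address is not duplicated, update the entry.
        self.table[new.ip] = new
        return Verdict.UPDATED


def demo():
    """Constructed scenario: user 1 claims an address, user 2 collides, user 1 moves."""
    alive = {"AN1/port1"}  # locations whose holder still answers the probe
    proxy = DadProxy(probe=lambda binding: binding.location in alive)
    ip, mac1, mac2 = "2001:db8::10", "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    results = [
        proxy.handle_dad_ns(ip, mac1, "AN1/port1"),  # first claim
        proxy.handle_dad_ns(ip, mac1, "AN1/port1"),  # same user repeats DAD
        proxy.handle_dad_ns(ip, mac2, "AN2/port2"),  # second user, same address
    ]
    alive.clear()  # user 1 leaves line 1, then reappears on another line
    results.append(proxy.handle_dad_ns(ip, mac1, "AN1/port7"))
    return results, proxy


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict.name, "-", verdict.value)
```

A real proxy would also age out entries; the sketch leaves that out because the text does not describe it.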
- The beneficial effects of this embodiment of the present invention are as follows. Whether the IP address to be detected is duplicated is determined by comparing the obtained DAD-NS message against the locally stored DAD information. If the IP address to be detected may be duplicated, the DAD Proxy initiates unicast unreachable detection, and the result of the unreachable detection determines whether the IP address to be detected is duplicated. If it is duplicated, the DAD-NA message is sent directly to the user who performs DAD. This not only performs DAD correctly, but also avoids the wasted resources and added delay caused by the unconditional forwarding of DAD-NS multicast packets in the prior art. It also prevents the situation in which, after the DAD-NS multicast packet is forwarded to other users, those users obtain the user's address and other related information from the message and use it for malicious attacks, thereby improving the user's information security. When a user is nomadic, DAD can still be performed by updating the nomadic user's access location information, so that automatic address configuration can be performed. Further, the forwarding range of the DAD-NA message is restricted according to the network identifier and line identifier in the access loop identifier, so that users on networks and lines that do not match the network identifier and line identifier cannot obtain the DAD-NA message; this prevents an illegitimate user from listening for DAD-NA messages within the access range and using the information obtained for malicious attacks.
- an embodiment of the present invention provides a DAD proxy device, where the device includes: an obtaining module 301, a storage module 302, and a processing module 303;
- the obtaining module 301 is configured to obtain a duplicate address detection neighbor solicitation (DAD-NS) message, where the DAD-NS message includes address information sent by the user and access location information corresponding to the address information, and the address information includes at least an IP address to be detected and a link layer address;
- the link layer address may be a MAC address, but is not limited to a MAC address;
- the user who sends the address information may also be referred to as the user who performs the DAD.
- the access location information obtained by the obtaining module 301 may be sent by the user, or may be stored by the DAD proxy device itself, or may be inserted by the access device corresponding to the user.
- the DAD information is stored in the storage module 302, and the DAD information includes address information of at least one user and access location information corresponding to the address information.
- the address information of each user includes at least a link layer address and an IP address to be detected.
- the embodiment of the present invention only takes the address information sent by the user, including the link layer address and the to-be-detected IP address, as an example.
- the case where the address information sent by the user further includes the prefix or other information of the IP address to be detected is not excluded. When other information is included, specific processing may be performed according to specific circumstances, but it is still included in the inventive concept of the present invention.
- the processing module 303 is configured to compare the DAD-NS message acquired by the obtaining module 301 with the DAD information stored in the storage module 302 to determine whether the IP address to be detected is duplicated.
- the processing module 303 includes: a comparing unit 3030, an unreachable detecting unit 3031, a sending unit 3032, a determining unit 3033, and an updating unit 3034;
- the comparing unit 3030 is configured to compare the DAD-NS message acquired by the obtaining module 301 in the DAD information stored by the storage module 302.
- the unreachable detecting unit 3031 is configured to initiate unreachable detection toward the IP address to be detected, according to the address information in the locally stored DAD information matched by the comparing unit 3030, when the comparing unit 3030 finds that, relative to the DAD information stored in the storage module 302, the DAD-NS message obtained by the obtaining module 301 has the same access location information, the same IP address to be detected, and a different link layer address; or the same IP address to be detected, different access location information, and a different link layer address; or the same link layer address, the same IP address to be detected, and different access location information. If the unreachable detection succeeds, the sending unit 3032 is notified; if the unreachable detection fails, the determining unit 3033 is notified;
- the unreachable detecting unit 3031 may include: a first encapsulation subunit, a second encapsulation subunit, and a sending subunit;
- the first encapsulation subunit is configured to perform unicast encapsulation of the NS packet using the IP address to be detected in the matched DAD information, encapsulating it into an IPv6 packet;
- the second encapsulation subunit is configured to perform link layer encapsulation on the IPv6 packet encapsulated by the first encapsulation subunit, using the MAC address corresponding to the IP address to be detected in the matched DAD information;
- the sending subunit is configured to send the IPv6 packet, after link layer encapsulation by the second encapsulation subunit, to the user corresponding to the IP address to be detected, and to wait for that user to respond with an NA message. If the NA message is received within the preset time, the IP address to be detected is reachable, and the sending unit 3032 is notified; if no NA message is received within the preset time, the IP address to be detected is unreachable, and the determining unit 3033 is notified.
- the sending unit 3032 is configured to: after receiving the unreachable detection success notification of the unreachable detecting unit 3021, determine that the IP address to be detected in the received address information is a duplicate address, and send a DAD-NA message to the user performing DAD; the DAD-NA message contains the access location information of the user and/or the link layer address of the user.
- the DAD-NS message and the DAD-NA message may be received or sent in the form of a message.
- after the ND Proxy forwards the obtained DAD-NS multicast packet, if another user is already using the IP address to be detected that the user performing DAD intends to use, that other user must first send a DAD-NA packet in response to the ND Proxy, and the ND Proxy then forwards the DAD-NA message to the user performing DAD.
- the DAD Proxy itself detects that the IP address to be detected is a duplicate address and directly sends the DAD-NA packet to the user who initiated DAD, which greatly reduces the time for the user who sent the DAD-NS packet to receive the DAD-NA packet.
- the determining unit 3033 is configured to: after receiving the unreachable detection failure notification of the unreachable detecting unit 3031, determine that the IP address to be detected in the address information acquired by the obtaining module 301 is not a duplicate.
- the processing module 303 further includes an updating unit 3034, configured to update the DAD information locally stored in the storage module 302 after the determining unit 3033 determines that the IP address to be detected in the address information acquired by the obtaining module 301 is not a duplicate.
- when the comparing unit 3030 finds that the DAD-NS message received by the obtaining module 301 and the DAD information stored by the storage module 302 have the same link layer address, the same address to be detected, and different access location information, this indicates that the user performing DAD is a nomadic user; nomadic refers to the scenario in which a user connects to line 1 and then moves to line 2. After the user has moved, the information stored in the storage module 302 is that of line 1, to which the user was connected, and the information of line 2, to which the user is now connected, has not been saved, so the prior art cannot implement the DAD function in the nomadic scenario.
- in the embodiment of the present invention, when the DAD-NS message obtained by the obtaining module 301 and the DAD information stored in the storage module 302 have the same IP address to be detected, the same link layer address, and different access location information, the unreachable detecting unit 3031 performs unreachable detection on the matched locally stored DAD information; if the unreachable detection fails, the locally stored DAD information of the user is updated so that the user's access location information contains the information of line 2, after which DAD can be performed and automatic address configuration can proceed.
- the determining unit 3033 of the processing module 303 is further configured to determine that the IP address to be detected in the DAD-NS message acquired by the obtaining module 301 is not a duplicate, meaning that the IP address to be detected in the DAD-NS message is available, when the comparing unit 3030 finds that the DAD-NS message and the DAD information stored in the storage module 302 have:
  - the same link layer address, the same access location information, and different IP addresses to be detected; or
  - the same access location information, different link layer addresses, and different addresses to be detected; or
  - the same link layer address, different access location information, and different IP addresses to be detected; or
  - different access location information, different link layer addresses, and different addresses to be detected.
- the storage module 302 is further configured to store locally the address information obtained from the DAD-NS message and the access location information corresponding to that address information.
- the device may further include: a DAD information maintenance module 304, configured to maintain the DAD information stored in the storage module 302 by periodically initiating unreachable detection on the stored address information of each user. If the NA message with which the user corresponding to the address information responds is received within the preset time, the address information is retained. If no NA message from the user corresponding to the address information is received within the preset time, this indicates that the user no longer exists, and the address information is deleted.
- the beneficial effects of the embodiment of the present invention are as follows. Whether the IP address to be detected is a duplicate is determined by comparing the obtained DAD-NS message against the locally stored DAD information. If the IP address to be detected may be a duplicate, the proxy device initiates unicast unreachable detection and determines from its result whether the IP address to be detected is a duplicate. If it is, the DAD-NA message is sent directly to the user performing DAD. This not only provides correct DAD, but also avoids the wasted resources and added delay caused by the unconditional forwarding of DAD-NS multicast packets in the prior art. It also prevents a malicious attacker from obtaining the user's address and other related information from the DAD-NS message and launching an attack, thereby improving the user's information security. And when the user is nomadic, DAD can still be performed by updating the access location information of the nomadic user, enabling automatic address configuration.
- an embodiment of the present invention provides an address repetition detection proxy system, where the system includes an address repetition detecting apparatus 300 and an access device 400;
- the address repetition detecting device 300 is the same as the device provided in Embodiment 3, and details are not described herein again.
- the obtaining module 301 is specifically configured to obtain a duplicate address detection neighbor solicitation (DAD-NS) message through the access device 400, where the DAD-NS message includes the address information sent by the user and the access location information corresponding to the address information, and the address information includes at least an IP address to be detected and a link layer address;
- the access device includes: a receiving module 401, a determining module 402, a sending module 403, and a discarding module 404;
- the receiving module 401 is configured to receive the DAD-NA message sent by the apparatus provided in Embodiment 3; the DAD-NA message includes an access loop identifier corresponding to the user performing DAD; the access loop identifier includes the corresponding access device identifier and line identifier;
- the determining module 402 is configured to determine whether the access loop identifier in the DAD-NA message received by the receiving module 401 contains the access device's own identifier; if yes, the sending module 403 is notified; if not, the discarding module 404 is notified;
- the sending module 403 is configured to send the DAD-NA message to the user performing DAD according to the line identifier in the access loop identifier.
- the sending module 403 may remove the access loop identifier from the DAD-NA message before sending the DAD-NA message.
- the discarding module 404 discards the DAD-NA message.
- the access loop identifier need not include a network identifier; if user connection identifiers are duplicated across multiple user networks in the entire network, including the network identifier in the access loop identifier may enable the user to obtain the DAD-NA message more quickly.
- the sending module 403 can also send the DAD-NA message to the user performing DAD according to the link layer address of that user.
- the beneficial effects of the embodiment of the present invention are as follows. The access device determines whether the access loop identifier in the received DAD-NA message contains its own access device identifier and, only when it does, forwards the DAD-NA message according to the line identifier in the access loop identifier. This limits the forwarding range of the DAD-NA message, so that users on networks and lines that do not match the access device identifier and line identifier cannot obtain the DAD-NA message, which prevents a malicious user within the access range from launching an attack after listening to the DAD-NA message.
- Embodiments of the invention may be implemented in software, and the corresponding software program may be stored in a readable storage medium, such as a hard disk, a cache, or an optical disk of a computer.
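The comparison and unreachable-detection procedure of the processing module 303, the maintenance module 304 and the access device's DAD-NA filtering can be sketched as follows. This is an added example, not part of the patent text; the `probe` callback, the `device/line` location format and all names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str        # IP address to be detected
    mac: str       # link layer address
    location: str  # access location information, "device/line" (assumed format)


class DadProxy:
    """Sketch of the comparing, unreachable detecting, determining and updating units."""

    def __init__(self, probe):
        # probe(binding) -> True if an NA answers the unicast NS within the preset time.
        self.probe = probe
        self.table = {}  # locally stored DAD information, keyed by IP address

    def handle_dad_ns(self, req):
        """Return (verdict, dad_na); dad_na is set only when the proxy answers itself."""
        stored = self.table.get(req.ip)
        if stored is None:
            # No stored entry has this IP: the four "different IP" cases, address available.
            self.table[req.ip] = req
            return "not_duplicate", None
        if stored == req:
            # All three fields equal. This section does not describe the case, so it is
            # treated here as a retransmission by the same user (assumption).
            return "not_duplicate", None
        # Same IP, but link layer address and/or access location differ:
        # probe the stored owner, never the requester.
        if self.probe(stored):
            # Stored owner answered, so the address is a duplicate. The DAD-NA carries
            # the requester's location and link layer address for narrow delivery.
            return "duplicate", {"target": req.ip, "location": req.location, "mac": req.mac}
        # Stored owner is gone (for example a nomadic user who changed line): update.
        self.table[req.ip] = req
        return "not_duplicate", None

    def maintain(self):
        """Maintenance module: delete entries whose owner no longer answers."""
        stale = [ip for ip, b in self.table.items() if not self.probe(b)]
        for ip in stale:
            del self.table[ip]
        return stale


def access_device_forward(own_device_id, dad_na):
    """Access device side: return the line to forward on, or None to discard."""
    device, _, line = dad_na["location"].partition("/")
    return line if device == own_device_id and line else None


if __name__ == "__main__":
    # Constructed sample: one live user, then a second host claiming the same IP.
    owner = Binding("2001:db8::10", "00:11:22:33:44:55", "AN1/line1")
    live = {owner}
    proxy = DadProxy(lambda b: b in live)
    print(proxy.handle_dad_ns(owner))
    print(proxy.handle_dad_ns(Binding("2001:db8::10", "66:77:88:99:aa:bb", "AN1/line2")))
```

Because the probe always targets the stored binding, a request that reuses a live user's IP address from another line or link layer address cannot displace that user's entry; the entry changes only after the stored owner fails to answer.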
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP09851363.3A EP2493117B1 (en) | 2009-11-17 | 2009-11-17 | Method and apparatus for duplicate address detection proxy |
KR1020127014077A KR101372988B1 (ko) | 2009-11-17 | 2009-11-17 | 복제 어드레스 검출 프록시의 방법, 장치 및 시스템 |
PCT/CN2009/074984 WO2011060571A1 (zh) | 2009-11-17 | 2009-11-17 | 一种地址重复检测代理方法、装置及系统 |
CN2009801486739A CN102246461B (zh) | 2009-11-17 | 2009-11-17 | 一种地址重复检测代理方法、装置及系统 |
JP2012539157A JP5536225B2 (ja) | 2009-11-17 | 2009-11-17 | 重複アドレス検出プロキシのための方法、装置およびシステム |
US13/472,978 US8724500B2 (en) | 2009-11-17 | 2012-05-16 | Method, apparatus, and system of duplicate address detection proxy |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2009/074984 WO2011060571A1 (zh) | 2009-11-17 | 2009-11-17 | 一种地址重复检测代理方法、装置及系统 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/472,978 Continuation US8724500B2 (en) | 2009-11-17 | 2012-05-16 | Method, apparatus, and system of duplicate address detection proxy |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011060571A1 (zh) | 2011-05-26 |
Family
ID=44059175
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2009/074984 WO2011060571A1 (zh) | 2009-11-17 | 2009-11-17 | 一种地址重复检测代理方法、装置及系统 |
Country Status (6)
Country | Link |
---|---|
US (1) | US8724500B2 (zh) |
EP (1) | EP2493117B1 (zh) |
JP (1) | JP5536225B2 (zh) |
KR (1) | KR101372988B1 (zh) |
CN (1) | CN102246461B (zh) |
WO (1) | WO2011060571A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140325090A1 (en) * | 2011-10-31 | 2014-10-30 | Telefonaktiebolaget L M Ericsson (Publ) | Discovery and disconnection of client addresses in an access node for an ip network |
Families Citing this family (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101610186A (zh) * | 2009-06-19 | 2009-12-23 | 中兴通讯股份有限公司 | 一种处理报文的方法 |
US9270638B2 (en) * | 2012-01-20 | 2016-02-23 | Cisco Technology, Inc. | Managing address validation states in switches snooping IPv6 |
CN102594882A (zh) * | 2012-02-08 | 2012-07-18 | 神州数码网络(北京)有限公司 | 一种基于DHCPv6监听的邻居发现代理方法和系统 |
US8886775B2 (en) * | 2012-03-08 | 2014-11-11 | Cisco Technology, Inc. | Dynamic learning by a server in a network environment |
WO2014070931A1 (en) * | 2012-10-30 | 2014-05-08 | Quantitative Sampling Technologies, LLC | Supervisory computer system over data acquisition devices |
CN102984288B (zh) * | 2012-11-19 | 2017-11-17 | 中兴通讯股份有限公司 | 一种自动管理IPv6地址冲突的方法及系统 |
CN103347102B (zh) * | 2013-06-28 | 2016-08-10 | 华为技术有限公司 | 冲突地址检测报文的识别方法及装置 |
US9596210B2 (en) * | 2014-04-08 | 2017-03-14 | Arris Enterprises, Inc. | Subscriber-aware duplicate address detection proxy in edge devices |
US9385953B1 (en) * | 2015-02-03 | 2016-07-05 | Google Inc. | Mesh network addressing |
JP6548460B2 (ja) * | 2015-05-29 | 2019-07-24 | キヤノン株式会社 | 情報処理装置、情報処理方法およびプログラム |
US9832106B2 (en) * | 2015-06-23 | 2017-11-28 | Juniper Networks, Inc. | System and method for detecting network neighbor reachability |
US10148516B2 (en) * | 2015-07-28 | 2018-12-04 | Dell Products L.P. | Inter-networking device link provisioning system |
CN105262760A (zh) * | 2015-10-30 | 2016-01-20 | 北京奇虎科技有限公司 | 一种防止恶意访问登录/注册接口的行为的方法和装置 |
EP3443730B1 (en) * | 2016-04-15 | 2021-09-01 | Convida Wireless, LLC | 6lowpan neighbor discovery for supporting mobility and multiple border routers |
US10027576B2 (en) | 2016-05-23 | 2018-07-17 | Juniper Networks, Inc. | Method, system, and apparatus for proxying intra-subnet traffic across multiple interfaces within networks |
CN108173980B (zh) * | 2018-01-18 | 2021-02-19 | 浙江农林大学暨阳学院 | 一种sdn环境中的重复地址检测方法 |
US10547587B2 (en) | 2018-03-19 | 2020-01-28 | Didi Research America, Llc | Method and system for near real-time IP user mapping |
CN108848087B (zh) * | 2018-06-06 | 2020-11-27 | 浙江农林大学暨阳学院 | 适用于send协议的dad过程恶意na报文抑制方法 |
US20230247419A1 (en) * | 2020-08-03 | 2023-08-03 | Arris Enterprises Llc | Distributed coordination of duplicate ip address detection |
CN112217918B (zh) * | 2020-10-23 | 2022-05-24 | 新华三信息安全技术有限公司 | 一种SDN网络中IPv6地址冲突检测方法及装置 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050036471A1 (en) * | 2003-08-13 | 2005-02-17 | Samsung Electronics Co., Ltd. | Fast duplicate address detection entity for managing information for fast duplicate address detection in distribution system and fast duplicate address detection method using the same |
CN1901551A (zh) * | 2005-07-19 | 2007-01-24 | 上海贝尔阿尔卡特股份有限公司 | 一种支持IPv6的二层接入网中重复地址检测方法及其装置 |
CN1980252A (zh) * | 2005-12-06 | 2007-06-13 | 华为技术有限公司 | 地址冲突检测的实现方法及其地址冲突检测代理装置 |
CN101547223A (zh) * | 2008-03-26 | 2009-09-30 | 华为技术有限公司 | 地址配置方法、装置和系统 |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2005089098A2 (en) * | 2004-01-14 | 2005-09-29 | The Regents Of The University Of California | Ultra broadband mirror using subwavelength grating |
CN100495992C (zh) | 2007-08-30 | 2009-06-03 | 华为技术有限公司 | 用于地址冲突的重复地址检测方法及网络节点设备 |
JP2009253962A (ja) * | 2008-04-11 | 2009-10-29 | Yamaha Corp | 通信システム |
CN101901551B (zh) | 2010-06-29 | 2012-03-14 | 上海英迪信息技术有限公司 | 车辆监控系统中轨迹回放功能的优化方法 |
-
2009
- 2009-11-17 JP JP2012539157A patent/JP5536225B2/ja not_active Expired - Fee Related
- 2009-11-17 KR KR1020127014077A patent/KR101372988B1/ko active IP Right Grant
- 2009-11-17 CN CN2009801486739A patent/CN102246461B/zh not_active Expired - Fee Related
- 2009-11-17 WO PCT/CN2009/074984 patent/WO2011060571A1/zh active Application Filing
- 2009-11-17 EP EP09851363.3A patent/EP2493117B1/en not_active Not-in-force
-
2012
- 2012-05-16 US US13/472,978 patent/US8724500B2/en active Active
Non-Patent Citations (1)
Title |
---|
See also references of EP2493117A4 * |
Also Published As
Publication number | Publication date |
---|---|
CN102246461A (zh) | 2011-11-16 |
EP2493117A4 (en) | 2012-11-07 |
EP2493117B1 (en) | 2015-01-07 |
CN102246461B (zh) | 2013-08-28 |
US8724500B2 (en) | 2014-05-13 |
JP5536225B2 (ja) | 2014-07-02 |
US20120224576A1 (en) | 2012-09-06 |
EP2493117A1 (en) | 2012-08-29 |
KR101372988B1 (ko) | 2014-03-25 |
JP2013511228A (ja) | 2013-03-28 |
KR20120084774A (ko) | 2012-07-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2011060571A1 (zh) | 一种地址重复检测代理方法、装置及系统 | |
JP4960437B2 (ja) | データ通信ネットワークに関する論理グループエンドポイントディスカバリ | |
WO2010072096A1 (zh) | IPv6环境下提高邻居发现安全性的方法及宽带接入设备 | |
US20210359971A1 (en) | Method and Apparatuses for Avoiding Paging Storm During ARP Broadcast for Ethernet Type PDU | |
WO2018214809A1 (zh) | 消息发送方法及装置、存储介质 | |
WO2019184752A1 (zh) | 网络设备的管理方法、装置及系统 | |
US20150350043A1 (en) | Methods and arrangements for checking connectivity and detecting connectivity failure | |
WO2011069419A1 (zh) | 一种IPv6报文的处理方法、设备和系统 | |
WO2008020732A1 (en) | Methods for supporting ipv6 using bridge extension in wireless communication system | |
CN115118545B (zh) | 以太网虚拟专用网多播网络中的组管理协议主机移动性 | |
WO2012075850A1 (zh) | 一种防止mac地址欺骗的方法、系统及交换机 | |
EP2182683B1 (en) | Self-configuration of a forwarding tabel in an access node | |
JP5241957B2 (ja) | 加入者装置をIPv6対応のアグリゲーションネットワークに接続するための方法および装置 | |
WO2011116710A2 (zh) | 一种邻居发现的方法,装置和系统 | |
US9025606B2 (en) | Method and network node for use in link level communication in a data communications network | |
JP4169036B2 (ja) | 移動支援装置 | |
WO2024187314A1 (zh) | 主备切换方法、装置、网关设备及存储介质 | |
JP3861885B2 (ja) | 移動端末及びパケット送信方法 | |
JP4169037B2 (ja) | 移動登録方法 | |
JP4208030B2 (ja) | 移動端末、移動支援装置およびネットワークシステム | |
JP3861903B2 (ja) | 移動端末及びパケット送信方法 | |
WO2012155570A1 (zh) | 一种IPv6地址重复后自动恢复的方法、系统和节点 | |
CN111726292A (zh) | 一种基于nhrp架构的nhrp协议隔离方法 | |
Levis | Network Working Group M. Boucadair Internet-Draft France Telecom Intended status: Informational J. Touch Expires: March 5, 2012 USC/ISI | |
WO2014101155A1 (zh) | Vpls中vc标签分配和mac地址学习的方法,设备和系统 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | WWE | Wipo information: entry into national phase | Ref document number: 200980148673.9 Country of ref document: CN |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09851363 Country of ref document: EP Kind code of ref document: A1 |
 | WWE | Wipo information: entry into national phase | Ref document number: 2012539157 Country of ref document: JP |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | WWE | Wipo information: entry into national phase | Ref document number: 1202/KOLNP/2012 Country of ref document: IN |
 | WWE | Wipo information: entry into national phase | Ref document number: 2009851363 Country of ref document: EP |
 | ENP | Entry into the national phase | Ref document number: 20127014077 Country of ref document: KR Kind code of ref document: A |