WO2011060571A1 - Duplicate address detection proxy method, apparatus and system (一种地址重复检测代理方法、装置及系统) - Google Patents

Info

Publication number: WO2011060571A1
Application number: PCT/CN2009/074984
Authority: WO, WIPO (PCT)
Prior art keywords: address, dad, information, detected, message
Other languages: English (en), French (fr)
Inventors: 顾杜娟, 李宏宇, 郑若滨, 厉益舟
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)

Application filed by 华为技术有限公司
Priority to EP09851363.3A (EP2493117B1)
Priority to KR1020127014077A (KR101372988B1)
Priority to PCT/CN2009/074984 (WO2011060571A1)
Priority to CN2009801486739A (CN102246461B)
Priority to JP2012539157A (JP5536225B2)
Publication of WO2011060571A1
Priority to US13/472,978 (US8724500B2)

Classifications

All under H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L 61/5046 Resolving address allocation conflicts; testing of addresses (H04L 61/00 Network arrangements, protocols or services for addressing or naming; H04L 61/50 Address allocation)
    • H04L 61/2592 Translation of Internet protocol [IP] addresses using tunnelling or encapsulation (H04L 61/09 Mapping addresses; H04L 61/25 Mapping addresses of the same type; H04L 61/2503 Translation of IP addresses)
    • H04L 61/5092 Address allocation by self-assignment, e.g. picking addresses at random and testing if they are already in use
    • H04L 61/59 Network arrangements, protocols or services for addressing or naming using proxies for addressing
    • H04L 2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses (H04L 2101/00 Indexing scheme associated with group H04L 61/00; H04L 2101/60 Types of network addresses; H04L 2101/618 Details of network addresses)
    • H04L 2101/659 Internet protocol version 6 [IPv6] addresses
    • H04L 65/40 Support for services or applications (H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication)

Definitions

  • The present invention relates to the field of communications, and in particular to a duplicate address detection (DAD) proxy method, apparatus and system.
  • Background art
  • IPv6 will replace Internet Protocol version 4 (IPv4) as the next-generation Internet protocol. A prominent feature of IPv6 is its support for automatic address configuration of network nodes, which greatly simplifies the network administrator's work.
  • DAD: Duplicate Address Detection
  • DSL: Digital Subscriber Line
  • P2P: Point to Point
  • PON: Passive Optical Network
  • Even when the user ports of a network device belong to the same VLAN, the user ports are isolated from one another, so the network device does not forward one user's DAD packets to the other users. In the N:1 VLAN model, the VLAN IDs carried in packets from N VLANs are rewritten to one common VLAN ID. As a result, DAD does not work in these scenarios and addresses cannot be configured automatically.
  • In the prior art, DAD is made to work in this scenario by having an ND Proxy (Neighbor Discovery Proxy) forward the DAD packets.
  • ND Proxy: Neighbor Discovery Proxy
  • The NS (Neighbor Solicitation) multicast packet is sent to the ND Proxy through the intermediate Layer 2 network AN1.
  • Proxy port 1 of the ND Proxy rewrites the LLA (Link-Local Address) and the S-MAC (source MAC address) in the packet and then forwards the modified multicast packet unconditionally to the other ports of the ND Proxy. For example, port 2 receives the modified packet and sends it to the corresponding User2 through the intermediate Layer 2 network AN2.
  • LLA: Link-Local Address
  • S-MAC: Source Media Access Control (source MAC) address
  • Because the ND Proxy must forward the DAD-NS multicast packet, it forwards every DAD-NS multicast packet it receives unconditionally to all ports other than the one the packet arrived on.
  • In practice only the users behind a few of those ports will ever hold a duplicate address. Forwarding the multicast packet on all other ports wastes resources and consumes a large amount of bandwidth; forwarding the DAD-NS multicast packet to other users lets those users easily read the detecting user's address and other related information from the message, which is a security risk; and because the DAD-NS multicast packet has to pass through the ND Proxy, the detection delay increases.
  • To solve these problems, an embodiment of the present invention provides a duplicate address detection proxy method and apparatus.
  • The technical solution is as follows:
  • An embodiment of the present invention provides a duplicate address detection proxy method, where the method includes:
  • obtaining a DAD-NS message, where the DAD-NS message includes address information sent by the user and access location information corresponding to that address information, and the address information includes at least an IP address to be detected and a link layer address;
  • comparing the DAD-NS message against locally stored DAD information; when the comparison shows that the IP address to be detected is not duplicated, adding the DAD-NS message to the locally stored DAD information; and when the comparison cannot determine whether the IP address to be detected is duplicated, performing unreachability detection on the IP address to be detected according to the address information in the matching locally stored DAD information, so as to determine whether it is duplicated. The DAD information includes address information of at least one user and the access location information corresponding to that address information.
  • An embodiment of the present invention provides a duplicate address detection proxy apparatus, where the apparatus includes an obtaining module, a storage module and a processing module;
  • the obtaining module is configured to obtain a duplicate address detection neighbor solicitation (DAD-NS) message, where the DAD-NS message includes address information sent by the user and access location information corresponding to that address information, and the address information includes at least an IP address to be detected and a link layer address;
  • the storage module is configured to store DAD information;
  • the DAD information includes address information of at least one user and the access location information corresponding to that address information;
  • the processing module is configured to compare the DAD-NS message obtained by the obtaining module against the DAD information stored by the storage module; when the comparison shows that the IP address to be detected is not duplicated, to add the DAD-NS message to the locally stored DAD information; and when the comparison cannot determine whether the IP address to be detected is duplicated, to initiate unreachability detection on the IP address to be detected according to the address information in the matching locally stored DAD information, so as to determine whether it is duplicated.
  • An embodiment of the present invention provides a duplicate address detection proxy system, where the system includes a duplicate address detection proxy device and an access device;
  • the duplicate address detection proxy device includes an obtaining module, a storage module and a processing module;
  • the obtaining module is configured to obtain a DAD-NS message through the access device, where the DAD-NS message includes address information sent by the user and access location information, corresponding to that address information, inserted by the access device, and the address information includes at least an IP address to be detected and a link layer address;
  • the storage module is configured to store DAD information;
  • the DAD information includes address information of at least one user and the access location information corresponding to that address information;
  • the processing module is configured to compare the DAD-NS message obtained by the obtaining module against the DAD information stored by the storage module; when the comparison shows that the IP address to be detected is not duplicated, to add the DAD-NS message to the locally stored DAD information; and when the comparison cannot determine whether the IP address to be detected is duplicated, to initiate unreachability detection on the IP address to be detected according to the address information in the matching locally stored DAD information, so as to determine whether it is duplicated;
  • the processing module includes:
  • a comparing unit configured to compare the DAD-NS message obtained by the obtaining module against the DAD information stored by the storage module;
  • an unreachability detecting unit configured to initiate unreachability detection on the IP address to be detected, according to the address information in the matching locally stored DAD information, when the comparing unit finds in the stored DAD information an entry that has
  • the same access location information and the same IP address to be detected as the obtained DAD-NS message but a different link layer address, or
  • the same IP address to be detected but different access location information and a different link layer address, or
  • the same link layer address and the same IP address to be detected but different access location information;
  • and to notify the sending unit if the unreachability detection succeeds, or the determining unit if it fails;
  • the sending unit is configured to, after receiving the success notification from the unreachability detecting unit, determine that the IP address to be detected is a duplicate address and send a duplicate address detection neighbor advertisement (DAD-NA) message to the user through the access device;
  • the determining unit is configured to, after receiving the failure notification from the unreachability detecting unit, determine that the IP address to be detected is not duplicated;
  • the access device includes a receiving module, a determining module, a sending module and a discarding module;
  • the receiving module is configured to receive the DAD-NA message sent by the sending unit in the processing module of the duplicate address detection proxy device;
  • the DAD-NA message includes the access loop identifier corresponding to the user, where the access loop identifier includes the access device identifier and the line identifier corresponding to the user;
  • the determining module is configured to determine whether the access loop identifier in the DAD-NA message received by the receiving module carries the access device's own identifier; if so, to notify the sending module; if not, to notify the discarding module;
  • the sending module is configured to send the DAD-NA message to the user according to the line identifier in the access loop identifier;
  • the discarding module is configured to discard the DAD-NA message.
  • The technical solution provided by the embodiments of the present invention has the following beneficial effects: the received DAD-NS message is compared against the locally stored DAD information, and when the comparison shows that the IP address to be detected may be duplicated, unreachability detection is initiated on that address according to the address information in the matching stored DAD information to decide whether it really is duplicated. DAD is thus performed correctly without forwarding the multicast packet to other users that do not need to take part in the detection, and those other users cannot obtain the DAD-NA message meant for the detecting user. This solves the waste of resources and the security problem caused in the prior art by unconditional multicast forwarding of the DAD-NS message.
  • FIG. 2 is a schematic flowchart of a duplicate address detection proxy method according to Embodiment 1 of the present invention.
  • FIG. 3 is a schematic flowchart of a duplicate address detection proxy method according to Embodiment 2 of the present invention.
  • FIG. 4 is a schematic structural diagram of a duplicate address detection proxy device according to Embodiment 3 of the present invention.
  • FIG. 5 is a schematic structural diagram of a duplicate address detection proxy system according to Embodiment 4 of the present invention.
  • Detailed description
  • Embodiment 1. Referring to FIG. 2, an embodiment of the present invention provides a duplicate address detection proxy method, where the method includes:
  • obtaining a DAD-NS message, where the DAD-NS message includes address information sent by the user and access location information corresponding to that address information, and the address information includes an IP address to be detected and a link layer address.
  • The link layer address is the MAC address on an Ethernet link, or the ITU-T (ITU Telecommunication Standardization Sector) E.164 address in an Integrated Services Digital Network (ISDN).
  • ISDN: Integrated Services Digital Network
  • comparing the DAD-NS message against locally stored DAD information; when the comparison shows that the IP address to be detected is not duplicated, adding the DAD-NS message to the locally stored DAD information; and when the comparison cannot determine whether the IP address to be detected is duplicated, performing unreachability detection on the IP address to be detected according to the address information in the matching locally stored DAD information, so as to determine whether it is duplicated.
  • The beneficial effects of this embodiment are: by comparing the obtained DAD-NS message against the locally stored DAD information to determine whether the IP address to be detected is duplicated, DAD is performed correctly, the multicast packet need not be forwarded to users that do not need to perform detection, and those users cannot obtain the DAD-NA message meant for the detecting user. This solves the waste of resources and the security problem caused in the prior art by unconditional multicast forwarding of the DAD-NS message.
  • Embodiment 2. Referring to FIG. 3, an embodiment of the present invention provides a DAD proxy method.
  • This embodiment takes address information consisting of the link layer address and the IP address to be detected as an example; the case where the address information sent by the user also includes the prefix of the IP address to be detected or other information is not excluded. When other information is included it can be handled according to the specific circumstances and still falls within the inventive concept of the present invention.
  • When a user in the user network is about to use an IPv6 unicast address, DAD must be performed on that address to ensure its uniqueness. The IPv6 unicast address to be used is referred to as the IP address to be detected.
  • IPv6 unicast addresses include the LLA, the GUA (Global Unicast Address) and the ULA (Unique Local IPv6 Address).
  • In the DAD-NS message the source address is set to the unspecified address (::) and the destination address to the solicited-node multicast address formed from the IP address to be detected.
  • Before performing DAD, the user must join two multicast groups: the all-nodes multicast group and the solicited-node multicast group. The former ensures that the user receives a DAD-NA (Neighbor Advertisement) message from a user that already uses the IP address to be detected; the latter ensures that two users about to use the same IP address to be detected discover each other in time.
  • The method specifically includes:
  • The DAD Proxy obtains the DAD-NS message.
  • The DAD-NS message includes address information sent by the user and the access location information corresponding to the user's address information, where the address information includes the IP address to be detected and the link layer address.
  • The link layer address may be a MAC address, but is not limited to one.
  • The user that sends the address information may also be called the user performing DAD.
  • The access location information may be sent by the user or obtained by the DAD Proxy itself. When the user sends the address information to the DAD Proxy through the intermediate Layer 2 network, the user's access location information can be inserted by the intermediate Layer 2 network.
  • The access location information may be an access loop identifier, which includes the line identifier of the line the user is connected to.
  • The access loop identifier may include the Agent Circuit ID and/or the Agent Remote ID defined by RFC (Request For Comments) 3046.
  • Different types of access line have different line identifier coding formats.
  • One coding format of the line identifier of the user's line is: ANI_port[:ANI_XPI.ANI_XCI]
  • For the PON system, the line identifier of the user's line is coded as: AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port/ONU_ID
  • The broadband user access line (port) information in a LAN system is coded following the PON system's format; the line identifier of the user's line is coded as follows:
  • After receiving the address information sent by a first user, the DAD Proxy stores the user's address information together with the corresponding access location information as one piece of DAD information. Within it the IP address to be detected and the MAC address also correspond to each other, that is, the user's IP address to be detected, MAC address and access location information are bound into one DAD entry.
  • The DAD Proxy can store multiple pieces of DAD information for multiple users.
  • The obtained DAD-NS message is compared against the locally stored DAD information. If it has the same link layer address, the same IP address to be detected and the same access location information as a stored entry, step 203 is performed.
  • If it has the same IP address to be detected as a stored entry but differs from it in the link layer address, in the access location information, or in both, the IP address to be detected may be duplicated, and unreachability detection is performed.
  • If it has the same link layer address as a stored entry but different access location information and a different IP address to be detected, the same user may have roamed elsewhere.
  • Step 203: in this case the same user is considered to be repeating its detection, and no action is taken.
  • Unreachability detection is performed as follows:
  • an NS packet is built as a unicast packet addressed to the IP address to be detected held in the matching locally stored DAD information and is encapsulated in an IPv6 packet;
  • the IPv6 packet is then link-layer encapsulated using the MAC address that corresponds to that IP address to be detected in the stored DAD information;
  • the unicast IPv6 packet is sent to the user corresponding to the IP address to be detected, and the proxy waits for that user's NA reply. If an NA is received within the preset time, the IP address to be detected is reachable, the unreachability detection succeeds, and step 205 is performed. If no NA is received within the preset time, the IP address to be detected is unreachable and the unreachability detection fails.
  • Step 205: determine that the IP address to be detected in the obtained address information is a duplicate address, and send a DAD-NA message to the user performing DAD; the DAD-NA message includes the access location information and/or the link layer address of the user.
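The probe and the reply just described, as an added example that is not part of the patent: the unicast NS the DAD Proxy builds for its unreachability detection (IPv6 unicast to the stored IP address, Ethernet unicast to the stored MAC, rather than the solicited-node multicast a host uses for its own DAD-NS), and the check of the NA that a live holder answers with. It uses only the Python standard library; the addresses, MAC addresses and the responder are constructed for the example, and nothing is sent on a real link.

```python
"""Added example, not code from the patent: the unicast Neighbor Solicitation a
DAD proxy sends as its unreachability-detection probe, and the check of the
Neighbor Advertisement a live holder answers with. Standard library only; the
frames are built and parsed as bytes and nothing is put on a real link."""
import ipaddress
import struct

ICMPV6_NS, ICMPV6_NA, IPPROTO_ICMPV6, ETH_P_IPV6 = 135, 136, 58, 0x86DD


def packed(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed


def solicited_node_multicast(target: str) -> str:
    """ff02::1:ffXX:XXXX, where a host sends its own DAD-NS (source ::). The
    proxy's probe deliberately does not use it: it is unicast to the holder."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """RFC 4443 one's-complement sum over the IPv6 pseudo-header and the ICMPv6 message.
    Over a message that already carries its checksum the result is 0."""
    data = packed(src) + packed(dst) + struct.pack("!I3xB", len(msg), IPPROTO_ICMPV6) + msg
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def nd_message(kind: int, src: str, dst: str, target: str, flags: int, mac: bytes, opt: int) -> bytes:
    """NS (opt 1 = source link-layer address) or NA (opt 2 = target link-layer address)."""
    body = struct.pack("!BBHB3x", kind, 0, 0, flags) + packed(target) + struct.pack("!BB6s", opt, 1, mac)
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def frame(dst_mac: bytes, src_mac: bytes, src: str, dst: str, icmp: bytes) -> bytes:
    """Ethernet + IPv6 (hop limit 255, as Neighbor Discovery requires) + ICMPv6."""
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255) + packed(src) + packed(dst)
    return dst_mac + src_mac + struct.pack("!H", ETH_P_IPV6) + ip6 + icmp


def parse_nd(fr):
    """(type, src, dst, target, flags) for a checksum-valid NS/NA frame, else None."""
    if fr is None or len(fr) < 78 or fr[12:14] != b"\x86\xdd" or fr[20] != IPPROTO_ICMPV6:
        return None
    src, dst = str(ipaddress.IPv6Address(fr[22:38])), str(ipaddress.IPv6Address(fr[38:54]))
    icmp = fr[54:54 + struct.unpack("!H", fr[18:20])[0]]
    if len(icmp) < 24 or icmp[0] not in (ICMPV6_NS, ICMPV6_NA) or icmpv6_checksum(src, dst, icmp):
        return None
    return icmp[0], src, dst, str(ipaddress.IPv6Address(icmp[8:24])), icmp[4]


def build_probe(proxy_ip: str, proxy_mac: bytes, stored_ip: str, stored_mac: bytes) -> bytes:
    """The proxy's probe: NS unicast to the stored IP, Ethernet unicast to the stored MAC."""
    return frame(stored_mac, proxy_mac, proxy_ip, stored_ip,
                 nd_message(ICMPV6_NS, proxy_ip, stored_ip, stored_ip, 0, proxy_mac, 1))


def host_responder(host_ip: str, host_mac: bytes):
    """Constructed stand-in for the probed user: answers a solicited NA for its own address only."""
    def respond(fr: bytes):
        nd = parse_nd(fr)
        if nd is None or nd[0] != ICMPV6_NS or nd[3] != host_ip:
            return None
        na = nd_message(ICMPV6_NA, host_ip, nd[1], host_ip, 0x40, host_mac, 2)   # S flag set
        return frame(fr[6:12], host_mac, host_ip, nd[1], na)
    return respond


def unreachability_detection(proxy_ip: str, proxy_mac: bytes, stored_ip: str,
                             stored_mac: bytes, link) -> bool:
    """link(frame) stands in for a raw socket with the preset timeout and returns the
    reply frame or None. True: a solicited NA for the stored address arrived in time,
    the address is in use and the detection 'succeeds' (duplicate). False: unreachable."""
    nd = parse_nd(link(build_probe(proxy_ip, proxy_mac, stored_ip, stored_mac)))
    return bool(nd and nd[0] == ICMPV6_NA and nd[3] == stored_ip and nd[4] & 0x40)


if __name__ == "__main__":
    proxy_mac, host_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    live = host_responder("2001:db8::10", host_mac)
    print(solicited_node_multicast("2001:db8::10"))
    print(unreachability_detection("fe80::1", proxy_mac, "2001:db8::10", host_mac, live))
    print(unreachability_detection("fe80::1", proxy_mac, "2001:db8::11", host_mac, live))
```

Two points the code makes concrete: the probe's Ethernet destination is the stored MAC, so it reaches only the line that entry was learned on (which is what makes the nomadic case below fail and trigger an update), and the reply is accepted only if its checksum is valid, it is an NA for the probed target, and the Solicited flag is set, so an unrelated or unsolicited advertisement does not count as "reachable".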
  • The DAD-NS message and the DAD-NA message can be received or sent as packets.
  • In the prior art, the DAD-NA packet must first be sent to the ND Proxy, which then forwards it to the user performing DAD.
  • Here the DAD Proxy itself detects that the IP address to be detected is a duplicate and sends the DAD-NA message directly to the user performing DAD, which greatly reduces, compared with the prior art, the time between the user sending the DAD-NS packet and receiving the DAD-NA packet.
  • Sending the DAD-NA message to the user performing DAD includes:
  • sending the DAD-NA message to the user performing DAD through the intermediate Layer 2 network, where the DAD-NA message carries the access location information corresponding to that user, that is, the access loop identifier;
  • the access loop identifier may further include the network identifier of the intermediate Layer 2 network;
  • the DAD Proxy sends the DAD-NA message to the intermediate Layer 2 network, which checks whether the access loop identifier in the DAD-NA message carries its own network identifier. If so, it sends the DAD-NA message to the corresponding user according to the line identifier in the access loop identifier; if not, it discards the DAD-NA message, that is, it does not forward it.
  • The access loop identifier can be removed from the DAD-NA message before the message is sent on to the user.
  • The access loop identifier need not include the network identifier; but if the line identifiers of user lines in different user networks across the whole network may collide, including the network identifier in the access loop identifier lets the user obtain the DAD-NA message more quickly.
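The access device's side of the DAD-NA delivery just described, together with the two line-identifier coding formats quoted earlier, as an added example (not the patent's own code): forward only when the access loop identifier names this device, route by line identifier, strip the identifier before the message reaches the user, and discard everything else. The DadNa record layout, the port map and the sample identifiers are assumptions made for the example.

```python
"""Added example, not from the patent: an access device (intermediate Layer 2
network) handling a DAD-NA that carries an access loop identifier, plus parsers
for the two line-identifier formats quoted in the description. The DadNa layout
and the port map are assumptions made for the example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PON_FIELDS = ("AccessNodeIdentifier", "ANI_rack", "ANI_frame", "ANI_slot",
              "ANI_subslot", "ANI_port", "ONU_ID")


def parse_line_id(text: str) -> dict:
    """Formats from the description:
       ANI_port[:ANI_XPI.ANI_XCI]                                      e.g. '3' or '3:8.35'
       AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port/ONU_ID  (PON)
    Malformed text raises ValueError, so a bogus identifier is dropped rather than guessed at."""
    if "/" in text:
        parts = text.split("/")
        if len(parts) != len(PON_FIELDS):
            raise ValueError("PON line identifier needs %d fields" % len(PON_FIELDS))
        fields = {"format": "pon", PON_FIELDS[0]: parts[0]}
        fields.update((name, int(value)) for name, value in zip(PON_FIELDS[1:], parts[1:]))
        return fields
    port, sep, rest = text.partition(":")
    fields = {"format": "port", "ANI_port": int(port)}
    if sep:
        xpi, dot, xci = rest.partition(".")
        if not dot:
            raise ValueError("expected ANI_XPI.ANI_XCI after ':'")
        fields["ANI_XPI"], fields["ANI_XCI"] = int(xpi), int(xci)
    return fields


@dataclass(frozen=True)
class DadNa:
    access_node: str   # network identifier part of the access loop identifier (assumed field)
    line_id: str       # line identifier part (assumed field)
    icmpv6: bytes      # the Neighbor Advertisement itself; opaque here


class AccessDevice:
    def __init__(self, node_id: str, ports: Dict[str, str]) -> None:
        self.node_id = node_id
        self.ports = ports          # line identifier -> user-facing port (constructed map)
        self.discarded = 0

    def handle_dad_na(self, na: DadNa) -> Optional[Tuple[str, bytes]]:
        """(port, bytes for the user) when the DAD-NA is for one of this device's
        lines, None when it is discarded. Only the ICMPv6 NA goes out: the access
        loop identifier is stripped first, so it is never exposed on the user's line."""
        if na.access_node != self.node_id:
            self.discarded += 1                # another network's user: do not forward
            return None
        try:
            parse_line_id(na.line_id)          # reject identifiers that are not well formed
        except ValueError:
            self.discarded += 1
            return None
        port = self.ports.get(na.line_id)
        if port is None:
            self.discarded += 1                # well formed, but no such line here
            return None
        return port, na.icmpv6


if __name__ == "__main__":
    an1 = AccessDevice("AN1", {"3:8.35": "dsl-3", "AN1/0/0/1/0/2/7": "pon-2-onu7"})
    print(an1.handle_dad_na(DadNa("AN1", "3:8.35", b"<NA>")))
    print(an1.handle_dad_na(DadNa("AN2", "3:8.35", b"<NA>")))
    print(parse_line_id("AN1/0/0/1/0/2/7"))
```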
  • Further, the method includes: updating, in the locally stored DAD information, the address information of the user performing DAD and/or the access location information corresponding to that address information.
  • Further, the method includes:
  • storing locally the address information in the DAD-NS message and the access location information corresponding to it.
  • Nomadism refers to a scenario in which a user, after connecting through line 1, moves to line 2.
  • Because the access location information in the locally saved DAD information is that of line 1, and the line 2 information corresponding to the user after moving is not saved, the prior art cannot perform DAD in the nomadic scenario.
  • Here the obtained DAD-NS message is compared against the locally stored DAD information; when an entry with the same IP address to be detected, the same link layer address and different access location information is found, unreachability detection is performed according to that stored entry. If the unreachability detection fails, the locally stored DAD information is updated so that the user's access location information now carries the line 2 information, and automatic address configuration can proceed.
  • The method may further include:
  • The unreachability detection performed here is the same as the unreachability detection process described above.
  • The DAD Proxy may be located on the IP edge device, that is, the first Layer 3 node in the network, such as a BRAS, NAS or BAS, or in the intermediate Layer 2 network.
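The comparison and decision logic of the method (the comparison against stored DAD information, step 203, the unreachability detection, step 205 and the nomadic update described above), as an added example rather than the patent's own code; it also stands in for the comparing, unreachability detecting, sending, determining and updating units of the device embodiment that follows. The reachability probe and the DAD-NA sender are injected callables so the table logic runs offline; the entry names, the loop-identifier strings and the walk-through scenario are constructed for the example.

```python
"""Added example, not the patent's code: the DAD proxy's comparison table and
the decisions that follow it. The probe (a unicast NS; True if an NA came back
within the preset time) and the DAD-NA sender are injected so it runs offline."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class DadEntry:
    ip: str        # IPv6 address to be detected
    mac: str       # link layer address sent by the user
    loop_id: str   # access loop identifier (access node + line), inserted by the access network


class DadProxy:
    def __init__(self, probe: Callable[[DadEntry], bool],
                 send_na: Callable[[str, DadEntry], None]) -> None:
        self.table: List[DadEntry] = []  # one bound ip/mac/loop_id triple per user
        self.probe = probe
        self.send_na = send_na           # (requester's loop_id, current holder) -> unicast DAD-NA

    def handle_dad_ns(self, req: DadEntry) -> str:
        """One DAD-NS from the access network; returns 'repeat', 'duplicate', 'updated' or 'added'."""
        for i, stored in enumerate(self.table):
            if stored.ip != req.ip:
                continue                                  # other addresses never conflict
            if stored.mac == req.mac and stored.loop_id == req.loop_id:
                return "repeat"                           # step 203: same user repeating its DAD
            # Same IP but a different MAC and/or access location: the three
            # "may be duplicated" cases. Only a probe of the *stored* holder
            # separates a live duplicate from a stale entry.
            if self.probe(stored):
                self.send_na(req.loop_id, stored)         # step 205: answer the requester only
                return "duplicate"
            self.table[i] = req                           # holder gone (e.g. nomadic user): refresh entry
            return "updated"
        self.table.append(req)                            # first claim on this address: bind the triple
        return "added"


def scenario() -> Tuple[List[str], List[Tuple[str, DadEntry]], List[DadEntry]]:
    """Constructed walk-through: first claim, repeat, a real duplicate behind another
    access node, then the first user reappearing nomadically on a new line."""
    live = {"2001:db8::10"}      # addresses that currently answer a unicast NS on their stored line
    na_log: List[Tuple[str, DadEntry]] = []
    proxy = DadProxy(probe=lambda e: e.ip in live,
                     send_na=lambda loop_id, holder: na_log.append((loop_id, holder)))
    user_a = DadEntry("2001:db8::10", "02:00:00:00:00:01", "AN1|3:8.35")
    user_b = DadEntry("2001:db8::10", "02:00:00:00:00:02", "AN2|7:8.35")
    outcomes = [proxy.handle_dad_ns(user_a),              # added
                proxy.handle_dad_ns(user_a),              # repeat
                proxy.handle_dad_ns(user_b)]              # duplicate: A still answers; NA goes to AN2|7:8.35 only
    live.clear()                                          # A leaves line 3, so the probe to line 3 gets no NA ...
    user_a_moved = DadEntry(user_a.ip, user_a.mac, "AN1|5:8.35")
    outcomes.append(proxy.handle_dad_ns(user_a_moved))    # ... and A's entry is updated to line 5, not rejected
    return outcomes, na_log, list(proxy.table)


if __name__ == "__main__":
    for part in scenario():
        print(part)
```

The DAD-NA never leaves the proxy as multicast: send_na is handed the requester's own access loop identifier and nothing else, which is the property that keeps other users on the segment from learning which address was tested.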
  • The beneficial effects of this embodiment are: whether the IP address to be detected is duplicated is determined by comparing the obtained DAD-NS message against the locally stored DAD information; if the IP address to be detected may be duplicated, the DAD Proxy initiates unicast unreachability detection, and the result decides whether it really is duplicated; if it is, the DAD-NA message is sent directly to the user performing DAD. This performs DAD correctly, avoids the waste of resources and the added delay caused in the prior art by unconditional forwarding of DAD-NS multicast packets, and prevents the DAD-NS multicast packet from being forwarded to other users who could read the detecting user's address and other related information from it and mount a malicious attack, thereby improving the user's information security. When a user becomes nomadic, DAD can still be performed by updating the nomadic user's access location information, so that automatic address configuration can proceed. Further, limiting the forwarding range of the DAD-NA message according to the network identifier and the line identifier in the access loop identifier means that users on networks and lines other than the identified ones cannot obtain the DAD-NA message, which prevents an illegitimate user within the access range from eavesdropping on the DAD-NA message, obtaining related information and then mounting a malicious attack.
  • Embodiment 3. Referring to FIG. 4, an embodiment of the present invention provides a DAD proxy device, where the device includes an obtaining module 301, a storage module 302 and a processing module 303;
  • the obtaining module 301 is configured to obtain a duplicate address detection neighbor solicitation (DAD-NS) message, where the DAD-NS message includes address information sent by the user and access location information corresponding to that address information, and the address information includes at least an IP address to be detected and a link layer address;
  • the link layer address may be a MAC address, but is not limited to one;
  • the user that sends the address information may also be called the user performing DAD.
  • The access location information obtained by the obtaining module 301 may be sent by the user, stored by the DAD proxy device itself, or inserted by the access device corresponding to the user.
  • The storage module 302 stores DAD information, which includes address information of at least one user and the access location information corresponding to that address information.
  • The address information of each user includes at least a link layer address and an IP address to be detected.
  • This embodiment takes address information consisting of the link layer address and the IP address to be detected as an example; the case where the address information sent by the user also includes the prefix of the IP address to be detected or other information is not excluded. When other information is included it can be handled according to the specific circumstances and still falls within the inventive concept of the present invention.
  • The processing module 303 is configured to compare the DAD-NS message obtained by the obtaining module 301 against the DAD information stored in the storage module 302, to determine whether the IP address to be detected is duplicated.
  • The processing module 303 includes a comparing unit 3030, an unreachability detecting unit 3031, a sending unit 3032, a determining unit 3033 and an updating unit 3034.
  • The comparing unit 3030 is configured to compare the DAD-NS message obtained by the obtaining module 301 against the DAD information stored by the storage module 302.
  • The unreachability detecting unit 3031 is configured to initiate unreachability detection on the IP address to be detected, according to the address information in the matching locally stored DAD information found by the comparing unit 3030, when the comparing unit 3030 finds in the DAD information stored in the storage module 302 an entry that has
  • the same access location information and the same IP address to be detected as the obtained DAD-NS message but a different link layer address, or
  • the same IP address to be detected but different access location information and a different link layer address, or
  • the same link layer address and the same IP address to be detected but different access location information;
  • and to notify the sending unit 3032 if the unreachability detection succeeds, or the determining unit 3033 if it fails.
  • The unreachability detecting unit 3031 may include a first encapsulating subunit, a second encapsulating subunit and a transmitting subunit;
  • the first encapsulating subunit is configured to build the NS packet as a unicast packet addressed to the IP address to be detected in the matching DAD information and to encapsulate it in an IPv6 packet;
  • the second encapsulating subunit is configured to link-layer encapsulate the IPv6 packet built by the first encapsulating subunit using the MAC address corresponding to that IP address to be detected in the matching DAD information;
  • the transmitting subunit is configured to send the link-layer encapsulated IPv6 packet from the second encapsulating subunit to the user corresponding to the IP address to be detected and to wait for that user's NA reply. If an NA is received within the preset time, the IP address to be detected is reachable and the sending unit 3032 is notified; if no NA is received within the preset time, the IP address to be detected is unreachable and the determining unit 3033 is notified.
  • the sending unit 3032 is configured to, after receiving the unreachability detection success notification from the unreachability detection unit 3031, determine that the IP address to be detected in the received address information is a duplicate address and send a DAD-NA message to the user performing DAD; the DAD-NA message contains the access location information of the user and/or the link layer address of the user.
  • in practice, the DAD-NS message and the DAD-NA message may be received or sent in packet form. In the prior art, after the ND Proxy forwards the acquired DAD-NS multicast packet, if another user is already using the IP address to be detected that the user performing DAD intends to use, that other user must first send its DAD-NA reply packet to the ND Proxy, which then forwards the DAD-NA packet to the user performing DAD. In the technical solution of this embodiment, once the DAD Proxy detects that the IP address to be detected is a duplicate address, it sends the DAD-NA packet directly to the user performing DAD, which greatly reduces the time until the user that sent the DAD-NS packet receives the DAD-NA packet.
  • the determining unit 3033 is configured to, after receiving the unreachability detection failure notification from the unreachability detection unit 3031, determine that the IP address to be detected in the address information acquired by the obtaining module 301 is not duplicated.
  • the processing module 303 further includes an updating unit 3034, configured to, after the determining unit 3033 determines that the IP address to be detected in the address information acquired by the obtaining module 301 is not duplicated, update, in the DAD information stored by the storage module 302, the address information of the user performing DAD and/or the access location information corresponding to that address information.
  • when the comparing unit 3030 finds that the DAD-NS message received by the obtaining module 301 and an entry in the DAD information stored by the storage module 302 have the same link layer address, the same IP address to be detected and different access location information, the user performing DAD is a nomadic user; "nomadic" refers to the scenario in which a user connected on line 1 later moves to line 2. After the user moves, the storage module 302 holds only the line 1 information of that user and not the line 2 information, so the prior art cannot implement DAD in the nomadic scenario.
  • in this embodiment, when the DAD-NS message acquired by the obtaining module 301 and the DAD information stored in the storage module 302 have the same IP address to be detected, the same link layer address and different access location information, the unreachability detection unit 3031 performs unreachability detection on the matched locally stored DAD information; if the unreachability detection fails, the locally stored DAD information of the user is updated so that its access location information includes the line 2 information, after which DAD, and hence automatic address configuration, can proceed.
  • the determining unit 3033 of the processing module 303 is further configured to determine that the IP address to be detected in the DAD-NS message acquired by the obtaining module 301 is not duplicated, indicating that it is available, when the comparing unit 3030 finds that the DAD-NS message matches an entry in the DAD information stored by the storage module 302 with the same link layer address, the same access location information and a different IP address to be detected, or
  • with the same access location information, a different link layer address and a different IP address to be detected, or
  • with the same link layer address, different access location information and a different IP address to be detected, or
  • with different access location information, a different link layer address and a different IP address to be detected.
  • the storage module 302 is further configured to store locally the address information in the acquired DAD-NS message and the access location information corresponding to that address information.
  • the device may further include a DAD information maintenance module 304, configured to maintain the DAD information stored in the storage module 302 by periodically initiating unreachability detection toward the stored address information of each user; if an NA packet from the user corresponding to the address information is received within the preset time, the address information is retained; if no NA packet from that user is received within the preset time, the user no longer exists and the address information is deleted.
  • the beneficial effects of this embodiment are: whether the IP address to be detected is duplicated is determined by comparing the acquired DAD-NS message against the locally stored DAD information; if the IP address to be detected may be duplicated, the proxy apparatus initiates unicast unreachability detection and decides from its result whether the IP address to be detected is duplicated; if it is, the DAD-NA message is sent directly to the user performing DAD. This not only provides correct DAD but also removes the need to forward multicast packets as in the prior art, avoiding the resource waste and added delay caused by unconditional forwarding of DAD-NS multicast packets, and avoiding the situation in which other users obtain the address and related information of the user from a forwarded DAD-NS multicast packet and mount a malicious attack, thereby improving the user's information security; and when the user is nomadic, DAD can still be performed by updating the nomadic user's access location information, enabling automatic address configuration.
  • an embodiment of the present invention provides an address repetition detection proxy system, where the system includes an address repetition detecting apparatus 300 and an access device 400;
  • the address repetition detecting device 300 is the same as the device provided in Embodiment 3, and details are not described herein again.
  • the obtaining module 301 is specifically configured to acquire a duplicate address detection neighbor solicitation (DAD-NS) message through the access device 400, where the DAD-NS message includes the address information sent by the user and the access location information, inserted by the access device 400, corresponding to the address information, the address information including at least an IP address to be detected and a link layer address;
  • the access device includes: a receiving module 401, a determining module 402, a sending module 403, and a discarding module 404;
  • the receiving module 401 is configured to receive the DAD-NA message sent by the apparatus provided in Embodiment 3; the DAD-NA message includes the access loop identifier corresponding to the user performing DAD; the access loop identifier includes the access device identifier and the line identifier corresponding to that user;
  • the judging module 402 is configured to judge whether the access loop identifier in the DAD-NA message received by the receiving module 401 contains the access device's own access device identifier; if so, notify the sending module 403; if not, notify the discarding module 404;
  • the sending module 403 is configured to send the DAD-NA message to the user performing DAD according to the line identifier in the access loop identifier;
  • to make the information received by the user more concise, the sending module 403 may remove the access loop identifier from the DAD-NA message before sending it.
  • the discarding module 404 discards the DAD-NA message.
  • if the line identifiers of user connections are not duplicated across the whole network, i.e. each line identifier uniquely determines a user, the access loop identifier need not include the network identifier; if the identifiers of user connections under multiple user networks in the whole network are duplicated, including the network identifier in the access loop identifier allows the user to obtain the DAD-NA message more quickly.
  • the sending module 403 may also send the DAD-NA message to the user performing DAD according to the link layer address of that user.
  • the beneficial effects of this embodiment are: by judging whether the access loop identifier in the received DAD-NA message contains the access device's own access device identifier, and forwarding the DAD-NA message according to the line identifier in the access loop identifier only when it does, the forwarding range of the DAD-NA message is limited, so that users on networks and lines without that access device identifier and line identifier cannot obtain the DAD-NA message, which prevents an illegitimate user within the access range from eavesdropping on the DAD-NA message and mounting a malicious attack.
  • Embodiments of the invention may be implemented in software, and the corresponding software program may be stored in a readable storage medium, such as a hard disk, a cache, or an optical disk of a computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Description

Method, apparatus and system for duplicate address detection proxy

Technical Field
The present invention relates to the communications field, and in particular to a duplicate address detection proxy method, apparatus and system.

Background
With the development of Internet technology, Internet Protocol version 6 (IPv6) will replace Internet Protocol version 4 (IPv4) as the next-generation Internet protocol. A prominent feature of IPv6 is its support for automatic address configuration of network nodes, which greatly simplifies the work of network administrators. When IPv6 configures addresses automatically, in order to avoid two users having the same IP address, a user must perform DAD (Duplicate Address Detection) before using an IPv6 unicast address, i.e. determine whether that IPv6 unicast address is already used by another user, so as to guarantee the uniqueness of the address.
To support IPv6, terminals are generally required to support DAD. However, DSL (Digital Subscriber Line) is P2P (Point to Point) rather than a shared medium, so two DSL terminals cannot communicate directly; user terminals in a PON (Passive Optical Network) are likewise isolated from one another; and in an N:1 VLAN (Virtual Local Area Network), N ≥ 2, the user ports on a network device are isolated from each other even when they belong to the same VLAN, so the network device does not forward other users' DAD packets to a user (an N:1 VLAN means that the VLAN IDs carried by packets from N VLANs are rewritten to a single VLAN ID). Therefore, DAD cannot work in the above scenarios, and automatic address configuration is not possible.
In the prior art, an ND Proxy (Neighbor Discovery Proxy) may forward DAD multicast packets to provide the DAD function. The specific process is shown in Figure 1: each User is connected to a user network; User 1 sends a DAD-NS (Neighbor Solicitation) multicast packet through intermediate layer-2 network AN1 to the ND Proxy; after Proxy port 1 of the ND Proxy receives the packet, it modifies the LLA (Link-Local Address) and S-MAC (Source Media Access Control) in the packet and then forwards the modified multicast packet unconditionally to the other ports of the ND Proxy; for example, after port 2 receives the modified packet, it sends it through intermediate layer-2 network AN2 to the corresponding User 2.
After analysing the above prior art, the inventors found the following. Although the prior art can forward DAD-NS multicast packets through the ND Proxy, the ND Proxy forwards a received DAD-NS multicast packet unconditionally to every port other than the one on which it was received, whereas in practice address duplication occurs only among users in the user networks of a few ports. Forwarding the multicast packet to all other ports not only wastes resources and consumes a large amount of bandwidth, it also delivers the DAD-NS multicast packet to other users, who can easily obtain the user's address and other related information from the packet, which introduces a security risk. Moreover, because the DAD-NS multicast packet has to be forwarded through the ND Proxy, the detection delay increases. More importantly, users under the same port of the ND Proxy, such as User 3, are missed by the check; since users under the same port are more likely to share prefix information, address duplication among them is also more likely, so DAD is not sufficiently correct and correct automatic address configuration cannot be performed.

Summary
To provide a correct DAD proxy function and at the same time solve the problems of multicast flooding, resource waste and security in the network, embodiments of the present invention provide a duplicate address detection proxy method and apparatus. The technical solution is as follows:
An embodiment of the present invention provides a duplicate address detection proxy method, the method including:
acquiring a duplicate address detection neighbor solicitation (DAD-NS) message, where the DAD-NS message includes address information sent by a user and access location information corresponding to the address information, the address information including at least an IP address to be detected and a link layer address; comparing the acquired DAD-NS message against locally stored DAD information; when it is determined from the comparison result that the IP address to be detected is not duplicated, adding the DAD-NS message to the locally stored DAD information; when it cannot be determined from the comparison result whether the IP address to be detected is duplicated, initiating unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information, so as to determine whether the IP address to be detected is duplicated; the DAD information includes address information of at least one user and access location information corresponding to that address information.
An embodiment of the present invention provides a duplicate address detection proxy apparatus, the apparatus including: an obtaining module, a storage module and a processing module;
the obtaining module is configured to acquire a duplicate address detection neighbor solicitation (DAD-NS) message, where the DAD-NS message includes address information sent by a user and access location information corresponding to the address information, the address information including at least an IP address to be detected and a link layer address;
the storage module is configured to store DAD information; the DAD information includes address information of at least one user and access location information corresponding to that address information;
the processing module is configured to compare the DAD-NS message acquired by the obtaining module against the DAD information stored in the storage module; when it is determined from the comparison result that the IP address to be detected is not duplicated, add the DAD-NS message to the locally stored DAD information; when it cannot be determined from the comparison result whether the IP address to be detected is duplicated, initiate unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information, so as to determine whether the IP address to be detected is duplicated.
An embodiment of the present invention provides a duplicate address detection proxy system, the system including: a duplicate address detection proxy apparatus and an access device;
the duplicate address detection proxy apparatus includes: an obtaining module, a storage module and a processing module;
the obtaining module is configured to acquire a duplicate address detection neighbor solicitation (DAD-NS) message through the access device, where the DAD-NS message includes address information sent by a user and access location information, inserted by the access device, corresponding to the address information, the address information including at least an IP address to be detected and a link layer address;
the storage module is configured to store DAD information; the DAD information includes address information of at least one user and access location information corresponding to that address information;
the processing module is configured to compare the DAD-NS message acquired by the obtaining module against the DAD information stored in the storage module; when it is determined from the comparison result that the IP address to be detected is not duplicated, add the DAD-NS message to the locally stored DAD information; when it cannot be determined from the comparison result whether the IP address to be detected is duplicated, initiate unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information, so as to determine whether the IP address to be detected is duplicated;
the processing module includes:
a comparing unit, configured to compare the DAD-NS message acquired by the obtaining module against the DAD information stored in the storage module;
an unreachability detection unit, configured to, when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with the same access location information, the same IP address to be detected and a different link layer address, or
when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with the same IP address to be detected, different access location information and a different link layer address, or
when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with the same link layer address, the same IP address to be detected and different access location information, initiate unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information; if the unreachability detection succeeds, notify a sending unit; if the unreachability detection fails, notify a determining unit;
the sending unit, configured to, after receiving the unreachability detection success notification from the unreachability detection unit, determine that the IP address to be detected is a duplicate address and send a duplicate address detection neighbor advertisement (DAD-NA) message to the user through the access device;
the determining unit, configured to, after receiving the unreachability detection failure notification from the unreachability detection unit, determine that the IP address to be detected is not duplicated;
the access device includes: a receiving module, a judging module, a sending module and a discarding module;
the receiving module, configured to receive the duplicate address detection neighbor advertisement (DAD-NA) message sent by the sending unit in the processing module of the duplicate address detection proxy apparatus; the DAD-NA message includes an access loop identifier corresponding to the user; the access loop identifier includes an access device identifier and a line identifier corresponding to the user;
the judging module, configured to judge whether the access loop identifier in the DAD-NA message received by the receiving module contains the access device's own access device identifier; if so, notify the sending module; if not, notify the discarding module; the sending module, configured to send the DAD-NA message to the user according to the line identifier in the access loop identifier;
the discarding module, configured to discard the DAD-NA message.
The beneficial effects of the technical solution provided by the embodiments of the present invention are: the received DAD-NS message is compared against the locally stored DAD information, and when it cannot be determined from the comparison result whether the IP address to be detected is duplicated, unreachability detection is initiated toward the IP address to be detected according to the address information in the matched locally stored DAD information, so as to determine whether the IP address to be detected is duplicated. This not only performs DAD correctly, but also avoids forwarding multicast packets to other users that do not need to be checked, so that other users cannot obtain the DAD-NA message of the user being checked, thereby solving the resource waste and security problems caused by unconditional multicast forwarding of DAD-NA messages in the prior art.

Brief Description of the Drawings
Figure 1 is a schematic diagram of the operation of an ND Proxy in the prior art;
Figure 2 is a schematic flowchart of the duplicate address detection proxy method provided in Embodiment 1 of the present invention;
Figure 3 is a schematic flowchart of the duplicate address detection proxy method provided in Embodiment 2 of the present invention;
Figure 4 is a schematic structural diagram of the duplicate address detection proxy apparatus provided in Embodiment 3 of the present invention;
Figure 5 is a schematic structural diagram of the duplicate address detection proxy system provided in Embodiment 4 of the present invention.

Detailed Description of the Embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.

Embodiment 1
Referring to Figure 2, an embodiment of the present invention provides a duplicate address detection proxy method, which includes:
101: Acquire a DAD-NS message; the DAD-NS message includes address information sent by a user and access location information corresponding to the address information, the address information including an IP address to be detected and a link layer address.
For example, the Link-Layer Address is a MAC address on an Ethernet link, and an ITU-T (ITU Telecommunication Standardization Sector) E.164 address in an Integrated Services Digital Network (ISDN).
102: Compare the acquired DAD-NS message against the locally stored DAD information; when it is determined from the comparison result that the IP address to be detected is not duplicated, add the DAD-NS message to the locally stored DAD information; when it cannot be determined from the comparison result whether the IP address to be detected is duplicated, initiate unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information, so as to determine whether the IP address to be detected is duplicated.
The beneficial effects of this embodiment are: by comparing the acquired DAD-NS message against the locally stored DAD information to determine whether the IP address to be detected is duplicated, DAD is performed correctly without forwarding multicast packets to other users that do not need to be checked; those users cannot obtain the DAD-NA message of the user being checked, which solves the resource waste and security problems caused by unconditional multicast forwarding of DAD-NA messages in the prior art.
Embodiment 2
Referring to Figure 3, an embodiment of the present invention provides a DAD proxy method. This embodiment is described only with the example in which the address information sent by the user includes a link layer address and an IP address to be detected; the case in which it also includes the prefix of the IP address to be detected or other information is not excluded, and when other information is included it may be handled according to the specific situation while still falling within the inventive concept of the present invention.
Specifically, whenever a user in a user network is about to use an IPv6 unicast address, it must perform DAD on that IPv6 unicast address to guarantee its uniqueness. In this embodiment, the IPv6 unicast address about to be used is called the IP address to be detected. The IPv6 unicast address may be an LLA, a GUA (Global Unicast Address) or a ULA (Unique Local IPv6 Address). In the address information sent by the user, the source address is set to the unspecified address (::) and the destination address is set to the solicited-node multicast address formed from the IP address to be detected.
It should be noted that before performing DAD, the user must join two multicast groups, namely the all-nodes multicast group and the solicited-node multicast group. The former ensures that the user can receive a DAD-NA (Neighbor Advertisement) message sent by a user already using the IP address to be detected; the latter ensures that users preparing to use the same IP address to be detected can detect each other's presence in time.
The method specifically includes:
201: The DAD Proxy acquires a DAD-NS message; the DAD-NS message includes address information sent by a user and the access location information corresponding to that user's address information, the address information including an IP address to be detected and a link layer address. In this embodiment the link layer address may be, but is not limited to, a MAC address;
In this embodiment, the user that sends the address information may also be called the user performing DAD.
In this embodiment, the acquired access location information may be sent by the user or obtained directly by the DAD Proxy itself; when the user sends the address information to the DAD Proxy through an intermediate layer-2 network, the access location information corresponding to the user may be inserted by that intermediate layer-2 network.
Specifically, the access location information may be an access loop identifier, which includes the identifier of the line to which the user is connected. Specifically, the access loop identifier may include the Agent Circuit ID and/or the Agent Remote ID defined in RFC (Request For Comments) 3046;
Different types of access loop identifier may use different line identifier encoding formats.
For example, when the type corresponding to the access loop identifier is DSL and the access node is a DSLAM (Digital Subscriber Line Access Multiplexer), the encoding format of the line identifier of the user's connection is as follows:
{atm|eth}
AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/
ANI_port [:ANI_XPI.ANI_XCI]
When the type corresponding to the access loop identifier is PON and the access node is an ONU/OLT (Optical Network Unit / Optical Line Terminal), the encoding format of the line identifier of the user's connection is as follows:
AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port/ONU_ID
[ONU_Slot/ONU_Subslot/Port_ID] [: { atm/eth|trk}/Port_XPI.Port_XCI]
[LN|EP|GP]
When the type corresponding to the access loop identifier is Ethernet and the access node is an Ethernet switch, the encoding format of broadband user access line (port) information in the LAN system follows the broadband user access line (port) information encoding format of the PON system, and the encoding format of the line identifier of the user's connection is as follows:
AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port/ONU_ID ONU_Slot/ONU_Subslot/Port_ID:{atm|eth|trk|hyd}/Port_XPI.Port_XCI
{LN|EP|GP}
It should be noted that after the DAD Proxy receives the address information sent by a first user, it stores that user's address information together with the corresponding access location information as one DAD entry; within the user's address information, the IP address to be detected and the MAC address also correspond to each other, i.e. the user's IP address to be detected, MAC address and access location information are bound together as one DAD entry. The DAD Proxy may store multiple DAD entries, i.e. entries of multiple users.
202: Compare the acquired DAD-NS message against the locally stored DAD information to determine whether the IP address to be detected is duplicated;
if the acquired DAD-NS message is found to have exactly the same link layer address, IP address to be detected and access location information as an entry in the locally stored DAD information, go to 203;
or, if the acquired DAD-NS message is found to have the same access location information, the same IP address to be detected and a different link layer address as an entry in the locally stored DAD information, the IP address to be detected may be duplicated, go to 204;
or, if the acquired DAD-NS message is found to have the same IP address to be detected, different access location information and a different link layer address, this indicates that the IP address to be detected may be duplicated, go to 204;
or, if the acquired DAD-NS message is found to have the same link layer address, the same IP address to be detected and different access location information, this indicates that the user is a nomadic user, go to 204;
if the acquired DAD-NS message is found to have the same link layer address, the same access location information and a different IP address to be detected, this indicates that the user has multiple addresses, go to 207;
or, if the acquired DAD-NS message is found to have the same access location information, a different link layer address and a different address to be detected, this indicates a different user under the same access location, go to 207;
or, if the acquired DAD-NS message is found to have the same link layer address, different access location information and a different IP address to be detected, the same user may have roamed elsewhere, go to 207;
or, if the acquired DAD-NS message is found to have different access location information, a different link layer address and a different address to be detected, this indicates a new user, go to 207;
203: This case can be regarded as the same user repeating an operation; no action is taken in this case.
204: Initiate unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information; if the unreachability detection succeeds, go to 205; if it fails, go to 206;
In this embodiment, the unreachability detection process is:
encapsulate an NS packet as unicast addressed to the IP address to be detected taken from the matched locally stored DAD information, yielding an IPv6 packet;
perform link layer encapsulation on that IPv6 packet using the MAC address corresponding to the IP address to be detected in the matched locally stored DAD information;
send the link-layer-encapsulated IPv6 packet as unicast to the user corresponding to the IP address to be detected and wait for that user's NA reply; if an NA packet is received within the preset time, the IP address to be detected is reachable, the unreachability detection succeeds, go to 205; if no NA packet is received within the preset time, the IP address to be detected is unreachable, the unreachability detection fails, go to 206.
205: Determine that the IP address to be detected in the acquired address information is a duplicate address and send a DAD-NA message to the user performing DAD; the DAD-NA message contains the access location information of that user and/or the link layer address of that user.
In practice, the DAD-NS message and the DAD-NA message may be received or sent in packet form. In the prior art, after the ND Proxy forwards the acquired DAD-NS multicast packet, if another user is already using the IP address to be detected that the user performing DAD intends to use, that other user must first send its DAD-NA reply packet to the ND Proxy, which then forwards the DAD-NA packet to the user performing DAD. In the technical solution provided by this embodiment, once the DAD Proxy detects that the IP address to be detected is a duplicate address, it sends the DAD-NA packet directly to the user performing DAD, which, compared with the prior art, greatly reduces the time until the user that sent the DAD-NS packet receives the DAD-NA packet.
Specifically, sending the DAD-NA message to the user performing DAD includes:
sending the DAD-NA message to the user performing DAD through the intermediate layer-2 network.
Further, sending the DAD-NA message to the user performing DAD through the intermediate layer-2 network specifically includes: the DAD-NA message includes the access location information corresponding to the user performing DAD, i.e. the access loop identifier; the access loop identifier may further include the network identifier of the intermediate layer-2 network;
the DAD Proxy sends the DAD-NA message to the intermediate layer-2 network, which judges whether the access loop identifier in the DAD-NA message contains its own network identifier; if so, it sends the DAD-NA message to the corresponding user according to the line identifier in the access loop identifier; if not, it discards the DAD-NA message, i.e. does not forward it.
To make the information received by the user more concise, the access loop identifier may be removed from the DAD-NA message before it is sent.
It should be noted that if the line identifiers of user connections are not duplicated across the whole network, i.e. each line identifier uniquely determines a user, the access loop identifier need not include the network identifier; if the identifiers of user connections under multiple user networks in the whole network are duplicated, including the network identifier in the access loop identifier allows the user to obtain the DAD-NA message more quickly.
The DAD-NA message may also be sent to the user performing DAD according to the link layer address of that user.
206: Determine that the IP address to be detected in the acquired address information is not duplicated.
Further, after determining that the IP address to be detected in the acquired address information is not duplicated, the method further includes: updating, in the locally stored DAD information, the address information of the user performing DAD and/or the access location information corresponding to that address information.
207: Determine that the IP address to be detected in the acquired address information is not duplicated, indicating that the IP address to be detected is available. Further, after determining that the IP address to be detected is not duplicated, the method further includes:
storing the address information in the DAD-NS message and the access location information corresponding to that address information locally.
In this embodiment, "nomadic" refers to the scenario in which a user connected on line 1 later moves to line 2. After the user moves, the access location information in the locally stored DAD information is that of line 1, to which the user was connected, and the line 2 information corresponding to the user after the move is not stored, so the prior art cannot implement DAD in the nomadic scenario. In this embodiment, when comparing the acquired DAD-NS message against the locally stored DAD information finds the same IP address to be detected, the same link layer address and different access location information, unreachability detection is performed on the matched locally stored DAD information; if it fails, the locally stored DAD information is updated, after which the user's access location information includes the line 2 information, so that automatic address configuration can proceed.
The method may further include:
maintaining the locally stored DAD information by periodically initiating unreachability detection toward the stored address information of each user; if the user corresponding to the address information responds, the address information is retained; if the user corresponding to the address information does not respond, this indicates that the user no longer exists and the address information may be deleted.
The unreachability detection performed here is the same as the unreachability detection process described above.
The DAD Proxy may be located on an IP edge device, i.e. the first layer-3 node in the network, such as a BRAS, NAS or BAS, or it may be located in the intermediate layer-2 network.
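The comparison table of step 202, the unicast unreachability probe of step 204 and the update and maintenance steps above, modelled as an added example that is not the patent's own code. The probe is abstracted as a callback (the real proxy unicasts an NS down the stored line and waits a preset time for an NA); entry values and the scenario are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple

# One locally stored DAD entry: the binding the description calls one DAD
# record (IP to be detected, link layer address, access location information).
@dataclass(frozen=True)
class DadEntry:
    ip: str       # IPv6 unicast address to be detected
    lla: str      # link layer address (a MAC address here)
    loop_id: str  # access location information (access loop identifier)

class Verdict(Enum):
    NO_OP = "203"        # identical entry: the same user repeated the DAD
    DUPLICATE = "205"    # address in use elsewhere: send DAD-NA to the user
    UPDATED = "206"      # stale binding replaced (e.g. nomadic user)
    STORED = "207"       # not duplicated: new entry stored

# Step 202 case table. Key = (same access location, same IP, same link layer address).
_CASES: Dict[Tuple[bool, bool, bool], str] = {
    (True, True, True): "203",     # same user, repeated operation
    (True, True, False): "204",    # same line, same IP, other MAC: may be duplicate
    (False, True, False): "204",   # other line, other MAC, same IP: may be duplicate
    (False, True, True): "204",    # same MAC and IP from another line: nomadic user
    (True, False, True): "207",    # same user has several addresses
    (True, False, False): "207",   # a different user on the same line
    (False, False, True): "207",   # same user roamed and uses a new address
    (False, False, False): "207",  # new user
}

def classify(ns: DadEntry, stored: DadEntry) -> str:
    """Map the comparison of a received DAD-NS against one stored entry to a step."""
    key = (ns.loop_id == stored.loop_id, ns.ip == stored.ip, ns.lla == stored.lla)
    return _CASES[key]

# Unreachability probe of step 204, modelled as a callback: True means an NA
# came back within the preset time (the page calls this "detection succeeds").
Probe = Callable[[DadEntry], bool]

class DadProxy:
    def __init__(self, probe: Probe) -> None:
        self.entries: List[DadEntry] = []
        self.probe = probe

    def process(self, ns: DadEntry) -> Tuple[Verdict, Optional[dict]]:
        """Handle one DAD-NS; returns the verdict and, for 205, the DAD-NA to send."""
        to_probe: List[DadEntry] = []
        for stored in self.entries:
            case = classify(ns, stored)
            if case == "203":
                return Verdict.NO_OP, None
            if case == "204":
                to_probe.append(stored)
        if not to_probe:  # 207: no entry shares the IP, the address is available
            self.entries.append(ns)
            return Verdict.STORED, None
        for stored in to_probe:  # 204: unicast NS to each binding holding the IP
            if self.probe(stored):  # NA received within the preset time
                # 205: answer the soliciting user directly instead of flooding
                # the multicast NS; the DAD-NA carries that user's own access
                # location and link layer address so it can be delivered.
                dad_na = {"target": ns.ip, "loop_id": ns.loop_id, "lla": ns.lla}
                return Verdict.DUPLICATE, dad_na
        # 206: nobody answered at the old binding(s); replace them with the new one
        self.entries = [e for e in self.entries if e not in to_probe] + [ns]
        return Verdict.UPDATED, None

    def maintain(self) -> int:
        """Periodic maintenance: drop entries whose user no longer answers a probe."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if self.probe(e)]
        return before - len(self.entries)

def make_probe(reachable: Set[DadEntry]) -> Probe:
    """Constructed stand-in for the network: a binding answers iff it is in the set."""
    return lambda entry: entry in reachable

def run_scenario() -> List[str]:
    """Constructed walk-through: a duplicate on another line, then a nomadic move."""
    user1_line1 = DadEntry("2001:db8::1", "00:11:22:33:44:55", "AN1/1/0/2/0/5")
    user1_line2 = DadEntry("2001:db8::1", "00:11:22:33:44:55", "AN1/1/0/2/0/9")
    user2 = DadEntry("2001:db8::1", "aa:bb:cc:dd:ee:ff", "AN1/1/0/3/0/1")
    reachable: Set[DadEntry] = {user1_line1}
    proxy = DadProxy(make_probe(reachable))
    log = [proxy.process(user1_line1)[0].name,   # STORED
           proxy.process(user1_line1)[0].name,   # NO_OP
           proxy.process(user2)[0].name]         # DUPLICATE: user1 answers the probe
    reachable.clear()
    reachable.add(user1_line2)                    # user1 moved to line 2
    log.append(proxy.process(user1_line2)[0].name)  # UPDATED (nomadic case)
    reachable.clear()
    log.append(str(proxy.maintain()))             # "1": stale entry removed
    return log
```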
The beneficial effects of this embodiment are: the acquired DAD-NS message is compared against the locally stored DAD information to determine whether the IP address to be detected is duplicated; if the IP address to be detected may be duplicated, the DAD Proxy initiates unicast unreachability detection and determines from its result whether the IP address to be detected is duplicated; if it is, a DAD-NA message is sent directly to the user performing DAD. This not only provides correct DAD but also removes the need to forward multicast packets as in the prior art, solving the resource waste and added delay caused by unconditional forwarding of DAD-NS multicast packets in the prior art, and avoiding the situation in which other users obtain the user's address and related information from a forwarded DAD-NS multicast packet and mount a malicious attack, thereby improving the user's information security. When a user is nomadic, DAD can still be performed by updating the nomadic user's access location information, so automatic address configuration is possible. Further, the network identifier and line identifier in the access loop identifier can limit the forwarding range of the DAD-NA message, so that users on networks and lines without that network identifier and line identifier cannot obtain the DAD-NA message, which prevents an illegitimate user within the access range from eavesdropping on the DAD-NA message and using the information to mount a malicious attack.

Embodiment 3
Referring to Figure 4, an embodiment of the present invention provides a DAD proxy apparatus, which includes: an obtaining module 301, a storage module 302 and a processing module 303;
the obtaining module 301 is configured to acquire a duplicate address detection neighbor solicitation (DAD-NS) message, where the DAD-NS message includes address information sent by a user and access location information corresponding to the address information, the address information including at least an IP address to be detected and a link layer address; in this embodiment the link layer address may be, but is not limited to, a MAC address;
In this embodiment, the user that sends the address information may also be called the user performing DAD.
In this embodiment, the access location information acquired by the obtaining module 301 may be sent by the user, stored by the DAD proxy apparatus itself, or inserted by the access device corresponding to the user.
The storage module 302 stores DAD information, which includes address information of at least one user and the access location information corresponding to that address information. The address information of each user includes at least a link layer address and an IP address to be detected. This embodiment is described only with the example in which the address information sent by the user includes a link layer address and an IP address to be detected; the case in which the address information sent by the user also includes the prefix of the IP address to be detected or other information is not excluded, and when other information is included it may be handled according to the specific situation while still falling within the inventive concept of the present invention.
The processing module 303 is configured to compare the DAD-NS message acquired by the obtaining module 301 against the DAD information stored in the storage module 302 to determine whether the IP address to be detected is duplicated.
Specifically, the processing module 303 includes: a comparing unit 3030, an unreachability detection unit 3031, a sending unit 3032, a determining unit 3033 and an updating unit 3034;
the comparing unit 3030 is configured to compare the DAD-NS message acquired by the obtaining module 301 against the DAD information stored in the storage module 302;
the unreachability detection unit 3031 is configured to, when the comparing unit 3030 finds that the DAD-NS message acquired by the obtaining module 301 matches an entry in the DAD information stored in the storage module 302 with the same access location information, the same IP address to be detected and a different link layer address, or
when the comparing unit 3030 finds that the DAD-NS message acquired by the obtaining module 301 matches an entry in the DAD information stored in the storage module 302 with the same IP address to be detected, different access location information and a different link layer address, or
when the comparing unit 3030 finds that the DAD-NS message acquired by the obtaining module 301 matches an entry in the DAD information stored in the storage module 302 with the same link layer address, the same IP address to be detected and different access location information, initiate unreachability detection toward the IP address to be detected according to the address information in the locally stored DAD information matched by the comparing unit 3030; if the unreachability detection succeeds, notify the sending unit 3032; if the unreachability detection fails, notify the determining unit 3033;
In this embodiment, the unreachability detection unit 3031 may include: a first encapsulation sub-unit, a second encapsulation sub-unit and a sending sub-unit;
the first encapsulation sub-unit is configured to encapsulate an NS packet as unicast addressed to the IP address to be detected taken from the matched DAD information, yielding an IPv6 packet;
the second encapsulation sub-unit is configured to perform link layer encapsulation on the IPv6 packet produced by the first encapsulation sub-unit, using the MAC address corresponding to the IP address to be detected in the matched DAD information;
the sending sub-unit is configured to send the IPv6 packet link-layer-encapsulated by the second encapsulation sub-unit as unicast to the user corresponding to the IP address to be detected and wait for that user's NA reply; if an NA packet is received within the preset time, the IP address to be detected is reachable and the sending unit 3032 is notified; if no NA packet is received within the preset time, the IP address to be detected is unreachable and the determining unit 3033 is notified.
The sending unit 3032 is configured to, after receiving the unreachability detection success notification from the unreachability detection unit 3031, determine that the IP address to be detected in the received address information is a duplicate address and send a DAD-NA message to the user performing DAD; the DAD-NA message contains the access location information of that user and/or the link layer address of that user.
In practice, the DAD-NS message and the DAD-NA message may be received or sent in packet form. In the prior art, after the ND Proxy forwards the acquired DAD-NS multicast packet, if another user is already using the IP address to be detected that the user performing DAD intends to use, that other user must first send its DAD-NA reply packet to the ND Proxy, which then forwards the DAD-NA packet to the user performing DAD. In the technical solution provided by this embodiment, once the DAD Proxy detects that the IP address to be detected is a duplicate address, it sends the DAD-NA packet directly to the user performing DAD, which, compared with the prior art, greatly reduces the time until the user that sent the DAD-NS packet receives the DAD-NA packet.
The determining unit 3033 is configured to, after receiving the unreachability detection failure notification from the unreachability detection unit 3031, determine that the IP address to be detected in the address information acquired by the obtaining module 301 is not duplicated.
Further, the processing module 303 includes an updating unit 3034, configured to, after the determining unit 3033 determines that the IP address to be detected in the address information acquired by the obtaining module 301 is not duplicated, update, in the locally stored DAD information held by the storage module 302, the address information of the user performing DAD and/or the access location information corresponding to that address information.
In this embodiment, when the comparing unit 3030 finds that the DAD-NS message received by the obtaining module 301 and an entry in the DAD information stored by the storage module 302 have the same link layer address, the same address to be detected and different access location information, the user performing DAD is a nomadic user; "nomadic" refers to the scenario in which a user connected on line 1 later moves to line 2. After the user moves, the storage module 302 holds only the line 1 information of that user and not the line 2 information, so the prior art cannot implement DAD in the nomadic scenario. In this embodiment, when the DAD-NS message acquired by the obtaining module 301 and the DAD information stored in the storage module 302 are found to have the same IP address to be detected, the same link layer address and different access location information, the unreachability detection unit 3031 performs unreachability detection on the matched locally stored DAD information; if the unreachability detection fails, the locally stored DAD information of that user is updated so that its access location information includes the line 2 information, after which DAD, and hence automatic address configuration, can proceed.
Alternatively, the determining unit 3033 of the processing module 303 is further configured to, when the comparing unit 3030 finds that the DAD-NS message acquired by the obtaining module 301 matches an entry in the DAD information stored in the storage module 302 with the same link layer address, the same access location information and a different IP address to be detected, or
when the comparing unit 3030 finds that the DAD-NS message acquired by the obtaining module 301 matches an entry in the DAD information stored in the storage module 302 with the same access location information, a different link layer address and a different address to be detected, or
when the comparing unit 3030 finds that the DAD-NS message acquired by the obtaining module 301 matches an entry in the DAD information stored in the storage module 302 with the same link layer address, different access location information and a different IP address to be detected, or
when the comparing unit 3030 finds that the DAD-NS message acquired by the obtaining module 301 matches an entry in the DAD information stored in the storage module 302 with different access location information, a different link layer address and a different address to be detected, determine that the IP address to be detected in the DAD-NS message acquired by the obtaining module 301 is not duplicated, indicating that the IP address to be detected in the DAD-NS message is available.
Further, the storage module 302 is further configured to store locally the address information in the acquired DAD-NS message and the access location information corresponding to that address information.
Further, the apparatus may include a DAD information maintenance module 304, configured to maintain the DAD information stored in the storage module 302 by periodically initiating unreachability detection toward the stored address information of each user; if an NA packet from the user corresponding to the address information is received within the preset time, the address information is retained; if no NA packet from that user is received within the preset time, this indicates that the user no longer exists and the address information may be deleted.
The beneficial effects of this embodiment are: the acquired DAD-NS message is compared against the locally stored DAD information to determine whether the IP address to be detected is duplicated; if the IP address to be detected may be duplicated, the proxy apparatus initiates unicast unreachability detection and determines from its result whether the IP address to be detected is duplicated; if it is, a DAD-NA message is sent directly to the user performing DAD. This not only provides correct DAD but also removes the need to forward multicast packets as in the prior art, solving the resource waste and added delay caused by unconditional forwarding of DAD-NS multicast packets in the prior art, and avoiding the situation in which other users obtain the user's address and related information from a forwarded DAD-NS multicast packet and mount a malicious attack, thereby improving the user's information security. When a user is nomadic, DAD can still be performed by updating the nomadic user's access location information, so automatic address configuration is possible.
Embodiment 4
Referring to Figure 5, an embodiment of the present invention provides a duplicate address detection proxy system, which includes a duplicate address detection apparatus 300 and an access device 400;
the duplicate address detection apparatus 300 is the same as the apparatus provided in Embodiment 3 and is not described again here.
In this embodiment, the obtaining module 301 is specifically configured to acquire a duplicate address detection neighbor solicitation (DAD-NS) message through the access device 400, where the DAD-NS message includes address information sent by a user and the access location information, inserted by the access device 400, corresponding to that address information, the address information including at least an IP address to be detected and a link layer address;
the access device includes: a receiving module 401, a judging module 402, a sending module 403 and a discarding module 404;
the receiving module 401 is configured to receive the DAD-NA message sent by the apparatus provided in Embodiment 3; the DAD-NA message includes the access loop identifier corresponding to the user performing DAD; the access loop identifier includes the access device identifier and the line identifier corresponding to that user;
the judging module 402 is configured to judge whether the access loop identifier in the DAD-NA message received by the receiving module 401 contains the access device's own access device identifier; if so, notify the sending module 403; if not, notify the discarding module 404;
the sending module 403 is configured to send the DAD-NA message to the user performing DAD according to the line identifier in the access loop identifier;
to make the information received by the user more concise, the sending module 403 may remove the access loop identifier from the DAD-NA message before sending it.
The discarding module 404 discards the DAD-NA message.
It should be noted that if the line identifiers of user connections are not duplicated across the whole network, i.e. each line identifier uniquely determines a user, the access loop identifier need not include the network identifier; if the identifiers of user connections under multiple user networks in the whole network are duplicated, including the network identifier in the access loop identifier allows the user to obtain the DAD-NA message more quickly.
The sending module 403 may also send the DAD-NA message to the user performing DAD according to the link layer address of that user.
The beneficial effects of this embodiment are: by judging whether the access loop identifier in the received DAD-NA message contains the access device's own access device identifier, and forwarding the DAD-NA message according to the line identifier in the access loop identifier only when it does, the forwarding range of the DAD-NA message is limited, so that users on networks and lines without that access device identifier and line identifier cannot obtain the DAD-NA message, which prevents an illegitimate user within the access range from eavesdropping on the DAD-NA message and mounting a malicious attack.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
The embodiments of the present invention may be implemented in software, and the corresponding software program may be stored in a readable storage medium, such as a computer hard disk, cache or optical disc.
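The access-device side of Embodiment 4 (modules 401 to 404) together with a parser for the DSL/DSLAM line identifier format quoted in Embodiment 2, written as an added example that is not the patent's own code. The leading {atm|eth} token is treated as optional, the `AccessNodeIdentifier` is taken to be the access device identifier, and the rule that a DAD-NA naming a line this device does not serve is discarded is an assumption beyond the text; the device, lines and messages are constructed.

```python
import re
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Line identifier format for the DSL/DSLAM case in the description:
# AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port[:ANI_XPI.ANI_XCI]
# The leading {atm|eth} token is assumed optional here (assumption).
_LINE_ID = re.compile(
    r"^(?:(?P<media>atm|eth) )?"
    r"(?P<ani>[^/\s]+)/(?P<rack>\d+)/(?P<frame>\d+)/(?P<slot>\d+)/(?P<subslot>\d+)/(?P<port>\d+)"
    r"(?::(?P<xpi>\d+)\.(?P<xci>\d+))?$"
)

Line = Tuple[int, int, int, int, int]  # rack/frame/slot/subslot/port

@dataclass(frozen=True)
class AccessLoopId:
    access_node_id: str                  # access device identifier
    line: Line                           # line identifier of the user's connection
    xpi_xci: Optional[Tuple[int, int]]   # e.g. VPI.VCI on an ATM line

def parse_loop_id(text: str) -> AccessLoopId:
    """Parse an access loop identifier; raises ValueError on a malformed one."""
    m = _LINE_ID.match(text)
    if m is None:
        raise ValueError(f"malformed access loop identifier: {text!r}")
    line = tuple(int(m.group(k)) for k in ("rack", "frame", "slot", "subslot", "port"))
    xpi_xci = (int(m["xpi"]), int(m["xci"])) if m["xpi"] is not None else None
    return AccessLoopId(m["ani"], line, xpi_xci)  # type: ignore[arg-type]

@dataclass(frozen=True)
class DadNa:
    target_ip: str           # the IP address found to be duplicated
    target_lla: str          # link layer address of the user performing DAD
    loop_id: Optional[str]   # access loop identifier inserted by the DAD proxy

class AccessDevice:
    """Constructed model of the access device modules 401 to 404."""

    def __init__(self, node_id: str, lines: Dict[Line, str]) -> None:
        self.node_id = node_id
        self.lines = lines  # line identifier -> user attached to that line

    def handle_dad_na(self, msg: DadNa) -> Tuple[str, Optional[str], Optional[DadNa]]:
        """Returns ("forward", user, stripped message) or ("discard", None, None)."""
        if msg.loop_id is None:
            return "discard", None, None         # nothing for module 402 to judge on
        loop = parse_loop_id(msg.loop_id)
        # Judging module 402: only a DAD-NA naming this access device passes.
        if loop.access_node_id != self.node_id:
            return "discard", None, None         # discarding module 404
        user = self.lines.get(loop.line)
        if user is None:
            # Assumption beyond the text: a line this device does not serve is
            # treated like a foreign identifier rather than flooded to all ports.
            return "discard", None, None
        # Sending module 403: deliver on that one line only, after stripping the
        # loop identifier so the user receives no access topology information.
        return "forward", user, replace(msg, loop_id=None)

def demo() -> List[object]:
    """Constructed run: a DAD-NA for this device, one for another, one unknown line."""
    dslam = AccessDevice("AN1", {(1, 0, 2, 0, 5): "user1", (1, 0, 3, 0, 1): "user2"})
    results: List[object] = []
    for loop in ("atm AN1/1/0/2/0/5:0.35", "AN2/1/0/2/0/5", "AN1/1/0/9/0/1"):
        msg = DadNa("2001:db8::1", "00:11:22:33:44:55", loop)
        action, user, out = dslam.handle_dad_na(msg)
        results.append((action, user, None if out is None else out.loop_id))
    try:
        dslam.handle_dad_na(DadNa("2001:db8::1", "00:11:22:33:44:55", "garbage"))
        results.append("no error")
    except ValueError:
        results.append("ValueError")   # malformed identifier is rejected, not forwarded
    return results
```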

Claims

1. A duplicate address detection proxy method, characterized in that the method includes:
acquiring a duplicate address detection neighbor solicitation (DAD-NS) message, where the DAD-NS message includes address information sent by a user and access location information corresponding to the address information, the address information including at least an IP address to be detected and a link layer address; comparing the acquired DAD-NS message against locally stored DAD information; when it is determined from the comparison result that the IP address to be detected is not duplicated, adding the DAD-NS message to the locally stored DAD information; when it cannot be determined from the comparison result whether the IP address to be detected is duplicated, initiating unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information, so as to determine whether the IP address to be detected is duplicated; the DAD information includes address information of at least one user and access location information corresponding to that address information.
2. The method according to claim 1, characterized in that the address information in the DAD-NS message further includes prefix information of the IP address to be detected.
3. The method according to claim 1, characterized in that the method further includes:
if the DAD-NS message is found to have exactly the same link layer address, IP address to be detected and access location information as an entry in the locally stored DAD information, performing no operation.
4. The method according to claim 1, characterized in that, when it cannot be determined from the comparison result whether the IP address to be detected is duplicated, initiating unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information so as to determine whether the IP address to be detected is duplicated includes:
if the acquired DAD-NS message is found to have the same access location information, the same IP address to be detected and a different link layer address as an entry in the locally stored DAD information, or
if the acquired DAD-NS message is found to have the same IP address to be detected, different access location information and a different link layer address as an entry in the locally stored DAD information, or
if the acquired DAD-NS message is found to have the same link layer address, the same IP address to be detected and different access location information as an entry in the locally stored DAD information;
initiating unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information; if the unreachability detection succeeds, determining that the IP address to be detected is duplicated and sending a duplicate address detection neighbor advertisement (DAD-NA) message to the user; if the unreachability detection fails, determining that the IP address to be detected is not duplicated.
5. The method according to claim 4, characterized in that, after determining that the IP address to be detected is not duplicated, the method further includes:
updating, in the locally stored DAD information, the address information of the user and/or the access location information corresponding to that address information.
6. The method according to claim 1, characterized in that determining from the comparison result that the IP address to be detected is not duplicated includes:
if the acquired DAD-NS message is found to have the same link layer address, the same access location information and a different IP address to be detected as an entry in the locally stored DAD information, or
if the acquired DAD-NS message is found to have the same access location information, a different link layer address and a different address to be detected as an entry in the locally stored DAD information, or
if the acquired DAD-NS message is found to have the same link layer address, different access location information and a different IP address to be detected as an entry in the locally stored DAD information, or
if the acquired DAD-NS message is found to have different access location information, a different link layer address and a different IP address to be detected as an entry in the locally stored DAD information, determining that the IP address to be detected is not duplicated.
7. The method according to claim 4, characterized in that the access location information is an access loop identifier, and the access loop identifier includes a network identifier and a line identifier of the user's connection.
8. The method according to claim 7, characterized in that acquiring a duplicate address detection neighbor solicitation (DAD-NS) message, where the DAD-NS message includes address information sent by a user and access location information corresponding to the address information, is specifically:
acquiring the DAD-NS message through an intermediate layer-2 network, where the DAD-NS message includes address information sent by the user and access location information, inserted by the intermediate layer-2 network, corresponding to the address information.
9. The method according to claim 8, characterized in that the DAD-NA message includes the access loop identifier corresponding to the user;
sending the DAD-NA message to the user includes:
sending the DAD-NA message to the user through the intermediate layer-2 network; specifically, sending the DAD-NA message to the intermediate layer-2 network, so that the intermediate layer-2 network judges whether the access loop identifier in the DAD-NA message contains its own network identifier; if so, it sends the DAD-NA message to the corresponding user according to the line identifier in the access loop identifier; if not, it discards the DAD-NA message.
10. The method according to any one of claims 1 to 9, characterized in that initiating unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information, so as to determine whether the IP address to be detected is duplicated, includes:
encapsulating an NS packet as unicast using the IP address to be detected in the matched locally stored DAD information, performing link layer encapsulation on the unicast-encapsulated NS packet using the MAC address in the matched locally stored DAD information, and then sending it to the user corresponding to the IP address to be detected; if an NA packet from that user is received within a preset time, determining that the IP address to be detected is a duplicate address; if no NA packet from that user is received within the preset time, determining that the IP address to be detected is not duplicated.
11. The method according to claim 1, characterized in that the method further includes:
maintaining the locally stored DAD information by periodically initiating unreachability detection toward the stored address information of each user; if the user corresponding to the address information responds, retaining the address information; if the user corresponding to the address information does not respond, deleting the address information.
12. A duplicate address detection proxy apparatus, characterized in that the apparatus includes: an obtaining module, a storage module and a processing module;
the obtaining module is configured to acquire a duplicate address detection neighbor solicitation (DAD-NS) message, where the DAD-NS message includes address information sent by a user and access location information corresponding to the address information, the address information including at least an IP address to be detected and a link layer address;
the storage module is configured to store DAD information; the DAD information includes address information of at least one user and access location information corresponding to that address information;
the processing module is configured to compare the DAD-NS message acquired by the obtaining module against the DAD information stored in the storage module; when it is determined from the comparison result that the IP address to be detected is not duplicated, add the DAD-NS message to the locally stored DAD information; when it cannot be determined from the comparison result whether the IP address to be detected is duplicated, initiate unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information, so as to determine whether the IP address to be detected is duplicated.
13. The apparatus according to claim 12, characterized in that the obtaining module is specifically configured to acquire the DAD-NS message through an access device, where the DAD-NS message includes address information sent by the user and access location information, inserted by the access device, corresponding to the address information, the address information including at least an IP address to be detected and a link layer address.
14. The apparatus according to claim 12, characterized in that the address information in the DAD-NS message further includes prefix information of the IP address to be detected.
15. The apparatus according to claim 12, characterized in that the processing module includes:
a comparing unit, configured to compare the DAD-NS message acquired by the obtaining module against the DAD information stored in the storage module;
an unreachability detection unit, configured to, when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with the same access location information, the same IP address to be detected and a different link layer address, or
when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with the same IP address to be detected, different access location information and a different link layer address, or
when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with the same link layer address, the same IP address to be detected and different access location information, initiate unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information; if the unreachability detection succeeds, notify a sending unit; if the unreachability detection fails, notify a determining unit;
the sending unit, configured to, after receiving the unreachability detection success notification from the unreachability detection unit, determine that the IP address to be detected is a duplicate address and send a duplicate address detection neighbor advertisement (DAD-NA) message to the user;
the determining unit, configured to, after receiving the unreachability detection failure notification from the unreachability detection unit, determine that the IP address to be detected is not duplicated.
16. The apparatus according to claim 15, characterized in that the processing module further includes: an updating unit, configured to, after the determining unit determines that the IP address to be detected is not duplicated, update the address information of the user and/or the access location information corresponding to that address information stored in the storage module.
17. The apparatus according to claim 15, characterized in that the determining unit is further configured to: when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with the same link layer address, the same access location information and a different IP address to be detected, or
when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with the same access location information, a different link layer address and a different address to be detected, or
when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with the same link layer address, different access location information and a different IP address to be detected, or
when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with different access location information, a different link layer address and a different address to be detected, determine that the IP address to be detected is not duplicated.
18. The apparatus according to claim 17, characterized in that the unreachability detection unit includes:
a first encapsulation sub-unit, configured to encapsulate an NS packet as unicast using the IP address to be detected in the matched DAD information, yielding an IPv6 packet;
a second encapsulation sub-unit, configured to perform link layer encapsulation on the IPv6 packet produced by the first encapsulation sub-unit, using the MAC address corresponding to the IP address to be detected in the matched DAD information;
a sending sub-unit, configured to send the IPv6 packet link-layer-encapsulated by the second encapsulation sub-unit as unicast to the user corresponding to the IP address to be detected and wait for that user's NA reply; if an NA packet is received within a preset time, notify the sending unit; if no NA packet is received within the preset time, notify the determining unit.
19. The apparatus according to claim 12, characterized in that the apparatus further includes:
a DAD information maintenance module, configured to maintain the locally stored DAD information by periodically initiating unreachability detection toward the stored address information of each user; if the user corresponding to the probed address information responds, retain the address information; if the user corresponding to the probed address information does not respond, delete the address information.
20. A duplicate address detection proxy system, characterized in that the system includes: a duplicate address detection proxy apparatus and an access device;
the duplicate address detection proxy apparatus includes: an obtaining module, a storage module and a processing module;
the obtaining module is configured to acquire a duplicate address detection neighbor solicitation (DAD-NS) message through the access device, where the DAD-NS message includes address information sent by a user and access location information, inserted by the access device, corresponding to the address information, the address information including at least an IP address to be detected and a link layer address; the storage module is configured to store DAD information; the DAD information includes address information of at least one user and access location information corresponding to that address information;
the processing module is configured to compare the DAD-NS message acquired by the obtaining module against the DAD information stored in the storage module; when it is determined from the comparison result that the IP address to be detected is not duplicated, add the DAD-NS message to the locally stored DAD information; when it cannot be determined from the comparison result whether the IP address to be detected is duplicated, initiate unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information, so as to determine whether the IP address to be detected is duplicated;
the processing module includes:
a comparing unit, configured to compare the DAD-NS message acquired by the obtaining module against the DAD information stored in the storage module;
an unreachability detection unit, configured to, when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with the same access location information, the same IP address to be detected and a different link layer address, or
when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with the same IP address to be detected, different access location information and a different link layer address, or
when the comparing unit finds that the DAD-NS message acquired by the obtaining module matches an entry in the DAD information stored in the storage module with the same link layer address, the same IP address to be detected and different access location information, initiate unreachability detection toward the IP address to be detected according to the address information in the matched locally stored DAD information; if the unreachability detection succeeds, notify a sending unit; if the unreachability detection fails, notify a determining unit;
the sending unit, configured to, after receiving the unreachability detection success notification from the unreachability detection unit, determine that the IP address to be detected is a duplicate address and send a duplicate address detection neighbor advertisement (DAD-NA) message to the user through the access device;
the determining unit, configured to, after receiving the unreachability detection failure notification from the unreachability detection unit, determine that the IP address to be detected is not duplicated;
the access device includes: a receiving module, a judging module, a sending module and a discarding module;
the receiving module, configured to receive the duplicate address detection neighbor advertisement (DAD-NA) message sent by the sending unit in the processing module of the duplicate address detection proxy apparatus; the DAD-NA message includes an access loop identifier corresponding to the user; the access loop identifier includes an access device identifier and a line identifier corresponding to the user;
the judging module, configured to judge whether the access loop identifier in the DAD-NA message received by the receiving module contains the access device's own access device identifier; if so, notify the sending module; if not, notify the discarding module; the sending module, configured to send the DAD-NA message to the user according to the line identifier in the access loop identifier;
the discarding module, configured to discard the DAD-NA message.
PCT/CN2009/074984 2009-11-17 2009-11-17 Method, apparatus and system for duplicate address detection proxy WO2011060571A1 (zh)

Priority Applications (6)

Application Number Priority Date Filing Date Title
EP09851363.3A EP2493117B1 (en) 2009-11-17 2009-11-17 Method and apparatus for duplicate address detection proxy
KR1020127014077A KR101372988B1 (ko) 2009-11-17 2009-11-17 Method, apparatus and system for duplicate address detection proxy
PCT/CN2009/074984 WO2011060571A1 (zh) 2009-11-17 2009-11-17 Method, apparatus and system for duplicate address detection proxy
CN2009801486739A CN102246461B (zh) 2009-11-17 2009-11-17 Method, apparatus and system for duplicate address detection proxy
JP2012539157A JP5536225B2 (ja) 2009-11-17 2009-11-17 Method, apparatus and system for duplicate address detection proxy
US13/472,978 US8724500B2 (en) 2009-11-17 2012-05-16 Method, apparatus, and system of duplicate address detection proxy

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2009/074984 WO2011060571A1 (zh) 2009-11-17 2009-11-17 Method, apparatus and system for duplicate address detection proxy

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/472,978 Continuation US8724500B2 (en) 2009-11-17 2012-05-16 Method, apparatus, and system of duplicate address detection proxy

Publications (1)

Publication Number Publication Date
WO2011060571A1 true WO2011060571A1 (zh) 2011-05-26

Family

ID=44059175

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/074984 WO2011060571A1 (zh) 2009-11-17 2009-11-17 Duplicate address detection proxy method, apparatus and system

Country Status (6)

Country Link
US (1) US8724500B2 (zh)
EP (1) EP2493117B1 (zh)
JP (1) JP5536225B2 (zh)
KR (1) KR101372988B1 (zh)
CN (1) CN102246461B (zh)
WO (1) WO2011060571A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140325090A1 (en) * 2011-10-31 2014-10-30 Telefonaktiebolaget L M Ericsson (Publ) Discovery and disconnection of client addresses in an access node for an ip network

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101610186A (zh) * 2009-06-19 2009-12-23 中兴通讯股份有限公司 Method for processing packets
US9270638B2 (en) * 2012-01-20 2016-02-23 Cisco Technology, Inc. Managing address validation states in switches snooping IPv6
CN102594882A (zh) * 2012-02-08 2012-07-18 神州数码网络(北京)有限公司 Neighbor discovery proxy method and system based on DHCPv6 snooping
US8886775B2 (en) * 2012-03-08 2014-11-11 Cisco Technology, Inc. Dynamic learning by a server in a network environment
WO2014070931A1 (en) * 2012-10-30 2014-05-08 Quantitative Sampling Technologies, LLC Supervisory computer system over data acquisition devices
CN102984288B (zh) * 2012-11-19 2017-11-17 中兴通讯股份有限公司 Method and system for automatically managing IPv6 address conflicts
CN103347102B (zh) * 2013-06-28 2016-08-10 华为技术有限公司 Method and apparatus for identifying duplicate address detection packets
US9596210B2 (en) * 2014-04-08 2017-03-14 Arris Enterprises, Inc. Subscriber-aware duplicate address detection proxy in edge devices
US9385953B1 (en) * 2015-02-03 2016-07-05 Google Inc. Mesh network addressing
JP6548460B2 (ja) * 2015-05-29 2019-07-24 キヤノン株式会社 Information processing apparatus, information processing method, and program
US9832106B2 (en) * 2015-06-23 2017-11-28 Juniper Networks, Inc. System and method for detecting network neighbor reachability
US10148516B2 (en) * 2015-07-28 2018-12-04 Dell Products L.P. Inter-networking device link provisioning system
CN105262760A (zh) * 2015-10-30 2016-01-20 北京奇虎科技有限公司 Method and apparatus for preventing malicious access to login/registration interfaces
EP3443730B1 (en) * 2016-04-15 2021-09-01 Convida Wireless, LLC 6lowpan neighbor discovery for supporting mobility and multiple border routers
US10027576B2 (en) 2016-05-23 2018-07-17 Juniper Networks, Inc. Method, system, and apparatus for proxying intra-subnet traffic across multiple interfaces within networks
CN108173980B (zh) * 2018-01-18 2021-02-19 浙江农林大学暨阳学院 Duplicate address detection method in an SDN environment
US10547587B2 (en) 2018-03-19 2020-01-28 Didi Research America, Llc Method and system for near real-time IP user mapping
CN108848087B (zh) * 2018-06-06 2020-11-27 浙江农林大学暨阳学院 Method for suppressing malicious NA packets during DAD for the SEND protocol
US20230247419A1 (en) * 2020-08-03 2023-08-03 Arris Enterprises Llc Distributed coordination of duplicate ip address detection
CN112217918B (zh) * 2020-10-23 2022-05-24 新华三信息安全技术有限公司 IPv6 address conflict detection method and apparatus in an SDN network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050036471A1 (en) * 2003-08-13 2005-02-17 Samsung Electronics Co., Ltd. Fast duplicate address detection entity for managing information for fast duplicate address detection in distribution system and fast duplicate address detection method using the same
CN1901551A (zh) * 2005-07-19 2007-01-24 上海贝尔阿尔卡特股份有限公司 Duplicate address detection method and apparatus in an IPv6-capable layer-2 access network
CN1980252A (zh) * 2005-12-06 2007-06-13 华为技术有限公司 Method for implementing address conflict detection and address conflict detection proxy apparatus
CN101547223A (zh) * 2008-03-26 2009-09-30 华为技术有限公司 Address configuration method, apparatus and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005089098A2 (en) * 2004-01-14 2005-09-29 The Regents Of The University Of California Ultra broadband mirror using subwavelength grating
CN100495992C (zh) 2007-08-30 2009-06-03 华为技术有限公司 Duplicate address detection method for address conflicts and network node device
JP2009253962A (ja) * 2008-04-11 2009-10-29 Yamaha Corp Communication system
CN101901551B (zh) 2010-06-29 2012-03-14 上海英迪信息技术有限公司 Method for optimizing the track playback function in a vehicle monitoring system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP2493117A4 *

Also Published As

Publication number Publication date
CN102246461A (zh) 2011-11-16
EP2493117A4 (en) 2012-11-07
EP2493117B1 (en) 2015-01-07
CN102246461B (zh) 2013-08-28
US8724500B2 (en) 2014-05-13
JP5536225B2 (ja) 2014-07-02
US20120224576A1 (en) 2012-09-06
EP2493117A1 (en) 2012-08-29
KR101372988B1 (ko) 2014-03-25
JP2013511228A (ja) 2013-03-28
KR20120084774A (ko) 2012-07-30

Similar Documents

Publication Publication Date Title
WO2011060571A1 (zh) 一种地址重复检测代理方法、装置及系统
JP4960437B2 (ja) Logical group endpoint discovery for a data communications network
WO2010072096A1 (zh) Method for improving neighbor discovery security in an IPv6 environment and broadband access device
US20210359971A1 (en) Method and Apparatuses for Avoiding Paging Storm During ARP Broadcast for Ethernet Type PDU
WO2018214809A1 (zh) Message sending method and apparatus, and storage medium
WO2019184752A1 (zh) Network device management method, apparatus and system
US20150350043A1 (en) Methods and arrangements for checking connectivity and detecting connectivity failure
WO2011069419A1 (zh) IPv6 packet processing method, device and system
WO2008020732A1 (en) Methods for supporting ipv6 using bridge extension in wireless communication system
CN115118545B (zh) Group management protocol host mobility in Ethernet virtual private network multicast networks
WO2012075850A1 (zh) Method, system and switch for preventing MAC address spoofing
EP2182683B1 (en) Self-configuration of a forwarding tabel in an access node
JP5241957B2 (ja) Method and apparatus for connecting a subscriber device to an IPv6-capable aggregation network
WO2011116710A2 (zh) Neighbor discovery method, apparatus and system
US9025606B2 (en) Method and network node for use in link level communication in a data communications network
JP4169036B2 (ja) Mobility support apparatus
WO2024187314A1 (zh) Active/standby switching method and apparatus, gateway device and storage medium
JP3861885B2 (ja) Mobile terminal and packet transmission method
JP4169037B2 (ja) Mobility registration method
JP4208030B2 (ja) Mobile terminal, mobility support apparatus and network system
JP3861903B2 (ja) Mobile terminal and packet transmission method
WO2012155570A1 (zh) Method, system and node for automatic recovery after IPv6 address duplication
CN111726292A (zh) NHRP protocol isolation method based on the NHRP architecture
Internet-Draft (Network Working Group), M. Boucadair (France Telecom), Levis, J. Touch (USC/ISI); intended status: Informational; expires March 5, 2012
WO2014101155A1 (zh) Method, device and system for VC label allocation and MAC address learning in VPLS

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase. Ref document number: 200980148673.9; Country of ref document: CN
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 09851363; Country of ref document: EP; Kind code of ref document: A1
WWE Wipo information: entry into national phase. Ref document number: 2012539157; Country of ref document: JP
NENP Non-entry into the national phase. Ref country code: DE
WWE Wipo information: entry into national phase. Ref document number: 1202/KOLNP/2012; Country of ref document: IN
WWE Wipo information: entry into national phase. Ref document number: 2009851363; Country of ref document: EP
ENP Entry into the national phase. Ref document number: 20127014077; Country of ref document: KR; Kind code of ref document: A