WO2012003742A1 - Method, apparatus and system for preventing user from modifying ip address privately - Google Patents


Info

Publication number
WO2012003742A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
initial
user
accessed user
server
Prior art date
Application number
PCT/CN2011/073865
Other languages
French (fr)
Chinese (zh)
Inventor
曾红李
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2012003742A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security

Definitions

  • the present invention relates to data communication technologies, and in particular to a method, apparatus and system for preventing a user from modifying an IP address privately.
  • the 802.1x protocol is a client/server (Client/Server) based access control and authentication protocol. It can restrict unauthorized users/devices from accessing the LAN (Local Area Network) / WLAN (Wireless Local Area Network) through the access port (AP, Access Port).
  • 802.1x authenticates the user/device connected to the switch port. Before the authentication is passed, 802.1x only allows the EAPoL (Extensible Authentication Protocol over LAN) data to pass through the switch port connected to the device; After the authentication is passed, normal data can pass through the Ethernet port smoothly.
  • EAPoL: Extensible Authentication Protocol over LAN
  • the 802.1x protocol is a Layer 2 protocol.
  • the IP address of the user is not carried in the protocol messages, so the IP address of the 802.1x user cannot be known on the authentication system. Therefore, if the user modifies the IP address privately on the authentication client, the authentication system cannot know it, and the accounting server keeps charging with the original IP address.
  • the traditional solution is as follows:
  • the authentication client encapsulates the IP address in a private attribute and sends the IP address to the authentication system through the EAPOL-Key packet.
  • this method is relatively simple. However, since the IP address is carried in a private attribute between the authentication client and the authentication system, the client and the authentication system must agree on the value of the private attribute in advance, which makes authentication clients and authentication systems of different manufacturers incompatible. Therefore, this method has not been widely used.
  • IP SOURCE GUARD: prevention of source IP spoofing.
  • these technical solutions can prevent a user who modified the IP address from accessing the Internet through traffic control, but they cannot force the user to go offline: the user gets no network service while the accounting server is still charging, which is unfair to the user. Accordingly, it would be desirable to provide an improved method and apparatus for preventing a user from modifying an IP address privately to overcome the above-discussed deficiencies.
  • the technical problem to be solved by the present invention is to provide a method, device and system for preventing a user from modifying an IP address privately: by forcing the user who privately modified the IP address offline, the 802.1x user is prevented from modifying the IP address privately, and at the same time the fairness of billing is guaranteed.
  • the present invention provides a method for preventing a user from modifying an IP address privately, including:
  • the authentication system obtains an initial IP address assigned by the Dynamic Host Configuration Protocol (DHCP) server to the accessed user, and saves the initial IP address in correspondence with the Media Access Control (MAC) address of the accessed user;
  • DHCP: Dynamic Host Configuration Protocol
  • ARP: Address Resolution Protocol
  • the method further comprises: configuring a DHCP snooping program on the authentication system, intercepting by means of the DHCP snooping program the initial IP address assigned by the DHCP server to the accessed user, and saving the initial IP address in correspondence with the MAC address of the accessed user.
  • DHCP snooping: Dynamic Host Configuration Protocol listening
  • the method includes: finding the initial IP address of the accessed user according to the correspondence between the initial IP address and the MAC address of the accessed user saved in the authentication system, and comparing whether the current IP address of the accessed user is the same as the found initial IP address.
  • the method further includes: initiating an accounting request to the charging server carrying the initial IP address of the accessed user, so as to implement IP-address-based charging.
  • the method further includes notifying the charging server to stop charging.
  • the present invention also provides an apparatus for preventing a user from modifying an IP address privately, the apparatus comprising: an initial IP address obtaining unit, an ARP request analyzing unit, and an executing unit;
  • the initial IP address obtaining unit is configured to obtain an initial IP address allocated by the dynamic host configuration protocol server to the accessed user, and save the initial IP address corresponding to the MAC address of the accessed user;
  • the ARP request analysis unit is configured to receive an ARP request sent by an accessed user and obtain the current IP address and MAC address of the accessed user from the ARP request; the execution unit is configured to determine whether the correspondence between the current IP address and MAC address of the accessed user obtained by the ARP request analysis unit is the same as the correspondence between the initial IP address and MAC address saved by the initial IP address obtaining unit, and, if they are different, to force the accessed user offline.
  • the initial IP address obtaining unit includes: a DHCP snooping subunit and a storage subunit;
  • the DHCP snooping sub-unit is configured to intercept the initial IP address allocated by the DHCP server to the accessed user;
  • the storage subunit is configured to save, in correspondence, the initial IP address and MAC address of the accessed user obtained by the DHCP snooping subunit.
  • the execution unit further includes: an IP address lookup subunit, a comparison subunit, and a control subunit; wherein
  • the IP address lookup subunit is configured to find an initial IP address of the accessed user according to the correspondence between the initial IP address and the MAC address of the accessed user saved by the initial IP address obtaining unit;
  • the comparing subunit is configured to compare whether the initial IP address found by the IP address lookup subunit is the same as the current IP address obtained by the ARP request analyzing unit;
  • the control subunit is configured to force the accessed user to go offline when the comparison result of the comparing subunits is different.
  • the apparatus further comprises an authentication unit for completing the access of the user.
  • the device further includes a charging requesting unit, configured to: after the initial IP address obtaining unit acquires the initial IP address assigned by the DHCP server to the accessed user, initiate a charging request to the charging server carrying the initial IP address of the accessed user, so as to implement IP-address-based charging.
  • the apparatus further includes a stop charging unit, configured to notify the charging server to stop charging after the accessed user is forced to go offline.
  • the present invention also provides a system for preventing a user from modifying an IP address.
  • the system includes: an authentication server, a DHCP server, and a device for preventing a user from modifying an IP address privately; the authentication server is configured to complete user access;
  • the DHCP server is configured to allocate an initial IP address to the accessed user.
  • the system further comprises an accounting server for performing charging based on an initial IP address of the accessed user sent by the authentication server.
  • the charging server is further configured to stop charging after the accessed user is forced to go offline.
  • the means for preventing a user from modifying the IP address privately is the same entity as the authentication server.
  • in the method, device and system for preventing a user from modifying an IP address privately, the ARP request sent by the user after modifying the IP address is analyzed to obtain the current IP address and MAC address of the user, and the correspondence between the current IP address and the MAC address is compared with the correspondence between the initial IP address assigned by the DHCP server and the MAC address. If they are different, the user is forced offline, thereby preventing the 802.1x user from modifying the IP address privately. Since the user is forced offline, the accounting server stops charging, so the user is prevented from modifying the IP address privately and the fairness of charging is ensured.
  • FIG. 1 is a flowchart of a first embodiment of a method for preventing a user from modifying an IP address privately
  • FIG. 2 is a flowchart of a second embodiment of a method for preventing a user from modifying an IP address privately
  • FIG. 4 is a schematic structural view of an embodiment of an apparatus for preventing a user from modifying an IP address privately;
  • FIG. 5 is a schematic structural diagram of another embodiment of an apparatus for preventing a user from modifying an IP address privately.
  • the present invention provides a method, device and system for preventing a user from modifying an IP address privately, and can prevent the 802.1x user from modifying the IP address privately by forcing the user who modified the IP address to go offline.
  • FIG. 1 is a flowchart of a first embodiment of a method for preventing a user from modifying an IP address privately.
  • the method for preventing a user from modifying an IP address privately includes the following steps:
  • Step S101 The authentication system acquires an initial IP address assigned by the DHCP server to the accessed user, and saves the initial IP address corresponding to the MAC address of the accessed user.
  • the step can be implemented by configuring a DHCP snooping program on the authentication system.
  • the authentication system can automatically intercept the binding between the initial IP address assigned by the DHCP server and the MAC address of the user.
  • Step S102 The authentication system receives the ARP request sent by the accessed user and obtains the current IP address and MAC address of the accessed user from the ARP request. Specifically, after the user privately modifies the IP address, the user's host automatically sends a gratuitous ARP request to check whether there is an address conflict. After receiving the ARP request, the authentication system analyzes the content of the packet to obtain the current IP address and MAC address in use after the modification.
  • Step S103 Determine whether the correspondence between the current IP address and MAC address of the accessed user is the same as the correspondence between the initial IP address and MAC address saved in the authentication system; if not, force the accessed user offline. Specifically, forcing the accessed user offline includes notifying the charging server to stop charging.
  • determining whether the correspondence between the current IP address and MAC address of the accessed user is the same as the correspondence between the initial IP address and MAC address stored in the authentication system includes: finding the initial IP address of the user according to the correspondence between the initial IP address and the MAC address of the accessed user saved in the authentication system, and comparing whether the current IP address of the accessed user is the same as the found initial IP address.
  • in this method, the current IP address and MAC address of the user are obtained by analyzing the ARP request the user sends after modifying the IP address, and their correspondence is compared with the correspondence between the initial IP address assigned by the DHCP server and the MAC address. If the mapping differs, the user is forced offline, which prevents the 802.1x user from modifying the IP address privately. Since the user is forced offline, the accounting server stops charging; therefore the user is prevented from modifying the IP address privately and the fairness of charging is ensured.
  • FIG. 2 is a flowchart of a second embodiment of a method for preventing a user from modifying an IP address privately. As shown in FIG. 2, the method for preventing a user from modifying an IP address by using a second embodiment includes the following steps:
  • Step S201 Configure a DHCP snooping program on the authentication system.
  • Step S202 The authentication system authenticates the user who initiated the authentication request: if the authentication is passed, the process proceeds to step S203; if the authentication fails, the process proceeds to step S204.
  • Step S203 The user client automatically sends a DHCP application IP address.
  • Step S204 The user goes offline.
  • Step S205 The authentication system intercepts the DHCP packet through the DHCP snooping program and obtains the initial IP address assigned to the user by the DHCP server.
  • Step S206 The authentication system initiates an accounting request to the accounting server, and carries the initial IP address of the accessed user to implement IP address-based charging.
  • Step S207 After the user privately modifies the IP address, the user's host sends a gratuitous ARP request.
  • Step S208 The authentication system receives the ARP request, analyzes the content of the packet, and obtains the current IP address and MAC address of the user.
  • Step S209 Determine whether the correspondence between the current IP address and MAC address of the accessed user is the same as the correspondence between the initial IP address and MAC address stored in the authentication system. If they are the same, step S211 is performed; if they are different, step S210 is performed. Specifically, this step is implemented as follows: first, the initial IP address of the user is found according to the correspondence between the initial IP address and the MAC address of the accessed user saved in the authentication system; then the current IP address of the accessed user is compared with the found initial IP address.
  • Step S210 The user goes offline and notifies the charging server to stop charging. Specifically, it can be implemented by sending a charging stop message to the accounting server.
  • the method for preventing a user from modifying an IP address privately in this embodiment analyzes the ARP request sent by the user after modifying the IP address to obtain the current IP address and MAC address of the user, and compares their correspondence with the correspondence between the initial IP address assigned by the DHCP server and the MAC address. If the mappings differ, the user is forced offline, which prevents the 802.1x user from modifying the IP address privately. Since the user is forced offline, the accounting server stops charging; therefore the user is prevented from modifying the IP address privately and the fairness of charging is ensured.
  • Figure 3 is a block diagram showing an embodiment of a system for preventing a user from privately tampering with an IP address.
  • the system for preventing a user from modifying an IP address privately includes: a DHCP server 31, an authentication server 32, and a device for preventing a user from modifying an IP address privately.
  • the device for preventing the user from modifying the IP address privately and the authentication server 32 are the same entity, that is, the device is configured on the authentication server 32; however, the device may also be an entity independent of the authentication server 32.
  • the authentication server 32 is configured to complete access by the user 34.
  • the DHCP server 31 is configured to allocate an initial IP address to the user 34.
  • the system for preventing the user from modifying the IP address by itself may further include an accounting server 33 for performing charging based on the initial IP address of the accessed user sent by the authentication server 32.
  • the charging server 33 may be further configured to stop charging after the authentication server 32 forces the accessed user to go offline.
  • the system for preventing the user from modifying the IP address privately obtains, from the ARP request, the current IP address and MAC address of the user who privately modified the IP address, and compares their correspondence with the correspondence between the initial IP address assigned by the DHCP server and the MAC address. If they are different, the accessed user is forced offline, so as to prevent the 802.1x user from modifying the IP address privately. Since the user is forced offline, the accounting server stops charging; therefore the user is prevented from modifying the IP address privately and the fairness of charging is ensured.
  • Figure 4 is a block diagram showing the structure of an embodiment of an apparatus for preventing a user from modifying an IP address privately.
  • the apparatus 4 for preventing a user from modifying an IP address privately in this embodiment includes: an initial IP address obtaining unit 41, an ARP request analyzing unit 43, and an executing unit 42; the initial IP address obtaining unit 41 is configured to obtain the initial IP address allocated by the DHCP server to the accessed user and save it in correspondence with the MAC address of the accessed user;
  • the ARP request analyzing unit 43 is configured to receive the ARP request sent by the accessed user and obtain the current IP address and MAC address of the accessed user from the ARP request; the executing unit 42 is configured to determine whether the correspondence between the current IP address and MAC address of the accessed user obtained by the ARP request analyzing unit 43 is the same as the correspondence between the initial IP address and MAC address stored by the initial IP address obtaining unit 41 and, if they are different, to force the accessed user offline.
  • the initial IP address obtaining unit 41 includes: a DHCP snooping subunit 411 and a storage subunit 412;
  • the DHCP snooping subunit 411 is configured to intercept the initial IP address assigned by the DHCP server to the accessed user;
  • the storage subunit 412 is configured to correspondingly save an initial IP address and a MAC address of the accessed user obtained by the DHCP snooping subunit 411.
  • the execution unit 42 includes: an IP address lookup subunit 421, a comparison subunit 422, and a control subunit 423;
  • the IP address lookup subunit 421 is configured to find the initial IP address of the user according to the correspondence between the initial IP address and the MAC address of the accessed user saved by the initial IP address obtaining unit 41.
  • the comparison sub-unit 422 is configured to compare whether the initial IP address found by the IP address lookup sub-unit 421 is the same as the current IP address obtained by the ARP request analysis unit 43; the control subunit 423 is configured to force the accessed user offline when the comparison result of the comparison sub-unit 422 is different. Since the user is forced offline, the accounting server stops charging; therefore the user is prevented from modifying the IP address privately and the fairness of charging is ensured.
  • FIG. 5 is a block diagram showing another embodiment of an apparatus for preventing a user from modifying an IP address privately.
  • the apparatus for preventing a user from modifying an IP address privately includes: an initial IP address obtaining unit 51, an ARP request analyzing unit 53, an executing unit 52, an authenticating unit 54, and a charging requesting unit 55;
  • the initial IP address obtaining unit 51 is configured to obtain the initial IP address allocated by the DHCP server to the accessed user and save it in correspondence with the MAC address of the accessed user; the ARP request analyzing unit 53 is configured to receive the ARP request sent by the accessed user and obtain the current IP address and MAC address of the accessed user from the ARP request;
  • the executing unit 52 is configured to determine whether the correspondence between the current IP address and MAC address of the accessed user obtained by the ARP request analyzing unit 53 is the same as the correspondence between the initial IP address and MAC address saved by the initial IP address obtaining unit 51; if they are different, the accessed user is forced offline and the accounting server is notified to stop charging.
  • the authentication unit 54 is configured to complete access by a user.
  • the charging requesting unit 55 is configured to: after the initial IP address obtaining unit 51 acquires an initial IP address assigned by the DHCP server to the accessed user, initiate an accounting request to the charging server, and carry the accessed The user's initial IP address to implement IP address-based charging.
  • the apparatus compares the correspondence between the current IP address and MAC address obtained from the ARP request with the correspondence between the initial IP address assigned by the DHCP server and the MAC address. If they are different, the accessed user is forced offline, so as to prevent the 802.1x user from modifying the IP address privately. Since the user is forced offline, the accounting server stops charging; therefore the user is prevented from modifying the IP address privately and the fairness of charging is ensured.

Abstract

Disclosed in the invention is a method for preventing a user from modifying an Internet Protocol (IP) address privately. The method includes: obtaining, by an authentication system, an initial IP address which is allocated to an accessing user by a Dynamic Host Configuration Protocol (DHCP) server, and saving the IP address in correspondence with the Media Access Control (MAC) address of the user (S101); receiving an Address Resolution Protocol (ARP) request sent by the accessing user and obtaining, based on the ARP request, a current IP address and MAC address of the accessing user (S102); determining whether the corresponding relation between the current IP address and MAC address of the accessing user is identical with the corresponding relation between the initial IP address and MAC address saved in the authentication system, and if not, forcing the accessing user to be off-line (S103). An apparatus and a system for preventing a user from modifying an IP address privately are also provided in the invention. With the method, apparatus and system for preventing the user from modifying the IP address privately provided in the invention, the purpose of preventing the user of 802.1x from modifying the IP address privately is achieved by forcing the user who modifies the IP address privately to be off-line.

Description

Method, device and system for preventing a user from modifying an IP address privately

Technical field

The present invention relates to data communication technologies, and in particular to a method, device and system for preventing a user from modifying an IP address privately.

Background

Existing user authentication is mostly implemented on the basis of the 802.1x protocol. 802.1x is a client/server (Client/Server) based access control and authentication protocol. It can restrict unauthorized users/devices from accessing a local area network (LAN) or wireless local area network (WLAN) through the access port (AP, Access Port). Before the user/device connected to a switch port may obtain the services provided by the switch or the LAN, 802.1x authenticates it. Before authentication passes, 802.1x only allows Extensible Authentication Protocol over LAN (EAPoL) data through the switch port to which the device is connected; after authentication passes, normal data can pass through the Ethernet port.

802.1x is a Layer 2 protocol, and its messages do not carry the user's IP address, so the authentication system cannot know the 802.1x user's IP address. Therefore, if the user modifies the IP address privately on the authentication client, the authentication system cannot know it, and the accounting server keeps charging with the original IP address.

The traditional solution is the following: during authentication, the authentication client encapsulates the IP address in a private attribute and sends it to the authentication system in an EAPOL-Key packet. This method is relatively simple, but because the IP address is carried in a private attribute, the client and the authentication system must agree on the value of the private attribute in advance, which makes authentication clients and authentication systems of different manufacturers incompatible. Therefore, this method has not been widely used.

The methods currently used to prevent users from modifying IP addresses privately include techniques such as prevention of source IP spoofing (IP SOURCE GUARD). Although these technical solutions can use traffic control to stop a user who privately modified the IP address from accessing the network, they cannot force the user to go offline: the user gets no network service while the accounting server is still charging, which is unfair to the user. Accordingly, an improved method and device for preventing a user from modifying an IP address privately is urgently needed to overcome the above deficiencies.

Summary of the invention
The technical problem to be solved by the present invention is to provide a method, device and system for preventing a user from modifying an IP address privately: by forcing the user who privately modified the IP address offline, the 802.1x user is prevented from modifying the IP address privately, and at the same time the fairness of charging is guaranteed.

In order to solve the above technical problem, the present invention provides a method for preventing a user from modifying an IP address privately, including:

an authentication system obtains the initial IP address assigned by a Dynamic Host Configuration Protocol (DHCP) server to an accessed user, and saves the initial IP address in correspondence with the Media Access Control (MAC) address of the accessed user;

receives an Address Resolution Protocol (ARP) request sent by the accessed user and, according to the ARP request, obtains the current IP address and MAC address of the accessed user;

determines whether the correspondence between the current IP address and MAC address of the accessed user is the same as the correspondence between the initial IP address and MAC address saved in the authentication system and, if they are different, forces the accessed user offline.

Preferably, the method further includes: configuring a DHCP snooping program on the authentication system, intercepting by means of the DHCP snooping program the initial IP address assigned by the DHCP server to the accessed user, and saving the initial IP address in correspondence with the MAC address of the accessed user.

Specifically, determining whether the correspondence between the current IP address and MAC address of the accessed user is the same as the correspondence between the initial IP address and MAC address saved in the authentication system includes: finding the initial IP address of the accessed user according to the correspondence between the initial IP address and the MAC address of the accessed user saved in the authentication system, and comparing whether the current IP address of the accessed user is the same as the found initial IP address.

Preferably, after obtaining the initial IP address assigned by the DHCP server to the accessed user, the method further includes: initiating an accounting request to the accounting server carrying the initial IP address of the accessed user, so as to implement IP-address-based charging.

Preferably, after the accessed user is forced offline, the method further includes notifying the accounting server to stop charging.
本发明还提供了一种防止用户私自修改 IP地址的装置, 该装置包括: 初始 IP地址获取单元、 ARP请求分析单元、 以及执行单元; 其中,  The present invention also provides an apparatus for preventing a user from modifying an IP address privately, the apparatus comprising: an initial IP address obtaining unit, an ARP request analyzing unit, and an executing unit;
所述初始 IP地址获取单元, 用于获取动态主机配置协议服务器分配给 已接入用户的初始 IP地址,并将所述初始 IP地址与所述已接入用户的 MAC 地址对应保存;  The initial IP address obtaining unit is configured to obtain an initial IP address allocated by the dynamic host configuration protocol server to the accessed user, and save the initial IP address corresponding to the MAC address of the accessed user;
所述 ARP请求分析单元,用于接收已接入用户发送的 ARP请求,并根 据所述 ARP请求, 获取所述已接入用户的当前 IP地址和 MAC地址; 所述执行单元, 用于判断所述 ARP请求分析单元获得的已接入用户的 当前 IP地址和 MAC地址的对应关系与所述初始 IP地址获取单元保存的初 始 IP地址和 MAC地址的对应关系是否相同, 确定不同时, 强制所述已接 入用户下线。  The ARP request analysis unit is configured to receive an ARP request sent by an accessed user, and obtain a current IP address and a MAC address of the accessed user according to the ARP request, where the execution unit is configured to determine Whether the correspondence between the current IP address and the MAC address of the accessed user obtained by the ARP request analysis unit is the same as the correspondence between the initial IP address and the MAC address saved by the initial IP address obtaining unit, and if the determination is different, the The connected user has gone offline.
优选地, 所述初始 IP地址获取单元包括: DHCP snooping子单元以及 存储子单元; 其中,  Preferably, the initial IP address obtaining unit includes: a DHCP snooping subunit and a storage subunit;
所述 DHCP snooping子单元, 用于截取 DPCH服务器分配给已接入用 户的初始 IP地址;  The DHCP snooping sub-unit is configured to intercept an initial IP address allocated by the DPCH server to the accessed user;
所述存储子单元, 用于对应保存所述 DHCP snooping子单元获取的所 述已接入用户的初始 IP地址和 MAC地址。 The storage subunit is configured to save the location obtained by the DHCP snooping subunit The initial IP address and MAC address of the accessed user.
具体地, 所述执行单元进一步包括: IP地址查找子单元、 比较子单元、 以及控制子单元; 其中,  Specifically, the execution unit further includes: an IP address lookup subunit, a comparison subunit, and a control subunit; wherein
所述 IP地址查找子单元,用于根据所述初始 IP地址获取单元保存的所 述已接入用户的初始 IP地址和 MAC地址的对应关系查找到所述已接入用 户的初始 IP地址;  The IP address lookup subunit is configured to find an initial IP address of the accessed user according to the correspondence between the initial IP address and the MAC address of the accessed user saved by the initial IP address obtaining unit;
所述比较子单元,用于比较所述 IP地址查找子单元查找到的初始 IP地 址与 ARP请求分析单元获得的当前 IP地址是否相同;  The comparing subunit is configured to compare whether the initial IP address found by the IP address lookup subunit is the same as the current IP address obtained by the ARP request analyzing unit;
所述控制子单元, 用于当所述比较子单元的比较结果为不同时, 强迫 所述已接入用户下线。  The control subunit is configured to force the accessed user to go offline when the comparison result of the comparing subunits is different.
较佳地, 该装置进一步包括认证单元, 用于完成用户的接入。  Preferably, the apparatus further comprises an authentication unit for completing the access of the user.
优选地, 该装置进一步包括: 计费请求单元, 用于在所述初始 IP地址 获取单元获取 DHCP服务器分配给已接入用户的初始 IP地址后, 向计费服 务器发起计费请求, 并携带所述已接入用户的初始 IP地址, 以实现基于 IP 地址的计费。  Preferably, the device further includes: a charging requesting unit, configured to: after the initial IP address obtaining unit acquires an initial IP address assigned by the DHCP server to the accessed user, initiate a charging request to the charging server, and carry the The initial IP address of the accessed user is described to implement IP address based charging.
优选地, 该装置进一步包括停止计费单元, 用于当所述已接入用户被 强迫下线后, 通知计费服务器停止计费。  Preferably, the apparatus further includes a stop charging unit, configured to notify the charging server to stop charging after the accessed user is forced to go offline.
本发明还提供了一种防止用户私自修改 IP地址的系统, 该系统包括: 认证服务器、 DHCP服务器、 以及防止用户私自修改 IP地址的装置; 其中, 所述认证服务器, 用于完成用户的接入;  The present invention also provides a system for preventing a user from modifying an IP address. The system includes: an authentication server, a DHCP server, and a device for preventing a user from modifying an IP address privately; wherein the authentication server is configured to complete user access. ;
所述 DHCP服务器, 用于为已接入用户分配初始 IP地址;  The DHCP server is configured to allocate an initial IP address to the accessed user.
所述防止用户私自修改 IP地址的装置, 用于获取 DHCP服务器分配给 已接入用户的初始 IP地址, 将所述初始 IP地址与所述已接入用户的 MAC 地址对应保存;并接收已接入用户发送的 ARP请求,并根据所述 ARP请求, 获取所述已接入用户的当前 IP地址和 MAC地址, 并判断所述已接入用户 的当前 IP地址和 MAC地址的对应关系与保存的初始 IP地址和 MAC地址 的对应关系是否相同, 确定不同时, 强制所述已接入用户下线。 And the device for preventing the user from modifying the IP address to obtain the initial IP address assigned by the DHCP server to the accessed user, and storing the initial IP address corresponding to the MAC address of the accessed user; Entering an ARP request sent by the user, and obtaining a current IP address and a MAC address of the accessed user according to the ARP request, and determining the accessed user If the correspondence between the current IP address and the MAC address is the same as the relationship between the saved initial IP address and the MAC address, if the difference is determined, the connected user is forced to go offline.
优选地, 该系统进一步包括计费服务器, 用于基于所述认证服务器发 送的已接入用户的初始 IP地址, 进行计费。  Preferably, the system further comprises an accounting server for performing charging based on an initial IP address of the accessed user sent by the authentication server.
优选地, 所述计费服务器还用于在所述已接入用户被强迫下线后停止 计费。  Preferably, the charging server is further configured to stop charging after the accessed user is forced to go offline.
优选地, 所述防止用户私自修改 IP地址的装置与所述认证服务器为同 一实体。  Preferably, the means for preventing a user from modifying the IP address privately is the same entity as the authentication server.
本发明的防止用户私自修改 IP地址的方法、 装置和系统通过分析用户 修改 IP地址后发送的 ARP请求 , 获取所述用户的当前 IP地址和 MAC地 址, 并将当前 IP地址和 MAC与 DHCP 务器分配给它的初始 IP地址与 MAC 地址的对应关系相比较, 若不同, 则强迫用户下线, 从而达到防止 802.1x用户私自修改 IP地址的目的。 由于用户被强迫下线, 计费服务器停 止计费, 所以在防止用户私自修改 IP地址的同时, 保证了计费的公平性。 附图说明  The method, device and system for preventing a user from modifying an IP address by analyzing the ARP request sent by the user after modifying the IP address, obtaining the current IP address and MAC address of the user, and the current IP address and the MAC and the DHCP server The initial IP address assigned to it is compared with the corresponding relationship of the MAC address. If it is different, the user is forced to go offline, thereby preventing the 802.1x user from modifying the IP address privately. Since the user is forced to go offline, the accounting server stops charging, so the user is prevented from modifying the IP address privately, and the fairness of the charging is ensured. DRAWINGS
Fig. 1 is a flowchart of a first embodiment of the method of the present invention for preventing a user from privately modifying an IP address; Fig. 2 is a flowchart of a second embodiment of the method of the present invention for preventing a user from privately modifying an IP address; Fig. 3 is a schematic structural diagram of an embodiment of the system of the present invention for preventing a user from privately modifying an IP address;
Fig. 4 is a schematic structural diagram of an embodiment of the apparatus of the present invention for preventing a user from privately modifying an IP address;
Fig. 5 is a schematic structural diagram of another embodiment of the apparatus of the present invention for preventing a user from privately modifying an IP address.
Detailed Description of the Embodiments
The present invention provides a method, apparatus and system for preventing a user from privately modifying an IP address, which achieve the purpose of preventing an 802.1x user from privately modifying an IP address by forcing offline any user who has privately modified the IP address.
Fig. 1 is a flowchart of a first embodiment of the method of the present invention for preventing a user from privately modifying an IP address. The method of this embodiment includes the following steps:
Step S101: the authentication system obtains the initial IP address assigned by the DHCP server to the accessed user and saves the initial IP address in correspondence with the MAC address of the accessed user. Specifically, this step can be implemented by configuring a DHCP snooping program on the authentication system, by means of which the authentication system automatically intercepts the binding between the initial IP address assigned by the DHCP server to the user and the user's MAC address.
Step S102: the authentication system receives an ARP request sent by the accessed user and obtains the current IP address and MAC address of the accessed user according to the ARP request. Specifically, after a user privately modifies the IP address, the user's host actively sends a gratuitous ARP request to check for an address conflict. On receiving that ARP request, the authentication system analyses the packet content and thereby obtains the current IP address and MAC address of the user after the IP address was modified.
Step S103: determine whether the correspondence between the current IP address and MAC address of the accessed user is the same as the correspondence between the initial IP address and MAC address saved in the authentication system; if they differ, force the accessed user offline. Specifically, forcing the accessed user offline includes notifying the accounting server to stop accounting.
Specifically, determining whether the correspondence between the current IP address and MAC address of the accessed user is the same as the correspondence between the initial IP address and MAC address saved in the authentication system includes: finding the initial IP address of the user according to the correspondence between the initial IP address and MAC address of the accessed user saved in the authentication system; and comparing whether the current IP address of the accessed user is the same as the initial IP address found.
The method of this embodiment for preventing a user from privately modifying an IP address analyses the ARP request sent by the user after the IP address has been modified, obtains the current IP address and MAC address of the user, and compares the current IP address and MAC address with the correspondence between the initial IP address assigned to the user by the DHCP server and the MAC address; if they differ, the user is forced offline, thereby achieving the purpose of preventing an 802.1x user from privately modifying the IP address. Because the user is forced offline, the accounting server stops accounting, so fairness of accounting is ensured at the same time as the user is prevented from privately modifying the IP address.
Fig. 2 is a flowchart of a second embodiment of the method of the present invention for preventing a user from privately modifying an IP address. As shown in Fig. 2, the method of the second embodiment includes the following steps:
Step S201: configure a DHCP snooping program on the authentication system.
Step S202: the authentication system authenticates the user who initiated the authentication request: if authentication passes, proceed to step S203; if authentication fails, proceed to step S204.
Step S203: the user's client automatically sends a DHCP request to apply for an IP address.
Step S204: the user goes offline.
Step S205: the authentication system intercepts the DHCP packet by means of the DHCP snooping program and obtains the initial IP address assigned to the user by the DHCP server.
Step S206: the authentication system initiates an accounting request to the accounting server, carrying the initial IP address of the accessed user, so as to implement IP-address-based accounting.
Step S207: after privately modifying the IP address, the user's host actively initiates a gratuitous ARP request.
Step S208: the authentication system receives the ARP request, analyses the packet content and obtains the current IP address and MAC address of the user.
Step S209: determine whether the correspondence between the current IP address and MAC address of the accessed user is the same as the correspondence between the initial IP address and MAC address saved in the authentication system; if they are the same, perform step S211; if they differ, perform step S210. Specifically, this step is implemented as follows: first, find the initial IP address of the user according to the correspondence between the initial IP address and MAC address of the accessed user saved in the authentication system; then compare whether the current IP address of the accessed user is the same as the initial IP address found.
Step S210: the user goes offline and the accounting server is notified to stop accounting. Specifically, this can be implemented by sending an accounting stop packet to the accounting server.
The method of this embodiment for preventing a user from modifying an IP address analyses the ARP request sent by the user after the IP address has been modified, obtains the current IP address and MAC address of the user, and compares the current IP address and MAC address with the correspondence between the initial IP address assigned to the user by the DHCP server and the MAC address; if they differ, the user is forced offline, thereby achieving the purpose of preventing an 802.1x user from privately modifying the IP address. Because the user is forced offline, the accounting server stops accounting, so fairness of accounting is ensured at the same time as the user is prevented from privately modifying the IP address.
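The following Python is an added illustration, not code from the patent or from any ZTE product, of the detection flow of steps S201 to S210 and of the unit structure described for Figs. 4 and 5: a binding table filled from DHCP snooping, a parser for the sender fields of an incoming ARP frame, the lookup/compare/control decision, and the accounting start and stop events. The MAC and IP addresses, the `AuthSystem` class and the list used as a stand-in for the accounting server are all constructed for the example.

```python
import struct

# Ethernet/IPv4 ARP layout (RFC 826): hardware type, protocol type, hardware
# length, protocol length, opcode, sender MAC, sender IP, target MAC, target IP.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes
ETH_HDR_LEN = 14
ETHERTYPE_ARP = 0x0806


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_sender(frame: bytes):
    """ARP request analysis unit: return (sender MAC, sender IP) from an
    Ethernet/ARP frame, or None if the frame is not a well-formed IPv4 ARP.

    The sender fields are read regardless of opcode, so an ordinary request
    and a gratuitous request (sender IP == target IP) are handled alike.
    """
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_to_str(sha), ip_to_str(spa)


class AuthSystem:
    """Constructed model of the authentication system holding the
    DHCP-snooped IP/MAC bindings.

    `accounting` is a stand-in for the accounting server: every
    Accounting-Start / Accounting-Stop event is appended to it.
    """

    def __init__(self, accounting: list):
        self.bindings = {}  # MAC -> initial IP (storage sub-unit)
        self.accounting = accounting

    def on_dhcp_ack(self, mac: str, ip: str) -> None:
        """DHCP snooping sub-unit (S205) followed by the accounting request (S206)."""
        self.bindings[mac] = ip
        self.accounting.append(("Accounting-Start", mac, ip))

    def on_arp_frame(self, frame: bytes) -> str:
        """Execution unit (S208 to S210): compare the ARP sender IP with the
        snooped binding for that MAC and force the user offline on mismatch."""
        parsed = parse_arp_sender(frame)
        if parsed is None:
            return "ignored"
        mac, current_ip = parsed
        initial_ip = self.bindings.get(mac)  # IP address lookup sub-unit
        if initial_ip is None:
            return "unknown-user"  # no binding: not an accessed user
        if current_ip == initial_ip:  # comparison sub-unit
            return "ok"
        # Control sub-unit: binding dropped (user offline), accounting stopped.
        del self.bindings[mac]
        self.accounting.append(("Accounting-Stop", mac, initial_ip))
        return "forced-offline"


def build_gratuitous_arp(mac: str, ip: str) -> bytes:
    """Construct the gratuitous ARP request a host emits after changing its IP
    (sender IP == target IP, broadcast destination). Sample input only."""
    mac_raw = bytes.fromhex(mac.replace(":", ""))
    ip_raw = bytes(int(octet) for octet in ip.split("."))
    eth = b"\xff" * 6 + mac_raw + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,
                      mac_raw, ip_raw, b"\x00" * 6, ip_raw)
    return eth + arp


def demo():
    """Walk one user through S205/S206, an ARP with the assigned IP, then an
    ARP with a changed IP. Returns the two decisions and the accounting events."""
    events = []
    auth = AuthSystem(events)
    user_mac = "00:11:22:33:44:55"            # constructed
    auth.on_dhcp_ack(user_mac, "192.0.2.10")  # constructed DHCP-assigned IP
    unchanged = auth.on_arp_frame(build_gratuitous_arp(user_mac, "192.0.2.10"))
    changed = auth.on_arp_frame(build_gratuitous_arp(user_mac, "192.0.2.99"))
    return unchanged, changed, events


if __name__ == "__main__":
    print(demo())
```

As in the patent, the lookup is keyed on the MAC address, so frames whose sender MAC has no DHCP-snooped binding are only reported as unknown rather than acted on.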
Fig. 3 is a schematic structural diagram of an embodiment of the system of the present invention for preventing a user from privately modifying an IP address. As shown in Fig. 3, the system of this embodiment includes: a DHCP server 31, an authentication server 32 and an apparatus for preventing a user from privately modifying an IP address. In this embodiment, the apparatus for preventing a user from privately modifying an IP address and the authentication server 32 are the same entity, that is, the apparatus is configured on the authentication server 32; this is not limiting, however, and the apparatus may also be an entity independent of the authentication server 32.
The authentication server 32 is configured to complete the access of a user 34;
the DHCP server 31 is configured to assign an initial IP address to the user 34;
the apparatus for preventing a user from privately modifying an IP address is configured to obtain the initial IP address assigned by the DHCP server 31 to the user 34 and save the initial IP address in correspondence with the MAC address of the user 34; to receive the ARP request sent by the user 34 and obtain, according to the ARP request, the current IP address and MAC address of the user 34; and to determine whether the correspondence between the current IP address and MAC address of the user 34 is the same as the saved correspondence between the initial IP address and MAC address, and, if they differ, to force the accessed user offline.
The system of this embodiment may further include an accounting server 33 configured to perform accounting based on the initial IP address of the accessed user sent by the authentication server 32. In addition, the accounting server 33 may further be configured to stop accounting after the authentication server 32 has forced the accessed user offline.
The system of this embodiment for preventing a user from privately modifying an IP address obtains, from the ARP request, the current IP address and MAC address of a user who has privately modified the IP address, and compares the current IP address and MAC address with the correspondence between the initial IP address assigned to that user by the DHCP server and the MAC address; if they differ, the accessed user is forced offline, thereby achieving the purpose of preventing an 802.1x user from privately modifying the IP address. Because the user is forced offline, the accounting server stops accounting, so fairness of accounting is ensured at the same time as the user is prevented from privately modifying the IP address.
Fig. 4 is a schematic structural diagram of an embodiment of the apparatus of the present invention for preventing a user from privately modifying an IP address. As shown in Fig. 4, the apparatus 4 of this embodiment includes: an initial IP address acquisition unit 41, an ARP request analysis unit 43 and an execution unit 42; wherein
the initial IP address acquisition unit 41 is configured to obtain the initial IP address assigned by the Dynamic Host Configuration Protocol server to the accessed user and to save the initial IP address in correspondence with the MAC address of the accessed user;
the ARP request analysis unit 43 is configured to receive an ARP request sent by the accessed user and to obtain, according to the ARP request, the current IP address and MAC address of the accessed user;
the execution unit 42 is configured to determine whether the correspondence between the current IP address and MAC address of the accessed user obtained by the ARP request analysis unit 43 is the same as the correspondence between the initial IP address and MAC address saved by the initial IP address acquisition unit 41, and, if they differ, to force the accessed user offline.
In this embodiment, the initial IP address acquisition unit 41 includes: a DHCP snooping sub-unit 411 and a storage sub-unit 412; wherein
the DHCP snooping sub-unit 411 is configured to intercept the initial IP address assigned by the DHCP server to the accessed user;
the storage sub-unit 412 is configured to save, in correspondence with each other, the initial IP address and the MAC address of the accessed user obtained by the DHCP snooping sub-unit 411.
In this embodiment, the execution unit 42 includes: an IP address lookup sub-unit 421, a comparison sub-unit 422 and a control sub-unit 423; wherein
the IP address lookup sub-unit 421 is configured to find the initial IP address of the accessed user according to the correspondence between the initial IP address and MAC address of the accessed user saved by the initial IP address acquisition unit 41;
the comparison sub-unit 422 is configured to compare whether the initial IP address found by the IP address lookup sub-unit 421 is the same as the current IP address obtained by the ARP request analysis unit 43;
forcing the accessed user offline. Because the user is forced offline, the accounting server stops accounting, so fairness of accounting is ensured at the same time as the user is prevented from privately modifying the IP address.
Fig. 5 is a schematic structural diagram of another embodiment of the apparatus of the present invention for preventing a user from privately modifying an IP address. As shown in Fig. 5, the apparatus of this embodiment includes: an initial IP address acquisition unit 51, an ARP request analysis unit 53, an execution unit 52, an authentication unit 54 and an accounting request unit 55; wherein
the initial IP address acquisition unit 51 is configured to obtain the initial IP address assigned by the DHCP server to the accessed user
the ARP request analysis unit 53 is configured to receive an ARP request sent by the accessed user and to obtain, according to the ARP request, the current IP address and MAC address of the accessed user;
the execution unit 52 is configured to determine whether the correspondence between the current IP address and MAC address of the accessed user obtained by the ARP request analysis unit 53 is the same as the correspondence between the initial IP address and MAC address saved by the initial IP address acquisition unit 51, and, if they differ, to force the accessed user offline and notify the accounting server to stop accounting;
the authentication unit 54 is configured to complete the access of the user;
the accounting request unit 55 is configured to, after the initial IP address acquisition unit 51 has obtained the initial IP address assigned by the DHCP server to the accessed user, initiate an accounting request to the accounting server, carrying the initial IP address of the accessed user, so as to implement IP-address-based accounting.
The apparatus of this embodiment for preventing a user from privately modifying an IP address obtains, from the ARP request, the current IP address and MAC address of a user who has privately modified the IP address, and compares the current IP address and MAC address with the correspondence between the initial IP address assigned to the user by the DHCP server and the user's MAC address; if they differ, the accessed user is forced offline, thereby achieving the purpose of preventing an 802.1x user from privately modifying the IP address. Because the user is forced offline, the accounting server stops accounting, so fairness of accounting is ensured at the same time as the user is prevented from privately modifying the IP address.
The above are merely preferred embodiments of the present invention and are not intended to limit the patent scope of the present invention; any equivalent structural or equivalent process transformation made using the contents of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims

1. A method for preventing a user from privately modifying an IP address, characterized in that the method includes: an authentication system obtaining an initial IP address assigned by a Dynamic Host Configuration Protocol server to an accessed user and saving the initial IP address in correspondence with the MAC address of the accessed user;
receiving an Address Resolution Protocol request sent by the accessed user and obtaining, according to the Address Resolution Protocol request, the current IP address and MAC address of the accessed user; and
determining whether the correspondence between the current IP address and MAC address of the accessed user is the same as the correspondence between the initial IP address and MAC address saved in the authentication system, and, when they are determined to be different, forcing the accessed user offline.
2. The method according to claim 1, characterized in that the method further includes: configuring a Dynamic Host Configuration Protocol snooping program on the authentication system, intercepting, by means of the Dynamic Host Configuration Protocol snooping program, the initial IP address assigned by the Dynamic Host Configuration Protocol server to the accessed user, and saving the initial IP address in correspondence with the MAC address of the accessed user.
3. The method according to claim 1, characterized in that determining whether the correspondence between the current IP address and MAC address of the accessed user is the same as the correspondence between the initial IP address and MAC address saved in the authentication system includes:
finding the initial IP address of the accessed user according to the correspondence between the initial IP address and MAC address of the accessed user saved in the authentication system; and
comparing whether the current IP address of the accessed user is the same as the initial IP address found.
4. The method according to claim 1, 2 or 3, characterized in that, after the initial IP address assigned by the Dynamic Host Configuration Protocol server to the accessed user has been obtained, the method further includes: initiating an accounting request to an accounting server, carrying the initial IP address of the accessed user, so as to implement IP-address-based accounting.
5. An apparatus for preventing a user from privately modifying an IP address, characterized in that the apparatus includes: an initial IP address acquisition unit, an Address Resolution Protocol request analysis unit and an execution unit; wherein the initial IP address acquisition unit is configured to obtain an initial IP address assigned by a DHCP server to an accessed user and to save the initial IP address in correspondence with the MAC address of the accessed user; the Address Resolution Protocol request analysis unit is configured to receive an Address Resolution Protocol request sent by the accessed user and to obtain, according to the Address Resolution Protocol request, the current IP address and MAC address of the accessed user; and
the execution unit is configured to determine whether the correspondence between the current IP address and MAC address of the accessed user obtained by the Address Resolution Protocol request analysis unit is the same as the correspondence between the initial IP address and MAC address saved by the initial IP address acquisition unit, and, when they are determined to be different, to force the accessed user offline.
6. The apparatus according to claim 5, characterized in that the initial IP address acquisition unit further includes: a Dynamic Host Configuration Protocol snooping sub-unit and a storage sub-unit; wherein the Dynamic Host Configuration Protocol snooping sub-unit is configured to intercept the initial IP address assigned by the Dynamic Host Configuration Protocol server to the accessed user; and
the storage sub-unit is configured to save, in correspondence with each other, the initial IP address and the MAC address of the accessed user obtained by the initial IP address acquisition unit.
7. The apparatus according to claim 6, characterized in that the execution unit further includes: an IP address lookup sub-unit, a comparison sub-unit and a control sub-unit; wherein
the IP address lookup sub-unit is configured to find the initial IP address of the accessed user according to the correspondence between the initial IP address and MAC address of the accessed user saved by the initial IP address acquisition unit;
the comparison sub-unit is configured to compare whether the initial IP address found by the IP address lookup sub-unit is the same as the current IP address obtained by the Address Resolution Protocol request analysis unit; and
the control sub-unit is configured to force the accessed user offline when the comparison result of the comparison sub-unit is that the two addresses differ.
8. The apparatus according to claim 5, 6 or 7, characterized in that the apparatus further includes: an authentication unit configured to complete the access of the user.
9. The apparatus according to claim 5, 6 or 7, characterized in that the apparatus further includes: an accounting request unit configured to, after the initial IP address acquisition unit has obtained the initial IP address assigned by the Dynamic Host Configuration Protocol server to the accessed user, initiate an accounting request to an accounting server, carrying the initial IP address of the accessed user, so as to implement IP-address-based accounting.
10. A system for preventing a user from privately modifying an IP address, characterized in that the system includes: an authentication server, a Dynamic Host Configuration Protocol server and an apparatus for preventing a user from privately modifying an IP address; wherein
the authentication server is configured to complete the access of a user;
the Dynamic Host Configuration Protocol server is configured to assign an initial IP address to the accessed user; and
the apparatus for preventing a user from privately modifying an IP address is configured to obtain the initial IP address assigned by the Dynamic Host Configuration Protocol server to the accessed user and save the initial IP address in correspondence with the MAC address of the accessed user; to receive an Address Resolution Protocol request sent by the accessed user and obtain, according to the Address Resolution Protocol request, the current IP address and MAC address of the accessed user; and to determine whether the correspondence between the current IP address and MAC address of the accessed user is the same as the saved correspondence between the initial IP address and MAC address, and, when they are determined to be different, to force the accessed user offline.
11、 根据权利要求 10所述的系统, 其特征在于, 该系统进一步包括: 计费服务器, 用于基于所述认证服务器发送的已接入用户的初始 IP地 址, 进行计费。  The system according to claim 10, wherein the system further comprises: an accounting server, configured to perform charging based on an initial IP address of the accessed user sent by the authentication server.
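The binding-and-check mechanism of claims 5 to 10, written out as an added Python illustration (this is not code from the patent or its assignee): a DHCP-assigned address is recorded as a MAC-to-initial-IP binding, an ARP request from the client is parsed for its sender MAC and sender IP, and a mismatch against the binding triggers the forced-offline action. All class and function names are hypothetical, the frames are constructed inline, and the handling of a MAC with no recorded lease is an assumption the claims do not specify.

```python
import struct

ETH_P_ARP = 0x0806     # EtherType for ARP
ARP_REQUEST = 1        # ARP opcode: request

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Constructed sample frame: 14-byte Ethernet header + 28-byte IPv4-over-Ethernet ARP request."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    eth = b"\xff" * 6 + smac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST) + smac + spa + b"\x00" * 6 + tpa
    return eth + arp

class IpSpoofGuard:
    """Hypothetical binding table plus ARP check mirroring the claimed units (not the patent's code)."""

    def __init__(self):
        self.bindings = {}    # MAC -> initial IP assigned by the DHCP server
        self.offline = set()  # MACs that have been forced offline

    def record_dhcp_lease(self, mac: str, ip: str) -> None:
        # DHCP listening + storage subunits: save the assigned IP against the client's MAC
        self.bindings[mac] = ip

    def handle_frame(self, frame: bytes) -> str:
        # ARP request analysis unit: only well-formed IPv4/Ethernet ARP requests are inspected
        if (len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP
                or struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REQUEST)):
            return "ignored"
        current_mac, current_ip = mac_str(frame[22:28]), ip_str(frame[28:32])
        # IP address lookup subunit: the sender MAC keys the saved binding
        initial_ip = self.bindings.get(current_mac)
        if initial_ip is None:
            return "unbound"  # assumption: no lease recorded for this MAC; the claims do not cover it
        # comparison + control subunits: a changed IP for a known MAC forces the user offline
        if current_ip != initial_ip:
            self.offline.add(current_mac)
            return "force_offline"
        return "allowed"
```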
PCT/CN2011/073865 2010-07-06 2011-05-10 Method, apparatus and system for preventing user from modifying ip address privately WO2012003742A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010220088.X 2010-07-06
CN201010220088.XA CN101895587B (en) 2010-07-06 2010-07-06 Prevent the methods, devices and systems of users from modifying IP addresses privately

Publications (1)

Publication Number Publication Date
WO2012003742A1 true WO2012003742A1 (en) 2012-01-12

Family

ID=43104652

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/073865 WO2012003742A1 (en) 2010-07-06 2011-05-10 Method, apparatus and system for preventing user from modifying ip address privately

Country Status (2)

Country Link
CN (1) CN101895587B (en)
WO (1) WO2012003742A1 (en)


Also Published As

Publication number Publication date
CN101895587B (en) 2015-09-16
CN101895587A (en) 2010-11-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 11803096; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 11803096; Country of ref document: EP; Kind code of ref document: A1)