WO2013020501A1 - Method and device for verifying address resolution protocol (ARP) request message - Google Patents

Info

Publication number: WO2013020501A1
Authority: WO, WIPO (PCT)
Prior art keywords: arp, verification, packet, address, gateway
Application number: PCT/CN2012/079794
Other languages: French (fr), Chinese (zh)
Inventor: 李振海
Original Assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L61/58 Caching of addresses or names

Definitions

  • The embodiments of the present invention relate to communication technologies, and in particular to a method and apparatus for verifying Address Resolution Protocol (ARP) request packets.
  • ARP: Address Resolution Protocol
  • ARP is widely used in Internet Protocol (IP) networks.
  • IP: Internet Protocol
  • A host in a local area network (LAN) needs to send an ARP request packet to the gateway to obtain the Media Access Control (MAC) address of the gateway device, so that the network devices can communicate. If the gateway fails to respond to the ARP request packet correctly and in time, the LAN host cannot communicate with the external network.
  • An ARP attack on the gateway may affect the gateway's responses to ARP request packets.
  • The industry has proposed corresponding solutions. For example, after the gateway receives an ARP request packet, its data plane responds to the packet by itself and does not send it to the control plane of the gateway.
  • The data plane of the gateway has a strong capacity for processing ARP request packets, so it can cope better with ARP attacks.
  • However, the data plane of the gateway cannot effectively process all types of ARP request packets.
  • Some ARP request packets carry two layers of Virtual Local Area Network (VLAN) tags (hereinafter referred to as a Q pair; see IEEE 802.1ad for details).
  • Q pair: two layers of VLAN tags
  • After receiving an ARP request packet containing a Q pair, the gateway needs to generate an index according to the Q pair included in the ARP request packet.
  • The index range of a Q pair is very large (about 2^24 values), and it is costly to establish a user session table containing 2^24 entries in the data plane.
  • The user session table of the data plane has fewer entries, generally tens of K, so the index value ranges from 0 to tens of K.
  • The control plane of the gateway uses the ARP request packet of the user host to trigger dynamic learning of the Q pair and allocation of a user session table index, establishing a mapping between the large value range of Q pairs and the small value range of the user session table; it then delivers the mapping to the data plane of the gateway, which creates the user session entry. If the ARP request packet is not sent to the control plane for processing, the user session table entry cannot be established, and the user host cannot communicate with the external network.
  • Therefore, responding to ARP request packets only on the data plane may leave some network devices unable to access the external network.
  • The embodiment of the invention provides a method for verifying ARP request packets, which can solve the problem that responding to ARP request packets only on the data plane may cause some network devices to fail to access the external network.
  • An ARP request packet verification method includes the following steps:
  • The gateway receives an ARP request packet.
  • If the gateway does not find an entry matching the ARP request packet in the ARP cache table, the gateway sends an ARP verification packet.
  • The destination Internet Protocol (IP) address of the ARP verification packet is the source IP address of the ARP request packet.
  • The source IP address and the source Media Access Control (MAC) address of the ARP verification packet are respectively a verification IP address and a verification MAC address; the verification IP address and the IP address of the gateway are addresses in the same network segment, and the verification IP address is different from the IP address of the gateway.
  • The gateway receives a first packet and determines whether the first packet is a response packet corresponding to the ARP verification packet.
  • If the first packet is a response packet corresponding to the ARP verification packet, the first packet is sent to the control plane of the gateway.
  • An ARP request packet verification apparatus provided by the embodiment of the present invention includes: a receiver, configured to receive an ARP request packet;
  • a sender, configured to send an ARP verification packet if the gateway does not find an entry matching the ARP request packet in the ARP cache table, where the destination IP address of the ARP verification packet is the source IP address of the ARP request packet, the source IP address and the source MAC address of the ARP verification packet are respectively a verification IP address and a verification MAC address, the verification IP address is an address in the same network segment as the IP address of the gateway, and the verification IP address is different from the IP address of the gateway;
  • a determining unit, configured to receive a first packet and determine whether the first packet is a response packet corresponding to the ARP verification packet; and
  • a sending unit, configured to send the first packet to the control plane of the gateway if the first packet is a response packet corresponding to the ARP verification packet.
  • The ARP request packet verification method and apparatus provided by the embodiment of the present invention can solve the problem that responding to ARP request packets only on the data plane may cause some network devices to fail to access the external network.
  • FIG. 1 is a structural diagram of a network in which the ARP request packet verification method and apparatus are applied in a certain scenario;
  • FIG. 2 is a flowchart of an ARP request packet verification method according to an embodiment of the present invention;
  • FIG. 3 is a schematic diagram of an ARP request packet verification apparatus according to an embodiment of the present invention.
  • FIG. 1 is a structural diagram of the networking of an application scenario according to an embodiment of the present invention.
  • The network diagram of FIG. 1 consists of seven personal computers (PCs), a switch, a router, and the Internet.
  • The seven personal computers are PC1, PC2, PC3, PC4, PC5, PC6 and PC7.
  • PC1 to PC7 form the office local area network; the one switch is switch (SW) 1;
  • the one router is router (R) 1. R1 is the gateway of the local area network, PC1 to PC7 are each connected to R1 through SW1, and R1 is connected to the Internet. Since the seven PCs are in the LAN, they need to pass through the gateway R1 when accessing the Internet. A host on the LAN may initiate an ARP attack against R1.
  • R1 responds to the ARP request packets sent by the LAN hosts only on the data plane. Because the ARP request packet sent by PC1 contains two VLAN tags, R1 responding only on the data plane may result in PC1 being unable to access the Internet.
  • Embodiment 1:
  • FIG. 2 is a flowchart of an ARP request packet verification method according to an embodiment of the present invention. The method includes:
  • The gateway receives an ARP request packet.
  • The foregoing ARP request packet may be sent by a host in a local area network.
  • The host can be connected to the gateway through a twisted-pair cable or through optical fiber.
  • The host can be directly connected to the gateway or connected to the gateway through a network device.
  • For example, PC1 sends an ARP request packet to R1.
  • If the gateway does not find an entry matching the ARP request packet in the ARP cache table, the gateway sends an ARP verification packet.
  • The destination IP address of the ARP verification packet is the source IP address of the ARP request packet.
  • The source IP address and the source MAC address of the ARP verification packet are a verification IP address and a verification MAC address, respectively.
  • The verification IP address is in the same network segment as the IP address of the gateway.
  • The verification IP address is different from the IP address of the gateway.
  • The ARP cache table is located on the data plane of the gateway and is used to verify ARP request packets.
  • The ARP cache table may include multiple entries, each of which includes an IP address and the MAC address corresponding to that IP address.
  • If the gateway does not find an entry in the ARP cache table that matches the source IP address and the source MAC address of the ARP request packet, the gateway sends an ARP verification packet.
  • The verification IP address of the ARP verification packet and the IP address of the gateway are in the same network segment. This ensures that the response packet the host sends to the ARP verification packet can reach the gateway.
  • The destination IP address of the ARP verification packet is the source IP address of the ARP request packet. This ensures that the host in the local area network that really sent the ARP request packet receives the ARP verification packet sent by the gateway.
  • For example, R1 receives the ARP request packet from PC1. Because the ARP request packet contains a Q pair, the data plane of R1 cannot respond to the ARP request packet sent by PC1 and create a user session table entry for the corresponding index on its own, so the access of PC1 has to be handled by the control plane of R1. R1 therefore sends an ARP verification packet to PC1.
  • The destination IP address of the ARP verification packet is the IP address of PC1.
  • The source IP address and source MAC address of the ARP verification packet are a verification IP address and a verification MAC address randomly generated by the control plane of R1.
  • The verification IP address and the IP address of R1 are in the same network segment, and the verification IP address is different from the IP address of R1.
  • The gateway receives a first packet and determines whether the first packet is a response packet corresponding to the ARP verification packet.
  • The gateway can receive the first packet and determine whether the first packet is a response packet corresponding to the ARP verification packet as follows.
  • The data plane of the gateway is provided with an ARP verification response table, which may include multiple entries, each of which includes a verification IP address and a verification MAC address. If the destination IP address and destination MAC address of the first packet match an entry in the ARP verification response table, the first packet is a response packet corresponding to the ARP verification packet.
  • For example, the data plane of R1 is provided with an ARP verification response table that includes a plurality of entries, each of which includes a verification IP address and a verification MAC address.
  • After R1 receives the first packet sent by PC1, if the destination IP address and the destination MAC address of the first packet match an entry in the ARP verification response table, the first packet is determined to be a response packet corresponding to the ARP verification packet.
  • If the first packet is a response packet corresponding to the ARP verification packet, the first packet is sent to the control plane of the gateway.
  • For example, R1 determines that the first packet is a response packet corresponding to the ARP verification packet, and R1 sends the first packet to the control plane of R1 for processing.
  • The ARP request packet verification method proposed by the embodiment of the present invention can solve the problem that responding to ARP request packets only on the data plane may cause some network devices to fail to access the external network.
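The data-plane flow of Embodiment 1, as an added Python model written for this page; it is not code from the patent or from Huawei's implementation. The `ArpPacket` and `Gateway` names, the table layouts (plain lists and dicts standing in for the cache, request and response tables), the `host_answer` stand-in for a real LAN host, and all IP/MAC addresses are constructed for the example. The match applied to the first packet is the one described above: destination IP and destination MAC are checked together against one entry of the ARP verification response table. Only a packet that passes that check reaches the control plane; a cache miss never does so directly.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpPacket:
    """Minimal ARP packet model: only the fields the verification logic looks at."""
    op: str          # "request" or "reply"
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_mac: str
    vlan_tags: tuple = ()  # two tags = a "Q pair" (IEEE 802.1ad double tagging)


@dataclass
class Gateway:
    ip: str
    mac: str
    # Data-plane ARP cache: ip -> mac. A hit here is answered on the data plane.
    arp_cache: dict = field(default_factory=dict)
    # Data-plane ARP verification request table: the (verify_ip, verify_mac)
    # identity the control plane pushed for outgoing verification packets.
    verify_request_table: list = field(default_factory=list)
    # Data-plane ARP verification response table: identities a genuine reply
    # to a verification packet must be addressed to.
    verify_response_table: list = field(default_factory=list)
    # Packets handed to the control plane (the only path by which a host is learned).
    control_plane_queue: list = field(default_factory=list)
    sent: list = field(default_factory=list)  # everything the data plane sent out

    def on_arp_request(self, pkt: ArpPacket) -> ArpPacket:
        """Data-plane handling of an ARP request addressed to the gateway's IP."""
        if self.arp_cache.get(pkt.src_ip) == pkt.src_mac:
            # Known host: answer directly on the data plane.
            out = ArpPacket("reply", self.ip, self.mac, pkt.src_ip, pkt.src_mac, pkt.vlan_tags)
        else:
            # Cache miss: instead of punting the request to the control plane, send an
            # ARP verification packet from the verification identity (same subnet as the
            # gateway, different IP) to the requester's IP. Only a host that really
            # exists at that IP will answer it.
            verify_ip, verify_mac = self.verify_request_table[0]
            out = ArpPacket("request", verify_ip, verify_mac, pkt.src_ip, BROADCAST, pkt.vlan_tags)
        self.sent.append(out)
        return out

    def on_first_packet(self, pkt: ArpPacket) -> bool:
        """True if pkt is addressed to a verification identity and was forwarded to
        the control plane; anything else stays on the data plane."""
        if (pkt.dst_ip, pkt.dst_mac) in self.verify_response_table:
            self.control_plane_queue.append(pkt)
            return True
        return False

    def control_plane_learn(self) -> dict:
        """Control plane: learn the verified host and push the entry (the 'fourth
        entry' above) into the data-plane ARP cache."""
        while self.control_plane_queue:
            pkt = self.control_plane_queue.pop(0)
            self.arp_cache[pkt.src_ip] = pkt.src_mac
        return dict(self.arp_cache)


def host_answer(host_ip: str, host_mac: str, pkt: ArpPacket):
    """A real host replies to an ARP request for its own IP and ignores others."""
    if pkt.op == "request" and pkt.dst_ip == host_ip:
        return ArpPacket("reply", host_ip, host_mac, pkt.src_ip, pkt.src_mac, pkt.vlan_tags)
    return None


def demo():
    """Walk PC1 (double-tagged, unknown to the data plane) through the flow."""
    gw = Gateway(ip="192.0.2.1", mac="00:00:5e:00:53:01")         # constructed
    verify_identity = ("192.0.2.250", "02:00:5e:00:53:aa")         # same /24, not gw's IP
    gw.verify_request_table.append(verify_identity)
    gw.verify_response_table.append(verify_identity)

    pc1 = ("192.0.2.10", "02:00:5e:00:53:10")                      # constructed
    req = ArpPacket("request", pc1[0], pc1[1], gw.ip, BROADCAST, vlan_tags=(100, 200))

    out = gw.on_arp_request(req)             # cache miss -> ARP verification packet
    first = host_answer(pc1[0], pc1[1], out)  # PC1 really exists, so it answers
    forwarded = gw.on_first_packet(first)     # addressed to the verification identity
    gw.control_plane_learn()

    # A forged "response" addressed to the gateway itself matches no entry.
    forged = ArpPacket("reply", "192.0.2.66", "02:00:5e:00:53:66", gw.ip, gw.mac)
    forged_forwarded = gw.on_first_packet(forged)

    again = gw.on_arp_request(req)           # now a cache hit: answered on the data plane
    return out, forwarded, forged_forwarded, again


if __name__ == "__main__":
    out, forwarded, forged_forwarded, again = demo()
    print(out.op, out.src_ip, forwarded, forged_forwarded, again.op)
```

The point of the model is the gating: the control plane only ever sees packets whose destination matches a verification identity the gateway itself generated, so a flood of ARP requests from non-existent source IPs costs the data plane one verification packet each and costs the control plane nothing.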
  • The verification MAC address in the ARP verification packet is different from the verification MAC address in the previous ARP verification packet sent by the gateway.
  • The gateway sending the ARP verification packet specifically includes:
  • the gateway obtains the verification IP address and the verification MAC address of the ARP verification packet from the ARP verification request table.
  • The ARP verification request table includes at least one entry.
  • A third entry is the same as a first entry.
  • The third entry is one entry of the ARP verification request table.
  • The first entry is one entry of the ARP verification response table.
  • The ARP verification response table includes at least two entries, each of which contains a verification IP address and a verification MAC address.
  • The verification MAC addresses in the at least two entries are different from each other.
  • The ARP verification request table is a subset of the ARP verification response table.
  • Determining whether the first packet is a response packet corresponding to the ARP verification packet includes: determining, by means of the ARP verification response table, whether the first packet is a response packet corresponding to the ARP verification packet. When the destination IP address of the first packet is equal to the verification IP address of the first entry, or when the destination MAC address of the first packet is equal to the verification MAC address of the first entry, the first packet is determined to be the response packet corresponding to the ARP verification packet.
  • The ARP verification request table exists in the data plane of the gateway, and the ARP verification request table includes at least one entry.
  • The third entry is the same as the first entry.
  • The third entry is one entry in the ARP verification request table, and the first entry is one entry in the ARP verification response table.
  • The technical effect of obtaining the contents of the ARP verification packet from the ARP verification request table is:
  • after the gateway receives the response packet corresponding to the ARP verification packet, the gateway can find a matching entry in the ARP verification response table.
  • The third entry may be one entry in the ARP verification response table (that is, the first entry), or may be an entry that is independent of the first entry of the ARP verification response table.
  • The ARP verification request table is a subset of the ARP verification response table.
  • The ARP verification packet sent by the gateway contains the verification IP address and the verification MAC address provided by the ARP verification request table.
  • The host sends a response packet corresponding to the ARP verification packet to the gateway.
  • The response packet corresponding to the ARP verification packet must also contain the verification IP address and the verification MAC address provided by the ARP verification request table. After the response packet arrives at the gateway, it matches an entry in the ARP verification response table of the data plane of the gateway.
  • By checking whether a packet matches an entry in the ARP verification response table of its data plane, the gateway can determine whether the packet is a response packet corresponding to the ARP verification packet.
  • The ARP verification response table exists in the data plane of the gateway.
  • The ARP verification response table includes at least two entries, and the verification MAC addresses in the at least two entries are different from each other.
  • The achievable technical effect is: with at least two entries, one entry can be used to determine whether the first packet is a response packet to the ARP verification packet while another entry of the ARP verification response table is being updated to a new entry.
  • The ARP verification response table is used to determine whether the first packet is a response packet corresponding to the ARP verification packet: when the destination IP address of the first packet is equal to the verification IP address of the first entry, or when the destination MAC address of the first packet is equal to the verification MAC address of the first entry, the first packet is determined to be a response packet corresponding to the ARP verification packet.
  • For example, R1 has an ARP verification request table on the data plane, and R1 obtains the verification IP address and the verification MAC address of the ARP verification packet from the ARP verification request table; R1 uses the first entry of the ARP verification response table as the ARP verification request table.
  • R1 has an ARP verification response table on the data plane.
  • The ARP verification response table includes two entries, that is, the first entry and a second entry. The verification MAC address of the first entry and the verification MAC address of the second entry are not the same.
  • After R1 receives the first packet sent by PC1, R1 searches the ARP verification response table for an entry that matches the first packet. If the destination IP address of the first packet is equal to the verification IP address of the first entry of the ARP verification response table, or the destination MAC address of the first packet is equal to the verification MAC address of the first entry, the first packet is the response packet corresponding to the ARP verification packet.
  • The method further includes: after the gateway sends the previous ARP verification packet, the verification MAC address of the third entry is updated to a first verification MAC address.
  • Before the gateway receives the response packet corresponding to the ARP verification packet, the method further includes: updating the verification MAC address of the first entry to the first verification MAC address.
  • The second entry in the ARP verification response table is used to determine whether a packet received by the gateway is a response packet corresponding to the previous ARP verification packet.
  • The first entry and the second entry are different entries in the ARP verification response table.
  • After the gateway receives the previous ARP request packet, because no entry in the ARP cache table of the data plane matches the previous ARP request packet, the gateway sends the previous ARP verification packet in response to the previous ARP request packet.
  • The previous ARP verification packet is used to determine whether the host that sent the previous ARP request packet exists.
  • After the gateway sends the previous ARP verification packet and before it sends the ARP verification packet, the gateway updates the verification MAC address of the third entry to the first verification MAC address.
  • The technical effect of this solution is that the verification MAC address of the ARP verification packet is different from the verification MAC address of the previous ARP verification packet.
  • Before the gateway receives the response packet corresponding to the ARP verification packet, the gateway updates the verification MAC address of the first entry to the first verification MAC address; the second entry in the ARP verification response table is used to determine whether a packet received by the gateway is a response packet corresponding to the previous ARP verification packet, and the first entry and the second entry are different entries in the ARP verification response table.
  • The technical effects of this solution include: ensuring that the gateway accurately distinguishes the response packet corresponding to the ARP verification packet from the response packet corresponding to the previous ARP verification packet.
  • The entry used to identify the response packet corresponding to the ARP verification packet and the entry used to identify the response packet corresponding to the previous ARP verification packet are different entries, which ensures that the ARP verification response table can be updated while remaining usable.
  • After the ARP verification request table is updated, the gateway can still identify the response packet corresponding to the ARP verification packet that was sent using the updated ARP verification request table.
  • Because the verification MAC address of the entry corresponding to the ARP verification packet is different from that of the entry corresponding to the previous ARP verification packet, a response packet that a LAN host forges with a spoofed verification MAC address and spoofed verification IP address cannot find a matching entry in the ARP verification response table. That is, the spoofed response packet is not sent to the control plane of the gateway.
  • R1 implements the technical solution corresponding to the network structure diagram shown in FIG. 1 through a computer program.
  • The ARP verification response table is stored in the Ternary Content Addressable Memory (TCAM) of R1, and the ARP verification response table includes two entries.
  • The control plane of R1 generates a verification IP address; the verification IP address and the IP address of R1 are IP addresses in the same network segment, and the verification IP address is different from the IP address of R1.
  • R1 delivers the verification IP address to the ARP verification request table and the ARP verification response table.
  • The control plane of R1 sets a timer for updating the ARP verification request table and the ARP verification response table. The period of the timer can be 2 seconds to 5 seconds.
  • The ARP verification request table is stored in the memory of R1.
  • The ARP verification request table includes one entry.
  • The initialization process of the ARP verification response table is as follows:
  • the control plane of R1 randomly generates a verification MAC address and delivers the verification MAC address to one entry of the ARP verification response table in the TCAM of the data plane of R1; the control plane of R1 sets the other entry of the ARP verification response table in the TCAM of the data plane of R1 to 0.
  • The initialization process of the ARP verification request table is as follows:
  • R1 starts the timer;
  • the control plane of R1 delivers the verification MAC address generated in the initialization process of the ARP verification response table to the ARP verification request table in the memory of the data plane of R1.
  • When the timer of the control plane of R1 expires, R1 is triggered to update the ARP verification request table and the ARP verification response table.
  • The update process of the ARP verification response table is as follows:
  • the control plane of R1 randomly generates a verification MAC address;
  • this verification MAC address is not equal to the verification MAC address generated by the control plane of R1 in the initialization process of the ARP verification response table;
  • the control plane of R1 delivers the verification MAC address to the other entry of the ARP verification response table, updating the verification MAC address of that entry.
  • The update process of the ARP verification request table is as follows:
  • the control plane of R1 delivers the verification MAC address generated in the update process of the ARP verification response table to the ARP verification request table located in the memory, updating the verification MAC address of the ARP verification request table.
  • Sending the first packet to the control plane of the gateway specifically includes:
  • the control plane of the gateway queries the ARP cache table of the control plane according to the source IP address and the source MAC address of the first packet to check whether a corresponding entry exists in the ARP cache table of the control plane;
  • the control plane of the gateway generates a fourth entry that includes the source IP address and the source MAC address of the first packet, and the control plane of the gateway delivers the fourth entry to the ARP cache table of the data plane of the gateway.
  • The verification MAC address is randomly generated by the control plane of the gateway and delivered by the control plane of the gateway to the data plane of the gateway.
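The initialization and timer-driven update of the one-entry ARP verification request table and the two-entry ARP verification response table, as an added Python model written for this page; it is not the patent's or Huawei's code. The `VerificationTables` class, the seeded `random.Random` (used only so the run is repeatable; a real control plane would use its own random source), the treatment of the zeroed slot as a placeholder that never matches, the "02:" locally administered MAC prefix, and the addresses are assumptions of the example. The model shows the window the two slots create: a reply to an identity issued in the current or the previous timer period is accepted, while an identity two periods old, or any replay of it, no longer matches anything.

```python
import random

ZERO_MAC = "00:00:00:00:00:00"


class VerificationTables:
    """Control-plane driven rotation of the one-entry ARP verification request
    table and the two-entry ARP verification response table (hypothetical model)."""

    def __init__(self, verify_ip: str, seed: int = 0):
        self._rng = random.Random(seed)  # seeded only so the example is repeatable
        self.verify_ip = verify_ip
        self._issued = set()  # every MAC ever generated, so an update never repeats one
        # Initialization: one response slot gets a fresh MAC, the other is set to 0.
        first_mac = self._fresh_mac()
        self.response_table = [(verify_ip, first_mac), (verify_ip, ZERO_MAC)]
        # The request table holds the newest response-table entry (a subset of it).
        self.request_table = [(verify_ip, first_mac)]
        self._next_slot = 1   # response slot overwritten at the next timer expiry
        self.rotations = 0

    def _fresh_mac(self) -> str:
        """Locally administered unicast MAC that differs from every earlier one."""
        while True:
            mac = "02:" + ":".join(f"{self._rng.randrange(256):02x}" for _ in range(5))
            if mac not in self._issued:
                self._issued.add(mac)
                return mac

    def timer_expired(self) -> str:
        """Update step: write a new MAC into the other response slot, then make it
        the request-table entry used for the next ARP verification packet."""
        mac = self._fresh_mac()
        self.response_table[self._next_slot] = (self.verify_ip, mac)
        self._next_slot ^= 1
        self.request_table[0] = (self.verify_ip, mac)
        self.rotations += 1
        return mac

    def current_identity(self) -> tuple:
        """(verify_ip, verify_mac) carried by the next ARP verification packet."""
        return self.request_table[0]

    def accepts(self, dst_ip: str, dst_mac: str) -> bool:
        """Data-plane check on an incoming packet's destination: does it match a
        live response-table entry? The zeroed slot is a placeholder, never a match."""
        return any(mac != ZERO_MAC and (dst_ip, dst_mac) == (ip, mac)
                   for ip, mac in self.response_table)


def acceptance_after_rotations(seed: int = 0, rotations: int = 3) -> list:
    """Track whether a reply addressed to the identity issued at rotation 0 is
    still accepted after each later timer expiry. Returns one bool per step."""
    tables = VerificationTables("192.0.2.250", seed)  # constructed address
    ip, mac = tables.current_identity()
    trace = [tables.accepts(ip, mac)]
    for _ in range(rotations):
        tables.timer_expired()
        trace.append(tables.accepts(ip, mac))
    return trace


def identities_unique(seed: int = 0, rotations: int = 50) -> bool:
    """Every verification MAC handed out over many rotations is distinct, so an
    identity captured from an old verification packet never becomes valid again."""
    tables = VerificationTables("192.0.2.250", seed)
    seen = {tables.current_identity()[1]}
    for _ in range(rotations):
        seen.add(tables.timer_expired())
    return len(seen) == rotations + 1


if __name__ == "__main__":
    # A genuine reply within one timer period is accepted; an identity two periods
    # old (or a replay of it) is rejected.
    print(acceptance_after_rotations())   # [True, True, False, False]
    print(identities_unique())            # True
```

The timer period (2 to 5 seconds above) therefore bounds how long a verification identity stays valid: a host must answer within roughly one period, and a captured identity is useless after two.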
  • Embodiment 2: the embodiment of the invention provides an ARP request packet verification apparatus, which can be used in the networking structure shown in FIG. 1.
  • The ARP request packet verification apparatus may be R1 in FIG. 1.
  • FIG. 3 is a schematic diagram of an ARP request packet verification apparatus according to an embodiment of the present invention.
  • The apparatus includes: a receiver 301, configured to receive an ARP request packet.
  • The foregoing ARP request packet may be sent by a host in a local area network.
  • The host can be connected to the gateway through a twisted-pair cable or through optical fiber.
  • The host can be directly connected to the gateway or connected to the gateway through a network device.
  • For example, PC1 sends an ARP request packet to R1.
  • A sender 302, configured to send an ARP verification packet if the gateway does not find an entry matching the ARP request packet in the ARP cache table, where the destination IP address of the ARP verification packet is the source IP address of the ARP request packet.
  • The source IP address and the source MAC address of the ARP verification packet are a verification IP address and a verification MAC address, respectively.
  • The verification IP address is an address in the same network segment as the IP address of the gateway, and the verification IP address is different from the IP address of the gateway.
  • The ARP cache table is located on the data plane of the gateway and is used to verify ARP request packets.
  • The ARP cache table may include multiple entries, each of which includes an IP address and the MAC address corresponding to that IP address. If the gateway does not find an entry in the ARP cache table that matches the source IP address and the source MAC address of the ARP request packet, the gateway sends an ARP verification packet.
  • The verification IP address of the ARP verification packet and the IP address of the gateway are in the same network segment. This ensures that the response packet the host sends to the ARP verification packet can reach the gateway.
  • The destination IP address of the ARP verification packet is the source IP address of the ARP request packet. This ensures that the host in the local area network that really sent the ARP request packet receives the ARP verification packet sent by the gateway.
  • For example, R1 receives the ARP request packet from PC1. Because the ARP request packet contains a Q pair, the data plane of R1 cannot respond to the ARP request packet sent by PC1 and create a user session table entry for the corresponding index on its own, so the access of PC1 has to be handled by the control plane of R1. R1 therefore sends an ARP verification packet to PC1.
  • The destination IP address of the ARP verification packet is the IP address of PC1.
  • The source IP address and source MAC address of the ARP verification packet are a verification IP address and a verification MAC address randomly generated by the control plane of R1.
  • The verification IP address and the IP address of R1 are in the same network segment, and the verification IP address is different from the IP address of R1.
  • The verification MAC address is different from the verification MAC address in the previous ARP verification packet sent by R1.
  • A determining unit 303, configured to receive a first packet and determine whether the first packet is a response packet corresponding to the ARP verification packet.
  • The gateway can receive the first packet and determine whether the first packet is a response packet corresponding to the ARP verification packet as follows.
  • The data plane of the gateway is provided with an ARP verification response table, which may include multiple entries, each of which includes a verification IP address and a verification MAC address. If the destination IP address and destination MAC address of the first packet match an entry in the ARP verification response table, the first packet is a response packet corresponding to the ARP verification packet.
  • For example, the data plane of R1 is provided with an ARP verification response table that includes a plurality of entries, each of which includes a verification IP address and a verification MAC address.
  • R1 receives the first packet sent by PC1; if the destination IP address and the destination MAC address of the first packet match an entry in the ARP verification response table, the first packet is determined to be the response packet corresponding to the ARP verification packet.
  • A sending unit 304, configured to send the first packet to the control plane of the gateway if the first packet is a response packet corresponding to the ARP verification packet.
  • For example, R1 determines that the first packet is a response packet corresponding to the ARP verification packet, and R1 sends the first packet to the control plane of R1 for access processing.
  • The ARP request packet verification apparatus provided by the embodiment of the present invention can solve the problem that responding to ARP request packets only on the data plane may cause some network devices to fail to access the external network.
  • the verified MAC address in the ARP authentication packet is different from the previous ARP sent by the gateway.
  • the transmitter specifically includes:
  • the gateway obtains the verification IP address and the verification MAC address of the ARP verification packet from an ARP verification request table.
  • the ARP verification request table includes at least one entry.
  • a third entry is the same as a first entry.
  • the third entry is an entry of the ARP verification request table.
  • the first entry is an entry of the ARP verification response table.
  • the ARP verification response table includes at least two entries, each including a verification IP address and a verification MAC address.
  • the verification MAC addresses in the at least two entries are different from one another.
  • the ARP verification request table is a subset of the ARP verification response table.
  • the determining unit specifically includes:
  • an analyzing unit configured to determine, through the ARP verification response table, whether the first packet is the response packet corresponding to the ARP verification packet: when the destination IP address of the first packet equals the verification IP address of the first entry, or when the destination MAC address of the first packet equals the verification MAC address of the first entry, the first packet is determined to be the response packet corresponding to the ARP verification packet.
  • the ARP verification request table exists in the data plane of the gateway and includes at least one entry.
  • the third entry is the same as the first entry, and the third entry is an entry of the ARP verification request table.
  • the first entry is an entry of the ARP verification response table.
  • the technical effects that can be achieved include: the verification IP address and the verification MAC address of the ARP verification packet come from the ARP verification request table, so after the gateway receives the response packet corresponding to the ARP verification packet it can find a matching entry in the ARP verification response table.
  • the third entry may be an entry of the ARP verification response table (that is, the first entry), or may be an entry independent of the first entry of the ARP verification response table.
  • the ARP verification request table is a subset of the ARP verification response table.
  • the ARP verification packet sent by the gateway contains the verification IP address and the verification MAC address provided by the ARP verification request table.
  • after the ARP verification packet reaches the actually existing host that earlier sent the ARP request packet, that host feeds back the response packet corresponding to the ARP verification packet to the gateway.
  • the response packet corresponding to the ARP verification packet necessarily also contains the verification IP address and the verification MAC address provided by the ARP verification request table; after the response packet corresponding to the ARP verification packet arrives at the gateway, it matches an entry in the ARP verification response table of the data plane of the gateway.
  • after receiving a packet, the gateway can judge whether the packet is the response packet corresponding to the ARP verification packet according to whether the packet matches an entry in the ARP verification response table of the data plane of the gateway.
  • the ARP verification response table exists in the data plane of the gateway; it includes at least two entries, and the verification MAC addresses in the at least two entries are different from one another.
  • the technical effects that can be achieved include: with at least two entries, at a given moment one entry of the ARP verification response table (that is, the first entry) is used to determine whether the first packet is the response packet corresponding to the ARP verification packet, while the other entry of the ARP verification response table is available to be updated to a new entry.
  • the ARP verification response table is used to determine whether the first packet is the response packet corresponding to the ARP verification packet; when the destination IP address of the first packet equals the verification IP address of the first entry, or when the destination MAC address of the first packet equals the verification MAC address of the first entry, the first packet is determined to be the response packet corresponding to the ARP verification packet.
  • R1 has an ARP verification request table in the data plane.
  • R1 obtains the verification IP address and the verification MAC address of the ARP verification packet from the ARP verification request table, and R1 uses the first entry of the ARP verification response table as the ARP verification request table.
  • R1 has an ARP verification response table in the data plane.
  • the ARP verification response table includes two entries, namely the first entry and the second entry.
  • the verification MAC address of the first entry and the verification MAC address of the second entry are not the same.
  • after R1 receives the first packet sent by PC1, R1 searches the ARP verification response table for an entry matching the first packet; if the destination IP address of the first packet equals the verification IP address of the first entry of the ARP verification response table, or the destination MAC address of the first packet equals the verification MAC address of the first entry, the first packet is the response packet corresponding to the ARP verification packet.
  • the ARP request packet verification apparatus includes:
  • a first updating unit configured to, after the gateway sends the previous ARP verification packet and before the gateway sends the ARP verification packet, update the verification MAC address of the third entry to a first verification MAC address.
  • the ARP request packet verification apparatus includes:
  • a second updating unit configured to, after the gateway receives the response packet corresponding to the ARP verification packet, update the verification MAC address of the first entry to the first verification MAC address.
  • the second entry of the ARP verification response table is used to determine whether a packet received by the gateway is the response packet corresponding to the previous ARP verification packet.
  • the first entry and the second entry are different entries of the ARP verification response table.
  • after the gateway receives the previous ARP request packet, because no entry in the ARP cache table of the data plane matches the previous ARP request packet, the gateway sends the previous ARP verification packet for the previous ARP request packet; the previous ARP verification packet is used to determine whether the host that sent the previous ARP request packet exists.
  • after the gateway sends the previous ARP verification packet and before it sends the ARP verification packet, the gateway updates the verification MAC address of the third entry to the first verification MAC address.
  • the technical effect of this solution is that the verification MAC address of the ARP verification packet is different from the verification MAC address of the previous ARP verification packet.
  • before the gateway receives the response packet corresponding to the ARP verification packet, the gateway updates the verification MAC address of the first entry to the first verification MAC address; the second entry of the ARP verification response table is used to determine whether a packet received by the gateway is the response packet corresponding to the previous ARP verification packet; and the first entry and the second entry are different entries of the ARP verification response table.
  • the technical effects of this solution include: ensuring that the gateway accurately distinguishes the response packet corresponding to the ARP verification packet from the response packet corresponding to the previous ARP verification packet.
  • the entry used to determine the response packet corresponding to the ARP verification packet and the entry used to determine the response packet corresponding to the previous ARP verification packet are different entries, which ensures that the ARP verification response table can be updated while remaining usable, and that the gateway can determine the response packet corresponding to the ARP verification packet sent according to the updated ARP verification request table.
  • the entry used to determine the response packet corresponding to the ARP verification packet and the entry used to determine the response packet corresponding to the previous ARP verification packet have different verification MAC addresses; this ensures that a response packet forged by a host from the verification MAC address and verification IP address of an ARP verification packet fails to find a matching entry in the ARP verification response table, so the forged response packet is not sent up to the control plane of the gateway.
  • R1 implements the technical solution corresponding to the networking structure diagram shown in Fig. 1 by means of a computer program.
  • the ARP verification response table is stored in the TCAM of R1.
  • the ARP verification response table includes two entries.
  • the control plane of R1 generates a verification IP address; the verification IP address and the IP address of R1 are on the same network segment, and the verification IP address is different from the IP address of R1.
  • R1 delivers the verification IP address to the ARP verification request table and the ARP verification response table.
  • the control plane of R1 sets a timer used to update the ARP verification request table and the ARP verification response table; the period of the timer may be 2 to 5 seconds.
  • the ARP verification request table is stored in the memory of R1.
  • the ARP verification request table includes one entry.
  • the initialization process of the ARP verification response table is as follows:
  • the control plane of R1 randomly generates a verification MAC address and delivers it to one entry of the ARP verification response table in the TCAM of the data plane of R1; the control plane of R1 sets the other entry of the ARP verification response table in the TCAM of the data plane of R1 to 0.
  • the initialization process of the ARP verification request table is as follows:
  • R1 starts the timer.
  • the control plane of R1 delivers the verification MAC address generated during the initialization of the ARP verification response table to the ARP verification request table in the memory of the data plane of R1.
  • when the timer of the control plane of R1 expires, R1 is triggered to update the ARP verification request table and the ARP verification response table.
  • the update process of the ARP verification response table is as follows:
  • the control plane of R1 randomly generates a verification MAC address.
  • this verification MAC address is not equal to the verification MAC address generated by the control plane of R1 during the initialization of the ARP verification response table.
  • the control plane of R1 delivers the verification MAC address to the other entry of the ARP verification response table, updating the verification MAC address of that entry.
  • the update process of the ARP verification request table is as follows:
  • the control plane of R1 delivers the verification MAC address generated during the update of the ARP verification response table to the ARP verification request table located in memory, updating the verification MAC address of the ARP verification request table.
  • the sending unit further includes:
  • a query unit configured so that the control plane of the gateway queries, according to the source IP address and the source MAC address of the first packet, whether a corresponding entry exists in the ARP cache table of the control plane;
  • a generating unit configured so that, if no corresponding entry exists in the ARP cache table of the control plane, the control plane of the gateway generates a fourth entry containing the source IP address and the source MAC address of the first packet;
  • the sending unit delivers the fourth entry to the ARP cache table of the data plane of the gateway.
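The table maintenance described in the initialization and update items above (one live entry, one spare entry, a timer that rotates the verification MAC into the spare entry and repoints the request table) is modelled below as an added example; it is not code from the patent or from its assignee. Table names, the `VerifyEntry` type, the zeroed spare entry, the locally administered bit handling in `random_mac` and the `invariants_hold` check are this example's own assumptions about how the text would be implemented.

```python
# Added example: control-plane model of the ARP verification request table (one
# entry, "memory") and ARP verification response table (two entries, "TCAM") as
# the patent's initialization and update steps describe them.
from __future__ import annotations
import secrets
from dataclasses import dataclass

ZERO_MAC = "00:00:00:00:00:00"   # the patent says the spare entry is set to 0


@dataclass(frozen=True)
class VerifyEntry:
    """One table entry: a verification IP address and a verification MAC address."""
    ip: str
    mac: str


def random_mac(exclude: set[str]) -> str:
    """Random locally administered unicast MAC that is not in `exclude`.

    The patent only says the control plane generates the MAC randomly; forcing the
    locally-administered bit on and the multicast bit off is this example's choice
    so the value can never collide with a vendor-assigned or multicast address.
    """
    while True:
        raw = bytearray(secrets.token_bytes(6))
        raw[0] = (raw[0] | 0x02) & 0xFE
        mac = ":".join(f"{b:02x}" for b in raw)
        if mac not in exclude and mac != ZERO_MAC:
            return mac


class VerificationTables:
    """Control-plane owner of the verification request and response tables."""

    def __init__(self, verify_ip: str):
        # Initialization: one response-table entry receives a random verification
        # MAC, the other is zeroed; the request table copies the live entry.
        self.verify_ip = verify_ip
        live = VerifyEntry(verify_ip, random_mac(set()))
        self.response = [live, VerifyEntry(verify_ip, ZERO_MAC)]
        self.active = 0                 # index of the live ("first") entry
        self.request = [live]           # single entry, the "third" entry

    def on_timer(self) -> VerifyEntry:
        """Timer expiry (2 to 5 s in the patent): generate a fresh verification MAC,
        write it into the *other* response-table entry, then repoint the request
        table at it. Returns the entry that was live before the update; it stays
        in the response table so a late reply to the previous verification packet
        is still recognised while the new one is in use."""
        previous = self.response[self.active]
        fresh = VerifyEntry(self.verify_ip, random_mac({e.mac for e in self.response}))
        other = 1 - self.active
        self.response[other] = fresh
        self.active = other
        self.request = [fresh]
        return previous

    def invariants_hold(self) -> bool:
        """Properties the patent requires: the request table is a subset of the
        response table, and the two response-table MACs differ."""
        request_is_subset = all(e in self.response for e in self.request)
        macs_differ = self.response[0].mac != self.response[1].mac
        return request_is_subset and macs_differ and len(self.request) == 1
```

Two rotations in a row retire the original entry entirely, which is the point of the two-entry design: a reply carrying a verification MAC older than the previous one can no longer match anything in the data plane.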

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the present invention provide a method for verifying an ARP request message. The method comprises the following steps: a gateway receives an ARP request message; if the gateway does not find a matching entry for the ARP request message in an ARP cache table, the gateway sends an ARP verification message whose source Internet Protocol (IP) address and media access control (MAC) address are a verification IP address and a verification MAC address respectively, where the verification IP address and the IP address of the gateway belong to the same network segment and the verification IP address is different from the IP address of the gateway; the gateway receives a first message; if the first message is a response message corresponding to the ARP verification message, the first message is sent up to the control plane of the gateway. In addition, the embodiments of the present invention also provide a corresponding device for verifying an ARP request message. The method and device for ARP request message verification provided by the embodiments of the present invention can resolve the problem of some network equipment being unable to access an external network because ARP request messages are responded to only in the data plane.

Description

Method and device for verifying ARP request message
Technical field
The embodiments of the present invention relate to communication technologies, and in particular to an address resolution protocol (Address Resolution Protocol, ARP) request packet verification method and apparatus.
Background
At present, ARP is widely used in Internet Protocol (IP) networks. For a host on a local area network to communicate with an external network, it needs to send an ARP request packet to the gateway in order to obtain the Media Access Control (MAC) address of the gateway device, thereby enabling communication between the network devices. If the gateway cannot respond to ARP request packets correctly and in time, hosts on the local area network will be unable to communicate with the external network. An ARP attack on the gateway may affect the gateway's ability to respond to ARP request packets.
To cope with ARP attacks, the industry has proposed corresponding solutions. For example, after the data plane of the gateway receives an ARP request packet, it responds to the ARP request packet only in the data plane and does not send it up to the control plane of the gateway. The data plane of the gateway has a relatively strong capacity for processing ARP request packets, so it can cope with ARP attacks better.
However, the data plane of the gateway cannot process all types of ARP request packets effectively. For example, some ARP request packets carry two layers of Virtual Local Area Network (VLAN) tags (referred to below as a Q pair; see IEEE 802.1ad for details). After receiving an ARP request packet containing a Q pair, the gateway needs to generate an index from the Q pair contained in the ARP request packet. The index range of Q pairs is very large (about 2^24), and building a user session table with 2^24 entries in the data plane is costly. In practice, the user session table of the data plane has fewer entries, generally several tens of K, so the index takes values between 0 and several tens of K. To establish a mapping between Q pairs, which have a large value range, and the user session table, which has a small value range, the control plane of the gateway relies on the ARP request packet of the user host to trigger dynamic learning of the Q pair and allocation of a user session table index; it establishes the mapping and delivers it to the data plane of the gateway to set up the user session. If the ARP request packet is not sent to the control plane for processing, the user session table cannot be established, and the user host is consequently unable to communicate with the external network.
Therefore, responding to ARP request packets only in the data plane may leave some network devices unable to access the external network.
Summary of the invention
The embodiments of the present invention provide an ARP request packet verification method, which can solve the problem that responding to ARP request packets only in the data plane may leave some network devices unable to access the external network.
In one aspect, an address resolution protocol (ARP) request packet verification method provided by an embodiment of the present invention includes:
a gateway receives an ARP request packet;
if the gateway does not find an entry matching the ARP request packet in an ARP cache table, the gateway sends an ARP verification packet, where the destination Internet Protocol (IP) address of the ARP verification packet is the source IP address of the ARP request packet, the source IP address and the source media access control (MAC) address of the ARP verification packet are a verification IP address and a verification MAC address respectively, the verification IP address and the IP address of the gateway are addresses on the same network segment, and the verification IP address is different from the IP address of the gateway;
the gateway receives a first packet and determines whether the first packet is a response packet corresponding to the ARP verification packet;
if the first packet is the response packet corresponding to the ARP verification packet, the first packet is sent up to the control plane of the gateway.
In another aspect, an ARP request packet verification apparatus provided by an embodiment of the present invention includes: a receiver, used by the gateway to receive an ARP request packet;
a transmitter, configured so that, if the gateway does not find an entry matching the ARP request packet in an ARP cache table, the gateway sends an ARP verification packet, where the destination Internet Protocol (IP) address of the ARP verification packet is the source IP address of the ARP request packet, the source IP address and the source media access control (MAC) address of the ARP verification packet are a verification IP address and a verification MAC address respectively, the verification IP address and the IP address of the gateway are addresses on the same network segment, and the verification IP address is different from the IP address of the gateway;
a determining unit, used by the gateway to receive a first packet and determine whether the first packet is a response packet corresponding to the ARP verification packet;
a sending unit, configured to send the first packet up to the control plane of the gateway if the first packet is the response packet corresponding to the ARP verification packet.
It can be seen that the ARP request packet verification method and apparatus provided by the embodiments of the present invention can solve the problem that responding to ARP request packets only in the data plane may leave some network devices unable to access the external network.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required in the description of the embodiments or of the prior art are introduced briefly below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art may obtain other drawings from these drawings without creative effort.
Fig. 1 is a networking structure diagram of a scenario to which the ARP request packet verification method and apparatus provided by an embodiment of the present invention are applied;
Fig. 2 is a flowchart of the ARP request packet verification method provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the ARP request packet verification apparatus provided by an embodiment of the present invention.
Detailed description of embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The embodiments of the present invention provide an ARP request packet verification method and apparatus, which can solve the problem that responding to ARP request packets only in the data plane may leave some network devices unable to access the external network. Fig. 1 is a networking structure diagram of an application scenario of an embodiment of the present invention.
The networking structure diagram of Fig. 1 includes seven personal computers, one switch, one router and the Internet. The seven personal computers are Personal Computer (PC) 1, PC2, PC3, PC4, PC5, PC6 and PC7; PC1 to PC7 form a local area network. The switch is Switch (SW) 1. The router is Router (R) 1; R1 is the gateway of the local area network; PC1 to PC7 are each connected to R1 through SW1, and R1 is connected to the Internet. Because the seven PCs are inside the local area network, they must pass through the gateway R1 to access the Internet. Because R1 may be subjected to ARP attacks launched by hosts inside the local area network, R1 responds to ARP request packets sent by local area network hosts only in the data plane. Because the ARP request packet sent by PC1 contains two layers of VLAN tags, R1 responding to the ARP request packet only in the data plane may leave PC1 unable to access the Internet.
Embodiment 1:
An embodiment of the present invention provides an ARP request packet verification method that can be used in the networking structure shown in Fig. 1. Referring to Fig. 2, which is a flowchart of the ARP request packet verification method provided by an embodiment of the present invention, the method includes:
201: The gateway receives an ARP request packet.
In a specific implementation, the ARP request packet may be sent by a host inside the local area network. The host may be connected to the gateway by twisted pair or by optical fibre; it may be connected to the gateway directly or through a network device.
Taking the scenario shown in Fig. 1 as an example, PC1 sends an ARP request packet to R1.
202: If the gateway does not find an entry matching the ARP request packet in the ARP cache table, the gateway sends an ARP verification packet. The destination Internet Protocol (IP) address of the ARP verification packet is the source IP address of the ARP request packet. The source IP address and the source media access control (MAC) address of the ARP verification packet are the verification IP address and the verification MAC address respectively. The verification IP address and the IP address of the gateway are addresses on the same network segment. The verification IP address is different from the IP address of the gateway. The ARP cache table is located in the data plane of the gateway and is used to verify ARP request packets. The ARP cache table may include multiple entries, each including an IP address and the MAC address corresponding to that IP address. If the gateway does not find, in the ARP cache table, an entry matching the source IP address and the source MAC address of the ARP request packet, the gateway sends an ARP verification packet. Because the address of the ARP verification packet and the IP address of the gateway are on the same network segment, the response packet that the host sends to the ARP verification packet is guaranteed to reach the gateway. Because the destination IP address of the ARP verification packet is the source IP address of the ARP request packet, a host that actually exists on the local area network and sent a genuine ARP request packet is guaranteed to receive the ARP verification packet sent by the gateway.
Referring to Fig. 1, R1 receives the ARP request packet sent by PC1. Because the ARP request packet contains a Q pair, the user session table of the data plane of R1 does not have enough space to store an entry that could respond to the Q-pair-carrying ARP request packet sent by PC1 and generate the corresponding index. Therefore, R1 needs to perform access processing for PC1 in the control plane. R1 sends an ARP verification packet to PC1. The destination IP address of the ARP verification packet is the IP address of PC1, and the source IP address and the source MAC address of the ARP verification packet are a verification IP address and a verification MAC address randomly generated by the control plane of R1. The verification IP address is on the same network segment as the IP address of R1, and the verification IP address is different from the IP address of R1.
203: The gateway receives a first packet and determines whether the first packet is the response packet corresponding to the ARP verification packet.
There are several ways in which the gateway can receive the first packet and determine whether it is the response packet corresponding to the ARP verification packet. For example, the data plane of the gateway has an ARP verification response table, which may include multiple entries, each including a verification IP address and a verification MAC address; if the destination IP address and the destination MAC address of the first packet match an entry in the ARP verification response table, the first packet is determined to be the response packet corresponding to the ARP verification packet.
Referring to Fig. 1, the data plane of R1 has an ARP verification response table that includes multiple entries, each including a verification IP address and a verification MAC address. R1 receives the first packet sent by PC1; if the destination IP address and the destination MAC address of the first packet match an entry in the ARP verification response table, the first packet is determined to be the response packet corresponding to the ARP verification packet.
204: If the first packet is the response packet corresponding to the ARP verification packet, the first packet is sent up to the control plane of the gateway.
Referring to Fig. 1, R1 determines that the first packet is the response packet corresponding to the ARP verification packet, and R1 sends the first packet to the control plane of R1 for processing.
It can be seen that the ARP request packet verification method proposed by the embodiment of the present invention can solve the problem that responding to ARP request packets only in the data plane may leave some network devices unable to access the external network.
进一步的,  further,
该 ARP验证报文中的验证 MAC地址不同于该网关发出的前一个 ARP 险证 4艮文中的验证 MAC地址。  The verification MAC address in the ARP verification message is different from the verification MAC address in the previous ARP certificate issued by the gateway.
进一步的,  further,
该网关发出 ARP验证报文具体包括:  The gateway sends ARP authentication packets specifically:
该网关通过 ARP验证请求表获得该 ARP验证报文的验证 IP地址和验 证 MAC地址。 该 ARP验证请求表至少包括 1个表项。 第三表项与第一表 项相同。 该第三表项为该 ARP验证请求表的 1个表项。 该第一表项为 ARP 验证响应表中的 1个表项。 该 ARP验证响应表包括至少 2个表项, 每个表 项包含验证 IP地址以及验证 MAC地址。 该至少 2个表项中的验证 MAC 地址互不相同。 该 ARP验证请求表是该 ARP险证响应表的子集。  The gateway obtains the verification IP address and the verification MAC address of the ARP verification packet through the ARP verification request table. The ARP verification request table includes at least one entry. The third entry is the same as the first entry. The third entry is one entry of the ARP verification request table. The first entry is one entry in the ARP authentication response table. The ARP verification response table includes at least two entries, each of which contains a verification IP address and a verification MAC address. The verification MAC addresses in the at least two entries are different from each other. The ARP verification request form is a subset of the ARP insurance response form.
Further,
Determining whether the first packet is the response packet corresponding to the ARP verification packet specifically includes: determining, by means of the ARP verification response table, whether the first packet is the response packet corresponding to the ARP verification packet. When the destination IP address of the first packet equals the verification IP address of the first entry, or when the destination MAC address of the first packet equals the verification MAC address of the first entry, the first packet is determined to be the response packet corresponding to the ARP verification packet. The ARP verification request table resides in the data plane of the gateway and includes at least one entry. The third entry is identical to the first entry. The third entry is an entry of the ARP verification request table, and the first entry is an entry of the ARP verification response table. The achievable technical effects include that the verification IP address and verification MAC address of the ARP verification packet come from the ARP verification request table, so that after the gateway receives the response packet corresponding to the ARP verification packet it can find a matching entry in the ARP verification response table. The third entry may be an entry of the ARP verification response table (that is, the first entry), or it may be an entry that is independent of the first entry of the ARP verification response table.
The ARP verification request table is a subset of the ARP verification response table. Thus the ARP verification packet sent by the gateway contains the verification IP address and verification MAC address provided by the ARP verification request table. After the ARP verification packet reaches the host that actually exists and previously sent the ARP request packet, the host returns to the gateway a response packet corresponding to the ARP verification packet. That response packet necessarily also contains the verification IP address and verification MAC address provided by the ARP verification request table. When the response packet corresponding to the ARP verification packet reaches the gateway, it matches some entry of the ARP verification response table in the data plane of the gateway. Therefore, after receiving a packet, the gateway can decide whether the packet is the response packet corresponding to the ARP verification packet according to whether the packet matches some entry of the ARP verification response table in its data plane. The ARP verification response table resides in the data plane of the gateway and includes at least two entries, whose verification MAC addresses differ from one another. The achievable technical effects include that having at least two entries ensures that, at any given moment, one entry of the ARP verification response table (the first entry) is used to determine whether the first packet is the response packet corresponding to the ARP verification packet, while another entry of the ARP verification response table is available to be updated to a new entry.
The ARP verification response table is used to determine whether the first packet is the response packet corresponding to the ARP verification packet: when the destination IP address of the first packet equals the verification IP address of the first entry, or when the destination MAC address of the first packet equals the verification MAC address of the first entry, the first packet is determined to be the response packet corresponding to the ARP verification packet.
Referring to Figure 1, R1 has an ARP verification request table in its data plane; R1 obtains the verification IP address and verification MAC address of the ARP verification packet from the ARP verification request table, and R1 uses the first entry of the ARP verification response table as the ARP verification request table. R1 has an ARP verification response table in its data plane; the ARP verification response table includes two entries, the first entry and the second entry, and the verification MAC address of the first entry differs from the verification MAC address of the second entry. After receiving the first packet sent by PC1, R1 looks in the ARP verification response table for an entry matching the first packet; if the destination IP address of the first packet equals the verification IP address of the first entry of the ARP verification response table, or the destination MAC address of the first packet equals the verification MAC address of the first entry, the first packet is the response packet corresponding to the ARP verification packet.
Further,
Before the gateway sends the ARP verification packet, the method further includes: after the gateway has sent the previous ARP verification packet, updating the verification MAC address of the third entry to a first verification MAC address.
Further,
Before the gateway receives the response packet corresponding to the ARP verification packet, the method further includes: updating the verification MAC address of the first entry to the first verification MAC address. The second entry of the ARP verification response table is used to determine whether a packet received by the gateway is the response packet corresponding to the previous ARP verification packet. The first entry and the second entry are different entries of the ARP verification response table.
After receiving the previous ARP request packet, because no entry matching that previous ARP request packet was found in the data-plane ARP cache table, the gateway sends the previous ARP verification packet corresponding to the previous ARP request packet; the previous ARP verification packet is used to determine whether the host that sent the previous ARP request packet actually exists. After the gateway has sent the previous ARP verification packet and before it sends the ARP verification packet, the gateway updates the verification MAC address of the third entry to the first verification MAC address. The technical effect of this scheme is that the verification MAC address of the ARP verification packet differs from the verification MAC address of the previous ARP verification packet.
Before the gateway receives the response packet corresponding to the ARP verification packet, it updates the verification MAC address of the first entry to the first verification MAC address; the second entry of the ARP verification response table is used to determine whether a packet received by the gateway is the response packet corresponding to the previous ARP verification packet, and the first entry and the second entry are different entries of the ARP verification response table. The technical effects of this scheme include ensuring that the gateway correctly identifies both the response packet corresponding to the ARP verification packet and the response packet corresponding to the previous ARP verification packet. Using different entries to identify the response to the ARP verification packet and the response to the previous ARP verification packet ensures that the ARP verification response table can be updated, and thus used to identify the response to an ARP verification packet sent according to the updated ARP verification request table, while the gateway still correctly identifies the response packet corresponding to an ARP verification packet sent according to the ARP verification request table as it was before the update. Because the entry used to identify the response to the ARP verification packet and the entry used to identify the response to the previous ARP verification packet have different verification MAC addresses, a response packet forged by a LAN host from the verification MAC address and verification IP address carried in an ARP verification packet will not find a matching entry in the ARP verification response table; that is, a forged response packet is not punted to the control plane of the gateway.
Referring to Figure 1, R1 implements, by means of a computer program, the technical solution corresponding to the networking structure shown in Figure 1. The ARP verification response table is stored in the ternary content addressable memory (TCAM) of R1 and includes two entries. The control plane of R1 generates a verification IP address; the verification IP address and the IP address of R1 belong to the same network segment, and the verification IP address differs from the IP address of R1. R1 writes the verification IP address into the ARP verification request table and the ARP verification response table. The control plane of R1 sets a timer for updating the ARP verification request table and the ARP verification response table. The timer period may be 2 to 5 seconds.
The ARP verification request table is stored in the memory of R1 and includes one entry. The initialization procedure of the ARP verification response table is as follows:
The control plane of R1 randomly generates a verification MAC address and writes it into one entry of the ARP verification response table in the data-plane TCAM of R1; the control plane of R1 sets the other entry of the ARP verification response table in the data-plane TCAM of R1 to 0. The initialization procedure of the ARP verification request table is as follows:
R1 starts the timer;
The control plane of R1 writes the verification MAC address generated in the above initialization procedure of the ARP verification response table into the ARP verification request table in the data-plane memory of R1.
When the timer of the R1 control plane expires, R1 is triggered to update the ARP verification request table and the ARP verification response table.
The update procedure of the ARP verification response table is as follows:
The R1 control plane randomly generates a verification MAC address. This verification MAC address is not equal to the verification MAC address generated by the R1 control plane in the initialization procedure of the ARP verification response table. The R1 control plane writes this verification MAC address into the other entry of the ARP verification response table, updating the verification MAC address of that entry.
The update procedure of the ARP verification request table is as follows:
The R1 control plane writes the verification MAC address generated in the above update procedure of the ARP verification response table into the ARP verification request table located in memory, updating the verification MAC address of the ARP verification request table.
Further,
Punting the first packet to the control plane of the gateway specifically includes:
The control plane of the gateway looks up, according to the source IP address and source MAC address of the first packet, whether a corresponding entry exists in the ARP cache table of the control plane; if no corresponding entry exists in the control-plane ARP cache table, the control plane of the gateway generates a fourth entry containing the source IP address and source MAC address of the first packet, and the control plane of the gateway writes the fourth entry into the ARP cache table of the data plane of the gateway.
Further,
The verification MAC address is randomly generated by the control plane of the gateway and written by the control plane of the gateway into the data plane of the gateway.
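The method of Embodiment 1 above, and the receiver, sender, determining and punting units of the apparatus in Embodiment 2 that implement the same steps, as an added Python simulation; this is example code written for this page, not the patent's implementation. The class and method names, the sample addresses and the choice to address the verification frame to the requester's own MAC are assumptions.

```python
import ipaddress
import random
from dataclasses import dataclass, field

ZERO_MAC = "00:00:00:00:00:00"   # the "set to 0" placeholder entry of the response table


@dataclass
class ArpPacket:
    op: str          # "request" or "reply" (constructed, simplified ARP header)
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_mac: str


@dataclass
class Gateway:
    """Gateway R1: data-plane tables plus a minimal control plane (assumed names)."""
    ip: str
    mac: str
    prefix: str                                   # gateway's own segment, e.g. "192.0.2.0/24"
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    arp_cache: dict = field(default_factory=dict)        # data-plane ARP cache: ip -> mac
    response_table: list = field(default_factory=list)   # TCAM, two (verify_ip, verify_mac) entries
    request_table: list = field(default_factory=list)    # memory, one entry, subset of response_table
    cp_arp_cache: dict = field(default_factory=dict)     # control-plane ARP cache
    punted: list = field(default_factory=list)           # packets sent up to the control plane
    active: int = 0                                      # response-table index the request table mirrors
    verify_ip: str = ""

    def __post_init__(self):
        # Initialization: the control plane picks a verification IP on the gateway's
        # segment (not the gateway's own), writes one random verification MAC into
        # response-table entry 0, sets entry 1 to 0, and the request table copies entry 0.
        self.verify_ip = self._pick_verify_ip()
        self.response_table = [(self.verify_ip, self._random_mac(exclude=ZERO_MAC)),
                               (self.verify_ip, ZERO_MAC)]
        self.request_table = [self.response_table[0]]

    def _pick_verify_ip(self) -> str:
        for host in ipaddress.ip_network(self.prefix).hosts():
            if str(host) != self.ip:
                return str(host)
        raise ValueError("no spare address on segment")

    def _random_mac(self, exclude: str) -> str:
        # Locally administered unicast MAC, guaranteed different from `exclude`.
        while True:
            mac = "02:" + ":".join(f"{self.rng.randrange(256):02x}" for _ in range(5))
            if mac != exclude:
                return mac

    def timer_tick(self) -> None:
        """Timer expiry (2 to 5 s in the patent): write a fresh MAC into the *other*
        response-table entry, then point the request table at it. The previous MAC
        survives one more period, so the reply to the previous verification packet
        is still recognised while the newer one is being used."""
        _, old_mac = self.response_table[self.active]
        other = 1 - self.active
        self.response_table[other] = (self.verify_ip, self._random_mac(exclude=old_mac))
        self.active = other
        self.request_table = [self.response_table[self.active]]

    def handle_arp_request(self, req: ArpPacket):
        """Data plane. Cached requester -> ('reply', pkt); otherwise -> ('verify', pkt),
        the ARP verification packet built from the request table."""
        if self.arp_cache.get(req.src_ip) == req.src_mac:
            return "reply", ArpPacket("reply", self.ip, self.mac, req.src_ip, req.src_mac)
        verify_ip, verify_mac = self.request_table[0]
        # dst IP = requester's source IP; src IP/MAC = verification IP/MAC.
        return "verify", ArpPacket("request", verify_ip, verify_mac, req.src_ip, req.src_mac)

    def is_verification_response(self, pkt: ArpPacket) -> bool:
        """Match dst IP or dst MAC against any live entry of the response table."""
        return any(pkt.dst_ip == vip or pkt.dst_mac == vmac
                   for vip, vmac in self.response_table if vmac != ZERO_MAC)

    def handle_packet(self, pkt: ArpPacket) -> bool:
        """Data plane on an incoming packet: punt a matching verification response
        to the control plane and return True; anything else is not punted."""
        if not self.is_verification_response(pkt):
            return False
        self.punted.append(pkt)
        self._control_plane_learn(pkt)
        return True

    def _control_plane_learn(self, pkt: ArpPacket) -> None:
        # Control plane: if the responder is unknown, create the "fourth entry"
        # (source IP, source MAC) and push it down to the data-plane ARP cache.
        if self.cp_arp_cache.get(pkt.src_ip) != pkt.src_mac:
            self.cp_arp_cache[pkt.src_ip] = pkt.src_mac
            self.arp_cache[pkt.src_ip] = pkt.src_mac


if __name__ == "__main__":
    gw = Gateway(ip="192.0.2.1", mac="02:00:00:00:00:01", prefix="192.0.2.0/24")
    # Constructed sample: PC1 (192.0.2.10) sends an ARP request to the gateway.
    pc1 = ArpPacket("request", "192.0.2.10", "02:00:00:00:00:10", gw.ip, "ff:ff:ff:ff:ff:ff")
    kind, vpkt = gw.handle_arp_request(pc1)
    reply = ArpPacket("reply", pc1.src_ip, pc1.src_mac, vpkt.src_ip, vpkt.src_mac)
    print(kind, gw.handle_packet(reply), gw.handle_arp_request(pc1)[0])
```

After two timer periods the MAC used in the first verification packet is gone from both entries, so a late or replayed response carrying it is no longer punted.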
Embodiment 2: An embodiment of the present invention provides an ARP request packet verification apparatus that can be used in the networking structure shown in Figure 1. The ARP request packet verification apparatus may be R1 in Figure 1. Referring to Figure 3, Figure 3 is a schematic diagram of the ARP request packet verification apparatus provided by an embodiment of the present invention; the apparatus includes: a receiver 301, by which the gateway receives an ARP request packet.
In a specific implementation, the above ARP request packet may be sent by a host within the local area network. The host may be connected to the gateway by twisted-pair cable or by optical fibre; the host may be connected to the gateway directly or through a network device.
Taking the scenario shown in Figure 1 as an example, PC1 sends an ARP request packet to R1.
A sender 302, configured so that, if the gateway finds no entry matching the ARP request packet in the ARP cache table, the gateway sends an ARP verification packet; the destination Internet Protocol (IP) address of the ARP verification packet is the source IP address of the ARP request packet, the source IP address and source media access control (MAC) address of the ARP verification packet are a verification IP address and a verification MAC address respectively, the verification IP address is an address on the same network segment as the IP address of the gateway, and the verification IP address differs from the IP address of the gateway;
The ARP cache table is located in the data plane of the gateway and is used to verify ARP request packets. The ARP cache table may include multiple entries, each including an IP address and the MAC address corresponding to that IP address. If the gateway finds no entry in the ARP cache table matching the source IP address and source MAC address of the ARP request packet, the gateway sends an ARP verification packet. Because the address of the ARP verification packet is on the same network segment as the IP address of the gateway, the host's response to the ARP verification packet is guaranteed to reach the gateway. Because the destination IP address of the ARP verification packet is the source IP address of the ARP request packet, a host that actually exists in the local area network and sent a genuine ARP request packet is guaranteed to receive the ARP verification packet sent by the gateway.
Referring to Figure 1, R1 receives the ARP request packet sent by PC1. Because the ARP request packet contains a Q pair, the user session table in the data plane of R1 does not have enough space to hold an entry that could respond to the ARP request packet containing the Q pair sent by PC1 and generate the corresponding index. Therefore, R1 needs to perform access processing for PC1 in the control plane. R1 sends an ARP verification packet to PC1. The destination IP address of the ARP verification packet is the IP address of PC1, and the source IP address and source MAC address of the ARP verification packet are a verification IP address and a verification MAC address randomly generated by the control plane of R1. The verification IP address is on the same network segment as the IP address of R1 and differs from the IP address of R1; the verification MAC address differs from the verification MAC address in the previous ARP verification packet sent by R1.
A determining unit 303, by which the gateway receives a first packet and determines whether the first packet is the response packet corresponding to the ARP verification packet.
There are several ways for the gateway to receive the first packet and determine whether it is the response packet corresponding to the ARP verification packet. For example, the data plane of the gateway has an ARP verification response table, which may include multiple entries, each including a verification IP address and a verification MAC address; if the destination IP address and destination MAC address of the first packet match some entry in the ARP verification response table, the first packet is determined to be the response packet corresponding to the ARP verification packet.
Referring to Figure 1, the data plane of R1 has an ARP verification response table that includes multiple entries, each including a verification IP address and a verification MAC address. R1 receives the first packet sent by PC1; if the destination IP address and destination MAC address of the first packet match some entry in the ARP verification response table, the first packet is determined to be the response packet corresponding to the ARP verification packet.
A punting unit 304, configured to punt the first packet to the control plane of the gateway if the first packet is the response packet corresponding to the ARP verification packet.
Referring to Figure 1, R1 determines that the first packet is the response packet corresponding to the ARP verification packet, and R1 sends the first packet to the control plane of R1 for access processing.
It can be seen that the ARP request packet verification apparatus proposed by the embodiment of the present invention solves the problem that responding to ARP request packets only in the data plane may leave some network devices unable to access the external network.
Further,
The verification MAC address in the ARP verification packet is different from the verification MAC address in the previous ARP verification packet sent by the gateway.
Further,
The sender specifically includes:
An obtaining unit, by which the gateway obtains the verification IP address and verification MAC address of the ARP verification packet from an ARP verification request table. The ARP verification request table includes at least one entry. A third entry is identical to a first entry. The third entry is an entry of the ARP verification request table. The first entry is an entry of an ARP verification response table. The ARP verification response table includes at least two entries, each containing a verification IP address and a verification MAC address. The verification MAC addresses of the at least two entries differ from one another. The ARP verification request table is a subset of the ARP verification response table.
Further,
The determining unit specifically includes:
An analysis unit, configured to determine, by means of the ARP verification response table, whether the first packet is the response packet corresponding to the ARP verification packet. When the destination IP address of the first packet equals the verification IP address of the first entry, or the destination MAC address of the first packet equals the verification MAC address of the first entry, the first packet is determined to be the response packet corresponding to the ARP verification packet.
The ARP verification request table resides in the data plane of the gateway and includes at least one entry. The third entry is identical to the first entry, and the third entry is an entry of the ARP verification request table. The first entry is an entry of the ARP verification response table. The achievable technical effects include that the verification IP address and verification MAC address of the ARP verification packet come from the ARP verification request table, so that after the gateway receives the response packet corresponding to the ARP verification packet it can find a matching entry in the ARP verification response table. The third entry may be an entry of the ARP verification response table (that is, the first entry), or it may be an entry that is independent of the first entry of the ARP verification response table.
The ARP verification request table is a subset of the ARP verification response table. Thus the ARP verification packet sent by the gateway contains the verification IP address and verification MAC address provided by the ARP verification request table. After the ARP verification packet reaches the host that actually exists and previously sent the ARP request packet, the host returns to the gateway a response packet corresponding to the ARP verification packet. That response packet necessarily also contains the verification IP address and verification MAC address provided by the ARP verification request table. When the response packet corresponding to the ARP verification packet reaches the gateway, it matches some entry of the ARP verification response table in the data plane of the gateway. Therefore, after receiving a packet, the gateway can decide whether the packet is the response packet corresponding to the ARP verification packet according to whether the packet matches some entry of the ARP verification response table in its data plane. The ARP verification response table resides in the data plane of the gateway and includes at least two entries, whose verification MAC addresses differ from one another. The achievable technical effects include that having at least two entries ensures that, at any given moment, one entry of the ARP verification response table (the first entry) is used to determine whether the first packet is the response packet corresponding to the ARP verification packet, while another entry of the ARP verification response table is available to be updated to a new entry.
The ARP verification response table is used to determine whether the first packet is the response packet corresponding to the ARP verification packet: when the destination IP address of the first packet equals the verification IP address of the first entry, or when the destination MAC address of the first packet equals the verification MAC address of the first entry, the first packet is determined to be the response packet corresponding to the ARP verification packet.
Referring to Figure 1, R1 has an ARP verification request table in its data plane; R1 obtains the verification IP address and verification MAC address of the ARP verification packet from the ARP verification request table, and R1 uses the first entry of the ARP verification response table as the ARP verification request table. R1 has an ARP verification response table in its data plane; the ARP verification response table includes two entries, the first entry and the second entry, and the verification MAC address of the first entry differs from the verification MAC address of the second entry. After receiving the first packet sent by PC1, R1 looks in the ARP verification response table for an entry matching the first packet; if the destination IP address of the first packet equals the verification IP address of the first entry of the ARP verification response table, or the destination MAC address of the first packet equals the verification MAC address of the first entry, the first packet is the response packet corresponding to the ARP verification packet.
进一步的, ARP请求报文验证装置包括:  Further, the ARP request message verification device includes:
第一更新单元, 用于该网关发出 ARP验证报文前, 该网关发出该前一 个 ARP验证报文后,将该第三表项的验证 MAC地址更新为第一验证 MAC 地址。 a first update unit, configured to send the previous one before the gateway sends an ARP verification message After the ARP verification packet, the verification MAC address of the third entry is updated to the first verification MAC address.
进一步的, ARP请求报文验证装置包括:  Further, the ARP request message verification device includes:
第二更新单元, 用于该网关收到该 ARP验证报文对应的响应报文前, 将该第一表项的验证 MAC地址更新为该第一验证 MAC地址。 该 ARP验 证响应表中的第二表项用于判断该网关收到的报文是否是该前一个 ARP验 证报文对应的响应报文。 该第一表项和该第二表项是该 ARP验证响应表中 的不同表项。  And a second updating unit, configured to: after the gateway receives the response packet corresponding to the ARP verification packet, update the verification MAC address of the first entry to the first verification MAC address. The second entry in the ARP authentication response table is used to determine whether the packet received by the gateway is a response packet corresponding to the previous ARP authentication packet. The first entry and the second entry are different entries in the ARP verification response table.
网关收到前一个 ARP请求报文后,由于在数据平面的 ARP緩存表中没 有查找到与该前一个 ARP请求报文匹配的表项,网关发出前一个 ARP请求 4艮文对应的前一个 ARP险证 ^艮文,前一个 ARP险证 文用于判断发出前一 个 ARP请求报文的主机是否真实存在。 网关发出前一个 ARP验证报文后, 发出 ARP验证报文前, 网关将该第三表项的验证 MAC地址更新为第一验 证 MAC地址。 该方案的技术效果包括, ARP请求报文的验证 MAC地址不 同于前一个 ARP验证报文的验证 MAC地址。  After the gateway receives the previous ARP request packet, the gateway sends the previous ARP request to the previous ARP request because the entry in the ARP cache table of the data plane does not match the previous ARP request packet. The risk certificate ^,文, the previous ARP risk certificate is used to determine whether the host that sent the previous ARP request message exists. After the gateway sends the previous ARP authentication packet, the gateway updates the verification MAC address of the third entry to the first authentication MAC address before sending the ARP authentication packet. The technical effect of the solution is that the verification MAC address of the ARP request message is different from the verification MAC address of the previous ARP verification message.
Before the gateway receives the response packet corresponding to the ARP verification packet, it updates the verification MAC address of the first entry to the first verification MAC address; the second entry of the ARP verification response table is used to determine whether a packet received by the gateway is the response packet corresponding to the previous ARP verification packet, and the first entry and the second entry are different entries of the ARP verification response table. The technical effects of this scheme include ensuring that the gateway accurately identifies both the response packet corresponding to the current ARP verification packet and the response packet corresponding to the previous ARP verification packet. Because the entry used to identify the response to the current ARP verification packet and the entry used to identify the response to the previous ARP verification packet are different entries, the ARP verification response table can be updated and then used to identify responses to ARP verification packets sent according to the updated ARP verification request table, while the gateway still accurately identifies the response to the ARP verification packet that was sent according to the ARP verification request table before the update. Because those two entries carry different verification MAC addresses, a response packet that a LAN host forges from the verification MAC address and verification IP address observed in an ARP verification packet finds no matching entry in the ARP verification response table once that verification MAC address has been rotated out of the table; that is, the forged response packet is not sent up to the control plane of the gateway.
Referring to Fig. 1, R1 implements, by means of a computer program, the technical solution corresponding to the network topology shown in Fig. 1. The ARP verification response table is stored in the TCAM of R1 and contains 2 entries. The control plane of R1 generates a verification IP address; the verification IP address is in the same network segment as the IP address of R1 and differs from the IP address of R1. R1 pushes the verification IP address down into the ARP verification request table and the ARP verification response table. The control plane of R1 sets a timer used to update the ARP verification request table and the ARP verification response table. The timer period may be 2 to 5 seconds.
The ARP verification request table is stored in the memory of R1 and contains 1 entry.
The ARP verification response table is initialized as follows:
The control plane of R1 randomly generates a verification MAC address and pushes it down into one entry of the ARP verification response table in the TCAM of the data plane of R1; the control plane of R1 sets the other entry of the ARP verification response table in the TCAM of the data plane of R1 to 0.
The ARP verification request table is initialized as follows:
R1 starts the timer;
the control plane of R1 pushes the verification MAC address generated during the initialization of the ARP verification response table above down into the ARP verification request table in the memory of the data plane of R1.
When the timer of the R1 control plane expires, it triggers R1 to update the ARP verification request table and the ARP verification response table.
The ARP verification response table is updated as follows:
The control plane of R1 randomly generates a verification MAC address; this verification MAC address is not equal to the verification MAC address generated by the R1 control plane during the initialization of the ARP verification response table. The R1 control plane pushes this verification MAC address down into the other entry of the ARP verification response table, updating the verification MAC address of that entry.
The ARP verification request table is updated as follows:
The R1 control plane pushes the verification MAC address generated during the update of the ARP verification response table above down into the ARP verification request table in memory, updating the verification MAC address of the ARP verification request table.
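The initialization and update procedures above, as an added example that is not part of the patent or of any vendor implementation: a Python model of R1's 1-entry verification request table, 2-entry verification response table and the control-plane ARP cache that a verified host is learned into, with the 2 to 5 second timer replaced by an explicit rotate() call. The class and function names, the dict-based packet representation and the sample addresses (192.0.2.0/24, locally administered MACs) are assumptions of this example.

```python
"""Added example (not the patent's own code): simulation of the gateway's ARP
verification request/response tables with timer-driven rotation of the
verification MAC address. Packets are dicts and the timer is driven by rotate();
addresses are constructed sample values."""
import os


class ArpVerifier:
    """Models R1: a 1-entry verification request table (data-plane memory),
    a 2-entry verification response table (data-plane TCAM) and the
    control-plane ARP cache that verified hosts are learned into."""

    def __init__(self, gateway_ip, verify_ip, rand=os.urandom):
        if verify_ip == gateway_ip:
            raise ValueError("verification IP must differ from the gateway IP")
        self.verify_ip = verify_ip
        self._rand = rand
        self.cp_arp_cache = {}  # control-plane ARP cache: ip -> mac
        self.dp_arp_cache = {}  # data-plane ARP cache, pushed down from control plane
        # Initialization: one response-table entry gets a fresh verification MAC,
        # the other is set to 0 (None here); the request table copies the fresh MAC.
        self.response_table = []
        first = self._new_mac()
        self.response_table = [{"ip": verify_ip, "mac": first},
                               {"ip": verify_ip, "mac": None}]
        self.request_table = {"ip": verify_ip, "mac": first}
        self._current = 0  # response-table index that mirrors the request table

    def _new_mac(self):
        """Random locally administered unicast MAC, distinct from both table entries."""
        while True:
            b = bytearray(self._rand(6))
            b[0] = (b[0] | 0x02) & 0xFE  # local bit set, multicast bit clear
            mac = ":".join("%02x" % x for x in b)
            if all(e["mac"] != mac for e in self.response_table):
                return mac

    def rotate(self):
        """Timer expiry: write a new verification MAC into the *other* response-table
        entry, then copy it into the request table. The entry holding the previous
        verification MAC stays valid for one more period."""
        new = self._new_mac()
        self._current ^= 1
        self.response_table[self._current]["mac"] = new
        self.request_table["mac"] = new

    def on_arp_request(self, src_ip, src_mac):
        """Data plane: if (src_ip, src_mac) is not in the ARP cache, build the ARP
        verification packet from the request table and return it."""
        if self.dp_arp_cache.get(src_ip) == src_mac:
            return None  # already verified host, nothing to do
        return {"dst_ip": src_ip, "src_ip": self.request_table["ip"],
                "src_mac": self.request_table["mac"]}

    def is_verification_response(self, pkt):
        """TCAM lookup of claim 4: destination IP equals an entry's verification IP,
        or destination MAC equals that entry's verification MAC."""
        for e in self.response_table:
            if e["mac"] is None:
                continue
            if pkt["dst_ip"] == e["ip"] or pkt["dst_mac"] == e["mac"]:
                return True
        return False

    def on_packet(self, pkt):
        """Returns True if the packet was lifted to the control plane and learned."""
        if not self.is_verification_response(pkt):
            return False  # unmatched reply never reaches the control plane
        # Control plane: learn the pair (fourth entry) and push it to the data plane.
        if self.cp_arp_cache.get(pkt["src_ip"]) != pkt["src_mac"]:
            self.cp_arp_cache[pkt["src_ip"]] = pkt["src_mac"]
            self.dp_arp_cache[pkt["src_ip"]] = pkt["src_mac"]
        return True


def demo():
    """Constructed scenario: a genuine host answers after one rotation and is
    learned; a reply replaying a verification MAC that has been overwritten by a
    second rotation (and not addressed to the verification IP) is dropped."""
    r1 = ArpVerifier(gateway_ip="192.0.2.1", verify_ip="192.0.2.254")
    probe = r1.on_arp_request("192.0.2.10", "02:00:00:00:00:10")
    stale_mac = probe["src_mac"]
    r1.rotate()  # one period passes; the reply to the old probe must still match
    reply = {"src_ip": "192.0.2.10", "src_mac": "02:00:00:00:00:10",
             "dst_ip": "192.0.2.254", "dst_mac": stale_mac}
    learned = r1.on_packet(reply)
    r1.rotate()  # second period: stale_mac is now gone from the TCAM
    forged = {"src_ip": "192.0.2.20", "src_mac": "02:00:00:00:00:bb",
              "dst_ip": "203.0.113.9", "dst_mac": stale_mac}
    return learned, r1.on_packet(forged), dict(r1.dp_arp_cache)
```

demo() returns (True, False, {"192.0.2.10": "02:00:00:00:00:10"}). Because the claim 4 match is a disjunction and the verification IP is the same in both entries, a reply addressed to the verification IP matches regardless of its destination MAC; only the MAC half of the check rotates, which is why the rejected reply in demo() carries a different destination IP.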
Further, the uplift unit further comprises:
a query unit, for the control plane of the gateway to query, according to the source IP address and source MAC address of the first packet, whether a corresponding entry exists in the ARP cache table of the control plane;
a generating unit, for the control plane of the gateway to generate, if no corresponding entry exists in the ARP cache table of the control plane, a fourth entry containing the source IP address and source MAC address of the first packet;
a delivery unit, for the control plane of the gateway to push the fourth entry down into the ARP cache table of the data plane of the gateway.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A method for verifying an address resolution protocol (ARP) request packet, characterized in that:
a gateway receives an ARP request packet;
if the gateway finds, in the ARP cache table of its control plane, no entry matching the source Internet Protocol (IP) address and source media access control (MAC) address of the ARP request packet, the gateway sends an ARP verification packet, the destination IP address of the ARP verification packet being the source IP address of the ARP request packet, the source IP address and source MAC address of the ARP verification packet being a verification IP address and a verification MAC address respectively, the verification IP address being an address in the same network segment as the IP address of the gateway, and the verification IP address being different from the IP address of the gateway;
the gateway receives a first packet and determines whether the first packet is the response packet corresponding to the ARP verification packet;
if the first packet is the response packet corresponding to the ARP verification packet, the first packet is sent up to the control plane of the gateway.
2. The method according to claim 1, characterized in that:
the verification MAC address in the ARP verification packet is different from the verification MAC address in the previous ARP verification packet sent by the gateway.
3. The method according to claim 1 or 2, characterized in that:
the gateway sending the ARP verification packet specifically comprises:
the gateway obtaining the verification IP address and the verification MAC address of the ARP verification packet through an ARP verification request table, the ARP verification request table comprising at least 1 entry, a third entry being identical to a first entry, the third entry being an entry of the ARP verification request table, the first entry being an entry of an ARP verification response table, the ARP verification response table comprising at least 2 entries, each entry containing a verification IP address and a verification MAC address, the verification MAC addresses of the at least 2 entries being different from one another, and the ARP verification request table being a subset of the ARP verification response table.
4. The method according to claim 3, characterized in that: determining whether the first packet is the response packet corresponding to the ARP verification packet specifically comprises:
determining through the ARP verification response table whether the first packet is the response packet corresponding to the ARP verification packet, and determining that the first packet is the response packet corresponding to the ARP verification packet when the destination IP address of the first packet equals the verification IP address of the first entry, or when the destination MAC address of the first packet equals the verification MAC address of the first entry.
5. The method according to claim 3, characterized in that:
before the gateway sends the ARP verification packet, the method further comprises: after the gateway has sent the previous ARP verification packet, updating the verification MAC address of the third entry to a first verification MAC address.
6. The method according to claim 5, characterized in that:
before the gateway receives the response packet corresponding to the ARP verification packet, the method further comprises: updating the verification MAC address of the first entry to the first verification MAC address, a second entry of the ARP verification response table being used to determine whether a packet received by the gateway is the response packet corresponding to the previous ARP verification packet, and the first entry and the second entry being different entries of the ARP verification response table.
7. The method according to any one of claims 1 to 6, characterized in that:
sending the first packet up to the control plane of the gateway specifically comprises:
the control plane of the gateway querying, according to the source IP address and source MAC address of the first packet, whether a corresponding entry exists in the ARP cache table of the control plane; if no corresponding entry exists in the ARP cache table of the control plane, the control plane of the gateway generating a fourth entry containing the source IP address and source MAC address of the first packet, and the control plane of the gateway pushing the fourth entry down into the ARP cache table of the data plane of the gateway.
8. The method according to any one of claims 1 to 7, characterized in that:
the verification MAC address is randomly generated by the control plane of the gateway and pushed by the control plane of the gateway down into the data plane of the gateway.
9. An apparatus for verifying an ARP request packet, characterized by comprising:
a receiver, for the gateway to receive an ARP request packet;
a transmitter, for the gateway to send an ARP verification packet if the gateway finds no entry matching the ARP request packet in the ARP cache table, the destination Internet Protocol (IP) address of the ARP verification packet being the source IP address of the ARP request packet, the source IP address and source media access control (MAC) address of the ARP verification packet being a verification IP address and a verification MAC address respectively, the verification IP address being an address in the same network segment as the IP address of the gateway, the verification IP address being different from the IP address of the gateway, and the verification MAC address being different from the verification MAC address in the previous ARP verification packet sent by the gateway;
a determining unit, for the gateway to receive a first packet and determine whether the first packet is the response packet corresponding to the ARP verification packet;
an uplift unit, for sending the first packet up to the control plane of the gateway if the first packet is the response packet corresponding to the ARP verification packet.
10. The apparatus according to claim 9, characterized in that:
the verification MAC address in the ARP verification packet is different from the verification MAC address in the previous ARP verification packet sent by the gateway.
11. The apparatus according to claim 9 or 10, characterized in that:
the transmitter specifically comprises:
an obtaining unit, for the gateway to obtain the verification IP address and the verification MAC address of the ARP verification packet through an ARP verification request table, the ARP verification request table comprising at least 1 entry, a third entry being identical to a first entry, the third entry being an entry of the ARP verification request table, the first entry being an entry of an ARP verification response table, the ARP verification response table comprising at least 2 entries, each entry containing a verification IP address and a verification MAC address, and the verification MAC addresses of the at least 2 entries being different from one another.
12. The apparatus according to claim 11, characterized in that:
the determining unit specifically comprises: an analysis unit, for determining through the ARP verification response table whether the first packet is the response packet corresponding to the ARP verification packet, and determining that the first packet is the response packet corresponding to the ARP verification packet when the destination IP address of the first packet equals the verification IP address of the first entry, or when the destination MAC address of the first packet equals the verification MAC address of the first entry.
13. The apparatus according to claim 12, characterized by further comprising:
a first updating unit, for updating, before the gateway sends the ARP verification packet and after the gateway has sent the previous ARP verification packet, the verification MAC address of the third entry to a first verification MAC address.
14. The apparatus according to claim 13, characterized by further comprising:
a second updating unit, for updating, before the gateway receives the response packet corresponding to the ARP verification packet, the verification MAC address of the first entry to the first verification MAC address, a second entry of the ARP verification response table being used to determine whether a packet received by the gateway is the response packet corresponding to the previous ARP verification packet, and the first entry and the second entry being different entries of the ARP verification response table.
15. The apparatus according to any one of claims 9 to 14, characterized in that:
the uplift unit further comprises:
a query unit, for the control plane of the gateway to query, according to the source IP address and source MAC address of the first packet, whether a corresponding entry exists in the ARP cache table of the control plane;
a generating unit, for the control plane of the gateway to generate, if no corresponding entry exists in the ARP cache table of the control plane, a fourth entry containing the source IP address and source MAC address of the first packet;
a delivery unit, for the control plane of the gateway to push the fourth entry down into the ARP cache table of the data plane of the gateway.
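The packet construction of claim 1 and the check of claim 4 at the wire level, as an added example that is not the patent's or the applicant's code: the ARP verification packet is encoded as an Ethernet/ARP frame whose sender hardware and protocol addresses are the verification MAC and verification IP and whose target is the source of the ARP request being verified; the verification IP is checked to be a host address in the gateway's segment other than the gateway's own; and a reply is parsed and matched against the verification response table. The RFC 826 field layout is standard; the function names, the choice to send the verification packet unicast to the claimed source MAC (the patent does not specify the Ethernet destination) and all addresses are assumptions of this example.

```python
"""Added example (not the patent's own code): on-the-wire form of the ARP
verification packet of claim 1 and the reply check of claim 4. Addresses are
constructed sample values; the unicast Ethernet destination is a design choice
of this example."""
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def pick_verification_ip(gateway_ip, prefix_len, candidate):
    """Claim 1: the verification IP must lie in the gateway's network segment and
    differ from the gateway's own IP. Network and broadcast addresses are also
    refused, since no host could answer to them. Raises ValueError on failure."""
    net = ipaddress.ip_network(f"{gateway_ip}/{prefix_len}", strict=False)
    cand = ipaddress.ip_address(candidate)
    if cand not in net or cand in (net.network_address, net.broadcast_address):
        raise ValueError("verification IP must be a host address in the gateway's segment")
    if cand == ipaddress.ip_address(gateway_ip):
        raise ValueError("verification IP must differ from the gateway IP")
    return str(cand)


def build_verification_frame(verify_mac, verify_ip, request_src_mac, request_src_ip):
    """Ethernet + ARP request: sender = verification MAC/IP, target = the source
    MAC/IP of the ARP request being verified. Sent unicast to that source MAC so
    that only a host actually present with that MAC sees it (example's choice)."""
    eth = mac_bytes(request_src_mac) + mac_bytes(verify_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST,
                      mac_bytes(verify_mac), ipaddress.ip_address(verify_ip).packed,
                      mac_bytes(request_src_mac), ipaddress.ip_address(request_src_ip).packed)
    return eth + arp


def build_reply_frame(host_mac, host_ip, verify_mac, verify_ip):
    """What a genuine host answers with (constructed for the demonstration)."""
    eth = mac_bytes(verify_mac) + mac_bytes(host_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(host_mac), ipaddress.ip_address(host_ip).packed,
                      mac_bytes(verify_mac), ipaddress.ip_address(verify_ip).packed)
    return eth + arp


def parse_arp_frame(frame):
    """Decode an Ethernet + ARP (IPv4 over Ethernet) frame into the fields the
    gateway looks at; returns None for anything that is not such a frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper,
            "src_mac": mac_str(sha), "src_ip": str(ipaddress.ip_address(spa)),
            "dst_mac": mac_str(tha), "dst_ip": str(ipaddress.ip_address(tpa))}


def is_response_to(frame, response_table):
    """Claim 4 over a raw reply: it is a verification response if its target IP
    equals an entry's verification IP or its target MAC equals that entry's
    verification MAC. Returns the parsed fields (for the control plane to learn
    src_ip/src_mac from) or None."""
    f = parse_arp_frame(frame)
    if f is None or f["oper"] != ARP_REPLY:
        return None
    hit = any(f["dst_ip"] == e["ip"] or f["dst_mac"] == e["mac"] for e in response_table)
    return f if hit else None
```

On a real gateway the frames would be handed to a raw socket and the response-table lookup done in TCAM; here parse_arp_frame() and is_response_to() stand in for that path so the check can be exercised on constructed frames.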
PCT/CN2012/079794 2011-08-08 2012-08-08 Method and device for verifying address resolution protocol (arp) request message WO2013020501A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110226131.8A CN102255984B (en) 2011-08-08 2011-08-08 Method and device for verifying ARP (Address Resolution Protocol) request message
CN201110226131.8 2011-08-08

Publications (1)

Publication Number Publication Date
WO2013020501A1 true WO2013020501A1 (en) 2013-02-14

Family

ID=44982973

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/079794 WO2013020501A1 (en) 2011-08-08 2012-08-08 Method and device for verifying address resolution protocol (arp) request message

Country Status (2)

Country Link
CN (1) CN102255984B (en)
WO (1) WO2013020501A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106899554A (en) * 2015-12-21 2017-06-27 北京奇虎科技有限公司 A kind of method and device for preventing ARP from cheating
CN111835764A (en) * 2020-07-13 2020-10-27 中国联合网络通信集团有限公司 ARP anti-spoofing method, tunnel endpoint and electronic equipment
CN112600951A (en) * 2020-12-08 2021-04-02 杭州迪普信息技术有限公司 Message forwarding method and device
US11277442B2 (en) * 2019-04-05 2022-03-15 Cisco Technology, Inc. Verifying the trust-worthiness of ARP senders and receivers using attestation-based methods

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102255984B (en) * 2011-08-08 2015-06-03 华为技术有限公司 Method and device for verifying ARP (Address Resolution Protocol) request message
US20150326524A1 (en) * 2013-01-24 2015-11-12 Krishna Mouli TANKALA Address resolution in software-defined networks
CN107395786B (en) * 2017-08-09 2020-12-04 杭州迪普科技股份有限公司 ARP (Address resolution protocol) table item indexing method and device
CN110062064B (en) * 2019-05-30 2022-06-21 新华三信息安全技术有限公司 Address Resolution Protocol (ARP) request message response method and device
CN111431732B (en) * 2020-02-11 2021-04-20 西安交通大学 Method and system for carrying out increment verification on computer network data plane
CN112769791A (en) * 2020-12-30 2021-05-07 北京天融信网络安全技术有限公司 Network defense method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050198242A1 (en) * 2004-01-05 2005-09-08 Viascope Int. System and method for detection/interception of IP collision
CN101094236A (en) * 2007-07-20 2007-12-26 华为技术有限公司 Method for processing message in address resolution protocol, communication system, and forwarding planar process portion
CN101110821A (en) * 2007-09-06 2008-01-23 华为技术有限公司 Method and apparatus for preventing ARP address cheating attack
CN102255984A (en) * 2011-08-08 2011-11-23 华为技术有限公司 Method and device for verifying ARP (Address Resolution Protocol) request message

Also Published As

Publication number Publication date
CN102255984B (en) 2015-06-03
CN102255984A (en) 2011-11-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 12822763
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 12822763
Country of ref document: EP
Kind code of ref document: A1