CN101552783B - Method and apparatus for preventing counterfeit message attack - Google Patents


Info

Publication number
CN101552783B
Authority
CN
China
Prior art keywords
message
address
access point
list item
state
Prior art date
Legal status
Active
Application number
CN2009100841311A
Other languages
Chinese (zh)
Other versions
CN101552783A (en)
Inventor
林涛
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN2009100841311A
Publication of CN101552783A
Application granted
Publication of CN101552783B
Legal status: Active

Abstract

The present invention discloses a method of preventing counterfeit message attacks. A network access server (NAS) establishes an address binding table according to the duplicate address detection neighbor solicitation (DAD NS) messages received from non-trusted nodes, and maintains the address binding table according to the router advertisement (RA) messages received from trusted nodes, the neighbor solicitation (NS) messages received from non-trusted nodes, and the neighbor advertisement (NA) messages received from trusted and non-trusted nodes; the NAS then filters the data messages received from non-trusted nodes according to the address binding table. The invention also discloses an apparatus for preventing counterfeit message attacks. The technical scheme of the invention can effectively prevent attacks that use counterfeit Neighbor Discovery (ND) messages.

Description

Method and apparatus for preventing counterfeit message attacks
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and apparatus for preventing counterfeit message attacks.
Background art
Internet Protocol version 6 (IPv6) is the next-generation IP protocol designed by the Internet Engineering Task Force (IETF) to replace the current version of the Internet Protocol, IPv4.
The Neighbor Discovery (ND) protocol is a basic component of IPv6. The ND protocol uses five types of Internet Control Message Protocol version 6 (ICMPv6) message to implement the following functions: address resolution, neighbor reachability verification, duplicate address detection, router discovery/prefix discovery, stateless address autoconfiguration and redirection. The five types of ICMPv6 message used by the ND protocol and their roles are shown in Table 1:
[Table 1: the five ICMPv6 message types used by the ND protocol and their roles; the table was an image on the original page and is not reproduced here.]
The functions implemented by the five types of ICMPv6 message of the ND protocol are briefly described below:
1. Address resolution
Address resolution obtains the link-layer address of a neighbor node on the same link, and is implemented with the neighbor solicitation (NS) message and the neighbor advertisement (NA) message.
Fig. 1 is a schematic diagram of the address resolution procedure in the prior art. As shown in Fig. 1, when node A wants to obtain the link-layer address of node B, node A sends an NS message in multicast mode. The source address of this NS message is the interface IPv6 address of node A, the destination address is the solicited-node multicast address of node B, and the message content includes the link-layer address of node A. After receiving the NS message, node B checks whether its destination address is the solicited-node multicast address corresponding to node B's own IPv6 address; if so, node B learns the link-layer address of node A and returns an NA message to node A in unicast mode, which includes the link-layer address of node B. Node A receives the NA message and obtains the link-layer address of node B from it.
2. Neighbor reachability verification
After obtaining the link-layer address of a neighbor node, a node can verify whether the neighbor is reachable using NS and NA messages. Specifically, the node sends an NS message whose destination address is the IPv6 address of the neighbor node; if it receives a confirming NA message from the neighbor, the neighbor is considered reachable, otherwise the neighbor is considered unreachable.
3. Duplicate address detection (DAD)
After a node obtains an IPv6 address, it needs to use duplicate address detection to confirm whether the address is already in use by another node.
Fig. 2 is a schematic diagram of the duplicate address detection process in the prior art. As shown in Fig. 2, node A sends an NS message whose source address is the unspecified address, written "::", and whose destination address is the solicited-node multicast address corresponding to the IPv6 address under test; the content of the NS message includes the IPv6 address under test. If node B is already using this IPv6 address, it returns an NA message that includes node B's own IPv6 address. On receiving the NA message sent by node B, node A knows that this IPv6 address is in use; otherwise the address is not in use and node A can use it.
4. Router discovery/prefix discovery and stateless address autoconfiguration
Router discovery/prefix discovery means that a node obtains, from the RA messages it receives, the prefix of the neighboring router and of the network it is on, together with other configuration parameters.
Stateless address autoconfiguration means that a node configures an IPv6 address automatically according to the information obtained by router discovery/prefix discovery.
Router discovery/prefix discovery is implemented with the RS and RA messages; the detailed process is as follows: (1) when a node starts up, it sends a request to the router through an RS message, requesting the prefix and other configuration information for use in configuring the node; (2) the router returns an RA message that includes a prefix information option; note that, besides responding to RS messages, a router also issues RA messages periodically; (3) the node uses the address prefix and other configuration parameters in the RA message returned by the router to automatically configure the IPv6 address and other information of its interface. When autoconfiguration generates an IPv6 address, a duplicate address detection process must be performed once to prevent address conflicts with other devices or hosts in the existing network; only if no duplicate address is detected does the address take effect.
The prefix information option includes not only the address prefix but also the preferred lifetime and the valid lifetime of that prefix. After a node receives the RA messages that the router sends periodically, it can update the preferred lifetime and valid lifetime of the prefix according to those messages. Within the valid lifetime the automatically generated address can be used normally; once the valid lifetime expires, the generated address is deleted automatically.
5. Redirection
When a host starts up, its routing table may contain only one default route, to the default gateway. When certain conditions are met, the default gateway can send an ICMPv6 redirect message to the source host, notifying the host to select a better next hop for sending subsequent packets. A device sends an ICMPv6 redirect message to a host only when all of the following conditions are met:
(1) the interface on which the data message is received and the interface on which it is forwarded are the same interface;
(2) the selected route was not itself created or modified by an ICMPv6 redirect message;
(3) the selected route is not a default route;
(4) the forwarded IPv6 data message does not contain a routing extension header.
The above are the functions implemented by the five types of ICMPv6 message of the ND protocol.
In the prior art, however, ND protocol messages are all transmitted in plaintext, so a link may be subject to counterfeit message attacks aimed at the use of the ND protocol:
(1) Forged router: an attached node sends router advertisement (RA) messages so that all other nodes on the network take it for a router;
(2) Forged host messages: after accessing the network, an attached node forges and sends messages from IP addresses that are not its own, including data messages and control messages, for example NA messages answering an NS, thereby impersonating other hosts and devices or disturbing the neighbor discovery process of other hosts or devices.
Against the above counterfeit message attacks, the prior art uses static address allocation and the SEND scheme. In the static address allocation scheme, an IPv6 address is allocated in advance on the access switch for each possible attached node and bound to its link address and access point, where the access point is the link-layer attachment point, such as a port in an Ethernet. The SEND scheme applies cryptographic authentication to ND messages to guarantee the security of ND exchanges, and requires both routers and hosts to support that authentication.
However, the static address allocation scheme has a high management cost for large-scale IPv6 deployments, while the SEND scheme requires existing devices and hosts to upgrade their IPv6 protocol stacks to support the cryptographic authentication process; few current systems support it, so it is hardly deployable.
Therefore, a new scheme for preventing counterfeit message attacks is needed.
Summary of the invention
The present invention provides a method for preventing counterfeit message attacks, which can effectively prevent such attacks.
The present invention also provides an apparatus for preventing counterfeit message attacks, which can effectively prevent such attacks.
To achieve the above object, the technical scheme of the present invention is realized as follows:
The invention discloses a method for preventing counterfeit message attacks. The method is applied to a network access server (NAS) on which a trusted access point is specified, the access points on the NAS other than the trusted access point being non-trusted access points. The method includes:
the NAS establishes and maintains a legal prefix table according to the prefix content of the RA messages received on the trusted access point;
when the NAS receives, from a non-trusted access point, a first DAD NS message whose target IP address is a specified IP address, it confirms from the legal prefix table that the prefix of the target IP address is legal and then establishes a prefix-legal address binding entry according to the target IP address, source link address and access point of that DAD NS message;
after the prefix-legal address binding entry is established, if the NAS receives within a predetermined time, from another access point, an NA message answering the first DAD NS, it deletes the prefix-legal address binding entry; otherwise the prefix-legal entry changes to an address-legal address binding entry;
the NAS maintains the lifetime of the address-legal address binding entry according to the NS and NA messages received from the non-trusted access point, ensuring that the entry does not age out while its neighbor is online at the corresponding access point;
the NAS listens for the DAD NS that an attached host sends again after switching access point or link address; if a corresponding NA response is heard within the predetermined time, the access point and link address in the corresponding address-legal binding entry are not updated; otherwise, if no corresponding NA response is heard within the predetermined time, the access point and link address in the corresponding address-legal binding entry are updated;
the NAS filters the data messages received from non-trusted access points according to the address binding table.
The invention also discloses an apparatus for preventing counterfeit message attacks. The apparatus is arranged in a network access server (NAS) on which a trusted access point is specified, the access points on the NAS other than the trusted access point being non-trusted access points. The apparatus includes an ND message listening module, a filtering module and a storage module, wherein:
the ND message listening module is used to establish and maintain a legal prefix table according to the prefix content of the RA messages received on the trusted access point of the NAS; to, when the NAS receives from a non-trusted access point a first DAD NS message whose target IP address is a specified IP address, confirm from the legal prefix table that the prefix of that target IP address is legal and then establish a prefix-legal address binding entry according to the target IP address, source link address and access point of that DAD NS message; to, after the prefix-legal address binding entry is established, delete it if an NA message answering the first DAD NS is received from another access point of the NAS within a predetermined time, and otherwise change it to an address-legal address binding entry; to maintain the lifetime of the address-legal address binding entry according to the NS and NA messages received from the non-trusted access point of the NAS, ensuring that the entry does not age out while its neighbor is online at the corresponding access point; and to, when the NAS receives the DAD NS that an attached host sends again after switching access point or link address, leave the access point and link address in the corresponding address-legal binding entry unchanged if a corresponding NA response is heard within the predetermined time, and otherwise update them;
the storage module is used to store the address binding table;
the filtering module is used to filter the data messages received from the non-trusted access points of the NAS according to the address binding table.
As can be seen from the above technical scheme, in the present invention the NAS establishes the address binding table according to the duplicate address detection (DAD) neighbor solicitation (NS) messages received from non-trusted access points, and maintains the address binding table according to the router advertisement (RA) messages received from trusted nodes, the neighbor solicitation (NS) messages received from non-trusted access points, and the neighbor advertisement (NA) messages received from trusted and non-trusted access points; by filtering the data messages received from non-trusted access points according to the address binding table, the NAS can effectively prevent counterfeit message attacks.
Description of drawings
Fig. 1 is a schematic diagram of the address resolution procedure in the prior art;
Fig. 2 is a schematic diagram of the duplicate address detection process in the prior art;
Fig. 3 is a flow chart of a method for preventing counterfeit message attacks according to an embodiment of the invention;
Fig. 4 is a state transition diagram of an address binding entry in an embodiment of the invention;
Fig. 5 is a block diagram of an apparatus for preventing counterfeit message attacks according to an embodiment of the invention.
Embodiments
Fig. 3 is a flow chart of a method for preventing counterfeit message attacks according to an embodiment of the invention. As shown in Fig. 3, the method includes:
Step 301: a trusted access point is specified on the network access server (NAS); the access points on the NAS other than the trusted access point are non-trusted access points.
In this step, the network access server (NAS) may specifically be a device that provides access control, such as an access-layer switch or router. The trusted access point can be specified according to the concrete network; for example, when the NAS is an access-layer switch or router in an IPv6 network, the trusted access point can be the VLAN interface of this device that is configured with an IPv6 address.
Step 302: the NAS establishes an address binding table according to the duplicate address detection neighbor solicitation (DAD NS) messages received from non-trusted access points, and maintains the address binding table according to the router advertisement (RA) messages received from trusted nodes, the neighbor solicitation (NS) messages received from non-trusted access points, and the neighbor advertisement (NA) messages received from trusted and non-trusted access points.
In the prior art (as required by the RFC 4862 standard), whether an IPv6 address is obtained by stateless autoconfiguration, by DHCPv6 or by manual configuration, a host must first perform DAD after configuring the address: it first sends a DAD NS message and waits until the IPv6 address under test becomes an effectively usable address before it may send other messages. The present invention therefore generates the corresponding address binding entry by listening for DAD NS messages.
In the prior art, every attached node, such as a host, can normally configure its own IP address, and once it is configured, it may only use its own configured IP address as the source address for sending messages. In addition, every attached node maintains its own neighbor entries and sends ND messages at the times dictated by the ND state machine (RFC 4861); the present invention therefore maintains the address binding entries by listening to the relevant ND messages, and thereby guarantees the legitimacy of each attached node.
Step 303: the NAS filters the data messages received from non-trusted access points according to the address binding table.
In an existing IPv6 network, ND messages are sent before IPv6 data messages are forwarded, for duplicate detection of the node's own address, neighbor address resolution and so on. The scheme of the present invention uses exactly this property, listening to ND messages, to achieve the object of the invention. To make the object, technical scheme and advantages of the invention clearer, the invention is further explained below with reference to the drawings.
The address binding table in the embodiment of the invention is shown in Table 2:
IP address | Link address | Access point | Link address to be changed to | Access point to be changed to | Entry state
IP1 | LA1 | ACP1 | P-LA1 | P-ACP1 | INIT
IP2 | LA2 | ACP2 | P-LA2 | P-ACP2 | LGLA
... | ... | ... | ... | ... | ...
Table 2
As shown in Table 2, each entry of the address binding table includes: Internet Protocol (IP) address, link address, access point, link address to be changed to, access point to be changed to, and entry state. The link address is the address of the link-layer protocol, such as the corresponding link address in an Ethernet; the access point is the link-layer attachment point, such as a port in an Ethernet. At any time the entry state is one of the following five states: prefix legal (LGLP, Legal Prefix), address legal (LGLA, Legal Address), aging (AGNG, Aging), access point pending (ACPP, Access Point Pending) and link address pending (LNAP, Link Address Pending). The LGLP, LGLA, AGNG, ACPP and LNAP states correspond in turn to the timers T1, T2, T3, T4 and T5.
In an embodiment of the present invention two duration variables A and B can be preset, and T1, T2, T3, T4 and T5 are then assigned the values A, B, A, A and A respectively. Duration variable A defaults to RETRANS_TIMER of the RFC 4861 standard, namely 1000 milliseconds; duration variable B defaults to DELAY_FIRST_PROBE_TIME + RETRANS_TIMER of the RFC 4861 standard. Of course, A and B can also be adjusted according to actual needs.
In step 302 above, the NAS establishes and maintains the address binding table as follows: the NAS establishes and maintains a legal prefix table according to the prefix content of the RA messages received on the trusted access point; when the NAS receives from a non-trusted access point a first DAD NS message whose target IP address is a specified IP address, it confirms from the legal prefix table that the prefix of the target IP address is legal and then establishes a prefix-legal address binding entry according to the target IP address, source link address and access point of that DAD NS message; after the prefix-legal entry is established, if the NAS receives within a predetermined time, from another access point, an NA message answering the first DAD NS, it deletes the prefix-legal entry, otherwise the entry changes to an address-legal address binding entry; the NAS maintains the lifetime of the address-legal entry according to the NS and NA messages received from the non-trusted access point, ensuring that it does not age out while its neighbor is online at the corresponding access point; the NAS listens for the DAD NS that an attached host sends again after switching access point or link address, and if a corresponding NA response is heard within the predetermined time the access point and link-layer address in the corresponding address-legal entry are not updated, otherwise they are updated.
The detailed process of establishing and maintaining the binding table is described below; it comprises the following two processing procedures:
I. Generation of the legal prefix table
1. The NAS establishes and maintains the legal prefix table according to the RA messages heard on the trusted access point; RA messages received on other, non-trusted, access points are discarded without exception.
Because the present invention trusts every ND message arriving from the trusted access point, the prefixes announced by the RAs heard on the trusted access point are legal prefixes.
The legal prefix table that the NAS establishes according to the prefix content announced in RA messages is shown in Table 3:
Legal prefix | Time the prefix advertisement was sent | Prefix lifetime
Prefix 1 | T11 | T12
Prefix 2 | T21 | T22
... | ... | ...
Table 3
As shown in Table 3, each entry of the legal prefix table includes: the prefix, the time the prefix advertisement was sent, and the prefix lifetime.
When a prefix entry has exceeded its prefix lifetime, the NAS deletes that prefix entry. The link-local address prefix (FE80::/10) is a legal prefix that is present in the legal prefix table by default, and its lifetime is permanent.
2. The NAS forwards RS messages received from non-trusted access points to the trusted access point.
In one embodiment of the invention, what is connected to the trusted access point is a router, so RS messages can be forwarded to the trusted access point, that is, to the router.
II. Generation and maintenance mechanism of the address binding table
1. The NAS listens on non-trusted access points for DAD NS messages (ND messages whose source address is the unspecified IPv6 address and whose destination address is a solicited-node multicast address) in order to generate and maintain the address binding table. The NAS looks up the address binding table using the target IP address in the DAD NS message (the IP address undergoing duplicate address detection), the source link address, and the non-trusted access point on which the DAD NS message was received, and handles the message differently according to the lookup result:
■ If the address binding table contains no entry whose IP address equals the target IP address of the DAD NS message, the NAS queries the legal prefix table to check whether the prefix of the target IP address is legal. If it is not legal, the DAD NS message is discarded. If it is legal, the DAD NS message is forwarded, and the target IP address, source link address and access point of the DAD NS message are added to the IP address, link address and access point fields of a new entry in the address binding table; this entry is set to the LGLP state and timer T1 is started. When T1 expires the entry changes to the LGLA state and timer T2 is started; when T2 expires the entry changes to the AGNG state and timer T3 is started; when T3 expires the entry is deleted from the address binding table.
■ If the address binding table contains an entry whose IP address equals the target IP address, the NAS first checks whether the state of the entry is LGLP; if so, the DAD NS message is discarded, otherwise it continues by checking whether the link address is the same.
- If the link address differs, the DAD NS message is forwarded, and the link address and access point corresponding to this DAD NS message are written into the entry's link-address-to-be-changed-to and access-point-to-be-changed-to fields; the entry is set to the LNAP state and timer T5 is started. When T5 expires the entry changes to the LGLA state, the link address and access point in the entry are replaced by the pending link address and pending access point respectively, and the pending link address and pending access point fields are cleared;
- If the link address is the same, the NAS further checks whether the access point is also the same. If the access point is also the same, the DAD NS message is forwarded. If the access point differs, the access point corresponding to this DAD NS message is first written into the entry's access-point-to-be-changed-to field, the entry is set to the ACPP state and timer T4 is started, and then the DAD NS message is forwarded. When T4 expires the entry changes to the LGLA state, the access point in the entry is replaced by the pending access point, and the pending access point field is cleared.
2. NS messages entering from the trusted access point are forwarded directly; that is, they do not take part in establishing and maintaining the address binding table.
3. When the NAS receives, on a non-trusted access point, an NS message other than a DAD NS message, it looks up the address binding table using the source IP address and source link address of the NS message and the access point on which it was received:
■ If the address binding table contains no entry whose IP address, link address and access point match the source IP address, source link address and access point of the NS message, the NS message is discarded;
■ If the address binding table contains an entry whose IP address, link address and access point match the source IP address, source link address and access point of the NS message, and the entry's state is not LGLP, that is, it is LGLA, AGNG, ACPP or LNAP, the entry is set to the LGLA state, timer T2 is started, the timer corresponding to the entry's previous state is deleted, and the NS message is forwarded; when the previous state of the entry was ACPP or LNAP, the pending-change columns of the entry, namely the link address to be changed to and the access point to be changed to, are also cleared.
4. When the NAS receives an NA message from any access point (trusted or non-trusted), it looks up the address binding table using the target IP address and target link address announced in the NA message and the access point on which the NA message was received:
■ If the binding table contains an entry whose IP address, link address and access point match the target IP address and target link address announced in the NA message and the access point on which it was received, the state of the entry is examined:
- if the entry is in the ACPP or LNAP state, it is set to the LGLA state, timer T2 is started, the pending link address and pending access point fields of the entry are cleared, and the NA message is forwarded;
- if the entry is in the LGLP state, the NA message is discarded;
- if the entry is in the LGLA state, the associated timer T2 is reset and the NA message is forwarded directly;
- if the entry is in the AGNG state, it is set to the LGLA state, timer T2 is started, and the NA message is forwarded;
■ If the binding table contains an entry whose IP address equals the target IP address announced in the NA message, but whose link address differs from the announced target link address, or whose access point differs from the access point on which the NA message entered, or both, the NAS checks whether the NA message is an NA answering duplicate address detection:
- if it is an NA answering duplicate address detection, it is regarded as a counterfeit message and discarded;
- if it is not an NA answering duplicate address detection, the NAS checks whether the entry is in the LGLP state. If not, the NA message is discarded. If the entry is in the LGLP state, the NAS further checks whether the access point on which the NA message was received is the trusted access point; if so, the entry is deleted and the NA message is forwarded; if not, the NA message is discarded.
The forwarding of ND messages in the above process, for example the forwarding of NA and NS messages, is the same as the ND message forwarding process in the prior art.
Based on the address binding table established and maintained as described above, the filtering in step 303, in which the NAS filters the data messages received from non-trusted access points according to the address binding table, specifically comprises the following:
(1) When a given entry in the address binding table transitions from the LGLP state to the LGLA state, the NAS configures a filtering rule on the access point corresponding to that entry according to the content of the entry, and filters the data messages received on that access point according to the configured filtering rule;
The filtering rule is: of the data messages received on the access point corresponding to the entry, only those whose source IP address equals the IP address in the entry, and/or whose source link address equals the link address in the entry, may enter the NAS for subsequent forwarding;
The filtering rule may further limit the receiving rate and transmission rate of the data messages entering the NAS from the specified source IP address;
(2) When an entry in the address binding table is in the AGNG state and timer T3 expires, the NAS deletes the entry and at the same time deletes the filtering rule configured on the corresponding access point;
(3) When an entry in the address binding table transitions from the ACPP state or the LNAP state to the LGLA state, the NAS updates the filtering rule on the corresponding access point according to the updated content of the entry. That is, on the transition from the ACPP or LNAP state to the LGLA state, if either the link address or the access point has changed, the original filtering rule is deleted and a filtering rule is issued again;
(4) When an entry in the address binding table transitions from the LGLA state to the ACPP, LNAP or AGNG state, the filtering rule is not re-issued.
To describe the state transitions of the entries in the address binding table more clearly, the embodiment of the invention provides the state transition diagram shown in Fig. 4.
Fig. 4 is a schematic diagram of the state transitions of an address binding entry in the embodiment of the invention. In Fig. 4, "E" denotes an event that causes the state of an address binding entry to change, and "A" denotes the action performed during the state change. The events that cause state transitions of an address binding entry are listed in Table 4, and the actions performed during the state transitions are listed in Table 5:
Event number  Event description
E1            A DAD NS message sent by an access host is intercepted and no corresponding entry exists in the address binding table; the prefix of the entry is taken and a corresponding legal prefix is found in the legal prefix table;
E2            Timer T1 expires;
E3            Timer T2 expires;
E4            Timer T3 expires;
E5            A DAD NS message is intercepted whose IP address and link address match an existing entry but whose access point differs;
E6            Timer T4 expires, or an NA message consistent with the entry contents is received, or an NS message consistent with the entry contents is received;
E7            A DAD NS message is intercepted whose IP address matches an existing entry but whose link address differs;
E8            Timer T5 expires, or an NA message consistent with the entry contents is received, or an NS message consistent with the entry contents is received;
E9            An NS or NA message consistent with the entry contents is received;
E10           A trusted access point receives an NA message whose IP address matches an entry but whose link address or access point does not;
Table 4
Action number  Action description
A1             Create the binding entry; its state is LGLP;
A2             Change the state to LGLA and issue the filtering rule;
A3             Change the state to AGNG;
A4             Delete the entry and delete the filtering rule;
A5             Change the state to ACPP and record the pending access point;
A6             Change the state to LGLA. When the state change is caused by expiry of timer T4, replace the original access point with the pending access point and update the filtering rule;
A7             Change the state to LNAP and record the pending link address and pending access point;
A8             Change the state to LGLA. When the state change is caused by expiry of timer T5, replace the original link address and access point with the pending link address and pending access point, and update the filtering rule;
A9             Change the state to LGLA;
A10            Delete the entry;
A11            Restart T2, i.e. reset T2 to zero.
Table 5
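The state machine of Tables 4 and 5, together with the filtering rules of items (1) to (4) above, is modelled in the following Python example, which is added here and is not code from the patent or from its assignee. Timers T1 to T5 are represented by an explicit expire() call rather than real clocks, whether an NA answers a duplicate address detection is taken as an input flag because the description does not say how the NAS recognises it, and denying data traffic before a filtering rule has been issued is an assumption of the model.

```python
# Added model of the address-binding entry state machine; not the patent's code.
import ipaddress
from dataclasses import dataclass
from typing import Optional

LGLP, LGLA, AGNG, ACPP, LNAP = "LGLP", "LGLA", "AGNG", "ACPP", "LNAP"


@dataclass
class Entry:
    ip: str
    link: str
    ap: str
    state: str
    pending_link: Optional[str] = None  # "link address to be changed to"
    pending_ap: Optional[str] = None    # "access point to be changed to"
    rule_issued: bool = False           # filtering rule present on the access point


class BindingTable:
    def __init__(self, legal_prefixes, trusted_aps):
        self.prefixes = [ipaddress.ip_network(p) for p in legal_prefixes]
        self.trusted = set(trusted_aps)
        self.entries = {}  # IP address -> Entry
        self.log = []      # entry creation/deletion and discarded messages

    def _to_lgla(self, e):
        # A2/A6/A8/A9/A11: enter LGLA (T2 starts or restarts) and (re)issue the rule.
        e.state, e.rule_issued = LGLA, True
        e.pending_link = e.pending_ap = None

    def _drop(self, kind, ip, ap):
        self.log.append(("drop", kind, ip, ap))
        return "drop"

    def _delete(self, e):
        del self.entries[e.ip]           # A4/A10: the rule goes away with the entry
        self.log.append(("delete", e.ip))

    def on_dad_ns(self, target_ip, src_link, ap):
        """DAD NS from a non-trusted access point; returns 'forward' or 'drop'."""
        e = self.entries.get(target_ip)
        if e is None:
            if not any(ipaddress.ip_address(target_ip) in n for n in self.prefixes):
                return self._drop("DAD NS", target_ip, ap)      # prefix not legal
            self.entries[target_ip] = Entry(target_ip, src_link, ap, LGLP)  # E1/A1
            self.log.append(("create", target_ip))
            return "forward"
        if e.state == LGLP:              # a second claimant while DAD is still running
            return self._drop("DAD NS", target_ip, ap)
        if e.link != src_link:           # E7/A7: link address (and maybe AP) changed
            e.pending_link, e.pending_ap, e.state = src_link, ap, LNAP
        elif e.ap != ap:                 # E5/A5: same host seen on another access point
            e.pending_ap, e.state = ap, ACPP
        return "forward"

    def on_ns(self, src_ip, src_link, ap):  # non-DAD NS from a non-trusted access point
        e = self.entries.get(src_ip)
        if e is None or (e.link, e.ap) != (src_link, ap):
            return self._drop("NS", src_ip, ap)
        if e.state != LGLP:              # E6/E8/E9: a consistent NS refreshes LGLA
            self._to_lgla(e)
        return "forward"

    def on_na(self, target_ip, target_link, ap, dad_response):  # NA from any access point
        e = self.entries.get(target_ip)
        if e is None:
            return "forward"             # no binding: ordinary ND forwarding (assumed)
        if (e.link, e.ap) == (target_link, ap):   # NA fully consistent with the entry
            if e.state == LGLP:
                return self._drop("NA", target_ip, ap)
            self._to_lgla(e)             # ACPP/LNAP/AGNG -> LGLA; LGLA -> T2 reset
            return "forward"
        # Same IP address, but link address and/or access point differ.
        if dad_response or e.state != LGLP or ap not in self.trusted:
            return self._drop("NA", target_ip, ap)   # treated as counterfeit
        self._delete(e)                  # E10/A10: real conflict reported by a trusted AP
        return "forward"

    def expire(self, ip):  # expiry of the timer belonging to the entry's current state
        e = self.entries.get(ip)
        if e is None:
            return None
        if e.state == AGNG:              # E4/A4: T3 -> entry and rule deleted
            self._delete(e)
            return "deleted"
        if e.state == LGLA:              # E3/A3: T2 -> AGNG, rule kept (item 4)
            e.state = AGNG
            return AGNG
        if e.state == ACPP:              # E6/A6: T4 -> pending access point adopted
            e.ap = e.pending_ap
        elif e.state == LNAP:            # E8/A8: T5 -> pending link address and AP adopted
            e.link, e.ap = e.pending_link, e.pending_ap
        self._to_lgla(e)                 # E2/A2 (T1 in LGLP) and the two cases above
        return LGLA

    def filter_data(self, src_ip, src_link, ap):
        """Item (1): pass only data matching an issued binding; default deny is assumed."""
        e = self.entries.get(src_ip)
        ok = e is not None and e.rule_issued and (e.link, e.ap) == (src_link, ap)
        return "allow" if ok else "deny"
```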
In the embodiment of the invention, the NAS may also record the creation and deletion of address binding entries and the messages that were discarded. The records may be reported to a gateway server or stored in non-volatile memory, to facilitate queries and maintenance by network administrators.
In a concrete implementation of the technical scheme of the invention, an ND message interception module may be provided in the NAS to perform the functions described above of establishing and maintaining the address binding table and of filtering packets according to the address binding table.
When several NAS devices are networked together, all NAS devices in the same VLAN are required to deploy the scheme of the invention; the hosts in that VLAN are then subject to the restrictions of the scheme. In that case each NAS guarantees the authenticity, that is the non-forgeability, of the messages of the hosts attached to it.
Through the technical scheme described above, it is guaranteed that access hosts attaching to the network through the NAS cannot launch arbitrary counterfeit message attacks on the network, which secures the network.
Fig. 5 is a block diagram of the composition of an apparatus for preventing counterfeit message attacks according to the embodiment of the invention. The apparatus shown in Fig. 5 is arranged in a network access control server NAS; a trusted access point is designated on the NAS, and the access points of the NAS other than the trusted access point are non-trusted access points. As shown in Fig. 5, the apparatus comprises an ND message interception module 501, a filtering module 502 and a storage module 503, wherein:
The ND message interception module 501 is configured to establish the address binding table according to duplicate address detection neighbor solicitation DAD NS messages received from non-trusted access points of the NAS, and to maintain the address binding table according to router advertisement RA messages received from the trusted node of the NAS, neighbor solicitation NS messages received from non-trusted access points, and neighbor advertisement NA messages received from the trusted access point and from non-trusted access points;
The storage module 503 is configured to store the address binding table;
The filtering module 502 is configured to filter the data messages received from the non-trusted access points of the NAS according to the address binding table.
In Fig. 5, the ND message interception module 501 is configured to: establish and maintain the legal prefix table according to the prefix content of RA messages received from the trusted access point of the NAS; when a first DAD NS message whose target IP address is a specified IP address is received from a non-trusted access point of the NAS, confirm according to the legal prefix table that the prefix of the target IP address is legal and then establish a prefix-legal address binding table according to the target IP address, source link address and access point of that DAD NS message; after the prefix-legal address binding table is established, delete it if an NA message responding to the first DAD NS is received from another access point of the NAS within a predetermined time, and otherwise change the prefix-legal address binding table into an address-legal address binding table; adjust the lifetime of the address-legal address binding table according to the NS and NA messages received from the non-trusted access points of the NAS, so that it does not age out while its neighbor is online at the corresponding access point; and, when the NAS receives a DAD NS re-sent by an access host after the host has switched its access point or link address, leave the access point and link address in the corresponding address-legal address binding table unchanged if a corresponding NA response is heard within the predetermined time, and otherwise, if no corresponding NA response is heard within the predetermined time, update the access point and link address in the corresponding address-legal address binding table.
In Fig. 5, each entry of the address binding table established by the ND message interception module 501 comprises: Internet Protocol IP address, link address, access point, pending link address, pending access point and entry state; the entry state is one of the prefix-legal LGLP state, the address-legal LGLA state, the aging AGNG state, the access-point-pending ACPP state and the link-address-pending LNAP state; these five states correspond in turn to the timers T1, T2, T3, T4 and T5;
The ND message interception module 501 is configured, when a DAD NS message is received from a non-trusted access point of the NAS, to look up the address binding table by the target IP address and source link address in the DAD NS message and the access point on which the DAD NS message was received. If the address binding table has no entry whose IP address equals the target IP address, the legal prefix table is queried to determine whether the prefix of the target IP address is legal; if it is not legal, the DAD NS message is discarded; if it is legal, the DAD NS message is forwarded, the target IP address, source link address and access point are added as a new entry in the address binding table, and the entry is placed in the LGLP state with timer T1 started; when T1 expires the entry transitions to the LGLA state and timer T2 is started, when T2 expires the entry transitions to the AGNG state and timer T3 is started, and when T3 expires the entry is deleted. If the address binding table already has an entry whose IP address equals the target IP address, it is first judged whether the entry is in the LGLP state; if so, the DAD NS message is discarded; otherwise it is further judged whether the link address is also the same. If the link address differs, the DAD NS message is forwarded, the link address and access point of the DAD NS message are written into the pending link address and pending access point of the entry, and the entry is changed to the LNAP state with timer T5 started; when T5 expires the entry transitions to the LGLA state, the pending link address and pending access point in the entry replace its link address and access point respectively, and the pending link address and pending access point are cleared. If the link address is also the same, it is further judged whether the access point is also the same; if so, the DAD NS message is forwarded; if the access point differs, the access point of the DAD NS message is first written into the pending access point of the entry, the entry is changed to the ACPP state with timer T4 started, and then the DAD NS message is forwarded; when T4 expires the entry transitions to the LGLA state, the pending access point replaces the access point of the entry, and the pending access point is cleared;
The ND message interception module 501 is configured, when an NS message other than a DAD NS message is received from a non-trusted access point of the NAS, to look up the address binding table by the source IP address and source link address of the NS message and the access point on which the NS message was received. If the address binding table has no entry whose IP address, link address and access point match the source IP address, source link address and access point of the NS message, the NS message is discarded; if a matching entry exists and its state is not the LGLP state, the entry is changed to the LGLA state, timer T2 is started, the timer of the entry's previous state is deleted, and the NS message is forwarded;
The ND message interception module 501 is configured, when an NA message is received from an access point of the NAS, to look up the address binding table by the target IP address and target link address announced in the NA message and the access point on which the NA message was received. If the binding table has an entry whose IP address, link address and access point match the announced target IP address, the announced target link address and the access point that received the NA message, the state of the entry is judged: if the entry is in the ACPP or LNAP state, it is changed to the LGLA state, timer T2 is started, the pending link address and pending access point of the entry are cleared, and the NA message is forwarded; if the entry is in the LGLP state, the NA message is discarded; if the entry is in the LGLA state, timer T2 is reset to zero and the NA message is forwarded; if the entry is in the AGNG state, it is changed to the LGLA state, timer T2 is started, and the NA message is forwarded. If the binding table has an entry whose IP address equals the announced target IP address but whose link address and/or access point differ from the announced target link address and/or the access point that received the NA message, it is judged whether the NA message is a response to duplicate address detection: if so, the NA message is discarded; if not, it is judged whether the entry is in the LGLP state; if not, the NA message is discarded; if it is in the LGLP state, it is further judged whether the access point that received the NA message is a trusted access point; if it is a trusted access point, the entry is deleted and the NA message is forwarded; if it is not a trusted access point, the NA message is discarded.
In Fig. 5, the filtering module 502 is configured, when a specified entry of the address binding table transitions from the LGLP state to the LGLA state, to configure a filtering rule on the access point corresponding to the specified entry according to the content of the entry, and to filter the data messages received on that access point according to the configured filtering rule; the filtering rule is that, of the data messages received on the access point corresponding to the specified entry, only those whose source IP address equals the IP address in the entry and/or whose source link address equals the link address in the entry may enter the NAS for subsequent forwarding; the filtering rule further limits the receiving rate and transmission rate of the data messages entering the NAS from the specified source IP address;
The filtering module 502 is configured, when the specified entry is in the AGNG state and timer T3 expires, to delete the filtering rule configured on the access point corresponding to the specified entry;
The filtering module 502 is configured, when the specified entry transitions from the ACPP state or the LNAP state to the LGLA state, to update the filtering rule on the access point corresponding to the specified entry according to the updated content of the entry.
The apparatus shown in Fig. 5 further comprises a record storage module 504; the ND message interception module 501 is configured to record the creation and deletion of address binding entries and the discarded messages, and to save the records in the record storage module 504.
In Fig. 5, a prefix entry established by the ND message interception module 501 from the content of an RA message received from the trusted access point comprises: the prefix, the sending time of the prefix advertisement, and the prefix lifetime; the ND message interception module 501 is configured to delete a prefix entry when its prefix has exceeded the corresponding prefix lifetime.
In Fig. 5, the ND message interception module 501 is further configured to forward directly the NS messages received from the trusted access point, to forward the RS messages received from non-trusted access points to the trusted access point, and to discard the RA messages received from non-trusted access points.
In summary, in the present invention the NAS establishes the address binding table according to duplicate address detection DAD neighbor solicitation NS messages received from non-trusted access points, and maintains the address binding table according to router advertisement RA messages received from the trusted node, neighbor solicitation NS messages received from non-trusted access points, and neighbor advertisement NA messages received from the trusted access point and from non-trusted access points; by filtering the messages received from non-trusted access points according to the address binding table, the NAS can effectively prevent counterfeit message attacks.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included within the scope of protection of the present invention.

Claims (12)

1. A method for preventing counterfeit message attacks, characterized in that the method is applied to a network access control server NAS on which a trusted access point has been designated, the access points of the NAS other than the trusted access point being non-trusted access points, and the method comprises:
the NAS establishing and maintaining a legal prefix table according to the prefix content of RA messages received from the trusted access point;
when the NAS receives from a non-trusted access point a first DAD NS message whose target IP address is a specified IP address, confirming according to the legal prefix table that the prefix of the target IP address is legal and then establishing a prefix-legal address binding table according to the target IP address, source link address and access point of the DAD NS message;
after establishing the prefix-legal address binding table, if the NAS receives from another access point within a predetermined time an NA message responding to the first DAD NS, deleting the prefix-legal address binding table, and otherwise changing the prefix-legal address binding table into an address-legal address binding table;
the NAS adjusting the lifetime of the address-legal address binding table according to the NS messages and NA messages received from non-trusted access points, so that it does not age out while its neighbor is online at the corresponding access point;
the NAS intercepting a DAD NS re-sent by an access host after the host has switched its access point or link address, and, if a corresponding NA response is heard within the predetermined time, not updating the access point and link address in the corresponding address-legal address binding table, or otherwise, if no corresponding NA response is heard within the predetermined time, updating the access point and link address in the corresponding address-legal address binding table;
the NAS filtering the data messages received from non-trusted access points according to the address binding table.
2. The method of claim 1, characterized in that the steps following the NAS establishing and maintaining the legal prefix table according to the prefix content of RA messages received from the trusted access point are implemented by maintaining an address binding table state machine, specifically comprising:
each entry of the address binding table comprises: Internet Protocol IP address, link address, access point, pending link address, pending access point and entry state; the entry state is one of the prefix-legal LGLP state, the address-legal LGLA state, the aging AGNG state, the access-point-pending ACPP state and the link-address-pending LNAP state; these five states correspond in turn to the timers T1, T2, T3, T4 and T5;
when the NAS receives a DAD NS message from a non-trusted access point, it looks up the address binding table by the target IP address and source link address in the DAD NS message and the access point on which the DAD NS message was received; if the address binding table has no entry whose IP address equals the target IP address, the legal prefix table is queried to determine whether the prefix of the target IP address is legal; if it is not legal, the DAD NS message is discarded; if it is legal, the DAD NS message is forwarded, the target IP address, source link address and access point are added as a new entry in the address binding table, and the entry is placed in the LGLP state with timer T1 started; when T1 expires the entry transitions to the LGLA state and timer T2 is started, when T2 expires the entry transitions to the AGNG state and timer T3 is started, and when T3 expires the entry is deleted; if the address binding table already has an entry whose IP address equals the target IP address, it is first judged whether the entry is in the LGLP state; if so, the DAD NS message is discarded; otherwise it is further judged whether the link address is also the same; if the link address differs, the DAD NS message is forwarded, the link address and access point of the DAD NS message are written into the pending link address and pending access point of the entry, and the entry is changed to the LNAP state with timer T5 started; when T5 expires the entry transitions to the LGLA state, the pending link address and pending access point in the entry replace its link address and access point respectively, and the pending link address and pending access point are cleared; if the link address is also the same, it is further judged whether the access point is also the same; if so, the DAD NS message is forwarded; if the access point differs, the access point of the DAD NS message is first written into the pending access point of the entry, the entry is changed to the ACPP state with timer T4 started, and then the DAD NS message is forwarded; when T4 expires the entry transitions to the LGLA state, the pending access point replaces the access point of the entry, and the pending access point is cleared;
when the NAS receives from a non-trusted access point an NS message other than a DAD NS message, it looks up the address binding table by the source IP address and source link address of the NS message and the access point on which the NS message was received; if the address binding table has no entry whose IP address, link address and access point match the source IP address, source link address and access point of the NS message, the NS message is discarded; if a matching entry exists and its state is not the LGLP state, the entry is changed to the LGLA state, timer T2 is started, the timer of the entry's previous state is deleted, and the NS message is forwarded;
when the NAS receives an NA message, it looks up the address binding table by the target IP address and target link address announced in the NA message and the access point on which the NA message was received; if the address binding table has an entry whose IP address, link address and access point match the announced target IP address, the announced target link address and the access point that received the NA message, the state of the entry is judged: if the entry is in the ACPP or LNAP state, it is changed to the LGLA state, timer T2 is started, the pending link address and pending access point of the entry are cleared, and the NA message is forwarded; if the entry is in the LGLP state, the NA message is discarded; if the entry is in the LGLA state, timer T2 is reset to zero and the NA message is forwarded; if the entry is in the AGNG state, it is changed to the LGLA state, timer T2 is started, and the NA message is forwarded; if the address binding table has an entry whose IP address equals the announced target IP address but whose link address and/or access point differ from the announced target link address and/or the access point that received the NA message, it is judged whether the NA message is a response to duplicate address detection: if so, the NA message is discarded; if not, it is judged whether the entry is in the LGLP state; if not, the NA message is discarded; if it is in the LGLP state, it is further judged whether the access point that received the NA message is a trusted access point; if it is a trusted access point, the entry is deleted and the NA message is forwarded; if it is not a trusted access point, the NA message is discarded.
3. The method of claim 2, characterized in that the NAS filtering the data messages received from non-trusted access points according to the address binding table comprises:
when a specified entry in the address binding table transitions from the LGLP state to the LGLA state, the NAS configuring a filtering rule on the access point corresponding to the specified entry according to the content of the entry, and filtering the data messages received on that access point according to the configured filtering rule; the filtering rule being that, of the data messages received on the access point corresponding to the specified entry, only those whose source IP address equals the IP address in the entry and/or whose source link address equals the link address in the entry may enter the NAS for subsequent forwarding; the filtering rule further limiting the receiving rate and transmission rate of the data messages entering the NAS from the specified source IP address;
when the specified entry is in the AGNG state and timer T3 expires, the NAS deleting the specified entry and at the same time deleting the filtering rule configured on the access point corresponding to the specified entry;
when the specified entry transitions from the ACPP state or the LNAP state to the LGLA state, the NAS updating the filtering rule on the access point corresponding to the specified entry according to the updated content of the entry.
4. The method of claim 3, characterized in that the method further comprises:
the NAS recording the creation and deletion of address binding entries and the discarded messages.
5. The method of claim 1, characterized in that the NAS establishing and maintaining the legal prefix table according to the prefix content of RA messages received from the trusted access point comprises:
a prefix entry established by the NAS from the content of an RA message received from the trusted access point comprising: the prefix, the sending time of the prefix advertisement, and the prefix lifetime;
the NAS deleting a prefix entry when its prefix has exceeded the corresponding prefix lifetime.
6. The method of any one of claims 1 to 5, characterized in that the method further comprises:
the NAS forwarding directly the NS messages received from the trusted access point;
the NAS forwarding the RS messages received from non-trusted access points to the trusted access point;
the NAS discarding the RA messages received from non-trusted access points.
7. An apparatus for preventing counterfeit message attacks, characterized in that the apparatus is arranged in a network access control server NAS on which a trusted access point has been designated, the access points of the NAS other than the trusted access point being non-trusted access points, and the apparatus comprises an ND message interception module, a filtering module and a storage module, wherein
the ND message interception module is configured to: establish and maintain a legal prefix table according to the prefix content of RA messages received from the trusted access point of the NAS; when a first DAD NS message whose target IP address is a specified IP address is received from a non-trusted access point of the NAS, confirm according to the legal prefix table that the prefix of the target IP address is legal and then establish a prefix-legal address binding table according to the target IP address, source link address and access point of that DAD NS message; after the prefix-legal address binding table is established, delete it if an NA message responding to the first DAD NS is received from another access point of the NAS within a predetermined time, and otherwise change the prefix-legal address binding table into an address-legal address binding table; adjust the lifetime of the address-legal address binding table according to the NS messages and NA messages received from the non-trusted access points of the NAS, so that it does not age out while its neighbor is online at the corresponding access point; and, when the NAS receives a DAD NS re-sent by an access host after the host has switched its access point or link address, leave the access point and link address in the corresponding address-legal address binding table unchanged if a corresponding NA response is heard within the predetermined time, and otherwise, if no corresponding NA response is heard within the predetermined time, update the access point and link address in the corresponding address-legal address binding table;
the storage module is configured to store the address binding table;
the filtering module is configured to filter the data messages received from the non-trusted access points of the NAS according to the address binding table.
8. The apparatus of claim 7, characterized in that
each entry of the address binding table established by the ND message interception module comprises: Internet Protocol IP address, link address, access point, pending link address, pending access point and entry state; the entry state is one of the prefix-legal LGLP state, the address-legal LGLA state, the aging AGNG state, the access-point-pending ACPP state and the link-address-pending LNAP state; these five states correspond in turn to the timers T1, T2, T3, T4 and T5;
the ND message interception module is configured, when a DAD NS message is received from a non-trusted access point of the NAS, to look up the address binding table by the target IP address and source link address in the DAD NS message and the access point on which the DAD NS message was received; if the address binding table has no entry whose IP address equals the target IP address, the legal prefix table is queried to determine whether the prefix of the target IP address is legal; if it is not legal, the DAD NS message is discarded; if it is legal, the DAD NS message is forwarded, the target IP address, source link address and access point are added as a new entry in the address binding table, and the entry is placed in the LGLP state with timer T1 started; when T1 expires the entry transitions to the LGLA state and timer T2 is started, when T2 expires the entry transitions to the AGNG state and timer T3 is started, and when T3 expires the entry is deleted; if the address binding table already has an entry whose IP address equals the target IP address, it is first judged whether the entry is in the LGLP state; if so, the DAD NS message is discarded; otherwise it is further judged whether the link address is also the same; if the link address differs, the DAD NS message is forwarded, the link address and access point of the DAD NS message are written into the pending link address and pending access point of the entry, and the entry is changed to the LNAP state with timer T5 started; when T5 expires the entry transitions to the LGLA state, the pending link address and pending access point in the entry replace its link address and access point respectively, and the pending link address and pending access point are cleared; if the link address is also the same, it is further judged whether the access point is also the same; if so, the DAD NS message is forwarded; if the access point differs, the access point of the DAD NS message is first written into the pending access point of the entry, the entry is changed to the ACPP state with timer T4 started, and then the DAD NS message is forwarded; when T4 expires the entry transitions to the LGLA state, the pending access point replaces the access point of the entry, and the pending access point is cleared;
the ND message interception module is configured, when an NS message other than a DAD NS message is received from a non-trusted access point of the NAS, to look up the address binding table by the source IP address and source link address of the NS message and the access point on which the NS message was received; if the address binding table has no entry whose IP address, link address and access point match the source IP address, source link address and access point of the NS message, the NS message is discarded; if a matching entry exists and its state is not the LGLP state, the entry is changed to the LGLA state, timer T2 is started, the timer of the entry's previous state is deleted, and the NS message is forwarded;
the ND message interception module is configured, when an NA message is received from an access point of the NAS, to look up the address binding table by the target IP address and target link address announced in the NA message and the access point on which the NA message was received; if the address binding table has an entry whose IP address, link address and access point match the announced target IP address, the announced target link address and the access point that received the NA message, the state of the entry is judged: if the entry is in the ACPP or LNAP state, it is changed to the LGLA state, timer T2 is started, the pending link address and pending access point of the entry are cleared, and the NA message is forwarded; if the entry is in the LGLP state, the NA message is discarded; if the entry is in the LGLA state, timer T2 is reset to zero and the NA message is forwarded; if the entry is in the AGNG state, it is changed to the LGLA state, timer T2 is started, and the NA message is forwarded; if the address binding table has an entry whose IP address equals the announced target IP address but whose link address and/or access point differ from the announced target link address and/or the access point that received the NA message, it is judged whether the NA message is a response to duplicate address detection: if so, the NA message is discarded; if not, it is judged whether the entry is in the LGLP state; if not, the NA message is discarded; if it is in the LGLP state, it is further judged whether the access point that received the NA message is a trusted access point; if it is a trusted access point, the entry is deleted and the NA message is forwarded; if not
trusting access point.
9. The device of claim 8, wherein
the filtering module is configured, when a given entry of the address binding table transitions from the LGLP state to the LGLA state, to configure a filtering rule on the access point corresponding to that entry according to the content of the entry, and to filter the data messages received on that access point according to the configured filtering rule; the filtering rule comprises: of the data messages received on the access point corresponding to the entry, only those whose source IP address is identical to the IP address in the entry and/or whose source link-layer address is identical to the link-layer address in the entry may enter the NAS for subsequent forwarding; the filtering rule further comprises: limiting the receive rate and the transmit rate of the data messages of the given source IP address that enter the NAS;
the filtering module is configured, when the given entry is in the AGNG state and timer T3 expires, to delete the filtering rule configured on the access point corresponding to the entry;
the filtering module is configured, when the given entry transitions from the ACPP state or the LNAP state to the LGLA state, to update the filtering rule on the access point corresponding to the entry according to the updated content of the entry.
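The three filtering-module behaviours of claim 9 (install the rule when an entry goes LGLP to LGLA, update it when the entry goes ACPP or LNAP to LGLA, delete it when T3 expires in AGNG) and the rule itself, as an added example in Python that is not the patent's or H3C's code. Binding entries are constructed inline; each data packet is checked by its receiving access point, source IP address and source link-layer address, and the per-source rate limit is a token bucket with an assumed RATE_PPS, applied to the receive direction only (the claim also limits the transmit rate). A port on which no rule is installed drops everything here, which the claim does not specify.

```python
from collections import namedtuple

# A binding entry as the filtering module sees it once it is in LGLA (constructed).
Binding = namedtuple("Binding", "ip mac port")
# Per-source-IP limit in packets per tick; value and unit are assumptions.
RATE_PPS = 100


class PortFilter:
    """Data-plane rules of claim 9: one rule per (access point, bound IP)."""

    def __init__(self, check_mac=True):
        self.check_mac = check_mac   # claim 9 allows IP only, or IP and link address
        self.rules = {}              # port -> {ip: mac}
        self.buckets = {}            # src_ip -> (tokens, last_tick)

    def install(self, b):
        # entry went LGLP -> LGLA: configure the rule on its access point
        self.rules.setdefault(b.port, {})[b.ip] = b.mac

    def update(self, old_port, b):
        # entry went ACPP/LNAP -> LGLA: the rule follows the updated entry
        self.rules.get(old_port, {}).pop(b.ip, None)
        self.install(b)

    def remove(self, b):
        # entry in AGNG and T3 expired: binding and rule go away together
        self.rules.get(b.port, {}).pop(b.ip, None)

    def _within_rate(self, src_ip, now):
        # token bucket refilled at RATE_PPS per tick with a burst of RATE_PPS
        tokens, last = self.buckets.get(src_ip, (RATE_PPS, now))
        tokens = min(RATE_PPS, tokens + (now - last) * RATE_PPS)
        allowed = tokens >= 1
        self.buckets[src_ip] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def permit(self, port, src_ip, src_mac, now):
        """True if a data packet received on `port` may enter the NAS."""
        bound_mac = self.rules.get(port, {}).get(src_ip)
        if bound_mac is None:
            return False   # source IP not bound on this port (unbound port: assumed drop)
        if self.check_mac and bound_mac != src_mac:
            return False   # bound IP used with another link-layer address on the same port
        return self._within_rate(src_ip, now)
```

With check_mac left on, a host that spoofs a neighbour's IP from its own port is dropped by the first test, and a host that also spoofs the neighbour's MAC is still confined to the port the binding was learned on; the rate limit then bounds what a correctly bound source can push into the NAS.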
10. The device of claim 9, further comprising a record storage module;
the ND message snooping module is configured to record the creation and deletion of address binding table entries and the discarded messages, and to save the records in the record storage module.
11. The device of claim 7, wherein
each prefix entry established by the ND message snooping module from the content of an RA message received on a trusted access point comprises: the prefix, the time at which the prefix advertisement was sent, and the prefix lifetime;
the ND message snooping module is configured to delete a prefix entry when the prefix of that entry has exceeded its prefix lifetime.
12. The device of any one of claims 7 to 11, wherein
the ND message snooping module is further configured to forward directly NS messages received on a trusted access point, to forward RS messages received on a non-trusted access point to the trusted access point, and to discard RA messages received on a non-trusted access point.
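The binding-table state machine of claim 8, the prefix table of claim 11 and the trust-based forwarding rules of claim 12, as one added example in Python that is not the patent's or H3C's code. Messages are reduced to the fields the claims act on; timers T1 to T5 are a monotonic tick supplied by the caller, with assumed lengths; each handler returns True when the message is forwarded and False when it is dropped. Two practitioner caveats the claims do not spell out: a DAD NS has the unspecified source address and, per RFC 4861, carries no Source Link-Layer Address option, so the link-layer address bound here must be the frame's source MAC; and the caller has to classify an NA as a DAD reply (an NA answering DAD is sent to ff02::1 with the Solicited flag clear, per RFC 4862), which the code takes as a flag. The claims also say nothing about an NA for an address with no entry at all; this example forwards it only from a trusted port, an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Entry states of claim 8; each one runs a single timer, T1..T5 in this order.
LGLP, LGLA, AGNG, ACPP, LNAP = "LGLP", "LGLA", "AGNG", "ACPP", "LNAP"
# Timer lengths in ticks: assumed values, the claims leave T1..T5 configurable.
TIMERS = {LGLP: 1, LGLA: 300, AGNG: 30, ACPP: 2, LNAP: 2}

@dataclass
class Entry:
    ip: str
    mac: str                # link-layer address (from the frame's source MAC)
    port: str               # access point
    state: str
    expires: int            # tick at which the running timer fires
    pending_mac: str = ""   # link-layer address to be adopted (LNAP)
    pending_port: str = ""  # access point to be adopted (ACPP, LNAP)

class NDSnooper:
    """Binding table, legal prefix table and timers of the NAS (claims 8, 11, 12)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.binding = {}   # ip -> Entry
        self.prefixes = {}  # ip_network -> (advertised_at, lifetime)

    def on_ra(self, port, prefix, lifetime, now):
        if port not in self.trusted:
            return False    # claim 12: an RA from a non-trusted port is dropped
        self.prefixes[ipaddress.ip_network(prefix)] = (now, lifetime)
        return True

    def prefix_legal(self, ip, now):
        # claim 11: a prefix entry is deleted once its lifetime has elapsed
        self.prefixes = {p: v for p, v in self.prefixes.items() if now - v[0] <= v[1]}
        return any(ipaddress.ip_address(ip) in p for p in self.prefixes)

    def _set(self, e, state, now):
        e.state, e.expires = state, now + TIMERS[state]

    def tick(self, now):
        # T1: LGLP->LGLA, T2: LGLA->AGNG, T3: delete, T4/T5: adopt the pending values
        for ip, e in list(self.binding.items()):
            if now < e.expires:
                continue
            if e.state == LGLP:
                self._set(e, LGLA, now)
            elif e.state == LGLA:
                self._set(e, AGNG, now)
            elif e.state == AGNG:
                del self.binding[ip]
            else:               # ACPP or LNAP, and the old owner never objected
                if e.state == LNAP:
                    e.mac = e.pending_mac
                e.port = e.pending_port
                e.pending_mac = e.pending_port = ""
                self._set(e, LGLA, now)

    def on_dad_ns(self, port, target_ip, src_mac, now):
        if port in self.trusted:
            return True     # claim 12: an NS from a trusted port is forwarded as is
        e = self.binding.get(target_ip)
        if e is None:
            if not self.prefix_legal(target_ip, now):
                return False
            self.binding[target_ip] = Entry(target_ip, src_mac, port, LGLP, now + TIMERS[LGLP])
            return True
        if e.state == LGLP:
            return False    # someone else is still claiming this address
        if e.mac != src_mac:        # another host wants the bound address
            e.pending_mac, e.pending_port = src_mac, port
            self._set(e, LNAP, now)
        elif e.port != port:        # same host, now seen on another port
            e.pending_port = port
            self._set(e, ACPP, now)
        return True

    def on_ns(self, port, src_ip, src_mac, now):
        if port in self.trusted:
            return True
        e = self.binding.get(src_ip)
        if e is None or (e.mac, e.port) != (src_mac, port):
            return False    # no matching binding: spoofed source
        if e.state != LGLP:         # LGLP: forwarded untouched (the claim is silent)
            self._set(e, LGLA, now)   # restart T2, cancelling the previous timer
        return True

    def on_na(self, port, target_ip, target_mac, is_dad_reply, now):
        # is_dad_reply: the caller flags an NA sent to ff02::1 with S=0 (RFC 4862 DAD answer)
        e = self.binding.get(target_ip)
        if e is None:
            return port in self.trusted   # not covered by the claims: assumed policy
        if (e.mac, e.port) == (target_mac, port):
            if e.state == LGLP:
                return False
            if e.state in (ACPP, LNAP):   # the owner objected: keep the old binding
                e.pending_mac = e.pending_port = ""
            self._set(e, LGLA, now)       # LGLA: T2 reset; AGNG: back to LGLA
            return True
        # same IP but another link-layer address and/or port
        if is_dad_reply or e.state != LGLP or port not in self.trusted:
            return False
        del self.binding[target_ip]       # a trusted node owns it: drop the tentative entry
        return True
```

The ACPP and LNAP states are the interesting part of the design: a second claimant does not take over a bound address immediately, it is parked in the to-be-adopted fields for T4 or T5, and an NA from the current owner on the bound port cancels the takeover. Only if the owner stays silent does the pending port (or MAC and port) become the binding, which is what lets a host move between access points without an operator intervening while still denying a quick spoof.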
CN2009100841311A 2009-05-20 2009-05-20 Method and apparatus for preventing counterfeit message attack Active CN101552783B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100841311A CN101552783B (en) 2009-05-20 2009-05-20 Method and apparatus for preventing counterfeit message attack

Publications (2)

Publication Number Publication Date
CN101552783A CN101552783A (en) 2009-10-07
CN101552783B true CN101552783B (en) 2012-07-04

Family

ID=41156774

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100841311A Active CN101552783B (en) 2009-05-20 2009-05-20 Method and apparatus for preventing counterfeit message attack

Country Status (1)

Country Link
CN (1) CN101552783B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101692674B (en) 2009-10-30 2012-10-17 Hangzhou H3C Technologies Co., Ltd. Method and equipment for dual-stack access
CN102137073B (en) * 2010-01-22 2013-12-25 Hangzhou H3C Technologies Co., Ltd. Method and access equipment for preventing Internet Protocol (IP) address spoofing attacks
CN102130905B (en) * 2011-01-27 2015-09-16 ZTE Corporation Method and device for improving the security of neighbor discovery snooping
CN103024862A (en) * 2011-09-23 2013-04-03 Huawei Technologies Co., Ltd. Method, system and equipment for updating a network address
CN102546431A (en) * 2012-02-08 2012-07-04 Digital China Networks (Beijing) Ltd. Secure access method, system and device for router advertisements
CN105939209B (en) * 2015-12-30 2019-08-06 Hangzhou DPtech Technologies Co., Ltd. Method and device for processing neighbor entries
CN107547510B (en) * 2017-07-04 2020-03-06 New H3C Technologies Co., Ltd. Method and device for processing neighbor discovery protocol security entries
CN108848087B (en) * 2018-06-06 2020-11-27 Jiyang College of Zhejiang A&F University Method for suppressing malicious NA messages in the DAD process, suitable for the SEND protocol
CN111431913B (en) * 2020-03-30 2022-06-21 PLA Strategic Support Force Information Engineering University Method and device for detecting the presence of a router advertisement protection mechanism
CN111416887B (en) * 2020-03-31 2021-07-16 Tsinghua University Address detection method, device, switch and storage medium
CN112769694B (en) * 2021-02-02 2022-05-27 New H3C Security Technologies Co., Ltd. Address checking method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859304A (en) * 2006-02-13 2006-11-08 华为技术有限公司 Method for realizing neighbour discovery
US7360245B1 (en) * 2001-07-18 2008-04-15 Novell, Inc. Method and system for filtering spoofed packets in a network
CN101222513A (en) * 2008-01-28 2008-07-16 杭州华三通信技术有限公司 Method and network appliance for preventing repeated address detection attack
CN101415002A (en) * 2008-11-11 2009-04-22 华为技术有限公司 Method for preventing message aggression, data communication equipment and communication system

Similar Documents

Publication Publication Date Title
CN101552783B (en) Method and apparatus for preventing counterfeit message attack
CN101577675B (en) Method and device for protecting neighbor table in IPv6 network
US20100313265A1 (en) Method and Apparatus for Preventing Spoofed Packet Attacks
JP4664143B2 (en) Packet transfer apparatus, communication network, and packet transfer method
KR100886433B1 (en) IPv6 Support Method for Bridge Extension Using Wireless Communications System
CN100583904C (en) Automatic configuration method for host address in IPV6 network
KR100908320B1 (en) Method for protecting and searching host in internet protocol version 6 network
CN101582888B (en) Method for creating neighbor discovery table item and server
WO2009138034A1 (en) Method and apparatus for internet protocol version six (ipv6) addressing and packet filtering in broadband networks
Oliveira et al. Denial of service mitigation approach for IPv6‐enabled smart object networks
CN101321102A (en) Detection method and access equipment of DHCP server
CN102137024A (en) Message processing method, exit routing device and border routing device
CN101459653B (en) Method for preventing DHCP packet attack based on Snooping technique
CN101610254B (en) Multicast user permission control method, multicast authentication server and access device
CN102546428A (en) System and method for internet protocol version 6 (IPv6) message switching based on dynamic host configuration protocol for IPv6 (DHCPv6) interception
JP5241957B2 (en) Method and apparatus for connecting a subscriber unit to an aggregation network supporting IPv6
Park et al. Multicast delivery based on unicast and subnet multicast
US6917977B2 (en) Method and system of automatic allocation of unique subnet identifier to a subnet in the network having multiple subnets and a plurality of associated routers and router interfaces
CN101494536B (en) Method, apparatus and system for preventing ARP aggression
Wang et al. A secure IPv6 address configuration scheme for a MANET
CN102571592B (en) There is three-layer switching equipment and the data message forwarding method of port binding function
CN101572675B (en) Method for finding operating VRRP network equipment in directly connected network segment and device thereof
WO2012114684A1 (en) Router device, packet control method based on prefix management, and program
CN112291378B (en) Address management device and address management method
WO2023222028A1 (en) Network programming technology processing method and system, and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 466 Changhe Road, Binjiang District, Hangzhou, Zhejiang 310052, China

Patentee after: New H3C Technologies Co., Ltd.

Address before: Huawei Hangzhou Production Base, No. 310 Liuhe Road, Science and Technology Industrial Park, Hangzhou Hi-Tech Industrial Development Zone, Zhejiang 310053, China

Patentee before: Hangzhou H3C Technologies Co., Ltd.

CP03 Change of name, title or address