CN101552783A - Method and apparatus for preventing counterfeit message attack

Info
Publication number: CN101552783A
Application number: CNA2009100841311A (CN200910084131A)
Authority: CN (China)
Prior art keywords: message, address, access point, list item, state
Legal status: Granted, Active (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN101552783B (granted publication)
Inventor: 林涛
Current assignee: New H3C Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd; priority to CN2009100841311A; published as CN101552783A and granted as CN101552783B.

Abstract

The invention discloses a method of preventing counterfeit (spoofed) message attacks. A network access server (NAS) establishes an address binding table from the duplicate address detection neighbor solicitation (DAD NS) messages it receives from non-trusted nodes, and maintains the table using router advertisement (RA) messages received from trusted nodes, neighbor solicitation (NS) messages received from non-trusted nodes, and neighbor advertisement (NA) messages received from both trusted and non-trusted nodes. The NAS then filters the data packets received from non-trusted nodes against the address binding table. The invention also discloses an apparatus for preventing counterfeit message attacks. The scheme effectively prevents attacks that use counterfeit Neighbor Discovery (ND) messages.

Description

Method and apparatus for preventing counterfeit message attacks
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and apparatus for preventing counterfeit message attacks.
Background technology
Internet Protocol version 6 (IPv6) is the next-generation IP protocol designed by the Internet Engineering Task Force (IETF) to replace the current version of IP (IPv4).
The Neighbor Discovery (ND) protocol is a fundamental component of IPv6. ND uses five types of Internet Control Message Protocol version 6 (ICMPv6) messages to implement address resolution, neighbor reachability verification, duplicate address detection, router discovery/prefix discovery, stateless address autoconfiguration and redirection. The five ICMPv6 message types used by ND and their roles are listed in Table 1.
Table 1 (image in the original; it lists the five ND message types, which from the description below are router solicitation RS, router advertisement RA, neighbor solicitation NS, neighbor advertisement NA and redirect)
The functions implemented by the five ICMPv6 message types of the ND protocol are introduced briefly below.
1. Address resolution
Address resolution obtains the link-layer address of a neighbor node on the same link, and is implemented with the neighbor solicitation (NS) and neighbor advertisement (NA) messages.
Fig. 1 is a schematic diagram of the address resolution procedure in the prior art. As shown in Fig. 1, when node A needs the link-layer address of node B, node A sends an NS message by multicast: the source address is node A's interface IPv6 address, the destination address is the solicited-node multicast address of node B, and the message body carries node A's link-layer address. When node B receives the NS, it checks whether the destination address is the solicited-node multicast address corresponding to its own IPv6 address; if so, node B learns node A's link-layer address and returns an NA message to node A by unicast, carrying node B's link-layer address. Node A receives the NA and obtains node B's link-layer address from it.
2. Neighbor reachability verification
After obtaining the link-layer address of a neighbor, a node can verify that the neighbor is reachable with NS and NA messages. Specifically, the node sends an NS message whose destination address is the neighbor's IPv6 address; if it receives an NA in confirmation from the neighbor, the neighbor is considered reachable, otherwise it is considered unreachable.
3. Duplicate address detection (DAD)
After a node obtains an IPv6 address, it must use duplicate address detection to determine whether the address is already in use by another node.
Fig. 2 is a schematic diagram of the duplicate address detection procedure in the prior art. As shown in Fig. 2, node A sends an NS message whose source address is the unspecified address (written "::") and whose destination address is the solicited-node multicast address corresponding to the address under test; the message body carries the IPv6 address under test. If node B is already using that address, it returns an NA message carrying its own IPv6 address. On receiving node B's NA, node A knows the address is in use; otherwise the address is not in use and node A may use it.
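The DAD probe described above, built and classified in Python as an added example (this is not code from the patent or from H3C): it derives the solicited-node multicast group from the target address, builds the ICMPv6 Neighbor Solicitation with a correct checksum over the IPv6 pseudo-header, and recognises a DAD NS by the three properties a NAS-side snooper would key on: unspecified source, solicited-node destination of the target, and no Source Link-Layer Address option (RFC 4861 forbids that option when the source is unspecified). The addresses and MAC are constructed sample values.

```python
import ipaddress
import struct
from typing import Optional, Tuple

ICMPV6_NEXT_HEADER = 58
ND_NEIGHBOR_SOLICIT = 135
OPT_SOURCE_LINK_LAYER = 1


def solicited_node_multicast(addr: str) -> str:
    """ff02::1:ffXX:XXXX for addr (RFC 4291): the low-order 24 bits of the
    unicast address appended to the ff02::1:ff00:0/104 group."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def icmpv6_checksum(src: str, dst: str, payload: bytes) -> int:
    """Internet checksum over the IPv6 pseudo-header (RFC 8200 section 8.1) plus the ICMPv6 message.
    Over a message that already carries a correct checksum the result is 0."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(payload)) + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_neighbor_solicitation(src: str, target: str, src_mac: Optional[str] = None) -> Tuple[str, bytes]:
    """ICMPv6 Neighbor Solicitation (RFC 4861 section 4.3). Returns (destination address, message bytes).
    A DAD probe is built with src '::' and no Source Link-Layer Address option."""
    dst = solicited_node_multicast(target)
    body = struct.pack("!BBH", ND_NEIGHBOR_SOLICIT, 0, 0)     # type, code, checksum placeholder
    body += b"\x00" * 4                                        # reserved
    body += ipaddress.IPv6Address(target).packed               # target address under test
    if src_mac is not None:                                    # SLLA option: type 1, length 1 (8 octets)
        body += bytes([OPT_SOURCE_LINK_LAYER, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    csum = icmpv6_checksum(src, dst, body)
    return dst, body[:2] + struct.pack("!H", csum) + body[4:]


def parse_neighbor_solicitation(msg: bytes) -> dict:
    """Decode type, code, target address and whether an SLLA option is present."""
    target = str(ipaddress.IPv6Address(msg[8:24]))
    has_slla, off = False, 24
    while off + 8 <= len(msg):
        opt_type, opt_len = msg[off], msg[off + 1]
        if opt_len == 0:                                       # malformed option, stop parsing
            break
        if opt_type == OPT_SOURCE_LINK_LAYER:
            has_slla = True
        off += opt_len * 8
    return {"type": msg[0], "code": msg[1], "target": target, "has_slla": has_slla}


def is_dad_ns(src: str, dst: str, msg: bytes) -> bool:
    """Classify a received NS as a DAD probe (RFC 4861 section 4.3, RFC 4862 section 5.4.2):
    valid checksum, unspecified source, destination equal to the target's solicited-node group, no SLLA."""
    if len(msg) < 24 or msg[0] != ND_NEIGHBOR_SOLICIT or icmpv6_checksum(src, dst, msg) != 0:
        return False
    p = parse_neighbor_solicitation(msg)
    return (ipaddress.IPv6Address(src) == ipaddress.IPv6Address("::")
            and ipaddress.IPv6Address(dst) == ipaddress.IPv6Address(solicited_node_multicast(p["target"]))
            and not p["has_slla"])
```

The checksum check matters for a snooper: an attacker who can inject on the segment can also inject garbage, and binding state should only be created from well-formed probes.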
4. Router discovery/prefix discovery and stateless address autoconfiguration
Router discovery/prefix discovery means that a node learns the neighboring routers, the prefix of the network it is attached to, and other configuration parameters from the RA messages it receives.
Stateless address autoconfiguration means that a node configures an IPv6 address automatically from the information obtained through router discovery/prefix discovery.
Router discovery/prefix discovery is implemented with RS and RA messages, as follows: (1) when a node starts, it sends an RS message to request the prefix and other configuration information from routers; (2) a router returns an RA message carrying the prefix information option (note that routers also send RA messages periodically, not only in response to an RS); (3) the node uses the address prefix and other configuration parameters in the RA to configure the IPv6 address and other parameters of its interface automatically. When an IPv6 address is generated by autoconfiguration, the node must first run duplicate address detection once to avoid conflicts with other devices or hosts on the existing network; only after no duplicate is detected does the address take effect.
Besides the address prefix, the prefix information option carries the preferred lifetime and the valid lifetime of the prefix. When a node receives the RA messages a router sends periodically, it refreshes the preferred and valid lifetimes of the prefix accordingly. Within the valid lifetime the autoconfigured address can be used normally; once the valid lifetime expires, the generated address is deleted automatically.
5. Redirection
When a host starts, its routing table may contain only a default route to the default gateway. Under certain conditions the default gateway sends an ICMPv6 redirect message to the source host, telling the host to select a better next hop for subsequent packets. A device sends an ICMPv6 redirect to a host when all of the following conditions are met:
(1) the interface on which the data packet is received is the same as the interface on which it is forwarded;
(2) the selected route was not itself created or modified by an ICMPv6 redirect message;
(3) the selected route is not a default route;
(4) the forwarded IPv6 data packet does not contain a routing extension header.
The above are the functions implemented by the five ICMPv6 message types of the ND protocol.
In the prior art, however, ND protocol messages are all transmitted in the clear, so the following counterfeit-message attacks on the ND protocol may exist on a link:
(1) Forged router: an attached node sends router advertisement (RA) messages so that the other nodes on the network treat it as a router.
(2) Forged host messages: after joining the network, an attached node forges and sends messages with IP addresses that are not its own, both data packets and control messages (for example, NA messages replying to NS), thereby impersonating other hosts and devices or disrupting the neighbor discovery of other hosts and devices.
Against the above counterfeit-message attacks, the prior art uses static address allocation and the SEND (Secure Neighbor Discovery) scheme. In static address allocation, an IPv6 address is allocated in advance on the access switch for every possible attached node and bound to its link address and access point, where the access point is the link-layer attachment point, for example an Ethernet port. SEND applies cryptographic authentication to ND messages to secure the ND exchanges, and requires both routers and hosts to support it.
Static address allocation, however, carries a high management cost in large IPv6 deployments, while SEND requires existing devices and hosts to upgrade their IPv6 protocol stacks to support the cryptographic authentication; few systems support it at present, so it is hard to deploy.
A new scheme for preventing counterfeit message attacks is therefore needed.
Summary of the invention
The invention provides a method for preventing counterfeit message attacks that can effectively prevent such attacks.
The invention also provides an apparatus for preventing counterfeit message attacks that can effectively prevent such attacks.
To achieve the above objects, the technical scheme of the invention is as follows.
The invention discloses a method for preventing counterfeit message attacks. The method is applied on a network access server (NAS) on which trusted access points are designated; every other access point on the NAS is a non-trusted access point. The method comprises:
the NAS establishes an address binding table from the duplicate address detection neighbor solicitation (DAD NS) messages received from non-trusted access points, and maintains the address binding table using the router advertisement (RA) messages received from trusted nodes, the neighbor solicitation (NS) messages received from non-trusted access points, and the neighbor advertisement (NA) messages received from both trusted and non-trusted access points;
the NAS filters the data packets received from non-trusted access points against the address binding table.
The invention also discloses an apparatus for preventing counterfeit message attacks. The apparatus is arranged in a network access server (NAS) on which trusted access points are designated; every other access point on the NAS is a non-trusted access point. The apparatus comprises an ND message snooping module, a filtering module and a storage module, wherein:
the ND message snooping module establishes an address binding table from the DAD NS messages received on the non-trusted access points of the NAS, and maintains it using the RA messages received from trusted nodes of the NAS, the NS messages received from non-trusted access points, and the NA messages received from trusted and non-trusted access points;
the storage module stores the address binding table;
the filtering module filters the data packets received on the non-trusted access points of the NAS against the address binding table.
As can be seen from the above technical scheme, the NAS of the invention establishes the address binding table from the DAD NS messages received from non-trusted access points, maintains it using the RA messages from trusted nodes, the NS messages from non-trusted access points and the NA messages from trusted and non-trusted access points, and filters the data packets received from non-trusted access points against the table; this effectively prevents counterfeit message attacks.
Description of drawings
Fig. 1 is a schematic diagram of the address resolution procedure in the prior art;
Fig. 2 is a schematic diagram of the duplicate address detection procedure in the prior art;
Fig. 3 is a flow chart of a method for preventing counterfeit message attacks according to an embodiment of the invention;
Fig. 4 is a state transition diagram of an address binding table entry in an embodiment of the invention;
Fig. 5 is a block diagram of an apparatus for preventing counterfeit message attacks according to an embodiment of the invention.
Detailed description
Fig. 3 is a flow chart of a method for preventing counterfeit message attacks according to an embodiment of the invention. As shown in Fig. 3, the method comprises:
Step 301: trusted access points are designated on the network access server (NAS); every other access point on the NAS is a non-trusted access point.
In this step the NAS (Network Access Server) may be any device that provides access control, such as an access-layer switch or router. Trusted access points are designated according to the actual network layout; for example, when the NAS is an access-layer switch or router in an IPv6 network, the trusted access point may be the VLAN interface on which the device has an IPv6 address configured.
Step 302: the NAS establishes the address binding table from the DAD NS messages received from non-trusted access points, and maintains it using the RA messages received from trusted nodes, the NS messages received from non-trusted access points, and the NA messages received from trusted and non-trusted access points.
In the prior art (as required by RFC 4862), whether an IPv6 address is obtained by stateless autoconfiguration, DHCPv6 or manual configuration, a host must run DAD on the address after configuring it: it first sends a DAD NS message and waits until the address under test becomes a valid, usable address before it may send any other messages. The invention therefore generates the corresponding address binding table by snooping DAD NS messages.
In the prior art, every attached node (such as a host) configures its own IP address normally, and once configured may only send messages using that configured IP address as the source. Every attached node also maintains its own neighbor entries and sends ND messages on a schedule according to the ND state machine (RFC 4861). The invention therefore maintains the address binding entries by snooping the relevant ND messages, and thereby guarantees the legitimacy of each attached node.
Step 303: the NAS filters the data packets received from non-trusted access points against the address binding table.
In an existing IPv6 network, ND messages are sent before IPv6 data packets are forwarded, to run duplicate detection on the node's own address, resolve neighbors' addresses, and so on. The scheme of the invention achieves its object precisely by snooping ND messages and exploiting these characteristics. To make the objects, technical scheme and advantages of the invention clearer, the invention is described in more detail below with reference to the drawings.
The address binding table of the embodiment is shown in Table 2:
IP address   Link address   Access point   Pending link address   Pending access point   Entry state
IP1          LA1            ACP1           P-LA1                  P-ACP1                 INIT
IP2          LA2            ACP2           P-LA2                  P-ACP2                 LGLA
...          ...            ...            ...                    ...                    ...
Table 2
As shown in Table 2, each entry of the address binding table contains: the IP address, the link address, the access point, the pending link address, the pending access point and the entry state. The link address is the link-layer protocol address, for example the MAC address in Ethernet; the access point is the link-layer attachment point, for example an Ethernet port. At any time the entry state is one of five states: Legal Prefix (LGLP), Legal Address (LGLA), Aging (AGNG), Access Point Pending (ACPP) and Link Address Pending (LNAP). The LGLP, LGLA, AGNG, ACPP and LNAP states correspond to timers T1, T2, T3, T4 and T5 respectively.
Two duration variables A and B may be preset in the embodiment, with T1, T2, T3, T4 and T5 assigned the values A, B, A, A and A respectively. By default A equals RETRANS_TIMER of RFC 4861, namely 1000 milliseconds, and B equals DELAY_FIRST_PROBE_TIME + RETRANS_TIMER of RFC 4861 (5 seconds + 1 second). A and B may of course be adjusted to actual needs.
In step 302 above, the NAS establishes and maintains the address binding table as follows. The NAS establishes and maintains a legal prefix table from the prefix contents of the RA messages received on trusted access points. When the NAS receives, from a non-trusted access point, the first DAD NS message whose target IP address is a given address, it checks against the legal prefix table that the prefix of the target address is legal, then creates a prefix-legal address binding entry from the target IP address, the source link address and the receiving access point of that DAD NS. After the prefix-legal entry is created, if within a predetermined time the NAS receives an NA answering that first DAD NS from another access point, it deletes the prefix-legal entry; otherwise the prefix-legal entry becomes an address-legal entry. The NAS refreshes the lifetime of an address-legal entry according to the NS and NA messages received from the non-trusted access point, so that the entry does not age out while the neighbor at that access point is online. The NAS also snoops the DAD NS that an attached host resends after changing access point or link address: if the corresponding NA reply is heard within the predetermined time, the access point and link-layer address in the address-legal entry are not updated; otherwise they are updated.
The above procedure for establishing and maintaining the binding table is described in detail below; it comprises the following two processes.
1. Generation of the legal prefix table
(1) The NAS establishes and maintains the legal prefix table from the RA messages snooped on trusted access points; RA messages received on any non-trusted access point are dropped without exception.
Because the invention trusts all ND messages arriving from trusted access points, the prefixes announced by RAs heard on trusted access points are legal prefixes.
The legal prefix table that the NAS establishes from the prefix contents announced in RAs is shown in Table 3:
Legal prefix   Time the prefix advertisement was sent   Prefix lifetime
Prefix 1       T11                                      T12
Prefix 2       T21                                      T22
...            ...                                      ...
Table 3
As shown in Table 3, each entry of the legal prefix table contains the prefix, the time at which the prefix advertisement was sent, and the prefix lifetime.
When a prefix entry exceeds its lifetime, the NAS deletes the entry. The link-local prefix (FE80::/10) is a legal prefix by default: it is present in the legal prefix table permanently, with an infinite lifetime.
(2) The NAS forwards the RS messages received from non-trusted access points to the trusted access points.
In one embodiment of the invention, what is connected to the trusted access point is a router, so RS messages can be forwarded to the trusted access point, that is, to the router.
2. Generation and maintenance of the address binding table
(1) The NAS snoops the DAD NS messages (ND messages whose source address is the unspecified IPv6 address and whose destination address is a solicited-node multicast address) on non-trusted access points to generate and refresh the address binding table. It looks up the address binding table with the target IP address of the DAD NS (the address undergoing duplicate address detection), the source link address, and the non-trusted access point on which the DAD NS was received, and proceeds according to the result:
■ If the address binding table has no entry whose IP address equals the target IP address of the DAD NS, the NAS looks up the legal prefix table to check whether the prefix of the target address is legal. If it is not legal, the DAD NS is dropped. If it is legal, the DAD NS is forwarded, and the target IP address, source link address and access point of the DAD NS are written to the IP address, link address and access point fields of a new entry in the address binding table; the entry is put in the LGLP state and timer T1 is started. When T1 expires the entry moves to the LGLA state and timer T2 is started; when T2 expires the entry moves to the AGNG state and timer T3 is started; when T3 expires the entry is deleted from the address binding table.
■ If the address binding table has an entry whose IP address equals the target IP address, the NAS first checks whether the entry is in the LGLP state; if so, the DAD NS is dropped; otherwise it goes on to check whether the link address matches.
  □ If the link address differs, the DAD NS is forwarded, and the link address and access point of the DAD NS are written to the pending link address and pending access point fields of the entry; the entry is put in the LNAP state and timer T5 is started. When T5 expires the entry moves to the LGLA state, the pending link address and pending access point replace the link address and access point of the entry, and the pending fields are cleared.
  □ If the link address is the same, the NAS further checks whether the access point is the same. If it is, the DAD NS is forwarded. If it is not, the access point of the DAD NS is first written to the pending access point field of the entry, the entry is put in the ACPP state and timer T4 is started, and the DAD NS is then forwarded. When T4 expires the entry moves to the LGLA state, the pending access point replaces the access point of the entry, and the pending access point field is cleared.
(2) The NAS forwards NS messages arriving on trusted access points directly; NS messages arriving on trusted access points play no part in establishing or maintaining the address binding table.
(3) When the NAS receives, on a non-trusted access point, an NS message other than a DAD NS, it looks up the address binding table with the source IP address and source link address of the NS and the access point on which it was received:
■ If the table has no entry whose IP address, link address and access point match the source IP address, source link address and access point of the NS, the NS is dropped.
■ If the table has such an entry and its state is not LGLP (that is, the state is LGLA, AGNG, ACPP or LNAP), the entry is put in the LGLA state and timer T2 is started, the timer of the previous state is cancelled, and the NS is forwarded; if the previous state was ACPP or LNAP, the pending columns of the entry (pending link address and pending access point) are also cleared.
(4) When the NAS receives an NA message on any access point (trusted or non-trusted), it looks up the address binding table with the target IP address and target link address announced in the NA and the access point on which the NA was received:
■ If the table has an entry whose IP address, link address and access point match the announced target IP address, the announced target link address and the receiving access point, the NAS acts on the entry state:
  □ if the entry is in the ACPP or LNAP state, it is put in the LGLA state and timer T2 is started, the pending link address and pending access point fields are cleared, and the NA is forwarded;
  □ if the entry is in the LGLP state, the NA is dropped;
  □ if the entry is in the LGLA state, the associated timer T2 is reset and the NA is forwarded directly;
  □ if the entry is in the AGNG state, it is put in the LGLA state and timer T2 is started, and the NA is forwarded.
■ If the table has an entry whose IP address equals the announced target IP address but whose link address differs from the announced target link address, or whose access point differs from the access point on which the NA arrived, or both, the NAS checks whether the NA is a reply to duplicate address detection:
  □ if it is a DAD reply, the NA is treated as a counterfeit message and dropped;
  □ if it is not a DAD reply, the NAS checks whether the entry is in the LGLP state. If not, the NA is dropped. If it is, the NAS further checks whether the access point on which the NA was received is a trusted access point: if so, the entry is deleted and the NA is forwarded; if not, the NA is dropped.
The forwarding of ND messages in the above process, such as the forwarding of NA and NS messages, is the same as in the prior art.
Based on the address binding table established and maintained as above, the filtering of data packets received from non-trusted access points in step 303 specifically comprises the following:
(1) When an entry in the address binding table moves from the LGLP state to the LGLA state, the NAS configures a filtering rule on the access point of that entry according to the entry's contents, and filters the data packets received on that access point with the configured rule.
The filtering rule is: of the data packets received on the access point of the entry, only those whose source IP address equals the IP address of the entry, and/or whose source link address equals the link address of the entry, may enter the NAS for subsequent forwarding.
The filtering rule may further limit the receive rate and transmit rate of the data packets with the given source IP address that enter the NAS.
(2) When an entry in the address binding table is in the AGNG state and timer T3 expires, the NAS deletes the entry and, at the same time, the filtering rule configured on the access point of that entry.
(3) When an entry in the address binding table moves from the ACPP or LNAP state to the LGLA state, the NAS updates the filtering rule on the access point of that entry according to the updated contents of the entry. That is, on the ACPP or LNAP to LGLA transition, if either the link address or the access point has changed, the original filtering rule is deleted and a new filtering rule is issued.
(4) When an entry in the address binding table moves from the LGLA state to the ACPP, LNAP or AGNG state, the filtering rule is not reissued.
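The whole procedure above (DAD NS, NS and NA handling, timers T1 to T5, and the per-port filtering rules) as one added Python model; this is example code written for this page, not H3C's implementation. It assumes: access points and link addresses are plain strings, a fixed legal-prefix list stands in for the RA-learned Table 3, the caller tells it whether an NA answers a DAD probe, the filter requires both the source IP and the link address to match (the strictest reading of "and/or"), and two cases the page leaves unspecified (a non-DAD NS matching an entry still in LGLP, and an NA for which no entry exists) are handled as marked in the comments. Time is a number passed in by the caller so the timers can be driven deterministically.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

A, B = 1.0, 6.0                       # RETRANS_TIMER; DELAY_FIRST_PROBE_TIME + RETRANS_TIMER (seconds)
TIMER = {"LGLP": A, "LGLA": B, "AGNG": A, "ACPP": A, "LNAP": A}   # T1, T2, T3, T4, T5

class Entry:
    """One row of Table 2: IP, link address, access point, pending columns, state and timer deadline."""
    def __init__(self, ip: str, lladdr: str, ap: str, now: float):
        self.ip, self.lladdr, self.ap = ip, lladdr, ap
        self.p_lladdr = self.p_ap = None          # pending link address / pending access point
        self.set_state("LGLP", now)                # A1: created in LGLP with T1 running

    def set_state(self, state: str, now: float) -> None:
        self.state, self.deadline = state, now + TIMER[state]   # (re)start this state's timer

class NdSnooper:
    def __init__(self, trusted_aps: List[str], legal_prefixes: List[str]):
        self.trusted = set(trusted_aps)
        self.legal = [ipaddress.IPv6Network(p) for p in legal_prefixes]   # stands in for Table 3
        self.table: Dict[str, Entry] = {}                                  # IP -> Entry
        self.filters: Dict[str, Set[Tuple[str, str]]] = {}                 # access point -> {(IP, lladdr)}

    def _install(self, e: Entry) -> None:
        self.filters.setdefault(e.ap, set()).add((e.ip, e.lladdr))

    def _delete(self, e: Entry) -> None:           # A4: drop the entry together with its filter
        self.filters.get(e.ap, set()).discard((e.ip, e.lladdr))
        del self.table[e.ip]

    def _refresh(self, e: Entry, now: float) -> None:
        """Consistent NS/NA from the bound host (E6, E8, E9): LGLA with a fresh T2, pending columns cleared."""
        e.p_lladdr = e.p_ap = None
        e.set_state("LGLA", now)

    def tick(self, now: float) -> None:
        for e in list(self.table.values()):        # timer expiries T1..T5 (E2, E3, E4, E6, E8)
            if now < e.deadline:
                continue
            if e.state == "LGLP":                  # T1: DAD went unchallenged -> A2, issue the filter
                e.set_state("LGLA", now)
                self._install(e)
            elif e.state == "LGLA":                # T2 -> A3
                e.set_state("AGNG", now)
            elif e.state == "AGNG":                # T3 -> A4
                self._delete(e)
            else:                                  # T4/T5 (ACPP/LNAP): pending columns take over, filter rewritten
                self.filters.get(e.ap, set()).discard((e.ip, e.lladdr))
                e.lladdr, e.ap = e.p_lladdr or e.lladdr, e.p_ap or e.ap
                self._refresh(e, now)
                self._install(e)

    def on_dad_ns(self, ap: str, target: str, src_lladdr: str, now: float) -> bool:
        """DAD NS (source ::) heard on access point ap. Returns True if the NAS forwards it."""
        if ap in self.trusted:
            return True                            # trusted-side NS is forwarded, never snooped
        e = self.table.get(target)
        if e is None:                              # E1/A1, subject to the legal prefix check
            if not any(ipaddress.IPv6Address(target) in n for n in self.legal):
                return False
            self.table[target] = Entry(target, src_lladdr, ap, now)
            return True
        if e.state == "LGLP":                      # a second claimant while the first DAD is in flight
            return False
        if e.lladdr != src_lladdr:                 # E7: link address changed -> LNAP, T5
            e.p_lladdr, e.p_ap = src_lladdr, ap
            e.set_state("LNAP", now)
        elif e.ap != ap:                           # E5/A5: same host on another port -> ACPP, T4
            e.p_ap = ap
            e.set_state("ACPP", now)
        return True

    def on_ns(self, ap: str, src_ip: str, src_lladdr: str, now: float) -> bool:
        """Non-DAD NS: only a source already bound to (IP, lladdr, ap) passes."""
        if ap in self.trusted:
            return True
        e = self.table.get(src_ip)
        if e is None or (e.lladdr, e.ap) != (src_lladdr, ap) or e.state == "LGLP":
            return False                           # the LGLP case is an ASSUMPTION; the page leaves it open
        self._refresh(e, now)
        return True

    def on_na(self, ap: str, target: str, target_lladdr: str, dad_reply: bool, now: float) -> bool:
        """NA from any access point; dad_reply marks an NA that answers a DAD NS."""
        e = self.table.get(target)
        if e is None:
            return True                            # ASSUMPTION: no binding -> ordinary forwarding
        if (e.lladdr, e.ap) == (target_lladdr, ap):    # consistent with the binding
            if e.state == "LGLP":
                return False
            self._refresh(e, now)
            return True
        if dad_reply:                              # someone else answering DAD for a bound address
            return False
        if e.state == "LGLP" and ap in self.trusted:   # E10: the trusted side owns the address
            self._delete(e)
            return True
        return False

    def admit(self, ap: str, src_ip: str, src_lladdr: str) -> bool:
        # Data-plane filter (step 303): on a non-trusted port both source IP and link address must be bound
        return ap in self.trusted or (src_ip, src_lladdr) in self.filters.get(ap, set())
```

Two properties of the page's design show up directly in this model: a host's traffic is blackholed for the T1 window after its DAD probe, which is the price of waiting for a possible DAD answer, and a host that moves ports keeps its old filter until T4 expires, so the move is only committed once no NS/NA from the old binding contradicts it.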
To describe the state transitions of entries in the address binding table more clearly, the embodiment of the invention provides the state transition diagram shown in Fig. 4.
Fig. 4 is a schematic diagram of the state transitions of an address binding entry in the embodiment of the invention. In Fig. 4, "E" denotes an event that causes the state of an address binding entry to change, and "A" denotes an action performed during the state transition of the entry. The events that cause state transitions of an address binding entry are listed in Table 4, and the actions performed during those state transitions are listed in Table 5:
Event number   Event description
E1    A DAD NS message sent by an access host is heard and the address binding table contains no corresponding entry; the prefix of the address is taken and a corresponding legal prefix is found in the legal prefix table;
E2    Timer T1 expires;
E3    Timer T2 expires;
E4    Timer T3 expires;
E5    A DAD NS message is heard whose IP address and link address are identical to those of an existing entry, but whose access point differs;
E6    Timer T4 expires, or an NA message consistent with the entry contents is received, or an NS message consistent with the entry contents is received;
E7    A DAD NS message is heard whose IP address is identical to that of an existing entry, but whose link address differs;
E8    Timer T5 expires, or an NA message consistent with the entry contents is received, or an NS message consistent with the entry contents is received;
E9    An NS or NA message consistent with the entry contents is received;
E10   An NA message is heard on a trusted access point whose IP address is consistent with the entry, but whose link address or access point is not;
Table 4
Action number   Action description
A1    Create the binding entry with state LGLP;
A2    Transition the state to LGLA and issue the filtering rule;
A3    Transition the state to AGNG;
A4    Delete the entry and delete the filtering rule;
A5    Transition the state to ACPP and record the pending access point;
A6    Transition to the LGLA state. If the state change was caused by the expiry of timer T4, replace the original access point with the pending access point and update the filtering rule;
A7    Transition the state to LNAP and record the pending link address and pending access point;
A8    Transition to the LGLA state. If the state change was caused by the expiry of timer T5, replace the original link address and access point with the pending link address and pending access point and update the filtering rule;
A9    Transition to the LGLA state;
A10   Delete the entry;
A11   Restart T2, i.e. reset T2 to zero.
Table 5
In the embodiment of the invention, the NAS may also record the creation and deletion of address binding entries and the messages that were discarded. The records may be reported to a gateway server or stored in non-volatile memory, to facilitate querying and maintenance by network administrators.
In a specific implementation of the technical scheme of the invention, an ND message snooping module may be provided in the NAS to perform the establishment and maintenance of the address binding table described above and the filtering of messages according to the address binding table.
When a network with several NASes is considered, all NASes in the same VLAN are required to deploy the scheme of the invention; the hosts in that VLAN are then subject to the restrictions of the scheme. In that case each NAS guarantees the authenticity, i.e. the non-forgery, of the messages of the hosts attached to it.
With the above technical scheme it can be guaranteed that access hosts connecting to the network through the NAS cannot carry out arbitrary illegal counterfeit message attacks on the network, which ensures the security of the network.
Fig. 5 is a block diagram of the composition of an apparatus for preventing counterfeit message attacks according to an embodiment of the invention. The apparatus shown in Fig. 5 is arranged in a network access control server NAS; trusted access points are designated on the NAS, and the access points on the NAS other than the trusted access points are non-trusted access points. As shown in Fig. 5, the apparatus comprises an ND message snooping module 501, a filtering module 502 and a storage module 503, wherein:
The ND message snooping module 501 establishes the address binding table according to the duplicate address detection neighbor solicitation DAD NS messages received on the non-trusted access points of the NAS, and maintains the address binding table according to the router advertisement RA messages received from trusted nodes of the NAS, the neighbor solicitation NS messages received on non-trusted access points, and the neighbor advertisement NA messages received on trusted and non-trusted access points;
The storage module 503 stores the address binding table;
The filtering module 502 filters the data messages received on the non-trusted access points of the NAS according to the address binding table.
In Fig. 5, the ND message snooping module 501 establishes and maintains a legal prefix table according to the prefix contents of the RA messages received on trusted access points of the NAS; when the first DAD NS message whose destination IP address is a specified IP address is received on a non-trusted access point of the NAS, after confirming according to the legal prefix table that the prefix of the destination IP address is legal, it establishes a prefix-legal address binding entry according to the destination IP address, source link address and access point of that DAD NS message; after the prefix-legal address binding entry is established, if an NA message responding to that first DAD NS is received from another access point of the NAS within a predetermined time, it deletes the prefix-legal address binding entry, otherwise the prefix-legal address binding entry becomes an address-legal address binding entry; according to the NS messages and NA messages received on non-trusted access points of the NAS, it adjusts the lifetime of the address-legal address binding entry so that the entry does not age out while its neighbor at the corresponding access point is online; when the NAS receives the DAD NS re-sent by an access host after the host has switched access point or link address, if a corresponding response NA message is heard within a predetermined time, the access point and link-layer address in the corresponding address-legal address binding entry are not updated; otherwise, if no corresponding response NA message is heard within the predetermined time, the access point and link address in the corresponding address-legal address binding entry are updated.
In Fig. 5, each entry of the address binding table established by the ND message snooping module 501 comprises: an Internet Protocol IP address, a link address, an access point, a pending link address, a pending access point and an entry state; the entry state is one of the prefix-legal LGLP state, the address-legal LGLA state, the aging AGNG state, the access-point-pending-change ACPP state and the link-address-and-access-point-pending-change LNAP state; the five states correspond in turn to timers T1, T2, T3, T4 and T5;
The ND message snooping module 501, when a DAD NS message is received on a non-trusted access point of the NAS, queries the address binding table according to the destination IP address and source link address in the DAD NS message and the access point on which the DAD NS message was received. If the address binding table contains no entry whose IP address is identical to the destination IP address, it queries the legal prefix table to determine whether the prefix of the destination IP address is legal; if it is not legal, the DAD NS message is discarded; if it is legal, the DAD NS message is forwarded, the destination IP address, source link address and access point are added as a corresponding entry in the address binding table, the entry is set to the LGLP state and timer T1 is started; when T1 expires the entry transitions to the LGLA state and timer T2 is started; when T2 expires the entry transitions to the AGNG state and timer T3 is started; when T3 expires the entry is deleted. If the address binding table does contain an entry whose IP address is identical to the destination IP address, it is first determined whether the entry is in the LGLP state; if so, the DAD NS message is discarded; otherwise it is determined whether the link address is also identical. If the link address differs, the DAD NS message is forwarded, the link address and access point corresponding to the DAD NS message are written into the pending link address and pending access point fields of the entry, the entry is set to the LNAP state and timer T5 is started; when T5 expires the entry transitions to the LGLA state, the link address and access point in the entry are replaced by the pending link address and pending access point respectively, and the pending link address and pending access point fields are cleared. If the link address is also identical, it is further determined whether the access point is also identical; if the access point is also identical, the DAD NS message is forwarded; if the access point differs, the access point corresponding to the DAD NS message is first written into the pending access point field of the entry, the entry is set to the ACPP state and timer T4 is started, and then the DAD NS message is forwarded; when T4 expires the entry transitions to the LGLA state, the access point in the entry is replaced by the pending access point in the entry, and the pending access point field is cleared;
The ND message snooping module 501, when an NS message other than a DAD NS message is received on a non-trusted access point of the NAS, queries the address binding table according to the source IP address and source link address of the NS message and the access point on which the NS message was received. If the address binding table contains no entry whose IP address, link address and access point are consistent with the source IP address, source link address and access point of the NS message, the NS message is discarded; if, on the contrary, a consistent entry exists and its state is not the LGLP state, the entry is set to the LGLA state, timer T2 is started, the timer corresponding to the previous state of the entry is deleted, and the NS message is forwarded;
The ND message snooping module 501, when an NA message is received on an access point of the NAS, queries the address binding table according to the target IP address and target link address advertised in the NA message and the access point on which the NA message was received. If the address binding table contains an entry whose IP address, link address and access point are consistent with the target IP address and target link address advertised in the NA message and the access point on which the NA message was received, the state of that entry is examined: if the entry is in the ACPP or LNAP state, it is set to the LGLA state, timer T2 is started, the pending link address and pending access point fields of the entry are cleared, and the NA message is forwarded; if the entry is in the LGLP state, the NA message is discarded; if the entry is in the LGLA state, timer T2 is reset to zero and the NA message is forwarded; if the entry is in the AGNG state, it is set to the LGLA state, timer T2 is started, and the NA message is forwarded. If the address binding table contains an entry whose IP address is identical to the target IP address advertised in the NA message, but whose link address and/or access point differ from the target link address advertised in the NA message and/or the access point on which the NA message was received, it is determined whether the NA message is a response to duplicate address detection; if it is a response to duplicate address detection, the NA message is discarded; if it is not, it is determined whether the entry is in the LGLP state; if it is not in the LGLP state, the NA message is discarded; if it is in the LGLP state, it is further determined whether the access point on which the NA message was received is a trusted access point; if it is a trusted access point, the entry is deleted and the NA message is forwarded; if it is not a trusted access point, the NA message is discarded.
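The following Python model is an added illustration of the entry state machine of Tables 4 and 5 together with the DAD NS, NS and NA handling of the ND message snooping module 501 described above; it is not code from the patent or from H3C. It assumes that the "destination IP address" of a DAD NS means the NS target address under detection, uses constructed placeholder durations for T1 to T5, and decides the two cases the text leaves open (a non-DAD NS matching an entry still in LGLP, an NA whose target has no entry) as marked in the comments. The class, method and field names are the example's own.

```python
"""Model of the address binding entry state machine of Tables 4 and 5 and the
DAD NS / NS / NA handling of the ND message snooping module (added example, not
the patent's or H3C's code). Timers are simulated: each entry stores the
absolute deadline of its current timer and tick(now) fires the expired ones."""
import ipaddress
from dataclasses import dataclass

LGLP, LGLA, AGNG, ACPP, LNAP = "LGLP", "LGLA", "AGNG", "ACPP", "LNAP"
# Durations of T1..T5 in seconds, one per state (constructed placeholder values).
TIMER = {LGLP: 1.0, LGLA: 300.0, AGNG: 60.0, ACPP: 1.0, LNAP: 1.0}


@dataclass
class Entry:
    ip: str
    link: str            # link-layer address bound to ip
    ap: str              # access point (port) the host was heard on
    state: str
    deadline: float      # absolute time at which the current timer expires
    pending_link: str = ""
    pending_ap: str = ""


class BindingTable:
    def __init__(self, legal_prefixes, trusted_aps):
        self.prefixes = [ipaddress.ip_network(p) for p in legal_prefixes]
        self.trusted = set(trusted_aps)
        self.entries = {}    # ip -> Entry
        self.filters = {}    # ip -> (ap, link): filtering rule installed on ap

    def _goto(self, e, state, now):
        e.state, e.deadline = state, now + TIMER[state]
        if state == LGLA:                    # A2/A6/A8/A9/A11: (re)issue the rule
            e.pending_link = e.pending_ap = ""
            self.filters[e.ip] = (e.ap, e.link)

    def _delete(self, ip):                   # A4/A10: entry and rule go together
        self.entries.pop(ip, None)
        self.filters.pop(ip, None)

    def dad_ns(self, target_ip, src_link, ap, now):
        """DAD NS heard on a non-trusted port; returns 'forward' or 'drop'."""
        e = self.entries.get(target_ip)
        if e is None:
            addr = ipaddress.ip_address(target_ip)
            if not any(addr in p for p in self.prefixes):
                return "drop"                # prefix not in the legal prefix table
            e = self.entries[target_ip] = Entry(target_ip, src_link, ap, LGLP, 0.0)
            self._goto(e, LGLP, now)         # E1 -> A1: create entry, start T1
            return "forward"
        if e.state == LGLP:
            return "drop"                    # DAD for this address still running
        if e.link != src_link:               # E7 -> A7: link address changed
            e.pending_link, e.pending_ap = src_link, ap
            self._goto(e, LNAP, now)
        elif e.ap != ap:                     # E5 -> A5: host moved to another port
            e.pending_ap = ap
            self._goto(e, ACPP, now)
        return "forward"

    def ns(self, src_ip, src_link, ap, now):
        """Non-DAD NS heard on a non-trusted port."""
        e = self.entries.get(src_ip)
        if e is None or (e.link, e.ap) != (src_link, ap) or e.state == LGLP:
            return "drop"                    # the LGLP case is unspecified; dropped
        self._goto(e, LGLA, now)             # E6/E8/E9: the bound host is alive
        return "forward"

    def na(self, target_ip, target_link, ap, now, dad_reply=False):
        """NA heard on any port; dad_reply marks an NA answering a DAD NS."""
        e = self.entries.get(target_ip)
        if e is None:
            return "forward"                 # not covered by the patent; assumed
        if (e.link, e.ap) == (target_link, ap):
            if e.state == LGLP:
                return "drop"
            self._goto(e, LGLA, now)         # ACPP/LNAP/AGNG -> LGLA; LGLA restarts T2
            return "forward"
        # Same IP address, but a different link address and/or port claims it.
        if dad_reply or e.state != LGLP or ap not in self.trusted:
            return "drop"
        self._delete(target_ip)              # E10 -> A10: a trusted port overrides
        return "forward"

    def tick(self, now):
        """Fire expired timers: E2/E3/E4 and the T4/T5 cases of E6/E8."""
        for e in list(self.entries.values()):
            if e.deadline > now:
                continue
            if e.state == LGLP:              # T1: nobody objected -> A2
                self._goto(e, LGLA, now)
            elif e.state == LGLA:            # T2: no traffic seen -> A3
                self._goto(e, AGNG, now)
            elif e.state == AGNG:            # T3 -> A4
                self._delete(e.ip)
            elif e.state == ACPP:            # T4 -> A6: adopt the pending port
                e.ap = e.pending_ap
                self._goto(e, LGLA, now)
            elif e.state == LNAP:            # T5 -> A8: adopt the pending values
                e.link, e.ap = e.pending_link, e.pending_ap
                self._goto(e, LGLA, now)
```

Walking an entry through the model shows the property the filtering rules rely on: a rule for an address exists only from the LGLA transition onwards (ACPP and LNAP keep the rule that transition installed), and a move of the host to another port or link address only takes effect after T4 or T5 passes without the currently bound host answering, so a second device cannot take over an address that a live host still defends, while a trusted port can retire an entry that never got past LGLP.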
In Fig. 5, the filtering module 502, when a specified entry in the address binding table transitions from the LGLP state to the LGLA state, configures a filtering rule on the access point corresponding to the specified entry according to the contents of the entry, and filters the data messages received on that access point according to the configured filtering rule. The filtering rule comprises: of the data messages received on the access point corresponding to the specified entry, only those whose source IP address is identical to the IP address in the entry and/or whose source link address is identical to the link address in the entry may enter the NAS for subsequent forwarding. The filtering rule further comprises: limiting the receiving rate and transmission rate of data messages with a specified source IP address that enter the NAS;
The filtering module 502, when the specified entry is in the AGNG state and timer T3 expires, deletes the filtering rule configured on the access point corresponding to the specified entry;
The filtering module 502, when the specified entry transitions from the ACPP state or the LNAP state to the LGLA state, updates the filtering rule on the access point corresponding to the specified entry according to the updated contents of the specified entry.
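As an added example of what the filtering module 502 applies per access point (not the patent's or H3C's code), the class below keeps one rule per bound source IP address and performs both checks of the rule described above: a data message passes only if its access point, source IP address and source link address all match the installed rule (the stricter reading of "and/or"), and messages from each bound source IP address are then rate-limited with a token bucket. The token bucket is an assumed mechanism, since the patent only states that the rate is limited; the discarded messages are appended to a list of the kind a record storage module could persist. Class and method names and the rate and burst values are the example's own.

```python
"""Per-port ingress filter of the kind the filtering module applies (added
example, not the patent's code): binding match plus a per-source-IP token bucket."""
from dataclasses import dataclass


@dataclass
class Bucket:
    rate: float      # tokens (messages) refilled per second
    burst: float     # bucket capacity
    tokens: float    # tokens currently available
    last: float      # time of the last refill


class IngressFilter:
    def __init__(self, rate=2.0, burst=3.0):
        self.rules = {}      # src_ip -> (access point, link address)
        self.buckets = {}    # src_ip -> Bucket
        self.rate, self.burst = rate, burst
        self.dropped = []    # (time, ap, src_ip, src_link, reason) for a record module

    def install(self, ip, ap, link, now):
        """Called when an entry reaches LGLA, or is updated after a T4/T5 expiry."""
        self.rules[ip] = (ap, link)
        self.buckets[ip] = Bucket(self.rate, self.burst, self.burst, now)

    def remove(self, ip):
        """Called when the entry is deleted after T3 expires."""
        self.rules.pop(ip, None)
        self.buckets.pop(ip, None)

    def _take_token(self, ip, now):
        b = self.buckets[ip]
        b.tokens = min(b.burst, b.tokens + (now - b.last) * b.rate)
        b.last = now
        if b.tokens < 1.0:
            return False
        b.tokens -= 1.0
        return True

    def accept(self, ap, src_ip, src_link, now):
        """True if a data message with this (ap, src_ip, src_link) may enter the NAS."""
        if self.rules.get(src_ip) != (ap, src_link):
            self.dropped.append((now, ap, src_ip, src_link, "no matching binding"))
            return False
        if not self._take_token(src_ip, now):
            self.dropped.append((now, ap, src_ip, src_link, "rate limit exceeded"))
            return False
        return True
```

Because the rule is keyed by source IP address but compared as the full (access point, link address) pair, a message that carries a bound address from the wrong port, or from the right port with a different link-layer address, is discarded before the rate limiter is consulted, so an address holder cannot be starved of tokens by someone else spoofing its address.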
The apparatus shown in Fig. 5 further comprises a record storage module 504; the ND message snooping module 501 records the creation and deletion of address binding entries and the messages that were discarded, and saves these records in the record storage module 504.
In Fig. 5, a prefix entry established by the ND message snooping module 501 from the contents of an RA message received on a trusted access point comprises: the prefix, the time the prefix advertisement was sent, and the prefix lifetime; when the prefix of a prefix entry has exceeded its corresponding prefix lifetime, the ND message snooping module 501 deletes that prefix entry.
In Fig. 5, the ND message snooping module 501 further directly forwards the NS messages received on trusted access points; forwards the RS messages received on non-trusted access points to the trusted access points; and discards the RA messages received on non-trusted access points.
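The legal prefix table of the snooping module, as an added example that is not the patent's code: each entry records the prefix, the time the advertisement was received and the advertised lifetime, an RA arriving on a non-trusted port is rejected, and expired prefixes are purged before every lookup. The all-ones infinite lifetime and the zero lifetime that withdraws a prefix follow RFC 4861 rather than the patent text; class and method names are the example's own.

```python
"""Legal prefix table learned from RA messages on trusted ports (added example,
not the patent's code). Lifetimes follow RFC 4861 Prefix Information semantics."""
import ipaddress

INFINITE = 0xFFFFFFFF   # RFC 4861: an all-ones valid lifetime never expires


class PrefixTable:
    def __init__(self):
        self.entries = {}   # ip_network -> (advertised_at, lifetime_seconds)

    def learn_ra(self, prefix, lifetime, now, trusted):
        """Process one Prefix Information option of an RA; True if it was used."""
        if not trusted:
            return False                      # RA on a non-trusted port: discarded
        net = ipaddress.ip_network(prefix)
        if lifetime == 0:
            self.entries.pop(net, None)       # zero lifetime withdraws the prefix
        else:
            self.entries[net] = (now, lifetime)   # a fresh RA restarts the clock
        return True

    def expire(self, now):
        """Delete every prefix whose lifetime has run out."""
        for net, (at, life) in list(self.entries.items()):
            if life != INFINITE and now - at > life:
                del self.entries[net]

    def is_legal(self, address, now):
        """True if address falls inside a prefix that is still alive."""
        self.expire(now)
        addr = ipaddress.ip_address(address)
        return any(addr in net for net in self.entries)
```

Purging on lookup rather than on a separate timer keeps the check self-contained: once the routers on the trusted ports stop advertising a prefix, DAD NS messages for addresses in it are refused, so a host cannot obtain a binding for an address the network no longer routes.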
In summary, in the present invention the NAS establishes the address binding table according to the duplicate address detection DAD neighbor solicitation NS messages received from non-trusted access points, and maintains the address binding table according to the router advertisement RA messages received from trusted nodes, the neighbor solicitation NS messages received from non-trusted access points and the neighbor advertisement NA messages received from trusted and non-trusted access points; by having the NAS filter the messages received from non-trusted access points according to the address binding table, the technical scheme can effectively prevent counterfeit message attacks.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (14)

1. A method for preventing counterfeit message attacks, characterized in that the method is applied to a network access control server NAS on which trusted access points have been designated, the access points on the NAS other than the trusted access points being non-trusted access points, and the method comprises:
the NAS establishing an address binding table according to duplicate address detection neighbor solicitation DAD NS messages received from non-trusted access points, and maintaining the address binding table according to router advertisement RA messages received from trusted nodes, neighbor solicitation NS messages received from non-trusted access points, and neighbor advertisement NA messages received from trusted access points and non-trusted access points;
the NAS filtering the data messages received from non-trusted access points according to the address binding table.
2. The method according to claim 1, characterized in that
the NAS establishing the address binding table according to the duplicate address detection neighbor solicitation DAD NS messages received from non-trusted access points, and maintaining the address binding table according to the router advertisement RA messages received from trusted nodes, the neighbor solicitation NS messages received from non-trusted access points and the neighbor advertisement NA messages received from trusted and non-trusted access points, comprises:
the NAS establishing and maintaining a legal prefix table according to the prefix contents of the RA messages received from trusted access points;
when the NAS receives from a non-trusted access point the first DAD NS message whose destination IP address is a specified IP address, after confirming according to the legal prefix table that the prefix of the destination IP address is legal, establishing a prefix-legal address binding entry according to the destination IP address, source link address and access point of that DAD NS message;
after the prefix-legal address binding entry is established, if the NAS receives from another access point within a predetermined time an NA message responding to the first DAD NS, deleting the prefix-legal address binding entry, otherwise the prefix-legal address binding entry becoming an address-legal address binding entry;
the NAS adjusting the lifetime of the address-legal address binding entry according to the NS messages and NA messages received from non-trusted access points, so that the entry does not age out while its neighbor at the corresponding access point is online;
the NAS listening for the DAD NS re-sent by an access host after the host has switched access point or link address and, if a corresponding response NA message is heard within a predetermined time, not updating the access point and link-layer address in the corresponding address-legal address binding entry; otherwise, if no corresponding response NA message is heard within the predetermined time, updating the access point and link address in the corresponding address-legal address binding entry.
3. The method according to claim 2, characterized in that the steps following the NAS establishing and maintaining the legal prefix table according to the prefix contents of the RA messages received from trusted access points are realized by maintaining an address binding table state machine, and specifically comprise:
each entry of the address binding table comprising: an Internet Protocol IP address, a link address, an access point, a pending link address, a pending access point and an entry state; wherein the entry state is one of the prefix-legal LGLP state, the address-legal LGLA state, the aging AGNG state, the access-point-pending-change ACPP state and the link-address-and-access-point-pending-change LNAP state; the five states corresponding in turn to timers T1, T2, T3, T4 and T5;
when the NAS receives a DAD NS message from a non-trusted access point, querying the address binding table according to the destination IP address and source link address in the DAD NS message and the access point on which the DAD NS message was received; if the address binding table contains no entry whose IP address is identical to the destination IP address, querying the legal prefix table to determine whether the prefix of the destination IP address is legal; if it is not legal, discarding the DAD NS message; if it is legal, forwarding the DAD NS message, adding the destination IP address, source link address and access point as a corresponding entry in the address binding table, setting the entry to the LGLP state and starting timer T1, the entry transitioning to the LGLA state and timer T2 being started when T1 expires, the entry transitioning to the AGNG state and timer T3 being started when T2 expires, and the entry being deleted when T3 expires; if the address binding table contains an entry whose IP address is identical to the destination IP address, first determining whether the entry is in the LGLP state, and if so discarding the DAD NS message, otherwise continuing to determine whether the link address is also identical; if the link address differs, forwarding the DAD NS message, writing the link address and access point corresponding to the DAD NS message into the pending link address and pending access point fields of the entry, setting the entry to the LNAP state and starting timer T5, the entry transitioning to the LGLA state when T5 expires, the link address and access point in the entry being replaced by the pending link address and pending access point respectively, and the pending link address and pending access point fields being cleared; if the link address is also identical, further determining whether the access point is also identical; if the access point is also identical, forwarding the DAD NS message; if the access point differs, first writing the access point corresponding to the DAD NS message into the pending access point field of the entry, setting the entry to the ACPP state and starting timer T4, then forwarding the DAD NS message, the entry transitioning to the LGLA state when T4 expires, the access point in the entry being replaced by the pending access point in the entry, and the pending access point field being cleared;
when the NAS receives from a non-trusted access point an NS message other than a DAD NS message, querying the address binding table according to the source IP address and source link address of the NS message and the access point on which the NS message was received; if the address binding table contains no entry whose IP address, link address and access point are consistent with the source IP address, source link address and access point of the NS message, discarding the NS message; if, on the contrary, a consistent entry exists and its state is not the LGLP state, setting the entry to the LGLA state and starting timer T2, deleting the timer corresponding to the previous state of the entry, and forwarding the NS message;
when the NAS receives an NA message, querying the address binding table according to the target IP address and target link address advertised in the NA message and the access point on which the NA message was received; if the address binding table contains an entry whose IP address, link address and access point are consistent with the target IP address and target link address advertised in the NA message and the access point on which the NA message was received, examining the state of that entry: if the entry is in the ACPP or LNAP state, setting it to the LGLA state and starting timer T2, clearing the pending link address and pending access point fields of the entry, and forwarding the NA message; if the entry is in the LGLP state, discarding the NA message; if the entry is in the LGLA state, resetting timer T2 to zero and forwarding the NA message; if the entry is in the AGNG state, setting it to the LGLA state, starting timer T2 and forwarding the NA message; if the address binding table contains an entry whose IP address is identical to the target IP address advertised in the NA message, but whose link address and/or access point differ from the target link address advertised in the NA message and/or the access point on which the NA message was received, determining whether the NA message is a response to duplicate address detection; if it is a response to duplicate address detection, discarding the NA message; if it is not, determining whether the entry is in the LGLP state; if it is not in the LGLP state, discarding the NA message; if it is in the LGLP state, further determining whether the access point on which the NA message was received is a trusted access point; if it is a trusted access point, deleting the entry and forwarding the NA message; if it is not a trusted access point, discarding the NA message.
4. The method according to claim 3, characterized in that the NAS filtering the data messages received from non-trusted access points according to the address binding table comprises:
when a specified entry in the address binding table transitions from the LGLP state to the LGLA state, the NAS configuring a filtering rule on the access point corresponding to the specified entry according to the contents of the entry, and filtering the data messages received on that access point according to the configured filtering rule; the filtering rule comprising: of the data messages received on the access point corresponding to the specified entry, only those whose source IP address is identical to the IP address in the entry and/or whose source link address is identical to the link address in the entry may enter the NAS for subsequent forwarding; the filtering rule further comprising: limiting the receiving rate and transmission rate of data messages with a specified source IP address that enter the NAS;
when the specified entry is in the AGNG state and timer T3 expires, the NAS deleting the specified entry and at the same time deleting the filtering rule configured on the access point corresponding to the specified entry;
when the specified entry transitions from the ACPP state or the LNAP state to the LGLA state, the NAS updating the filtering rule on the access point corresponding to the specified entry according to the updated contents of the specified entry.
5. The method according to claim 4, characterized in that the method further comprises:
the NAS recording the creation and deletion of address binding entries and the messages that were discarded.
6. The method according to claim 2, characterized in that the NAS establishing and maintaining the legal prefix table according to the prefix contents of the RA messages received from trusted access points comprises:
the prefix entries established by the NAS according to the contents of the RA messages received from trusted access points comprising: a prefix, the time the prefix advertisement was sent, and the prefix lifetime;
the NAS deleting a prefix entry when the prefix of that entry has exceeded its corresponding prefix lifetime.
7. The method according to any one of claims 1 to 6, characterized in that the method further comprises:
the NAS directly forwarding the NS messages received from trusted access points;
the NAS forwarding the RS messages received from non-trusted access points to the trusted access points;
the NAS discarding the RA messages received from non-trusted access points.
8. An apparatus for preventing counterfeit message attacks, characterized in that the apparatus is arranged in a network access control server NAS on which trusted access points have been designated, the access points on the NAS other than the trusted access points being non-trusted access points, and the apparatus comprises an ND message snooping module, a filtering module and a storage module, wherein
the ND message snooping module establishes an address binding table according to the duplicate address detection neighbor solicitation DAD NS messages received on the non-trusted access points of the NAS, and maintains the address binding table according to the router advertisement RA messages received from trusted nodes of the NAS, the neighbor solicitation NS messages received on non-trusted access points, and the neighbor advertisement NA messages received on trusted and non-trusted access points;
the storage module stores the address binding table;
the filtering module filters the data messages received on the non-trusted access points of the NAS according to the address binding table.
9. The apparatus according to claim 8, characterized in that
the ND message snooping module establishes and maintains a legal prefix table according to the prefix contents of the RA messages received on trusted access points of the NAS; when the first DAD NS message whose destination IP address is a specified IP address is received on a non-trusted access point of the NAS, after confirming according to the legal prefix table that the prefix of the destination IP address is legal, it establishes a prefix-legal address binding entry according to the destination IP address, source link address and access point of that DAD NS message; after the prefix-legal address binding entry is established, if an NA message responding to that first DAD NS is received from another access point of the NAS within a predetermined time, it deletes the prefix-legal address binding entry, otherwise the prefix-legal address binding entry becomes an address-legal address binding entry; according to the NS messages and NA messages received on non-trusted access points of the NAS, it adjusts the lifetime of the address-legal address binding entry so that the entry does not age out while its neighbor at the corresponding access point is online; when the NAS receives the DAD NS re-sent by an access host after the host has switched access point or link address, if a corresponding response NA message is heard within a predetermined time, the access point and link-layer address in the corresponding address-legal address binding entry are not updated; otherwise, if no corresponding response NA message is heard within the predetermined time, the access point and link address in the corresponding address-legal address binding entry are updated.
10. The apparatus according to claim 9, characterized in that
each entry of the address binding table established by the ND message snooping module comprises: an Internet Protocol IP address, a link address, an access point, a pending link address, a pending access point and an entry state; wherein the entry state is one of the prefix-legal LGLP state, the address-legal LGLA state, the aging AGNG state, the access-point-pending-change ACPP state and the link-address-and-access-point-pending-change LNAP state; the five states correspond in turn to timers T1, T2, T3, T4 and T5;
the ND message snooping module, when a DAD NS message is received on a non-trusted access point of the NAS, queries the address binding table according to the destination IP address and source link address in the DAD NS message and the access point on which the DAD NS message was received; if the address binding table contains no entry whose IP address is identical to the destination IP address, it queries the legal prefix table to determine whether the prefix of the destination IP address is legal; if it is not legal, the DAD NS message is discarded; if it is legal, the DAD NS message is forwarded, the destination IP address, source link address and access point are added as a corresponding entry in the address binding table, the entry is set to the LGLP state and timer T1 is started; when T1 expires the entry transitions to the LGLA state and timer T2 is started; when T2 expires the entry transitions to the AGNG state and timer T3 is started; when T3 expires the entry is deleted; if the address binding table contains an entry whose IP address is identical to the destination IP address, it is first determined whether the entry is in the LGLP state; if so, the DAD NS message is discarded; otherwise it is determined whether the link address is also identical; if the link address differs, the DAD NS message is forwarded, the link address and access point corresponding to the DAD NS message are written into the pending link address and pending access point fields of the entry, the entry is set to the LNAP state and timer T5 is started; when T5 expires the entry transitions to the LGLA state, the link address and access point in the entry are replaced by the pending link address and pending access point respectively, and the pending link address and pending access point fields are cleared; if the link address is also identical, it is further determined whether the access point is also identical; if the access point is also identical, the DAD NS message is forwarded; if the access point differs, the access point corresponding to the DAD NS message is first written into the pending access point field of the entry, the entry is set to the ACPP state and timer T4 is started, and then the DAD NS message is forwarded; when T4 expires the entry transitions to the LGLA state, the access point in the entry is replaced by the pending access point in the entry, and the pending access point field is cleared;
The ND message is intercepted module, is used for when the non-trust access point from NAS receives NS message except that DAD NS message, according to source IP address, the source link address of this NS message with receive the access point inquire address binding table of this NS message; If there is not list item in the address binding table with IP address, link address and the access point consistent with source IP address, source link address and the access point of NS message, then abandon this NS message, if instead there is consistent list item, and this list item state is not the LGLP state, then this list item is changed to the LGLA state and starts timer T2, delete the timer of the previous status correspondence of this list item, and transmit this NS message;
The ND message is intercepted module, is used for when the access point from NAS receives the NA message, according to target ip address of announcing in this NA message and target link address and the access point inquire address binding table that receives this NA message; If have target ip address and target link address of announcing in IP address, link address and access point and this NA message and the consistent list item of access point that receives this NA message in the bind address table, then judge the state of this list item; If this list item is ACPP or LNAP state, then this list item is changed to the LGLA state and starts timer T2, delete treating in this list item and become link address and the content of waiting to become in the access point, and transmit this NA message, if this list item is the LGLP state, then abandon this NA message, if this list item is the LGLA state, then with timer T2 zero clearing, and transmit this NA message, if this list item is the AGNG state, then this list item is changed to the LGLA state and starts timer T2, and transmit this NA message; If exist the target ip address of announcing in IP address and this NA message identical in the bind address table, but target link address of announcing in link address and/or access point and this NA message and/or the different list item of access point that receives this NA message, judge whether this NA message is the NA message of responding duplicate address detection, if respond the NA message of duplicate address detection, then abandon this NA message, if not the NA message of responding duplicate address detection, judge then whether this list item is the LGLP state, if not the LGLP state, then abandon this NA message, if the LGLP state judges further then whether the access point that receives this NA message is to trust access point, if trust access point, then with this list item deletion, transmit this NA message,, then abandon this NA message if not trusting 
access point.
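As an added example (not code from the patent), the following Python model implements the address binding table state machine of claim 10 for DAD NS messages and for timer expiry; class and field names are assumptions, timers are modelled as explicit expiry events rather than real clocks, and NS/NA handling is omitted.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Optional
LGLP, LGLA, AGNG, ACPP, LNAP = "LGLP", "LGLA", "AGNG", "ACPP", "LNAP"

@dataclass
class Entry:                            # one address binding table entry
    ip: str
    link: str                           # link-layer (MAC) address
    port: str                           # access point the DAD NS arrived on
    state: str = LGLP
    pend_link: Optional[str] = None     # link address to be changed to
    pend_port: Optional[str] = None     # access point to be changed to

class BindingTable:
    def __init__(self, legal_prefixes):
        # legal prefix table, learned from RAs on trusted access points
        self.prefixes = [IPv6Network(p) for p in legal_prefixes]
        self.entries: Dict[str, Entry] = {}
    def handle_dad_ns(self, target_ip: str, src_link: str, port: str) -> bool:
        """DAD NS from a non-trusted port: True = forward, False = discard."""
        e = self.entries.get(target_ip)
        if e is None:
            if not any(IPv6Address(target_ip) in p for p in self.prefixes):
                return False                # prefix not legal: discard
            self.entries[target_ip] = Entry(target_ip, src_link, port)  # LGLP, T1
            return True
        if e.state == LGLP:
            return False                    # another DAD still pending: discard
        if e.link != src_link:              # new claimant for a bound address
            e.pend_link, e.pend_port, e.state = src_link, port, LNAP    # T5
        elif e.port != port:                # same host seen on another port
            e.pend_port, e.state = port, ACPP                           # T4
        return True

    def timer_expired(self, ip: str) -> Optional[str]:
        """Transition taken when the timer of the entry's current state fires."""
        e = self.entries[ip]
        if e.state == LGLP:
            e.state = LGLA                  # T1: DAD passed, address legal
        elif e.state == LGLA:
            e.state = AGNG                  # T2: start aging
        elif e.state == AGNG:
            del self.entries[ip]            # T3: aged out
            return None
        elif e.state == ACPP:               # T4: commit pending access point
            e.port, e.pend_port, e.state = e.pend_port, None, LGLA
        else:                               # LNAP, T5: commit link + access point
            e.link, e.port, e.state = e.pend_link, e.pend_port, LGLA
            e.pend_link = e.pend_port = None
        return e.state
```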
11. The device as claimed in claim 10, characterized in that:
The filtering module is configured, when a specified entry of the address binding table moves from the LGLP state to the LGLA state, to configure a filtering rule on the access point corresponding to the specified entry according to the content of that entry, and to filter the data messages received on that access point according to the configured filtering rule; the filtering rule comprises: of the data messages received on the access point corresponding to the specified entry, only those whose source IP address is identical to the IP address in the specified entry and/or whose source link address is identical to the link address in the specified entry may enter the NAS for subsequent forwarding; the filtering rule further comprises: limiting the receiving rate and transmission rate of data messages with the specified source IP address that enter the NAS;
The filtering module is configured, when the specified entry is in the AGNG state and timer T3 expires, to delete the filtering rule configured on the access point corresponding to the specified entry;
The filtering module is configured, when the specified entry moves from the ACPP state or the LNAP state to the LGLA state, to update the filtering rule on the access point corresponding to the specified entry according to the content of the updated entry.
12. The device as claimed in claim 11, characterized in that the device further comprises a record storage module;
The ND message snooping module is configured to record the creation and deletion of address binding table entries and the discarded messages, and to save these records in the record storage module.
13. The device as claimed in claim 9, characterized in that:
The prefix entry set up by the ND message snooping module according to the content of an RA message received from a trusted access point comprises: the prefix, the time the prefix advertisement was sent, and the prefix lifetime;
The ND message snooping module is configured to delete a prefix entry when the prefix in that entry has exceeded its corresponding prefix lifetime.
14. The device as claimed in any one of claims 8 to 13, characterized in that:
The ND message snooping module is further configured to forward directly the NS messages received from trusted access points; to forward the RS messages received from non-trusted access points to the trusted access points; and to discard the RA messages received from non-trusted access points.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100841311A CN101552783B (en) 2009-05-20 2009-05-20 Method and apparatus for preventing counterfeit message attack

Publications (2)

Publication Number Publication Date
CN101552783A true CN101552783A (en) 2009-10-07
CN101552783B CN101552783B (en) 2012-07-04

Family

ID=41156774

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100841311A Active CN101552783B (en) 2009-05-20 2009-05-20 Method and apparatus for preventing counterfeit message attack

Country Status (1)

Country Link
CN (1) CN101552783B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546431A (en) * 2012-02-08 2012-07-04 神州数码网络(北京)有限公司 Secure access method, system and device for router advertisements
WO2012100494A1 (en) * 2011-01-27 2012-08-02 中兴通讯股份有限公司 Method and apparatus for improving security of neighbor discovery snooping
CN101692674B (en) * 2009-10-30 2012-10-17 杭州华三通信技术有限公司 Method and equipment for double stack access
CN103024862A (en) * 2011-09-23 2013-04-03 华为技术有限公司 Method, system and equipment for updating network address
CN102137073B (en) * 2010-01-22 2013-12-25 杭州华三通信技术有限公司 Method and access equipment for preventing imitating internet protocol (IP) address to attack
CN105939209A (en) * 2015-12-30 2016-09-14 杭州迪普科技有限公司 Method and device for processing neighbour table items
CN107547510A (en) * 2017-07-04 2018-01-05 新华三技术有限公司 A kind of safe list item treating method and apparatus of Neighbor Discovery Protocol
CN108848087A (en) * 2018-06-06 2018-11-20 浙江农林大学暨阳学院 DAD process malice NA message suppressing method suitable for SEND agreement
CN111416887A (en) * 2020-03-31 2020-07-14 清华大学 Address detection method, device, switch and storage medium
CN111431913A (en) * 2020-03-30 2020-07-17 中国人民解放军战略支援部队信息工程大学 Router advertisement protection mechanism existence detection method and device
CN112769694A (en) * 2021-02-02 2021-05-07 新华三信息安全技术有限公司 Address checking method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7360245B1 (en) * 2001-07-18 2008-04-15 Novell, Inc. Method and system for filtering spoofed packets in a network
CN100411390C (en) * 2006-02-13 2008-08-13 华为技术有限公司 Method for realizing neighbour discovery
CN101222513B (en) * 2008-01-28 2012-06-20 杭州华三通信技术有限公司 Method and network appliance for preventing repeated address detection attack
CN101415002B (en) * 2008-11-11 2011-12-28 华为技术有限公司 Method for preventing message aggression, data communication equipment and communication system

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101692674B (en) * 2009-10-30 2012-10-17 杭州华三通信技术有限公司 Method and equipment for double stack access
US9094264B2 (en) 2009-10-30 2015-07-28 Hangzhou H3C Technologies Co., Ltd. Method and apparatus for dual stack access
US9756052B2 (en) 2009-10-30 2017-09-05 Hewlett Packard Enterprise Development Lp Method and apparatus for dual stack access
CN102137073B (en) * 2010-01-22 2013-12-25 杭州华三通信技术有限公司 Method and access equipment for preventing imitating internet protocol (IP) address to attack
WO2012100494A1 (en) * 2011-01-27 2012-08-02 中兴通讯股份有限公司 Method and apparatus for improving security of neighbor discovery snooping
CN103024862A (en) * 2011-09-23 2013-04-03 华为技术有限公司 Method, system and equipment for updating network address
CN102546431A (en) * 2012-02-08 2012-07-04 神州数码网络(北京)有限公司 Secure access method, system and device for router advertisements
CN105939209A (en) * 2015-12-30 2016-09-14 杭州迪普科技有限公司 Method and device for processing neighbour table items
CN107547510A (en) * 2017-07-04 2018-01-05 新华三技术有限公司 A kind of safe list item treating method and apparatus of Neighbor Discovery Protocol
CN107547510B (en) * 2017-07-04 2020-03-06 新华三技术有限公司 Neighbor discovery protocol security table item processing method and device
CN108848087A (en) * 2018-06-06 2018-11-20 浙江农林大学暨阳学院 DAD process malice NA message suppressing method suitable for SEND agreement
CN108848087B (en) * 2018-06-06 2020-11-27 浙江农林大学暨阳学院 DAD process malicious NA message suppression method suitable for SEND protocol
CN111431913A (en) * 2020-03-30 2020-07-17 中国人民解放军战略支援部队信息工程大学 Router advertisement protection mechanism existence detection method and device
CN111431913B (en) * 2020-03-30 2022-06-21 中国人民解放军战略支援部队信息工程大学 Router advertisement protection mechanism existence detection method and device
CN111416887A (en) * 2020-03-31 2020-07-14 清华大学 Address detection method, device, switch and storage medium
CN112769694A (en) * 2021-02-02 2021-05-07 新华三信息安全技术有限公司 Address checking method and device

Also Published As

Publication number Publication date
CN101552783B (en) 2012-07-04


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.