
CN101197828B - Safety ARP implementing method and network appliance - Google Patents


Info

Publication number
CN101197828B
CN101197828B (application CN2007100328660A)
Authority
CN
China
Prior art keywords
arp
address
secure
unit
message
Prior art date
Legal status
Expired - Fee Related
Application number
CN2007100328660A
Other languages
Chinese (zh)
Other versions
CN101197828A (en)
Inventor
胡虹
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN2007100328660A
Publication of CN101197828A
Application granted
Publication of CN101197828B
Legal status: Expired - Fee Related (current)
Anticipated expiration

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention disclose a method for implementing secure ARP and a network device. The method comprises: encrypting the address of the local device and the address of the requested target device; generating a secure ARP request message that carries a security identifier and the encrypted address information; and broadcasting an ARP request on the network by means of that secure ARP request message. In this way the IP-MAC address mapping cannot be obtained in plaintext, and the encryption of the information effectively protects the device's IP-MAC mapping information, so that the device is not attacked by other devices. Like the prior-art firewall scheme, the method effectively protects network devices and maintains network security, but it is simpler, cheaper and uses fewer resources than the firewall scheme.

Description

A method for implementing secure ARP and a network device

Technical field

The present invention relates to the field of communications, and in particular to a method for implementing secure ARP and a network device.

Background

Devices on a data link need a way to discover a neighbour's data-link identifier, that is, its Media Access Control (MAC) address, in order to deliver data to the correct destination. The Internet Address Resolution Protocol (ARP) obtains the MAC address corresponding to a given IP address.

According to Internet standard RFC 826, ARP works as follows. When a network device needs the MAC address of another device on the same link, it assembles an ARP request message containing device one's MAC address, device one's IP address and device two's IP address. The ARP request is then broadcast on the data link: every device on the link receives the frame and must examine the message encapsulated in it. Device two, whose IP address equals the target IP address in the request, sends an ARP reply to the requester's address carrying its own MAC address; the other devices send no reply. The result of address resolution is therefore that the source device (device one) obtains device two's MAC address and records the mapping between device two's MAC address and IP address in its local ARP cache table.
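The RFC 826 exchange just described, as an added simulation that is not part of the patent text: three constructed devices share one link, a request is broadcast to all of them, only the device owning the target IP answers, the requester records the mapping in its cache, and a third device that never sends anything can still read every IP-MAC pair from the plaintext sender fields (the exposure the next paragraph describes). Device names, addresses and the `Link`/`Device` classes are constructed for this example.

```python
from dataclasses import dataclass, field

ZERO_MAC = "00:00:00:00:00:00"


@dataclass
class ArpMessage:
    """The fields of an RFC 826 request or reply; all of them travel in plaintext."""
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str  # unknown, hence all zeros, in a request
    target_ip: str


@dataclass
class Device:
    mac: str
    ip: str
    cache: dict = field(default_factory=dict)  # local ARP cache: ip -> mac

    def handle(self, msg):
        """Every device on the link receives the frame and must examine it.
        Only the device whose IP equals the target IP answers a request; a
        reply addressed to this device updates its cache."""
        if msg.op == "request" and msg.target_ip == self.ip:
            return ArpMessage("reply", self.mac, self.ip, msg.sender_mac, msg.sender_ip)
        if msg.op == "reply" and msg.target_ip == self.ip:
            self.cache[msg.sender_ip] = msg.sender_mac
        return None


class Link:
    """A shared data link: a request reaches every attached device, a reply is
    delivered to the owner of the target MAC.  Every message is also kept in
    `seen`, which is exactly what a passive listener on the segment observes."""

    def __init__(self, devices):
        self.devices = devices
        self.seen = []

    def broadcast(self, msg):
        self.seen.append(msg)
        return [r for r in (d.handle(msg) for d in self.devices) if r is not None]

    def unicast(self, msg):
        self.seen.append(msg)
        for d in self.devices:
            if d.mac == msg.target_mac:
                d.handle(msg)


def resolve(link, requester, target_ip):
    """Device one obtains device two's MAC and records the mapping in its cache;
    a cached entry is reused without any traffic."""
    if target_ip not in requester.cache:
        req = ArpMessage("request", requester.mac, requester.ip, ZERO_MAC, target_ip)
        for reply in link.broadcast(req):
            link.unicast(reply)
    return requester.cache.get(target_ip)


def harvest(link):
    """IP -> MAC pairs any device on the segment can read from the plaintext
    sender fields of the ARP traffic, whether or not it took part."""
    return {m.sender_ip: m.sender_mac for m in link.seen}


# Constructed sample segment: three devices; the third never sends anything.
dev1 = Device("02:00:00:00:00:01", "192.0.2.1")
dev2 = Device("02:00:00:00:00:02", "192.0.2.2")
dev3 = Device("02:00:00:00:00:03", "192.0.2.3")
link = Link([dev1, dev2, dev3])

if __name__ == "__main__":
    print(resolve(link, dev1, "192.0.2.2"))  # device two's MAC
    print(harvest(link))                      # both mappings, visible to dev3 as well
```

Running it shows that two frames are enough for the idle third device to learn both participants' IP-MAC pairs; nothing in RFC 826 distinguishes the legitimate receiver from anyone else listening on the segment.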

Because current ARP queries and answers are broadcast in plaintext, the correspondence between the IP and MAC addresses of every host in a network segment can be obtained by anyone on it. As long as an attacking device can obtain the IP-MAC (IP address to MAC address) mapping of other devices, it can mount corresponding attacks on them. When an access device is infected, the other devices in the same network are attacked as a result; such attacks often occur within a single network segment such as an equipment room or an office.

With the development of all-IP networks, security has received ever more attention. In the 3rd Generation Partnership Project (3GPP) domain, security technologies above the IP layer, such as the Security Architecture for IP networks (IPSEC), have been defined to form security domains and build secure networks. This protection, however, only covers the server program; it does nothing for the device itself, and in particular for two devices interacting on the same network segment. Refer to Figure 1, which shows secure IP means such as IPSEC protecting the relevant content: device one must access device two securely, and the client program on device one holds device two's IP address. The method proceeds as follows:

device one broadcasts an ordinary ARP request message to the network;

after receiving the ordinary ARP request, device two returns a response message containing its MAC address to device one;

having obtained device two's IP-MAC address mapping, the client program on device one communicates with the server program on device two through the secure IP interface, and the content of that communication is protected by secure IP.

At the same time, however, a virus program on device one can also use the IP-MAC mapping stored in the ARP cache table to attack device two through the ordinary IP interface. Other devices can likewise obtain the IP-to-MAC mappings of devices in the network through ARP and carry out attacks.

To protect the device, as shown in Figure 2, a firewall is placed in front of device two; with suitable firewall settings, legitimate messages pass through the firewall while attack messages are filtered out. Placing a firewall in front of every device, however, not only costs a great deal but also requires continual maintenance.

Summary of the invention

In view of this, embodiments of the present invention provide a method for implementing secure ARP and a network device, so that secure ARP can be achieved while saving cost.

An embodiment of the present invention provides a method for implementing secure ARP that includes at least the following steps:

encrypting the address of the local device and the address of the target device to be requested;

generating a secure ARP request message in which a field is set with a security identifier and which carries the encrypted address information;

broadcasting a secure ARP request to the network by means of the secure ARP request message;

receiving the ARP response message of the target device, in which a field is set with a security identifier and which carries an encrypted address field;

decrypting the address field of the ARP response message to obtain the address of the target device.

The method further includes:

after receiving the ARP response message of the target device, decrypting the address field of the ARP response message to obtain the address of the target device.

After receiving the ARP response message of the target device, the method further includes:

judging whether a field in the ARP response message is set with the security identifier and, if so, decrypting the address field of the ARP response message to obtain the address of the target device.

The method still further includes:

the client program obtaining the decrypted address of the target device through the secure IP interface and the secure ARP interface.

An embodiment of the present invention provides a method for implementing secure ARP that includes at least the following steps:

receiving a secure ARP request in which a field is set with a security identifier and which carries an encrypted address field;

decrypting the address field of the secure ARP request to obtain the address information of the source requesting device;

after decryption, encrypting the address information of the local device and the address information of the source requesting device;

generating a secure ARP response message in which a field is set with a security identifier and which carries the encrypted address information;

sending a secure ARP response to the source device of the ARP request by means of the secure ARP response message.

After receiving the secure ARP request message, the method further includes:

judging whether a field in the ARP request message is set with the security identifier and, if so, decrypting the address field of the ARP request message to obtain the address of the source device of the ARP request and the requested address.

An embodiment of the present invention provides a network device that includes:

an encryption unit, configured to encrypt the address of the local device and the address of the target device to be requested;

a generating unit, configured to generate a secure ARP request message in which a field is set with a security identifier and which carries the encrypted address information;

a sending unit, configured to broadcast a secure ARP request to the network by means of the secure ARP request message.

The network device further includes:

a receiving unit, configured to receive the ARP response message of the target device;

a decryption unit, configured to decrypt the address field of the ARP response message received by the receiving unit to obtain the address of the target device.

The network device further includes:

a judging unit, configured to judge whether a field in the ARP response message received by the receiving unit is set with the security identifier and, when the result is yes, to output a positive result to the decryption unit.

The network device further includes:

a request unit, configured to initiate a request to access the target device;

a secure interface unit, configured to send the target device address information decrypted by the decryption unit to the request unit.

The secure interface unit includes a secure IP interface unit and a secure ARP interface unit.

An embodiment of the present invention provides a network device that includes:

a receiving unit, configured to receive a secure ARP request in which a field is set with a security identifier and which carries an encrypted address field;

a decryption unit, configured to decrypt the address field of the secure ARP request received by the receiving unit to obtain the address information of the source requesting device;

an encryption unit, configured to encrypt the address information of the local device and the address information of the source requesting device after the decryption unit has completed decryption;

a generating unit, configured to generate a secure ARP response message in which a field is set with a security identifier and which carries the encrypted address information;

a sending unit, configured to send a secure ARP response to the source device of the ARP request by means of the secure ARP response message.

The network device further includes:

a judging unit, configured to judge whether a field in the ARP request message received by the receiving unit is set with the security identifier and, if so, to output a positive result to the decryption unit.

In the embodiments of the present invention, encrypting the address of the local device and the address of the requested target device and generating a secure ARP request message means that the IP-MAC address mapping cannot be obtained in plaintext; the encryption of the information effectively protects a device's IP-MAC mapping information, so that the device is not attacked by other devices. In subsequent communication, programs on the same device can access the ARP cache table only through the dedicated secure IP interface, so other programs on that device cannot use the contents of the ARP cache table to attack other devices. Both the method of the present invention and the prior-art firewall scheme can effectively protect network devices and maintain network security, but the method of the present invention has the advantages of being simpler than the firewall scheme, effectively reducing cost and saving resources.

Brief description of the drawings

Figure 1 is a schematic diagram of the principle of achieving network security with the secure IP method;

Figure 2 is a schematic diagram of the principle of achieving network security by deploying a firewall;

Figure 3 is a schematic diagram of one packet format of an ARP request or reply message on Ethernet;

Figure 4 is a schematic diagram of a system implementing secure ARP according to an embodiment of the present invention;

Figure 5 is a flowchart of a method for implementing secure ARP according to an embodiment of the present invention.

Detailed description

To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in further detail below with reference to the accompanying drawings.

Refer to Figure 4, a schematic diagram of a system implementing secure ARP according to an embodiment of the present invention. The system includes a first network device 10 and a second network device 20, connected through a network.

The first network device 10 includes a request unit 11, a secure interface unit 12, a first encryption unit 13, a first generating unit 14, a first sending unit 15, a first receiving unit 16, a first judging unit 17 and a first decryption unit 18. As shown in Figure 4, the request unit 11 is connected to the secure interface unit 12; the first encryption unit 13, the first generating unit 14 and the first sending unit 15 are connected in sequence; the first receiving unit 16, the first judging unit 17 and the first decryption unit 18 are connected in sequence; and the secure interface unit 12 is connected to both the first encryption unit 13 and the first decryption unit 18.

The request unit 11 initiates a request to access the second network device 20 according to the needs of the client program. If the ARP cache table does not hold the IP-MAC address mapping of the second network device 20 (in a concrete implementation the MAC address may be the device's Ethernet address), that mapping must be obtained.

The secure interface unit 12 further includes a secure IP interface unit 121 and a secure ARP interface unit 122. The secure IP interface unit 121 carries out secure communication between units within a network device, or between network devices, by secure IP means such as IPSEC. The secure ARP interface unit 122 protects the obtained IP-MAC address mapping from being stolen by other programs when the client program requests address information, effectively preventing a virus-infected program from obtaining the IP-MAC mappings of other network devices and attacking them.

The first encryption unit 13 encrypts the address of the first network device 10 and the address of the second network device 20 to be requested. These addresses comprise the MAC address of the first network device 10, the IP address of the first network device 10, the IP address of the second network device 20 and the MAC address of the second network device 20. Figure 3 shows one packet format of an ARP request or reply message on Ethernet; the MAC address in the figure is the device's Ethernet address. As Figure 3 shows, the fields following the OP field, namely the sender Ethernet address, sender IP address, target Ethernet address and target IP address, are the information that needs to be protected by encryption. In a concrete implementation, statically configured encryption may be used: encryption is performed under the key-to-IP correspondence set by the configuration program of the first encryption unit 13, and the encrypted ARP request message is sent to the first generating unit 14. Alternatively, a dynamically obtained key may be used: when the client program is invoked, the request unit 11 sends an authentication request to a third-party authentication server, obtains the key returned by that server in the authentication response, and passes the key-to-IP correspondence through the secure interface unit 12 to the first encryption unit 13 for encryption. Besides these two methods, other encryption methods may be used in practice according to the required level of security.

The first generating unit 14 generates the secure ARP request message, which carries the security identifier and the encrypted address information. Referring to Figure 3, the security identifier is an extension of the existing OP field. The OP field in Figure 3 defines the operation type and its value; RFC 826 originally defines ARP request (1), ARP reply (2), RARP request (3) and RARP reply (4), and the sender Ethernet address, sender IP address, target Ethernet address and target IP address are plaintext in the original protocol. The extension marks the OP field as follows: secure ARP request (5), secure ARP reply (6), secure RARP request (7), secure RARP reply (8), where the number in brackets is the value of the operation type; this is not the only possible definition, and the values corresponding to the operation types may be changed. Once the encrypted ARP request message is complete, the secure ARP request message is generated. This embodiment uses the OP-field extension above as the identifier, that is, the OP field is marked secure ARP request (5), and the marked message is passed down to the first sending unit 15.

The first sending unit 15 broadcasts the secure ARP request to the network by means of the secure ARP request message.

The first receiving unit 16 receives the ARP response message returned by the second network device 20. When the second network device 20 returns an ARP response, the first network device 10 receives it through the first receiving unit 16.

The first judging unit 17 judges whether the ARP response message received by the first receiving unit 16 carries the security identifier. This embodiment uses the OP field as the security identifier: according to the OP-field definition above, if the OP field of the ARP response returned by the second network device 20 is secure ARP reply (6), the judging unit outputs a positive result to the first decryption unit 18, which then decrypts the secure ARP response message returned by the second network device 20.

The first decryption unit 18 decrypts the address field of the secure ARP response message received by the first receiving unit 16.

The second network device 20 includes a second receiving unit 21, a second judging unit 22, a second decryption unit 23, a second encryption unit 24, a second generating unit 25 and a second sending unit 26. The second receiving unit 21, the second judging unit 22 and the second decryption unit 23 are connected in sequence; the second encryption unit 24, the second generating unit 25 and the second sending unit 26 are connected in sequence.

The second receiving unit 21 receives the ARP request message broadcast by the first network device 10. When the first network device 10 broadcasts a secure ARP request to the network, the second network device 20 receives it through the second receiving unit 21.

The second judging unit 22 judges whether the ARP request message received by the second receiving unit 21 carries the security identifier. This embodiment uses the OP field as the security identifier: according to the OP-field definition above, if the OP field of the ARP request broadcast by the first network device 10 is secure ARP request (5), the judging unit outputs a positive result to the second decryption unit 23, which then decrypts the secure ARP request message broadcast by the first network device 10.

The second decryption unit 23 decrypts the address field of the secure ARP request message received by the second receiving unit 21.

The second encryption unit 24, once the decryption unit has finished, encrypts the address information of the second network device 20 and the address information of the first network device 10. The address of the first network device 10 and the address of the second network device 20 to be requested comprise the MAC address of the first network device 10, the IP address of the first network device 10, the IP address of the second network device 20 and the MAC address of the second network device 20. As Figure 3 shows, the sender Ethernet address, sender IP address, target Ethernet address and target IP address following the OP field are the information that needs to be protected by encryption. In a concrete implementation, statically configured encryption may be used: encryption is performed under the key-to-IP correspondence set by the configuration program of the second encryption unit 24, and the encrypted ARP response message is sent to the second generating unit 25. Alternatively, a dynamically obtained key may be used: when the relevant program is invoked, the second network device 20 sends an authentication request to a third-party authentication server, obtains the key returned in the authentication response, and sends the key-to-IP correspondence to the second encryption unit 24 for encryption. Besides these two methods, other encryption methods may be used in practice according to the required level of security.

The second generating unit 25 generates the secure ARP response message, which carries the security identifier and the encrypted address information. This embodiment uses the OP-field extension described above as the identifier: according to the definitions of the operation types and their values, the encrypted ARP response message is turned into a secure ARP response message by marking the OP field as secure ARP reply (6), and the marked message is passed down to the second sending unit 26.

The second sending unit 26 sends the secure ARP response to the first network device 10 by means of the secure ARP response message.

This embodiment uses the OP field for the security identifier, but is not limited to it; referring to Figure 3, the frame type, hardware type or protocol type field may be used as the security identifier in the same way. When the first network device 10 and the second network device 20 of this embodiment determine that a message is not a secure ARP message, they may also carry out ordinary ARP interaction.

In a concrete implementation, information is exchanged in both directions, so the first network device may also include the functional modules of the second network device, and the second network device may also include the functional modules of the first.

请参见图5,图5为本发明实施例实现安全ARP方法的流程图,该图简要示出了通过对ARP字段的操作实现安全ARP方法,结合图5,本发明实施例实现安全ARP具体步骤描述如下:Please refer to FIG. 5. FIG. 5 is a flowchart of a method for implementing a secure ARP according to an embodiment of the present invention. This figure briefly shows a method for implementing a secure ARP through the operation of the ARP field. In conjunction with FIG. 5, the specific steps for implementing a secure ARP according to an embodiment of the present invention Described as follows:

Step S101: encrypt the address of the first device and the address of the second device to be requested. These addresses comprise the MAC address of the first network device 10, the IP address of the first network device 10 and the IP address of the second network device 20. As shown in Fig. 3, the sender Ethernet address, sender IP address, target Ethernet address and target IP address that follow the OP field are the information to be protected. This embodiment uses statically configured encryption: a configuration program encrypts using the key configured for the corresponding IP address. Alternatively the key can be obtained dynamically: when the client program is invoked it sends an authentication request to a third-party authentication server, obtains the key returned in the authentication response, and then encrypts using the key bound to the IP address. Beyond these two methods, other encryption methods may be used in practice according to the required level of security.

Step S102: generate a secure ARP request message. As shown in Fig. 3, the security identifier is produced by a program that extends the original OP field. The OP field in Fig. 3 defines the operation type as follows: ARP request (1), ARP reply (2), RARP request (3), RARP reply (4), where the number in parentheses is the value of the operation type; this is not the only possible definition, and both the operation types and their values may be changed. In the original protocol the sender Ethernet address, sender IP address, target Ethernet address and target IP address are plaintext. The extension marks the OP field as follows: secure ARP request (5), secure ARP reply (6), secure RARP request (7), secure RARP reply (8), where the numbers in parentheses are the values of the corresponding operation types; again the definition is not limited to this, and the operation types and values may be changed. This embodiment uses the extended OP field as the identifier, setting the OP field to secure ARP request (5).

Step S103: broadcast the secure ARP request into the network by means of the secure ARP request message.

Step S104: the second device receives the secure ARP request message. The second device examines the received broadcast request: if it recognises that the request carries an OP field with the security identifier, that is, an OP field set to secure ARP request (5), it treats the message as a secure ARP request and proceeds to the subsequent steps; otherwise it treats it as a non-secure broadcast request and either enters the ordinary ARP procedure or does not respond.

Step S105: determine whether the ARP request message carries a security identifier. This embodiment uses the OP field as the identifier; according to the OP field definition above, if the OP field of the ARP request broadcast by the first device is secure ARP request (5), decryption follows. If it is a non-secure ARP request message, an ordinary ARP exchange takes place or no response is made.

Step S106: decrypt the secure ARP request. Once step S105 has determined that the message is a secure ARP request, step S106 decrypts the encrypted part of the message. If decryption succeeds, processing continues with the subsequent steps; if decryption fails, no response is made.

Step S107: encrypt the address information of the second device and the address information of the first device. After successful decryption in step S106, the second device fills its IP address and MAC address into the corresponding fields of the ARP response, then encrypts its own address and the address of the first device being answered. With static key configuration, a configuration program encrypts the address of the second device and the address of the first device. As shown in Fig. 3, the sender Ethernet address, sender IP address, target Ethernet address and target IP address are the information to be protected; this embodiment uses statically configured encryption, in which the configuration program encrypts using the key configured for the corresponding IP address. Alternatively the key can be obtained dynamically: when the client program is invoked it sends an authentication request to a third-party authentication server, obtains the key returned in the authentication response, and then encrypts using the key bound to the IP address. Beyond these two methods, other encryption methods may be used in practice according to the required level of security.

Step S108: generate a secure ARP response message. This embodiment uses the OP field extension described above as the security identifier: according to the operation types and values defined above, the encrypted ARP response is turned into a secure ARP response message by setting the OP field to secure ARP reply (6).

Step S109: send the secure ARP response to the first device that made the ARP request. The second device sends the encrypted secure ARP response message carrying the security identifier directly to the first device, because the IP-MAC address mapping of the first device has already been obtained from the secure ARP request message, so the second device can address the secure ARP response to the first device directly.

Step S110: the first device receives the ARP response message from the second device.

Step S111: determine whether the ARP response message carries a security identifier. If the message is recognised as carrying an OP field with the security identifier, that is, an OP field set to secure ARP reply (6), it is treated as a secure ARP response message and processing continues with the subsequent steps; otherwise it is treated as a non-secure ARP response and either the ordinary ARP procedure is entered or no response is made.

Step S112: decrypt the address fields of the ARP response message. Once step S111 has determined that the message is a secure ARP response, step S112 decrypts the encrypted part of the message. If decryption succeeds, processing continues with the subsequent steps; if decryption fails, no response is made.

Step S113: the client program obtains the decrypted address of the target device through the secure IP interface and the secure ARP interface. Secure IP obtains the MAC address of the target device through the secure ARP interface and can proceed with further communication; other programs on the device are thereby unable to use the IP-MAC address mapping of the second device.
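The request/reply flow of steps S101 to S113, and the unit-level description above, as an added Python example that is not the patent's code. The cipher is left open by the text, so this example assumes a stdlib HMAC-SHA256 keystream with a nonce and authentication tag appended after the ARP packet, and a statically configured shared key; only the extended OP values 5 and 6 come from the page.

```python
"""Secure ARP exchange (steps S101-S113): extended OP values 5 and 6 flag the
secure request/reply, and the four address fields after OP are encrypted.
Added example; cipher choice and nonce/tag trailer layout are assumptions."""
import hashlib
import hmac
import os
import struct

ARP_REQUEST, ARP_REPLY = 1, 2          # standard OP values
SEC_ARP_REQUEST, SEC_ARP_REPLY = 5, 6  # extended OP values from the page

# Ethernet/IPv4 ARP: HTYPE, PTYPE, HLEN, PLEN, OP, then SHA, SPA, THA, TPA.
HDR = struct.Struct("!HHBBH")
ADDR = struct.Struct("!6s4s6s4s")
NONCE_LEN, TAG_LEN = 8, 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Assumed cipher: HMAC-SHA256 in counter mode (stdlib only); the page
    # leaves the algorithm open, so any authenticated cipher would do.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_plain_arp(op, sha, spa, tha, tpa) -> bytes:
    """Ordinary ARP packet: every address field is plaintext."""
    return HDR.pack(1, 0x0800, 6, 4, op) + ADDR.pack(sha, spa, tha, tpa)


def build_secure_arp(op, key, sha, spa, tha, tpa) -> bytes:
    """Secure ARP packet: plaintext header with extended OP, encrypted 20-byte
    address block, then an assumed trailer of nonce and authentication tag."""
    hdr = HDR.pack(1, 0x0800, 6, 4, op)
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(ADDR.pack(sha, spa, tha, tpa), _keystream(key, nonce, ADDR.size))
    tag = hmac.new(key, hdr + ct + nonce, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + ct + nonce + tag


def parse_arp(pkt: bytes, key: bytes):
    """Receiver logic of S104-S106 / S110-S112. Returns (kind, op, addrs) with
    kind 'plain' (ordinary ARP path), 'secure' (decrypted) or 'drop' (no reply)."""
    if len(pkt) < HDR.size + ADDR.size:
        return "drop", None, None
    htype, ptype, hlen, plen, op = HDR.unpack_from(pkt)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "drop", op, None
    body = pkt[HDR.size:]
    if op in (ARP_REQUEST, ARP_REPLY):          # no security flag: normal ARP
        return "plain", op, ADDR.unpack(body[:ADDR.size])
    if op not in (SEC_ARP_REQUEST, SEC_ARP_REPLY):
        return "drop", op, None
    if len(body) < ADDR.size + NONCE_LEN + TAG_LEN:
        return "drop", op, None
    ct = body[:ADDR.size]
    nonce = body[ADDR.size:ADDR.size + NONCE_LEN]
    tag = body[ADDR.size + NONCE_LEN:ADDR.size + NONCE_LEN + TAG_LEN]
    expect = hmac.new(key, pkt[:HDR.size] + ct + nonce, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):     # "decryption wrong": no response
        return "drop", op, None
    return "secure", op, ADDR.unpack(_xor(ct, _keystream(key, nonce, ADDR.size)))


def secure_arp_exchange(key, a_mac, a_ip, b_mac, b_ip):
    """Full round trip: A broadcasts a secure request for b_ip, B validates it,
    answers with a secure reply, and A recovers B's MAC (S101-S113)."""
    req = build_secure_arp(SEC_ARP_REQUEST, key, a_mac, a_ip, b"\0" * 6, b_ip)
    kind, op, addrs = parse_arp(req, key)        # B side (S104-S106)
    if kind != "secure" or op != SEC_ARP_REQUEST or addrs[3] != b_ip:
        return None
    rep = build_secure_arp(SEC_ARP_REPLY, key, b_mac, b_ip, addrs[0], addrs[1])
    kind, op, addrs = parse_arp(rep, key)        # A side (S110-S112)
    if kind != "secure" or op != SEC_ARP_REPLY:
        return None
    return addrs[0]                              # B's MAC, handed to secure IP (S113)
```

A sniffer on the segment sees only the OP value and ciphertext, while a host without the key gets `drop` and, per the scheme, no reply.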

This embodiment places the security identifier in the OP field, but is not limited to that; as Fig. 3 shows, the frame type, hardware type or protocol type could be marked in the same way. When the first device and the second device determine that a message is not a secure ARP message, they may carry out an ordinary ARP exchange.

In the embodiment of the invention, encrypting the address of the local device and the address of the target device to be requested and generating a secure ARP request message means that the IP-MAC address mapping cannot be obtained in plaintext, and encrypting the information effectively protects the device's IP-MAC address mapping, preventing the device from being attacked by other devices. In subsequent communication, programs on the same device can access the ARP cache table only through the dedicated secure IP interface, so other programs on that device cannot use the contents of the ARP cache table to attack other devices. The method of the invention protects network devices and maintains network security as effectively as the prior-art firewall approach, while being simpler than that approach, lowering cost and saving resources.

The foregoing are only preferred embodiments of the invention and do not limit its scope of rights; equivalent changes made according to the claims of the invention therefore still fall within the scope of the invention.

Claims (11)

1. A method for implementing secure ARP, characterised in that it comprises at least the following steps: encrypting the address of the local device and the address of the target device to be requested; generating a secure ARP request message in which a field is set with a security identifier and which carries the encrypted address information; broadcasting a secure ARP request into the network by means of the secure ARP request message; receiving an ARP response message from the target device, in which a field is set with a security identifier and which carries an encrypted address field; and decrypting the address field of the ARP response message to obtain the address of the target device.

2. The method for implementing secure ARP of claim 1, characterised in that, after the ARP response message of the target device is received, it further comprises: determining whether a field of the ARP response message is set with a security identifier and, if so, decrypting the address field of the ARP response message to obtain the address of the target device.

3. The method for implementing secure ARP of claim 1 or 2, characterised in that it further comprises: a client program obtaining the decrypted address of the target device through a secure IP interface and a secure ARP interface.

4. A method for implementing secure ARP, characterised in that it comprises at least the following steps: receiving a secure ARP request in which a field is set with a security identifier and which carries an encrypted address field; decrypting the address field of the secure ARP request to obtain the address information of the source requesting device; after decryption is complete, encrypting the address information of the local device and the address information of the source requesting device; generating a secure ARP response message in which a field is set with a security identifier and which carries the encrypted address information; and sending a secure ARP response to the source device of the ARP request by means of the secure ARP response message.

5. The method for implementing secure ARP of claim 4, characterised in that, after the secure ARP request message is received, it further comprises: determining whether a field of the ARP request message is set with a security identifier and, if so, decrypting the address field of the ARP request message to obtain the address of the source device of the ARP request and the requested address.

6. A network device, characterised in that it comprises: an encryption unit for encrypting the address of the local device and the address of the target device to be requested; a generating unit for generating a secure ARP request message in which a field is set with a security identifier and which carries the encrypted address information; a sending unit for broadcasting a secure ARP request into the network by means of the secure ARP request message; a receiving unit for receiving the ARP response message of the target device; and a decryption unit for decrypting the address field of the ARP response message received by the receiving unit to obtain the address of the target device.

7. The network device of claim 6, characterised in that it further comprises: a judging unit for determining whether a field of the ARP response message received by the receiving unit is set with a security identifier and, when the result is yes, outputting a positive result to the decryption unit; correspondingly, after receiving the positive result, the decryption unit decrypts the address field of the ARP response message received by the receiving unit to obtain the address of the target device.

8. The network device of claim 6 or 7, characterised in that it further comprises: a request unit for initiating a target device access request; and a secure interface unit for sending the target device address information decrypted by the decryption unit to the request unit.

9. The network device of claim 8, characterised in that the secure interface unit comprises a secure IP interface unit or a secure ARP interface unit.

10. A network device, characterised in that it comprises: a receiving unit for receiving a secure ARP request in which a field is set with a security identifier and which carries an encrypted address field; a decryption unit for decrypting the address field of the secure ARP request received by the receiving unit to obtain the address information of the source requesting device; an encryption unit for encrypting, after decryption by the decryption unit is complete, the address information of the local device and the address information of the source requesting device; a generating unit for generating a secure ARP response message in which a field is set with a security identifier and which carries the encrypted address information; and a sending unit for sending a secure ARP response to the source device of the ARP request by means of the secure ARP response message.

11. The network device of claim 10, characterised in that it further comprises: a judging unit for determining whether a field of the ARP request message received by the receiving unit is set with a security identifier and, if so, outputting a positive result to the decryption unit; correspondingly, after receiving the positive result, the decryption unit decrypts the address field of the ARP response message received by the receiving unit to obtain the address of the target device.
CN2007100328660A 2007-12-25 2007-12-25 Safety ARP implementing method and network appliance Expired - Fee Related CN101197828B (en)

Publications (2)

Publication Number Publication Date
CN101197828A CN101197828A (en) 2008-06-11
CN101197828B true CN101197828B (en) 2010-12-15



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101215