
WO2010072096A1 - Method and broadband access device for improving the security of neighbor discovery in an IPv6 environment - Google Patents


Info

Publication number
WO2010072096A1
WO2010072096A1 PCT/CN2009/074278 CN2009074278W WO2010072096A1 WO 2010072096 A1 WO2010072096 A1 WO 2010072096A1 CN 2009074278 W CN2009074278 W CN 2009074278W WO 2010072096 A1 WO2010072096 A1 WO 2010072096A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
node
record
access device
request message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2009/074278
Other languages
English (en)
Chinese (zh)
Inventor
孙鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by ZTE Corp

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/128 Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]

Definitions

  • The present invention relates to an IP Version 6 (IPv6) network, and more particularly to the Neighbor Discovery (ND) process in an IPv6 network and a broadband access device therefor.
  • IPv6 IP Version 6
  • ND Neighbor Discovery
  • IPv6 Neighbor Discovery is a set of messages and procedures that determine the relationship between neighboring nodes. ND replaces the "Address Resolution Protocol (ARP)", "Internet Control Message Protocol (ICMP)", "Router Discovery", and "ICMP Redirection" used in IP Version 4 (IPv4) and offers other features. ND is described in RFC 2461, "Neighbor Discovery for IP Version 6 (IPv6)".
  • When the network interface of a user node is first enabled, a 64-bit Interface Identifier (interface ID) is generated from the 48-bit Media Access Control (MAC) address of the network interface (if identity privacy during network communication is a concern, the interface ID is instead generated randomly according to RFC 3041). Appending this interface ID to the link-local address prefix FE80::/64 gives the network interface a temporary link-local address, which is the temporary IP address of the network interface. Before this temporary IP address is bound to the network interface, Duplicate Address Detection (DAD) must be performed on it to prevent IP address conflicts with other nodes, and the user node requests the IP address.
  • DAD Duplicate Address Detection
  • the user node also sends a multicast listener report to the multicast address.
  • If the user node receives a neighbor node announcement message for the temporary IP address, this indicates that another node on the link is already using the IP address, and the user node can only randomly generate a new interface ID or have one configured manually by the administrator.
  • A malicious attack node on the link can listen to the DAD packets on the link, extract the to-be-detected address from each DAD packet, and use it to forge a neighbor node announcement message (NA) packet in reply.
  • NA neighbor node announcement message
  • The attacked node receives the forged packet and concludes that the address is already in use. It can therefore only generate a new temporary IP address and send a DAD packet again.
  • The attacking node always responds to the DAD packet, so the attacked node is never able to obtain an IP address that passes duplicate detection, which cuts off contact between the attacked node and the outside world.
  • The malicious attack node thus achieves a Denial of Service (DoS) attack by exploiting the vulnerability in duplicate address detection.
  • DoS Denial of Service
  • Since the attack node on the link does not need to use any spoofing means, it can directly receive all DAD messages on the entire link (even in a switched network, where the switch binds ports according to the source MAC address of each data packet, a DAD packet whose destination MAC address is the Ethernet multicast address 33:33:FF:XX:XX:XX is forwarded to every port on the network device). If the attacker replies to every DAD packet on the link, communication on the entire link is paralyzed. In the experiment, the duplicate address detection DoS attack can effectively block the communication of the attacked node.
  • the adjacency list on the router has the IP address and Media Access Control (MAC) address information of all user nodes served by the router.
  • MAC Media Access Control
  • In order to keep the table available, the router periodically sends a host request message to the user node to resolve the user's MAC address.
  • the IPv6 address information of the user node does not spread to the lines of other user nodes, thus it is difficult to ensure the security of the user data stream.
  • the technical problem to be solved by the present invention is to provide a method for improving security, which can effectively prevent duplicate address detection DoS attacks in an IPv6 network, block communication by a DoS attack node, avoid communication defects of the entire link, and improve IPv6 environment.
  • The present invention provides a method for improving security, including: when a user node performs duplicate address detection on a temporary IP address, it sends a neighbor node request message to the broadband access device it belongs to, where the neighbor node request message carries the temporary IP address and MAC address of the user node;
  • After receiving the neighbor node request message, the broadband access device responds to the user node with a neighbor node announcement message only when it determines that its adjacency list already contains a record of the temporary IP address but the MAC address in the record is different from the MAC address in the neighbor node request message;
  • the above method may also have the following features:
  • If the broadband access device determines that a record in the adjacency list includes the temporary IP address and the MAC address in the record is the same as the MAC address in the neighbor node request message, the broadband access device discards the neighbor node request message and does not respond to the user node.
  • the above method may also have the following features:
  • If the broadband access device determines that the temporary IP address is not included in any record of the adjacency list, the broadband access device saves the temporary IP address and the MAC address in the neighbor node request message to a record in the adjacency list.
  • the above method may also have the following features:
  • Any one of the records of the adjacency list includes an IP address, a MAC address, and a line information.
  • When the broadband access device determines that the temporary IP address is not included in any record of the adjacency list, the line information of the user node that sent the neighbor node request message and the temporary IP address and MAC address in the neighbor node request message are saved in the same record of the adjacency list.
  • the invention also provides a broadband access device for improving security, comprising a storage module, a parsing module, a judging module and a response module, wherein:
  • the storage module is configured to save an adjacency list, where the adjacency list includes an IP address field and a MAC address field of the user node;
  • the parsing module is configured to parse the temporary IP address and the MAC address in the received neighbor node request message and send them to the determining module;
  • the determining module is configured to instruct the response module to respond when it determines that a record in the adjacency list has the temporary IP address and the MAC address in the record is different from the user MAC address in the neighbor node request message, and not to instruct the response module to respond in other cases; the response module is configured to, after receiving the indication to respond sent by the determining module, respond with a neighbor node announcement message to the user node that sent the neighbor node request message;
  • the above broadband access device may also have the following features:
  • the above broadband access device may also have the following features:
  • The adjacency list saved by the storage module further includes a line information field; if the determining module determines that the temporary IP address is not included in any record of the adjacency list, the line information of the user node that sent the neighbor node request message is stored in the line information field of the added record.
  • The neighbor node request message sent by the user node is not forwarded to other user lines; only the broadband access device controls it and replies uniformly, so other users cannot attack through ND requests. This effectively blocks communication by a DoS attack node and avoids paralysis of communication over the entire link.
  • Another technical problem to be solved by the present invention is to provide a method for ensuring neighbor discovery security in an IPv6 environment, which can ensure that user IPv6 address information does not spread to other subscriber lines.
  • the present invention provides a method for improving security, including: the broadband access device maintains an adjacency list, and the adjacency list records the IP address, MAC address, and location information of the served user node;
  • After receiving a neighbor discovery request message sent from the network side, the broadband access device searches the adjacency list for a record with the IP address of the user node carried in the neighbor discovery request message; if such a record exists, it forwards the neighbor discovery request message to the corresponding user node according to the line information in that record, and otherwise it discards the message. This improves the security of neighbor discovery in an IPv6 environment.
  • the neighbor discovery request message sent by the network side received by the broadband access device may be a host request message sent by the router.
  • the invention also provides a broadband access device for implementing the above method, comprising a storage module, a parsing module, a judging module and a forwarding module, wherein:
  • the storage module is configured to save an adjacency list, where the adjacency list includes an IP address field, a MAC address field, and a line information field of the user node;
  • the parsing module is configured to parse an IP address in a neighbor discovery request message sent by the network side, and send the IP address to the determining module;
  • the determining module is configured to: when it determines that a record in the adjacency list has the IP address sent by the parsing module, instruct the forwarding module to forward the neighbor discovery request message;
  • the forwarding module is configured to: after receiving the indication sent by the determining module, forward the neighbor discovery request message to the corresponding user node according to the line information in the record of the adjacency list that has the IP address.
  • This provides the IPv6 network with a secure ND mechanism that, while ensuring the normal service data of the user node, ensures that the user's IPv6 address information does not spread to other users' lines, thereby ensuring the security of the user data stream.
  • Figure 1 is a networking diagram of a broadband access network
  • FIG. 2 is a schematic diagram of a signaling flow of a method according to a first embodiment of the present invention
  • Figure 3 is a flow chart of the method of the second embodiment of the present invention.
  • This embodiment provides a technical solution for effectively preventing duplicate address detection DoS attacks.
  • A malicious attack node in a link can perform a DoS attack by means of a duplicate address detection vulnerability.
  • The user's IPv6 address information is spread to other nodes in the link, and the malicious attack node can listen to all DAD packets of this link.
  • the neighbor node request message sent by the user node of the present invention is not forwarded to other user lines, and only the broadband access device controls and uniformly replies, so other users cannot attack through the ND request.
  • the networking diagram of the broadband access network is shown in Figure 1. It includes a router, a broadband access device, and multiple user nodes connected to the broadband access device, such as host 1 and host 2 in Figure 1.
  • The broadband access device may be a Multi-Service Access Network (MSAN), a Digital Subscriber Line Access Multiplexer (DSLAM) or an Optical Line Terminal (OLT), capable of providing Layer 2 convergence and security capabilities.
  • MSAN Multi-Service Access Network
  • DSLAM Digital Subscriber Line Access Multiplexer
  • OLT Optical Line Terminal
  • the network side and the user side of the broadband access device are configured with different types of interfaces. In this system, different user nodes are isolated from each other and cannot be interconnected at the second layer (that is, the data link layer). The user nodes here may also be other types of nodes.
  • the broadband access device needs to be improved to implement the function of preventing duplicate address detection DoS attacks.
  • the broadband access device comprises a storage module, a parsing module, a judging module and a response module, wherein:
  • the storage module is configured to store an adjacency list, where the adjacency list includes an IP address field and a MAC address field of the user node.
  • the parsing module is configured to parse the temporary IP address and the MAC address in the received neighbor request message, and send the result to the judging module.
  • the judging module is configured to: instruct the response module to respond when it determines that a record in the adjacency list has the temporary IP address and the MAC address in the record is different from the user MAC address in the neighbor node request message, and not instruct the response module to respond in other cases; wherein, when it determines that no record in the adjacency list has the temporary IP address, it adds a record to the adjacency list and stores the temporary IP address in the neighbor node request message (in this case, the temporary IP address also becomes the IP address of the user node that sent the neighbor node request message), the MAC address, and the line information of the user node that sent the neighbor node request message in the corresponding fields of the record.
  • the response module is configured to: after receiving the indication to respond sent by the determining module, send a neighbor node advertisement message to the user node that sent the neighbor node request message.
  • The ND and DHCP snooping capability is enabled on the broadband access device to obtain the IP address, the MAC address, and the line information of the user node, and the three pieces of information of the same user node are bound and recorded in the adjacency list.
  • the structure of the adjacency table is as shown in Table 1 below, including fields such as IP address, MAC address, and line information.
  • Other methods, even manual static configuration, may be used to maintain the adjacency list.
  • Each user node must check through the DAD mechanism whether the address already exists before the temporary IP address can be used.
  • The user node (represented by host A in the figure) sends an ND request to the broadband access device to perform DAD by sending a neighbor node request message, where the request message includes the temporary IP address and MAC address of the user node;
  • the broadband access device parses the received neighbor node request packet, and obtains the temporary IP address and
  • the temporary IP address and MAC address, and the line information of the user node (the corresponding port of the user node and the virtual local area network (VLAN) information), are added to the adjacency list for the next query, and the broadband access device does not respond to the neighbor node request message;
  • VLAN virtual local area network
  • the broadband access device simulates the user node that is already using the temporary IP address and responds with a neighbor node advertisement message to the user node that sent the neighbor node request message; after receiving the neighbor node advertisement message, the user node generates a new IP address and applies again;
  • if the MAC address in the record is the same as the MAC address in the neighbor node request message, this indicates that the user node has already sent the neighbor node request message; the access device directly discards the received neighbor node request message and does not respond to it.
  • This embodiment provides a technical solution for effectively preventing user IPv6 address information from spreading to other subscriber lines.
  • The networking diagram of the broadband access network is the same as that of the first embodiment, as shown in FIG. 1.
  • the router periodically sends a host request packet (that is, initiates an ND request) to the user node recorded in the adjacency list, and the packet carries the IP address of the user node.
  • the host request packet is first sent to the broadband access device to which the user node belongs.
  • In order not to spread the IP address of the user node to unrelated subscriber lines, the broadband access device must forward the host request packet only to the corresponding subscriber line.
  • the user node After receiving the host request message, the user node sends a response to the router, carrying its own MAC address, and the router refreshes its own adjacency list according to the content of the user node response to keep the adjacency list data available.
  • The adjacency list on the broadband access device can be maintained in the same manner as in the first embodiment. For example, the ND and DHCP snooping capability can be enabled to obtain the IP address, MAC address, and line information of the user node, such as from neighbor node request messages; other ways, even manual static configuration, can also be used to maintain the adjacency list. The description is not repeated here.
  • the broadband access device includes a storage module, a parsing module, a judging module, and a forwarding module, where:
  • the storage module is configured to save the adjacency list, where the adjacency list includes an IP address field, a MAC address field, and a line information field of the user node;
  • the parsing module is configured to parse the IP address in the neighbor discovery request packet (such as the host request packet of the router) sent by the network, and then send the packet to the judging module;
  • the determining module is configured to: when it determines that a record in the adjacency list has the IP address sent by the parsing module, instruct the forwarding module to forward the neighbor discovery request;
  • the forwarding module is configured to forward the neighbor discovery request message to the corresponding user node according to the line information in the record with the IP address in the adjacency list after receiving the indication sent by the determining module.
  • the process of the method in this embodiment is as shown in FIG. 3, and includes:
  • Step 310 The router sends a host request message to the user node recorded in the adjacency list, where the packet carries the IP address of the user node.
  • Step 320 After receiving the host request packet sent by the router, the broadband access device parses the IP address of the user node in the packet, and searches the adjacency list according to the IP address:
  • Step 330 If a record with the IP address is found, go to step 340. Otherwise, directly discard the host request message without responding, and end;
  • Step 340 The broadband access device extracts the subscriber line information in the record, and forwards the received host request message to the subscriber line. In this way, the broadband access device does not forward the IPv6 address information of a certain user node to other user lines, thereby preventing the data packet from being stolen and leaking the IP address of the user node, thereby improving the security of the ND process.
  • ND request packets sent by other network-side devices are processed by the broadband access device in the same manner. It should be noted that the method of the present invention may be changed or replaced according to the technical solutions of the present invention and the beneficial effects thereof, and all such changes or substitutions are within the scope of the claims of the present invention.
  • The neighbor node request message sent by the user node is not forwarded to other user lines; only the broadband access device controls it and replies uniformly, so other users cannot attack through ND requests. This effectively blocks communication by a DoS attack node and avoids paralysis of communication over the entire link.
  • the ND mechanism that can provide IPv6 network security ensures that the user's IPv6 address information does not spread to other users' lines on the basis of ensuring the normal service data of the user node, thereby ensuring the security of the user data stream.
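
Both embodiments above reduce to lookups in one adjacency list, shown here as a Python sketch. It is an added example, not code from the patent or from ZTE: the class and function names, line labels and sample addresses are constructed for illustration, and addresses are normalized so that different spellings of one address or MAC hit the same record.

```python
"""Added example: adjacency-list decisions of a broadband access device."""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    LEARN_NO_REPLY = "store binding, send nothing"
    DISCARD = "drop request, send nothing"
    PROXY_NA = "answer with a neighbor node announcement"
    FORWARD = "forward to one subscriber line"


@dataclass(frozen=True)
class Record:
    ip: ipaddress.IPv6Address
    mac: str
    line: str  # port and VLAN of the subscriber line


def norm_mac(mac):
    """Canonical lower-case, colon-separated MAC for comparison."""
    return mac.replace("-", ":").lower()


class AccessDevice:
    def __init__(self):
        self.adjacency = {}  # IPv6Address -> Record

    def on_user_dad_request(self, line, target_ip, src_mac):
        """First embodiment: a DAD request arriving from a user line.

        The request is never copied to other user lines; the device
        alone decides whether anything is sent back.
        """
        ip = ipaddress.IPv6Address(target_ip)
        mac = norm_mac(src_mac)
        rec = self.adjacency.get(ip)
        if rec is None:
            # Address unknown: bind IP, MAC and line, stay silent so
            # the user node's DAD succeeds.
            self.adjacency[ip] = Record(ip, mac, line)
            return (Action.LEARN_NO_REPLY, None)
        if rec.mac == mac:
            # Same node asking again for its own address.
            return (Action.DISCARD, None)
        # Address held by a different MAC: answer on behalf of the
        # holder, on the requesting line only.
        return (Action.PROXY_NA, line)

    def on_network_request(self, target_ip):
        """Second embodiment, steps 320 to 340: request from the network side."""
        rec = self.adjacency.get(ipaddress.IPv6Address(target_ip))
        if rec is None:
            return (Action.DISCARD, None)
        return (Action.FORWARD, rec.line)


# Constructed sample traffic; none of these values come from the patent.
SAMPLE_EVENTS = [
    ("user", "port1/vlan101", "fe80::211:22ff:fe33:4401", "00:11:22:33:44:01"),
    ("user", "port1/vlan101", "FE80::0211:22FF:FE33:4401", "00-11-22-33-44-01"),
    ("user", "port2/vlan102", "fe80::211:22ff:fe33:4401", "00:11:22:33:44:02"),
    ("net", "fe80::211:22ff:fe33:4401"),
    ("net", "fe80::dead:beef"),
]


def replay(events):
    """Feed events to a fresh device and return one (Action, line) per event."""
    dev = AccessDevice()
    results = []
    for ev in events:
        if ev[0] == "user":
            results.append(dev.on_user_dad_request(ev[1], ev[2], ev[3]))
        else:
            results.append(dev.on_network_request(ev[1]))
    return results


if __name__ == "__main__":
    for ev, (action, line) in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(ev, "->", action.name, line)
```

The third event is the only one that produces a neighbor node announcement, and it is sent by the access device to the requesting line; no user line ever sees another line's DAD request.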

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to a method and a broadband access device for improving the security of neighbor discovery in an IPv6 environment. Neighbor node solicitation messages sent by user nodes are controlled and answered uniformly only by the broadband access device, without being forwarded to other user lines, and other users cannot launch an attack through a neighbor discovery request, so that the communication of the node attacked by a denial of service is effectively blocked and paralysis of communication on the entire link is avoided. Implementing the invention gives the IPv6 network a secure neighbor discovery mechanism and, while guaranteeing the normal service data of the user node, guarantees that IPv6 address information is not spread to other user lines, so that the security of the user data stream is guaranteed.
PCT/CN2009/074278 2008-12-25 2009-09-28 Method and broadband access device for improving the security of neighbor discovery in an IPv6 environment Ceased WO2010072096A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810176582.3 2008-12-25
CN2008101765823A CN101764734B (zh) 2008-12-25 2008-12-25 Method and broadband access device for improving neighbor discovery security in an IPv6 environment

Publications (1)

Publication Number Publication Date
WO2010072096A1 true WO2010072096A1 (fr) 2010-07-01

Family

ID=42286878

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/074278 Ceased WO2010072096A1 (fr) 2008-12-25 2009-09-28 Method and broadband access device for improving the security of neighbor discovery in an IPv6 environment

Country Status (2)

Country Link
CN (1) CN101764734B (fr)
WO (1) WO2010072096A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
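CN1901551A (zh) * 2005-07-19 2007-01-24 上海贝尔阿尔卡特股份有限公司 Duplicate address detection method and apparatus in a Layer 2 access network supporting IPv6
CN101222513A (zh) * 2008-01-28 2008-07-16 杭州华三通信技术有限公司 Method and network device for preventing duplicate address detection attacks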

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
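CN1980252A (zh) * 2005-12-06 2007-06-13 华为技术有限公司 Method for implementing address conflict detection and address conflict detection proxy apparatus
CN101018146A (zh) * 2006-02-10 2007-08-15 北京航空航天大学 Local management unit for hierarchical mobile IPv6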

Also Published As

Publication number Publication date
CN101764734A (zh) 2010-06-30
CN101764734B (zh) 2012-12-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09834049

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09834049

Country of ref document: EP

Kind code of ref document: A1