
CN116634435B - A safety protection method, device, equipment and medium - Google Patents

A safety protection method, device, equipment and medium

Info

Publication number
CN116634435B
Authority
CN
China
Prior art keywords
target
data packet
base station
address
network element
Prior art date
Legal status
Active
Application number
CN202310724145.5A
Other languages
Chinese (zh)
Other versions
CN116634435A (en)
Inventor
姜坤
季新生
陶剑
王春晓
张停
杨梅樾
贲星
Current Assignee
Zijinshan Laboratory
Network Communication and Security Zijinshan Laboratory
Original Assignee
Zijinshan Laboratory
Network Communication and Security Zijinshan Laboratory
Events
Application filed by Zijinshan Laboratory and Network Communication and Security Zijinshan Laboratory
Priority to CN202310724145.5A
Publication of CN116634435A
Application granted
Publication of CN116634435B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H04W12/108 Source integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks


Abstract

The present application discloses a security protection method, apparatus, device and medium, relating to the field of mobile communication security and applied to a user plane function network element. The method includes: obtaining each data packet; checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet, and the corresponding first base station address, are consistent with the target IPv6 prefix and the target base station address; if they are, checking whether the subsequent base station address and subsequent IPv6 address corresponding to each subsequent data packet are consistent with the target base station address and the first IPv6 address; if they are, sending the subsequent data packet to the target network device, and if they are not, discarding it. This ensures that every subsequent data packet sent to the target network device was sent by the user who sent the first data packet, through the terminal that sent the first data packet, via the target base station. Since every data packet sent to the target network device comes from the user and terminal of the first data packet, a large number of false users cannot exist; only one user exists.

Description

Safety protection method, device, equipment and medium
Technical Field
The present invention relates to the field of mobile communications security, and in particular, to a security protection method, apparatus, device, and medium.
Background
Currently, the IPv6 address of a terminal in 5G (fifth generation mobile communication technology) is allocated to the terminal by the core network. Specifically, the session management network element first allocates an interface identifier to the terminal; the terminal generates a new 64-bit interface identifier from that identifier combined with its own MAC (Media Access Control) address; at the same time the terminal obtains a 64-bit prefix allocated by the core network, and the prefix and the interface identifier are combined to form the terminal's IPv6 address. With this address the terminal can access the Internet data network of a network device through the core network. The user plane function network element in the core network is the interface between the data plane of the core network and the external Internet; after decapsulation it performs packet detection on the data packets initiated by the terminal (that is, it checks the 64-bit prefix) and performs routing and forwarding, QoS (Quality of Service) handling, charging and the like according to the rule matched by packet detection.
For an IPv6 user, the operator's existing processing flow mainly checks the leading 64-bit IPv6 prefix of the user's source address. Consequently, once the terminal's 64-bit prefix is intercepted by a counterfeiter, the counterfeiter can forge arbitrary IPv6 addresses of the terminal from that prefix and then use them to access Internet data, stealing data traffic and causing additional billing for the original terminal user. Furthermore, if the counterfeiter uses the 64-bit prefix to forge a large number of false users accessing Internet data, it can occupy the bandwidth of the core network user plane and mount a serious DDoS (Distributed Denial of Service) attack against an Internet server.
In summary, how to prevent counterfeiters from forging a large number of false users is an urgent problem to be solved.
Disclosure of Invention
In view of the above, the present invention aims to provide a security protection method, apparatus, device and medium capable of preventing counterfeiters from forging a large number of false users. The specific scheme is as follows:
In a first aspect, the present application discloses a security protection method applied to a user plane function network element, including:
acquiring each data packet sent to local access target network equipment;
checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet among the data packets, and the corresponding first base station address, are consistent with the target IPv6 prefix and the target base station address issued by the session management network element, wherein an IPv6 address comprises an IPv6 prefix and an interface identifier;
if so, checking whether the subsequent base station address and the subsequent IPv6 address corresponding to each subsequent data packet among the data packets are consistent with the target base station address and the first IPv6 address; if so, sending the subsequent data packet to the target network device, and if not, discarding the subsequent data packet, so as to ensure that every subsequent data packet sent to the target network device was sent by the user who sent the first data packet, through the terminal that sent the first data packet, via the target base station;
and if not, taking the next data packet among the data packets as the first data packet and returning to the step of checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet, and the corresponding first base station address, are consistent with the target IPv6 prefix and the target base station address issued by the session management network element, until checking of the data packets is completed.
Optionally, before the acquiring each data packet sent to the local access target network device, the method further includes:
After a target user accesses a session management network element and initiates a session request based on the target base station through a target terminal, acquiring the target base station address and the target IPv6 prefix of the target base station sent by the session management network element;
The target IPv6 prefix is sent to the target terminal, so that the target terminal distributes the target IPv6 prefix for the target user, a target interface identifier provided by the target terminal and the target IPv6 prefix are combined to obtain a target IPv6 address, then the target terminal constructs an initial data packet based on the target IPv6 address and sends the initial data packet to the user plane function network element through the target base station, wherein the target base station adds the target base station address as a source address into the initial data packet to obtain a target data packet after acquiring the initial data packet, and sends the target data packet to the user plane function network element, and the target interface identifier is an interface identifier generated by the target terminal according to a terminal media access control address and the initial interface identifier distributed by the session management network element for the target terminal.
Optionally, after the obtaining the target base station address and the target IPv6 prefix sent by the session management network element, the method further includes:
and determining a target base station based on the target base station address, and establishing a target tunnel between the target base station and the user plane function network element so that the target base station sends the target data packet to the user plane function network element through the target tunnel.
Optionally, the sending the target IPv6 prefix to the target terminal includes:
receiving a router solicitation sent by the target terminal, and returning a router advertisement to the target terminal based on the router solicitation, wherein the router advertisement comprises the target IPv6 prefix.
Optionally, the obtaining the target base station address and the target IPv6 prefix of the target base station sent by the session management network element includes:
and acquiring a session establishment message sent by a session management network element, and acquiring a target base station address of the target base station carried by a first field of the session establishment message and a target IPv6 prefix carried by a second field of the session establishment message.
Optionally, before the acquiring each data packet sent to the local access target network device, the method further includes:
obtaining a target field carrying the target base station address and issued by the session management network element, and obtaining the target base station address from the target field, wherein the target field is an existing field of the interface between the session management network element and the user plane function network element that is multiplexed for this purpose.
In a second aspect, the present application discloses a security protection apparatus applied to a user plane function network element, including:
the data packet acquisition module is used for acquiring each data packet sent to the local access target network equipment;
the first checking module is used for checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet among the data packets, and the corresponding first base station address, are consistent with the target IPv6 prefix and the target base station address issued by the session management network element, wherein an IPv6 address comprises an IPv6 prefix and an interface identifier;
the second checking module is used for, if so, checking whether the subsequent base station address and the subsequent IPv6 address corresponding to each subsequent data packet among the data packets are consistent with the target base station address and the first IPv6 address, sending the subsequent data packet to the target network device if so, and discarding the subsequent data packet if not, so as to ensure that every subsequent data packet sent to the target network device was sent by the user who sent the first data packet, through the terminal that sent the first data packet, via the target base station;
and the first data packet determining module is used for, if not, taking the next data packet among the data packets as the first data packet and returning to the step of checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet, and the corresponding first base station address, are consistent with the target IPv6 prefix and the target base station address issued by the session management network element, until checking of the data packets is completed.
Optionally, the safety device further includes:
The information acquisition module is used for acquiring the target base station address and the target IPv6 prefix of the target base station sent by the session management network element after a target user accesses the session management network element through the target terminal based on the target base station and initiates a session request;
And the information sending module is used for sending the target IPv6 prefix to the target terminal so that the target terminal distributes the target IPv6 prefix for the target user, combines a target interface identifier provided by the target terminal with the target IPv6 prefix to obtain a target IPv6 address, constructs an initial data packet based on the target IPv6 address by the target terminal, and sends the initial data packet to the user plane function network element through the target base station, wherein after the target base station acquires the initial data packet, the target base station address is used as a source address to be added into the initial data packet to obtain a target data packet, and the target data packet is sent to the user plane function network element.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
And a processor for executing the computer program to implement the previously disclosed security protection method.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements the previously disclosed security protection method.
Therefore, the present application obtains each data packet sent to the locally accessed target network device; checks whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet, and the corresponding first base station address, are consistent with the target IPv6 prefix and the target base station address issued by the session management network element, wherein an IPv6 address comprises an IPv6 prefix and an interface identifier; if so, checks whether the subsequent base station address and the subsequent IPv6 address corresponding to each subsequent data packet are consistent with the target base station address and the first IPv6 address, sends the subsequent data packet to the target network device if so, and discards it if not, so as to ensure that every subsequent data packet sent to the target network device was sent by the user who sent the first data packet, through the terminal that sent the first data packet, via the target base station; and if not, takes the next data packet as the first data packet and returns to the checking step until checking of the data packets is completed.
In this way, the first IPv6 address (comprising the first IPv6 prefix and the first interface identifier) of the first data packet that passed the IPv6 prefix check is used to check the subsequent data packets, so that every subsequent data packet sent to the target network device was sent by the user who sent the first data packet, through that user's terminal, via the target base station. At that point only data packets sent by one user through one terminal via the target base station are obtained, and data packets sent by other users through other terminals via the target base station are not, so a large number of false users is avoided and only one user exists.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for protecting safety disclosed by the application;
FIG. 2 is a flow chart of a specific method of protecting safety disclosed in the present application;
FIG. 3 is a schematic diagram of a safety protection process according to the present disclosure;
FIG. 4 is a schematic view of a safety device according to the present disclosure;
Fig. 5 is a block diagram of an electronic device according to the present disclosure.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
When the 64-bit prefix of a terminal is intercepted by a counterfeiter, the counterfeiter can forge arbitrary IPv6 addresses of the terminal, use them to access Internet data, steal data traffic and cause additional billing for the original terminal user; furthermore, if the counterfeiter uses the 64-bit prefix to forge a large number of false users accessing Internet data, it can occupy the bandwidth of the core network user plane and mount a serious DDoS (Distributed Denial of Service) attack against an Internet server.
Therefore, the embodiment of the application provides a safety protection scheme which can prevent counterfeiters from forging a large number of false users.
The embodiment of the application discloses a safety protection method which is applied to a user plane functional network element, and is shown in fig. 1, and the method comprises the following steps:
step S11, each data packet sent to the local access target network equipment is obtained.
In this embodiment, the data packets may include the target data packet, false data packets sent using the target IPv6 prefix after a false user has intercepted it, and other data packets unrelated to the target IPv6 prefix. Note that a false user can intercept the target IPv6 prefix, combine it with the false interface identifier of the terminal on which the false user is located to construct a false IPv6 address, and send false data packets from that false IPv6 address; the false interface identifier is the interface identifier of the terminal on which the false user is actually located.
In this embodiment, before obtaining each data packet sent to the locally accessed target network device, the method further includes obtaining a target field carrying the target base station address and issued by the session management network element, and obtaining the target base station address from the target field, where the target field is an existing field of the interface between the session management network element and the user plane function network element that is multiplexed for this purpose.
It should be noted that the multiplexed existing field is the Source IP Address field. This field is used for three reasons: first, its internal structure accommodates IPv4 and IPv6 dual-stack tunnel addresses; second, the field originally relates only to the special multi-downlink multicast function of the user plane network element, so multiplexing it does not affect the basic functions of the user plane network element, and the two uses of the field can be distinguished by a feature switch in the user plane network element; third, an existing 3GPP (3rd Generation Partnership Project) field is multiplexed rather than a private field being constructed to store the target base station address, because a private field could cause interoperability failures between session management network elements and user plane function network elements from different manufacturers.
It should be noted that, because the operator's existing matching process does not check the base station address of a data packet, a counterfeiter can also intrude into the backhaul network between the base station and the user plane network element by forging a base station address; if the counterfeiter uses that base station address to forge a large number of uplink data packets accessing Internet data, it can also cause a data storm that occupies the bandwidth of the core network user plane and seriously prevents normal users from accessing the Internet. Therefore, by obtaining the target base station address and adding the step of checking it, the user plane network element can further ensure that users can access the Internet normally.
Step S12: checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet among the data packets, and the corresponding first base station address, are consistent with the target IPv6 prefix and the target base station address issued by the session management network element, wherein an IPv6 address comprises an IPv6 prefix and an interface identifier, one user corresponds to one IPv6 prefix, and one interface identifier corresponds to one terminal.
In this embodiment, the user plane functional network element and the session management network element both belong to a core network element.
In this embodiment, the checking whether the first base station address is consistent with the target base station address is to ensure that the data packet is a data packet forwarded by the target base station corresponding to the target base station address.
In this embodiment, checking whether the first IPv6 prefix is consistent with the target IPv6 prefix determines whether the data packet was sent using the target IPv6 prefix. It should be noted that, although one user corresponds to one IPv6 prefix, a false user may intercept the target IPv6 prefix of the target user, in which case the prefix of the false data packets sent by the false user is also the target IPv6 prefix.
In summary, checking whether the first IPv6 prefix is consistent with the target IPv6 prefix cannot determine whether the user sending the data packet is the target user or a false user, but it does exclude other data packets unrelated to the target IPv6 prefix, thereby ensuring that the prefix used by the user sending the data packet is the target IPv6 prefix.
Step S13: if so, checking whether the subsequent base station address and the subsequent IPv6 address corresponding to each subsequent data packet among the data packets are consistent with the target base station address and the first IPv6 address; if so, sending the subsequent data packet to the target network device, and if not, discarding the subsequent data packet, so as to ensure that every subsequent data packet sent to the target network device was sent by the user who sent the first data packet, through the terminal that sent the first data packet, via the target base station.
In this embodiment, if the first IPv6 prefix is found to be consistent with the target IPv6 prefix, it is determined that the prefix used by the user sending the data packet is the target IPv6 prefix, that is, the sender is either the target user or some false user. At this point the subsequent base station address and subsequent IPv6 address corresponding to each subsequent data packet are checked against the target base station address and the first IPv6 address, namely: whether the subsequent base station address is consistent with the target base station address, whether the subsequent IPv6 prefix is consistent with the first IPv6 prefix in the first IPv6 address, and whether the subsequent interface identifier in the subsequent IPv6 address is consistent with the first interface identifier in the first IPv6 address. If all three are consistent, the subsequent data packet sent to the target network device was sent by the user who sent the first data packet, through the terminal that sent the first data packet, via the target base station, that is, by the same user and the same terminal as the first data packet.
Step S14: if not, taking the next data packet among the data packets as the first data packet and returning to the step of checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet, and the corresponding first base station address, are consistent with the target IPv6 prefix and the target base station address issued by the session management network element, until checking of the data packets is completed.
In this embodiment, if the check on the first data packet fails, the current first data packet is discarded and the next data packet among the data packets is taken as the first data packet.
In summary, only one fixed user, through one fixed terminal, can send data packets to the target network device.
Therefore, the present application uses the first IPv6 address (comprising the first IPv6 prefix and the first interface identifier) of the first data packet that passed the IPv6 prefix check to check the subsequent data packets, so that every subsequent data packet sent to the target network device was sent by the user who sent the first data packet, through the terminal that sent the first data packet, via the target base station. At this point only data packets sent by one user through one terminal via the target base station are obtained, so a large number of false users cannot exist and only one user exists. When the first IPv6 address is an address forged by a false user after intercepting the target IPv6 prefix, the subsequently obtained data packets can only have been sent by that false user; when the first IPv6 address is the target IPv6 address of the target user, the subsequently obtained data packets were sent by the target user.
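The per-session check of steps S11 to S14, as an added Python model that is not part of the patent or of any implementation by the assignee; the base station address, prefix, interface identifier and packet sequence are constructed values, and the model assumes that the first packet passing step S12 is itself forwarded.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IID_MASK = (1 << 64) - 1


@dataclass(frozen=True)
class UplinkPacket:
    """Constructed model of an uplink packet as the UPF sees it after tunnel
    decapsulation: the base station address the gNB added as tunnel source,
    and the terminal's IPv6 source address."""
    base_station_addr: str
    src_ipv6: str


def split_ipv6(addr: str) -> Tuple[int, int]:
    """Split an IPv6 address into its 64-bit prefix and 64-bit interface identifier."""
    value = int(ipaddress.IPv6Address(addr))
    return value >> 64, value & IID_MASK


def compose_ipv6(prefix: str, interface_id: int) -> str:
    """Terminal side: combine the /64 prefix from the router advertisement with
    the terminal's own interface identifier to form its IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("terminal prefix must be a /64")
    return str(ipaddress.IPv6Address(int(net.network_address) | (interface_id & IID_MASK)))


class UpfSessionFilter:
    """Per-session filter on the user plane function network element.

    The SMF has already issued the target base station address and the target
    IPv6 prefix for this session; the filter locks the session to the first
    packet that passes step S12 and drops everything that does not match it."""

    def __init__(self, target_base_station: str, target_prefix: str) -> None:
        self.target_base_station = str(ipaddress.ip_address(target_base_station))
        net = ipaddress.IPv6Network(target_prefix, strict=False)
        self.target_prefix = int(net.network_address) >> 64
        # (base station, prefix, interface id) of the first packet once one passed S12.
        self.head: Optional[Tuple[str, int, int]] = None

    def process(self, pkt: UplinkPacket) -> str:
        """Return "forward" or "drop" for one packet (steps S12 to S14)."""
        base_station = str(ipaddress.ip_address(pkt.base_station_addr))
        prefix, iid = split_ipv6(pkt.src_ipv6)
        if self.head is None:
            # S12: a candidate first packet must come from the target base station
            # and carry the SMF-issued target prefix.
            if base_station == self.target_base_station and prefix == self.target_prefix:
                # Assumption: the first packet that passes S12 is itself forwarded;
                # the page only says later packets are checked against it.
                self.head = (base_station, prefix, iid)
                return "forward"
            # S14: discard it; the next packet becomes the candidate first packet.
            return "drop"
        # S13: later packets must match base station, prefix AND interface id,
        # so a forged address that reuses the intercepted prefix is dropped.
        return "forward" if (base_station, prefix, iid) == self.head else "drop"


# Constructed session parameters (what the SMF issues in the page's step S21).
TARGET_BASE_STATION = "10.1.1.1"
TARGET_PREFIX = "2001:db8:1:1::/64"
TERMINAL_IID = 0x0211_22FF_FE33_4455                      # constructed EUI-64 style IID
TARGET_ADDR = compose_ipv6(TARGET_PREFIX, TERMINAL_IID)   # 2001:db8:1:1:211:22ff:fe33:4455

# Constructed uplink sequence mixing the legitimate terminal with the page's threat
# cases: an unrelated prefix, a forged base station address, and a forged address
# that reuses the intercepted target prefix with a different interface identifier.
SAMPLE_PACKETS = [
    UplinkPacket("10.1.1.1", "2001:db8:9:9:211:22ff:fe33:4455"),  # unrelated prefix
    UplinkPacket("10.9.9.9", TARGET_ADDR),                        # forged base station
    UplinkPacket("10.1.1.1", TARGET_ADDR),                        # legitimate: becomes first packet
    UplinkPacket("10.1.1.1", "2001:db8:1:1:dead:beef:0:1"),      # same prefix, other IID
    UplinkPacket("10.9.9.9", TARGET_ADDR),                        # forged base station again
    UplinkPacket("10.1.1.1", TARGET_ADDR),                        # legitimate
]


def run_session(target_base_station: str, target_prefix: str,
                packets: List[UplinkPacket]) -> List[str]:
    """Run one session's packets through the filter and return the per-packet verdicts."""
    upf = UpfSessionFilter(target_base_station, target_prefix)
    return [upf.process(p) for p in packets]


if __name__ == "__main__":
    verdicts = run_session(TARGET_BASE_STATION, TARGET_PREFIX, SAMPLE_PACKETS)
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{verdict:8} {pkt.base_station_addr:10} {pkt.src_ipv6}")
```

Running a sequence in which a forged packet carrying the intercepted prefix arrives before the legitimate one reproduces the limitation stated above: the session locks onto the forger and the genuine terminal's packets are then dropped.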
The embodiment of the application discloses a specific security protection method which is applied to a user plane function network element, and compared with the previous embodiment, the embodiment further describes and optimizes the technical scheme. Referring to fig. 2, the method specifically includes:
And S21, after a target user accesses a session management network element based on the target base station through a target terminal and initiates a session request, acquiring the target base station address and the target IPv6 prefix of the target base station sent by the session management network element.
In this embodiment, before the verification process, the target terminal is required to access the session management network element through the target base station and initiate a session request, the target terminal is required to create the target IPv6 address, and a data packet transmission channel between the target base station and the user plane function network element is required to be established.
In this embodiment, establishing a data packet transmission channel between a target base station and a user plane function network element is shown below, and after the target base station address and the target IPv6 prefix sent by a session management network element are obtained, determining a target base station based on the target base station address, and establishing a target tunnel between the target base station and the user plane function network element, so that the target base station sends the target data packet to the user plane function network element through the target tunnel.
It should be noted that the target tunnel is a general packet radio service tunnel.
In this embodiment, before obtaining each data packet sent to the local access target network device, the method further includes obtaining a target field carrying the target base station address and issued by the session management network element, and obtaining the target base station address from the target field, where the target field is an existing field of the interface between the session management network element and the user plane function network element that is reused (multiplexed) for this purpose.
It should be noted that, because the existing matching process of the operator only checks the address of the user plane network element corresponding to the target tunnel, a counterfeiter can also inject traffic into the backhaul network between the base station and the user plane network element by forging the base station address corresponding to the target tunnel. If the counterfeiter uses that base station address to forge a large number of uplink data packets to access internet data, the result is a data storm that occupies the bandwidth of the core network user plane, with the serious consequence that normal users cannot access the internet. Therefore, the user plane network element obtains the target base station address, and the additional step of checking the target base station address further ensures that users can access the internet normally.
In this embodiment, the obtaining the target base station address and the target IPv6 prefix of the target base station sent by the session management network element includes obtaining a session establishment message sent by the session management network element, and obtaining a target base station address of the target base station carried in a first field of the session establishment message and a target IPv6 prefix carried in a second field of the session establishment message. It is noted that the first field is one of the multiplexed fields in the session establishment message.
Step S22, the target IPv6 prefix is sent to the target terminal, so that the target terminal distributes the target IPv6 prefix for the target user, a target interface identifier provided by the target terminal and the target IPv6 prefix are combined to obtain a target IPv6 address, then the target terminal constructs an initial data packet based on the target IPv6 address, and sends the initial data packet to the user plane function network element through the target base station, wherein after the target base station acquires the initial data packet, the target base station address is added into the initial data packet as a source address to obtain a target data packet, and the target data packet is sent to the user plane function network element.
In this embodiment, the sending the target IPv6 prefix to the target terminal includes obtaining a router request sent by the target terminal, and returning a router advertisement to the target terminal based on the router request, where the router advertisement includes the target IPv6 prefix.
In this embodiment, the user plane function network element also binds the target IPv6 prefix with the target base station address, so as to facilitate subsequent verification, and reduce potential safety hazards caused by forging the target tunnel from the base station to the user plane function network element, that is, prevent the target base station from being replaced by another base station.
In this embodiment, the target interface identifier is an interface identifier generated by the target terminal according to a terminal media access control address and an initial interface identifier allocated by the session management network element to the target terminal.
The method comprises the steps of obtaining a target base station address and a target IPv6 prefix of a target base station sent by a session management network element after a target user accesses the session management network element through the target terminal based on the target base station and initiates a session request, sending the target IPv6 prefix to the target terminal so that the target terminal distributes the target IPv6 prefix for the target user, combining a target interface identifier provided by the target terminal with the target IPv6 prefix to obtain a target IPv6 address, then constructing an initial data packet by the target terminal based on the target IPv6 address, and sending the initial data packet to the user plane function network element through the target base station, wherein the target base station adds the target base station address as a source address into the initial data packet to obtain a target data packet after obtaining the initial data packet, and sends the target data packet to the user plane function network element. Therefore, before the verification process is performed, the target terminal is required to access the session management network element through the target base station and initiate the session request, the target terminal is required to create the target IPv6 address, and a data packet transmission channel between the target base station and the user plane function network element is required to be established so as to perform subsequent data packet transmission and verification work.
Referring to Fig. 3, a schematic diagram of the security protection flow is shown:
Step 1, the target terminal accesses the core network through the target base station and initiates a session establishment flow. The session management network element sends a PFCP Session Establishment Request message (the session establishment message) to the user plane function network element, in which the CREATE PDR => IP Multicast Addressing Info => Source IP Address field carries the target base station address (gNB_ip); specifically, the first field Source IP Address under the multiplexed field IP Multicast Addressing Info carries the target base station address, and the CREATE PDR => PDI => UE IP Address field (the second field) carries the target IPv6 prefix UE_ipA of the terminal dynamically allocated by the session management network element. The user plane function network element creates and records the session-related information according to the session establishment message sent by the session management network element;
Step 2, a GTP (GPRS Tunneling Protocol) tunnel, that is, the target tunnel, is established on the N3 side between the target base station (the base station corresponding to the target base station address gNB_ip) and the user plane function network element for transmitting data;
Step 3, the target terminal obtains the target IPv6 prefix UE_ipA dynamically allocated by the session management network element through RS (Router Solicitation) / RA (Router Advertisement) messages, then combines it with the target interface identifier UE_ipB generated from the MAC address of the target terminal; UE_ipA + UE_ipB forms the target IPv6 address UE_ip that the terminal uses for accessing internet data;
Step 4, the target terminal accesses internet data on the target network device side using the target IPv6 address UE_ip. When the first packet of the data flow passes through the user plane function network element, the user plane function network element checks whether the source address gtp_gNBip (the first base station address) of the outer GTP header of the data packet is the same as the target base station address gNB_ip issued by the session management network element, and checks whether the prefix (the first IPv6 prefix) of the inner source address UE_ip of the data packet is the same as the target IPv6 prefix UE_ipA dynamically allocated by the session management network element. If the check passes, the user plane function network element forwards the data packet to the target network device, records the complete target IPv6 address UE_ip of the target terminal, and updates the CREATE PDR => PDI => UE IP Address field, replacing the original value UE_ipA in that field with UE_ip;
Step 5, when subsequent data packets of the target terminal's internet access flow pass through the user plane function network element, the user plane function network element checks whether the source address gtp_gNBip (the subsequent base station address) of the outer GTP header of the data packet is the same as the target base station address gNB_ip issued by the session management network element, and checks whether the inner IPv6 source address UE_ip (the subsequent IPv6 address) of the data packet is the same as the target IPv6 address UE_ip of the terminal recorded under the CREATE PDR => PDI => UE IP Address field. If the check does not pass, the user plane function network element discards the data packet.
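As an added example (not code from the patent), the two-stage check of steps 4 and 5 modelled in Python over a constructed packet sequence: the gNB address, prefix and UE address are made-up sample values, `legacy_prefix_only` stands in for the prefix-only matching the text contrasts with, and a failed first-packet check is treated as not forwarded, with the next packet becoming the candidate first packet.

```python
"""Model of the UPF-side two-stage source check described in steps 4 and 5."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

FORWARD = "FORWARD"
DROP = "DROP"


@dataclass(frozen=True)
class UplinkPacket:
    """One uplink packet as seen by the UPF on the N3 side.

    gtp_src   : source address of the outer GTP header (gtp_gNBip in the text)
    inner_src : source address of the inner IPv6 header (UE_ip in the text)
    """
    gtp_src: str
    inner_src: str


class UpfSessionCheck:
    """Per-session state the UPF keeps from the PFCP Session Establishment Request."""

    def __init__(self, gnb_ip: str, ue_prefix: str) -> None:
        # gNB_ip carried in CREATE PDR => IP Multicast Addressing Info => Source IP Address
        self.gnb_ip = ipaddress.ip_address(gnb_ip)
        # UE_ipA carried in CREATE PDR => PDI => UE IP Address (prefix only at this point)
        self.ue_prefix = ipaddress.IPv6Network(ue_prefix)
        # Full 128-bit UE_ip, filled in once a first packet passes (replaces UE_ipA in the PDI)
        self.ue_ip: Optional[ipaddress.IPv6Address] = None

    def _outer_ok(self, pkt: UplinkPacket) -> bool:
        """Outer source must be the bound base station address."""
        return ipaddress.ip_address(pkt.gtp_src) == self.gnb_ip

    def check_first_packet(self, pkt: UplinkPacket) -> bool:
        """Step 4: outer source == gNB_ip and inner source prefix == UE_ipA."""
        inner = ipaddress.IPv6Address(pkt.inner_src)
        return self._outer_ok(pkt) and inner in self.ue_prefix

    def check_subsequent_packet(self, pkt: UplinkPacket) -> bool:
        """Step 5: outer source == gNB_ip and inner source == recorded full UE_ip."""
        if self.ue_ip is None:
            return False
        return self._outer_ok(pkt) and ipaddress.IPv6Address(pkt.inner_src) == self.ue_ip

    def process(self, pkt: UplinkPacket) -> str:
        """Return the forwarding verdict for one packet and update session state."""
        if self.ue_ip is None:
            # No verified first packet yet: this packet is the candidate first packet.
            if self.check_first_packet(pkt):
                self.ue_ip = ipaddress.IPv6Address(pkt.inner_src)  # record the full address
                return FORWARD
            # Failed first-packet check: not forwarded; the next packet becomes the first packet.
            return DROP
        return FORWARD if self.check_subsequent_packet(pkt) else DROP


def legacy_prefix_only(ue_prefix: str, pkt: UplinkPacket) -> bool:
    """The pre-existing matching rule the text contrasts with: prefix only, no gNB check."""
    return ipaddress.IPv6Address(pkt.inner_src) in ipaddress.IPv6Network(ue_prefix)


def run_flow(gnb_ip: str, ue_prefix: str, packets: List[UplinkPacket]) -> List[str]:
    """Feed a packet sequence through one session's check and return the verdicts."""
    session = UpfSessionCheck(gnb_ip, ue_prefix)
    return [session.process(p) for p in packets]


# Constructed sample session and traffic (sample values, not from the patent).
GNB_IP = "10.1.1.10"
UE_PREFIX = "2001:db8:ab:cd::/64"
LEGIT_UE_IP = "2001:db8:ab:cd:1:2:3:4"  # UE_ipA + UE_ipB as built by the terminal

SAMPLE_PACKETS = [
    UplinkPacket("10.9.9.9", LEGIT_UE_IP),                # forged gNB address, arrives first
    UplinkPacket(GNB_IP, LEGIT_UE_IP),                    # genuine first packet
    UplinkPacket(GNB_IP, LEGIT_UE_IP),                    # genuine subsequent packet
    UplinkPacket(GNB_IP, "2001:db8:ab:cd:dead:beef::1"),  # same prefix, forged interface id
    UplinkPacket("10.9.9.9", LEGIT_UE_IP),                # forged gNB address after binding
]

if __name__ == "__main__":
    verdicts = run_flow(GNB_IP, UE_PREFIX, SAMPLE_PACKETS)
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        legacy = legacy_prefix_only(UE_PREFIX, pkt)
        print(f"{pkt.gtp_src:>10} {pkt.inner_src:<28} legacy_match={legacy!s:<5} new={verdict}")
```

Packets 1, 4 and 5 pass the prefix-only rule but are dropped by the new check; packet 4 is the forged-interface-identifier case that only the full 128-bit comparison catches.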
In summary, the scheme adds verification of the interface identifier, thereby achieving the aim of security protection. By matching and checking the full 128-bit IPv6 address, the application can effectively reduce the risk of user information leakage and of DDoS attacks on the Internet caused by a forged IPv6 interface identifier, and by binding the user address (the target IPv6 address) to the access base station address it can prevent the target base station from being replaced. Compared with the existing user plane function network element data packet matching flow, the method provided by the application improves security without affecting the performance of the user plane function network element and without adding any PFCP private field.
Correspondingly, the embodiment of the application also discloses a safety protection device which is applied to the user plane function network element, and the device comprises:
A data packet obtaining module 11, configured to obtain each data packet sent to the local access target network device;
The first verification module 12 is configured to check whether a first IPv6 prefix in a first IPv6 address corresponding to a first data packet in the data packets and the corresponding first base station address are consistent with the target IPv6 prefix and the target base station address issued by the session management network element, where an IPv6 address comprises an IPv6 prefix and an interface identifier;
The second checking module 13 is configured, if the first check passes, to check whether a subsequent base station address and a subsequent IPv6 address corresponding to a subsequent data packet in the data packets are consistent with the target base station address and the first IPv6 address, and if so to send the subsequent data packet to the target network device and otherwise to discard it, so as to ensure that every subsequent data packet sent to the target network device is sent by the user who sent the first data packet, through the terminal that sent the first data packet, based on the target base station;
The first data packet determining module 14 is configured, if the first check fails, to take the next data packet in the data packets as the first data packet and jump back to the step of checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet and the corresponding first base station address are consistent with the target IPv6 prefix and the target base station address issued by the session management network element.
The more specific working process of each module may refer to the corresponding content disclosed in the foregoing embodiment, and will not be described herein.
Therefore, the application uses the first IPv6 address (comprising the first IPv6 prefix and the first interface identifier) of the first data packet that passes the IPv6 prefix check to verify the subsequent data packets, so that every subsequent data packet sent to the target network device is sent by the user and terminal that sent the first data packet, based on the target base station. At that point only one user and one terminal can produce data packets via the target base station, so a large number of forged users cannot exist; there is only a single user.
Further, the embodiment of the application also provides an electronic device. Fig. 5 is a block diagram of an electronic device 20 according to an exemplary embodiment, and is not intended to limit the scope of use of the present application in any way.
Fig. 5 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present application. The electronic device 20 may include, in particular, at least one processor 21, at least one memory 22, a display screen 23, an input-output interface 24, a communication interface 25, a power supply 26, and a communication bus 27. Wherein the memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps in the safety protection method disclosed in any of the foregoing embodiments. In addition, the electronic device 20 in the present embodiment may be specifically an electronic computer.
In this embodiment, the power supply 26 is configured to provide the working voltages for each hardware device on the electronic device 20. The communication interface 25 is capable of creating a data transmission channel between the electronic device 20 and an external device; the communication protocol it follows may be any communication protocol applicable to the technical solution of the present application and is not specifically limited here. The input/output interface 24 is configured to obtain external input data or to output data to an external device; its specific interface type may be selected according to the needs of the specific application and is not specifically limited here.
The memory 22 may be a read-only memory, a random access memory, a magnetic disk, an optical disk, or the like, and the resources stored thereon may include the computer program 221, which may be stored in a temporary or permanent manner. Wherein the computer program 221 may further comprise a computer program capable of performing other specific tasks in addition to the computer program capable of performing the security protection method performed by the electronic device 20 as disclosed in any of the previous embodiments.
Further, the embodiment of the application also discloses a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the security protection method disclosed in the foregoing embodiments.
For specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and no further description is given here.
In the present disclosure, each embodiment is described in a progressive manner, and each embodiment focuses on the difference from other embodiments, and the same or similar parts between the embodiments refer to each other, that is, for the device disclosed in the embodiments, since the device corresponds to the method disclosed in the embodiments, the description is relatively simple, and the relevant parts refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one ..." does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises that element.
The foregoing describes the principles and embodiments of the present application in detail using specific examples to facilitate understanding of the method and core ideas of the present application, and meanwhile, the present application should not be construed as being limited to the above description, since modifications in the detailed description and application range will be apparent to those skilled in the art from the teachings herein.

Claims (10)

1. A security protection method, applied to a user plane functional network element, comprising:
acquiring each data packet sent to local access target network equipment;
checking whether a first IPv6 prefix in a first IPv6 address corresponding to a first data packet in the data packets and a corresponding first base station address are consistent with a target IPv6 prefix and a target base station address issued by a session management network element, wherein the IPv6 address comprises an IPv6 prefix and an interface identifier;
if so, checking whether a subsequent base station address and a subsequent IPv6 address corresponding to a subsequent data packet in the data packets are consistent with the target base station address and the first IPv6 address; if so, sending the subsequent data packet to the target network device, and if not, discarding the subsequent data packet, so as to ensure that the subsequent data packet sent to the target network device is sent by the user who sent the first data packet, through the terminal that sent the first data packet, based on the target base station;
and if not, taking the next data packet in the data packets as the first data packet, and jumping back to the step of checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet in the data packets and the corresponding first base station address are consistent with the target IPv6 prefix and the target base station address issued by the session management network element, until the data packet checking is completed.
2. The method of claim 1, wherein before the obtaining of each data packet sent to the local access target network device, the method further comprises:
After a target user accesses a session management network element and initiates a session request based on the target base station through a target terminal, acquiring the target base station address and the target IPv6 prefix of the target base station sent by the session management network element;
The target IPv6 prefix is sent to the target terminal, so that the target terminal distributes the target IPv6 prefix for the target user, a target interface identifier provided by the target terminal and the target IPv6 prefix are combined to obtain a target IPv6 address, then the target terminal constructs an initial data packet based on the target IPv6 address and sends the initial data packet to the user plane function network element through the target base station, wherein the target base station adds the target base station address as a source address into the initial data packet to obtain a target data packet after acquiring the initial data packet, and sends the target data packet to the user plane function network element, and the target interface identifier is an interface identifier generated by the target terminal according to a terminal media access control address and the initial interface identifier distributed by the session management network element for the target terminal.
3. The method according to claim 2, wherein after the obtaining of the target base station address and the target IPv6 prefix of the target base station sent by the session management network element, the method further comprises:
and determining a target base station based on the target base station address, and establishing a target tunnel between the target base station and the user plane function network element so that the target base station sends the target data packet to the user plane function network element through the target tunnel.
4. The security protection method according to claim 2, wherein the sending the target IPv6 prefix to the target terminal includes:
acquiring a router request sent by the target terminal, and returning a router advertisement to the target terminal based on the router request, wherein the router advertisement comprises the target IPv6 prefix.
5. The method according to claim 2, wherein the obtaining the target base station address and the target IPv6 prefix of the target base station sent by the session management network element includes:
and acquiring a session establishment message sent by a session management network element, and acquiring a target base station address of the target base station carried by a first field of the session establishment message and a target IPv6 prefix carried by a second field of the session establishment message.
6. The method of claim 2, wherein before the obtaining of each data packet sent to the local access target network device, the method further comprises:
acquiring a target field carrying the target base station address and issued by the session management network element, and acquiring the target base station address based on the target field, wherein the target field is an existing field reused (multiplexed) between the session management network element and the user plane function network element.
7. A security protection apparatus, applied to a user plane functional network element, comprising:
the data packet acquisition module is used for acquiring each data packet sent to the local access target network equipment;
the first verification module is used for checking whether a first IPv6 prefix in a first IPv6 address corresponding to a first data packet in the data packets and a corresponding first base station address are consistent with a target IPv6 prefix and a target base station address issued by a session management network element, wherein the IPv6 address comprises an IPv6 prefix and an interface identifier;
the second checking module is configured, if so, to check whether a subsequent base station address and a subsequent IPv6 address corresponding to a subsequent data packet in the data packets are consistent with the target base station address and the first IPv6 address, and if so to send the subsequent data packet to the target network device and if not to discard the subsequent data packet, so as to ensure that the subsequent data packet sent to the target network device is sent by the user who sent the first data packet, through the terminal that sent the first data packet, based on the target base station;
and the first data packet determining module is used, if not, for taking the next data packet in the data packets as the first data packet and jumping back to the step of checking whether the first IPv6 prefix in the first IPv6 address corresponding to the first data packet in the data packets and the corresponding first base station address are consistent with the target IPv6 prefix and the target base station address issued by the session management network element, until the data packet checking is completed.
8. The security protection apparatus of claim 7, further comprising:
The information acquisition module is used for acquiring the target base station address and the target IPv6 prefix of the target base station sent by the session management network element after a target user accesses the session management network element through the target terminal based on the target base station and initiates a session request;
And the information sending module is used for sending the target IPv6 prefix to the target terminal so that the target terminal distributes the target IPv6 prefix for the target user, combines a target interface identifier provided by the target terminal with the target IPv6 prefix to obtain a target IPv6 address, constructs an initial data packet based on the target IPv6 address by the target terminal, and sends the initial data packet to the user plane function network element through the target base station, wherein after the target base station acquires the initial data packet, the target base station address is used as a source address to be added into the initial data packet to obtain a target data packet, and the target data packet is sent to the user plane function network element.
9. An electronic device, comprising:
a memory for storing a computer program;
A processor for executing the computer program to implement the safety protection method as claimed in any one of claims 1 to 6.
10. A computer-readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements the safety protection method according to any one of claims 1 to 6.
CN202310724145.5A 2023-06-16 2023-06-16 A safety protection method, device, equipment and medium Active CN116634435B (en)


Publications (2)

Publication Number Publication Date
CN116634435A CN116634435A (en) 2023-08-22
CN116634435B true CN116634435B (en) 2025-10-28


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Country or region after: China
Address after: No. 9 Mozhou East Road, Nanjing City, Jiangsu Province, 211111
Applicant after: Zijinshan Laboratory
Address before: No. 9 Mozhou East Road, Jiangning Economic Development Zone, Jiangning District, Nanjing City, Jiangsu Province
Applicant before: Purple Mountain Laboratories
Country or region before: China
GR01 Patent grant