CN117353927A - Message processing method, switching equipment, terminal and storage medium - Google Patents
- Publication number: CN117353927A (application number CN202210740116.3A)
- Authority: CN (China)
- Prior art keywords: terminal, arp, information, identification information, processing method
- Prior art date
- Legal status: Pending (the status is an assumption, not a legal conclusion)
Classifications
- H04L9/00 — Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32 — ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247 — ... involving digital signatures
- H04L9/40 — Network security protocols
- H04L61/103 — Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
- H04L63/0807 — Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/10 — Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/1441 — Countermeasures against malicious traffic
Description
Technical field
This application relates to the field of network security technology, and in particular to a message processing method, a switching device, a terminal and a computer-readable storage medium.
Background
The existing Address Resolution Protocol (ARP) is mainly used to solve routing and addressing problems and is widely deployed across the industry. However, ARP has no confirmation mechanism: any network device can send an ARP request or response, which is a serious security weakness. For example, an attacker who forges the IP address or MAC address of a legitimate host can alter the routing table of a switching device at will and mount network attacks through it, which may lead to ARP spoofing, reflected DoS attacks and Domain Name System (DNS) hijacking, so that terminals cannot access the network securely.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
Embodiments of this application provide a message processing method, a switching device, a terminal and a computer-readable storage medium, which enable secure terminal access control.
In a first aspect, embodiments of this application provide a message processing method applied to a switching device. The message processing method includes:
receiving an ARP broadcast message sent by a terminal, where the ARP broadcast message carries authentication signature information and identity identification information of the terminal, the authentication signature information is generated by the terminal signing its source information with an obtained private key, and the private key corresponds to the identity identification information;
when signature verification of the ARP broadcast message with an obtained public key succeeds, establishing an ARP enhanced control table associated with the identity identification information, where the public key corresponds to the identity identification information;
when a service message carrying the identity identification information is received from the terminal, processing the service message according to the identity identification information and the ARP enhanced control table.
In a second aspect, embodiments of this application further provide a message processing method applied to a terminal. The method includes:
signing the source information of the terminal with an obtained private key to generate authentication signature information;
sending an ARP broadcast message to a switching device, so that the switching device, when signature verification of the ARP broadcast message with an obtained public key succeeds, establishes an ARP enhanced control table associated with the identity identification information of the terminal, where the ARP broadcast message carries the authentication signature information and the identity identification information, the private key corresponds to the identity identification information, and the public key corresponds to the identity identification information;
sending a service message carrying the identity identification information to the switching device, so that the switching device processes the service message according to the identity identification information and the ARP enhanced control table.
In a third aspect, embodiments of this application further provide a switching device, including at least one processor and at least one memory storing at least one program; when the at least one program is executed by the at least one processor, the message processing method of the first aspect is implemented.
In a fourth aspect, embodiments of this application further provide a terminal, including at least one processor and at least one memory storing at least one program; when the at least one program is executed by the at least one processor, the message processing method of the second aspect is implemented.
In a fifth aspect, embodiments of this application further provide a computer-readable storage medium storing a processor-executable program which, when executed by a processor, implements the message processing method described above.
In the embodiments of this application, the ARP broadcast message carries the terminal's identity identification information together with authentication signature information generated by signing with the private key. When the switching device receives the ARP broadcast message sent by the terminal, it can verify the signature of the message with the public key corresponding to that identity identification information and, if verification succeeds, generate an ARP enhanced control table associated with the identity identification information. Service messages carrying the identity identification information that the terminal subsequently sends can then be further identified and processed against the ARP enhanced control table, giving more secure terminal access control. Compared with related technologies, associating the ARP enhanced control table with identity identification information makes it harder for an attacker to modify the routing table of the switching device, achieves near-source defence, and allows the attacker to be traced precisely even when an attack does occur, thereby filling a technical gap in related methods.
Other features and advantages of this application will be set forth in the description that follows, and in part will be apparent from the description or may be learned by practising the application. The objectives and other advantages of the application may be realised and obtained by the structures particularly pointed out in the description, the claims and the drawings.
Description of drawings
The drawings are provided for a further understanding of the technical method of this application and form part of the specification. Together with the embodiments of this application they serve to explain its technical method, and they do not limit it.
Figure 1 is a schematic diagram of a network system for executing a message processing method according to one embodiment of this application;
Figure 2 is a schematic diagram of a network system for executing a message processing method according to another embodiment of this application;
Figure 3 is a flowchart of a message processing method according to one embodiment of this application;
Figure 4 is a schematic diagram of the structure of an ARP broadcast message according to one embodiment of this application;
Figure 5 is a flowchart of the processing of a service message in the message processing method according to one embodiment of this application;
Figure 6 is a schematic diagram of the execution flow of a message processing method according to one embodiment of this application;
Figure 7 is a schematic diagram of a network attack scenario according to one embodiment of this application;
Figure 8 is a flowchart of a message processing method according to another embodiment of this application;
Figure 9 is a flowchart of a message processing method according to another embodiment of this application;
Figure 10 is a schematic diagram of a network attack scenario according to another embodiment of this application;
Figure 11 is a schematic diagram of a network attack scenario according to another embodiment of this application;
Figure 12 is a schematic diagram of a switching device according to one embodiment of this application;
Figure 13 is a schematic diagram of a terminal according to one embodiment of this application.
Detailed description
To make the objectives, technical methods and advantages of this application clearer, the application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain this application and not to limit it.
It should be noted that, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from that in the flowchart. The terms "first", "second" and so on in the description, the claims and the drawings are used to distinguish similar objects and are not necessarily used to describe a particular sequence or order.
This application provides a message processing method, a switching device, a terminal and a computer-readable storage medium. The message processing method of one embodiment, applied to a switching device, includes: receiving an ARP broadcast message sent by a terminal, where the ARP broadcast message carries authentication signature information and the identity identification information of the terminal, the authentication signature information is generated by the terminal signing its source information with an obtained private key, and the private key corresponds to the identity identification information; when signature verification of the ARP broadcast message with an obtained public key succeeds, establishing an ARP enhanced control table associated with the identity identification information, where the public key corresponds to the identity identification information; and when a service message carrying the identity identification information is received from the terminal, processing the service message according to the identity identification information and the ARP enhanced control table. In this embodiment, because the ARP broadcast message carries the terminal's identity identification information and authentication signature information generated by signing with the private key, the switching device that receives the ARP broadcast message can verify its signature with the public key corresponding to that identity identification information and, if verification succeeds, generate an ARP enhanced control table associated with the identity identification information; service messages carrying the identity identification information that the terminal subsequently sends can then be further identified and processed against that table, giving more secure terminal access control. Compared with related technologies, associating the ARP enhanced control table with identity identification information makes it harder for an attacker to modify the routing table of the switching device, achieves near-source defence, and allows the attacker to be traced precisely even when an attack does occur, thereby filling a technical gap in related methods.
The embodiments of this application are further described below with reference to the drawings.
As shown in Figure 1, which is a schematic diagram of a network system 100 for executing a message processing method according to one embodiment of this application, the network system 100 includes, but is not limited to, a switching device 110 and a terminal 120. The switching device 110 can provide a dedicated electrical signal path between any two network nodes attached to it. The switching device 110 and the terminal 120 can exchange information, which may involve, but is not limited to, sending data packets and forwarding messages; they can also exchange information with other related devices or apparatus, and the form of the information exchange in a specific application scenario can be set or selected accordingly and is not limited here.
In one embodiment, the number of switching devices 110 and terminals 120 and the matching between them are not limited; that is, a single terminal 120 or multiple terminals 120 may be matched with one or more switching devices 110, so there can be many ways of controlling access by a terminal 120, which are not limited here. To avoid redundancy, the following embodiments are therefore described mainly in terms of the interaction between a single terminal 120 and its corresponding switching device 110, which should not be understood as limiting the embodiments of this application.
In one embodiment, the terminal 120 may be, but is not limited to, user equipment (UE), a subscriber unit, a subscriber station, a mobile station, a mobile, a remote station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent or a user apparatus; its form in a specific application scenario may differ, that is, the terminal may be different in different application scenarios, which is not limited here.
In one embodiment, as shown in Figure 2, the network system 100 may further include, but is not limited to, an authentication server 130 and a key management center 140. The authentication server 130 can, for example, provide the terminal 120 with its identity identification information once the terminal 120 has registered successfully; the key management center 140 can, for example, provide the terminal 120 with the corresponding private key based on the identity identification information of the terminal 120, and provide the switching device 110 with the corresponding public key.
In one embodiment, each item of identity identification information is a unique identifier within the network system 100, that is, the identity identification information of different terminals 120 never repeats; its specific form can vary and is not limited here. For example, it may be, but is not limited to, an identity ID, or it may be expressed with predefined special symbols or special data.
In one embodiment, the authentication server 130 may be a specific application that facilitates the authentication of terminals 120 attempting to access the network. The authentication server 130 may be, but is not limited to, a dedicated computer, an Ethernet switch, an access point (AP) or a network access server. Since authentication servers are a widely used part of authentication and are well known to those skilled in the art, they are not described further here to avoid redundancy.
In one embodiment, the key management center 140 may be a component of a public key infrastructure, responsible for providing key services such as key generation, storage, backup, update, recovery and query to the certificate authority (CA) system, in order to solve the key management problems raised by the large-scale use of cryptographic technology in distributed application environments. Since a key management center is a widely used technical element in cryptography and is well known to those skilled in the art, it is not described further here to avoid redundancy.
It should be noted that the above functions of the network system 100 shown in Figures 1 and 2 can be applied in different application scenarios, which are not limited here.
Those skilled in the art will understand that the network system 100 shown in Figures 1 and 2 can be applied to 5G and 6G communication network systems and to subsequently evolved mobile communication network systems, which this embodiment does not specifically limit.
Those skilled in the art will understand that the network system 100 shown in Figures 1 and 2 does not limit the embodiments of this application; it may include more or fewer components than shown, combine certain components, or arrange the components differently.
Based on the above embodiments of the network system 100, the embodiments of the message processing method of this application are presented below.
As shown in Figure 3, which is a flowchart of a message processing method according to one embodiment of this application, the message processing method can be applied, for example, to the switching device in the network system of the embodiment shown in Figure 1 or Figure 2. The message processing method may include, but is not limited to, steps S110 to S130.
Step S110: receive an ARP broadcast message sent by the terminal, where the ARP broadcast message carries authentication signature information and the identity identification information of the terminal, the authentication signature information is generated by the terminal signing its source information with an obtained private key, and the private key corresponds to the identity identification information.
In this step, because the ARP broadcast message carries the terminal's identity identification information and authentication signature information generated by signing with the private key, the ARP broadcast message sent by the terminal is received so that, in the subsequent steps, its signature can be verified with the public key corresponding to that identity identification information, in order to decide whether an ARP enhanced control table associated with the identity identification information needs to be generated.
In one embodiment, the authentication signature information embodies the protection of the terminal's source information by the private key, i.e. it is based on a cryptographic signature: if a matching private key corresponding to the identity identification information exists, then the authentication signature information obtained by signing the terminal's source information with it meets the requirement.
In one embodiment, the source information may include, but is not limited to, one of the following:
the terminal's IP address information;
the terminal's IP address information and identity identification information;
the terminal's IP address information and MAC address information;
the terminal's IP address information, identity identification information and MAC address information.
It should be noted that, because specific application scenarios may differ, the source information may also have more or fewer components so as to fit the relevant application scenario; this is not limited here.
In one embodiment, the ARP broadcast message may be an ARP request message sent by the terminal, or an ARP response message sent by the terminal in response to a received ARP request message. Referring to Figure 4, this embodiment builds on the format of the original ARP request/response header in the related art, whose fields include: hardware type, protocol type, hardware address length, protocol address length, operation type, sender MAC address, source IP address (optionally containing the ID), target MAC address and destination IP address. On this basis, this embodiment modifies the ARP protocol by adding a signature field (corresponding to the authentication signature information) and an optional ID field (corresponding to the identity information) to the related-art ARP message, forming the ARP broadcast message that distinguishes this embodiment from the related art. The ID field is 4 bytes long; it may be placed in the last 4 bytes of the source IP address, or in a field newly added to the original ARP protocol. The signature field holds the signature value computed over the source information with the private key; it is 4 bytes long and is placed in a field newly added to the original ARP protocol. For service messages, the ID field may be stored in the IP address or in the optional field of the IP address. It should be noted that the lengths and storage positions of the ID field and the signature field are not limited to the above implementation and may be customised according to user requirements; they are not limited here.
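The following is an added example, not code from the patent, showing how a switch could pack and parse the modified header just described when both added fields are carried as new fields appended to the 28-byte Ethernet/IPv4 ARP header (the alternative of carrying the ID in the last 4 bytes of the source IP field is not modelled). The field order follows the list above; the parser rejects a plain related-art header rather than reading past its end, which is the check a switch needs before it can look for the signature at all. All addresses are constructed sample values.

```python
"""Build and parse the enhanced ARP header described above.

Added example, not code from the patent. Assumptions: the 28-byte
Ethernet/IPv4 ARP header is laid out in the order the page lists its
fields, followed by the two fields the page adds as "new fields" of the
protocol: a 4-byte ID and a 4-byte signature value. The alternative of
carrying the ID in the last 4 bytes of the source IP field is not
modelled. All addresses below are constructed sample values."""
import struct

# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP, ID, signature
ENHANCED_ARP = struct.Struct("!HHBBH6s4s6s4s4s4s")
ENHANCED_ARP_LEN = ENHANCED_ARP.size  # 36 bytes
LEGACY_ARP_LEN = 28                   # related-art header without ID/signature
FIELDS = ("htype", "ptype", "hlen", "plen", "oper",
          "sender_mac", "sender_ip", "target_mac", "target_ip", "ident", "sig")


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_enhanced_arp(oper, sender_mac, sender_ip, target_mac, target_ip, ident, sig):
    """Pack an enhanced ARP header. oper: 1 = request, 2 = reply; ident and sig are 32-bit ints."""
    return ENHANCED_ARP.pack(1, 0x0800, 6, 4, oper,
                             mac_bytes(sender_mac), ip_bytes(sender_ip),
                             mac_bytes(target_mac), ip_bytes(target_ip),
                             ident.to_bytes(4, "big"), sig.to_bytes(4, "big"))


def parse_enhanced_arp(frame):
    """Return the header fields as a dict, or None if the frame is not a well-formed
    enhanced Ethernet/IPv4 ARP message. A plain 28-byte related-art header is rejected
    outright instead of being read past its end for fields it does not carry."""
    if len(frame) != ENHANCED_ARP_LEN:
        return None
    hdr = dict(zip(FIELDS, ENHANCED_ARP.unpack(frame)))
    if (hdr["htype"], hdr["ptype"], hdr["hlen"], hdr["plen"]) != (1, 0x0800, 6, 4):
        return None
    if hdr["oper"] not in (1, 2):
        return None
    for key in ("sender_mac", "target_mac"):
        hdr[key] = ":".join(f"{b:02x}" for b in hdr[key])
    for key in ("sender_ip", "target_ip"):
        hdr[key] = ".".join(str(b) for b in hdr[key])
    for key in ("ident", "sig"):
        hdr[key] = int.from_bytes(hdr[key], "big")
    return hdr


def is_gratuitous(hdr):
    """Gratuitous ARP request (as in Example 1 on this page): sender and target IP coincide."""
    return hdr["oper"] == 1 and hdr["sender_ip"] == hdr["target_ip"]


def signed_source_info(hdr):
    """Bytes the terminal signs and the switch re-assembles before verifying:
    (ID, sender MAC, sender IP) in wire order."""
    return (hdr["ident"].to_bytes(4, "big")
            + mac_bytes(hdr["sender_mac"]) + ip_bytes(hdr["sender_ip"]))
```

A switch would call `parse_enhanced_arp` on every ARP frame, drop anything that returns `None`, and then hand `signed_source_info(hdr)` together with `hdr["sig"]` and the public key looked up by `hdr["ident"]` to its signature-verification routine (step S120).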
Step S120: When signature verification of the ARP broadcast message with the obtained public key succeeds, establish an ARP enhanced control table associated with the identity information, where the public key corresponds to the identity information.
In this step, when the switching device receives the ARP broadcast message sent by the terminal, it can verify the message's signature with the public key corresponding to the identity information and, if verification succeeds, generate an ARP enhanced control table associated with that identity information, so that in subsequent steps the service messages carrying the identity information sent by the terminal can be further identified and processed according to the ARP enhanced control table.
In one embodiment, signature verification serves as a cryptographic matching means. Because the ARP broadcast message carries authentication signature information generated by signing with the private key, verifying the signature amounts to comparing the obtained public key against the private key that produced the authentication signature information, to determine whether the two match: if they match, verification succeeds; otherwise it fails. The specific verification method and means may be selected according to the application scenario and are not limited here.
In one embodiment, the ARP enhanced control table may include, but is not limited to: the identity information of the terminal, the IP address information of the terminal, the MAC address information of the terminal, and the port of the switching device to which the terminal is connected. Because a terminal may need to connect to different switching devices at the same time, that is, different switching devices may each generate their own ARP enhanced control tables, the port through which the terminal connects to the switching device is recorded in the ARP enhanced control table in order to distinguish terminal connections; using the switching device's port to distinguish terminals gives better terminal control.
An embodiment of the present application further describes steps beyond steps S110 to S130, including but not limited to step S140.
Step S140: When signature verification of the ARP broadcast message with the obtained public key fails, discard the ARP broadcast message.
In this step, if signature verification of the ARP broadcast message with the obtained public key fails, the ARP broadcast message is not associated with the private key corresponding to that public key, and so it will have no substantive effect on the routing table of the switching device; no ARP enhanced control table associated with the identity information needs to be established, and the ARP broadcast message is simply discarded.
An embodiment of the present application further describes the steps preceding "signature verification of the ARP broadcast message with the obtained public key succeeds" in step S120, including but not limited to step S150.
Step S150: Obtain the public key from the key management center according to the identity information.
In this step, the switching device obtains the public key from the key management center in advance according to the identity information, so that when it receives the ARP broadcast message sent by the terminal it can verify the message directly with the obtained public key, ensuring that the switching device's verification of the ARP broadcast message proceeds smoothly.
In one embodiment, the switching device may obtain the public key from the key management center according to the identity information in various ways, which are not limited here. For example, the key management center may deliver the public key to the switching device over a preconfigured secure tunnel, or the switching device may obtain the public key from the key management center through a request exchange.
Step S130: When a service message carrying the identity information sent by the terminal is received, process the service message according to the identity information and the ARP enhanced control table.
In this step, because the ARP broadcast message carries the terminal's identity information and the authentication signature information generated by signing with the private key, when the switching device receives the ARP broadcast message sent by the terminal it can verify the message with the public key corresponding to that identity information and, if verification succeeds, generate an ARP enhanced control table associated with the identity information; it can then further identify and process the service messages carrying the identity information sent by the terminal according to the ARP enhanced control table, achieving more secure terminal access control. Compared with the related art, associating the ARP enhanced control table with the identity information makes it harder for an attacker to modify the switching device's routing table, enabling near-source defence, and the attacker can be traced precisely even when an attack does occur, which fills a technical gap in the related methods.
Referring to Figure 5, an embodiment of the present application further describes step S130, which includes but is not limited to steps S131 to S132.
Step S131: Check whether the identity information matches the ARP enhanced control table;
Step S132: When the identity information is found to match the ARP enhanced control table, forward the service message.
In this step, when the terminal forwards a service message it carries its identity information in the message; after the message reaches the switching device, forwarding is controlled according to the ARP enhanced control table: if the identity information matches the ARP enhanced control table, the message is forwarded. This also allows the source of an attack to be traced quickly after a network attack occurs, so that the attack source can be blocked precisely.
An embodiment of the present application further describes step S130, which also includes but is not limited to step S133.
Step S133: When the identity information is found not to match the ARP enhanced control table, discard the service message.
In this step, when the terminal forwards a service message it carries its identity information in the message; after the message reaches the switching device, forwarding is controlled according to the ARP enhanced control table: if the identity information does not match the ARP enhanced control table, the message is discarded and not forwarded. This also allows the source of an attack to be traced quickly after a network attack occurs, so that the attack source can be blocked precisely.
An embodiment of the present application further describes steps beyond steps S110 to S130, including but not limited to steps S160 to S180.
Step S160: When it is determined that a terminal has suffered a network attack from an attacker because it received a service response message sent by the switching device, look up the historical service message corresponding to that service response message;
Step S170: Look up the target ARP enhanced control table according to the historical service message, where the target ARP enhanced control table is the table used to check the historical service message;
Step S180: Determine the attacker's identity information according to the target ARP enhanced control table.
In these steps, once it has determined that a terminal is under network attack, the switching device looks up the historical service message corresponding to the service response message that caused the attack and from it determines the target ARP enhanced control table associated with the attacker's identity information; the attacker's identity information can then be found accurately through the target ARP enhanced control table. In other words, the attacker can be traced precisely even when an attack has occurred, which fills a technical gap in the related methods.
It should be noted that, for any terminal or host that satisfies the conditions described in the embodiments of the present application, the switching device can establish an ARP enhanced control table associated with that terminal's or host's identity information, for example the ARP enhanced control table associated with the terminal's identity information and the target ARP enhanced control table associated with the attacker's identity information; the benefit is that the attacker can be traced precisely even when an attack has occurred.
In one embodiment, an attacker may mount a network attack in various scenarios, and correspondingly the historical service message may arise in various scenarios. For example, the terminal and the attacker are in the same domain: the attacker impersonates the terminal's address and sends the historical service message to the switching device; because the port numbers associated with the terminal and the attacker on the switching device are the same, the switching device returns the service response message to the terminal, so that the terminal suffers a reflected DoS attack. As another example, a rogue DNS server and a legitimate DNS server are on the same LAN; the rogue DNS server sends an ARP broadcast request impersonating the legitimate server's address and hijacks DNS, forming a network attack. It should be noted that Examples 1 to 3 below describe in detail how the switching device blocks a network attack or, when an attack has occurred, traces the attacker precisely; to avoid redundancy they are not repeated here.
In one embodiment, the way in which the switching device looks up the historical service message and the target ARP enhanced control table is not limited and can be chosen by those skilled in the art according to the specific scenario. For example, if the switching device is able to store messages and enhanced control tables internally, it can store them internally and search them internally; if it is not, a separate storage device can be provided to store the relevant messages and enhanced control tables, and when a lookup is needed the switching device searches that storage device directly. Specific examples are given below to illustrate the working principles and flows of the above embodiments.
Example 1:
Referring to Figure 6, Figure 6 is a schematic flow diagram of the message processing method provided by an embodiment of the present application. The access switch in Figure 6 is the switching device, the terminal identity ID shown is the terminal's identity information, and the terminal shown is legitimate host 1 in Figure 6.
As shown in Figure 6, the message processing method is executed according to the following steps A100 to A105:
S100a: The terminal submits a registration application to the authentication server; after successful registration, a terminal identity ID is allocated;
S100b: The terminal obtains private key SK1 from the key management center using the terminal identity ID;
S100c: The access switch obtains public key PK1 from the key management center using the terminal identity ID;
S101: The terminal signs the source information (optional source ID, optional source MAC, source IP) with the allocated private key and includes the terminal identity ID and the signature in the ARP broadcast message (the "ARP response message" or "gratuitous ARP request message" shown in the steps of Figure 6);
S102: The terminal sends the ARP broadcast message carrying the terminal identity ID and signature to the access switch;
S103: The access switch receives the ARP broadcast message, which contains the terminal identity ID, source IP address, source MAC address and signature, and verifies the signature with the public key corresponding to the terminal identity ID. If verification succeeds, it establishes the ARP enhanced control table (containing the source IP address, source MAC address, terminal identity ID and access port PORT); if verification fails, no ARP enhanced control table is established and the message is discarded;
S104: When the terminal forwards service data, it carries the terminal identity ID in the service data;
S105: The access switch receives and parses the service data and checks whether the terminal identity ID, source IP address, source MAC address and access port PORT are in the same table entry; if so, the data is forwarded; if not, it is discarded.
Example 2:
Referring to Figure 7, Figure 7 is a schematic diagram of a network attack scenario provided by an embodiment of the present application.
As shown in Figure 7, service A is the attack target, and service A and rogue host C are in the same domain. Rogue host C impersonates service A's address and sends ICMP request messages to host B ... host n, and host B ... host n return ICMP responses to service A, so that service A suffers a reflected DoS attack.
There are two protection approaches for the network attack scenario in Figure 7, and the protection process is divided into two stages, a control-plane stage and a service-plane stage. On the control plane the ARP flow is enhanced: when the terminal sends an ARP broadcast request it must carry the terminal identity ID and the signature over the source information. On the service plane, ICMP request messages must carry the terminal identity ID so that messages can be filtered during forwarding.
For the control-plane stage, consider the case in which the ARP message impersonates IPa (service A's IP address, likewise below), carries IDc (rogue host C's identity ID, likewise below) and is signed with C's own private key SKc, where the ID information is carried in the optional field of the IP packet. The steps are as follows:
Step 1, control-plane table building: service A carries IDa and the signature over the source communication information (optional IDa, optional MACa, IPa) in its ARP broadcast request message, and the enhanced control table entry IPa<->MACa<->port1<->IDa is established on the switch.
Step 2: Rogue host C signs the source communication information (optional IDc, optional MACc, the impersonated IPa) with C's private key SKc. If the ARP broadcast request message carries IDc, the switch verifies the signature successfully with public key PKc and updates the enhanced control table with IPa<->MACc<->port2<->IDc.
Step 3, service-plane forwarding: when rogue host C impersonates IPa and sends an ICMP request carrying IDc, the enhanced control table check passes, but because the ICMP response packet is forwarded according to port2, no attack on service A results. When rogue host C impersonates IPa and sends an ICMP request carrying IDa, the enhanced control table check fails because the IDs do not match; the ICMP request message is discarded and no attack results.
For the service-plane stage, consider the case in which the ARP message impersonates IPa, carries IDa and is signed with C's own private key SKc, where the ID information is carried in the IP address or in the optional field of the IP address. The steps are as follows:
Step 1, control-plane table building: service A carries IDa and the signature over the source communication information (optional IDa, optional MACa, IPa) in its ARP broadcast request message, and the enhanced control table entry IPa<->MACa<->port1<->IDa is established on the switch.
Step 2: Rogue host C signs the source communication information (optional IDc, optional MACc, the impersonated IPa) with C's private key SKc. If the ARP broadcast request message carries IDa, the switch's signature verification with public key PKc fails and no table entry is built.
Step 3, service-plane forwarding: when rogue host C impersonates IPa and sends an ICMP request carrying IDc, the enhanced control table check fails because the IDs do not match; the ICMP request message is discarded and no attack results. When rogue host C impersonates IPa and sends an ICMP request carrying IDa, the enhanced control table check fails because the port does not match; the ICMP request message is discarded and no attack results.
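The following is an added example, not the patent's own code, that runs the flow of Example 1 (steps S100a to S105), the attacker-tracing steps S160 to S180, and both cases of Example 2 above through one small model of the terminal, key management center and access switch. Assumptions made here that the page does not specify: a textbook RSA signature over SHA-256 with small fixed primes stands in for the unspecified signature scheme (toy-sized, for illustration only); the signed source information is serialised as the string "ID|MAC|IP"; the enhanced control table is a list of (IP, MAC, port, ID) rows; and the switch fetches the verifying public key by the ID carried in the message, as step S150 describes. Hosts, addresses and primes are constructed sample values.

```python
"""Toy model of Example 1 (S100a-S105), tracing (S160-S180) and Example 2.
Added example, not the patent's code. Assumptions: textbook RSA over SHA-256
with small fixed primes stands in for the unspecified signature scheme; the
signed source information is the string "ID|MAC|IP"; the enhanced control
table is a list of (IP, MAC, port, ID) rows; the switch looks the public key
up by the ID carried in the message (S150). All values are constructed."""
import hashlib
from collections import namedtuple

E = 65537
IP_A, MAC_A, MAC_C = "10.0.0.1", "aa:aa:aa:aa:aa:aa", "cc:cc:cc:cc:cc:cc"
ArpBroadcast = namedtuple("ArpBroadcast", "ident mac ip sig")   # ARP plus the added ID/signature fields
ServicePacket = namedtuple("ServicePacket", "ident mac ip")     # business packet (e.g. ICMP) carrying the ID

def make_keypair(p, q):
    """Toy RSA: returns (public (n, e), private (n, d)) for two small primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _digest(data, pub[0])

def source_info(ident, mac, ip):
    """Source information that gets signed: (optional ID, optional MAC, IP)."""
    return f"{ident}|{mac}|{ip}".encode()

class KeyManagementCenter:
    def __init__(self):
        self.pub, self.priv = {}, {}

    def enroll(self, ident, p, q):   # S100a/S100b: ID allocated, key pair issued for it
        self.pub[ident], self.priv[ident] = make_keypair(p, q)

class AccessSwitch:
    def __init__(self, kmc):
        self.kmc = kmc
        self.table = []  # ARP enhanced control table: (ip, mac, port, ident) rows

    def on_arp(self, arp, port):
        """S103/S120/S140: verify with the public key of the carried ID; add a row or drop."""
        pub = self.kmc.pub.get(arp.ident)             # S100c/S150: fetch PK by ID
        if pub is None or not verify(pub, source_info(arp.ident, arp.mac, arp.ip), arp.sig):
            return False
        self.table.append((arp.ip, arp.mac, port, arp.ident))
        return True

    def _row(self, pkt, port):
        row = (pkt.ip, pkt.mac, port, pkt.ident)
        return row if row in self.table else None

    def on_service(self, pkt, port):
        """S105/S131-S133: forward only if ID, IP, MAC and ingress port share one row.
        Returns the port a response is delivered to, or None when the packet is dropped."""
        row = self._row(pkt, port)
        return row[2] if row else None

    def trace(self, historical_pkt, port):
        """S160-S180: from a stored service packet, recover the sender's ID via its row."""
        row = self._row(historical_pkt, port)
        return row[3] if row else None

def terminal_arp(kmc, ident, mac, ip):
    """S101/S210: the terminal signs its source information with its own private key."""
    return ArpBroadcast(ident, mac, ip, sign(kmc.priv[ident], source_info(ident, mac, ip)))

def _setup():
    kmc = KeyManagementCenter()
    kmc.enroll("IDa", 1000003, 1000033)   # constructed toy primes, nowhere near real key sizes
    kmc.enroll("IDc", 1000037, 1000039)
    sw = AccessSwitch(kmc)
    sw.on_arp(terminal_arp(kmc, "IDa", MAC_A, IP_A), "port1")   # step 1: IPa<->MACa<->port1<->IDa
    return kmc, sw

def control_plane_case():
    """Example 2, first case: C spoofs IPa, carries its own IDc and signs with SKc."""
    kmc, sw = _setup()
    accepted = sw.on_arp(terminal_arp(kmc, "IDc", MAC_C, IP_A), "port2")   # row IPa<->MACc<->port2<->IDc
    return {
        "arp_accepted": accepted,
        "reply_port_for_a": sw.on_service(ServicePacket("IDa", MAC_A, IP_A), "port1"),
        "reply_port_for_idc": sw.on_service(ServicePacket("IDc", MAC_C, IP_A), "port2"),   # passes; reply goes to port2
        "reply_port_for_ida": sw.on_service(ServicePacket("IDa", MAC_C, IP_A), "port2"),   # ID mismatch: dropped
        "traced_attacker": sw.trace(ServicePacket("IDc", MAC_C, IP_A), "port2"),
    }

def business_plane_case():
    """Example 2, second case: C spoofs IPa and claims IDa but can only sign with SKc."""
    kmc, sw = _setup()
    forged = ArpBroadcast("IDa", MAC_C, IP_A, sign(kmc.priv["IDc"], source_info("IDa", MAC_C, IP_A)))
    return {
        "arp_accepted": sw.on_arp(forged, "port2"),                                        # PKa rejects it, no row
        "reply_port_for_idc": sw.on_service(ServicePacket("IDc", MAC_C, IP_A), "port2"),   # no row: dropped
        "reply_port_for_ida": sw.on_service(ServicePacket("IDa", MAC_C, IP_A), "port2"),   # port/MAC mismatch: dropped
    }
```

In the first case the switch accepts C's row because C signs honestly under its own ID, but the reply to C's ICMP request is delivered to port2, the port recorded in that row, rather than to service A on port1, and the stored service packet still resolves to IDc, which is the tracing step. In the second case the only key the switch can look up for the carried IDa is PKa, so the forged ARP never produces a row and both of C's service packets fall through the (ID, IP, MAC, port) check.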
As shown in Figure 8, Figure 8 is a flow chart of a message processing method provided by another embodiment of the present application; the method may be applied, but is not limited, to the terminal in the network system of the embodiment shown in Figure 1 or Figure 2. The message processing method may include but is not limited to steps S210 to S230.
Step S210: Sign the terminal's source information with the obtained private key to generate authentication signature information;
Step S220: Send an ARP broadcast message to the switching device, so that when the switching device verifies the ARP broadcast message successfully with the obtained public key it establishes an ARP enhanced control table associated with the terminal's identity information, where the ARP broadcast message carries the authentication signature information and the identity information, the private key corresponds to the identity information, and the public key corresponds to the identity information;
Step S230: Send a service message carrying the identity information to the switching device, so that the switching device processes the service message according to the identity information and the ARP enhanced control table.
In this step, because the ARP broadcast message carries the terminal's identity information and the authentication signature information generated by signing with the private key, sending the ARP broadcast message to the switching device lets the switching device verify it with the public key corresponding to that identity information and, if verification succeeds, generate an ARP enhanced control table associated with the identity information; the switching device can then further identify and process the service messages carrying the identity information sent by the terminal according to the ARP enhanced control table, achieving more secure terminal access control. Compared with the related art, associating the ARP enhanced control table with the identity information makes it harder for an attacker to modify the switching device's routing table, enabling near-source defence, and the attacker can be traced precisely even when an attack does occur, which fills a technical gap in the related methods.
In one embodiment, the source information may include, but is not limited to, one of the following:
The terminal's IP address information;
The terminal's IP address information and identity information;
The terminal's IP address information and MAC address information;
The terminal's IP address information, identity information and MAC address information.
It should be noted that, because specific application scenarios differ, the source information may have more or fewer components so as to fit the relevant scenario; this is not limited here.
It should be noted that steps S210 to S230 of this embodiment belong to the same inventive concept as the related embodiments of the message processing method above; the only difference is the executing entity, namely the switching device for the method above and the terminal for this embodiment. For the other specific implementations of steps S210 to S230 and related implementations, reference may therefore be made to the specific embodiments of the message processing method above; to avoid redundancy they are not repeated here.
In one embodiment, the identity information may be obtained through, but is not limited to, the following steps S310 to S320.
Step S310: Send a registration application request to the authentication server;
Step S320: Receive the identity information sent by the authentication server after it has successfully registered the terminal according to the registration application request.
In these steps, the terminal sends a registration application request to the authentication server so that, after registering the terminal according to the request, the authentication server sends back the corresponding identity information. Because each terminal's identity information is distinct, every terminal can obtain its own identity information by sending a registration application request to the authentication server, which suits terminal access control in specific network scenarios.
An embodiment of the present application further describes the steps preceding step S210, including but not limited to step S240.
Step S240: Obtain the private key from the key management center according to the identity information.
In this step, the terminal obtains the private key from the key management center in advance according to the identity information, so that once it holds the private key sent by the key management center it can directly sign its source information with that key to generate the authentication signature information, ensuring that the source information can be signed stably and quickly.
As shown in Figure 9, Figure 9 is a flow chart of a message processing method provided by another embodiment of the present application; the method may be applied, but is not limited, to the network system in the embodiment shown in Figure 1 or Figure 2. The message processing method may include but is not limited to steps S410 to S430.
Step S410: The switching device receives an ARP broadcast message sent by the terminal, where the ARP broadcast message carries authentication signature information and the terminal's identity information, the authentication signature information is generated by the terminal signing its source information with the obtained private key, and the private key corresponds to the identity information;
Step S420: When the switching device verifies the ARP broadcast message successfully with the obtained public key, the switching device establishes an ARP enhanced control table associated with the identity information, where the public key corresponds to the identity information;
Step S430: When the switching device receives a service message carrying the identity information sent by the terminal, the switching device processes the service message according to the identity information and the ARP enhanced control table.
In this step, because the ARP broadcast message carries the terminal's identity information and the authentication signature information generated by signing with the private key, when the switching device receives the ARP broadcast message sent by the terminal it can verify the message with the public key corresponding to that identity information and, if verification succeeds, generate an ARP enhanced control table associated with the identity information; the switching device can then further identify and process the service messages carrying the identity information sent by the terminal according to the ARP enhanced control table, achieving more secure terminal access control. Compared with the related art, associating the ARP enhanced control table with the identity information makes it harder for an attacker to modify the switching device's routing table, enabling near-source defence, and the attacker can be traced precisely even when an attack does occur, which fills a technical gap in the related methods.
需要说明的是,由于本实施例中的步骤S410至S430与上述报文处理方法的相关实施例属于同一发明构思,区别仅在于执行主体的不同,即上述报文处理方法的执行主体分别为交换设备和终端,本实施例的执行主体为网络系统,因此本实施例中的步骤S410至S430的其他具体实施方式以及相关实施方式,可以参照上述实施例中的报文处理方法的相关具体实施例,为避免冗余,本实施例的步骤S410至S430的其他具体实施方式以及相关实施方式在此不再赘述。It should be noted that since steps S410 to S430 in this embodiment belong to the same inventive concept as the related embodiments of the above-mentioned message processing method, the only difference lies in the execution subject, that is, the execution subject of the above-mentioned message processing method is respectively exchange. Equipment and terminals, the execution subject of this embodiment is the network system, so for other specific implementations and related implementations of steps S410 to S430 in this embodiment, reference can be made to the relevant specific embodiments of the message processing method in the above embodiment. , in order to avoid redundancy, other specific implementations and related implementations of steps S410 to S430 in this embodiment will not be described again here.
Specific examples follow to illustrate the working principle and flow of the embodiments above.
Example three:
Figure 10 is a schematic diagram of a network attack scenario provided by another embodiment of this application.
As shown in Figure 10, service A is the attack target; service A, illegal host C and host B belong to different domains. Illegal host C sends ICMP request packets with service A's address as the source to host B ... host n, and host B ... host n send their ICMP responses to service A, producing a reflected DoS attack.
Two protection approaches address the attack scenario of Figure 10; the protection mechanism is deployed on switch A and switch C. Protection has two stages: a control plane stage and a service plane stage. On the control plane the ARP procedure is enhanced: when a terminal issues an ARP broadcast request, it must carry its terminal identity ID and a signature covering the source MAC address. On the service plane, ICMP request packets must carry the terminal identity ID and are filtered on it.
Control plane stage: the attacker's ARP packet spoofs IPa, carries IDc, and is signed with the attacker's own private key SKc; the ID information is carried in an optional field of the IP packet. The steps are:
Step 1. Control plane table building: in its ARP broadcast request, service A carries IDa and a signature over the source communication information (optionally IDa, optionally MACa, and IPa), and the switch builds the enhanced control table entry IPa<->MACa<->port1<->IDa.
Step 2. Illegal host C signs the source communication information (optionally IDc, optionally MACc, and the spoofed IPa) with its private key SKc. If the ARP broadcast request carries IDc, the switch verifies the signature successfully with public key PKc and updates the enhanced control table entry to IPa<->MACc<->port2<->IDc.
Step 3. Service plane forwarding: when illegal host C spoofs IPa and sends an ICMP request carrying IDc, the enhanced control table check passes. But because ICMP responses are forwarded according to the port recorded in the table, an attack on service A can form only if the associated port happens to coincide; and if an attack does form, illegal host C can be traced, because the enhanced control table is bound to its real terminal ID, IDc. If illegal host C spoofs IPa and sends an ICMP request carrying IDa, the enhanced control table check fails because the IDs do not match, the ICMP request is dropped, and no attack can form.
Service plane stage: the attacker's ARP packet spoofs IPa, carries IDa, and is signed with the attacker's own private key SKc; the ID information is carried in the IP address or in an optional field of the IP address. The steps are:
Step 1. Control plane table building: in its ARP broadcast request, service A carries IDa and a signature over the source communication information (optionally IDa, optionally MACa, and IPa), and the switch builds the enhanced control table entry IPa<->MACa<->port1<->IDa.
Step 2. Illegal host C signs the source communication information (optionally IDc, optionally MACc, and the spoofed IPa) with its private key SKc. If the ARP broadcast request carries IDa, the switch's verification with public key PKa fails and no table entry is created.
Step 3. Service plane forwarding: illegal host C spoofs IPa and sends ICMP requests; whether they carry IDc or IDa, no enhanced control table entry exists for them, so the ICMP requests are dropped and no attack can form.
Example four:
Figure 11 is a schematic diagram of a network attack scenario provided by another embodiment of this application.
As shown in Figure 11, an illegal DNS server and the legitimate DNS server are on the same LAN. The illegal DNS server sends an ARP broadcast request that spoofs address IP1 in order to hijack DNS.
Two protection approaches address the attack scenario of Figure 11; the protection mechanism is deployed on the switch. Protection has two stages: a control plane stage and a service plane stage.
Control plane stage: the attacker's ARP packet spoofs IP1, carries ID2, and is signed with the attacker's own private key SK2; the ID information is carried in an optional field of the IP packet. The steps are:
Step 1. Control plane table building: in its ARP broadcast request, the legitimate DNS server carries ID1 and a signature over the source communication information (optionally ID1, optionally MAC1, and IP1), and the switch builds the enhanced control table entry IP1<->MAC1<->port1<->ID1.
Step 2. The illegal DNS host signs the source communication information (optionally ID2, optionally MAC2, and the spoofed IP1) with its own private key SK2. If the ARP broadcast request carries ID2, the switch verifies the signature successfully with public key PK2, updates the enhanced control table entry to IP1<->MAC2<->port2<->ID2, and the control table on the router is updated to IP1<->MAC2<->port3<->ID2.
Step 3. Service plane forwarding: DNS request packets forwarded through the router are received by the illegal DNS server, but because the enhanced control table is bound to the illegal DNS server's real terminal ID, it can be traced.
Service plane stage: the attacker's ARP packet spoofs IP1, carries ID1, and is signed with the attacker's own private key SK2; the ID information is carried in the IP address or in an optional field of the IP address. The steps are:
Step 1. Control plane table building: in its ARP broadcast request, the legitimate DNS server carries ID1 and a signature over the source communication information (optionally ID1, optionally MAC1, and IP1), and the switch builds the enhanced control table entry IP1<->MAC1<->port1<->ID1.
Step 2. The illegal DNS host signs the source communication information (optionally ID1, optionally MAC2, and the spoofed IP1) with its own private key SK2. If the ARP broadcast request carries ID1, the switch's verification with public key PK1 fails and no table entry is created.
Step 3. Service plane forwarding: because the enhanced control table was not modified, DNS hijacking does not occur.
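The following is an added, runnable model of the mechanism walked through in Example three and Example four; it is not code from the patent or its applicant. Assumptions: the class and field names, the port labels, the canonical encoding of the signed (ID, MAC, IP) fields, and the switch holding an ID-to-public-key registry provisioned out of band. The patent names no signature algorithm, so a Lamport one-time signature built from SHA-256 stands in for it (a deployed switch would use an ECDSA- or EdDSA-class scheme); because Lamport keys may sign only once, every replay uses fresh terminals. The service plane check compares the whole IP<->MAC<->port<->ID binding rather than the ID alone, which reproduces both outcomes the text describes: the attacker who carries its own ID is forwarded but traceable to that ID, and the attacker who carries the victim's ID is dropped whether or not the victim's entry exists.

```python
"""Toy model of the signed-ARP "enhanced control table" (added example; see lead-in).
A Lamport one-time signature over SHA-256 stands in for the unspecified scheme,
so a Terminal must sign at most once: replay() always gets fresh terminals."""
import hashlib
import secrets
from dataclasses import dataclass


def lamport_keygen():
    """256 pairs of random 32-byte secrets; the public key is their SHA-256 hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(x0).digest(), hashlib.sha256(x1).digest()) for x0, x1 in sk]
    return sk, pk


def _msg_bits(msg: bytes):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    """Reveal, for each bit of H(msg), the secret matching that bit."""
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == pk[i][bit] for i, (bit, s) in enumerate(zip(_msg_bits(msg), sig)))


def signed_fields(terminal_id: str, mac: str, ip: str) -> bytes:
    """Canonical encoding of the signed 'source communication information' (ID, MAC, IP)."""
    return f"{terminal_id}|{mac}|{ip}".encode()


@dataclass(frozen=True)
class ArpRequest:
    terminal_id: str  # ID carried in the ARP broadcast
    mac: str          # sender MAC
    ip: str           # sender IP (spoofed in the attack cases)
    sig: list         # signature over signed_fields(terminal_id, mac, ip)


class Switch:
    """ID -> public key registry (assumed provisioned out of band) plus the table IP -> (MAC, port, ID)."""

    def __init__(self, pubkeys: dict):
        self.pubkeys = pubkeys
        self.table = {}

    def handle_arp(self, arp: ArpRequest, ingress_port: str) -> str:
        pk = self.pubkeys.get(arp.terminal_id)  # the carried ID selects the verification key
        msg = signed_fields(arp.terminal_id, arp.mac, arp.ip)
        if pk is None or not lamport_verify(pk, msg, arp.sig):
            return "drop: signature check failed, table unchanged"
        self.table[arp.ip] = (arp.mac, ingress_port, arp.terminal_id)
        return "learned"

    def handle_service(self, terminal_id: str, mac: str, ip: str, ingress_port: str) -> str:
        entry = self.table.get(ip)
        if entry is None:
            return "drop: no entry"
        if entry != (mac, ingress_port, terminal_id):  # whole IP<->MAC<->port<->ID binding must match
            return "drop: binding mismatch"
        return f"forward (traceable to {entry[2]} on {entry[1]})"


class Terminal:
    def __init__(self, terminal_id: str, mac: str, ip: str):
        self.id, self.mac, self.ip = terminal_id, mac, ip
        self.sk, self.pk = lamport_keygen()

    def arp(self, claim_id: str = None, claim_ip: str = None) -> ArpRequest:
        """claim_* let an attacker spoof ID or IP; the signature is still made with its own key."""
        cid, cip = claim_id or self.id, claim_ip or self.ip
        return ArpRequest(cid, self.mac, cip, lamport_sign(self.sk, signed_fields(cid, self.mac, cip)))


def replay(victim: Terminal, attacker: Terminal, claimed_id: str) -> dict:
    """Victim registers on port1; attacker on port2 spoofs the victim's IP while carrying
    claimed_id (its own or the victim's), then sends service packets with either ID."""
    sw = Switch({victim.id: victim.pk, attacker.id: attacker.pk})
    sw.handle_arp(victim.arp(), "port1")
    out = {"arp": sw.handle_arp(attacker.arp(claim_id=claimed_id, claim_ip=victim.ip), "port2")}
    for tag, carried in (("own_id", attacker.id), ("victim_id", victim.id)):
        out[f"service_{tag}"] = sw.handle_service(carried, attacker.mac, victim.ip, "port2")
    out["table"] = sw.table[victim.ip]
    return out


if __name__ == "__main__":
    for claimed in ("IDc", "IDa"):  # Example three: control plane case, then service plane case
        print(claimed, replay(Terminal("IDa", "MACa", "IPa"), Terminal("IDc", "MACc", "IPc"), claimed))
```

Run with `claimed_id="IDc"` the attacker's entry replaces the victim's and its service packets are forwarded, but every forwarded packet is attributable to IDc on port2, which is the traceability the text claims; with `claimed_id="IDa"` the signature is checked against PKa, fails, and the victim's entry survives, so the attacker's service packets are dropped on the binding check. Substituting the DNS roles of Example four (ID1/ID2, MAC1/MAC2, IP1) gives the same two outcomes.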
In addition, as shown in Figure 12, an embodiment of this application discloses a switching device 200 comprising at least one first processor 210 and at least one first memory 220 for storing at least one program; when the at least one program is executed by the at least one first processor 210, steps S110 to S130, step S140, step S150, steps S160 to S180, steps S131 to S132 or step S133 of the packet processing method of the preceding embodiments are performed.
In addition, as shown in Figure 13, an embodiment of this application discloses a terminal 300 comprising at least one second processor 310 and at least one second memory 320 for storing at least one program; when the at least one program is executed by the at least one second processor 310, steps S210 to S230, steps S310 to S320 or step S240 of the packet processing method of the preceding embodiments are performed.
In addition, an embodiment of this application discloses a computer-readable storage medium storing computer-executable instructions, which are used to perform the packet processing method of any of the preceding embodiments.
Furthermore, an embodiment of this application discloses a computer program product comprising a computer program or computer instructions stored in a computer-readable storage medium; a processor of a computer device reads the computer program or instructions from the storage medium and executes them, causing the computer device to perform the packet processing method of any of the preceding embodiments.
Those of ordinary skill in the art will understand that all or some of the steps and systems of the methods disclosed above may be implemented as software, firmware, hardware, or an appropriate combination of these. Some or all of the physical components may be implemented as software executed by a processor such as a central processing unit, a digital signal processor or a microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (non-transitory media) and communication media (transitory media). As is well known to those of ordinary skill in the art, the term computer storage media covers volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can store the desired information and be accessed by a computer. It is also well known to those of ordinary skill in the art that communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210740116.3A CN117353927A (en) | 2022-06-28 | 2022-06-28 | Message processing method, switching equipment, terminal and storage medium |
| PCT/CN2023/097198 WO2024001645A1 (en) | 2022-06-28 | 2023-05-30 | Packet processing method, switching device, terminal, and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117353927A true CN117353927A (en) | 2024-01-05 |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118585357A (en) * | 2024-08-02 | 2024-09-03 | 北京开源芯片研究院 | Component communication method, device, equipment and storage medium in verification environment |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2024001645A1 (en) | 2024-01-04 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||