[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN1878061A - Bridge protocol data unit message verification method and device therefor - Google Patents

Bridge protocol data unit message verification method and device therefor Download PDF

Info

Publication number
CN1878061A
CN1878061A CN 200610090266 CN200610090266A CN1878061A CN 1878061 A CN1878061 A CN 1878061A CN 200610090266 CN200610090266 CN 200610090266 CN 200610090266 A CN200610090266 A CN 200610090266A CN 1878061 A CN1878061 A CN 1878061A
Authority
CN
China
Prior art keywords
message
bpdu
bpdu message
authentication information
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 200610090266
Other languages
Chinese (zh)
Inventor
汪政
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou Huawei 3Com Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Huawei 3Com Technology Co Ltd filed Critical Hangzhou Huawei 3Com Technology Co Ltd
Priority to CN 200610090266 priority Critical patent/CN1878061A/en
Publication of CN1878061A publication Critical patent/CN1878061A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The invention discloses a BPDU report detecting device with BPDU report receiving disposal mode and detecting mode and detecting method, which comprises the following steps: allocating detecting information on the legal STP equipment; discarding the report if legal STP equipment detects the report without confirming information; otherwise, detecting self-detecting information according to allocation; receiving the report if passing the detecting; discarding the report if failure. The invention can avoid network vibration and interruption due to frequent changing, which guarantees reliability and safety for Ethernet of calculation generating tree based on BPDU report.

Description

Network bridge protocol data unit message verification method and device
Technical field
The present invention relates to the Spanning-Tree Protocol technical field, be specifically related to a kind of network bridge protocol data unit message verification method and device.
Background technology
Along with development of Ethernet technology, switch is widely used gradually, and the major function of switch is that the Ethernet message is carried out two layers of forwarding.But, in network application, because the needs of redundancy backup, perhaps because incorrect link, can cause forming between the switch loop, as shown in Figure 1, three switches link to each other and form loop, if broadcasting packet enters network, the forwarding that will constantly circulate in this loop forms broadcast storm gradually, and broadcast storm can take the network bandwidth in a large number, and expend the resource of all receiving equipments, cause network performance sharply to descend.
In order to solve the broadcast storm problem, produced Spanning-Tree Protocol (STP) technology, this technology in loop, select a switch as: can be in Fig. 1 with switch 1 as the root bridge, then, set up a loop-free tree based on this root bridge, to so just avoid the existence of loop, thereby avoid broadcast storm as certain port block of certain switch of treetop.
After this, international electric engineer (IEEE) association has released rapid STP (RSTP) again on the basis of STP, and many STP standards such as (MSTP) is to remedy the some shortcomings of original STP agreement.No matter be STP, RSTP or MSTP, all be to safeguard that by the mutual exchange bridge protocol data cell of each inter-exchange (BPDU) message the generation tree of this each inter-exchange concerns, the STP information of carrying this switch in the BPDU message that each switch sends, the BPDU message format as shown in Figure 2, wherein, other data of BPDU data field comprise: information such as root bridge ID, root path cost, Designated Bridge ID, designated port ID, time parameter.By between switch, transmitting the BPDU message, and according to the allocation optimum message election mechanism of STP, determine which platform switch in the network is that root bridge, which platform switch are that port status on Designated Bridge, the switch is that forwarding state still is a blocked state etc.That the BPDU message will be in will be open, the switch in the distributed network connects, and carry out unified generation tree and calculate.
Since do not formulate the relevant authentication mechanism of BPDU message in the present standard, therefore, if the BPDU message that has illegal STP equipment to send enters network, can disturb normal generation tree to calculate, cause the generation tree of generation error, perhaps cause concussion, bring to network to seriously influence.This situation abbreviates the BPDU deception as.
The BPDU deception can cause the wrong choice of root bridge.Because only being the bridge ID that carries in the BPDU message according to each switch, the election of root bridge determines, so the switch on the path of the equipment of the poor-performing of user side or poor-performing may become the root bridge owing to bridge ID is very little in the network.Like this, if the root bridge will cause reselecting of root bridge because performance reason can not regularly be sent the BPDU message, cause the concussion of forwarded state; Simultaneously,, can force the switch that generates in the tree frequently to delete MAC Address list item and ARP list item, expend the resource of switch if not method STP equipment frequently sends the BPDU message of topology change.
In order to prevent the BPDU deception influence to switch, prior art provides some salvos outside the STP standard, comprising: the root bridge manually is set, and the protection of root bridge, Loop Protection, the protection of TC attack protection, BPDU filters etc., below describes respectively:
One, manual configuration root bridge
The bridge ID of switch is made up of preorder (Priority) position of 4bit, system (System) position of 12bit and 48 of the medium access controls (MAC) of 48bit.When selecting the root bridge, relatively preceding 32 and back 32 of the bridge ID of each switch respectively, the switch of bridge ID minimum is chosen to be the root bridge.Manual configuration root bridge is exactly to force the preamble bits of the bridge ID of the switch of better performances is made as 0, so that this switch can be chosen to be the root bridge.
Two, root bridge protection
The root bridge will not be re-used as the root bridge after receiving the BPDU message of sending than the littler switch of self bridge ID, can make like this network topology change to cause data forwarding to be interrupted.Root bridge defencive function; exactly after the root bridge is received the BPDU message of sending than the littler switch of self bridge ID, self port become listen attentively to (listenning) state, no longer E-Packet; be automatically brought to normal condition after 30 seconds, to avoid the frequent switching of root bridge.
Three, the protection of topology change (TC) attack protection
Switch (was generally 10 seconds) in a period of time after receiving the TC-BPDU message, only once delete the operation of MAC Address list item and ARP list item, monitor simultaneously and whether also receive the TC-BPDU message in this time period, if then switch is once deleted the operation of MAC Address list item and ARP list item again after this time period.To avoid frequently deleting MAC Address list item and ARP list item.
Four, BPDU protection
Because the edge port of access layer equipment under normal circumstances can not received the BPDU message, therefore if edge port receives the BPDU message, system's edge port automatically is set to non-edge port, recomputates and generates tree, causes the concussion of network topology.The BPDU defencive function that RSTP provides refers to, if edge port has been received the BPDU message, system just closes this edge port, notifies webmaster simultaneously, and pent edge port can only be recovered by webmaster
Five, BPDU filters
That is: provide the filtering function of a kind of similar access control lists (ACL),, the BPDU message of receiving is abandoned by hardware filtering by this function not participating in the port that STP calculates.
Perhaps, also the STP function of the port of the switch that directly links to each other with subscriber equipment can be closed, filter with the BPDU message that subscriber equipment is sent and abandon.
As can be seen, above-mentioned each scheme does not have complete safe all at certain specific demand.Simultaneously, each scheme all has shortcoming separately, wherein:
Manual configuration root bridge can't be avoided the attack of the less illegal STP equipment of bridge ID, for example: behind the BPDU message arrival root bridge that the bridge ID illegal STP equipment littler than the bridge ID of current root bridge sends, still can cause the reselection procedure of root bridge, cause the network concussion;
In the root bridge protection, the port of root bridge changed into do not transmit data mode, can cause the interruption of regular traffic;
Though the protection of TC attack protection can avoid deleting continually in a period of time MAC Address list item and ARP list item, can't fundamentally avoid the attack of malice TC-BPDU message;
The BPDU protection is primarily aimed at edge port, and the BPDU message of some malice is not to enter from edge port, and simultaneously direct close port also can cause the flow interrupt on these ports;
BPDU filters generally need be in conjunction with ACL, and uses on concrete port, realizes having relatively high expectations for chip, and not every equipment can both be realized well; When not supporting the STP function, can't filter by the BPDU message that the STP function of closing this switch is sent subscriber equipment with the switch that subscriber equipment directly links to each other.
Summary of the invention
In view of this, the invention provides a kind of BPDU message verification method and system, effectively to avoid of the attack of illegal STP equipment to legal STP equipment.
Technical scheme of the present invention is achieved in that
A kind of BPDU message verification method, configuration verification information on legal STP equipment in advance, this method comprises:
Legal STP equipment is received the BPDU message, judges whether this message carries authentication information, if not, abandons this message; If, according to the authorization information that is configured in self this authentication information is verified, if checking is passed through, accept this message, if authentication failed abandons this message.
Described BPDU message is: the message that the legal STP equipment of transmit leg is sent;
This method further comprises: dispose authentication information in advance on the legal STP equipment of transmit leg;
Described legal STP equipment further comprises before receiving the BPDU message: the legal STP equipment of transmit leg will be configured in the authentication information of self and put into the BPDU message.
This method further comprises: increase authentication field in advance in the BPDU message;
The authentication information that the legal STP equipment of described transmit leg will be configured in self is put into the BPDU message and is: the authentication field of described authentication information being put into the BPDU message.
Described authentication field is between the protocol identification field and protocol version identification field of BPDU message.
This method further comprises: set one for described protocol-identifier in advance and identify the different value of value with prior protocols;
Described legal STP equipment judges whether the BPDU message carries authentication information and comprise: legal STP equipment judges whether the value of the protocol-identifier that this message carries is described predefined value, if judge that this BPDU message carries authentication information; Otherwise, judge that this BPDU message does not carry authentication information.
Described authentication information and authorization information are: preset parameters is carried out the enciphered message that cryptographic calculation obtains.
Describedly preset parameters is carried out cryptographic calculation be: preset parameters is carried out cryptographic calculation according to informative abstract MD5 algorithm.
A kind of BPDU authentication of message device, this device comprises: BPDU message receiving processing module and authentication module, wherein:
BPDU message receiving processing module is used for after receiving the BPDU message that send the outside, if detecting this message does not carry authentication information, then abandons this message; Otherwise the authentication information that this message is carried sends to authentication module, and passes through indication if receive the checking that authentication module returns, and then accepts this BPDU message, if receive the authentication failed indication that authentication module returns, then abandons this BPDU message;
Authentication module, the authorization information that is used to preserve the BPDU message is verified according to the authentication information that this authorization information is sent BPDU message receiving processing module, if checking is passed through, returns checking by indication to BPDU message receiving processing module; If authentication failed is then returned the authentication failed indication to BPDU message receiving processing module.
This device further comprises: authentication information memory module and BPDU message sending module, wherein:
The authentication information memory module is used to preserve the authentication information of BPDU message, according to the request of BPDU message sending module, described authentication information is sent to BPDU message sending module;
BPDU message sending module is used for when determining to send the BPDU message, to authentication information memory module request authentication information, and the authentication information that the authentication information memory module is returned added to sends to BPDU message receiving processing module in the BPDU message.
Compared with prior art, the present invention is by configuration verification information on legal STP equipment in advance, and after legal STP equipment receives the BPDU message, if detecting this message does not carry authentication information, then abandons this message; Otherwise, according to the authorization information that is configured in self this authentication information is verified, if checking is passed through, accept this message, if authentication failed abandons this message.Wherein, authentication information is carried in the authentication field of BPDU message increase.Owing to do not dispose authentication information on the illegal STP equipment, so the BPDU message that illegal STP equipment sends can not accepted by legal STP equipment, thereby has avoided illegal STP equipment because the less situation that is selected as the root bridge of bridge ID; And avoided because the root bridge is received the BPDU message that bridge ID sends than self little illegal STP equipment, and change self port into situation about listening attentively to, avoided the interruption of data forwarding; Also avoided having avoided the short interruption of data forwarding, reduced the complexity that the software and hardware of STP equipment is realized because illegal STP equipment frequently sends the frequent deletion MAC Address list item that the TC-BPDU message causes and the situation of ARP list item; Simultaneously, the edge port of the legal STP equipment of Access Layer only needs judge whether this BPDU message is verified passes through, and need not directly to close this port after receiving the BPDU message, avoided the interruption of flow on the edge port; Simultaneously, need not also not support that the equipment of STP carries out the BPDU filtration of similar ACL, reduced equipment complexity and chip cost; In addition, because legal STP equipment can be verified the BPDU message that user side equipment sends, therefore, even do not support STP with the switch that user side STP equipment directly links to each other, perhaps support STP but do not close the STP function that the BPDU message that user side equipment sends also can't impact network.
In a word; the present invention can fundamentally solve the BPDU fraud problem, make that relying on the BPDU message to calculate the network that generates tree obtains reliable fail safe protection, and the present invention realizes simply; has versatility, for ethernet technology provides safety guarantee to the metropolitan area network development.
Description of drawings
Fig. 1 is connected to form the schematic diagram of loop for switch;
Fig. 2 is the form schematic diagram of existing BPDU message;
The flow chart of the BPDU authentication of message that Fig. 3 provides for the embodiment of the invention;
The form schematic diagram of the BPDU message that Fig. 4 provides for the embodiment of the invention;
The device block diagram of the BPDU authentication of message that Fig. 5 provides for the embodiment of the invention.
Embodiment
Core concept of the present invention is: the authentication information and the authorization information of configuration bpdu message on all legal STP equipment, and legal STP equipment is put into the BPDU message with authentication information before sending the BPDU message; Simultaneously, after legal STP equipment is received the BPDU message, if detecting this message does not carry authentication information, then with this packet loss; Otherwise, according to the authorization information that is configured in self authentication information in this message is verified, if checking is passed through, then accept this BPDU message and carry out respective handling, if authentication failed then abandons this message.Particularly, authentication information is carried in the authentication field that the BPDU message increases newly.
Legal STP equipment among the present invention refers to when the network planning, planning go into network and via the network planner as the equipment of the support STP that operator etc. confirm.Because the equipment of user side etc. also may be supported STP, therefore, when the network planning, must confirm one by one supporting the equipment of STP in the network, in order to avoid with the equipment of user side etc. as legal STP equipment.
The present invention is further described in more detail below in conjunction with drawings and the specific embodiments.
Fig. 3 is the flow chart of the BPDU message verification method that provides of the embodiment of the invention, and as shown in Figure 3, its concrete steps are as follows:
Step 301: on legal STP equipment, dispose authentication information and authorization information in advance.
Step 302: transmit leg STP equipment is determined to send the BPDU message, judges whether self disposes authentication information, if, execution in step 303; Otherwise, execution in step 304.
Step 303: transmit leg STP equipment will be configured in the authentication information of self and put into the BPDU message.
The present invention needs to increase the authentication field that is used to deposit authentication information in the BPDU message.Authentication field can be positioned at any position of BPDU message.Consider the factors such as reading efficiency of BPDU message, as shown in Figure 4, authentication field can be placed between the protocol identification field and protocol version identification field of BPDU message.
Simultaneously, the present invention also needs the authentication field station location marker is set in the BPDU message, to show the position of authentication field in the BPDU message.For example: if authentication field is placed between the protocol identification field and protocol version identification field of BPDU message, then the value of protocol-identifier can be set at different with the value of prior protocols sign, being authentication field after the presentation protocol identification field, to avoid legal STP equipment after receiving the BPDU message that does not carry authentication information that illegal STP equipment is sent, the version identifier field is used as the situation of authentication field.
Step 304: transmit leg STP equipment sends to recipient STP equipment with the BPDU message.
Step 305: after recipient STP equipment is received the BPDU message, judge whether self disposes authorization information, if, execution in step 306; Otherwise, execution in step 309.
Step 306: recipient STP equipment judges whether this BPDU message carries authentication information, if, execution in step 307; Otherwise, execution in step 310.
Particularly, recipient STP equipment can be according to authentication field station location marker in the BPDU message as the value of protocol-identifier, judge whether the BPDU message carries authentication information, as: if the value of protocol-identifier is same as the prior art, judge that then the BPDU message does not carry authentication information; If the value of setting among the value of protocol-identifier and the present invention is identical, judge that then the BPDU message carries authentication information.
Step 307: recipient STP equipment is verified the authentication information in this BPDU message according to the authorization information that is configured in self.
Step 308: whether recipient STP equipment judges this BPDU message by checking, if, execution in step 309; Otherwise, execution in step 310.
Step 309: recipient STP equipment is accepted this BPDU message, carries out respective handling according to this BPDU message, and this flow process finishes.
Step 310: recipient STP equipment abandons this BPDU message.
It is to be noted, among the present invention, also the authentication field station location marker can be set in the BPDU message, legal STP equipment is promptly: dispose all BPDU messages that the STP equipment acquiescence of authorization information receives and all carry authentication information, after receiving the BPDU message, in preassigned authentication field position as: directly read authentication information in the next field of protocol identification field, according to the authorization information that is configured in self this authentication information verified then.
By flow process shown in Figure 3 as can be seen: owing to do not dispose authentication information on the illegal STP equipment, so the BPDU message that illegal STP equipment sends can not accepted by legal STP equipment, therefore:
Even the illegal STP equipment that a bridge ID is very little has sent the BPDU message, this BPDU message can be abandoned by the root bridge, thereby can not cause re-electing of root bridge, has avoided the frequent change of root bridge; Also need not simultaneously to have avoided the interruption of data forwarding to change port status into listening attentively to state by configuration root bridge defencive function on the root bridge;
Even two illegal STP equipment have sent the TC-BPDU message, because this message does not carry authentication information, legal STP equipment can abandon this message, thereby can not carry out deletion MAC Address list item and ARP list item, avoid the short interruption of data forwarding, saved CPU (CPU) resource;
Three, the edge port of the legal STP equipment of Access Layer is after receiving the BPDU message that illegal STP equipment is sent, need not directly to close this port, only need by judging whether this BPDU message carries authentication information and checking by determining whether transmitting this message, thereby avoided the interruption of flow on the edge port;
Four, because whether legal STP equipment can by passing through checking to the BPDU message, determine that acceptance still abandons the BPDU message, therefore, need not legal STP equipment self the port that STP calculates that do not participate in is carried out the setting of BPDU filtering function separately, reduced the complexity that software and hardware is realized; Simultaneously, owing to legal STP equipment can be verified the BPDU message that user side equipment sends, therefore, even do not support STP with the switch that user side equipment directly links to each other, perhaps support STP but do not close the STP function that the BPDU message that user side equipment sends also can't impact network.
Fig. 5 is the device block diagram of BPDU authentication of message provided by the invention, and as shown in Figure 5, it mainly comprises: authentication information memory module 51, BPDU message sending module 52, BPDU message receiving processing module 53 and authentication module 54, wherein:
Authentication information memory module 51: be used to preserve the authentication information of BPDU message, after receiving that authentication information that BPDU message sending module 52 is sent obtains request, authentication information sent to BPDU message sending module 52.
BPDU message sending module 52: be used for when determining to send the BPDU message, send authentication informations to authentication information memory module 51 and obtain request, and the authentication information that authentication information memory module 51 is returned is added in the authentication field of BPDU message and send to BPDU message receiving processing module 53.
BPDU message receiving processing module 53: be used for after receiving the BPDU message that BPDU message sending module 52 is sent,, then abandon this message if detecting this message does not carry authentication information; Carry authentication information if detect this message, then this authentication information is sent to authentication module 54, after this pass through indication if receive the checking that authentication module 54 returns, then accept this BPDU message and carry out respective handling, if receive the authentication failed indication that authentication module 54 returns, then abandon this BPDU message.
Authentication module 54: the authorization information that is used to preserve the BPDU message, and after receiving the authentication information that BPDU message receiving processing module 53 is sent, according to the authorization information of self preserving described authentication information is verified, if checking is passed through, then return checking by indication to BPDU message receiving processing module 53; If authentication failed is then returned the authentication failed indication to BPDU message receiving processing module 53.
Authentication-authentication mechanism of mentioning among the present invention can be used the authentication-authentication mechanism of maturation of the prior art, for example: authentication information among the present invention and authorization information can be predefined key, whether STP device just checking is configured in the authorization information of self identical with authentication information in the BPDU message, can learn whether this BPDU message should be accepted; Perhaps, authentication information among the present invention and authorization information can by preset parameters is moved cryptographic algorithm of the prior art as: informative abstract (MD) 5 algorithms obtain, the STP device just relatively is configured in the authorization information of self and whether the authentication information of BPDU message mates, and can learn whether this BPDU message should be accepted.
The above only is process of the present invention and method embodiment, in order to restriction the present invention, all any modifications of being made within the spirit and principles in the present invention, is not equal to replacement, improvement etc., all should be included within protection scope of the present invention.

Claims (9)

1, a kind of BPDU BPDU message verification method is characterized in that, configuration verification information on legal Spanning-Tree Protocol STP equipment in advance, and this method comprises:
Legal STP equipment is received the BPDU message, judges whether this message carries authentication information, if not, abandons this message; If, according to the authorization information that is configured in self this authentication information is verified, if checking is passed through, accept this message, if authentication failed abandons this message.
2, the method for claim 1 is characterized in that, described BPDU message is: the message that the legal STP equipment of transmit leg is sent;
This method further comprises: dispose authentication information in advance on the legal STP equipment of transmit leg;
Described legal STP equipment further comprises before receiving the BPDU message: the legal STP equipment of transmit leg will be configured in the authentication information of self and put into the BPDU message.
3, method as claimed in claim 2 is characterized in that, this method further comprises: increase authentication field in advance in the BPDU message;
The authentication information that the legal STP equipment of described transmit leg will be configured in self is put into the BPDU message and is: the authentication field of described authentication information being put into the BPDU message.
4, method as claimed in claim 3 is characterized in that, described authentication field is between the protocol identification field and protocol version identification field of BPDU message.
5, method as claimed in claim 4 is characterized in that, this method further comprises: set one for described protocol-identifier in advance and identify the different value of value with prior protocols;
Described legal STP equipment judges whether the BPDU message carries authentication information and comprise: legal STP equipment judges whether the value of the protocol-identifier that this message carries is described predefined value, if judge that this BPDU message carries authentication information; Otherwise, judge that this BPDU message does not carry authentication information.
6, as each described method in the claim 2,3,4,5, it is characterized in that described authentication information and authorization information are: preset parameters is carried out the enciphered message that cryptographic calculation obtains.
7, method as claimed in claim 6 is characterized in that, describedly preset parameters is carried out cryptographic calculation is: according to informative abstract MD5 algorithm preset parameters is carried out cryptographic calculation.
8, a kind of BPDU authentication of message device is characterized in that this device comprises: BPDU message receiving processing module and authentication module, wherein:
BPDU message receiving processing module is used for after receiving the BPDU message that send the outside, if detecting this message does not carry authentication information, then abandons this message; Otherwise the authentication information that this message is carried sends to authentication module, and passes through indication if receive the checking that authentication module returns, and then accepts this BPDU message, if receive the authentication failed indication that authentication module returns, then abandons this BPDU message;
Authentication module, the authorization information that is used to preserve the BPDU message is verified according to the authentication information that this authorization information is sent BPDU message receiving processing module, if checking is passed through, returns checking by indication to BPDU message receiving processing module; If authentication failed is then returned the authentication failed indication to BPDU message receiving processing module.
9, device as claimed in claim 8 is characterized in that, this device further comprises: authentication information memory module and BPDU message sending module, wherein:
The authentication information memory module is used to preserve the authentication information of BPDU message, according to the request of BPDU message sending module, described authentication information is sent to BPDU message sending module;
BPDU message sending module is used for when determining to send the BPDU message, to authentication information memory module request authentication information, and the authentication information that the authentication information memory module is returned added to sends to BPDU message receiving processing module in the BPDU message.
CN 200610090266 2006-07-11 2006-07-11 Bridge protocol data unit message verification method and device therefor Pending CN1878061A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610090266 CN1878061A (en) 2006-07-11 2006-07-11 Bridge protocol data unit message verification method and device therefor

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200610090266 CN1878061A (en) 2006-07-11 2006-07-11 Bridge protocol data unit message verification method and device therefor

Publications (1)

Publication Number Publication Date
CN1878061A true CN1878061A (en) 2006-12-13

Family

ID=37510374

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200610090266 Pending CN1878061A (en) 2006-07-11 2006-07-11 Bridge protocol data unit message verification method and device therefor

Country Status (1)

Country Link
CN (1) CN1878061A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101848085A (en) * 2009-03-25 2010-09-29 华为技术有限公司 Communication system, verification device, and verification and signature method for message identity
CN102158394A (en) * 2011-01-30 2011-08-17 福建星网锐捷网络有限公司 Attack prevention method for virtual router redundancy protocol router and access equipment
CN101547158B (en) * 2009-05-13 2013-04-10 杭州华三通信技术有限公司 PADT message interaction method and device in PPPoE session
WO2019137554A1 (en) * 2018-01-15 2019-07-18 中兴通讯股份有限公司 Method and device for ensuring operation security of ring network protocol
CN111478896A (en) * 2020-04-03 2020-07-31 中电科航空电子有限公司 Method for solving RSTP fake root bridge attack
CN114978939A (en) * 2022-06-10 2022-08-30 中煤科工重庆设计研究院(集团)有限公司 Method for detecting network link quality

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101848085A (en) * 2009-03-25 2010-09-29 华为技术有限公司 Communication system, verification device, and verification and signature method for message identity
CN101848085B (en) * 2009-03-25 2013-12-18 华为技术有限公司 Communication system, verification device, and verification and signature method for message identity
CN101547158B (en) * 2009-05-13 2013-04-10 杭州华三通信技术有限公司 PADT message interaction method and device in PPPoE session
CN102158394A (en) * 2011-01-30 2011-08-17 福建星网锐捷网络有限公司 Attack prevention method for virtual router redundancy protocol router and access equipment
CN102158394B (en) * 2011-01-30 2013-11-20 福建星网锐捷网络有限公司 Attack prevention method for virtual router redundancy protocol router and access equipment
WO2019137554A1 (en) * 2018-01-15 2019-07-18 中兴通讯股份有限公司 Method and device for ensuring operation security of ring network protocol
CN111478896A (en) * 2020-04-03 2020-07-31 中电科航空电子有限公司 Method for solving RSTP fake root bridge attack
CN114978939A (en) * 2022-06-10 2022-08-30 中煤科工重庆设计研究院(集团)有限公司 Method for detecting network link quality

Similar Documents

Publication Publication Date Title
CN1265593C (en) Detecting method of reachability among IP network equipments and its application in public dialing network platform accessing backup
EP2725749B1 (en) Method, apparatus and system for processing service flow
CN1878061A (en) Bridge protocol data unit message verification method and device therefor
CN1863069A (en) Method for implementing fast switching of virtual special LAN service
CN1640090A (en) An apparatus and method for secure, automated response to distributed denial of service attacks
CN1679277A (en) Test method for message paths in communication networks, and network element
CN1845512A (en) Method and apparatus for detecting loop
CN101060485A (en) Topology changed messages processing method and processing device
CN1885839A (en) Method for realizing active/standby gateway apparatus in network
CN101079746A (en) Secure implementation method and device of broadband access device
CN1791064A (en) Stack manager protocol with automatic set up mechanism
CN1175621C (en) Method of detecting and monitoring malicious user host machine attack
CN101030912A (en) Fast ring network method against attack based on RRPP, apparatus and system
JP5134141B2 (en) Unauthorized access blocking control method
CN101068376A (en) Short message system, flow control configurating method and flow controlling method
CN101056191A (en) Multicast processing method in the GPON system
CN1747439A (en) Fault treating method for phase switching loop of automatic protection system of Ethernet
CN1946060A (en) Method for realizing re-oriented message correctly repeat and first-part and second-part
CN1889501A (en) Method and system for deciding bridge role
CN101039167A (en) Multicasting network system and method for detecting link fault of multicasting network
CN1866886A (en) Network monitoring system and method for realizing monitoring
CN1812340A (en) Realizing method for preventing point-to point protocol recognization from being attacked in wideband cut-in network
CN100518142C (en) Method for preventing network interruption caused by address aging and time inconformity
CN100352210C (en) Method for managing network device
CN101771575B (en) Method, device and system for processing IP partitioned message

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20061213