
CN105376346A - Method and system for improving safety of dynamic host configuration protocol (DHCP) - Google Patents


Info

Publication number: CN105376346A
Authority: CN (China)
Prior art keywords: dhcp, client, message, discover, host configuration
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201510900317.5A
Other languages: Chinese (zh)
Other versions: CN105376346B (en)
Inventor: 宁辉
Current Assignee: BEIJING ACK NETWORKS Inc (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Zhejiang Acknetworks Technology Co Ltd; BEIJING AIKE NETWORK COMMUNICATIONS TECHNOLOGY CO LTD
Priority date: 2015-12-09 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2015-12-09
Publication date: 2016-03-02
Application filed by Zhejiang Acknetworks Technology Co Ltd, BEIJING AIKE NETWORK COMMUNICATIONS TECHNOLOGY CO LTD
Priority to CN201510900317.5A
Publication of CN105376346A
Application granted; publication of CN105376346B (2018-12-14)
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Abstract

The invention relates to a method and system for improving the security of the DHCP protocol. The DHCP client first initiates a DHCP request by sending a DHCP-DISCOVER broadcast message without attaching any sensitive information; the DHCP server responds to the client's request; after receiving the server's response message, the DHCP client extracts the source MAC address from the response message, reconstructs a DHCP-DISCOVER unicast message and, as defined by the DHCP protocol, attaches any required DHCP options to that message to form a new message, which it then sends. The method and system for improving the security of the DHCP protocol described in the invention solve the problem of information leakage while a DHCP client uploads sensitive information, by reconstructing a DHCP-DISCOVER unicast message and uploading the sensitive information through it.

Description

A method and system for improving the security of the DHCP protocol

Technical field

The invention relates to the field of communication technology, and in particular to a method and system for improving the security of the DHCP protocol.

Background

The DHCP protocol (Dynamic Host Configuration Protocol) is defined in detail in RFC 2131. DHCP uses a client/server model and provides a mechanism for dynamically assigning IP addresses and network configuration to clients.

Typical network topologies for a DHCP system are shown in Figures 1 and 2.

In Figure 1 there is only one network segment, so the DHCP server can directly receive the broadcast messages sent by the DHCP client.

In Figure 2 there are several network segments, with routing performed by an access device (a router or similar). Because the broadcast messages sent by the DHCP client cannot propagate across subnets on their own, a DHCP proxy must be started on the access device; when the DHCP proxy hears a broadcast message from the DHCP client, it can forward it to a pre-configured DHCP server.

The process by which a DHCP client requests an IP address is shown in Figure 3: the DHCP client requests an IP address and configuration information from the DHCP servers on the network by means of a DHCP-DISCOVER broadcast message, and the DHCP server responds to the client's request according to its own configuration.

The DHCP client may attach its own specific information, such as the IP address it used last time, to the DHCP-DISCOVER broadcast message and send it to the DHCP server as a configuration suggestion.

Because the DHCP client does not itself know the address of the DHCP server, the destination MAC address of the DHCP-DISCOVER broadcast message it sends is the broadcast address, and that broadcast message can be heard by every host in the same subnet as the DHCP client. If sensitive information about the DHCP client is carried in this DHCP-DISCOVER broadcast message, the client's information is easily leaked, creating a network security problem.

Summary of the invention

In view of the defects of the prior art, the purpose of the present invention is to provide a method and system for improving the security of the DHCP protocol which, by reconstructing a DHCP-DISCOVER unicast message and uploading sensitive information through it, solves the problem of information leakage while a DHCP client uploads sensitive information.

To achieve the above object, the technical solution adopted by the present invention is as follows:

A method for improving the security of the DHCP protocol, characterized in that it comprises the following steps:

Step 1: the DHCP client sends a DHCP-DISCOVER broadcast message and then waits for a response from the DHCP server;

Step 2: the DHCP server receives the DHCP-DISCOVER broadcast message and then sends a response message to the DHCP client, the response message including but not limited to a DHCP-OFFER response message;

Step 3: the DHCP client receives the response message and then extracts the MAC address of the DHCP server from it;

Step 4: the DHCP client replaces the destination MAC address of the DHCP-DISCOVER broadcast message of step 1 with the DHCP server MAC address obtained in step 3, giving a DHCP-DISCOVER unicast message;

Step 5: according to the sensitive information to be transmitted, the DHCP client attaches the required DHCP options to the DHCP-DISCOVER unicast message as defined by the DHCP protocol, forming a DHCP-DISCOVER unicast message that contains the sensitive information;

Step 6: the DHCP client sends the DHCP-DISCOVER unicast message containing the sensitive information;

Step 7: the DHCP server receives the DHCP-DISCOVER unicast message containing the sensitive information and then sends a response message to the DHCP client again.

On the basis of the above technical solution, the DHCP client and the DHCP server are located in the same subnet, and messages between the DHCP client and the DHCP server are sent and received directly.

On the basis of the above technical solution, the DHCP client and the DHCP server are located in different subnets, an access device is provided between the two subnets, the access device has a DHCP proxy function, and messages between the DHCP client and the DHCP server are forwarded by the DHCP proxy.

A system for improving the security of the DHCP protocol using the above method, characterized in that it comprises a DHCP client and a DHCP server, where

the DHCP server assigns an IP address to the DHCP client, and

the DHCP client obtains the MAC address of the DHCP server from the response message to the DHCP-DISCOVER broadcast message, reconstructs a DHCP-DISCOVER unicast message whose destination MAC address is the MAC address of the DHCP server, and uses that DHCP-DISCOVER unicast message to send sensitive information to the DHCP server.

On the basis of the above technical solution, the system further comprises an access device in which a DHCP proxy is started; the DHCP proxy forwards messages, relaying DHCP packets according to the DHCP protocol in a network system with multiple segments.

On the basis of the above technical solution, the access device is a router.

The method and system for improving the security of the DHCP protocol described in the present invention solve the problem of information leakage while a DHCP client uploads sensitive information, by reconstructing a DHCP-DISCOVER unicast message and uploading the sensitive information through it.

By enhancing the functionality of the DHCP protocol, the present invention converts the DHCP broadcast message into a unicast message and uploads sensitive information through the unicast message, which strengthens the security of DHCP messages, prevents leakage of user information, and improves the security of network information transmission.

Description of the drawings

The present invention has the following drawings:

Figure 1: typical network topology 1 of an existing DHCP system;

Figure 2: typical network topology 2 of an existing DHCP system;

Figure 3: schematic diagram of the IP address request process initiated by an existing DHCP client;

Figure 4: schematic diagram of the IP address request process initiated by the DHCP client of the present invention;

Figure 5: schematic diagram 1 of the network topology of the present invention;

Figure 6: schematic diagram 2 of the network topology of the present invention;

Figure 7: schematic diagram of the message exchange of the present invention in the single-segment case;

Figure 8: schematic diagram of the message exchange of the present invention in the multi-segment case.

Detailed description

The present invention is described in further detail below with reference to the drawings.

As shown in Figures 4 to 8, the method for improving the security of the DHCP protocol of the present invention comprises the following steps:

Step 1: the DHCP client sends a DHCP-DISCOVER broadcast message and then waits for a response from the DHCP server;

a broadcast message is a message whose destination MAC address in the IP packet is the broadcast address; such a message can be received by every computer in the same subnet or, put another way, by every computer or network device in the same broadcast domain;

Step 2: the DHCP server receives the DHCP-DISCOVER broadcast message and then sends a response message to the DHCP client, the response message including but not limited to a DHCP-OFFER response message;

the DHCP server's response message may be a DHCP-OFFER response message or any other type of message with which the DHCP server responds;

Step 3: the DHCP client receives the response message and then extracts the MAC address of the DHCP server from it;

Step 4: the DHCP client replaces the destination MAC address of the DHCP-DISCOVER broadcast message of step 1 with the DHCP server MAC address obtained in step 3, giving a DHCP-DISCOVER unicast message;

a unicast message is a message whose destination MAC address in the IP packet is the MAC address of the DHCP server; only the device matching that MAC address can receive it;

Step 5: according to the sensitive information to be transmitted, the DHCP client attaches the required DHCP options to the DHCP-DISCOVER unicast message as defined by the DHCP protocol, forming a DHCP-DISCOVER unicast message that contains the sensitive information;

Step 6: the DHCP client sends the DHCP-DISCOVER unicast message containing the sensitive information;

Step 7: the DHCP server receives the DHCP-DISCOVER unicast message containing the sensitive information and then sends a response message to the DHCP client again.

In the present invention, in order to improve and ensure the security of the DHCP protocol, the DHCP client obtains the MAC address of the DHCP server from the response message to the DHCP-DISCOVER broadcast message and reconstructs a DHCP-DISCOVER unicast message from it; the DHCP client uses this DHCP-DISCOVER unicast message to send sensitive information to the server, and only the device matching that MAC address (the DHCP server) can receive it, which prevents leakage of user information and improves the security of network information transmission.

On the basis of the above technical solution, the DHCP client and the DHCP server are located in the same subnet, and messages between the DHCP client and the DHCP server are sent and received directly.

On the basis of the above technical solution, the DHCP client and the DHCP server are located in different subnets, an access device is provided between the two subnets, the access device has a DHCP proxy function, and messages between the DHCP client and the DHCP server are forwarded by the DHCP proxy.

In combination with the above method, the present invention also provides a system for improving the security of the DHCP protocol, comprising a DHCP client and a DHCP server, where

the DHCP server assigns an IP address to the DHCP client, and

the DHCP client obtains the MAC address of the DHCP server from the response message to the DHCP-DISCOVER broadcast message, reconstructs a DHCP-DISCOVER unicast message whose destination MAC address is the MAC address of the DHCP server, and uses that DHCP-DISCOVER unicast message to send sensitive information to the DHCP server.

On the basis of the above technical solution, the system further comprises an access device in which a DHCP proxy is started; the DHCP proxy forwards messages, relaying DHCP packets according to the DHCP protocol in a network system with multiple segments.

On the basis of the above technical solution, the access device is a router.

Network topology 1 of the present invention is shown in Figure 5. The system comprises a DHCP server and a DHCP client, both of which use the method introduced in the present invention so that security is enhanced. The message exchange steps are shown in Figure 7:

Step 601: the DHCP client first initiates a DHCP request by sending a DHCP-DISCOVER broadcast message; because the DHCP client does not know the MAC address of the DHCP server on the network, the destination MAC address of this message is the broadcast address, and no sensitive information is attached;

Step 602: the DHCP server, which is in the same subnet as the DHCP client, receives the broadcast message sent by the DHCP client and responds to the client's request;

Step 603: after receiving the server's response message, the DHCP client extracts the source MAC address from the response message, which is the MAC address of the DHCP server, and reconstructs a DHCP-DISCOVER unicast message with that MAC address as the destination MAC address, at the same time attaching any required DHCP options to the message as defined by the DHCP protocol; the new message is then sent.

Network topology 2 of the present invention is shown in Figure 6. The system comprises a DHCP server, a DHCP client, and a routing device (access device) on which a DHCP proxy has been started. The DHCP server and the DHCP client both use the method introduced in the present invention so that security is enhanced, while the DHCP proxy needs no modification. In this example the DHCP proxy is configured with the IP address of the DHCP server, so the DHCP proxy can forward DHCP requests to the DHCP server. The message exchange steps are shown in Figure 8:

Step 701: the DHCP client first initiates a DHCP request by sending a DHCP-DISCOVER broadcast message; because the DHCP client does not know the MAC address of the DHCP server on the network, the destination MAC address of this message is the broadcast address, and no sensitive information is attached;

Step 702: by the principles of routing and forwarding, a router does not forward broadcast packets by default. A DHCP proxy has been started on the router, and the DHCP proxy can hear the DHCP-DISCOVER broadcast message. Because the IP address of the DHCP server has been pre-configured in the DHCP proxy, the DHCP proxy can forward the DHCP-DISCOVER packet to the DHCP server as unicast;

Step 703: the DHCP server responds to the above message and sends a DHCP-OFFER to the DHCP proxy;

Step 704: the DHCP proxy forwards the DHCP-OFFER message to the DHCP client;

Step 705: after receiving the response message from the DHCP proxy, the DHCP client extracts the source MAC address from the response message, which is the MAC address of the DHCP proxy, and reconstructs a DHCP-DISCOVER unicast message with that MAC address as the destination MAC address, at the same time attaching any required DHCP options to the message as defined by the DHCP protocol; the new message is then sent.
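The following Python is an added illustration of the two-phase exchange of steps 601-603 and, through the same client function, step 705; it is not code from the patent or its assignee. It builds the first DISCOVER as a broadcast frame carrying only the message-type option, takes the source MAC of a (constructed) OFFER as the destination MAC of a rebuilt DISCOVER that now carries option 50 with the "last used IP" mentioned in the background, and adds a monitor-side check that flags any broadcast DHCP frame carrying a sensitive option. All MAC and IP addresses are constructed; frames are assembled with struct and never put on the wire.

```python
import socket
import struct

BROADCAST_MAC = b"\xff" * 6
DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_END = 50, 53, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
CLIENT_PORT, SERVER_PORT = 68, 67

def encode_options(opts):
    """Encode (code, value) pairs as DHCP TLVs and terminate with option 255."""
    body = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in opts)
    return body + bytes([OPT_END])

def decode_options(data):
    """Return {code: value} from the options area (handles pad 0 and end 255)."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def build_dhcp(op, xid, chaddr, yiaddr, opts):
    """RFC 2131 fixed 236-byte header, then magic cookie, then options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + DHCP_MAGIC + encode_options(opts)

def ip_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, dhcp):
    """Ethernet II + IPv4 + UDP around the DHCP payload (UDP checksum 0 is legal)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dhcp), 0) + dhcp
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_ip, dst_ip)
    iph = iph[:10] + struct.pack("!H", ip_checksum(iph)) + iph[12:]
    return dst_mac + src_mac + b"\x08\x00" + iph + udp

def parse_frame(frame):
    """Return (dst_mac, src_mac, options) of a DHCP-over-UDP-over-IPv4 frame."""
    ihl = (frame[14] & 0x0F) * 4
    dhcp = frame[14 + ihl + 8:]
    if dhcp[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    return frame[:6], frame[6:12], decode_options(dhcp[240:])

def client_initial_discover(client_mac, xid):
    """Step 1 / 601 / 701: broadcast DISCOVER carrying only the message type."""
    dhcp = build_dhcp(BOOTREQUEST, xid, client_mac, b"\0" * 4,
                      [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    return build_frame(BROADCAST_MAC, client_mac, socket.inet_aton("0.0.0.0"),
                       socket.inet_aton("255.255.255.255"), CLIENT_PORT, SERVER_PORT, dhcp)

def server_offer(server_mac, server_ip, client_mac, xid, offered_ip):
    """Step 2 / 602: a minimal OFFER; its source MAC is what the client extracts."""
    dhcp = build_dhcp(BOOTREPLY, xid, client_mac, offered_ip,
                      [(OPT_MSG_TYPE, bytes([DHCPOFFER]))])
    return build_frame(client_mac, server_mac, server_ip, offered_ip,
                       SERVER_PORT, CLIENT_PORT, dhcp)

def client_rebuild_discover(client_mac, xid, response_frame, sensitive_opts):
    """Steps 3-6 / 603 / 705: the responder's source MAC (the server, or the relay
    in the multi-segment case) becomes the destination MAC, and the options kept
    out of the broadcast are attached. Only the layer-2 destination changes."""
    _, responder_mac, _ = parse_frame(response_frame)
    dhcp = build_dhcp(BOOTREQUEST, xid, client_mac, b"\0" * 4,
                      [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))] + list(sensitive_opts))
    return build_frame(responder_mac, client_mac, socket.inet_aton("0.0.0.0"),
                       socket.inet_aton("255.255.255.255"), CLIENT_PORT, SERVER_PORT, dhcp)

def broadcast_carries_sensitive(frame, sensitive_codes=(OPT_REQUESTED_IP,)):
    """Monitor-side check: True if a broadcast DHCP frame carries a sensitive option."""
    dst, _, opts = parse_frame(frame)
    return dst == BROADCAST_MAC and any(code in opts for code in sensitive_codes)

def run_exchange():
    """Steps 601-603 with constructed addresses; returns both DISCOVER frames."""
    client = bytes.fromhex("020000000001")        # constructed client MAC
    server = bytes.fromhex("020000000002")        # constructed server MAC
    xid = 0x12345678
    first = client_initial_discover(client, xid)
    offer = server_offer(server, socket.inet_aton("192.0.2.1"), client, xid,
                         socket.inet_aton("192.0.2.50"))
    last_used_ip = socket.inet_aton("192.0.2.50")  # the "last used IP" suggestion
    second = client_rebuild_discover(client, xid, offer, [(OPT_REQUESTED_IP, last_used_ip)])
    return first, second

if __name__ == "__main__":
    for label, frame in zip(("broadcast", "unicast"), run_exchange()):
        dst, _, opts = parse_frame(frame)
        print(label, dst.hex(":"), sorted(opts), broadcast_carries_sensitive(frame))
```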

What is described above is an illustrative embodiment of the present invention, used to explain the invention; it does not limit the scope of the rights of the invention, and equivalent changes made within the patent scope of the present invention therefore still fall within the scope of the invention.

Content not described in detail in this specification belongs to the prior art known to those skilled in the art.

Claims (6)

1. A method for improving the security of the DHCP protocol, characterized in that it comprises the following steps:
Step 1: the DHCP client sends a DHCP-DISCOVER broadcast message and then waits for a response from the DHCP server;
Step 2: the DHCP server receives the DHCP-DISCOVER broadcast message and then sends a response message to the DHCP client, the response message including but not limited to a DHCP-OFFER response message;
Step 3: the DHCP client receives the response message and then extracts the MAC address of the DHCP server from it;
Step 4: the DHCP client replaces the destination MAC address of the DHCP-DISCOVER broadcast message of step 1 with the DHCP server MAC address obtained in step 3, giving a DHCP-DISCOVER unicast message;
Step 5: according to the sensitive information to be transmitted, the DHCP client attaches the required DHCP options to the DHCP-DISCOVER unicast message as defined by the DHCP protocol, forming a DHCP-DISCOVER unicast message that contains the sensitive information;
Step 6: the DHCP client sends the DHCP-DISCOVER unicast message containing the sensitive information;
Step 7: the DHCP server receives the DHCP-DISCOVER unicast message containing the sensitive information and then sends a response message to the DHCP client again.
2. The method for improving the security of the DHCP protocol according to claim 1, characterized in that the DHCP client and the DHCP server are located in the same subnet, and messages between the DHCP client and the DHCP server are sent and received directly.
3. The method for improving the security of the DHCP protocol according to claim 1, characterized in that the DHCP client and the DHCP server are located in different subnets, an access device is provided between the two subnets, the access device has a DHCP proxy function, and messages between the DHCP client and the DHCP server are forwarded by the DHCP proxy.
4. A system for improving the security of the DHCP protocol using the method of claim 1, 2 or 3, characterized in that it comprises a DHCP client and a DHCP server, wherein
the DHCP server assigns an IP address to the DHCP client, and
the DHCP client obtains the MAC address of the DHCP server from the response message to the DHCP-DISCOVER broadcast message, reconstructs a DHCP-DISCOVER unicast message whose destination MAC address is the MAC address of the DHCP server, and uses the DHCP-DISCOVER unicast message to send sensitive information to the DHCP server.
5. The system for improving the security of the DHCP protocol according to claim 4, characterized in that it further comprises an access device in which a DHCP proxy is started, the DHCP proxy forwarding messages; in a multi-segment network system the DHCP proxy forwards DHCP packets according to the DHCP protocol.
6. The system for improving the security of the DHCP protocol according to claim 5, characterized in that the access device is a router.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510900317.5A CN105376346B (en) 2015-12-09 2015-12-09 A kind of method and system improving DHCP protocol safety

Publications (2)

Publication Number Publication Date
CN105376346A true CN105376346A (en) 2016-03-02
CN105376346B CN105376346B (en) 2018-12-14

Family

ID=55378140

Country Status (1)

Country Link
CN (1) CN105376346B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109818955A (en) * 2019-01-22 2019-05-28 上海鹰信智能技术有限公司 A kind of control coding method of transmitted in both directions and its system
CN110351399A (en) * 2019-07-04 2019-10-18 四川天邑康和通信股份有限公司 A kind of gateway terminal LAN side address dynamic allocation management method and managing device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070192858A1 (en) * 2006-02-16 2007-08-16 Infoexpress, Inc. Peer based network access control
CN101098288A (en) * 2006-06-30 2008-01-02 中兴通讯股份有限公司 Method for Realizing Anti-Spoofing of Service Server Address in Access Mode
CN102055642A (en) * 2009-11-02 2011-05-11 中兴通讯股份有限公司 Data message conversion method
CN103079229A (en) * 2012-12-28 2013-05-01 上海寰创通信科技股份有限公司 Directional broadcast transmission method for access controller
CN103944867A (en) * 2013-01-23 2014-07-23 华为技术有限公司 Dynamic host configuration protocol (DHCP) message processing method, device and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20190320

Address after: Room 302, Block B, International Pioneer Park, No. 1 Information Road, Haidian District, Beijing, 100871

Patentee after: BEIJING ACK NETWORKS, Inc.

Address before: Room 302, Block B, International Pioneer Park, No. 1 Information Road, Haidian District, Beijing, 100871

Co-patentee before: ZHEJIANG AIZE NETWORK TECHNOLOGY CO.,LTD.

Patentee before: BEIJING ACK NETWORKS, Inc.

CP03 Change of name, title or address

Address after: 100871 Room 505, Section A, 5th Floor, Building 1, Sanjie Street, Shangdi Information Industrial Base, Haidian District, Beijing

Patentee after: BEIJING ACK NETWORKS, Inc.

Country or region after: China

Address before: Room 302, Block B, International Pioneer Park, No. 1 Information Road, Haidian District, Beijing, 100871

Patentee before: BEIJING ACK NETWORKS, Inc.

Country or region before: China