Safe access method based on dynamic host configuration protocol (DHCP) SNOOPING

A secure access technology, applied in encryption devices with shift registers/memory, data exchange through path configuration, digital transmission systems, etc. It addresses the problems of users being unable to access the network, exhaustion of switch resources and of the DHCP SERVER address space, and user inconvenience, achieving the effect of safety and reliability.

Active Publication Date: 2012-01-11
武汉神州数码云科网络技术有限公司

AI Technical Summary

Problems solved by technology

[0006] If the number of DHCP bindings on each switch port is not limited, malicious users will forge a large number of DHCP requests, exhausting the resources of the switch and the address space of the DHCP server.
[0007] A general access switch does not have a large-capacity non-volatile storage medium (such as flash), so once the switch restarts abnormally, or is shut down and restarted, the DHCP SNOOPING binding table stored in switch memory is lost. Because the user may be connected to the switch through other network devices (such as a hub), the user cannot perceive that the switch has restarted, and the user's DHCP CLIENT will not re-apply for an address or renew the lease. With no user binding information on the switch, users are unable to access the network, which causes them great inconvenience.


Embodiment Construction

[0024] The present invention is further described below with reference to the accompanying drawings and specific embodiments.

[0025] The network environment of the method of the invention is shown in Figure 1.

[0026] Following the technical scheme set out above, the detailed implementation steps are as follows, as shown in Figure 2:

[0027] (1) After DHCP SNOOPING is enabled on the switch, the port is set to the DHCP SNOOPING user control mode and the hardware table entry is set: no messages can be forwarded, and DHCP messages are redirected to the CPU. Until a DHCP user has dynamically obtained an IP address, it cannot access any resource other than requesting an IP address from the DHCP server. The content added as DHCP OPTION 82 is configurable: a specific character string and hexadecimal string can be specified. The default content is the switch CPU MAC, the user VLAN and the port number.

[0028] (2) The switch configures the background server address and por...


Abstract

The invention discloses a safe access method based on Dynamic Host Configuration Protocol (DHCP) SNOOPING. The method comprises: adding a user-defined or default OPTION 82 to the user DHCP request message received by a switch; configuring a binding quantity on a port; having the switch issue the user's binding information (IP, MAC, VLAN, PORT) to hardware; and encrypting the binding information and uploading it to a background server. Once the switch restarts, it acquires the binding information from the background server and sends an ARP request for the downloaded binding information to confirm the binding, which determines whether the binding information is still valid. The technical scheme of the invention guarantees the safety and reliability of distributing addresses through DHCP, and allows the security problems of accessing the network in DHCP mode to be effectively controlled and managed.
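The binding logic the abstract describes, as an added Python model that is not code from the patent: a per-port binding limit, four-field (IP, MAC, VLAN, PORT) matching, and restore after a restart gated on ARP confirmation. The names `Binding`, `SnoopingTable` and `arp_probe` are hypothetical; encryption and the transfer to the background server are omitted, and the ARP request is represented by a callable.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str

class SnoopingTable:
    """Model of the (IP, MAC, VLAN, PORT) binding table on an access switch."""
    def __init__(self, max_per_port):
        self.max_per_port = max_per_port  # binding quantity configured per port
        self.bindings = {}                # (mac, vlan) -> Binding

    def learn(self, b):
        """Install a binding; refuse new ones once the port limit is reached."""
        old = self.bindings.get((b.mac, b.vlan))
        used = sum(1 for x in self.bindings.values() if x.port == b.port)
        if (old is None or old.port != b.port) and used >= self.max_per_port:
            return False
        self.bindings[(b.mac, b.vlan)] = b
        return True

    def permits(self, ip, mac, vlan, port):
        """Traffic passes only if all four fields match an installed binding."""
        return self.bindings.get((mac, vlan)) == Binding(ip, mac, vlan, port)

    def restore(self, saved, arp_probe):
        """After a restart, reinstall only bindings confirmed by an ARP reply."""
        return [b for b in saved if arp_probe(b) and self.learn(b)]

def demo():
    # Constructed sample data: four clients behind one port limited to two bindings.
    hosts = [Binding(f"192.0.2.{i}", f"02:00:00:00:00:{i:02x}", 10, "eth1")
             for i in range(1, 5)]
    sw = SnoopingTable(max_per_port=2)
    accepted = [sw.learn(b) for b in hosts]
    saved = list(sw.bindings.values())   # snapshot uploaded to the background server
    rebooted = SnoopingTable(max_per_port=2)
    alive = {hosts[0].mac}               # assumption: only the first host answers ARP
    restored = rebooted.restore(saved, lambda b: b.mac in alive)
    return accepted, restored, rebooted

if __name__ == "__main__":
    print(demo()[:2])
```

A binding whose host does not answer the probe is dropped rather than reinstalled, so a stale entry downloaded from the server cannot be used to pass traffic.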

Description

Technical field

[0001] The invention relates to computer network access security technology, in particular to a security access method based on DHCP SNOOPING.

Background technique

[0002] Dynamic Host Configuration Protocol (DHCP) is a LAN network protocol that works over UDP and serves two main purposes: automatically assigning IP addresses to users on internal networks or for network service providers, and giving internal network administrators a means of centrally managing all computers.

[0003] The DHCP SNOOPING function refers to the switch monitoring the process by which the DHCP CLIENT obtains an IP address through the DHCP protocol. It prevents DHCP attacks and private DHCP SERVERs by setting trusted ports and untrusted ports. DHCP messages received from trusted ports can be forwarded without verification. A typical setting is to connect the trusted port to the DHCP SERVER or DHCP RELAY agent. If the untrusted port is connected to DHCP CLIENT, the switch will forward the DHCP request messa...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L12/56, H04L12/46, H04L29/12, H04L9/06
Inventor: 梁小冰
Owner: 武汉神州数码云科网络技术有限公司