User-side MAC address spoofing can be addressed with the following solutions:
(1) VMAC. In the upstream direction, the access node allocates or generates a unique VMAC address for each <physical port, MAC> pair. The translated MAC address is trustworthy because it is generated by the device itself, which ensures that user-side MAC addresses are never duplicated. The VMAC address replaces the source MAC address of the message. In the downstream direction, the corresponding original MAC address is looked up from the VMAC and used in place of the VMAC address. VMAC can be used not only to prevent user MAC address spoofing, but also to prevent service server MAC address spoofing and to identify user ports. The disadvantage is that it affects protocols that depend on MAC addresses, and the processing is complex.
(2) MAC address binding. The MAC address is statically bound to the user port. If the source MAC address of a data message differs from the bound MAC address, the message is discarded. This method is simple, but its usability is poor: the MAC addresses in users' ad hoc networks vary greatly and their number is uncertain, so static binding is difficult to manage.
(3) Data packet forwarding based on PPPoE session awareness, which applies to PPPoE access environments. Each user corresponds to a unique PPPoE session ID. The access node can keep a table of these sessions; upstream traffic is aggregated directly, and downstream traffic is forwarded according to the table. In this way, packet forwarding avoids MAC addresses entirely and requires no MAC learning, so MAC address duplication is not a problem.
(4) Data packet forwarding based on IP awareness, which applies to IPoE broadband access network environments. A table is established on the access node; because each IP address is unique, there is no IP duplication, and downstream forwarding of data packets is not a problem. As with forwarding based on PPPoE sessions, MAC address learning is not required on access nodes.
Methods (3) and (4) above place certain requirements on the VLAN to which access nodes belong. If an access node belongs to a VLAN of its own, only that access node needs to forward data messages as described above. If multiple access nodes belong to one VLAN, the switches that aggregate these access nodes must also forward downstream data packets as described above. PPPoE session-aware or IP-aware forwarding differs qualitatively from the traditional forwarding mechanism of a Layer 2 switch. It is difficult to implement on general-purpose switching chips, and it only solves MAC address duplication for specific access types. The advantage is that it does not need to modify the data message and does not affect other protocols. MAC address spoofing of a service server causes the MAC address entry that network devices have learned for that server to migrate, so some users under those devices are unable to access the Internet.
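
The VMAC translation of method (1), modelled as an added example that is not taken from the original text or from any device implementation: the same source MAC seen on two ports yields two distinct VMACs, and each VMAC maps back to its own <physical port, MAC> pair. The VMAC byte layout, `node_id` and the per-port limit `max_per_port` are assumptions made for illustration.

```python
# Constructed model of VMAC translation at an access node (illustrative only).
# Assumed VMAC layout, not from the page: 02 | node id (2 bytes) | port (2 bytes) | index (1 byte).
# The leading 0x02 sets the locally administered bit, so a VMAC never equals a vendor-assigned MAC.

class VmacTable:
    def __init__(self, node_id, max_per_port=8):
        self.node_id = node_id
        self.max_per_port = max_per_port  # hypothetical per-port limit (must be <= 256)
        self.up = {}      # (port, original MAC) -> VMAC
        self.down = {}    # VMAC -> (port, original MAC)
        self.count = {}   # port -> VMACs allocated so far

    def _make_vmac(self, port, index):
        raw = (bytes([0x02]) + self.node_id.to_bytes(2, "big")
               + port.to_bytes(2, "big") + bytes([index]))
        return ":".join(f"{b:02x}" for b in raw)

    def upstream(self, port, src_mac):
        """VMAC that replaces src_mac on this port, or None when the port's limit is reached."""
        key = (port, src_mac.lower())
        if key not in self.up:
            n = self.count.get(port, 0)
            if n >= self.max_per_port:
                return None  # drop: no VMAC left for this port
            vmac = self._make_vmac(port, n)
            self.up[key] = vmac
            self.down[vmac] = key
            self.count[port] = n + 1
        return self.up[key]

    def downstream(self, dst_vmac):
        """(port, original MAC) to restore for a VMAC, or None for an unknown VMAC."""
        return self.down.get(dst_vmac.lower())

def demo():
    node = VmacTable(node_id=0x0001)
    mac = "00:11:22:33:44:55"        # constructed sample address
    v1 = node.upstream(1, mac)       # subscriber on port 1
    v2 = node.upstream(2, mac)       # port 2 presents the same source MAC
    return v1, v2, node.downstream(v1), node.downstream(v2)

if __name__ == "__main__":
    print(demo())
```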

