CN112565253B - Method and device for verifying inter-domain source address, electronic equipment and storage medium

Info

Publication number: CN112565253B
Application number: CN202011406286.5A
Authority: CN (China)
Prior art keywords: source, address, data packet, identifier, destination
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112565253A
Inventors: 何林, 刘莹, 任罡, 杨家海
Current assignee: Tsinghua University
Original assignee: Tsinghua University
Events: application filed by Tsinghua University; priority to CN202011406286.5A; publication of CN112565253A; application granted; publication of CN112565253B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information the source of the received data

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/085 Secret sharing or secret splitting, e.g. threshold schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and an apparatus for verifying an inter-domain source address, an electronic device and a storage medium. The method for verifying the inter-domain source address comprises the following steps: when a first data packet sent by a host in a source AS is acquired, determining a first address prefix of the destination address of the first data packet, wherein the source address of the first data packet comprises an interface identifier, and a first source AS identifier of the source AS is embedded in the interface identifier; determining, based on the first address prefix, a shared key between the source AS and the destination AS corresponding to the destination address; encrypting the interface identifier based on the shared key to obtain a second data packet; and sending the second data packet to the destination address so that the border router of the destination AS verifies the source address based on the second data packet.

Description

Method and device for verifying inter-domain source address, electronic equipment and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to a method and an apparatus for verifying an inter-domain source address, an electronic device, and a storage medium.
Background
IP address forgery is commonly used in anonymous and reflection attacks such as Distributed Denial of Service (DDoS), which is extremely damaging to the internet and causes significant economic loss. The root cause is that the current internet does not verify the source address of a packet. Today, the accelerating deployment of IPv6 networks may exacerbate the harm of DDoS attacks, and in recent years the number of IPv6-based DDoS attacks has shown a growing trend. Therefore, it is important to design a method for preventing DDoS attacks in the IPv6 internet.
In order to prevent source address forgery, the related art proposes a Source Address Validation Architecture (SAVA), which provides a systematic solution to the problem of source address forgery. SAVA divides source address validation into three levels, the access subnetwork, the intra-Autonomous System (AS) level and the inter-domain level, each of which forms a loosely coupled defense that does not overlap with the others. Current inter-domain source address verification schemes fall into two categories: label-based schemes and route-based schemes. A label-based scheme adds a label related to the source address to each data packet and uses the label for subsequent verification; typical schemes include SPM, DISCS and Passport. The problem with this type of scheme is that the additional label enlarges the packet, which has a large impact on bandwidth-limited autonomous domains. Moreover, the label is usually placed in an extension header, and routers tend to discard packets carrying an extension header they do not recognize. A route-based scheme constructs filtering rules from routing information and then performs source address verification; typical schemes include RBF, IDPF, uRPF and SAVE. The problem with these schemes is that the asymmetry of inter-domain routing causes them to fail.
Disclosure of Invention
In view of the foregoing problems, the present application provides a method and an apparatus for verifying an inter-domain source address, an electronic device, and a storage medium.
The application provides a verification method of an inter-domain source address, which is applied to a boundary router in an autonomous domain AS and comprises the following steps:
under the condition of acquiring a first data packet sent by a host in a source AS, determining a first address prefix of a destination address of the first data packet, wherein a source address of the first data packet comprises an interface identifier, and a first source AS identifier of the source AS is embedded in the interface identifier;
determining a shared key between the source AS and a destination AS corresponding to the destination address based on the first address prefix;
encrypting the interface identifier based on the shared secret key to obtain a second data packet;
and sending the second data packet to the destination address so that the boundary router of the destination AS carries out verification of the source address based on the second data packet.
In some embodiments, the determining, based on the first address prefix, a shared key between the source AS and a destination AS corresponding to the destination address includes:
querying a pre-stored first correspondence table based on the first address prefix, wherein the first correspondence table comprises the correspondence between the first address prefix and a destination AS identifier;
determining the destination AS identifier based on the first correspondence table;
and determining a shared key between the source AS and the destination AS based on the destination AS identifier.
In some embodiments, the determining, based on the destination AS identifier, a shared key between the source AS and the destination AS includes:
querying a pre-stored second correspondence table based on the destination AS identifier, wherein the second correspondence table comprises the correspondence between the destination AS identifier and the shared key;
and determining the shared key between the source AS and the destination AS based on the second correspondence table.
In some embodiments, the method further comprises:
acquiring the first correspondence table and the second correspondence table;
and storing the first correspondence table and the second correspondence table.
In some embodiments, the method further comprises:
allocating the source AS identifier to the host in the source AS, so that the source AS identifier of the source AS is embedded in the interface identifier of the source address in the first data packet generated by the host.
The embodiment of the application provides a method for verifying an inter-domain source address, which is applied to a boundary router in a destination AS and comprises the following steps:
when a second data packet is acquired, determining a second address prefix of the source address in the second data packet, wherein the second data packet is obtained by a border router in the source AS encrypting an interface identifier of the source address based on a shared key, and a first source AS identifier of the source AS is embedded in the interface identifier;
determining a second AS identifier corresponding to the second address prefix;
determining a shared key between the source AS and the destination AS based on the second AS identifier;
decrypting the encrypted interface identifier based on the shared key to obtain the first source AS identifier;
and verifying the source address based on the first source AS identifier and the second AS identifier.
In some embodiments, the verifying the source address based on the first source AS identifier and the second AS identifier comprises:
comparing the first source AS identifier with the second AS identifier to obtain a comparison result;
and determining whether the source address passes verification based on the comparison result.
In some embodiments, the determining whether the source address passes verification based on the comparison result comprises:
determining that the source address fails verification when the comparison result indicates that the first source AS identifier is not equal to the second AS identifier;
and determining that the source address passes verification when the comparison result indicates that the first source AS identifier is equal to the second AS identifier.
In some embodiments, the method further comprises:
in the event that the source address verification is determined not to pass, discarding the second packet;
and under the condition that the source address is determined to pass the verification, obtaining a third data packet based on the interface identifier, and sending the third data packet to a destination address.
An embodiment of the present application provides an apparatus for verifying an inter-domain source address, including:
a first determining module, configured to determine, when a first data packet sent by a host in a source AS is acquired, a first address prefix of a destination address of the first data packet, where a source address of the first data packet includes an interface identifier, and a first source AS identifier of the source AS is embedded in the interface identifier;
a second determining module, configured to determine, based on the first address prefix, a shared key between the source AS and a destination AS corresponding to the destination address;
the encryption module is used for encrypting the interface identifier based on the shared secret key to obtain a second data packet;
and a first sending module, configured to send the second data packet to the destination address so as to enable the border router of the destination AS to verify the source address based on the second data packet.
An embodiment of the present application provides an apparatus for verifying an inter-domain source address, including:
a third determining module, configured to determine, when a second data packet is acquired, a second address prefix of the source address in the second data packet, wherein the second data packet is obtained by a border router in the source AS encrypting an interface identifier of the source address based on a shared key, and a first source AS identifier of the source AS is embedded in the interface identifier;
a fourth determining module, configured to determine a second AS identifier corresponding to the second address prefix;
a fifth determining module, configured to determine, based on the second AS identifier, a shared key between the source AS and the destination AS;
a decryption module, configured to decrypt the encrypted interface identifier based on the shared key to obtain the first source AS identifier;
and a verification module, configured to verify the source address based on the first source AS identifier and the second AS identifier.
An embodiment of the present application provides an electronic device, which includes a memory and a processor, where the memory stores a computer program, and when the computer program is executed by the processor, the processor performs any one of the above methods for verifying an inter-domain source address.
An embodiment of the present application provides a storage medium storing a computer program, which is executable by one or more processors and is operable to implement any one of the above methods for verifying an inter-domain source address.
The application provides a verification method, an apparatus, an electronic device and a storage medium for an inter-domain source address. A first source AS identifier is embedded in the first data packet sent by a host. After a border router in the source AS receives the first data packet, it encrypts the interface identifier with the shared key between the source AS and the destination AS to obtain a second data packet, which is forwarded to a border router in the destination AS. That border router decrypts the encrypted interface identifier with the shared key and verifies the decrypted first source AS identifier, completing verification of the source address. Forgery of the source address is thereby effectively prevented, which in turn helps prevent DDoS attacks. In addition, because the source AS identifier is embedded in the source address itself, no extra bandwidth is consumed during data transmission and no extension header is added that a router might discard.
Drawings
The present application will be described in more detail below on the basis of embodiments and with reference to the accompanying drawings.
Fig. 1 is a schematic flowchart of an implementation of a method for verifying an inter-domain source address according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of an implementation of another method for verifying an inter-domain source address according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of an implementation of a further method for verifying an inter-domain source address according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an apparatus for verifying an inter-domain source address according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
In the drawings, like parts are designated with like reference numerals, and the drawings are not drawn to scale.
Detailed Description
In order to make the objectives, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the attached drawings. The described embodiments should not be considered as limiting the present application, and all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the protection scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
Where the terms "first", "second" and "third" appear in this application, they merely distinguish similar objects and do not denote a specific ordering; it should be understood that "first", "second" and "third" may be interchanged where appropriate, so that the embodiments described herein can be implemented in an order other than the one shown or described.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the application.
The embodiment of the application provides a method for verifying an inter-domain source address, which is applied to a border router in an autonomous system (AS). The functions of the method may be implemented by a processor in the border router invoking program code, which may be stored in a computer storage medium. Fig. 1 is a schematic flowchart of an implementation of the method; as shown in Fig. 1, the method includes:
step S101, in a case of acquiring a first data packet sent by a host in a source AS, determining a first address prefix of a destination address of the first data packet, where a source address of the first data packet includes an interface identifier, and a first source AS identifier of the source AS is embedded in the interface identifier.
In this embodiment, the host may be a computer, a mobile terminal or the like, and the first data packet carries a destination address and a source address. The border router may first assign each host within its AS an AS identifier to embed. The source address is an IPv6 address. The first data packet sent by each host thus carries the identifier of its autonomous system, which can be used as the label for inter-domain source address verification. The source address includes an interface identifier, and the first source AS identifier of the source AS is embedded in the interface identifier. Illustratively, the interface identifier is formed as follows:
IID=ASN||nonce||ts;
where the first source AS identifier is represented by ASN, nonce is a random number, and ts is the time stamp at which the address was allocated.
In the embodiment of the present application, the source address is expressed as follows:
IPv6=prefix||IID;
where prefix represents the prefix allocated within each AS for each subnet.
In this embodiment, after the border router receives the first data packet, it may extract the first address prefix of the destination address of the first data packet; continuing the above example, this means extracting prefix.
Step S102, determining a shared key between the source AS and a destination AS corresponding to the destination address based on the first address prefix.
In the embodiment of the application, a first correspondence table is stored in the border router, comprising the correspondence between the first address prefix and a destination AS identifier. After determining the first address prefix, the border router queries the pre-stored first correspondence table based on it to determine the destination AS identifier, and then determines the shared key between the source AS and the destination AS based on the destination AS identifier. A second correspondence table is also stored in the border router, comprising the correspondence between the destination AS identifier and the shared key; the pre-stored second correspondence table is queried based on the destination AS identifier, and the shared key between the source AS and the destination AS is determined from it. In the embodiment of the present application, the shared key is a symmetric key.
Step S103, encrypt the interface identifier based on the shared key, to obtain a second data packet.
Step S104, sending the second data packet to the destination address, so that the border router of the destination AS performs verification of the source address based on the second data packet.
In this embodiment, when the border router of the destination AS acquires the second data packet, it may determine a second address prefix of the source address in the second data packet, the second data packet having been obtained by a border router in the source AS encrypting the interface identifier of the source address based on the shared key, with the first source AS identifier of the source AS embedded in the interface identifier; determine the second AS identifier corresponding to the second address prefix; determine the shared key between the source AS and the destination AS based on the second AS identifier; decrypt the encrypted interface identifier based on the shared key to obtain the first source AS identifier; and verify the source address based on the first source AS identifier and the second AS identifier.
According to this verification method for the inter-domain source address, the first source AS identifier is embedded in the first data packet sent by the host. After the border router in the source AS receives the first data packet, it encrypts the interface identifier with the shared key between the source AS and the destination AS to obtain the second data packet, which is forwarded to the border router in the destination AS. That border router decrypts the encrypted interface identifier with the shared key and verifies the decrypted first source AS identifier, completing verification of the source address. Forgery of the source address is thereby effectively prevented, and because the source AS identifier is embedded in the source address itself, no extra bandwidth is occupied during data transmission.
In some embodiments, the step S102 "determining a shared key between the source AS and a destination AS corresponding to the destination address based on the first address prefix" may be implemented by:
step S1021, querying a pre-stored first correspondence table based on the first address prefix, wherein the first correspondence table comprises the correspondence between the first address prefix and a destination AS identifier;
step S1022, determining the destination AS identifier based on the first correspondence table;
step S1023, determining a shared key between the source AS and the destination AS based on the destination AS identifier.
In this embodiment of the present application, determining, based on the destination AS identifier, a shared key between the source AS and the destination AS may be implemented by the following steps:
step S1, querying a pre-stored second correspondence table based on the destination AS identifier, where the second correspondence table includes the correspondence between the destination AS identifier and a shared key;
step S2, determining the shared key between the source AS and the destination AS based on the second correspondence table.
Before step S102, the method further comprises:
step S10, acquiring the first correspondence table and the second correspondence table.
step S20, storing the first correspondence table and the second correspondence table.
Before step S101, the method further comprises:
step S100, allocating the source AS identifier to the host in the source AS, so that the source AS identifier is embedded in the interface identifier of the source address in the first data packet generated by the host.
Based on the foregoing embodiments, the present application provides a method for verifying an inter-domain source address that is applied to a border router in a destination AS. The functions of the method may be implemented by a processor in that border router invoking program code, which may be stored in a computer storage medium. Fig. 2 is a schematic flowchart of an implementation of this method; as shown in Fig. 2, the method includes:
step S201, in the case of acquiring the second data packet, determining a second address prefix of the source address in the second data packet.
In this embodiment of the present application, the second packet is obtained by encrypting, by a border router in the source AS, an interface identifier of the source address based on a shared key, where the first source AS identifier of the source AS is embedded in the interface identifier.
Step S202, determining the second AS identifier corresponding to the second address prefix.
In the embodiment of the application, a pre-stored third correspondence table may be queried based on the second address prefix, where the third correspondence table includes the correspondence between the second address prefix and a source AS identifier, and the second AS identifier is determined based on the third correspondence table.
step S203, determining a shared key between the source AS and the destination AS based on the second AS identifier.
In the embodiment of the application, a pre-stored fourth correspondence table is queried based on the second AS identifier, where the fourth correspondence table includes a correspondence between the second AS identifier and a shared key; and determining a shared secret key between the source AS and the destination AS based on the fourth corresponding relation table.
Step S204, decrypting the encrypted interface identifier based on the shared key to obtain a first source AS identifier.
Step S205, verifying the source address based on the first source AS identifier and the second AS identifier.
According to this verification method for the inter-domain source address, the first source AS identifier is embedded in the first data packet sent by the host. After the border router in the source AS receives the first data packet, it encrypts the interface identifier with the shared key between the source AS and the destination AS to obtain the second data packet, which is forwarded to the border router in the destination AS. That border router decrypts the encrypted interface identifier with the shared key to obtain the first source AS identifier and verifies it, completing verification of the source address. Forgery of the source address is thereby effectively prevented, and because the source AS identifier is embedded in the source address itself, no extra bandwidth is occupied during data transmission.
In some embodiments, the step S205 "verifying the source address based on the first source AS identification and the second AS identification" may be implemented by:
step S2051, comparing the first source AS identifier with the second AS identifier to obtain a comparison result.
In this embodiment, the first source AS identifier and the second AS identifier may be compared for equality, so that the comparison result is either that the first source AS identifier is the same as the second AS identifier, or that the first source AS identifier is different from the second AS identifier.
Step S2052, determining whether the source address passes verification based on the comparison result.
In the embodiment of the present application, determining whether the source address passes the verification based on the comparison result includes: determining that the source address verification fails when the comparison result indicates that the first source AS identifier is not equal to the second AS identifier; and determining that the source address passes verification under the condition that the comparison result represents that the first source AS identification is equal to the second AS identification.
After step S2052, in case it is determined that the source address verification does not pass, discarding the second packet; and under the condition that the source address is determined to pass the verification, obtaining a third data packet based on the interface identifier, and sending the third data packet to a destination address.
An embodiment of the present application provides a method for verifying an inter-domain source address, and Fig. 3 is a schematic flowchart of an implementation of another such method; as shown in Fig. 3, the method includes:
step S301, a border router in a source autonomous domain AS determines a first address prefix of a destination address of a first data packet when acquiring the first data packet sent by a host in a source AS, wherein a source address of the first data packet includes an interface identifier, and a first source AS identifier of the source AS is embedded in the interface identifier;
step S302, a border router in a source autonomous domain AS determines a shared secret key between the source AS and a destination AS corresponding to the destination address based on the first address prefix;
step S303, the boundary router in the source autonomous domain AS encrypts the interface identifier based on the shared secret key to obtain a second data packet;
step S304, the border router in the source autonomous domain AS sends the second packet to the destination address.
step S305, the border router in the destination AS determines, when acquiring the second data packet, the second address prefix of the source address in the second data packet; the second data packet is obtained by encrypting an interface identifier of the source address by a border router in the source AS based on a shared secret key, and a first source AS identifier of the source AS is embedded in the interface identifier;
step S306, the border router in the destination AS determines the second AS identifier corresponding to the second address prefix;
step S307, the border router in the destination AS determines the shared key between the source AS and the destination AS based on the second AS identifier;
step S308, the border router in the destination AS decrypts the encrypted interface identifier based on the shared key to obtain the first source AS identifier;
step S309, the border router in the destination AS verifies the source address based on the first source AS identifier and the second AS identifier.
The embodiment of the present application further provides a method for verifying an inter-domain source address, in which an address generation manner that embeds the Autonomous System Number (ASN) (the same as the AS identifier in the above embodiment) is designed, so that the source and destination ASes of the two communicating parties can verify the source address through a negotiated key (the same as the shared key in the above embodiment) without taking up additional bandwidth.
In the embodiment of the application, each AS first allocates IPv6 addresses with the ASN embedded to its internal hosts:
IID=ASN||nonce||ts
IPv6=prefix||IID
where prefix represents the prefix allocated to each subnet in the AS, ASN represents the number of the AS, nonce is a random number, and ts is the time stamp at which the address was allocated.
Therefore, the traffic sent by each host carries the ASN of its autonomous domain, which can be used as a label for inter-domain source address verification.
First, every two ASes need to share a symmetric key, and each AS maintains two tables: prefix_as and as_key. The prefix_as table records the correspondence between IPv6 prefixes and ASNs, and the as_key table records the symmetric keys shared with other ASes.
When verification is carried out, the traffic sent by the source host reaches the border router R_s of the source AS. R_s extracts the prefix prefix_d of the destination address from the data packet (the same as the first data packet in the above embodiment), queries prefix_as to obtain ASN_d, and then uses ASN_d to query as_key to obtain the key shared with the destination AS. R_s then encrypts the IID_s in the source IPv6 address using this key and forwards the packet (the second data packet in the above embodiment).
When the border router R_d of the destination AS receives the data packet (the same as the second data packet in the above embodiment), R_d extracts the prefix prefix_s of the source address from the data packet, queries prefix_as to obtain ASN_s, and then uses ASN_s to query as_key to obtain the key shared with the source AS. R_d decrypts the IID_s in the source IPv6 address using this key to obtain the ASN embedded in IID_s. Whether the source address is forged is determined by comparing whether this ASN (the same as the first source AS identifier in the above embodiment) is equal to ASN_s (the same as the second AS identifier in the above embodiment). If the two are not equal, the source address in the data packet is forged and the data packet is discarded; if the two are equal, the decrypted IID_s replaces the encrypted IID_s and the data packet is forwarded.
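The address generation and the two border-router steps above, as an added worked model in Python (not the patent's own code): the prefixes, ASNs and keys are constructed demo values, and the 32/16/16-bit IID layout and the HMAC-based 64-bit Feistel permutation (standing in for the symmetric cipher the text leaves unspecified) are assumptions; demo() runs one legitimate packet and one forged packet through R_s and R_d.

```python
# Added worked model of the ASN-embedded address scheme; prefixes, ASNs and
# keys are constructed demo values, the cipher is a stand-in (assumption).
import hashlib
import hmac
import struct
from ipaddress import IPv6Address, IPv6Network

# prefix_as table: IPv6 prefix -> ASN (constructed, documentation prefixes only)
PREFIX_AS = {
    IPv6Network("2001:db8:1::/48"): 64496,  # source AS in the demo
    IPv6Network("2001:db8:2::/48"): 64497,  # destination AS in the demo
    IPv6Network("2001:db8:3::/48"): 64498,  # third AS, origin of the forged packet
}

# as_key table: unordered AS pair -> shared symmetric key (constructed demo keys)
AS_KEY = {
    tuple(sorted(pair)): hashlib.sha256(b"demo key %d-%d" % pair).digest()
    for pair in [(64496, 64497), (64498, 64497), (64496, 64498)]
}

def make_iid(asn, nonce, ts):
    """IID = ASN || nonce || ts; the 32/16/16-bit layout is an assumption."""
    return struct.pack(">IHH", asn, nonce & 0xFFFF, ts & 0xFFFF)

def make_address(prefix, iid):
    """IPv6 = prefix || IID for a /64 subnet prefix."""
    net = IPv6Network(prefix)
    assert net.prefixlen == 64 and len(iid) == 8
    return IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def split_address(addr):
    """Return (64-bit prefix bytes, 64-bit IID bytes) of an address."""
    raw = int(addr).to_bytes(16, "big")
    return raw[:8], raw[8:]

def lookup_asn(addr):
    """Longest-prefix match in prefix_as; None if the prefix is unknown."""
    for net in sorted(PREFIX_AS, key=lambda n: n.prefixlen, reverse=True):
        if addr in net:
            return PREFIX_AS[net]
    return None

def shared_key(asn_a, asn_b):
    return AS_KEY[tuple(sorted((asn_a, asn_b)))]

def _round(key, idx, half):
    return hmac.new(key, bytes([idx]) + half, hashlib.sha256).digest()[:4]

def encrypt_iid(key, iid):
    """4-round keyed Feistel permutation of the 64-bit IID (stand-in cipher)."""
    left, right = iid[:4], iid[4:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right

def decrypt_iid(key, iid):
    """Inverse of encrypt_iid: undo the rounds in reverse order."""
    left, right = iid[:4], iid[4:]
    for i in reversed(range(4)):
        left, right = bytes(a ^ b for a, b in zip(right, _round(key, i, left))), left
    return left + right

def source_border_router(local_asn, src, dst):
    """R_s: ASN_d from the destination prefix, key shared with ASN_d, encrypt the
    source IID and forward the result (the 'second data packet')."""
    key = shared_key(local_asn, lookup_asn(dst))
    prefix, iid = split_address(src)
    return IPv6Address(int.from_bytes(prefix + encrypt_iid(key, iid), "big")), dst

def destination_border_router(local_asn, src, dst):
    """R_d: ASN_s from the source prefix (second AS identifier), decrypt the IID
    with the key shared with ASN_s and compare the embedded ASN (first source AS
    identifier). Returns the restored packet, or None when it must be discarded."""
    asn_s = lookup_asn(src)
    if asn_s is None:
        return None  # unknown prefix: no key to verify against, discard
    prefix, enc_iid = split_address(src)
    plain = decrypt_iid(shared_key(asn_s, local_asn), enc_iid)
    embedded_asn = struct.unpack(">I", plain[:4])[0]
    if embedded_asn != asn_s:
        return None  # forged source address: discard
    return IPv6Address(int.from_bytes(prefix + plain, "big")), dst  # third packet

def demo():
    """One legitimate and one forged packet, both addressed to AS 64497."""
    dst = make_address("2001:db8:2:1::/64", make_iid(64497, 7, 1000))
    # Legitimate host in AS 64496 using an address its own AS allocated.
    good_src = make_address("2001:db8:1:1::/64", make_iid(64496, 0x1234, 1000))
    accepted = destination_border_router(64497, *source_border_router(64496, good_src, dst))
    # Host in AS 64498 forging a source address under AS 64496's prefix; its own
    # border router encrypts with the AS 64498 / AS 64497 key, so R_d decrypts
    # with the wrong key and the recovered ASN does not match 64496.
    bad_src = make_address("2001:db8:1:9::/64", make_iid(64496, 0x1234, 1000))
    rejected = destination_border_router(64497, *source_border_router(64498, bad_src, dst))
    return accepted, rejected
```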
In the embodiment of the application, each AS needs to establish a shared key with the other ASes, needs to be able to allocate ASN-embedded addresses to its hosts, and its border routers need to be upgraded to support encryption and decryption of the source address IID. In the embodiment of the application, an IPv6 address generation method that embeds the ASN is designed, and inter-domain source address verification is realized on that basis. Because the label to be verified is embedded in the source address, no extra bandwidth is occupied, the label cannot be discarded by forwarding routers, the problem of inter-domain source address forgery can be solved, and the existing network structure is not changed.
Based on the foregoing embodiments, the present application provides an apparatus for verifying an inter-domain source address, where each module included in the apparatus and each unit included in each module may be implemented by a processor in a computer device; of course, the implementation can also be realized through a specific logic circuit; in the implementation process, the processor may be a Central Processing Unit (CPU), a Microprocessor Unit (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or the like.
An inter-domain source address verifying device provided in an embodiment of the present application is shown in fig. 4, which is a schematic structural diagram of the inter-domain source address verifying device provided in the embodiment of the present application, and as shown in fig. 4, the inter-domain source address verifying device 400 includes:
a first determining module 401, configured to determine, when a first data packet sent by a host in a source AS is acquired, a first address prefix of a destination address of the first data packet, where a source address of the first data packet includes an interface identifier, and a first source AS identifier of the source AS is embedded in the interface identifier;
a second determining module 402, configured to determine, based on the first address prefix, a shared key between the source AS and a destination AS corresponding to the destination address;
an encrypting module 403, configured to encrypt the interface identifier based on the shared key to obtain a second data packet;
a first sending module 404, configured to send the second data packet to the destination address, so that a border router of the destination AS performs verification of the source address based on the second data packet.
In some embodiments, the second determining module 402 comprises:
a query unit, configured to query a first mapping table stored in advance based on the first address prefix, where the first mapping table includes a mapping relationship between the first address prefix and a destination AS identifier;
a first determining unit, configured to determine a destination AS identifier based on the first mapping table;
a second determining unit, configured to determine, based on the destination AS identifier, a shared key between the source AS and the destination AS.
In some embodiments, the second determining unit comprises:
the first query subunit is configured to query a second correspondence table stored in advance based on the destination AS identifier, where the second correspondence table includes a correspondence between the destination AS identifier and a shared key;
a first determining subunit, configured to determine, based on the second correspondence table, a shared key between the source AS and the destination AS.
In some embodiments, the apparatus 400 for verifying interdomain source address further comprises:
an obtaining module, configured to obtain the first corresponding relationship table and the second corresponding relationship table;
and the storage module is used for storing the first corresponding relation table and the second corresponding relation table.
In some embodiments, the apparatus 400 for verifying interdomain source address further comprises:
and an allocation module, configured to allocate the source AS identifier to the host in the source AS, so as to embed the source AS identifier of the source AS in the interface identifier of the source address in the first data packet generated by the host.
An embodiment of the present application further provides an apparatus for verifying an inter-domain source address, including:
a third determining module, configured to determine a second address prefix of the source address in the second data packet when the second data packet is acquired; the second data packet is obtained by encrypting an interface identifier of the source address by a boundary router in the source AS based on a shared secret key, and a first source AS identifier of the source AS is embedded in the interface identifier;
a fourth determining module, configured to determine the second AS identifier corresponding to the second address prefix;
a fifth determining module, configured to determine, based on the second AS identifier, a shared key between the source AS and the destination AS;
the decryption module is used for decrypting the encrypted interface identifier based on the shared secret key to obtain a first source AS identifier;
and the verification module is used for verifying the source address based on the first source AS identification and the second AS identification.
In some embodiments, the verification module comprises:
a comparison unit, configured to compare the first source AS identifier with the second AS identifier to obtain a comparison result;
a third determining unit, configured to determine whether the source address passes verification based on the comparison result.
In some embodiments, the third determining unit comprises:
a second determining subunit, configured to determine that the source address verification fails when the comparison result indicates that the first source AS identifier is not equal to the second AS identifier;
and the third determining subunit is configured to determine that the source address passes verification when the comparison result indicates that the first source AS identifier is equal to the second AS identifier.
In some embodiments, the means for verifying an interdomain source address further comprises:
a discarding module, configured to discard the second packet if it is determined that the source address verification fails;
and the second sending module is used for obtaining a third data packet based on the interface identifier and sending the third data packet to a destination address under the condition that the source address is determined to be verified.
It should be noted that, in the embodiment of the present application, if the above method for verifying an inter-domain source address is implemented in the form of a software function module, and is sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, or an optical disk. Thus, embodiments of the present application are not limited to any specific combination of hardware and software.
Accordingly, an embodiment of the present application provides a storage medium having a computer program stored thereon, where the computer program is executed by a processor to implement the steps in the method for verifying an inter-domain source address provided in the above-mentioned embodiment.
The embodiment of the application provides an electronic device, which may be a border router in a source Autonomous System (AS) or a border router in a destination AS; fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application, and as shown in fig. 5, the electronic device 500 includes: a processor 501, at least one communication bus 502, a user interface 503, at least one external communication interface 504, and a memory 505. The communication bus 502 is configured to enable connective communication between these components. The user interface 503 may include a display screen, and the external communication interface 504 may include a standard wired interface and a wireless interface, among others. The processor 501 is configured to execute a program of the inter-domain source address verification method stored in the memory to implement the steps in the inter-domain source address verification method provided in the above embodiments.
The above description of the electronic device and storage medium embodiments is similar to the description of the method embodiments above, with similar beneficial effects as the method embodiments. For technical details not disclosed in the embodiments of the electronic device and the storage medium of the present application, reference is made to the description of the embodiments of the method of the present application for understanding.
Here, it should be noted that: the above description of the storage medium and device embodiments is similar to the description of the method embodiments above, with similar advantageous effects as the method embodiments. For technical details not disclosed in the embodiments of the storage medium and apparatus of the present application, reference is made to the description of the embodiments of the method of the present application for understanding.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application. The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as a removable Memory device, a Read Only Memory (ROM), a magnetic disk, or an optical disk.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a controller to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a magnetic or optical disk, or other various media that can store program code.
The above description is only for the embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (12)

1. A verification method of source address between domains is applied to a border router in an AS (autonomous System), and is characterized by comprising the following steps:
under the condition of acquiring a first data packet sent by a host in a source AS, determining a first address prefix of a destination address of the first data packet, wherein a source address of the first data packet comprises an interface identifier, and a first source AS identifier of the source AS is embedded in the interface identifier;
querying a pre-stored first correspondence table based on the first address prefix, wherein the first correspondence table comprises the correspondence between the first address prefix and a destination AS identifier; determining the destination AS identifier based on the first correspondence table; determining a shared secret key between the source AS and the destination AS based on the destination AS identifier;
encrypting the interface identifier based on the shared secret key to obtain a second data packet;
and sending the second data packet to the destination address so that the boundary router of the destination AS carries out verification of the source address based on the second data packet.
2. The method of claim 1, wherein the determining the shared secret key between the source AS and the destination AS based on the destination AS identifier comprises:
querying a pre-stored second correspondence table based on the destination AS identifier, wherein the second correspondence table comprises the correspondence between the destination AS identifier and the shared secret key;
and determining the shared secret key between the source AS and the destination AS based on the second correspondence table.
3. The method for verifying inter-domain source addresses of claim 2, further comprising:
acquiring the first correspondence table and the second correspondence table;
and storing the first correspondence table and the second correspondence table.
4. The method for verifying interdomain source addresses of claim 1, further comprising:
and distributing the source AS identification for the host in the source AS, so that the source AS identification of the source AS is embedded in the interface identifier of the source address in the first data packet generated by the host.
5. A method for verifying an inter-domain source address, applied to a border router within a destination AS, comprising:
under the condition of acquiring a second data packet, determining a second address prefix of a source address in the second data packet; the second data packet is obtained by encrypting an interface identifier of the source address by a boundary router in a source AS based on a shared secret key, and a first source AS identifier of the source AS is embedded in the interface identifier;
determining a second AS identifier corresponding to the second address prefix;
determining a shared key between the source AS and the destination AS based on the second AS identity;
decrypting the encrypted interface identifier based on the shared secret key to obtain a first source AS identifier;
verifying the source address based on the first source AS identification and the second AS identification.
6. The method for verifying an inter-domain source address of claim 5, wherein the verifying the source address based on the first source AS identifier and the second AS identifier comprises:
comparing the first source AS identification with the second AS identification to obtain a comparison result;
determining whether the source address is verified based on the comparison result.
7. The method of claim 6, wherein the determining whether the source address is verified based on the comparison comprises:
determining that the source address verification fails when the comparison result indicates that the first source AS identifier is not equal to the second AS identifier;
and determining that the source address passes verification under the condition that the comparison result represents that the first source AS identification is equal to the second AS identification.
8. The method for verifying interdomain source addresses of claim 7, further comprising:
in the event that the source address verification is determined not to pass, discarding the second packet;
and under the condition that the source address is determined to pass the verification, obtaining a third data packet based on the interface identifier, and sending the third data packet to a destination address.
9. An apparatus for verifying an inter-domain source address, comprising:
a first determining module, configured to determine, when a first data packet sent by a host in a source AS is acquired, a first address prefix of a destination address of the first data packet, where a source address of the first data packet includes an interface identifier, and a first source AS identifier of the source AS is embedded in the interface identifier;
a second determining module, configured to query a pre-stored first correspondence table based on the first address prefix, where the first correspondence table includes the correspondence between the first address prefix and a destination AS identifier; determine the destination AS identifier based on the first correspondence table; and determine a shared secret key between the source AS and the destination AS based on the destination AS identifier;
an encryption module, configured to encrypt the interface identifier based on the shared secret key to obtain a second data packet;
and a first sending module, configured to send the second data packet to the destination address so as to enable the border router of the destination AS to verify the source address based on the second data packet.
10. An apparatus for validating an inter-domain source address, applied to a border router within a destination AS, comprising:
a third determining module, configured to determine a second address prefix of the source address in the second data packet when the second data packet is acquired; the second data packet is obtained by encrypting an interface identifier of the source address by a boundary router in a source AS based on a shared secret key, and a first source AS identifier of the source AS is embedded in the interface identifier;
a fourth determining module, configured to determine a second AS identifier corresponding to the second address prefix;
a fifth determining module, configured to determine, based on the second AS identifier, a shared key between the source AS and the destination AS;
the decryption module is used for decrypting the encrypted interface identifier based on the shared secret key to obtain a first source AS identifier;
and the verification module is used for verifying the source address based on the first source AS identification and the second AS identification.
11. An electronic device, comprising a memory and a processor, the memory having stored thereon a computer program which, when executed by the processor, performs the method for verifying an inter-domain source address according to any one of claims 1 to 8.
12. A storage medium storing a computer program executable by one or more processors for implementing the method for verifying an inter-domain source address according to any one of claims 1 to 8.
CN202011406286.5A 2020-12-02 2020-12-02 Method and device for verifying inter-domain source address, electronic equipment and storage medium Active CN112565253B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011406286.5A CN112565253B (en) 2020-12-02 2020-12-02 Method and device for verifying inter-domain source address, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112565253A CN112565253A (en) 2021-03-26
CN112565253B true CN112565253B (en) 2021-11-30

Family

ID=75048199

Country Status (1)

Country Link
CN (1) CN112565253B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant