CN112615851A - Boundary router combining multiple safety inspection mechanisms under CoLoR architecture - Google Patents


Info

Publication number: CN112615851A
Authority: CN (China)
Prior art keywords: pid, packet, data packet, domain, router
Legal status: Pending
Application number: CN202011484103.1A
Other languages: Chinese (zh)
Inventors: 王春风, 郑周, 王明辉, 卢静
Current Assignee: Yancheng Institute of Technology
Original Assignee: Yancheng Institute of Technology

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Separating internal from external traffic, e.g. firewalls > H04L 63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/1458 Denial of Service
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/50 Network services > H04L 67/56 Provisioning of proxy services > H04L 67/561 Adding application-functional data or data for application control, e.g. adding metadata

Abstract

The invention discloses a border router that combines multiple security check mechanisms under the CoLoR architecture. It separates intra-domain routing from inter-domain routing, assigns local path identifiers within a domain, identifies inter-domain paths by autonomous domain number, introduces a Path Identifier (PID) between domains, and implements packet encapsulation, decapsulation, forwarding and rapid convergence on route failure through the router kernel protocol stack. The functions of the border router fall into two parts: a control layer and a forwarding layer.

Description

Boundary router combining multiple safety inspection mechanisms under CoLoR architecture
Technical Field
The invention belongs to the field of network border routers, and in particular relates to a border router that combines multiple security check mechanisms under the CoLoR architecture.
Background
In recent years, with the rapid development of the Internet, network penetration has kept increasing, and data transmission between the autonomous domains of different networks cannot do without border routers. Traditional border routers have shortcomings in scalability, security and mobility, and patching them cannot meet growing network demands. A new type of network border router is therefore needed. The invention relates to a border router combining multiple security check mechanisms under the CoLoR architecture. The CoLoR architecture is better suited to heterogeneous networks and lets autonomous domains that use different protocols and routing mechanisms exchange data; PID verification is combined with TOKEN verification, and the cache structure of the border router is optimized, which improves the compatibility and functionality of the border router and better ensures network security and efficiency.
Existing border routers fall into three classes. The first is based on IP and state information: because IP technology is mature, such routers handle route scalability in IP networks well, and the packet state information (PIT) recorded in the routing system can effectively locate the path of a packet, so network security is basically guaranteed. The second is based on a Bloom filter architecture: every packet carries a hash-encrypted LinkID, and the LinkID hash is used to verify data validity and forwarding rationality. The third is a multi-path inter-domain routing mechanism based on path identification: packets are forwarded by path identifier (PID), routing re-converges when a link fails, different autonomous domains may use different routing systems and mechanisms, and the router supports both the original routing and multi-path, so it connects different networks well.
Disclosure of Invention
The technical problem to be solved: existing routers generally adopt the Pathlet Routing or FII architecture and, without additional protection facilities, remain vulnerable to DDoS attacks; existing routers use local path identifiers, autonomous domain numbers, inter-domain path identifiers and a kernel protocol stack to encapsulate, decapsulate and forward routed packets, so packets carry more additional header fields while the packet cache function is weak, and cache overflow sometimes occurs under packet overload, which reduces the forwarding success rate. To address these problems, the invention provides a border router combining multiple security check mechanisms under the CoLoR architecture. Its core idea is to separate intra-domain routing from inter-domain routing, assign local path identifiers within a domain, identify inter-domain paths by autonomous domain number, introduce a Path Identifier (PID) between domains, and implement packet encapsulation, decapsulation, forwarding and rapid convergence on route failure through the router kernel protocol stack. The functions of the border router fall into two parts: a control layer and a forwarding layer.
The technical scheme is as follows:
The border router adopts the CoLoR architecture and comprises a control plane and a data plane. The control plane is responsible for passwords, routing table entries, verification and cache management in the border router; the data plane is responsible for protocol conversion and for receiving and sending packets. A CoLoR packet enters the border router from a network port and is decapsulated according to the intra-domain protocol; its specific type is parsed and determined, and different packet types enter different processing flows. The method separates intra-domain routing from inter-domain routing, assigns local path identifiers within a domain, identifies inter-domain paths by autonomous domain number, introduces the path identifier PID between domains, and implements packet encapsulation, decapsulation, forwarding and rapid convergence on route failure through the router kernel protocol stack. The functions of the border router combining multiple security check mechanisms under the CoLoR architecture comprise a control layer and a forwarding layer.
Further, the control layer avoids loops by checking the AS_PATH attribute of the path vector protocol (BGP), and introduces a Path Identifier (PID) and a Next Path Identifier (NEXT_PID) to announce multiple paths. The PID is a hash value over all AS numbers traversed between the source AS and the destination AS.
Further, the forwarding layer is the network layer of the kernel protocol stack, and the transmitted packet header consists of a traditional packet header, a PID, an AS and a Local Identifier.
Further, when the border router combining multiple security check mechanisms under the CoLoR architecture receives a request packet (Get packet), it judges whether the packet comes from within the domain. For an intra-domain Get packet, it further judges whether a cache service applies; if so, the packet goes directly to the cache reading module. If the data is not cached, the PIDn in the CoLoR packet header is parsed, the destination IP and egress NIC are looked up by prefix, the IP header is modified and the packet is forwarded to the corresponding egress. For an out-of-domain Get packet, the Token is checked first and the packet is discarded if the Token is incorrect; otherwise the cache judgement and subsequent forwarding are performed.
Further, after receiving a Data packet, the border router combining multiple security check mechanisms under the CoLoR architecture first judges whether the Data comes from within the domain. For an intra-domain Data packet, the path identifier is looked up by the PIDs field, the destination IP and egress NIC are looked up by prefix, the IP header is modified and the Data packet is forwarded. For an out-of-domain Data packet, the validity of the PID is checked, and an illegal packet is discarded directly. For a legal Data packet, it is first judged whether caching is needed; if so, the packet enters the cache writing module, after which the signposts and mapping tables are queried and the packet is forwarded.
Further, after receiving a PID-IP Control packet, the border router combining multiple security check mechanisms under the CoLoR architecture first judges whether its MAC is correct; if correct, the prefix and time table are read and inserted, and then a confirmation message is sent to the RM.
Furthermore, the security mechanism combining PID checking and TOKEN verification in the border router is designed as follows. The border router adopts the CoLoR architecture, which is itself a routing system based on path identification. Before obtaining routing service, a user must send a packet containing the service SID and the NID to the routing resource manager of the local domain. For each inter-domain link a request packet traverses, a path identifier is generated and filled into the relevant field of the packet; with PID verification, the inter-domain path identifier is generated as PID = PX (n bits) + HASH (32-n bits). When the border router of a domain receives a packet sent from outside the domain into the domain, it performs PID verification on the path identifier, and a packet that fails PID verification is discarded.
Further, the design and working principle of the router control layer are as follows:
Step 1: AS80 calculates and generates its local routing information <80, HASH(80), HASH(80)>, establishes a neighbor relationship and then sends the routing information directly to the peer border router; AS150 does the same;
Step 2: AS80 and AS150 receive the announced routing information from autonomous domain AS220, update their neighbor relationship information, replace the received AS220 routing PID information with a NEXT_PID part, recalculate the routing information and transmit it to the peer border router;
step 3: when the AS80 and the AS150 receive the advertised routing information of the autonomous domain AS220 again, the AS80 and the AS150 know that two paths can exist through analysis, and simple multi-path information forwarding is realized.
Further, the operating steps of the router forwarding layer are:
Step 1: check the PID field in the packet header; if it is not empty, search for a matching PID field. If a PID field matches, forward the packet to the corresponding port according to the matched field information; if no PID field matches, forward the packet according to the flag bit information and the set destination AS number, and discard packets that lack this information;
Step 2: check the PID field in the packet header; if it is empty, fill it by matching the AS number. Then look up the kernel routing table of the border router by the PID field and forward the packet to the corresponding port according to the table entry;
Step 3: when the packet is forwarded to the next AS domain, the NEXT_PID information is filled into the PID field. Check whether the PID field equals the hash value of the Local AS; if it matches completely, the packet has reached the target AS, and the border router then forwards it using the Destination Local Identifier.
Further, the TOKEN verification mechanism of the border router applies to received GET packets and is implemented by hash encryption. First, a terminal sends a GET packet to the border router; after the router looks up the corresponding service SID, it generates a PID and a TOKEN, fills the relevant fields of the GET packet and forwards it. The key of the hash algorithm differs between the TOKEN verification mechanism and the PID verification mechanism. Because encryption and verification in the PID process are completed within the same domain, while encryption and verification in the TOKEN process are completed in different domains, the combination not only defends against DDoS attacks but also prevents a zombie host from masquerading as another client to send request packets.
Advantages:
1. Compared with the prior art, the invention adopts the CoLoR architecture, in which intra-domain routers and border routers are relatively separated, each autonomous domain can adopt different routing protocols, each inter-domain path is assigned a path group identification prefix PX, and inter-domain routing is performed according to this identification prefix. Before a user obtains a service, a request is sent to the resource manager of the local domain; during transmission, encrypted path identification information is filled in for each inter-domain link, and when a border router receives a packet sent from outside the domain into the domain, it verifies the encrypted path identifier and discards the packet if verification fails. This mechanism of encrypted path identifier authentication prevents attackers from learning path identifiers by exchanging packets with each other, which effectively reduces attack traffic and addresses distributed denial-of-service attacks.
2. The security verification mechanism of the border router combines PID verification and TOKEN verification: on the basis of the CoLoR architecture, basic DDoS attacks are defended by the PID verification mechanism, and TOKEN verification is then combined to prevent a zombie host from impersonating other clients to send GET packets, which would otherwise cause legitimate DATA packets to flood the impersonated clients. This improves security and the forwarding success rate.
3. An edge network cache server is arranged in the border router, so the router serves not only as the core component for forwarding packets but also provides a good cache function, which effectively avoids cache overflow caused by packet overload.
4. The invention adopts the CoLoR architecture: each autonomous domain can adopt different routing protocols, each inter-domain path is assigned a path group identification prefix PX, inter-domain routing is performed according to these identification prefixes, and a packet can carry encrypted path identification information across an inter-domain link.
5. On the basis of the CoLoR architecture, basic DDoS attacks are defended by the PID verification mechanism, and Token verification is then combined to prevent a zombie host from impersonating other clients to send GET packets, so network security and the forwarding success rate are improved.
6. An edge network cache server is arranged in the border router, so the router serves not only as the core component for forwarding packets but also provides a good cache function, which avoids cache overflow caused by packet overload.
7. The CoLoR architecture is better suited to heterogeneous networks and allows autonomous domains using different protocols and routing mechanisms to exchange data; PID verification and TOKEN verification are combined, and the cache structure of the border router is optimized, so the compatibility and functionality of the border router are improved and network security and efficiency are better guaranteed.
8. The CoLoR architecture has the advantages of strong scalability and compatibility with heterogeneous networks; DDoS attacks can be effectively defended through the PID verification mechanism, which improves network security.
Drawings
Fig. 1 is a topology diagram of a router control layer according to the present application.
Fig. 2 is a block diagram of a border router based on the CoLoR architecture according to the present application.
Fig. 3 is a flowchart illustrating a process of a request packet (Get packet) according to the present application.
Fig. 4 is a flow chart of the processing design of the Data packet (Data packet) of the present application.
Fig. 5 is a flowchart illustrating a process of the Control packet (Control packet) according to the present application.
Fig. 6 is a schematic diagram of a topology of the network of the present application.
Fig. 7 is a diagram illustrating the effect of the CoLoR architecture on the throughput of a border router according to the present application.
Fig. 8 is a test diagram of the anti-attack effect of the border router according to the present application.
Fig. 9 is a graph comparing the data message forwarding rate of the border router of the present application with that of a conventional border router based on path identification.
Fig. 10 is a graph comparing the transmission delay of data messages between the border router of the present application and a conventional border router based on path identification.
Detailed Description
The following examples illustrate specific steps of the present invention, but are not intended to limit the invention.
Terms used in the present invention generally have meanings commonly understood by those of ordinary skill in the art, unless otherwise specified.
The invention is described in further detail below with reference to specific examples and with reference to data. It will be understood that these examples are intended to illustrate the invention and are not intended to limit the scope of the invention in any way.
In the following examples, various procedures and methods not described in detail are conventional methods well known in the art.
The present invention can be better understood from the following examples and comparative examples. However, it is easily understood by those skilled in the art that the descriptions of the examples and the comparative examples are only for illustrating the present invention and should not be construed as limiting the present invention described in detail in the claims.
Example 1
A border router combining multiple security check mechanisms under the CoLoR architecture: the network border router adopts the CoLoR architecture and mainly comprises a control plane and a data plane, as shown in Fig. 2. The control plane is responsible for passwords, routing table entries, verification and cache management in the border router; the data plane is responsible for protocol conversion and for receiving and sending packets. A CoLoR packet enters the border router from a network port and is decapsulated according to the intra-domain protocol; its specific type is parsed and determined, and different packet types enter different processing flows. The method separates intra-domain routing from inter-domain routing, assigns local path identifiers within a domain, identifies inter-domain paths by autonomous domain number, introduces a Path Identifier (PID) between domains, and implements packet encapsulation, decapsulation, forwarding and rapid convergence on route failure through the router kernel protocol stack. The functions of the border router fall into two parts: a control layer and a forwarding layer.
As shown in Fig. 1, the design of the control layer: the control layer avoids loops by checking the AS_PATH attribute of the path vector protocol (BGP), and introduces a Path Identifier (PID) and a Next Path Identifier (NEXT_PID) to announce multiple paths; the PID is a hash value over all AS numbers traversed between the source AS and the destination AS. The design and working principle of the router control layer are as follows:
Step 1: AS80 calculates and generates its local routing information <80, HASH(80), HASH(80)>, establishes a neighbor relationship and then sends the routing information directly to the peer border router; AS150 does the same;
Step 2: AS80 and AS150 receive the announced routing information from autonomous domain AS220, update their neighbor relationship information, replace the received AS220 routing PID information with a NEXT_PID part, recalculate the routing information and transmit it to the peer border router;
step 3: when the AS80 and the AS150 receive the advertised routing information of the autonomous domain AS220 again, the AS80 and the AS150 know that two paths can exist through analysis, and simple multi-path information forwarding is realized.
The design of the forwarding layer: the forwarding layer function is concentrated in the network layer of the kernel protocol stack, and the transmitted packet header mainly consists of a traditional packet header, a PID, an AS and a Local Identifier. The working steps of the router forwarding layer are as follows:
Step 1: check the PID field in the packet header; if it is not empty, search for a matching PID field. If a PID field matches, forward the packet to the corresponding port according to the matched field information; if no PID field matches, forward the packet according to the flag bit information and the set destination AS number, and discard packets that lack this information;
Step 2: check the PID field in the packet header; if it is empty, fill it by matching the AS number. Then look up the kernel routing table of the border router by the PID field and forward the packet to the corresponding port according to the table entry;
Step 3: when the packet is forwarded to the next AS domain, the NEXT_PID information is filled into the PID field. Check whether the PID field equals the hash value of the Local AS; if it matches completely, the packet has reached the target AS, and the border router then forwards it using the Destination Local Identifier.
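The forwarding-layer steps above (given in both the Disclosure and Example 1) are a per-packet decision procedure: deliver locally when the PID equals HASH(Local AS), fill an empty PID from the destination AS, look the PID up in the kernel routing table, fall back to the flag bit and destination AS when nothing matches, and rewrite the PID with NEXT_PID on the way into the next AS. The Python below is an added example, not the patent's code; it assumes the same truncated SHA-256 PID hash as the control-layer example, a constructed forwarding table for AS80 with a direct route to AS220 and one via AS150, and models an empty PID field as None.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def pid_of(as_path):
    """Same assumed hash as the control layer: SHA-256 over the AS numbers, truncated to 32 bits."""
    data = ",".join(str(asn) for asn in as_path).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


@dataclass
class ColorHeader:
    dst_as: int                 # the AS part of the header: destination AS number
    dst_local_id: str           # Destination Local Identifier
    pid: Optional[int]          # PID field; None models an empty field
    dst_as_set: bool = False    # flag bit saying the destination AS field is filled in


@dataclass(frozen=True)
class FibEntry:
    port: str       # egress port
    next_pid: int   # NEXT_PID written into the PID field when the packet enters the next AS


class ForwardingLayer:
    def __init__(self, local_as, fib, as_to_pid, as_to_port):
        self.local_pid = pid_of((local_as,))  # HASH(Local AS): marks packets that have arrived
        self.fib = fib                        # kernel routing table: PID -> FibEntry
        self.as_to_pid = as_to_pid            # destination AS -> PID used to fill an empty PID field
        self.as_to_port = as_to_port          # fallback table: destination AS -> port

    def forward(self, hdr):
        """Return ("deliver", local_id), ("forward", port) or ("drop", reason); may rewrite hdr.pid."""
        # Step 3, destination check: PID == HASH(Local AS) means the packet is for this AS,
        # so it is handed on by Destination Local Identifier.
        if hdr.pid == self.local_pid:
            return ("deliver", hdr.dst_local_id)
        # Step 2: an empty PID field is filled by matching the destination AS number.
        if hdr.pid is None:
            hdr.pid = self.as_to_pid.get(hdr.dst_as)
            if hdr.pid is None:
                return ("drop", "empty PID and unknown destination AS")
        # Step 1: look the PID up in the kernel routing table.
        entry = self.fib.get(hdr.pid)
        if entry is None:
            # No matching PID: fall back to the flag bit and the set destination AS, else drop.
            if hdr.dst_as_set and hdr.dst_as in self.as_to_port:
                return ("forward", self.as_to_port[hdr.dst_as])
            return ("drop", "unmatched PID and no usable destination AS")
        # Step 3, rewrite: the packet leaves for the next AS carrying NEXT_PID in its PID field.
        hdr.pid = entry.next_pid
        return ("forward", entry.port)


def build_router_as80():
    """Border router of AS80 knowing AS220 directly and via AS150 (constructed sample tables)."""
    fib = {
        pid_of((220, 80)): FibEntry("eth1", pid_of((220,))),            # direct: next AS is AS220
        pid_of((220, 150, 80)): FibEntry("eth2", pid_of((220, 150))),   # via AS150
    }
    as_to_pid = {220: pid_of((220, 80))}        # PID chosen for an empty-PID packet to AS220
    as_to_port = {220: "eth1", 150: "eth2"}     # flag-bit fallback by destination AS
    return ForwardingLayer(80, fib, as_to_pid, as_to_port)
```

The order of checks (destination test first, then fill, then lookup) is this example's arrangement; the patent lists the steps but does not state in which order a single packet meets them. A packet that arrives at AS80 with the PID announced for the direct path leaves on eth1 carrying HASH(220), which is exactly the value the AS220 border router compares against its own local hash.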
As shown in Fig. 3, the processing design when a border router in the CoLoR architecture receives a request packet (Get packet): the border router judges whether the packet comes from within the domain. For an intra-domain Get packet, it further judges whether a cache service applies; if so, the packet goes directly to the cache reading module. If the data is not cached, the PIDn in the CoLoR packet header is parsed, the destination IP and egress NIC are looked up by prefix, the IP header is modified and the packet is forwarded to the corresponding egress. For an out-of-domain Get packet, the Token is checked first and the packet is discarded if the Token is incorrect; otherwise the cache judgement and subsequent forwarding are performed.
As shown in Fig. 4, the processing design when a border router in the CoLoR architecture receives a Data packet: after receiving a Data packet, the border router judges whether the Data comes from within the domain. For an intra-domain Data packet, the path identifier is looked up by the PIDs field, the destination IP and egress NIC are looked up by prefix, the IP header is modified and the Data packet is forwarded. For an out-of-domain Data packet, the validity of the PID is checked, and an illegal packet is discarded directly. For a legal Data packet, it is first judged whether caching is needed; if so, the packet enters the cache writing module, after which the signposts, mapping tables and the like are queried and the packet is forwarded.
As shown in Fig. 5, the processing design when a border router in the CoLoR architecture receives a PID-IP Control packet: after receiving a PID-IP Control packet, the border router judges whether the MAC is correct; if correct, the prefix and time table are read and inserted, and then a confirmation message is sent to the RM.
Design of the security mechanism combining PID verification and TOKEN verification in the CoLoR architecture: the border router adopts the CoLoR architecture, which is itself a routing system based on path identification. Before obtaining routing service, a user must send a packet containing the service SID and the NID to the routing resource manager of the local domain. For each inter-domain link a request packet traverses, a path identifier is generated and filled into the relevant field of the packet; with PID verification, the inter-domain path identifier is generated as PID = PX (n bits) + HASH (32-n bits). When the border router of a domain receives a packet sent from outside the domain into the domain, it performs PID verification on the path identifier, and a packet that fails PID verification is discarded.
The TOKEN verification mechanism of the border router mainly applies to received GET packets; like the PID checking mechanism for Data packets, it is implemented by hash encryption. First, a terminal sends a GET packet to the border router; after the router looks up the corresponding service SID, it generates a PID and a TOKEN, fills the relevant fields of the GET packet and forwards it. The TOKEN mechanism resembles the PID verification mechanism, but the key of the hash algorithm is slightly different; the hashed content is defined as follows:
typedef struct {
    uint8_t  nid[16];   /* node identifier (NID) of the requesting terminal */
    uint8_t  sid[20];   /* service identifier (SID) being requested */
    uint32_t shk;       /* shk: key material mixed into the hash (meaning assumed; the text does not expand the name) */
    uint32_t px;        /* path group identification prefix PX */
    uint32_t padding;   /* alignment padding */
} token_hash_content_t;
Because encryption and verification in the PID process are completed within the same domain, while encryption and verification in the TOKEN process are completed in different domains, the combination not only defends against DDoS attacks but also prevents a zombie host from masquerading as another client to send request packets.
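The PID layout PID = PX (n bits) + HASH (32-n bits), the token_hash_content_t structure and the Get/Data packet checks described above can be exercised end to end. The Python below is an added example, not the patent's implementation: it assumes n = 8 prefix bits, SHA-256 truncated to the required width as the hash, a per-domain secret as the key of the PID hash (since PID generation and verification happen in one domain), the shk field as the key material shared with the remote domain for the TOKEN, big-endian packing of the structure, and constructed NID, SID and prefix values.

```python
import hashlib
import struct
from dataclasses import dataclass

PX_BITS = 8                       # n: width of the PX prefix in the 32-bit PID (assumed value)
HASH_BITS = 32 - PX_BITS          # width of the HASH part


def truncated_hash(data: bytes, bits: int) -> int:
    """Assumed hash function: SHA-256 truncated to the requested number of bits."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") & ((1 << bits) - 1)


def make_pid(px: int, as_path, domain_key: bytes) -> int:
    """PID = PX (n bits) || HASH (32-n bits), keyed with the verifying domain's own secret."""
    content = domain_key + ",".join(str(a) for a in as_path).encode()
    return (px << HASH_BITS) | truncated_hash(content, HASH_BITS)


def verify_pid(pid: int, as_path, domain_key: bytes) -> bool:
    """PID verification at the border router: recompute from the PX carried in the PID."""
    px = pid >> HASH_BITS
    return make_pid(px, as_path, domain_key) == pid


def make_token(nid: bytes, sid: bytes, shk: int, px: int) -> int:
    """TOKEN over token_hash_content_t (nid[16], sid[20], shk, px, padding), big-endian."""
    content = struct.pack(">16s20sIII", nid, sid, shk, px, 0)
    return truncated_hash(content, 32)


@dataclass
class GetPacket:
    nid: bytes
    sid: bytes
    pid: int
    token: int


def border_router_accepts_get(pkt: GetPacket, as_path, domain_key: bytes, shk: int) -> bool:
    """Out-of-domain GET: PID check with the local domain key, then TOKEN check with shk."""
    if not verify_pid(pkt.pid, as_path, domain_key):
        return False
    px = pkt.pid >> HASH_BITS
    return make_token(pkt.nid, pkt.sid, shk, px) == pkt.token


def demo():
    # Constructed sample values; none of them come from the patent.
    domain_key = b"domain-A-pid-key"       # known only inside the verifying domain
    shk = 0x5A5A0001                        # shared between the requesting and serving domains
    as_path = (80, 220)
    px = 0x2C
    nid = b"client-node-0001"               # 16 bytes
    sid = b"video-service-000000"           # 20 bytes
    pid = make_pid(px, as_path, domain_key)
    legit = GetPacket(nid, sid, pid, make_token(nid, sid, shk, px))
    # A zombie host replaying the observed PID and TOKEN under its own NID: the TOKEN is
    # bound to the NID, so the border router rejects it without needing to know the host.
    replayed = GetPacket(b"zombie-node-0001", sid, pid, legit.token)
    # A PID altered by one bit fails the PID check before the TOKEN is even considered.
    bad_pid = GetPacket(nid, sid, pid ^ 1, legit.token)
    return {
        "legit": border_router_accepts_get(legit, as_path, domain_key, shk),
        "replayed_token": border_router_accepts_get(replayed, as_path, domain_key, shk),
        "bad_pid": border_router_accepts_get(bad_pid, as_path, domain_key, shk),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks use different key material on purpose, mirroring the text: the PID hash is keyed with a secret that never leaves the verifying domain, while the TOKEN is keyed with shk, which the requesting domain must also hold. A border router that only verified the PID would accept the replayed GET, which is the gap the combined mechanism closes.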
Example 2:
The experimental scheme of the invention: a border router is developed based on the Click software, a prototype system is built, and performance tests are then carried out. The topology of the test network is shown in Fig. 6:
the network topology comprises four network subdomains which are respectively as follows: the system comprises a Network1, a Network2, a Network3 and a Network4, wherein each sub-domain Network is provided with a resource service manager and a boundary router. The Network2 is a test core, and because a clor architecture is adopted, each sub-domain Network can adopt different Network protocols, such as ipv4, MPLS, ivp6 and the like. The R5 border router in the Network2 is used as a test object. The device parameters of the border router are: cpu (intel core i7-4910k, quad-core eight-thread, 8.0GHz), memory (64G), hard disk (capacity is 2T), network card (intel bandwidth 10G), and system (ubuntu).
1. The network throughput test of the border router is shown in Fig. 7. The test shows whether the border router adopting the CoLoR architecture is well compatible with communication between subnets that use different protocols.
The square-marked line represents the maximum throughput of the border router using the path identification mechanism of the CoLoR architecture, and the triangle-marked line the maximum throughput of a border router using a common path identification mechanism. When packets are smaller than 3KB, the throughput of the CoLoR path-identification border router is slightly lower; when packets are larger than 3KB, the two curves essentially coincide and grow increasingly close. The throughput of the CoLoR path-identification border router of the invention is therefore normal.
2. Anti-attack test of the border router. On the basis of the CoLoR architecture, the invention first defends basic DDoS attacks through the PID verification mechanism, then combines Token verification to prevent a zombie host from imitating other clients to send GET packets, improving network security and the forwarding success rate. Fig. 8 shows a simulated packet attack test.
The round dot marked line represents the situation that a path identification router using a PID verification mechanism alone resists attack, the router switches the state every 21s, and the attack source can obtain the PID through about 6 s. The triangle mark line represents the situation that the path identification router combined by PID and Token check mechanism is used for defending the attack, and the number of attack packets is almost 0. It can be seen that, by using PID verification alone, although the attack can be resisted to a certain extent through the dynamic change of PID, the attack source still can easily obtain PID through mutual learning, thereby implementing the attack. In contrast, the path identification router using the combination of the PID and Token checking mechanism can protect against network attacks more effectively.
Experiment:
The experimental analysis tests the reachability of data messages between nodes by sending ping messages to a given node from a Linux host under the same network topology (differing only in the border router), in order to verify the forwarding and transmission delay performance of the border routers. Fig. 9 compares the border router of the present invention with a conventional path-identification border router in terms of data packet forwarding rate.
Fig. 10 compares the border router of the present invention with a conventional path-identification border router in terms of data packet transmission delay.
The data message forwarding rate is the ratio of the number of echo messages received by the host to the number of ping messages sent, and the data message transmission delay is the time difference between a message sent by the host and the received echo message. The diamond lines in the figures show the data packet forwarding rate (data packet transmission delay) in the topology where the border router combining multiple security check mechanisms under the CoLoR architecture is deployed, and the square lines show the forwarding rate (transmission delay) in the topology where the conventional path-identifier border router is deployed. The graphs show that the router of the invention has a better data forwarding success rate and a smaller data message transmission delay.
The above description is only a preferred embodiment of the present invention, and the scope of the present invention is not limited thereto, and any simple modifications or equivalent substitutions of the technical solutions that can be obviously obtained by those skilled in the art within the technical scope of the present invention are within the scope of the present invention.

Claims (10)

  1. A border router combining multiple security inspection mechanisms under a CoLoR architecture, characterized in that: the border router adopts the CoLoR architecture and comprises a control plane part and a data plane part; the control plane part is responsible for passwords, routing table entries, verification and cache management in the border router, and the data plane part is responsible for protocol conversion and the receiving and sending of data packets; a CoLoR data packet enters the border router from a network port and is decapsulated according to the intra-domain protocol; the specific type of the CoLoR data packet is analyzed and judged, and different types of data packets enter different processing flows; routing within a network domain is separated from routing between domains, a local path identifier is distributed within the domain, the autonomous domain number is used for path identification between domains, the inter-domain path identifier PID is introduced, and data packet encapsulation, decapsulation, forwarding and rapid convergence upon routing failure are realized through the router kernel protocol stack; the functions of the border router combining multiple security check mechanisms under the CoLoR architecture comprise a control layer and a forwarding layer.
  2. The border router combining multiple security check mechanisms under the CoLoR architecture according to claim 1, wherein: the control layer avoids forming a loop by checking the AS_PATH attribute of the path vector protocol (BGP), and introduces a path identifier (PID) and a next path identifier (NEXT_PID) to announce multiple paths; the PID identifier is a hash value of all AS numbers traversed between the source AS and the destination AS.
  3. The border router combining multiple security check mechanisms under the CoLoR architecture according to claim 1, wherein: the forwarding layer is the network layer of the kernel protocol stack, and the transmitted data packet header consists of a traditional data packet header, a PID, an AS and a Local Identifier.
  4. The border router combining multiple security check mechanisms under the CoLoR architecture according to claim 1, wherein: when the border router combining multiple security inspection mechanisms under the CoLoR architecture receives a request packet (Get packet), it judges whether the packet comes from its own domain; for an intra-domain request packet (Get packet), it further judges whether the content is cached, and if so the packet directly enters the cache reading module; if not cached, the PIDn in the CoLoR packet header is parsed, the destination IP and the egress NIC are looked up according to the prefix, the IP packet header is modified and the packet is forwarded to the corresponding egress; for a request packet (Get packet) from outside the domain, it is first judged whether the Token is correct, and if not the packet is discarded; otherwise the cache judgment and subsequent forwarding processing are performed.
  5. The border router combining multiple security check mechanisms under the CoLoR architecture according to claim 1, wherein: after receiving a Data packet, the border router combining multiple security inspection mechanisms under the CoLoR architecture first judges whether the data comes from its own domain; for an intra-domain Data packet, it queries the path identifier according to the PIDs field, queries the destination IP and the egress NIC according to the prefix, modifies the IP packet header and finally forwards the Data packet; for an out-of-domain Data packet, it judges the validity of the PID and directly discards the packet if the PID is illegal; for a legal Data packet, it first judges whether caching is needed, and if so the packet enters the cache writing module; then the subsequent processing of querying the signposts and the mapping tables, and forwarding, is performed.
  6. The border router combining multiple security check mechanisms under the CoLoR architecture according to claim 1, wherein: after receiving a PID-IP Control packet, the border router combining multiple security inspection mechanisms under the CoLoR architecture judges whether the MAC is correct; if so, the prefix and the time table are read and inserted, and confirmation information is then sent to the RM.
  7. The border router combining multiple security check mechanisms under the CoLoR architecture according to claim 1, wherein: the security mechanism combining PID (path identifier) checking and TOKEN (token authentication) in the border router combining multiple security inspection mechanisms under the CoLoR architecture is designed as follows: the border router adopts the CoLoR architecture, which is also a routing system based on path identification; before obtaining routing service, a user must send a data packet to the routing resource manager of the local domain, the data packet containing the service SID and the NID; for each packet requesting to pass through an inter-domain link, a path identifier is generated and filled into the relevant field of the packet, and the inter-domain path identifier PID used for PID verification is generated as PID = PX(n bits) + HASH(32-n bits); when the border router of each domain receives a data packet sent to the domain from outside the domain, PID verification is performed on the path identifier, and a data packet that fails PID verification is discarded.
  8. The border router combining multiple security check mechanisms under the CoLoR architecture according to claim 2, wherein: the design and working principle of the router control layer are as follows:
    step 1: AS80 calculates and generates local routing information <80, HASH(80), HASH(80)>, establishes a neighbor relationship and then sends the routing information directly to the peer border router; AS150 performs the same processing;
    step 2: AS80 and AS150 receive the announced routing information from autonomous domain AS220, update the neighbor relationship information, replace the PID information of the received AS220 route with the NEXT_PID part, recalculate the routing information and transmit it to the peer border router;
    step 3: when AS80 and AS150 receive the advertised routing information of autonomous domain AS220 again, they learn through analysis that two paths exist, realizing simple multi-path information forwarding.
  9. The border router combining multiple security check mechanisms under the CoLoR architecture according to claim 3, wherein: the working steps of the router forwarding layer are as follows:
    step 1: check the PID field in the data packet header; if it is present, search for a matching PID entry, and if one matches, forward the data packet to the corresponding port according to the matched entry; if no PID entry matches, forward the data packet according to the flag bit information and the set destination AS number, and discard a data packet without that information;
    step 2: check the PID field in the data packet header, and if it is empty, fill it by matching the AS number; then look up the kernel routing table of the border router according to the PID field, and forward the data packet to the corresponding port according to the table entry;
    step 3: when the data packet is forwarded to the next AS domain, the NEXT_PID information is filled into the PID field; the router analyzes whether the PID field is the hash value of the local AS, and if it matches completely, the data packet has reached the target AS, and the border router then forwards it using the Destination Local Identifier.
  10. The border router combining multiple security check mechanisms under the CoLoR architecture according to claim 7, wherein: the TOKEN verification mechanism of the border router targets received GET packets and is realized by hash encryption; first, a terminal sends a GET packet to the border router; after the router queries the corresponding service SID, it generates a PID and a TOKEN, fills the relevant fields of the GET packet and forwards it; the key of the hash algorithm differs between the TOKEN verification mechanism and the PID verification mechanism; because the encryption and verification of the PID verification process are completed within the same domain, while the encryption and verification of the TOKEN verification process are completed in different domains, the combination can not only defend against DDoS attacks but also prevent a zombie host from masquerading as another client to send request packets.
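As an added illustration of the control-layer steps in claim 8 and the forwarding-layer steps in claim 9 (example code written for this page, not the patent's own implementation), the following Python models the <AS, PID, NEXT_PID> announcements exchanged by AS80, AS150 and AS220 and a border router's PID-based forwarding. The hash function, the route-entry layout and the exact update rule are assumptions where the claims leave them open.

```python
import hashlib
from dataclasses import dataclass, field


def pid_hash(*as_numbers: int) -> str:
    """PID = hash over the AS numbers on the path (claim 2). SHA-256 truncated to
    32 bits is an assumption; the patent does not name the hash function."""
    return hashlib.sha256(",".join(map(str, as_numbers)).encode()).hexdigest()[:8]


@dataclass
class Route:
    dest_as: int
    path: tuple      # AS numbers from this router up to and including dest_as
    pid: str         # hash of `path`: the value a packet must carry to use this route
    next_pid: str    # the PID the peer announced, i.e. the PID of the remaining path
    port: str


@dataclass
class BorderRouter:
    local_as: int
    routes: dict = field(default_factory=dict)   # pid -> Route

    def local_announce(self):
        """Step 1: <AS, HASH(AS), HASH(AS)> for the router's own domain."""
        return (self.local_as, pid_hash(self.local_as), (self.local_as,))

    def receive_announce(self, announce, port):
        """Step 2: prepend the local AS to the peer's path, recompute the PID and
        keep the peer's PID as NEXT_PID. Returns what this router announces onward."""
        dest_as, peer_pid, peer_path = announce
        path = (self.local_as,) + peer_path
        r = Route(dest_as, path, pid_hash(*path), peer_pid, port)
        self.routes[r.pid] = r          # a second path to dest_as gets its own entry (step 3)
        return (dest_as, r.pid, path)

    def paths_to(self, dest_as):
        return [r.path for r in self.routes.values() if r.dest_as == dest_as]

    def forward(self, packet):
        """Forwarding layer (claim 9). packet = {'pid', 'dest_as', 'local_id'};
        returns ('deliver', local_id), ('forward', port) or ('drop', None)."""
        pid = packet.get("pid")
        if pid == pid_hash(self.local_as):          # step 3: this is the target AS
            return ("deliver", packet["local_id"])
        route = self.routes.get(pid) if pid else None
        if route is None:                           # steps 1-2: no/empty PID, match by AS
            cands = [r for r in self.routes.values() if r.dest_as == packet.get("dest_as")]
            if not cands:
                return ("drop", None)               # no PID and no usable destination AS
            route = cands[0]
        packet["pid"] = route.next_pid              # step 3: NEXT_PID becomes the next hop's PID
        return ("forward", route.port)
```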
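As an added example for the PID verification of claim 7 and the TOKEN verification of claim 10 (written for this page, not the patent's code), the following Python builds a 32-bit PID as prefix bits plus a keyed hash, a TOKEN bound to the SID and NID under a different key, and the ingress decision of claims 4 and 5 for out-of-domain GET and Data packets. HMAC-SHA256, n = 12 prefix bits, the epoch-based rotation and the packet field names are assumptions; the 21 s period comes from the patent's attack test.

```python
import hashlib
import hmac
import struct

PREFIX_BITS = 12               # n in PID = PX(n bits) + HASH(32-n bits); n = 12 is assumed
HASH_BITS = 32 - PREFIX_BITS
PID_PERIOD_S = 21              # the PID switches state every 21 s in the patent's test


def _keyed32(key: bytes, *fields: bytes) -> bytes:
    """4-byte keyed digest. HMAC-SHA256 truncated to 32 bits is an assumption; the
    patent only says PID and TOKEN use a hash algorithm with different keys."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()[:4]


def pid_epoch(now_s: float) -> int:
    """Rotation counter: a new PID value every PID_PERIOD_S seconds (assumed scheme)."""
    return int(now_s) // PID_PERIOD_S


def make_pid(prefix: int, pid_key: bytes, epoch: int) -> int:
    """Inter-domain PID = prefix (n bits) + keyed hash (32-n bits) over the prefix
    and the current epoch, so the value rotates while the prefix stays readable."""
    h = int.from_bytes(_keyed32(pid_key, struct.pack(">H", prefix), struct.pack(">I", epoch)), "big")
    return (prefix << HASH_BITS) | (h & ((1 << HASH_BITS) - 1))


def verify_pid(pid: int, pid_key: bytes, epoch: int) -> bool:
    """Recompute from the embedded prefix; generation and check share the domain key,
    which is why PID encryption and verification stay inside one domain (claim 10)."""
    prefix = pid >> HASH_BITS
    return make_pid(prefix, pid_key, epoch) == pid


def make_token(sid: bytes, nid: bytes, token_key: bytes) -> bytes:
    """TOKEN binds the requested service SID to the requesting NID (claim 10), so a
    GET replayed under another NID fails the check in the next domain."""
    return _keyed32(token_key, sid, nid)


def ingress_check(packet: dict, pid_key: bytes, token_key: bytes, epoch: int) -> str:
    """Border-router decision (claims 4 and 5): intra-domain packets skip both checks;
    an out-of-domain GET needs a valid TOKEN, an out-of-domain Data packet a valid PID.
    Returns 'accept' or 'drop'; cache handling after acceptance is omitted here."""
    if packet["from_domain"]:
        return "accept"
    if packet["type"] == "GET":
        expected = make_token(packet["sid"], packet["nid"], token_key)
        return "accept" if hmac.compare_digest(packet["token"], expected) else "drop"
    if packet["type"] == "DATA":
        return "accept" if verify_pid(packet["pid"], pid_key, epoch) else "drop"
    return "drop"                                   # unknown packet type from outside
```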
CN202011484103.1A 2020-12-16 2020-12-16 Boundary router combining multiple safety inspection mechanisms under CoLoR architecture Pending CN112615851A (en)
Publications (1)

Publication Number Publication Date
CN112615851A true CN112615851A (en) 2021-04-06
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination