CN115086105A - Message transmission method and device - Google Patents

Publication number
CN115086105A
Authority
CN
China
Prior art keywords
global identifier
network
data packet
network device
packet
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110553974.2A
Other languages
Chinese (zh)
Inventor
胡志波
杨平安
韩涛
董杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to PCT/CN2022/077226 (WO2022183927A1)
Priority to EP22762393.1A (EP4290812A1)
Publication of CN115086105A
Priority to US18/459,163 (US20230421499A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the application provide a message transmission method and device in which a global identifier is added to a packet according to the port that transmits the packet, so that other network devices can check the packet against the global identifier and the port that transmits it. A logically independent private network is thereby established without building a VPN routing table, which reduces the burden on network devices. The message transmission method comprises the following steps: a first network device receives a first data packet; the first network device updates the first data packet to obtain a second data packet, where the second data packet includes a global identifier; and the first network device sends the second data packet to a second network device, where the global identifier is used by the second network device to check the second data packet according to a correspondence, and the correspondence is the correspondence between the global identifier and the egress port through which the second network device transmits the second data packet.

Description

Message transmission method and device
The present application claims priority to the Chinese patent application entitled "a method, apparatus and system for implementing VPN", filed with the national intellectual property office on 3/2/2021 under application number 202110229661.1, the entire contents of which are incorporated herein by reference.
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for transmitting a packet.
Background
Virtual Private Network (VPN) technology is commonly used to establish a private communication network within a public network. Data transmitted in such a private communication network is logically isolated from other data transmitted in the public network. Specific data can therefore be accessed only through the private communication network, which guarantees data security.
In order to establish a private communication network in a public network, a VPN routing table may be generally deployed on a Provider Edge (PE) device, where the VPN routing table includes a correspondence between an Internet Protocol (IP) address of one or more Customer Edge (CE) devices and an egress port of the PE device, and is independent from a public network routing table. Thus, when receiving a message with a VPN identifier, the PE device may determine, according to the VPN identifier in the message, that the message needs to be transmitted through a VPN, thereby determining, according to a destination address of the message, an egress port from the VPN routing table, and sending the message through the egress port. Therefore, the isolation of the VPN flow and the public network flow is realized by arranging the relatively independent public network routing table and the VPN routing table.
In order to establish the VPN routing table, usually, the PE device records identifiers of multiple CE devices connected to the PE device, and sends the identifiers to other PE devices through a network Protocol such as Border Gateway Protocol (BGP), so that the other PE devices know IP addresses of the CE devices, and then establish the VPN routing table. Thus, when the number of CE devices is large, the amount of data that the PE device needs to learn is large, and the performance requirement on the PE device is high.
Disclosure of Invention
The embodiments of the application provide a message transmission method and device in which a global identifier is added to a packet according to the port that transmits the packet, so that other network devices can check the packet against the global identifier and the port that transmits it. A logically independent private network is thereby established without building a VPN routing table, which reduces the burden on network devices.
In a first aspect, an embodiment of the present application provides a message transmission method, where the method may be applied to a first network device in a network system, and the first network device may be a Customer-premise Equipment (CPE) or a PE device. After the first network device receives the first data packet, the first data packet may be updated according to the global identifier, so as to obtain a second data packet including the global identifier, and send the second data packet to the second network device. The global identifier is an identifier of a private network in the network system, and is used for the second network device to check the second data message according to a corresponding relationship, where the corresponding relationship is a corresponding relationship between the global identifier and an output port of the second network device for transmitting the second data message. That is, the first network device may add the global identifier in the first data packet transmitted through the private network, so that the second network device can check the second data packet according to the egress port transmitting the second data packet after receiving the second data packet. Thus, the establishment of the corresponding relationship between the network port and the global identifier is equivalent to binding the network port to the private network corresponding to the global identifier, so that other messages in the public network cannot be transmitted through the network ports bound to the private network. Therefore, under the condition of not establishing a VPN routing table, the isolation of the target network flow and the public network flow is realized, which is equivalent to that a logically independent target network is established in the public network. 
According to the method provided by the embodiment of the application, the VPN routing table does not need to be established, and the PE equipment does not need to inform other PE equipment in the VPN of the IP address of the CE equipment connected with the PE equipment, so that the burden of network equipment is reduced.
Before the first network device updates the first data packet, the first network device may determine the global identifier first, which may specifically include the following three implementation manners.
In a first possible implementation, the first network device is a PE device, and then the first network device may determine the global identifier according to an ingress port that receives the first data packet. Specifically, the PE device may pre-store a correspondence between the ingress port and the global identifier, where the packet received by the ingress port recorded in the correspondence is a packet transmitted through a private network. Thus, after receiving the first data packet, if the ingress port receiving the first data packet is the ingress port recorded in the corresponding relationship, the PE device may determine the global identifier corresponding to the ingress port according to the corresponding relationship, so as to update the first data packet according to the global identifier, and obtain the second data packet.
When the first network device is a PE device, the first network device may determine an egress port that transmits the second data packet before transmitting the second data packet. In particular, the first network device may determine a destination address from the first data packet, where the destination address indicates a location of the destination device of the first data packet in the network system. After determining the destination address of the first data packet, the PE device may look up an egress port corresponding to the destination address from the public network routing table, so as to send the second data packet through the egress port. Therefore, in the message transmission method provided by the embodiment of the application, the message can be transmitted through the private network only by the public network routing table without establishing the VPN routing table.
In a second possible implementation, the first network device is a CPE device, and the first network device may determine the global identifier according to the egress port that sends the second data packet. Specifically, the CPE may pre-store a correspondence between the egress port and the global identifier, where the packets sent from an egress port recorded in the correspondence are packets transmitted through the private network. The CPE can therefore determine the egress port for sending the second data packet according to the destination address of the first data packet and the public network routing table, determine the global identifier corresponding to that egress port according to the correspondence, and update the first data packet according to the global identifier to obtain the second data packet.
In a third possible implementation, the first network device is a CPE device, and the first network device may determine the global identifier according to a packet feature of the first data packet. The packet feature may be, for example, feature information such as a destination address or a quintuple. Specifically, the first network device may store a correspondence between the packet feature and the global identifier in advance. After receiving the first data packet, the first network device may determine whether the packet features of the first data packet match the packet features recorded in the correspondence. If they match, the first network device can determine a global identifier according to the correspondence and the packet features, and then update the first data packet according to the global identifier to obtain the second data packet.
In some possible implementations, the global identifier may be configured for the first network device by the control device, and the first network device may receive the global identifier sent by the control device. For example, a technician may configure a private network on the control device, and the control device may establish a correspondence between the network port and the global identifier according to the private network set by the user, and send the correspondence to the network device, so that the network device adds the global identifier to the packet according to the correspondence, or verifies the packet according to the global identifier.
In some possible implementations, when the first Network device is a CPE, the control device that sends the global identification to the first Network device may include a Software-defined Wide-Area Network (SD-WAN) controller.
In some possible implementations, the second data packet is an Internet Protocol Version 6 (IPv6) packet, and the global identifier may be carried in a flow label (Flow Label) field and/or a destination address (Destination Address) field of a basic header of the second data packet.
In some possible implementations, the second data packet is an IPv6 packet, and the global identifier may be carried in a Destination Options Header (DOH) and/or a Hop-by-Hop Options Header (HBH) of the second data packet.
In some possible implementations, the second data packet is a Multi-Protocol Label Switching (MPLS) packet, and the global identifier may be carried in an MPLS label field and/or an entropy label (Entropy Label) field of a basic header of the second data packet.
In some possible implementations, the global identification includes one or more of: slice identifier (Slice ID), Virtual Network Identifier (VNID), and preset identifier.
In some possible implementations, the first network device and the second network device belong to an Overlay network system.
In a second aspect, an embodiment of the present application provides a message transmission method, where the method may be applied to a second network device in a system, where the second network device is connected to a first network device, and may be a CPE or a PE device. The second network device may first receive a second data packet of the first network device, where the second data packet includes the first global identifier added by the first network device. After receiving the second data packet, the second network device may determine, according to a correspondence between an egress port that forwards the second data packet and the second global identifier, the second global identifier corresponding to the egress port that forwards the second data packet. After obtaining the second global identity, the second network device may compare whether the first global identity matches the second global identity. If the first global identifier is not matched with the second global identifier, the second data message is not allowed to be forwarded through an output port corresponding to the second global identifier; and if the first global identifier is matched with the second global identifier, the second data message is allowed to be forwarded through the output port corresponding to the second global identifier. The second network device may forward the second data packet according to the egress port. Thus, the establishment of the corresponding relationship between the network port and the global identifier is equivalent to binding the network port to the private network corresponding to the global identifier, so that other messages in the public network cannot be transmitted through the network ports bound to the private network. 
Therefore, under the condition of not establishing a VPN routing table, the isolation of the target network flow and the public network flow is realized, which is equivalent to that a logically independent target network is established in the public network. According to the method provided by the embodiment of the application, the VPN routing table does not need to be established, and the PE equipment does not need to inform other PE equipment in the VPN of the IP address of the CE equipment connected with the PE equipment, so that the burden of network equipment is reduced.
In some possible implementations, the second network device may determine, before checking the second data packet, an egress port that forwards the second data packet, so as to determine, according to the correspondence, a second global identifier corresponding to the egress port. Specifically, the second network device may search, according to the destination address of the second data packet, an egress port corresponding to the destination address from the routing table of the public network, and determine, according to the correspondence, a second global identifier corresponding to the egress port.
In some possible implementations, the second network device may also check the second data packet according to the ingress port that receives it. Specifically, the second network device may store in advance a correspondence between the ingress port and the global identifier. After receiving the second data packet through the ingress port, the second network device may determine, according to the correspondence, a third global identifier corresponding to the ingress port that receives the second data packet, and check the second data packet by determining whether the third global identifier matches the first global identifier. If the third global identifier matches the first global identifier, the second network device is allowed to receive the second data packet through the ingress port corresponding to the third global identifier, and the second network device may continue the subsequent verification process.
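The stamping step of the first aspect (PE case, identifier taken from the ingress port and carried in the IPv6 flow label) and the ingress and egress checks of the second aspect can be exercised together. The following is an added example, not code from the patent; the class and function names, port names, prefixes and identifier values are constructed, and it assumes that a flow label of 0 means "no global identifier" and that a first device overwrites the label on ports that are not bound to a private network.

```python
import ipaddress
import struct

FLOW_LABEL_MASK = 0xFFFFF   # the IPv6 Flow Label field is 20 bits wide
NO_ID = 0                   # assumption: label 0 means "no global identifier"


def ipv6_header(src, dst, flow_label=NO_ID):
    """Constructed 40-byte IPv6 basic header with no payload (next header 59)."""
    word0 = (6 << 28) | (flow_label & FLOW_LABEL_MASK)
    return (struct.pack("!IHBB", word0, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def read_global_id(packet):
    """Return the global identifier carried in the Flow Label field."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    (word0,) = struct.unpack_from("!I", packet)
    if word0 >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return word0 & FLOW_LABEL_MASK


def write_global_id(packet, global_id):
    """Return a copy of packet with the Flow Label replaced by global_id."""
    if not 0 <= global_id <= FLOW_LABEL_MASK:
        raise ValueError("global identifier does not fit in 20 bits")
    read_global_id(packet)  # validates length and version
    (word0,) = struct.unpack_from("!I", packet)
    word0 = (word0 & ~FLOW_LABEL_MASK & 0xFFFFFFFF) | global_id
    return struct.pack("!I", word0) + packet[4:]


class NetworkDevice:
    def __init__(self, routes=None, ingress_ids=None, egress_ids=None):
        # Public routing table only (prefix -> egress port); no VPN routing table.
        self.routes = [(ipaddress.IPv6Network(p), port)
                       for p, port in (routes or {}).items()]
        self.ingress_ids = ingress_ids or {}   # ingress port -> global identifier
        self.egress_ids = egress_ids or {}     # egress port  -> global identifier

    def egress_port(self, packet):
        """Longest-prefix match of the destination address in the public table."""
        dst = ipaddress.IPv6Address(packet[24:40])
        hits = [(net.prefixlen, port) for net, port in self.routes if dst in net]
        return max(hits)[1] if hits else None

    def stamp(self, packet, in_port):
        """First device (PE case): write the identifier bound to the ingress port.

        Assumption, not stated on the page: unbound ports get NO_ID written,
        so a label preset by the sender is never trusted.
        """
        return write_global_id(packet, self.ingress_ids.get(in_port, NO_ID))

    def check(self, packet, in_port):
        """Second device: return ("forward", port) or ("drop", reason)."""
        first_id = read_global_id(packet)
        third_id = self.ingress_ids.get(in_port)      # optional ingress check
        if third_id is not None and third_id != first_id:
            return ("drop", "ingress identifier mismatch")
        out_port = self.egress_port(packet)
        if out_port is None:
            return ("drop", "no route")
        second_id = self.egress_ids.get(out_port, NO_ID)
        if second_id != first_id:
            return ("drop", "egress identifier mismatch")
        return ("forward", out_port)


# Constructed topology: port names, prefixes and identifiers are illustrative.
PE1 = NetworkDevice(ingress_ids={"cpe-a1": 100})
PE2 = NetworkDevice(
    routes={"2001:db8:a::/48": "to-cpe-a2",
            "2001:db8:b::/48": "to-cpe-b",
            "::/0": "to-public"},
    ingress_ids={"from-cpe-b": 200},
    egress_ids={"to-cpe-a2": 100, "to-cpe-b": 200},
)


def demo():
    private = PE1.stamp(ipv6_header("2001:db8:a:1::1", "2001:db8:a::10"), "cpe-a1")
    preset = PE1.stamp(
        ipv6_header("2001:db8:f::1", "2001:db8:a::10", flow_label=100), "uplink")
    cross = PE1.stamp(ipv6_header("2001:db8:a:1::1", "2001:db8:b::10"), "cpe-a1")
    return [PE2.check(private, "core"),        # identifier matches egress port
            PE2.check(preset, "core"),         # public traffic to a bound port
            PE2.check(cross, "core"),          # private network 100 to port of 200
            PE2.check(private, "from-cpe-b")]  # arrives on a port bound to 200


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Only the public routing table decides the egress port; isolation comes entirely from the port-to-identifier bindings, so a missing or wrong binding on either device is what an operator should audit first.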
In some possible implementations, the first network device may be customer premises equipment (CPE), and the second network device may be a provider edge (PE) device.
In some possible implementations, the first network device and the second network device may both be PE devices.
In some possible implementations, the output port through which the second network device forwards the second data packet is connected to the third network device, so that the second network device can forward the second data packet to the third network device through the output port when forwarding the second data packet. Optionally, the third network device may be a CPE. Before forwarding the second data message, the second network device may adjust the second data message, for example, may strip off a partial header of the second data message.
In some possible implementations, the second network device may first receive the second global identifier sent by the control device.
In some possible implementations, the second data packet is an IPv6 packet, and the first global identifier may be carried in a flow label field and/or a destination address field of a basic header of the second data packet.
In some possible implementations, the second data packet is an IPv6 packet, and then the first global identifier may be carried in a DOH and/or an HBH of the second data packet.
In some possible implementations, the second data packet is an MPLS packet, and then the first global identifier may be carried in an MPLS label field and/or an entropy label field of a base header of the second data packet.
In some possible implementations, the global identification includes one or more of: slice identifier (Slice ID), Virtual Network Identifier (VNID), and preset identifier.
In some possible implementations, the first network device and the second network device belong to an Overlay network system.
In a third aspect, an embodiment of the present application provides a packet transmission apparatus, where the apparatus is applied to a first network device, and includes: the receiving unit receives the first data message; the processing unit is configured to update the first data packet to obtain a second data packet, where the second data packet includes a global identifier, the global identifier is used by the second network device to check the second data packet according to a corresponding relationship, and the corresponding relationship is a corresponding relationship between the global identifier and an output port of the second network device for transmitting the second data packet; and the sending unit is used for sending the second data message to the second network equipment.
In some possible implementations, the first network device is a provider edge (PE) device; the processing unit is further configured to determine the global identifier corresponding to the ingress port according to the stored correspondence between the ingress port, through which the PE device receives the first data packet, and the global identifier.
In some possible implementations, the processing unit is further configured to search a public network routing table according to a destination address of the first data packet, and determine an egress port matched with the destination address; the sending unit is configured to send the second data packet to the second network device through the egress port matched with the destination address.
In some possible implementations, the first network device is customer premises equipment (CPE); the processing unit is further configured to determine the global identifier corresponding to the egress port of the first data packet sent by the CPE according to the stored correspondence between the egress port of the first data packet sent by the CPE and the global identifier.
In some possible implementations, the first network device is customer premises equipment (CPE); the processing unit is further configured to determine the global identifier corresponding to the packet feature according to a correspondence between the packet feature of the first data packet and the global identifier.
In some possible implementations, the receiving unit is further configured to receive the global identifier from a control device.
In some possible implementations, the first network device is a CPE and the control device includes a software-defined wide area network (SD-WAN) controller.
In some possible implementations, the second data packet is an IPv6 packet, and the global identifier may be carried in a field of a basic header of the second data packet, for example, may be carried in a flow label field and/or a destination address field.
In some possible implementations, the second data packet is an IPv6 packet, and the global identifier may be carried in an extension header of the second data packet, for example, in a DOH and/or an HBH.
In some possible implementations, the second data packet is an MPLS packet, and the global identifier may be carried in a field of a basic header of the second data packet, for example, may be carried in an MPLS label field and/or an entropy label field.
In some possible implementations, the global identification includes one or more of: slice identifier (Slice ID), virtual network identifier (VNID), and preset identifier.
In some possible implementations, the first network device and the second network device belong to an Overlay network system.
In a fourth aspect, an embodiment of the present application provides a packet transmission apparatus, where the apparatus is applied to a second network device, and the apparatus includes: a receiving unit, configured to receive a second data packet from a first network device, where the second data packet includes a first global identifier; a processing unit, configured to determine, according to a correspondence between an egress port that forwards the second data packet and a second global identifier, the second global identifier corresponding to the egress port; and the forwarding unit is used for responding to the matching of the first global identifier and the second global identifier and forwarding the second data message according to the output port.
In some possible implementations, the processing unit is further configured to search a public network routing table according to a destination address of the second data packet, and determine the egress port matching the destination address.
In some possible implementations, the processing unit is further configured to discard the second data packet in response to the first global identifier not matching the second global identifier.
In some possible implementations, the processing unit is configured to determine, according to a correspondence between an ingress port that receives the second data packet and a third global identifier, the third global identifier corresponding to the ingress port; and the forwarding unit is configured to determine, in response to matching between the first global identifier and the third global identifier, the second global identifier corresponding to the egress port according to a correspondence between the egress port that sends the second data packet and the second global identifier.
In some possible implementations, the first network device is customer premises equipment (CPE) and the second network device is a provider edge (PE) device.
In some possible implementations, the first network device and the second network device are both PE devices.
In some possible implementations, the forwarding unit is configured to forward the second data packet to a third network device according to the egress port, where the third network device is a CPE.
In some possible implementations, the receiving unit is further configured to receive the second global identifier from a control device.
In some possible implementations, the second data packet is an IPv6 packet, and the second global identifier may be carried in a field of a basic header of the second data packet, for example, may be carried in a flow label field and/or a destination address field.
In some possible implementations, the second data packet is an IPv6 packet, and the second global identifier may be carried in an extension header of the second data packet, for example, in a DOH and/or an HBH.
In some possible implementations, the second data packet is an MPLS packet, and the second global identifier may be carried in a field of a basic header of the second data packet, for example, may be carried in an MPLS label field and/or an entropy label field.
In some possible implementations, the first global identification includes one or more of: slice identifier (Slice ID), virtual network identifier (VNID), and preset identifier.
In some possible implementations, the first network device and the second network device belong to an Overlay network system.
In a fifth aspect, an embodiment of the present application provides a network device, where the network device includes a processor chip and a memory, where the memory is used to store instructions or program codes, and the processor chip is used to call and execute the instructions or program codes from the memory to execute the message transmission method according to the foregoing first aspect.
In a sixth aspect, an embodiment of the present application provides a network device, where the network device includes a processor chip and a memory, where the memory is used to store instructions or program codes, and the processor chip is used to call and execute the instructions or program codes from the memory to execute the message transmission method according to the foregoing second aspect.
In a seventh aspect, an embodiment of the present application provides a computer-readable storage medium, which includes instructions, a program, or code, and when executed on a computer, causes the computer to execute the message transmission method according to the foregoing first aspect or second aspect.
Drawings
Fig. 1 is a schematic structural diagram of a network system 100 according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a network system 200 according to an embodiment of the present application;
Fig. 3 is an interactive signaling diagram of a message transmission method according to an embodiment of the present application;
Fig. 4 is another interactive signaling diagram of a message transmission method according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a message transmission apparatus 500 according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a message transmission apparatus 600 according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a network device 700 according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a network device 800 according to an embodiment of the present application.
Detailed Description
The following describes a message transmission method provided by the embodiments of the present application and the related art with reference to the accompanying drawings.
Referring to fig. 1, a schematic structural diagram of a system 100 according to an embodiment of the present application is provided. The network system 100 includes a terminal device 111, a terminal device 112, a terminal device 113, a terminal device 114, a CE device 121, a CE device 122, a CE device 123, a CE device 124, a PE device 131, a PE device 132, a PE device 133, a Provider (P) device 141, and a P device 142. CE device 121 is connected to terminal device 111 and PE device 131, CE device 122 is connected to terminal device 112 and PE device 131, CE device 123 is connected to terminal device 113 and PE device 132, CE device 124 is connected to terminal device 114 and PE device 133, P device 141 is connected to PE device 131 and PE device 132, and P device 142 is connected to PE device 132 and PE device 133. PE device 132 has two ports, network port A and network port B, and is connected to P device 141 through network port A and to P device 142 through network port B.
Assume that PE device 132 has a public network routing table and a VPN routing table. The public network routing table records the correspondence between the IP address of CE device 124 and network port B; the VPN routing table records the correspondence between the IP address of CE device 121 and network port A and the correspondence between the IP address of CE device 122 and network port A. Then, in the case where terminal device 113 does not use a VPN, the destination address of message M transmitted by terminal device 113 may be the IP address of CE device 124. Because the message M does not include a VPN identifier, the PE device 132 may determine, according to the public network routing table, that the output port corresponding to the message is network port B, and send the message to the P device 142 through network port B, so as to forward the message to the terminal device 114 through the P device 142.
When the terminal device 113 accesses the terminal device 111 or the terminal device 112 through the VPN, the message N sent by the terminal device 113 may include a VPN identifier, and the destination address of the message may be the IP address of the CE device 121 or the IP address of the CE device 122. Accordingly, after receiving the message, the PE device 132 may determine, according to the VPN identifier carried in the message, that the message N needs to be transmitted through the VPN and that its output port needs to be obtained from the VPN routing table. Then, PE device 132 may determine, according to the VPN routing table and the destination address of the message N, that the output port corresponding to the message N is network port A, and send the message N to P device 141 through network port A, so as to forward it to terminal device 111 or terminal device 112 through P device 141. Therefore, by distinguishing the VPN routing table from the public network routing table, public network traffic and VPN traffic are isolated from each other, which is equivalent to isolating a virtual private network within the public network.
The VPN routing table records the IP addresses of the CE devices reachable through the VPN. Therefore, a PE device on which the VPN is deployed needs to collect the IP addresses of the CE devices that are connected to it and access the VPN, and send these IP addresses to the other PE devices on which the VPN is deployed. For example, in the embodiment shown in fig. 1, the VPN routing table of the PE device 132 records the respective IP addresses of the CE device 121 and the CE device 122 that are reachable through the VPN. Thus, in establishing the VPN routing table, PE device 131 needs to collect the IP address of CE device 121 and the IP address of CE device 122 and send these two IP addresses to PE device 132. The PE device 132 can then establish the correspondence between network port A and the IP addresses of the CE device 121 and the CE device 122, respectively, to obtain the VPN routing table.
However, as the VPN scale increases, the IP addresses of the CE devices recorded in the VPN routing table increase, which greatly increases the burden on the PE devices. In addition, when a new CE device accesses a VPN, the PE device connected to the new CE device needs to notify other PE devices in the VPN of the IP address of the CE device, and this notification process also increases the burden of the network device.
To solve the above problem, an embodiment of the present application provides a packet transmission method in which a network device may add a global identifier to a packet according to the port through which the packet is transmitted, so that other network devices can check the packet according to the global identifier and the port through which the packet is transmitted. By establishing the correspondence between the global identifier and the port, packets transmitted through a specific port can be isolated from other packets, which is equivalent to dividing a relatively independent private network out of the public network. The function of a VPN is thus realized without establishing a VPN routing table: the PE device does not need to collect the IP addresses of CE devices, and routing information does not need to be transmitted through protocols such as the Border Gateway Protocol (BGP), which reduces the burden on network devices.
The message transmission method provided by the embodiment of the application can be applied to the network architecture shown in fig. 2.
Referring to fig. 2, a schematic diagram of a system 200 according to an embodiment of the present application is shown. System 200 includes device 211, device 212, device 213, client terminal device 221, client terminal device 222, client terminal device 223, PE device 231, PE device 232, and P device 241. The client terminal device 221 is connected to the device 211 and the PE device 231, the client terminal device 222 is connected to the device 212 and the PE device 231, the client terminal device 223 is connected to the device 213 and the PE device 232, and the P device 241 is connected to the PE device 231 and the PE device 232. Optionally, the client terminal device 221, the client terminal device 222, the client terminal device 223, the PE device 231, the PE device 232, and the P device 241 may belong to an Overlay network system.
In the embodiment of the present application, the PE device 231 is connected to the network port A2 of the client terminal device 221 through the network port A1, connected to the client terminal device 222 through the network port B2, and connected to the network device 241 through the network port C. PE device 232 is connected to network device 241 through network port D.
In the embodiment of the present application, the device 211, the device 212, and the device 213 may be terminal devices, or may be devices such as a server or a database. A terminal device, which may also be referred to as user equipment (UE), a mobile station (MS), a mobile terminal (MT), a terminal, etc., is a device that provides voice and/or data connectivity for a user, or a chip disposed in such a device, for example a handheld device with a wireless connection function or a vehicle-mounted device. Currently, some examples of terminal devices are: a mobile phone, a desktop computer, a tablet computer, a notebook computer, a palmtop computer, a mobile internet device (MID), a wearable device, a virtual reality (VR) device, an augmented reality (AR) device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, a home gateway device supporting 5G access (5G-residential gateway, 5G-RG), and the like.
The client terminal device 221, the client terminal device 222, the client terminal device 223, the PE device 231, the PE device 232, and the P device 241 may be, for example, physical devices that support a routing function, such as a router or a switch, or may be a server on which a virtual router or a virtual switch is deployed and which is used to transmit packets.
It should be noted that, in the embodiment of the present application, a packet transmitted between two PE devices may be relayed by one network device (as shown in fig. 2, the PE device 231 and the PE device 232 are connected through the P device 241), may be relayed by multiple network devices, or may be transmitted directly from one PE device to the other through a tunnel. The embodiment of the present application does not limit the process of transmitting a packet from one PE device to another PE device.
Referring to fig. 3, which is a signaling interaction diagram of a message transmission method provided in the embodiment of the present application, the message transmission method provided in the embodiment of the present application may include the following steps:
S301: The first CPE, the first PE device, the second PE device and the second CPE each obtain a correspondence.
In the embodiment of the present application, the first CPE, the first PE device, the second PE device, and the second CPE are devices deployed with a private network, and the private network is referred to as a target network. It should be noted that the target network is not a virtual private network implemented through a VPN routing table in the conventional sense, or a private network physically isolated from a public network implemented through hardware, but a virtual private network established by executing the message transmission method provided in the embodiment of the present application.
The first CPE is connected to the first PE device and to the first terminal device, and the second CPE is connected to the second PE device and to the second terminal device. A packet from the first terminal device may then be sent to the second terminal device through the target network. During transmission, the packet passes through the first CPE, the first PE device, the second PE device and the second CPE in sequence. Taking the embodiment shown in fig. 2 as an example, if the first terminal device is the device 211 and the second terminal device is the device 213, the first CPE may be the client terminal device 221, the second CPE may be the client terminal device 223, the first PE device may be the PE device 231, and the second PE device may be the PE device 232. In some possible implementations, the first CPE, the first PE device, the second PE device, and the second CPE may belong to an Overlay network system.
Before transmitting the data packet, the first CPE, the first PE device, the second PE device, and the second CPE may first obtain the corresponding relationship, respectively. The correspondence may include a correspondence between a network port and a global identifier, and/or a correspondence between a packet characteristic and a global identifier. The global identifier is used for identifying a target network and distinguishing a data message transmitted through the target network from a data message transmitted through a public network. Optionally, the global identifier may include any one or more of a Slice ID, a VNID, and a preset identifier.
In this embodiment, a network port is a port through which a device is connected to other devices, and may be an egress port or an ingress port. An ingress port is a network port through which the device receives data packets, and an egress port is a network port through which the device sends data packets. Accordingly, the correspondence may be divided into a correspondence between an egress port and a global identifier, and a correspondence between an ingress port and a global identifier. The correspondence between the egress port and the global identifier indicates the condition that must be satisfied by a packet sent through the egress port; the correspondence between the ingress port and the global identifier indicates the condition that must be satisfied by a packet received through the ingress port. For a detailed description of the correspondence, reference may be made to the following description of S305, which is not repeated here.
In this embodiment of the present application, the correspondence may be obtained according to the connection relationship between devices, and indicates which network ports are bound to the target network. Specifically, in the process of deploying the target network between the first CPE and the second CPE, it may be determined which network ports the data transmitted in the target network needs to pass through, and the correspondence between those network ports and the global identifier is then established. Since the target network is deployed between the first CPE and the second CPE and passes through the first PE device, the second PE device and the second CPE, the correspondence may include: the correspondence between the global identifier and the egress port of the first CPE that is connected to the first PE device; the correspondence between the global identifier and the ingress port of the first PE device that is connected to the first CPE; the correspondence between the global identifier and the egress port of the first PE device that is connected to the second PE device; the correspondence between the global identifier and the ingress port of the second PE device that is connected to the first PE device; the correspondence between the global identifier and the egress port of the second PE device that is connected to the second CPE; and the correspondence between the global identifier and the ingress port of the second CPE that is connected to the second PE device.
Still using fig. 2 as an example, assume that the first CPE is the client terminal device 221, the second CPE is the client terminal device 223, the first PE device is the PE device 231, the second PE device is the PE device 232, and the global identifier is X. Then, in establishing the target network from the client terminal device 221 to the client terminal device 223, it may be determined that a data packet from the device 211 passes through the network port A2, the network port A1, the network port C, and the network port D in sequence. Thus, a correspondence between the global identifier X and each of network port A2, network port A1, network port C, and network port D may be established.
After determining the correspondence between the network port and the global identifier, the control device may send the correspondence to the first CPE, the first PE device, the second PE device, and the second CPE, respectively. It should be noted that the control device corresponding to the PE devices and the control device corresponding to the CPE devices may be different. For example, for the first CPE and the second CPE, the control device may include an SD-WAN controller.
S302: the first CPE acquires a first data message.
In this embodiment, the first data packet may be a service packet generated by a terminal device or a server. The terminal device or the server generating the first data packet is directly connected to the first CPE. The first CPE may obtain the first data packet through a connection with the terminal device or the server.
The destination device of the first data packet is a terminal device connected to the second CPE. For example, assuming that the first CPE is the client terminal device 221 in fig. 2, the device generating the first data packet may be the device 211, and the destination device of the first data packet may be the device 213. Optionally, the first data packet may include a destination address indicating the location of its destination device in the network. As can be seen from the foregoing description, a target network is deployed between the first CPE and the second CPE, so the first data packet may be a data packet transmitted through the target network.
S303: The first CPE determines the global identifier and obtains a second data packet according to the first data packet and the global identifier.
As can be known from the foregoing description, the mapping relationship obtained by the first CPE in step S301 may include a mapping relationship between the global identifier and the egress port, and/or a mapping relationship between the packet feature and the global identifier. In this embodiment of the application, the first CPE may determine the global identifier according to the corresponding relationship after acquiring the first data packet.
As can be seen from the foregoing description, the corresponding relationship may be a corresponding relationship between a network port and a global identifier, or a corresponding relationship between a packet feature and a global identifier. Two cases will be described below.
In a first possible implementation, the correspondence may include a correspondence between the network port and the global identifier, that is, the first CPE may determine the global identifier corresponding to the first data packet according to the network port and the correspondence. Specifically, the first CPE may determine the egress port corresponding to the first data packet, and then determine the global identifier according to that egress port and the correspondence. The egress port is the one of the first CPE's network ports that corresponds to the first data packet.
As can be seen from the foregoing description, the first data packet may include a destination address, so the first CPE may determine the egress port corresponding to the first data packet according to the public network routing table and the destination address. The public network routing table includes a correspondence between the address of at least one network device and an egress port of the first CPE, and indicates through which egress port of the first CPE a packet destined for a given network device needs to be sent. Then, after receiving the first data packet, the first CPE may search the public network routing table for the egress port matching the destination address of the first data packet, and determine that port as the egress port corresponding to the first data packet.
After determining the egress port corresponding to the first data packet, the first CPE may determine the global identifier corresponding to the egress port according to a correspondence between the egress port and the global identifier. The corresponding relationship between the egress port and the global identifier includes a corresponding relationship between the egress port corresponding to the first data packet and the global identifier, and indicates that data carried in the target network corresponding to the global identifier needs to be transmitted through the egress port.
In a second possible implementation, the correspondence may include a correspondence between the packet characteristic and the global identifier, that is, the first CPE may determine the global identifier according to the packet characteristic of the first data packet and the correspondence. A packet characteristic is an attribute of the first data packet, and may be, for example, a flow identifier, a quintuple, or another characteristic of the first data packet. The quintuple includes the source IP address, source port, destination IP address, destination port, and transport layer protocol of the first data packet. The source port is the port through which the terminal device generating the first data packet sends it, and the destination port is the port through which the destination device of the first data packet receives it. For example, assume that the correspondence includes a correspondence between a destination IP address and the global identifier. Then, after receiving the first data packet, if the destination IP address of the first data packet is the same as the destination IP address included in the correspondence, the first CPE may determine, according to the correspondence, the global identifier corresponding to the destination IP address.
After determining the global identifier, the first CPE may obtain a second data packet according to the first data packet and the global identifier. The second data packet includes the global identifier. For example, the first CPE may add the global identifier to a header of the first data packet, thereby obtaining a second data packet including the global identifier.
In some possible implementations, the second data packet may be an IPv6 packet, and the global identifier may be carried in the IPv6 header of the second data packet, for example in the flow label field and/or the destination address field of the IPv6 header. Of course, the global identifier may also be carried in an extension header of the second data packet, for example in a destination options header (DOH) and/or a hop-by-hop options header (HBH). Optionally, the first CPE may carry the global identifier in multiple places in the second data packet, for example in the IPv6 header of the second data packet and also in a DOH of the second data packet.
In some other possible implementations, the second data packet may also be an MPLS packet, and the global identifier may be carried in a basic header of the second data packet, for example in the MPLS label field and/or the entropy label field of the basic header.
S304: The first CPE sends the second data packet to the first PE device.
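The IPv6 flow label option described above can be illustrated with a short added example (not code from the patent): it rewrites the 20-bit flow label of a fixed IPv6 header to carry a global identifier and reads it back. Placing the identifier directly in the flow label, treating flow label 0 as "no identifier", and the 2001:db8:: addresses are assumptions made for illustration.

```python
import ipaddress
import struct

FLOW_LABEL_MAX = (1 << 20) - 1  # the IPv6 flow label field is 20 bits wide
IPV6_HEADER_LEN = 40


def build_ipv6_header(src, dst, payload_len, next_header=17, hop_limit=64):
    """Build a fixed IPv6 header with traffic class 0 and flow label 0."""
    first_word = 6 << 28  # version 6 in the top four bits
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def first_word_of(header):
    """Return the first 32-bit word after checking length and version."""
    if len(header) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    (word,) = struct.unpack("!I", header[:4])
    if word >> 28 != 6:
        raise ValueError("not an IPv6 header")
    return word


def set_global_id(header, global_id):
    """Turn the first data packet's header into the second data packet's header
    by writing the global identifier into the flow label (assumed encoding)."""
    if not 0 < global_id <= FLOW_LABEL_MAX:
        raise ValueError("global identifier must fit in the 20-bit flow label")
    word = first_word_of(header)
    word = (word & ~FLOW_LABEL_MAX & 0xFFFFFFFF) | global_id  # keep version and traffic class
    return struct.pack("!I", word) + header[4:]


def read_global_id(header):
    """Return the identifier carried in the flow label, or None if the label is 0."""
    label = first_word_of(header) & FLOW_LABEL_MAX
    return label or None


if __name__ == "__main__":
    # Constructed addresses standing in for device 211 and device 213.
    first = build_ipv6_header("2001:db8:211::1", "2001:db8:213::10", payload_len=8)
    second = set_global_id(first, 0x12345)
    print(first[:4].hex(), read_global_id(first))
    print(second[:4].hex(), hex(read_global_id(second)))
```

A 20-bit field limits this encoding to identifiers below 2^20; a larger identifier space would need one of the other carriers the text lists, such as an extension header.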
After obtaining the second data message, the first CPE may send the second data message to the first PE device. Specifically, the first CPE may determine, according to the destination address of the first data packet, that the next hop device of the second data packet is the first PE device, and determine an egress port for sending the second data packet, so as to send the second data packet to the first PE device through the egress port. For a detailed description of determining the egress port, reference is made to the above description and no further description is provided herein.
S305: the first PE device verifies the second data message.
After receiving the second data packet sent by the first CPE, the first PE device may check the second data packet according to the global identifier carried in the second data packet. In this embodiment, the first PE device may determine the egress port to be used to send the second data packet, and then check the second data packet according to that egress port.
In the process of checking the second data packet according to the egress port used to send it, the first PE device may determine the egress port according to the destination address of the second data packet, determine the global identifier according to that egress port, and finally determine whether the global identifier carried in the second data packet matches the global identifier determined according to the egress port.
As can be seen from the introduction in S301, the control device may generate a correspondence between the egress port of the first PE device and the global identifier when deploying the target network, indicating that a packet sent by the first PE device through that egress port is a packet transmitted through the target network. Therefore, after determining the egress port used to send the second data packet, the first PE device can tell from the egress port that the data packet is a packet transmitted through the target network, and determine the global identifier corresponding to the egress port according to the correspondence. After determining the global identifier corresponding to the egress port, the first PE device may compare it with the global identifier carried in the second data packet. If the two match, the second data packet can be output from the egress port so as to be forwarded in the target network.
If a data packet to be sent by the first PE device does not include the global identifier, or the global identifier carried in the data packet does not match the global identifier determined according to the egress port, the data packet does not satisfy the condition for being sent through the egress port, even if its destination address corresponds to the egress port. The first PE device may discard the data packet.
Still using fig. 2 as an example, assume that the first PE device is the PE device 231, the first CPE is the client terminal device 221, the target network corresponds to the global identifier X, and the second data packet is a packet sent by the terminal device 211 to the terminal device 213. Since the client terminal device 221 and the client terminal device 223 are connected through the target network, the network port A2 and the network port C each correspond to the global identifier X. The second data packet received by the PE device 231 may include the global identifier X determined and added by the client terminal device 221 according to network port A2.
After the PE device 231 receives the second data packet, it may determine, according to the destination address of the second data packet, that the egress port corresponding to the second data packet is network port C, and determine, according to the correspondence, that the global identifier corresponding to network port C is the global identifier X. Then, the PE device 231 may determine that the global identifier X determined according to network port C matches the global identifier X carried in the second data packet, so that the second data packet is a secure data packet. If the PE device 231 receives a packet whose destination device is the terminal device 213 and the packet does not include the global identifier X, the PE device 231 may determine that the packet is insecure and discard it.
As can be seen, in the packet transmission method provided in the embodiment of the present application, the first PE device may check the second data packet according to the egress port used to send it before sending the second data packet. In this way, if the egress port used to send the second data packet is bound to the target network, the PE device may check the second data packet according to the global identifier corresponding to the target network, thereby ensuring that all packets sent through that egress port carry the global identifier corresponding to the target network. Therefore, only specific packets can be sent through an egress port bound to the target network, and isolation between the target network and the public network is achieved.
In some possible implementations, after receiving the second data packet, the first PE device may also check the second data packet according to the ingress port that received it. Specifically, after receiving the second data packet, the first PE device may determine, according to the ingress port that received the second data packet and the correspondence, the global identifier corresponding to that ingress port, and compare whether the global identifier determined according to the ingress port matches the global identifier carried in the second data packet.
According to the introduction in S301, the control device may generate a correspondence between the ingress port of the first PE device and the global identifier when deploying the target network, indicating that a packet received by the first PE device through that ingress port is transmitted through the target network corresponding to the global identifier. Therefore, after receiving a data packet through the ingress port, the first PE device can tell from the ingress port that the data packet is a packet transmitted through the target network, and determine the global identifier corresponding to the ingress port according to the correspondence. After determining the global identifier corresponding to the ingress port, the first PE device may compare it with the global identifier carried in the second data packet. If the two match, the second data packet is secure, and the subsequent steps can continue to be executed.
Take as an example the case where the data packet received by the first PE device is the second data packet sent by the first CPE. Since the network port A2 of the first CPE is connected to the network port A1 of the first PE device and both correspond to the target network, the global identifier corresponding to the network port A1 is the same as the global identifier corresponding to the network port A2. Therefore, the first PE device may determine that the global identifier carried in the second data packet matches the global identifier determined according to the ingress port of the second data packet, which indicates that the second data packet is a normal data packet, and may continue to perform the subsequent steps. Optionally, after the second data packet is verified according to the ingress port, the first PE device may determine the egress port according to the destination address of the second data packet, and verify the second data packet again according to the egress port.
If the data packet received by the first PE device does not include the global identifier, or the global identifier carried in the data packet received by the first PE device is not matched with the global identifier corresponding to the ingress port, which indicates that the first PE device receives an erroneous packet from the ingress port corresponding to the global identifier, the first PE device may discard the packet. For example, it is assumed that the second data message is tampered during transmission, so that the global identifier carried in the second data message is deleted. Then, since the tampered second data packet does not include the global identifier, the first PE device may discard the tampered second data packet, thereby avoiding continuing to transmit an unsecured packet.
Still using fig. 2 as an example, assume that the first PE device is the PE device 231, the first CPE is the client terminal device 221, the target network corresponds to the global identifier X, and the second data packet is a packet sent by the terminal device 211 to the terminal device 213. Since the client terminal device 221 and the client terminal device 223 are connected through the target network, the network port A1 and the network port A2 each correspond to the global identifier X. The second data packet received by the PE device 231 includes the global identifier X determined and added by the client terminal device 221 according to network port A2. In addition, the PE device 231 may determine the global identifier X according to the network port A1 that received the second data packet and the correspondence, and determine that the global identifier X determined according to the network port A1 matches the global identifier X carried in the second data packet, so that the second data packet is a secure data packet. If the PE device 231 receives a data packet carrying the global identifier X through the network port B1, the PE device 231 cannot obtain the global identifier X according to the network port B1, because the network port B1 has no correspondence with the global identifier X. Based on this, the PE device 231 may determine that the data packet is an insecure data packet and discard it.
S306: The first PE device sends the second data packet to the second PE device.
After the second data packet passes the verification by the first PE device, the first PE device determines that the second data packet is a secure packet and therefore continues to send it. Specifically, the first PE device may determine the egress port for sending the second data packet according to the destination address of the second data packet, so as to send the packet to the next-hop device through that egress port. For the description of determining the port, reference is made to the above, and the description is omitted here.
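The tagging in S303 and the ingress and egress checks in S305 can be sketched as follows, using the ports of fig. 2. This is an added example, not the patent's implementation; the address prefixes, the numeric value standing in for global identifier X, the one-identifier-per-port table and the `Device` class are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

GLOBAL_ID_X = 0xA5  # constructed value standing in for global identifier X


@dataclass(frozen=True)
class Packet:
    dst: str
    global_id: Optional[int] = None  # None: the packet carries no global identifier


class Device:
    """A CPE or PE holding a public routing table and port/identifier bindings."""

    def __init__(self, name, routes, bindings):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), port) for p, port in routes.items()]
        self.bindings = dict(bindings)  # network port -> global identifier

    def egress_port(self, dst):
        """Longest-prefix match in the public routing table; None if no route."""
        addr = ipaddress.ip_address(dst)
        hits = [(net.prefixlen, port) for net, port in self.routes if addr in net]
        return max(hits)[1] if hits else None

    def tag(self, pkt):
        """S303: add the identifier bound to the packet's egress port, if any."""
        gid = self.bindings.get(self.egress_port(pkt.dst))
        return pkt if gid is None else replace(pkt, global_id=gid)

    def verify(self, pkt, ingress):
        """S305: return ("forward", egress_port) or ("drop", reason)."""
        # Ingress check: the carried identifier must equal the one bound to the
        # receiving port (both absent counts as a match for unbound ports).
        if pkt.global_id != self.bindings.get(ingress):
            return ("drop", "ingress-mismatch")
        egress = self.egress_port(pkt.dst)
        if egress is None:
            return ("drop", "no-route")
        # Egress check: a port bound to the target network only sends packets
        # that carry that network's identifier.
        if pkt.global_id != self.bindings.get(egress):
            return ("drop", "egress-mismatch")
        return ("forward", egress)


# Constructed prefixes for the networks behind device 211 and device 213.
NET_211, NET_213 = "2001:db8:211::/48", "2001:db8:213::/48"
CPE_221 = Device("client terminal device 221", {NET_213: "A2"}, {"A2": GLOBAL_ID_X})
PE_231 = Device("PE device 231", {NET_211: "A1", NET_213: "C"},
                {"A1": GLOBAL_ID_X, "C": GLOBAL_ID_X})


def demo():
    first = Packet(dst="2001:db8:213::10")   # first data packet, no identifier
    second = CPE_221.tag(first)              # second data packet, carries X
    return {
        "second packet received on A1": PE_231.verify(second, "A1"),
        "identifier removed in transit, received on A1": PE_231.verify(first, "A1"),
        "packet carrying X received on B1": PE_231.verify(second, "B1"),
        "untagged packet from B1 towards device 213": PE_231.verify(first, "B1"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the first case is forwarded (through network port C); the other three are the discard cases the text describes for a missing identifier, an unbound ingress port and a bound egress port.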
The second data packet sent by the first PE device may reach the second PE device via forwarding by one or more network devices in the network system. For example, in the embodiment shown in fig. 2, the second data packet sent by PE device 231 may be forwarded by network device 241 and received by PE device 232 through network port D. Certainly, in some possible implementations, the first PE device may be directly connected to the second PE device, and then the next-hop device of the second data packet sent by the first PE device is the second PE device, and the first PE device may directly send the second data packet to the second PE device, without forwarding the second data packet through other network devices in the network system. Optionally, the first PE device may also send the second data packet to the second PE device through a tunnel with the second PE device.
S307: the second PE device checks the second data packet.
After receiving the second data packet sent by the first PE device, the second PE device may check the second data packet according to the global identifier carried in the second data packet. Optionally, the second PE device may determine the global identifier corresponding to the second data packet according to the egress port to be used when sending the second data packet and/or the ingress port that received the second data packet, and then determine whether that global identifier matches the global identifier carried in the second data packet. The method by which the second PE device determines the global identifier is similar to the method by which the first PE device determines the global identifier according to the ingress port or the egress port in S305, and is not described again here.
S308: the second PE device forwards the second data message to the second CPE.
If the result of the second PE device verifying the second data message is that the verification fails, it indicates that the second data message does not correspond to the target network transmitting the second data message, and the second data message cannot be sent to the next hop device through the output port corresponding to the destination address, and the second PE device may discard the second data message. If the result of the second PE device verifying the second data packet is that the verification is passed, the second PE device may determine an egress port according to the destination address of the second data packet, so as to forward the second data packet through the egress port.
In some possible implementations, before the second PE device forwards the second data packet to the second CPE, the second PE device may adjust the second data packet, for example, by removing a part of the header of the second data packet, and then send the adjusted second data packet to the second CPE.
As can be seen from the foregoing description, a target network is deployed between the first CPE and the second CPE, the target network corresponds to the global identifier through the first PE device and the second PE device, and the destination device of the second data packet is a terminal device connected to the second CPE, so that the egress port determined according to the destination address of the second data packet is a network port connected to the second CPE in the network port of the second PE device. Therefore, the next-hop device of the egress port determined according to the destination address of the second data packet is the second CPE, and the second PE device may send the second data packet to the second CPE through the egress port.
After receiving the second data packet, the second CPE may check the second data packet according to the correspondence and the ingress port receiving the second data packet. The checking process is similar to the process of checking the second data message by the first PE device and the second PE device, and is not described herein again. After the second data packet is verified, the second CPE may forward the second data packet to a destination device of the second data packet, thereby completing transmission of the packet.
Alternatively, the message sent by the second CPE to the destination device may be referred to as a third data message. Before sending the third data packet, the second CPE may first remove the global identifier carried in the second data packet to obtain the third data packet.
As can be seen from the above description, the control device may deploy, on the CPE or PE device, a corresponding relationship between a global identifier and a network port, where the global identifier is used to check a data packet transmitted through the target network, which is equivalent to binding the network port of the CPE or PE device to the target network. In the process of transmitting the data packet, the CPE first receiving the data packet in the network architecture may add a global identifier corresponding to the target network to the data packet under the condition that the egress port corresponding to the destination address of the data packet is a network port to which the target network is bound, so that the first PE device, the second PE device, and the second CPE device that transmit the packet check the data packet according to the global identifier. If the CPE or PE equipment receives the data message through the input port bound to the target network, the CPE or PE equipment can check the data message according to the global identification carried in the data message; if the output port corresponding to the destination address of the data message is the output port bound to the target network, the CPE or PE device may check the data message according to the global identifier. It can be seen that, on one hand, the data packet with the global identifier can be received by the CPE and the PE device through the ingress port bound to the target network, and the data packet without the global identifier cannot be received by the CPE and the PE device through the ingress port bound to the target network; on the other hand, the data packet with the global identifier can be sent by the CPE and the PE device through the egress port bound to the target network, while the data packet without the global identifier is not sent through the egress port bound to the target network. 
Thus, the network port bound with the target network can only be used for transmitting the message transmitted through the target network, and other messages in the public network cannot be transmitted through the network ports bound with the target network. Therefore, under the condition of not establishing a VPN routing table, the isolation of the target network flow and the public network flow is realized, which is equivalent to that a logically independent target network is established in the public network. According to the method provided by the embodiment of the application, the VPN routing table does not need to be established, and the PE equipment does not need to inform other PE equipment in the VPN of the IP address of the CE equipment connected with the PE equipment, so that the burden of network equipment is reduced.
In the above embodiment, the global identifier is added to the first data packet by the first CPE. In some other possible implementations, the global identifier may be added to the first data packet by the PE device that first receives the first data packet in the network architecture (e.g., the aforementioned first PE device). This is described in detail below.
Referring to fig. 4, which is another signaling interaction diagram of the message transmission method provided in the embodiment of the present application, the message transmission method provided in the embodiment of the present application may include the following steps:
S401: The first PE device, the second PE device and the second CPE each acquire a correspondence.
In this embodiment, the first PE device, the second PE device, and the second CPE may respectively obtain a corresponding relationship, where the corresponding relationship is a corresponding relationship between a global identifier of the private network and a network port. The network ports included in the corresponding relationships are network ports bound to the private network, that is, the messages transmitted through the network ports of the private network can be transmitted through the network ports included in the corresponding relationships.
As can be seen from the foregoing description, the network ports may include an egress port and an ingress port. In this embodiment, the correspondence obtained by the first PE device includes at least a correspondence between an ingress port of the first PE device and the global identifier. When determining the correspondence between the ingress port of the first PE device and the global identifier, the ingress port may be determined according to the network topology; the ingress port is a network port on which the first PE device receives data packets transmitted through the private network corresponding to the global identifier. For example, the network port through which the first PE device is connected to the first CPE may be determined as the ingress port, and a correspondence between the ingress port and the global identifier may be established.
S402: The first CPE acquires the first data packet and sends the first data packet to the first PE device.
In this embodiment of the present application, the first CPE may obtain the first data packet from the device that generates the first data packet, and forward the first data packet to the first PE device. Similar to the embodiment shown in fig. 3, the first data packet is a data packet that needs to be transmitted through a private network (hereinafter referred to as a target network) corresponding to the global identifier.
In this embodiment, after acquiring the first data packet, the first CPE may determine an egress port according to a destination address of the first data packet, so as to send the first data packet to the first PE device through the egress port.
S403: The first PE device determines the global identifier and obtains a second data packet according to the first data packet and the global identifier.
After receiving the first data packet, the first PE device may determine the global identifier according to the correspondence obtained in S401. As can be seen from the foregoing description, the correspondence obtained by the first PE device may include a correspondence between an ingress port and a global identifier. If the first PE device receives the first data packet through the ingress port recorded in the corresponding relationship, it indicates that the first data packet is a data packet that needs to be transmitted through the target network. Then, the first PE device may determine a global identifier corresponding to the ingress port according to the corresponding relationship, and add the global identifier to the first data packet to obtain a second data packet.
In this embodiment, the location at which the global identifier is carried in the second data packet may be the same as in the embodiment shown in fig. 3, and is not described in detail here.
S404: The first PE device sends the second data packet to the second PE device.
After obtaining the second data packet, the first PE device may determine, according to the destination address of the second data packet, an egress port for sending the second data packet, so as to send the second data packet to the second PE device through the egress port.
Since the target network is a dedicated network deployed between the first CPE and the second CPE, the data packets sent from the first CPE to the second CPE are all transmitted through the target network, and therefore, paths from the first CPE to the second CPE all belong to paths in the target network. The second data message may reach the second PE device via transmission by one or more network devices in the path.
S405: the second PE device verifies the second data message.
After receiving the second data packet, the second PE device may check the second data packet according to the global identifier. For a description of this part, reference may be made to the description of S305 and S307 in the embodiment shown in fig. 3, and details are not repeated here.
S406: the second PE device forwards the second data packet to the second CPE.
After the second PE device passes the verification of the second data packet, the second PE device may send the second data packet to the second CPE, and the second CPE forwards the second data packet to the target device, thereby completing the transmission process of the data packet.
As can be seen, in this embodiment, among the devices that obtain the correspondence, the first PE device is the first to receive the first data packet, and it adds the global identifier to the first data packet, so that each device that subsequently transmits the second data packet can check the second data packet according to the global identifier. This ensures that packets are transmitted normally in the target network and that the target network is not interfered with by other packets. Therefore, without establishing a VPN routing table, target network traffic is isolated from public network traffic, which is equivalent to establishing a logically independent target network within the public network. Because the method of this embodiment does not require a VPN routing table, a PE device does not need to notify other PE devices in the VPN of the IP addresses of the CE devices connected to it, which reduces the burden on network devices.
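The port-bound check used by both embodiments (fig. 3 and fig. 4), as an added Python example that is not code from the patent. Ports a1, a2, B1, D and identifier X come from the fig. 2 discussion; ports C1, E1, F1, B2, the addresses, the omission of intermediate device 241, and the rule that an untagged packet on unbound ports is ordinary public traffic are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

X = "X"                      # global identifier of the target network (from the page)
DST_213 = "198.51.100.13"    # constructed address for end device 213
DST_PUBLIC = "203.0.113.7"   # constructed public-network destination


@dataclass(frozen=True)
class Packet:
    dst: str
    payload: bytes
    global_id: Optional[str] = None   # None: no global identifier carried


@dataclass
class Device:
    name: str
    bindings: Dict[str, str]   # correspondence: network port -> global identifier
    routes: Dict[str, str]     # destination address -> egress port

    def port_ok(self, port: str, pkt: Packet) -> bool:
        # Passes only when the identifier bound to the port equals the one carried.
        # Assumption: unbound port plus untagged packet (both None) is public traffic.
        return self.bindings.get(port) == pkt.global_id

    def add_identifier(self, pkt: Packet, port: str) -> Packet:
        # S303 passes the egress port (first CPE); S403 passes the ingress port (first PE).
        gid = self.bindings.get(port)
        return replace(pkt, global_id=gid) if gid is not None else pkt

    def transit(self, in_port: str, pkt: Packet) -> Tuple[Optional[str], str]:
        # S305/S307: check at the ingress port, route, then check at the egress port.
        if not self.port_ok(in_port, pkt):
            return None, f"{self.name}: drop at ingress {in_port}"
        egress = self.routes.get(pkt.dst)
        if egress is None:
            return None, f"{self.name}: drop, no route"
        if not self.port_ok(egress, pkt):
            return None, f"{self.name}: drop at egress {egress}"
        return egress, f"{self.name}: forward {in_port}->{egress}"

    def deliver(self, in_port: str, pkt: Packet) -> Optional[Packet]:
        # Second CPE: check at the ingress port, then remove the identifier
        # to obtain the third data packet.
        return replace(pkt, global_id=None) if self.port_ok(in_port, pkt) else None


# Constructed topology: every port on the CPE-to-CPE path is bound to X.
CPE221 = Device("CPE221", {"a2": X}, {DST_213: "a2"})
PE231 = Device("PE231", {"a1": X, "C1": X}, {DST_213: "C1", DST_PUBLIC: "B2"})
PE232 = Device("PE232", {"D": X, "E1": X}, {DST_213: "E1"})
CPE223 = Device("CPE223", {"F1": X}, {})


def send_via_target_network(pkt: Packet) -> Tuple[Optional[Packet], List[str]]:
    """Fig. 3 flow: first CPE tags, both PEs check, second CPE checks and strips."""
    trace: List[str] = []
    egress = CPE221.routes[pkt.dst]
    pkt = CPE221.add_identifier(pkt, egress)             # S303
    for pe, in_port in ((PE231, "a1"), (PE232, "D")):    # S305 to S307
        out, note = pe.transit(in_port, pkt)
        trace.append(note)
        if out is None:
            return None, trace
    return CPE223.deliver("F1", pkt), trace              # S308 and the final check


if __name__ == "__main__":
    print(send_via_target_network(Packet(DST_213, b"hello")))
    print(PE231.transit("B1", Packet(DST_213, b"spoof", X)))    # tagged, unbound ingress
    print(PE231.transit("B1", Packet(DST_213, b"public")))      # untagged, bound egress
    print(PE231.transit("B1", Packet(DST_PUBLIC, b"public")))   # ordinary public traffic
    print(PE231.transit("a1", Packet(DST_213, b"untagged")))    # untagged, bound ingress
```

The three drop cases show where isolation is enforced: a tagged packet on an unbound ingress port, an untagged packet routed toward a bound egress port, and an untagged packet on a bound ingress port.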
Referring to fig. 5, an embodiment of the present application further provides a message transmission apparatus 500, where the message transmission apparatus 500 may implement a function of the first CPE in the embodiment shown in fig. 3, or implement a function of the first PE device in the embodiment shown in fig. 4. The message transmission apparatus 500 includes a receiving unit 501, a processing unit 502, and a sending unit 503. The receiving unit 501 is configured to implement S301 and S302 in the embodiment shown in fig. 3, or implement S401 in the embodiment shown in fig. 4, and receive a first data packet sent by a first CPE; the processing unit 502 is configured to implement S303 in the embodiment shown in fig. 3, or to implement S403 in the embodiment shown in fig. 4; the sending unit 503 is configured to implement S304 in the embodiment shown in fig. 3, or to implement S404 in the embodiment shown in fig. 4.
Specifically, the receiving unit 501 is configured to receive a first data packet.
A processing unit 502, configured to update the first data packet to obtain a second data packet, where the second data packet includes a global identifier.
A sending unit 503, configured to send the second data packet to a second network device, where the global identifier is used for the second network device to check the second data packet according to a corresponding relationship, and the corresponding relationship is a corresponding relationship between the global identifier and a second output port of the second network device, where the second data packet is transmitted by the second network device.
For a specific execution process, please refer to the detailed description of the corresponding steps in the embodiments shown in fig. 3 or fig. 4, which is not repeated here.
Referring to fig. 6, an embodiment of the present application further provides a message transmission apparatus 600, where the message transmission apparatus 600 may implement the functions of the first PE device and the second PE device in the embodiment shown in fig. 3, or implement the function of the second PE device in the embodiment shown in fig. 4. The message transmission apparatus 600 includes a receiving unit 601, a processing unit 602, and a forwarding unit 603. The receiving unit 601 is configured to implement S301 in the embodiment shown in fig. 3 and receive the second data packet, or is configured to implement S401 in the embodiment shown in fig. 4 and receive the second data packet; the processing unit 602 is configured to implement S305 or S307 in the embodiment shown in fig. 3, or to implement S405 in the embodiment shown in fig. 4; the forwarding unit 603 is configured to implement S306 or S308 in the embodiment shown in fig. 3, or to implement S406 in the embodiment shown in fig. 4.
Specifically, the receiving unit 601 is configured to receive a second data packet from the first network device, where the second data packet includes a first global identifier.
A processing unit 602, configured to determine, according to a correspondence between an egress port that sends the second data packet and a second global identifier, the second global identifier corresponding to the egress port.
A forwarding unit 603, configured to forward the second data packet through the egress port in response to the first global identifier matching the second global identifier.
For a specific execution process, please refer to the detailed description of the corresponding steps in the embodiments shown in fig. 3 or fig. 4, which is not repeated here.
It should be noted that the division of the unit in the embodiment of the present application is schematic, and is only a logic function division, and there may be another division manner in actual implementation. Each functional unit in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. For example, in the above embodiments, the acquiring unit and the processing unit may be the same unit or different units. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
Fig. 7 is a schematic structural diagram of an apparatus 700 according to an embodiment of the present disclosure. The message transmission apparatus 500 or the message transmission apparatus 600 in the above may be implemented by the device shown in fig. 7. Referring to fig. 7, the device 700 comprises at least one processor 701, a communication bus 702 and at least one network interface 704, optionally the device 700 may further comprise a memory 703.
The processor 701 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP. In one implementation, the processor 701 may also be a Traffic Management (TM) chip or hardware integrating NP and TM chips, and the TM chip or the hardware integrating NP and TM chips may execute the method for scheduling queues in the TM chip according to the embodiment of the present disclosure. The processor 701 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof. The processor may be configured to update or check the data packet, so as to implement the packet transmission method provided in the embodiment of the present application.
For example, when the first CPE in fig. 3 or the first PE device in fig. 4 is implemented by the device shown in fig. 7, the processor may be configured to: receiving a first data message; updating the first data message to obtain a second data message, wherein the second data message comprises a global identifier; and sending the second data message to a second network device, wherein the global identifier is used for the second network device to check the second data message according to a corresponding relationship, and the corresponding relationship is the corresponding relationship between the global identifier and an output port of the second network device for transmitting the second data message. When any one of the first PE device in fig. 3, the second PE device in fig. 3, and the second PE device in fig. 4 is implemented by the device shown in fig. 7, the processor may be configured to: receiving a second data message from a first network device, wherein the second data message comprises a first global identifier; determining a second global identifier corresponding to the output port according to the corresponding relation between the output port for sending the second data message and the second global identifier; and responding to the matching of the first global identification and the second global identification, and forwarding the second data message according to the output port.
The communication bus 702 is used to transfer information between the processor 701, the network interface 704, and the memory 703. The bus system 702 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus system 702 may be divided into an address bus, a data bus, a control bus, etc., which are indicated in fig. 7 by only one thick line, but which do not indicate that there is only one bus or one type of bus.
The memory 703 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that may store static information and instructions. The memory 703 may also be a random access memory (RAM) or other type of dynamic storage device that may store information and instructions, a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 703 may be separate and coupled to the processor 701 by the communication bus 702. The memory 703 may also be integrated with the processor 701.
Optionally, the memory 703 is used for storing program codes or instructions for executing the present application, and is controlled by the processor 701 to execute. The processor 701 is used to execute program code or instructions stored in the memory 703. One or more software modules may be included in the program code. Alternatively, the processor 701 may also store program code or instructions for performing aspects of the present application, in which case the processor 701 need not read the program code or instructions into the memory 703.
The network interface 704 may be a transceiver or the like for communicating with other devices or a communication network, such as an ethernet, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), or the like. In this embodiment, the network interface 704 may be configured to receive messages sent by other nodes in the segment routing network, and may also send messages to other nodes in the segment routing network. The network interface 704 may be an ethernet (ethernet) interface, a Fast Ethernet (FE) interface, or a Gigabit Ethernet (GE) interface.
In particular implementations, device 700 may include multiple processors, such as processor 701 and processor 407 shown in FIG. 7, for one embodiment. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
Fig. 8 is a schematic structural diagram of an apparatus 800 according to an embodiment of the present disclosure. Any one or more of the first CPE, the first PE device, the second PE device, and the second CPE in fig. 3 or fig. 4 may be implemented by the device shown in fig. 8.
Referring to the device architecture diagram shown in fig. 8, a device 800 includes a main control board and one or more interface boards. The main control board is in communication connection with the interface board. The main control board, also referred to as a Main Processing Unit (MPU) or a route processor card (route processor card), includes a CPU and a memory, and is responsible for controlling and managing various components in the device 800, including routing computation, device management, and maintenance functions. An interface board is also called a Line Processing Unit (LPU) or a line card (line card) and is used for receiving and transmitting messages. In some embodiments, the master control board communicates with the interface board or the interface board communicates with the interface board through a bus. In some embodiments, the interface boards communicate with each other through a switch board, in which case the device 800 also includes a switch board, the switch board is communicatively connected to the main control board and the interface boards, the switch board is used for forwarding data between the interface boards, and the switch board may also be referred to as a Switch Fabric Unit (SFU). The interface board includes a CPU, memory, a forwarding engine, and Interface Cards (ICs), which may include one or more network interfaces. The network interface can be an Ethernet interface, an FE interface or a GE interface. The CPU is in communication connection with the memory, the forwarding engine and the interface card respectively. The memory is used for storing a forwarding table. 
The forwarding engine is configured to forward the received packet based on a forwarding table stored in the memory. If the destination address of the received packet is an IP address of the device 800, the packet is sent to the CPU of the main control board or the interface board for processing; if the destination address of the received packet is not an IP address of the device 800, the forwarding table is searched according to the destination address, and if the next hop and the outbound interface corresponding to the destination address are found in the forwarding table, the packet is forwarded to the outbound interface corresponding to the destination address. The forwarding engine may be a Network Processor (NP). The interface card, also called a daughter card, can be installed on an interface board and is responsible for converting photoelectric signals into data frames, performing a validity check on the data frames, and then forwarding them to the forwarding engine or the interface board CPU for processing. In some embodiments, the CPU may also perform the functions of a forwarding engine, such as implementing soft forwarding based on a general purpose CPU, so that no forwarding engine is needed in the interface board. In some embodiments, the forwarding engine may be implemented by an ASIC or a Field Programmable Gate Array (FPGA). In some embodiments, the memory storing the forwarding table may also be integrated into the forwarding engine as part of the forwarding engine.
An embodiment of the present application further provides a chip system, including: a processor coupled to a memory, the memory being configured to store a program or instructions, which when executed by the processor, cause the system-on-chip to implement the message transmission method provided in the embodiment shown in fig. 3 or fig. 4.
Optionally, the number of processors in the system on chip may be one or more. The processor may be implemented by hardware or by software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory. Optionally, the number of memories in the system on chip may also be one or more. The memory may be integrated with the processor or may be separate from the processor, which is not limited in this application. For example, the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated with the processor on the same chip or separately disposed on different chips; the type of the memory and the arrangement of the memory and the processor are not particularly limited in this application.
The system on chip may be, for example, an FPGA, an ASIC, a system on chip (SoC), a CPU, an NP, a digital signal processing circuit (DSP), a Micro Controller Unit (MCU), a Programmable Logic Device (PLD) or other integrated chips.
It will be appreciated that the steps of the above described method embodiments may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor.
An embodiment of the present application further provides a computer-readable storage medium, which includes instructions, and when the computer-readable storage medium runs on a computer, the computer is enabled to execute the message transmission method, provided in the foregoing method embodiment, executed by any one of the first CPE, the first PE device, the second PE device, and the second CPE.
The present application further provides a computer program product including instructions, which when run on a computer, causes the computer to execute the message transmission method executed by any one of the first CPE, the first PE device, the second PE device, and the second CPE, which is provided in the above method embodiments.
The terms "first," "second," "third," "fourth," and the like in the description and claims of this application and in the above-described drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one type of logical module division, and other division manners may be available in actual implementation, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be obtained according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, each module unit in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a hardware form, and can also be realized in a software module unit form.
The integrated unit, if implemented as a software module unit and sold or used as a separate product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the present application in essence, or the part contributing to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Those skilled in the art will recognize that, in one or more of the examples described above, the functionality described in this disclosure may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on, or transmitted as one or more instructions or code over, a computer-readable medium. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer.
The above-described embodiments are intended to explain the objects, aspects and advantages of the present invention in further detail, and it should be understood that the above-described embodiments are merely exemplary embodiments of the present invention.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (53)

1. A method for packet transmission, the method comprising:
a first network device receives a first data message;
the first network device updates the first data message to obtain a second data message, wherein the second data message comprises a global identifier;
the first network device sends the second data message to a second network device, the global identifier is used for the second network device to check the second data message according to a corresponding relationship, and the corresponding relationship is the corresponding relationship between the global identifier and an output port of the second network device for transmitting the second data message.
2. The method of claim 1, wherein the first network device is a provider edge (PE) device, and wherein before the first network device updates the first data packet, the method further comprises:
the PE device determines the global identifier corresponding to the input port according to a stored correspondence between the global identifier and the input port through which the PE device receives the first data message.
3. The method of claim 2, wherein sending, by the first network device, the second data message to a second network device comprises:
the first network device searches a public network routing table according to the destination address of the first data message and determines an output port matched with the destination address;
the first network device sends the second data message to the second network device through the output port matched with the destination address.
4. The method of claim 1, wherein the first network device is a Customer Premises Equipment (CPE), and wherein before the first network device updates the first data message, the method further comprises:
the CPE determines the global identifier corresponding to the output port through which the CPE sends the first data message, according to a stored correspondence between that output port and the global identifier.
5. The method of claim 1, wherein the first network device is a Customer Premises Equipment (CPE), and wherein before the first network device updates the first data message, the method further comprises:
the CPE determines the global identifier corresponding to the message characteristics according to a correspondence between the message characteristics of the first data message and the global identifier.
6. The method according to any of claims 1-5, wherein before the first network device updates the first data packet, the method further comprises:
the first network device receives the global identifier from a control device.
7. The method of claim 6, wherein the first network device is a CPE and the control device comprises a software defined wide area network (SD-WAN) controller.
8. The method according to any of claims 1-7, wherein the second data packet is an IPv6 packet, and the global identifier is carried in one or more of the following fields of a basic header of the IPv6 packet:
a flow label field and a destination address field.
9. The method according to any of claims 1-7, wherein the second data packet is an IPv6 packet, and the global identifier is carried in one or more of the following extension headers of the IPv6 packet:
a destination option header DOH and a hop-by-hop option header HBH.
10. The method according to any of claims 1-7, wherein the second data packet is an MPLS packet, and the global identifier is carried in one or more of the following fields of a basic header of the MPLS packet:
MPLS Label field and Entropy Label control Label field.
11. The method according to any of claims 1-10, wherein the global identifier comprises one or more of:
a slice identifier (SliceID), a virtual network identifier (VNID), and a preset identifier.
12. The method of any of claims 1-11, wherein the first network device and the second network device belong to an Overlay network system.
13. A method for packet transmission, the method comprising:
a second network device receives a second data message from a first network device, wherein the second data message comprises a first global identifier;
the second network device determines a second global identifier corresponding to the output port according to a corresponding relationship between the output port for sending the second data packet and the second global identifier;
and in response to the first global identifier being matched with the second global identifier, the second network device forwards the second data packet according to the output port.
14. The method of claim 13, wherein prior to the second network device determining the second global identification corresponding to the egress port, the method further comprises:
the second network device searches a public network routing table according to the destination address of the second data message and determines the output port matched with the destination address.
15. The method according to claim 13 or 14, characterized in that the method further comprises:
in response to the first global identifier not matching the second global identifier, the second network device discards the second data packet.
16. The method according to any one of claims 13 to 15, wherein before the second network device determines the second global identifier corresponding to the egress port according to a correspondence between the egress port that transmits the second data packet and the second global identifier, the method further comprises:
the second network device determines a third global identifier corresponding to the ingress port according to a corresponding relationship between the ingress port for receiving the second data packet and the third global identifier;
and in response to the first global identifier being matched with the third global identifier, the second network device determines the second global identifier corresponding to the egress port according to a correspondence between the egress port sending the second data packet and the second global identifier.
17. The method according to any of claims 13-16, wherein the first network device is a customer premises equipment (CPE), and the second network device is a provider edge (PE) device.
18. The method of any of claims 13-16, wherein the first network device and the second network device are both PE devices.
19. The method of any of claims 13-18, wherein the second network device forwarding the second data message according to the egress port comprises:
the second network device forwards the second data message to a third network device according to the output port, wherein the third network device is a CPE.
20. The method of any of claims 13-19, wherein prior to the second network device forwarding the second data message according to the egress port, the method further comprises:
the first network device receives the second global identifier from a control device.
21. The method according to any of claims 13-20, wherein the second data packet is an IPv6 packet, and wherein the first global identifier is carried in one or more of the following fields of a basic header of the IPv6 packet:
a flow label field and a destination address field.
22. The method according to any of claims 13-20, wherein the second data packet is an IPv6 packet, and wherein the first global identifier is carried in one or more of the following extension headers of the IPv6 packet:
a destination option header DOH and a hop-by-hop option header HBH.
23. The method according to any of claims 13-20, wherein the second data packet is an MPLS packet, and the first global identifier is carried in one or more of the following fields of a basic header of the MPLS packet:
MPLS Label field and Entropy Label control Label field.
24. The method according to any of claims 13-23, wherein the first global identifier comprises one or more of:
a slice identifier (SliceID), a virtual network identifier (VNID), and a preset identifier.
25. The method of any of claims 13-24, wherein the first network device and the second network device belong to an Overlay network system.
26. A message transmission apparatus, wherein the apparatus is applied to a first network device, and comprises:
the receiving unit receives the first data message;
the processing unit is configured to update the first data packet to obtain a second data packet, where the second data packet includes a global identifier, the global identifier is used by the second network device to check the second data packet according to a corresponding relationship, and the corresponding relationship is a corresponding relationship between the global identifier and an output port of the second network device for transmitting the second data packet;
and the forwarding unit is configured to forward the second data message to the second network device.
27. The apparatus of claim 26, wherein the first network device is a provider edge (PE) device;
the processing unit is further configured to determine the global identifier corresponding to the ingress port according to the stored correspondence between the ingress port, through which the PE device receives the first data packet, and the global identifier.
28. The apparatus of claim 27,
the processing unit is further configured to search a public network routing table according to the destination address of the first data packet, and determine an output port matched with the destination address;
the sending unit is configured to send the second data packet to the second network device through the egress port matched with the destination address.
29. The apparatus of claim 26, wherein the first network device is a Customer Premises Equipment (CPE);
the processing unit is further configured to determine, according to the stored correspondence between the output port of the first data packet sent by the CPE and the global identifier, the global identifier corresponding to the output port of the first data packet sent by the CPE.
30. The apparatus of claim 26, wherein the first network device is a Customer Premises Equipment (CPE);
the processing unit is further configured to determine the global identifier corresponding to the message feature according to a correspondence between the message feature of the first data message and the global identifier.
31. The apparatus of any one of claims 26-30,
the receiving unit is further configured to receive the global identifier from the control device.
32. The apparatus of claim 31, wherein the first network device is a CPE and wherein the control device comprises a software defined wide area network (SD-WAN) controller.
33. The apparatus of any of claims 26-32, wherein the second data packet is an IPv6 packet, and wherein the global identifier is carried in one or more of the following fields of a basic header of the IPv6 packet:
a flow label field and a destination address field.
34. The apparatus of any of claims 26-32, wherein the second data packet is an IPv6 packet, and wherein the global identifier is carried in one or more of the following extension headers of the IPv6 packet:
a destination option header DOH and a hop-by-hop option header HBH.
35. The apparatus according to any of claims 26-32, wherein the second data packet is an MPLS packet, and the global identifier is carried in one or more of the following fields of a basic header of the MPLS packet:
MPLS Label field and Entropy Label control Label field.
36. The apparatus according to any of claims 26-35, wherein the global identifier comprises one or more of:
a slice identifier (SliceID), a virtual network identifier (VNID), and a preset identifier.
37. The apparatus of any of claims 26-36, wherein the first network device and the second network device belong to an Overlay network system.
38. A message transmission apparatus, wherein the apparatus is applied to a second network device, and comprises:
a receiving unit, configured to receive a second data packet from a first network device, where the second data packet includes a first global identifier;
a processing unit, configured to determine, according to a correspondence between an egress port that forwards the second data packet and a second global identifier, the second global identifier corresponding to the egress port;
and the forwarding unit is configured to forward the second data message according to the output port in response to the first global identifier matching the second global identifier.
39. The apparatus of claim 38,
the processing unit is further configured to search a public network routing table according to the destination address of the second data packet, and determine the egress port matched with the destination address.
40. The apparatus of claim 38 or 39,
the processing unit is further configured to discard the second data packet in response to a mismatch between the first global identifier and the second global identifier.
41. The apparatus of any one of claims 38-40,
the processing unit is configured to determine, according to a correspondence between an ingress port that receives the second data packet and a third global identifier, the third global identifier corresponding to the ingress port;
and the forwarding unit is configured to determine, in response to matching between the first global identifier and the third global identifier, the second global identifier corresponding to the egress port according to a correspondence between an egress port that forwards the second data packet and the second global identifier.
42. The apparatus according to any of claims 38-41, wherein the first network device is a Customer Premises Equipment (CPE) and the second network device is a Provider Edge (PE) device.
43. The apparatus of any one of claims 38-41, wherein the first network device and the second network device are both PE devices.
44. The apparatus of any one of claims 38-43,
the forwarding unit is configured to forward the second data packet to a third network device according to the egress port, where the third network device is a CPE.
45. The apparatus of any one of claims 38-44,
the receiving unit is further configured to receive the second global identifier from the control device.
46. The apparatus of any of claims 38-45, wherein the second data packet is an IPv6 packet, and wherein the first global identifier is carried in one or more of the following fields of a basic header of the IPv6 packet:
a flow label field and a destination address field.
47. The apparatus of any of claims 38-45, wherein the second data packet is an IPv6 packet, and wherein the first global identifier is carried in one or more of the following extension headers of the IPv6 packet:
a destination option header DOH and a hop-by-hop option header HBH.
48. The apparatus according to any of claims 38-45, wherein the second data packet is an MPLS packet, and the first global identifier is carried in one or more of the following fields of a basic header of the MPLS packet:
MPLS Label field and Entropy Label control Label field.
49. The apparatus according to any of claims 38-48, wherein the first global identifier comprises one or more of:
a slice identifier (SliceID), a virtual network identifier (VNID), and a preset identifier.
50. The apparatus of any of claims 38-49, wherein the first network device and the second network device belong to an Overlay network system.
51. A network device comprising a processor chip and a memory for storing instructions or program code, the processor chip being configured to retrieve from the memory and execute the instructions or program code to perform the messaging method of any of claims 1-12.
52. A network device, characterized in that it comprises a processor chip and a memory for storing instructions or program code, the processor chip being adapted to recall from the memory and to execute said instructions or program code in order to carry out the messaging method according to any one of claims 13 to 25.
53. A computer-readable storage medium comprising instructions, programs, or code which, when executed on a computer, cause the computer to perform the message transmission method according to any one of claims 1-25.
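
The receive-side check recited in claims 13-16, with the identifier carried in the IPv6 flow label as in claim 21, sketched in Python as an added example (not code from the patent or from any device implementation). Port names, identifier values, prefixes and function names are constructed assumptions, and the ingress-port check of claim 16 is always applied here.

```python
import ipaddress
import struct

# Constructed state for the second network device (a PE); every value is an assumption.
INGRESS_ID = {"ge0/0/1": 100, "ge0/0/2": 200}  # ingress port -> third global identifier
EGRESS_ID = {"ge0/0/3": 100, "ge0/0/4": 200}   # egress port  -> second global identifier
ROUTES = [  # public network routing table: (prefix, egress port)
    (ipaddress.ip_network("2001:db8:a::/48"), "ge0/0/3"),
    (ipaddress.ip_network("2001:db8:b::/48"), "ge0/0/4"),
]

def build_ipv6(src, dst, global_id):
    """First device: write the global identifier into the 20-bit flow label."""
    if not 0 <= global_id < (1 << 20):
        raise ValueError("global identifier must fit the 20-bit flow label")
    vtf = (6 << 28) | global_id  # version 6, traffic class 0, flow label
    # payload length 0, next header 59 (No Next Header), hop limit 64
    return struct.pack("!IHBB16s16s", vtf, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

def parse_ipv6(packet):
    """Return (first global identifier, destination address) from the base header."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    (vtf,) = struct.unpack("!I", packet[:4])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    return vtf & 0xFFFFF, ipaddress.IPv6Address(packet[24:40])

def lookup_egress(dst):
    """Longest-prefix match in the public network routing table (claim 14)."""
    matches = [(net.prefixlen, port) for net, port in ROUTES if dst in net]
    return max(matches)[1] if matches else None

def check_and_forward(packet, ingress_port):
    """Second device: return ("forward", egress port) or ("drop", reason)."""
    try:
        first_id, dst = parse_ipv6(packet)
    except ValueError as exc:
        return ("drop", str(exc))
    # Claim 16: the identifier bound to the receiving port must match first.
    if INGRESS_ID.get(ingress_port) != first_id:
        return ("drop", "ingress identifier mismatch")
    egress = lookup_egress(dst)
    if egress is None:
        return ("drop", "no route")
    # Claims 13 and 15: forward only if the egress port's identifier matches.
    if EGRESS_ID.get(egress) != first_id:
        return ("drop", "egress identifier mismatch")
    return ("forward", egress)

if __name__ == "__main__":
    ok = build_ipv6("2001:db8:1::1", "2001:db8:a::5", 100)
    cross = build_ipv6("2001:db8:1::1", "2001:db8:b::5", 100)
    print(check_and_forward(ok, "ge0/0/1"))
    print(check_and_forward(cross, "ge0/0/1"))
```

The second packet has a valid route but targets a prefix whose egress port is bound to a different identifier, which is the case the egress-port check exists to drop.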
CN202110553974.2A 2021-03-02 2021-05-20 Message transmission method and device Pending CN115086105A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/CN2022/077226 WO2022183927A1 (en) 2021-03-02 2022-02-22 Packet transmission method and apparatus
EP22762393.1A EP4290812A1 (en) 2021-03-02 2022-02-22 Packet transmission method and apparatus
US18/459,163 US20230421499A1 (en) 2021-03-02 2023-08-31 Packet transmission method and apparatus

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2021102296611 2021-03-02
CN202110229661 2021-03-02

Publications (1)

Publication Number Publication Date
CN115086105A true CN115086105A (en) 2022-09-20

Family

ID=83246276

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110553974.2A Pending CN115086105A (en) 2021-03-02 2021-05-20 Message transmission method and device

Country Status (1)

Country Link
CN (1) CN115086105A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination