CN116319539A - Message processing method, device, equipment and readable storage medium - Google Patents


Info

Publication number
CN116319539A
Authority
CN
China
Prior art keywords
message
slave
communication connection
bgp
neighbor
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211708823.0A
Other languages
Chinese (zh)
Inventor
朱绪全
包婉宁
张思绮
张进
江逸茗
马海龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Network Communication and Security Zijinshan Laboratory
Original Assignee
Information Engineering University of PLA Strategic Support Force
Network Communication and Security Zijinshan Laboratory
Application filed by Information Engineering University of PLA Strategic Support Force and Network Communication and Security Zijinshan Laboratory
Priority to CN202211708823.0A
Publication of CN116319539A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/30 Routing of multiclass traffic
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H04L67/143 Termination or inactivation of sessions, e.g. event-controlled end of session
    • H04L67/145 Termination or inactivation of sessions, e.g. event-controlled end of session avoiding end of session, e.g. keep-alive, heartbeats, resumption message or wake-up for inactive or interrupted session
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Cardiology (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a message processing method, device, equipment and readable storage medium in the technical field of network communication. In the method, a BGP proxy is deployed in a network device. When a neighbor device has an established communication connection with the master executor of the current network device and the key of that neighbor device is recorded locally, the BGP proxy calculates the check data of a message sent by the neighbor device that carries a check option, and then, based on the check data, sends the message to at least one slave executor that has a communication connection with the BGP proxy. In this scheme the BGP proxy emulates the neighbor device when forwarding messages to each slave executor, so that the messages carried over each route can be managed conveniently even when the route connections are many and complex, which reduces the probability of problems such as message transmission errors and inconsistent data. The message processing device, equipment and readable storage medium have the same technical effect.

Description

Message processing method, device, equipment and readable storage medium
Technical Field
The present invention relates to the field of network communication technologies, and in particular to a message processing method, device, equipment and readable storage medium.
Background
With the continuous development of Internet communication technology, communication applications have reached an unprecedented scale. Routing is the brain of information exchange between network devices: a routing protocol is the protocol used for path selection, and packet forwarding is achieved through routes. When the route connections are complex, the messages carried over each route are hard to manage, and problems such as message transmission errors and inconsistent data can occur.
Therefore, how to solve message transmission errors and data inconsistencies across different routes is a problem that those skilled in the art need to solve.
Disclosure of Invention
In view of the foregoing, an object of the present application is to provide a message processing method, device, equipment and readable storage medium that solve the problem of message transmission errors and data inconsistencies across different routes. The specific scheme is as follows:
In a first aspect, the present application provides a message processing method, applied to a BGP proxy in a network device, including:
receiving a first message sent by a neighbor device of the network device;
if the first message carries a check option, a communication connection has been established between the neighbor device and a master executor in the network device, and a first key of the neighbor device is recorded locally, calculating first check data of the first message;
and sending the first message, based on the first check data, to at least one slave executor that has a communication connection with the BGP proxy, so that the at least one slave executor processes the first message.
Optionally, calculating the first check data of the first message includes:
constructing a pseudo header based on the source IP address, destination IP address, protocol number and TCP length of the first message;
acquiring the first key from locally preset configuration information;
determining the TCP header fields and the message payload of the first message;
and processing the pseudo header, the first key, the TCP header fields and the message payload with the MD5 algorithm, and taking the resulting MD5 value as the first check data.
Optionally, establishing the communication connection between the neighbor device and the master executor and the communication connection between the BGP proxy and the at least one slave executor includes:
receiving a link establishment message sent by the neighbor device;
and storing the link establishment message, constructing the communication connection between the neighbor device and the master executor based on the link establishment message, and then constructing the communication connection between the BGP proxy and the at least one slave executor based on the link establishment message.
Optionally, disconnecting the neighbor device from the master executor and the BGP proxy from the at least one slave executor includes:
receiving a link teardown message sent by the neighbor device;
and storing the link teardown message, disconnecting the communication connection between the neighbor device and the master executor based on the link teardown message, and then disconnecting the communication connection between the BGP proxy and the at least one slave executor based on the link teardown message.
Optionally, sending the first message, based on the first check data, to at least one slave executor that has a communication connection with the BGP proxy includes:
checking the check option using the first check data;
if the check option passes the check, modifying some TCP header fields of the first message to obtain a first forwarded message, calculating forwarding check data of the first forwarded message, encapsulating the forwarding check data into the first forwarded message, and then sending the first forwarded message carrying the forwarding check data to the at least one slave executor;
and if the check option fails the check, modifying some TCP header fields of the first message to obtain a second forwarded message, encapsulating the original check option into the second forwarded message, and then sending the second forwarded message carrying the check option to the at least one slave executor.
Optionally, the method further includes:
receiving a second message sent by any slave executor among the at least one slave executor;
calculating second check data of the second message;
if the check option in the second message passes the check using the second check data, reading and processing the second message; otherwise, disconnecting the communication connection with that slave executor.
Optionally, the method further includes:
receiving and storing a third message sent by the master executor;
if the third message is a link establishment message and a communication connection already exists between the neighbor device and the master executor, retaining, based on the third message, the communication connection initiated by the party with the larger router ID and deleting the other communication connection;
and if the third message is a link teardown message, disconnecting the communication connection between the neighbor device and the master executor based on the third message, and disconnecting the communication connection between the BGP proxy and the at least one slave executor based on the third message.
In a second aspect, the present application provides a message processing device, applied to a BGP proxy in a network device, including:
a receiving module, configured to receive a first message sent by a neighbor device of the network device;
a calculation module, configured to calculate first check data of the first message if the first message carries a check option, a communication connection has been established between the neighbor device and a master executor in the network device, and a first key of the neighbor device is recorded locally;
and a processing module, configured to send the first message, based on the first check data, to at least one slave executor that has a communication connection with the BGP proxy, so that the at least one slave executor processes the first message.
In a third aspect, the present application provides an electronic device, including:
a memory for storing a computer program;
and a processor for executing the computer program to implement the message processing method disclosed above.
In a fourth aspect, the present application provides an electronic device including a BGP proxy, a master executor and at least one slave executor, where the BGP proxy is configured to implement the message processing method disclosed above.
In a fifth aspect, the present application provides a readable storage medium for storing a computer program which, when executed by a processor, implements the message processing method disclosed above.
As can be seen from the above solutions, the present application provides a message processing method applied to a BGP proxy in a network device, including: receiving a first message sent by a neighbor device of the network device; if the first message carries a check option, a communication connection has been established between the neighbor device and a master executor in the network device, and a first key of the neighbor device is recorded locally, calculating first check data of the first message; and sending the first message, based on the first check data, to at least one slave executor that has a communication connection with the BGP proxy, so that the at least one slave executor processes the first message.
Thus, in the present application a BGP proxy is deployed in a network device. For a first message sent by a neighbor device that carries a check option, where the neighbor device already has a communication connection with a master executor in the current network device and the key of the neighbor device is recorded locally, the BGP proxy calculates the corresponding first check data and then, based on it, sends the first message to at least one slave executor that has a communication connection with the BGP proxy, so that the slave executor processes the first message. In this scheme the BGP proxy emulates the neighbor device when forwarding messages to each slave executor and performs route management on the messages the neighbor device sends to the current network device, so that those messages are processed smoothly by the corresponding slave executor. Even when the route connections are complex, the messages carried over each route can be managed conveniently, and the probability of problems such as message transmission errors and inconsistent data is reduced.
Correspondingly, the message processing device, equipment and readable storage medium have the same technical effect.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the provided drawings without inventive effort to a person skilled in the art.
FIG. 1 is a flow chart of a message processing method disclosed in the present application;
FIG. 2 is a schematic diagram of an information recording disclosed in the present application;
FIG. 3 is a schematic diagram of an MD5 value calculation process disclosed herein;
FIG. 4 is a flow chart of another message processing method disclosed in the present application;
FIG. 5 is a flow chart of another message processing method disclosed in the present application;
FIG. 6 is a flow chart of another message processing method disclosed in the present application;
FIG. 7 is a schematic diagram of a data flow process and direction disclosed in the present application;
FIG. 8 is a schematic diagram of a network device disclosed in the present application;
FIG. 9 is a schematic diagram of a message processing apparatus disclosed in the present application;
FIG. 10 is a schematic diagram of an electronic device disclosed in the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
At present, when the route connections are many and complex, the messages carried over each route are hard to manage, and problems such as message transmission errors and inconsistent data can occur. The present application therefore provides a message processing scheme in which the BGP proxy in a network device emulates the neighbor device when forwarding messages to each slave executor, so that the messages the neighbor device sends to the current network device are subject to route management; even when the route connections are many and complex, the messages carried over each route can be managed conveniently, and the probability of problems such as message transmission errors and inconsistent data is reduced.
Referring to FIG. 1, an embodiment of the present application discloses a message processing method applied to a BGP (Border Gateway Protocol) proxy in a network device, including:
S101, receiving a first message sent by a neighbor device of the network device.
In this embodiment, the current network device may be a switch, a router or a similar device, and its neighbor devices are the devices that have a topological connection with it; a neighbor device may therefore be a switch, router, server, terminal, etc.
S102, if the first message carries a check option, a communication connection has been established between the neighbor device and a master executor in the network device, and a first key of the neighbor device is recorded locally, calculating first check data of the first message.
In this embodiment, if the first message sent by the neighbor device carries a check option, the neighbor device has established a communication connection with a master executor in the network device, and the network device locally records the first key of the neighbor device, the BGP proxy concludes that a check step must be performed on the first message and calculates its first check data. Referring to FIG. 4: if the first message carries a check option but the neighbor device has not established a communication connection with a master executor in the network device, or the first key of the neighbor device is not recorded locally, no message check is performed. Correspondingly, if a message comes from a slave executor and the key of the neighbor device related to that message is recorded locally, the message is checked and then processed normally; otherwise the communication connection between the related neighbor device and the master executor is disconnected, and the communication connection between that slave executor and the BGP proxy is disconnected. If a message received by the BGP proxy carries no MD5 check option, no check is needed and the message is processed according to the established rules.
In general, the neighbor device may also send handshake or heartbeat messages that do not carry the check option to the network device; this embodiment refers to a message that carries no specific network data (such as image data) as a notification-class message. For example, the BGP OPEN and KEEPALIVE messages belong to the notification class: a communication connection between BGP peers is established through the OPEN message, and the KEEPALIVE message confirms the status of two parties that have already established a connection, similar to heartbeat detection. Accordingly, a message that does not belong to the notification class is a message, such as the first message, that is sent by the communication initiator and carries specific network data.
The check data of a message can be calculated with an algorithm such as MD5 (Message-Digest Algorithm 5), and the fields processed by the algorithm can be defined as needed. For example, the MD5 algorithm processes a custom field, the first key of the neighbor device, the TCP (Transmission Control Protocol) header fields of the original message and the payload of the original message, and the resulting MD5 value is used as the check data of the original message. Thus, in one embodiment, calculating the first check data of the first message includes: constructing a pseudo header based on the source IP address, destination IP address, protocol number and TCP length of the first message; acquiring the first key from locally preset configuration information; determining the TCP header fields and the payload of the first message; and processing the pseudo header, the first key, the TCP header fields and the payload with the MD5 algorithm, taking the resulting MD5 value as the first check data. In the pseudo header, the protocol number and the TCP length occupy two bytes each, and the protocol number is represented by two bytes of all-zero data. The TCP length in the pseudo header is the length of the first message excluding the IP header, so it is obtained by subtracting the IP header length of the first message from its total length.
In one example, the BGP proxy may invoke a preset MD5 module to calculate the first check data of the first message.
S103, sending the first message, based on the first check data, to at least one slave executor that has a communication connection with the BGP proxy, so that the at least one slave executor processes the first message.
In one embodiment, sending the first message, based on the first check data, to at least one slave executor that has a communication connection with the BGP proxy includes: checking the check option using the first check data; if the check option passes the check, modifying some TCP header fields of the first message to obtain a first forwarded message, calculating forwarding check data of the first forwarded message, encapsulating the forwarding check data into the first forwarded message, and then sending the first forwarded message carrying the forwarding check data to the at least one slave executor; and if the check option fails the check, modifying some TCP header fields of the first message to obtain a second forwarded message, encapsulating the original check option into the second forwarded message, and then sending the second forwarded message carrying the check option to the at least one slave executor. To check the check option in the first message, the BGP proxy calculates the first check data in the same manner as in step S102 and compares it with the check option carried in the first message; if they are identical, the check option passes the check, otherwise it fails.
Since the BGP proxy must forward many messages sent by the same neighbor device, and in order to avoid forwarding errors, the BGP proxy does not forward according to the seq field of each message but according to the order in which the messages arrive. It therefore rewrites fields such as seq in the original message into values that indicate the arrival order of the messages, and also rewrites fields such as the source/destination MAC address, TCP port number, ack and tsecr. Because the BGP proxy modifies the first message to obtain the forwarded message, it must also recalculate the check value of the forwarded message. When the check option in the first message fails the check, the BGP proxy deliberately leaves the check option unchanged, so that check data that was wrong in the first message is not turned into correct check data, which would deceive the slave executor.
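The S102/S103 path above, as an added example that is not part of the patent or of any implementation by its assignees: it parses a constructed IPv4/TCP datagram, verifies the TCP MD5 signature option against the neighbor's key, rewrites the seq field to an arrival-order counter and the destination port for the slave executor, and re-signs the segment only when the original check passed. The option kind (19), the digest input order (pseudo header, TCP header with the checksum zeroed, payload, key) and the pseudo-header layout (zero byte, protocol 6, TCP length) follow RFC 2385 and are assumptions here; the page lists the inputs but not their byte order, and describes the protocol field as two zero bytes.

```python
import hashlib
import hmac
import struct

IPPROTO_TCP = 6
TCP_OPT_MD5 = 19   # TCP MD5 Signature Option (RFC 2385): kind 19, length 18, 16-byte digest


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Split a raw IPv4/TCP datagram into the pieces the digest needs."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return {
        "src_ip": pkt[12:16], "dst_ip": pkt[16:20],
        "tcp_len": total_len - ihl,      # page: total length minus IP header length
        "tcp_hdr": bytes(tcp[:20]),      # fixed header only; options are excluded from the digest
        "options": bytes(tcp[20:data_off]),
        "payload": bytes(tcp[data_off:]),
    }


def md5_option_span(options: bytes):
    """Locate the 16-byte digest inside option kind 19; return (start, end) or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                     # end of option list
            return None
        if kind == 1:                     # NOP padding
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                   # malformed option list: treat as "no option"
        length = options[i + 1]
        if kind == TCP_OPT_MD5 and length == 18:
            return i + 2, i + 18
        i += length
    return None


def md5_signature(f: dict, key: bytes) -> bytes:
    """MD5 over pseudo header, TCP header (checksum zeroed), payload and key (RFC 2385 order, assumed)."""
    pseudo = f["src_ip"] + f["dst_ip"] + struct.pack("!BBH", 0, IPPROTO_TCP, f["tcp_len"])
    hdr = bytearray(f["tcp_hdr"])
    hdr[16:18] = b"\x00\x00"              # the TCP checksum is not covered by the digest
    return hashlib.md5(pseudo + bytes(hdr) + f["payload"] + key).digest()


def proxy_forward(pkt: bytes, neighbor_key: bytes, arrival_seq: int, slave_port: int):
    """Verify, rewrite and (only on success) re-sign; returns (verdict, forwarded TCP segment)."""
    f = parse_ipv4_tcp(pkt)
    span = md5_option_span(f["options"])
    if span is None:                      # no check option: no check, forward per established rules
        return "no-check", f["tcp_hdr"] + f["options"] + f["payload"]
    carried = f["options"][span[0]:span[1]]
    passed = hmac.compare_digest(md5_signature(f, neighbor_key), carried)
    # Rewrite: seq becomes the proxy's arrival-order counter, dst port becomes the slave's port.
    # (The page also rewrites MAC addresses, ack and tsecr; those are omitted here.)
    hdr = bytearray(f["tcp_hdr"])
    struct.pack_into("!H", hdr, 2, slave_port)
    struct.pack_into("!I", hdr, 4, arrival_seq)
    fwd = dict(f, tcp_hdr=bytes(hdr))
    if passed:
        digest = md5_signature(fwd, neighbor_key)   # fresh digest over the modified segment
    else:
        digest = carried                            # never "repair" a digest that failed
    opts = f["options"][:span[0]] + digest + f["options"][span[1]:]
    return ("pass" if passed else "fail"), fwd["tcp_hdr"] + opts + fwd["payload"]


def build_sample(key: bytes, sign: bool = True) -> bytes:
    """Constructed IPv4/TCP datagram (not real traffic): 2 NOPs + MD5 option, 3-byte payload."""
    src, dst, payload = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"BGP"
    opts_len = 20
    tcp_len = 20 + opts_len + len(payload)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 179, 1000, 2000, (5 + opts_len // 4) << 4,
                          0x18, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0, 64, IPPROTO_TCP, 0, src, dst)
    f = {"src_ip": src, "dst_ip": dst, "tcp_len": tcp_len, "tcp_hdr": tcp_hdr,
         "options": b"", "payload": payload}
    digest = md5_signature(f, key) if sign else bytes(16)   # sign=False yields a bad option
    return ip_hdr + tcp_hdr + b"\x01\x01" + bytes([TCP_OPT_MD5, 18]) + digest + payload
```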
In one embodiment, if the first message belongs to the notification class (for example, it is an OPEN or KEEPALIVE message), the first message is stored and a communication connection between the BGP proxy and at least one slave executor is constructed based on it. If no communication connection has yet been established between the neighbor device and the master executor, the first message is stored and the communication connection between the neighbor device and the master executor is constructed based on it; in that case the first message may be a handshake message. Specifically, establishing the communication connection between the neighbor device and the master executor and between the BGP proxy and at least one slave executor includes: receiving a link establishment message sent by the neighbor device; storing the link establishment message; constructing the communication connection between the neighbor device and the master executor based on it; and then constructing the communication connection between the BGP proxy and at least one slave executor based on it. Likewise, disconnecting the communication connection between the neighbor device and the master executor and between the BGP proxy and at least one slave executor includes: receiving a link teardown message sent by the neighbor device; storing the link teardown message; disconnecting the communication connection between the neighbor device and the master executor based on it; and then disconnecting the communication connection between the BGP proxy and at least one slave executor based on it.
As shown in FIG. 5, when the neighbor device is confirmed to have sent a link establishment or link teardown message, the BGP proxy changes the communication connection relationship between the master executor and the neighbor device based on that message, and correspondingly changes the communication connection relationship between the relevant slave executors and the BGP proxy. For example, when the neighbor device is confirmed to have sent a link teardown message, the communication connection between the neighbor device and the master executor is deleted, and at the same time the connections between the BGP proxy and each slave executor that processes messages from that neighbor device are deleted. The connection between a slave executor and the BGP proxy therefore depends on the connection between the neighbor device and the master executor: it exists only while the latter exists, and removing the latter removes the former.
In one implementation, while the master executor has a communication connection with the neighbor device, the BGP proxy also receives a second message sent by any slave executor among the at least one slave executor, calculates second check data of the second message, and, if the check option in the second message passes the check using the second check data, reads and processes the second message; otherwise it disconnects the communication connection with that slave executor. The second check data is calculated, and the check is performed, in the same way as in step S102, so the description is not repeated. In this example the second message may be the response data returned by the slave executor after processing the first message.
In one implementation, the BGP proxy also receives and stores a third message sent by the master executor. If the third message is a link establishment message and a communication connection already exists between the neighbor device and the master executor, the communication connection initiated by the party with the larger router ID is retained based on the third message and the other communication connection is deleted. If the third message is a link teardown message, the communication connection between the neighbor device and the master executor is disconnected based on the third message, and then the communication connection between the BGP proxy and at least one slave executor is disconnected based on the third message.
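The connection lifecycle described in the four paragraphs above (link establishment and teardown from the neighbor, a slave whose second message fails its check, and the master-initiated third message with the larger-router-ID rule), as an added illustration that is not the patent's own code. Executor and neighbor identifiers, and the `initiator` bookkeeping, are constructed for the example.

```python
class BgpProxyConnections:
    """Connection bookkeeping for the BGP proxy: the neighbor<->master connection is the
    parent, and the slave<->proxy connections for that neighbor are created after it and
    removed together with it."""

    def __init__(self, slave_ids, local_router_id):
        self.slaves = list(slave_ids)            # slave executors currently online
        self.local_router_id = local_router_id   # router ID used by the master executor
        self.master_conns = {}   # neighbor_id -> {"initiator": "neighbor"|"master", "router_id": int}
        self.slave_conns = {}    # neighbor_id -> set of slave ids connected through the proxy
        self.stored = []         # link establishment / teardown messages the proxy stores

    def neighbor_open(self, neighbor_id, neighbor_router_id):
        """Link establishment message from the neighbor: master connection first, then slaves."""
        self.stored.append(("open", "neighbor", neighbor_id))
        self.master_conns[neighbor_id] = {"initiator": "neighbor", "router_id": neighbor_router_id}
        self.slave_conns[neighbor_id] = set(self.slaves)

    def neighbor_close(self, neighbor_id):
        """Link teardown message (from the neighbor or the master): tear down in the same order."""
        self.stored.append(("close", neighbor_id))
        self.master_conns.pop(neighbor_id, None)
        self.slave_conns.pop(neighbor_id, None)

    def slave_check_failed(self, neighbor_id, slave_id):
        """A second message from a slave failed its check: drop only that slave's connection."""
        self.slave_conns.get(neighbor_id, set()).discard(slave_id)

    def master_open(self, neighbor_id, neighbor_router_id):
        """Third message from the master. If a connection with this neighbor already exists,
        keep the one initiated by the party with the larger router ID and drop the other."""
        self.stored.append(("open", "master", neighbor_id))
        master_conn = {"initiator": "master", "router_id": self.local_router_id}
        if neighbor_id not in self.master_conns:
            self.master_conns[neighbor_id] = master_conn
            self.slave_conns[neighbor_id] = set(self.slaves)
            return "new"
        if self.local_router_id > neighbor_router_id:
            self.master_conns[neighbor_id] = master_conn   # master-initiated connection wins
            return "kept-master"
        return "kept-neighbor"                             # new master-initiated one is dropped
```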
It should be noted that the BGP proxy in the network device manages the connection state between the master executor and the neighbor device and the connection state between the master executor and the other slave executors, and processes the messages sent by the neighbor device, the master executor or the other slave executors according to the relevant connections, so that the messages carried over each route can be managed conveniently and the probability of problems such as message transmission errors and inconsistent data is reduced. The master executor and the other slave executors in the network device are software or hardware with different network protection functions; that is, different executors not only process messages but also have different protection capabilities, for example one slave executor has strong protection against botnet (zombie) malware and another has strong protection against route spoofing. This reduces the probability that different executors in the network device are compromised at the same time and achieves multi-party security protection. Moreover, the slave executors in the network device may be brought online at different times. For example, after the network device starts, 3 of its 6 slave executors are selected for use; if one or more of the online slave executors fail, the corresponding number of slave executors is selected from the remaining 3 unused ones and brought online as replacements, so that the network device always has 3 slave executors online.
According to this principle, multiple dynamic heterogeneous redundant executors are introduced into the mimic network device, and various uncertain changes can be handled by scheduling and using different executors. Given a differentiated design, the probability that different executors share identical vulnerabilities or backdoors is extremely low; even if an attacker controls some of the executors, the other executors can still recognise their malicious behaviour, so the ability of the mimic device to cope with network attacks is improved. The BGP proxy in the network device can process the various messages arriving at the current network device and achieves orderly and efficient message processing.
Thus, in the embodiment of the present application a BGP proxy is deployed in a network device. For a first message sent by a neighbor device that carries a check option, where the neighbor device already has a communication connection with a master executor in the current network device and the key of the neighbor device is recorded locally, the BGP proxy calculates the corresponding first check data and then, based on it, sends the first message to at least one slave executor that has a communication connection with the BGP proxy, so that the slave executor processes the first message. In this scheme the BGP proxy emulates the neighbor device when forwarding messages to each slave executor and performs route management on the messages the neighbor device sends to the current network device, so that those messages are processed smoothly by the corresponding slave executor. Even when the route connections are complex, the messages carried over each route can be managed conveniently, and the probability of problems such as message transmission errors and inconsistent data is reduced.
According to the embodiment, a BGP proxy end can be set in the network equipment, and a configuration management module, an executable scheduling module, an MD5 module, a link state management module and a message processing module are set in the BGP proxy end. The configuration management module is used for storing the secret keys of the neighbor devices and supporting the operations of adding, deleting, modifying and the like of the secret keys. The execution body scheduling module is used for managing the on-line state and the off-line state of the execution body. The MD5 module may sign or verify the message according to the key of the neighboring device. The link state management module is responsible for managing the TCP session state of the master executive and the neighbor devices and the connection state of the BGP proxy and each slave executive. The message processing module is responsible for forwarding and processing the message.
Referring to fig. 2, the configuration management module records the keys of the neighboring devices using a peer_password_dic data structure. For each neighbor device, a key value pair is formed by the IP address and the password (the secret key of the neighbor device), and the key value pair is stored as one piece of data. As shown in fig. 2, the configuration management module may record key value pairs corresponding to N neighbor devices.
Specifically, when the network device is initialized, the password of all neighbors of the current network device may be recorded and stored in the peer_password_dic structure. A sub-thread may then be created, with which to receive the password modification information of a certain neighbor, namely: when a key is configured for a certain neighbor or a key of a certain neighbor is deleted, the child thread captures the event and performs deletion or addition of the neighbor key according to the current operation.
The MD5 module carries out MD5 decryption processing on the received message according to the neighbor secret key; and carrying out MD5 encryption processing on the message sent outwards according to the neighbor secret key. And during encryption processing, the calculated MD5 value is used as one option of the TCP message to be inserted into the message.
Referring to fig. 3, the MD5 value calculation process includes:
1. Construct a TCP pseudo header from the input message. The pseudo header consists of some fields of the IP header of the input message, in the order: source IP address, destination IP address, protocol number and TCP length of the input message. The protocol number field is filled with zeros; both the TCP length and the protocol number fields occupy 2 bytes. The TCP length is the total length of the input message minus its IP header length.
2. Extract some fields of the TCP header of the input message, namely: source port, destination port, sequence number, acknowledgement number, TCP header length, flags, window size, checksum (set to zero) and urgent pointer. In other words, all fields of the TCP header other than the options.
3. Extract the TCP payload of the input message.
4. Determine the key of the neighbor device that sent the current input message.
The above 4 parts are fed in order into the MD5 algorithm to obtain the MD5 value.
Referring to fig. 4, for a message sent by a neighbor device, the MD5 module first determines whether a TCP link has been established between that neighbor device and the master executor. If the link has not been established, the current message may be a handshake or similar notification message; MD5 verification is skipped and left to the protocol stacks at both ends. If the link between the neighbor device and the master executor is established and the link between the slave executor and the BGP proxy is also established, the MD5 value is checked, the current message is modified to obtain a forwarding message, a new MD5 value is calculated by the process above and encapsulated into the forwarding message, and the forwarding message is sent to the slave executor. If verification fails, the MD5 option in the original message is deliberately left unmodified, so the slave executor receives an MD5 value that is unchanged but still fails verification, and the slave executor cannot be deceived. If verification succeeds, fields such as seq of the current message are modified to obtain the forwarding message, the MD5 value is regenerated and encapsulated in the options of the forwarding message, and the forwarding message is sent to the slave executor. For a TCP message sent by a slave executor, the MD5 module looks up the corresponding password in the peer_password_dic structure using the destination address of the TCP message, calculates the MD5 value by the steps above, and if the calculated value matches the MD5 value carried in the message, authentication passes and the authenticated message may be stored.
If the calculated MD5 value does not match the MD5 value in the TCP message, the link between the BGP proxy and that slave executor is disconnected. The MD5 module neither verifies nor modifies the MD5 value of messages sent by the master executor; it only extracts and stores the useful information from them.
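The four-part MD5 computation above, together with the verify-then-forward rule of fig. 4, as an added example that is not code from the patent. It assumes the RFC 2385 layout for the pseudo header (a zero byte, protocol number 6, then a 2-byte segment length), IPv4 addresses, and hypothetical function names; the sample segment, ports and key are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5_OPT_KIND = 19   # TCP MD5 Signature option (RFC 2385)
MD5_OPT_LEN = 18    # kind (1) + length (1) + 16-byte digest


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """Part 1: source IP, destination IP, zero-padded protocol number, TCP length.
    The RFC 2385 layout (zero byte, protocol 6, 2-byte length) is assumed."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def split_segment(segment: bytes):
    """Split a TCP segment into its fixed 20-byte header, options and payload."""
    data_offset = (segment[12] >> 4) * 4
    return segment[:20], segment[20:data_offset], segment[data_offset:]


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """Parts 1-4 in order: pseudo header, fixed TCP header with the checksum
    zeroed and the options excluded, TCP payload, then the neighbour's key."""
    fixed, _options, payload = split_segment(segment)
    header = bytearray(fixed)
    header[16:18] = b"\x00\x00"          # checksum is hashed as zero
    h = hashlib.md5()
    h.update(pseudo_header(src_ip, dst_ip, len(segment)))
    h.update(bytes(header))
    h.update(payload)
    h.update(key)
    return h.digest()


def find_md5_option(options: bytes):
    """Walk the TCP option list; return (offset, digest) of the MD5 option, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                    # end of option list
            return None
        if kind == 1:                    # NOP padding
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                  # truncated or malformed option
        length = options[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN and i + length <= len(options):
            return i, options[i + 2:i + length]
        i += length
    return None


def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload, key):
    """Constructed sample: a PSH/ACK segment carrying payload plus the MD5 option
    (two NOPs pad the 18-byte option to a 4-byte boundary)."""
    data_offset = (20 + 20) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                        data_offset << 4, 0x18, 65535, 0, 0)
    opt_prefix = bytes([1, 1, MD5_OPT_KIND, MD5_OPT_LEN])
    # The digest does not cover the options, so sign with a zeroed placeholder.
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + opt_prefix + b"\x00" * 16 + payload, key)
    return fixed + opt_prefix + digest + payload


def verify_segment(src_ip, dst_ip, segment, key) -> bool:
    """Recompute the digest and compare it with the carried option in constant time."""
    _fixed, options, _payload = split_segment(segment)
    found = find_md5_option(options)
    if found is None:
        return False
    return hmac.compare_digest(found[1], tcp_md5_digest(src_ip, dst_ip, segment, key))


def forward_to_slave(src_ip, dst_ip, segment, key, new_dst_port, new_seq, new_ack):
    """Proxy rule from the description: rewrite port/seq/ack for the slave executor;
    re-sign only if the incoming signature verified, otherwise leave the old option
    untouched so the stale digest fails again at the slave. Returns (verified, segment)."""
    fixed, options, payload = split_segment(segment)
    verified = verify_segment(src_ip, dst_ip, segment, key)
    header = bytearray(fixed)
    struct.pack_into("!H", header, 2, new_dst_port)
    struct.pack_into("!II", header, 4, new_seq, new_ack)
    rewritten = bytes(header) + options + payload
    if not verified:
        return False, rewritten
    offset, _old = find_md5_option(options)
    new_digest = tcp_md5_digest(src_ip, dst_ip, rewritten, key)
    new_options = options[:offset + 2] + new_digest + options[offset + MD5_OPT_LEN:]
    return True, bytes(header) + new_options + payload
```

The digest covers the fixed header but not the options, which is why the proxy can rewrite the sequence number and port and then re-sign, and why a message that failed verification can be forwarded with its old option intact: the slave executor recomputes over the rewritten header and the stale digest fails there as well. The key lookup by neighbor IP (the peer_password_dic entry) is left outside the block.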
The link state management module manages the TCP session state between the executors and the neighbor devices, initializes message buffer management, generates TCP connection information, and so on. Under the RFC standard, both the neighbor device and the master executor may initiate a TCP connection to the other, so 2 TCP links may exist between them simultaneously; according to the protocol rule, the link state management module closes the TCP link whose initiator has the smaller router ID and keeps the link whose initiator has the larger router ID. In the early stage of link establishment, the TCP connection information of both links is recorded in a port-list; after one of them is closed, its TCP connection information is deleted from the port-list. A tuple of actor-IP (IP address of the current network device) and peer-IP (IP address of the neighbor device) serves as the KEY, and a tuple of actor-port (port number of the current network device) and peer-port (port number of the neighbor device) serves as the value, which together form one TCP connection entry in the port-list.
The connection direction between different executors and neighbors may differ. For example, a connection initiated by the current network device to the neighbor device and a connection initiated by the neighbor device to the current network device have different source ports in their five-tuples, and the different initiation times also produce different states. Here the five-tuple comprises source IP, destination IP, source port, destination port and connection direction. A TCP connection message may further include the messages exchanged while the connection is being established, specifically the messages from the TCP SYN up to the BGP UPDATE.
It should be noted that the corresponding TCP connection information for the master executor and the neighbors, and for the master executor and each slave executor, can be found in the port-list. Connection establishment is triggered by a SYN message from the master executor or the neighbor, and the connection direction is determined by the direction in which the link between the master executor and the neighbor was established.
The processing of messages by the link state management module is shown in fig. 5 and fig. 6. Referring to fig. 5, because BGP uses port 179, the link state management module captures inbound TCP packets for port 179 on the interface facing the neighbor device using scapy. If the current TCP message is a link-establishment or link-teardown message, it is stored and later used to correlate the TCP link establishment or teardown of the slave executors with the link-establishment or link-teardown messages of the master executor, in order to determine the TCP connection state. If the current TCP message is a BGP OPEN or KEEPALIVE message, it is stored and used to construct the BGP OPEN and KEEPALIVE messages when the BGP proxy establishes its link to a slave executor. For other messages, the proxy checks whether link establishment with the slave executor has completed: if not, the BGP proxy does not process them and discards them directly; if so, they are distributed to the slave executors.
Referring to fig. 6, if the message comes from the master executor, the BGP proxy only concerns itself with TCP link-establishment or link-teardown messages and does not process other messages. The BGP proxy analyzes the TCP link-establishment or link-teardown messages sent by the master executor together with those sent by the neighbor to obtain the TCP connection state between the two. If link establishment succeeded, the BGP proxy determines from the TCP connection direction (the initiator) whether it needs to initiate a TCP connection to the slave executors; if the connection was closed, the BGP proxy must initiate a teardown to each slave executor that has already established a TCP connection, and delete the entry for the related connection information. Thus the proxy can also tear down and establish connections according to the link-teardown and link-establishment messages the master executor sends to the neighbor. If the message comes from a slave executor, the BGP proxy must check the connection state between the neighbor and the master executor: if that connection is established, the slave executor's message is stored and used to construct fields such as seq, ack and timestamp when the proxy subsequently exchanges messages with that slave executor; if the connection between the neighbor and the master executor is not established, the message from the slave executor is discarded.
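The port-list and the collision rule described above, together with the establishment and teardown handling of fig. 6, as an added example that is not the patent's own code. The class and method names, the direction labels "outbound" (master-initiated) and "inbound" (neighbor-initiated), and the router IDs and addresses used in the test are assumptions; the rule of keeping the connection opened by the speaker with the larger BGP Identifier is the one the description calls "larger router ID".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpConn:
    """One port-list entry: the page's KEY (actor-IP, peer-IP) and value
    (actor-port, peer-port), plus the connection direction from the five-tuple."""
    actor_ip: str
    peer_ip: str
    actor_port: int
    peer_port: int
    direction: str      # "outbound" = master initiated, "inbound" = neighbour initiated


class LinkStateManager:
    """Tracks neighbour<->master TCP sessions in a port-list and the proxy<->slave
    links that depend on them. Names are assumptions made for this example."""

    def __init__(self, local_router_id: int, online_slaves):
        self.local_router_id = local_router_id
        self.online_slaves = list(online_slaves)
        self.port_list = {}       # (actor_ip, peer_ip) -> [TcpConn, ...]
        self.slave_links = {}     # peer_ip -> set of slaves with a proxy link up

    def on_syn(self, actor_ip, peer_ip, actor_port, peer_port, direction):
        """Record a SYN seen from either side; two entries coexist during a collision."""
        conn = TcpConn(actor_ip, peer_ip, actor_port, peer_port, direction)
        self.port_list.setdefault((actor_ip, peer_ip), []).append(conn)
        return conn

    def resolve_collision(self, actor_ip, peer_ip, neighbor_router_id: int):
        """Keep only the link whose initiator has the larger router ID; the other
        link's entry is deleted from the port-list. Returns the surviving entries."""
        key = (actor_ip, peer_ip)
        conns = self.port_list.get(key, [])
        if len(conns) < 2:
            return list(conns)
        if self.local_router_id == neighbor_router_id:
            raise ValueError("router IDs must differ for the collision rule")
        keep = "outbound" if self.local_router_id > neighbor_router_id else "inbound"
        kept = [c for c in conns if c.direction == keep]
        self.port_list[key] = kept
        return kept

    def on_established(self, peer_ip):
        """Neighbour<->master link is up: the proxy builds a link to each online slave."""
        self.slave_links[peer_ip] = set(self.online_slaves)
        return sorted(self.slave_links[peer_ip])

    def on_close(self, actor_ip, peer_ip):
        """Neighbour<->master link torn down: tear down the slave links and drop
        the port-list entry. Returns the slaves whose links must be closed."""
        self.port_list.pop((actor_ip, peer_ip), None)
        return sorted(self.slave_links.pop(peer_ip, set()))

    def may_forward(self, peer_ip, slave) -> bool:
        """Gate for ordinary messages: forward only once the slave link is complete,
        otherwise the proxy discards them as the description states."""
        return slave in self.slave_links.get(peer_ip, set())
```

Keying the port-list by the address pair and holding a list of port tuples is what allows both colliding connections to be recorded before one of them is closed; a plain one-value dictionary keyed the same way could only hold the second SYN.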
Specifically, the message processing module copies messages and distributes them to each executor, receives the messages sent by each executor, and determines the source of a message from its MAC/IP address. If the message is determined to come from the neighbor, it may be a link-establishment or link-teardown message, in which case it is stored so that TCP link establishment or teardown can be performed towards the other executors, or combined with the link-establishment or link-teardown messages sent by the master executor to determine the connection state between the master executor and the neighbor. If the message is an OPEN or KEEPALIVE message, TCP link establishment or teardown towards the other executors is performed based on it. If the message is an ordinary message carrying data, it is copied and distributed to each executor; when distributing, the source and destination MAC addresses are modified, the TCP port numbers are modified according to the BGP connection information, and fields such as ack, tsecr and seq are modified according to the seq and tsval of the original message. The MD5 value is then recalculated and the option that carries the MD5 value in the message is updated. If the message is determined to come from the master executor, the connection state between the master executor and the neighbor is determined by combining the link-establishment or link-teardown messages sent by the neighbor with those sent by the master executor. If the message is determined to come from another executor, the corresponding message is stored and may be used to modify ack when distributing the messages the neighbor sends.
Referring to fig. 7, a message sent by a neighbor device enters the BGP proxy, which distributes it to 3 slave executors; after the 3 slave executors each process the message, they return response data to the BGP proxy, and the BGP proxy then replies with the relevant response data to the neighbor device. Specifically, two in/out storage queues may be set up, which store messages in the order they were sent rather than by their seq. The BGP proxy, the master executor and each slave executor each have a corresponding pair of in/out storage queues, and each queue only holds the messages currently being sent and received. Referring to fig. 8, a network device may include a BGP proxy, a master executor and slave executors.
In this embodiment, the BGP proxy is placed in the mimic device to handle messages between the external neighbors and each executor in the mimic device, so that each executor can communicate with the external neighbors. The BGP proxy supports the basic sending and receiving of BGP messages and can distribute messages sent by neighbors to each executor; authenticated BGP messages are handled through its encryption and authentication functions. The BGP proxy also supports the IPv4/IPv6 dual stack and can handle BGP4 and BGP4+ at the same time. It supports executors being rotated online; after any executor is brought online again, it can simulate link establishment between the neighbor and that executor and, via a configuration command, send a route update message asking the neighbor to resend its route updates.
Therefore, the BGP proxy can ensure the diversity of BGP route data and achieve route control; since BGP uses TCP (port 179) as its transport-layer protocol, the reliability of the protocol is improved; and executors with different defenses and different designs together achieve stronger and more comprehensive network security protection.
The following describes a message processing apparatus provided in the embodiments of the present application; the description of the apparatus below and the description of the message processing method above may be cross-referenced.
Referring to fig. 9, an embodiment of the present application discloses a message processing apparatus, applied to a BGP proxy in a network device, comprising:
a receiving module 901, configured to receive a first message sent by a neighbor device of the network device;
a calculating module 902, configured to calculate first check data of the first message if the first message carries a check option, a communication connection has been established between the neighbor device and a master executor in the network device, and a first key of the neighbor device is recorded locally; and
a processing module 903, configured to send the first message, based on the first check data, to at least one slave executor that has a communication connection with the BGP proxy, so that the at least one slave executor processes the first message.
In one embodiment, the calculating module is specifically configured to:
construct a pseudo header based on the source IP address, the destination IP address, the protocol number and the TCP length of the first message;
acquire the first key from locally preset configuration information;
determine a TCP header field and a message payload of the first message; and
process the pseudo header, the first key, the TCP header field and the message payload with an MD5 algorithm, taking the resulting MD5 value as the first check data.
In one embodiment, the communication connection establishment procedure includes: receiving a link-establishment message sent by the neighbor device; storing the link-establishment message; establishing the communication connection between the neighbor device and the master executor based on the link-establishment message; and then establishing the communication connection between the BGP proxy and the at least one slave executor based on the link-establishment message.
In one embodiment, the communication connection teardown procedure includes: receiving a link-teardown message sent by the neighbor device; storing the link-teardown message; disconnecting the communication connection between the neighbor device and the master executor based on the link-teardown message; and then disconnecting the communication connection between the BGP proxy and the at least one slave executor based on the link-teardown message.
In one embodiment, the processing module is specifically configured to:
check the check option using the first check data;
if the check option passes the check, modify part of the TCP header fields of the first message to obtain a first forwarding message, calculate forwarding check data of the first forwarding message, encapsulate the forwarding check data into the first forwarding message, and then send the first forwarding message carrying the forwarding check data to the at least one slave executor; and
if the check option fails the check, modify part of the TCP header fields of the first message to obtain a second forwarding message, encapsulate the check option into the second forwarding message, and then send the second forwarding message carrying the check option to the at least one slave executor.
In one specific embodiment, the apparatus further comprises:
another processing module, configured to receive a second message sent by any slave executor of the at least one slave executor; calculate second check data of the second message; and, if the check option in the second message passes the check using the second check data, read and process the second message, otherwise disconnect the communication connection with that slave executor.
In one specific embodiment, the apparatus further comprises:
a further processing module, configured to receive and store a third message sent by the master executor; if the third message is a link-establishment message and a communication connection already exists between the neighbor device and the master executor, keep the communication connection initiated by the party with the larger router ID based on the third message and delete the other communication connection; and if the third message is a link-teardown message, first disconnect the communication connection between the neighbor device and the master executor based on the third message, and then disconnect the communication connection between the BGP proxy and the at least one slave executor based on the third message.
For the more specific working process of each module and unit in this embodiment, reference may be made to the corresponding content disclosed in the foregoing embodiment, which is not repeated here.
Thus, this embodiment provides a message processing apparatus that can conveniently manage the messages carried by each route and reduce the probability of message transmission errors, inconsistent data and similar problems.
The following describes an electronic device provided in an embodiment of the present application; the electronic device described below and the message processing method and apparatus described above may be cross-referenced.
Referring to fig. 10, an embodiment of the present application discloses an electronic device, comprising:
a memory 1001 for storing a computer program; and
a processor 1002 for executing the computer program to implement the method disclosed in any of the embodiments above.
The following describes a readable storage medium provided in the embodiments of the present application; the readable storage medium described below and the message processing method, apparatus and device described above may be cross-referenced.
A readable storage medium stores a computer program which, when executed by a processor, implements the message processing method disclosed in the foregoing embodiments. For the specific steps of the method, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.
References herein to "first," "second," "third," "fourth," etc. (if present) are used to distinguish similar objects from each other and do not necessarily describe a particular order or sequence. It is to be understood that the data so used may be interchanged where appropriate, so that the embodiments described herein can be implemented in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising" and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, and may include other steps or elements not expressly listed or inherent to such process, method or apparatus.
It should be noted that the terms "first," "second," etc. herein are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implying the number of technical features indicated. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, provided that the combination can be realized by those skilled in the art; when the technical solutions are contradictory or cannot be realized, the combination should be regarded as non-existent and outside the protection scope of the present application.
In this specification, the embodiments are described in a progressive manner, each embodiment focusing on its differences from the other embodiments, so that the same or similar parts of the embodiments may be referred to one another.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of readable storage medium known in the art.
The principles and embodiments of the present application have been described herein with specific examples; the above examples are provided only to help understand the method of the present application and its core ideas. Meanwhile, those skilled in the art may make modifications to the specific embodiments and application scope in accordance with the ideas of the present application; in view of the above, this description should not be construed as limiting the present application.

Claims (10)

1. A message processing method, applied to a BGP proxy in a network device, comprising:
receiving a first message sent by a neighbor device of the network device;
if the first message carries a check option, a communication connection has been established between the neighbor device and a master executor in the network device, and a first key of the neighbor device is recorded locally, calculating first check data of the first message; and
sending the first message, based on the first check data, to at least one slave executor that has a communication connection with the BGP proxy, so that the at least one slave executor processes the first message.
2. The method of claim 1, wherein calculating the first check data of the first message comprises:
constructing a pseudo header based on a source IP address, a destination IP address, a protocol number and a TCP length of the first message;
acquiring the first key from locally preset configuration information;
determining a TCP header field and a message payload of the first message; and
processing the pseudo header, the first key, the TCP header field and the message payload with an MD5 algorithm, and taking the resulting MD5 value as the first check data.
3. The method of claim 1, wherein establishing the communication connection between the neighbor device and the master executor and the communication connection between the BGP proxy and the at least one slave executor comprises:
receiving a link-establishment message sent by the neighbor device; and
storing the link-establishment message, establishing the communication connection between the neighbor device and the master executor based on the link-establishment message, and then establishing the communication connection between the BGP proxy and the at least one slave executor based on the link-establishment message.
4. The method of claim 1, wherein disconnecting the neighbor device from the master executor and disconnecting the BGP proxy from the at least one slave executor comprises:
receiving a link-teardown message sent by the neighbor device; and
storing the link-teardown message, disconnecting the communication connection between the neighbor device and the master executor based on the link-teardown message, and then disconnecting the communication connection between the BGP proxy and the at least one slave executor based on the link-teardown message.
5. The method of claim 1, wherein sending the first message to at least one slave executor having a communication connection with the BGP proxy based on the first check data comprises:
checking the check option using the first check data;
if the check option passes the check, modifying part of the TCP header fields of the first message to obtain a first forwarding message, calculating forwarding check data of the first forwarding message, encapsulating the forwarding check data into the first forwarding message, and then sending the first forwarding message carrying the forwarding check data to the at least one slave executor; and
if the check option fails the check, modifying part of the TCP header fields of the first message to obtain a second forwarding message, encapsulating the check option into the second forwarding message, and then sending the second forwarding message carrying the check option to the at least one slave executor.
6. The method of any one of claims 1 to 5, further comprising:
receiving a second message sent by any slave executor of the at least one slave executor;
calculating second check data of the second message; and
if the check option in the second message passes the check using the second check data, reading and processing the second message; otherwise, disconnecting the communication connection with that slave executor.
7. The method of any one of claims 1 to 5, further comprising:
receiving and storing a third message sent by the master executor;
if the third message is a link-establishment message and a communication connection already exists between the neighbor device and the master executor, keeping the communication connection initiated by the party with the larger router ID based on the third message, and deleting the other communication connection; and
if the third message is a link-teardown message, disconnecting the communication connection between the neighbor device and the master executor based on the third message, and disconnecting the communication connection between the BGP proxy and the at least one slave executor based on the third message.
8. A message processing apparatus, applied to a BGP proxy in a network device, comprising:
a receiving module, configured to receive a first message sent by a neighbor device of the network device;
a calculating module, configured to calculate first check data of the first message if the first message carries a check option, a communication connection has been established between the neighbor device and a master executor in the network device, and a first key of the neighbor device is recorded locally; and
a processing module, configured to send the first message, based on the first check data, to at least one slave executor that has a communication connection with the BGP proxy, so that the at least one slave executor processes the first message.
9. An electronic device, comprising:
a memory for storing a computer program; and
a processor for executing the computer program to implement the method of any one of claims 1 to 7.
10. A readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the method of any one of claims 1 to 7.
CN202211708823.0A 2022-12-29 2022-12-29 Message processing method, device, equipment and readable storage medium Pending CN116319539A (en)


Publications (1)

Publication Number Publication Date
CN116319539A (en) 2023-06-23

Family

ID=86780370


Country Status (1)

Country Link
CN (1) CN116319539A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination