CN1494280A - Method of control message transmission in network equipment - Google Patents
- Authority
- CN
- China
- Prior art keywords
- message
- destination address
- list item
- network equipment
- arp
- Legal status: Granted
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
When a packet whose destination address lookup fails is received, the network device sends out a message to learn the destination address and, based on the destination address of the received packet, creates a pseudo (fake) entry. If the destination address of a subsequently received packet whose lookup succeeds matches the address in the pseudo entry, that packet is discarded directly without any further processing, until the pseudo entry is deleted. The invention guarantees that packets with the same destination address do not generate large numbers of lookup-failure messages reported to the CPU, which saves valuable hardware resources in the network device. It also prevents large numbers of requests to learn the same destination address from being generated in the network, which would consume excessive network communication resources and affect the forwarding of normal packets.
Description
Technical field
The present invention relates to the field of network communications technology, and in particular to a method for controlling packet forwarding in a network device.
Background technology
RPR (Resilient Packet Ring) is a new kind of ring network; it is a broadcast network similar to Ethernet. For reasons such as security, an operator can forbid access to certain nodes. The method used is a Source Reject attribute on an RPR node, which rejects packets whose source MAC (medium access control) address has a particular value. As shown in Figure 1, after node C has configured Source Reject against node A, packets whose source MAC is that of node A are discarded at the physical layer when node C receives them. So when routers R1 and R2 are attached to nodes A and C respectively, packets from R1 that pass through node A and then node C to reach R2 cannot be forwarded normally, whereas packets from R2 that pass through node C and then node A to reach R1 are forwarded normally.
Because RPR is a broadcast network, the routing protocol cannot detect that the flow from R1 to R2 is blocked. If at this point node A is restarted, or the ARP entry holding node C's MAC address ages out, the packets sent by R1 to R2 produce a large number of ARP MISS (address resolution protocol table lookup failure) messages on node A; ARP MISS messages are sent up to the CPU and used to generate ARP requests. Because node C has the Source Reject attribute configured, node C discards all packets from node A, so the ARP request from node A is discarded by node C and no reply reaches node A. Node A is therefore unable to learn node C's MAC address for a long time, keeps generating large numbers of ARP MISS messages on node A and sending them to the CPU, and the CPU keeps sending ARP requests.
A large number of ARP MISS messages sent to the CPU occupies a large amount of CPU resources and puts great pressure on the channel to the CPU, which in turn affects other normal services; on a router with poor flow-control measures it easily causes a restart or a crash. At the same time, because the CPU keeps sending ARP requests, the small number of legitimate ARP MISS messages may be drowned in the large number of A->C ARP messages, so the corresponding MAC addresses cannot be learned for a long time and normal packets are lost.
The current solution to the above problem generally takes the following form: as shown in Figure 2, a classification and flow-control mechanism is added on the forwarding engine for all packets sent up to the CPU. The classification module usually just classifies the packets by type, for example separating routing protocol packets, ARP MISS messages and other normal control packets, and marks each with a different label so the flows can be distinguished. The flow-control module usually uses one of two methods:
1) Rate policing with CAR (Committed Access Rate) of the different flows, using the standard token bucket algorithm to limit the rate of each flow.
2) Placing different packets into different priority queues and controlling them there; the queues of different flows are assigned priorities, the PQ (Priority Queue) algorithm guarantees that high-priority packets are served, and RR (Round Robin) between queues of the same priority guarantees that they are scheduled fairly.
The two methods can also be combined: when the ARP MISS flow is especially large, CAR discards the part exceeding the configured bandwidth, and the separate priority queues guarantee that other service packets are still sent up normally.
The above prior-art scheme can effectively prevent a large flow from overwhelming the router CPU and prevent the packets sent up one by one from affecting important control packets such as heartbeat messages and routing protocol packets, thereby avoiding crashes. However, the existing scheme cannot further classify ARP MISS messages by IP address and then apply flow control per such stream; therefore other ARP MISS messages mixed in with the large number of ARP MISS messages caused by Source Reject may still be unable to reach the CPU for a long time. If the conventional method were kept to solve this problem, the only option would be fine-grained differentiation during traffic classification, applying flow control according to the IP address of each ARP MISS message, which wastes a large amount of forwarding resources and affects normally forwarded traffic.
In addition, if the router does not take this situation into account, ordinary Gigabit Ethernet ports or Fast Ethernet (FE) ports may also suffer attacks in which a hacker uses non-existent IP addresses, producing the same problem and causing the router to crash.
Summary of the invention
The purpose of the present invention is to provide a method for controlling packet forwarding in a network device that prevents the problems a network attack may cause and solves the problem of ARP MISS message storms that may occur in an RPR network.
The object of the present invention is achieved as follows: a method for controlling packet forwarding in a network device comprises:
a. After the network device receives a packet to be forwarded, it judges whether the destination address of the packet is present in the forwarding table; if so, step c is executed, otherwise step b is executed;
b. A request message for learning the destination address of the packet is sent out, and at the same time a fake entry is generated according to the destination address of the received packet;
c. It is judged whether the destination address of the packet is an address in a fake entry; if so, the packet is discarded, otherwise the packet is forwarded normally.
Said step b comprises:
b1. The network device generates an ARP MISS (address resolution protocol table lookup failure) message for the packet and reports it to the network device CPU (central processing unit);
b2. The network device CPU sends out a request message for learning the destination address of the packet, and generates a fake ARP entry for the packet.
After the fake ARP entry is generated according to the destination address of the received packet in step b, the method further comprises: setting an aging time for the fake ARP entry, and deleting the fake ARP entry when the aging time is reached.
After the fake ARP entry is generated according to the destination address of the received packet in step b, the method further comprises: after the network device receives the reply to the ARP request message, replacing the fake ARP entry with a real ARP entry.
As can be seen from the above technical scheme, the present invention adopts the method of generating a fake entry for a received packet whose destination address lookup failed, which guarantees that packets with the same destination address do not generate a large number of destination-lookup-failure messages reported to the CPU, and thereby also avoids generating a large number of requests for learning the same destination address in the network. Therefore the present invention saves valuable hardware resources in the network device, and at the same time its implementation does not generate a large number of address-learning request messages that would consume excessive network communication resources, so normal packet forwarding is not affected.
Description of drawings
Fig. 1 is a schematic diagram of an RPR network structure;
Fig. 2 is a schematic diagram of the packet forwarding control scheme in an existing RPR network;
Fig. 3 is a flow chart of a specific embodiment of the present invention;
Fig. 4 is a flow chart of the fake entry time-to-live processing.
Embodiment
The specific embodiment of the present invention is now described further in conjunction with its application in an RPR network. The core of the present invention is that, after the ARP module in the network device CPU (central processing unit) receives an ARP MISS message and sends out an ARP request, it first generates a fake ARP entry and adds it to the forwarding table, so that during the period in which the network device has not yet learned the destination MAC (Media Access Control) address of that packet, any packet received for forwarding with the same destination address as the ARP MISS message is discarded directly, and no further ARP MISS messages are generated and sent up to the network device CPU. The specific embodiment of the present invention is shown in Figure 3:
Step 1: After the network device receives a packet to be forwarded, it looks up the ARP table according to the packet's destination address and judges whether the ARP table contains an ARP entry matching that destination address; if not, step 2 is executed, otherwise step 3 is executed;
Step 2: An ARP MISS message is generated for this packet and reported to the network device CPU, the CPU of the network device generates an ARP request message and sends it out, and at the same time a fake ARP entry is generated according to the destination address of this packet;
In this way a fake ARP entry for the packet's destination address has been generated in the network device; during the period in which this fake ARP entry exists, any packet received by the network device for forwarding with the same destination address is discarded, and no further ARP MISS messages are generated and reported to the network device CPU;
Under normal conditions, the ARP request message is delivered to the forwarding engine and sent to the peer network device; the peer network device immediately returns an ARP reply message after receiving the ARP request, and this ARP reply carries the MAC address of the peer device's port; the network device generates a real ARP entry from this ARP reply and replaces the fake ARP entry with it, so that this packet and later packets received with the same destination address can be forwarded normally;
To ensure that network communication proceeds normally under abnormal conditions, when the network device generates the fake ARP entry it starts an aging timer for that fake ARP entry, which sets the entry's time-to-live. Thus, even if no ARP reply is returned after the ARP request is sent, the fake ARP entry is still deleted after a period of time (the time-to-live), after which an ARP MISS message may again be generated and sent up to the CPU, and an ARP request may be generated again. This time period can be set according to practical experience, for example to several seconds. In principle the timer acts as a switch on ARP MISS messages in the device: when abnormal conditions occur, only one ARP MISS message is allowed to be generated and sent up in each set time period. The detailed process after the fake ARP entry is generated is shown in Figure 4:
Step 21: Start timing and judge whether the set time-to-live has been reached; if so, step 22 is executed, otherwise step 23 is executed;
Step 22: Delete this fake ARP entry;
Step 23: Judge whether a reply to the ARP request message has been received; if so, step 24 is executed, otherwise step 21 is executed;
Step 24: Issue a formal entry (that is, a real ARP entry) to replace this fake entry, and stop timing;
Step 3: Judge whether the ARP entry matching the packet is a fake ARP entry; if so, step 4 is executed, otherwise step 5 is executed;
Step 4: Discard the newly received packet directly, without generating an ARP MISS message to report to the network device CPU;
Step 5: Forward the packet normally.
The present invention can also be applied to, and extended to, other products such as firewalls, using the method of inserting a temporary entry or flag bit (that is, the method of generating a fake entry) to protect against specific storm attack packets.
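Steps a-c of the summary and steps 1-5 and 21-24 of the embodiment above, as an added Python simulation that is not code from the patent: the engine, the integer millisecond clock, the IP and MAC values and the 1000-packet burst are constructed assumptions, and real ARP entries are not aged in this model. Setting use_fake_entries=False reproduces the prior-art behaviour (one ARP MISS to the CPU per packet) for comparison.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ArpEntry:
    mac: Optional[str]         # None marks a fake (pseudo) entry (step b2 / step 2)
    expires_at: Optional[int]  # aging deadline in ms for a fake entry (step 21)


@dataclass
class Stats:
    arp_miss_to_cpu: int = 0   # ARP MISS messages reported to the CPU
    arp_requests_sent: int = 0
    forwarded: int = 0
    dropped: int = 0           # packets discarded because they hit a fake entry (step 4)


class ForwardingEngine:
    """Assumed model of forwarding engine plus CPU ARP module (not the patent's code)."""

    def __init__(self, fake_ttl_ms: int = 3000, use_fake_entries: bool = True):
        self.fake_ttl_ms = fake_ttl_ms
        self.use_fake_entries = use_fake_entries
        self.arp_table: Dict[str, ArpEntry] = {}
        self.stats = Stats()
        self.clock_ms = 0  # simulated time; real entries are never aged in this model

    def tick(self, ms: int) -> None:
        """Advance the clock and delete fake entries whose time-to-live elapsed (steps 21, 22)."""
        self.clock_ms += ms
        for ip, entry in list(self.arp_table.items()):
            if entry.mac is None and entry.expires_at is not None \
                    and self.clock_ms >= entry.expires_at:
                del self.arp_table[ip]

    def forward(self, dst_ip: str) -> str:
        """Handle one packet to be forwarded (steps a-c / 1-5)."""
        entry = self.arp_table.get(dst_ip)
        if entry is None:
            # steps b1/b2: ARP MISS to the CPU, CPU sends an ARP request, fake entry installed
            self.stats.arp_miss_to_cpu += 1
            self.stats.arp_requests_sent += 1
            if self.use_fake_entries:
                self.arp_table[dst_ip] = ArpEntry(None, self.clock_ms + self.fake_ttl_ms)
            return "arp_miss"
        if entry.mac is None:
            # step c / step 4: destination matches a fake entry, drop without touching the CPU
            self.stats.dropped += 1
            return "dropped"
        self.stats.forwarded += 1  # step 5
        return "forwarded"

    def arp_reply(self, ip: str, mac: str) -> None:
        """Step 24: a real entry replaces the fake one and its timer stops."""
        self.arp_table[ip] = ArpEntry(mac, None)


def burst(engine: ForwardingEngine, dst_ip: str, count: int, interval_ms: int) -> Stats:
    """Send `count` packets to one destination that never answers (the Source Reject case
    from the background), spaced `interval_ms` apart, and return the engine's counters."""
    for _ in range(count):
        engine.forward(dst_ip)
        engine.tick(interval_ms)
    return engine.stats


if __name__ == "__main__":
    # constructed scenario: 1000 packets over 10 s, fake-entry time-to-live of 3 s
    with_fake = burst(ForwardingEngine(3000), "10.0.0.2", 1000, 10)
    without = burst(ForwardingEngine(3000, use_fake_entries=False), "10.0.0.2", 1000, 10)
    print("ARP MISS to CPU with fake entries:", with_fake.arp_miss_to_cpu)    # 4
    print("ARP MISS to CPU without fake entries:", without.arp_miss_to_cpu)  # 1000
```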
Claims (4)
1. A method for controlling packet forwarding in a network device, characterized in that it comprises:
a. After the network device receives a packet to be forwarded, judging whether the destination address of the packet is present in the forwarding table; if so, executing step c, otherwise executing step b;
b. Sending out a request message for learning the destination address of the packet, and at the same time generating a fake entry according to the destination address of the received packet;
c. Judging whether the destination address of the packet is an address in a fake entry; if so, discarding the packet, otherwise forwarding the packet normally.
2. The method for controlling packet forwarding in a network device according to claim 1, characterized in that said step b comprises:
b1. The network device generating an ARP MISS (address resolution protocol table lookup failure) message for the packet and reporting it to the network device CPU (central processing unit);
b2. The network device CPU sending out a request message for learning the destination address of the packet, and generating a fake ARP entry for the packet.
3. The method for controlling packet forwarding in a network device according to claim 2, characterized in that, after the fake ARP entry is generated according to the destination address of the received packet in said step b, the method further comprises: setting an aging time for the fake ARP entry, and deleting the fake ARP entry when the aging time is reached.
4. The method for controlling packet forwarding in a network device according to claim 2, characterized in that, after the fake ARP entry is generated according to the destination address of the received packet in said step b, the method further comprises: after the network device receives the reply to the ARP request message, replacing the fake ARP entry with a real ARP entry.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB02150119XA CN1248466C (en) | 2002-11-02 | 2002-11-02 | Method of control message transmission in network equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1494280A true CN1494280A (en) | 2004-05-05 |
CN1248466C CN1248466C (en) | 2006-03-29 |
Family
ID=34233877
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB02150119XA Expired - Fee Related CN1248466C (en) | 2002-11-02 | 2002-11-02 | Method of control message transmission in network equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1248466C (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100399770C (en) * | 2004-08-18 | 2008-07-02 | 华为技术有限公司 | Sending controller channel stream limiting method |
WO2009000169A1 (en) * | 2007-06-28 | 2008-12-31 | Huawei Technologies Co., Ltd. | Message forwarding method and network device |
CN1996948B (en) * | 2006-12-28 | 2010-05-19 | 杭州华三通信技术有限公司 | Message forwarding method and device based on the media access control layer |
WO2011032405A1 (en) * | 2009-09-17 | 2011-03-24 | 中兴通讯股份有限公司 | Method and system for interaction between asn and mapping-forwarding plane, and asn |
CN101227400B (en) * | 2008-02-01 | 2011-12-28 | 中兴通讯股份有限公司 | Apparatus and method for processing Ethernet data package |
CN104796340A (en) * | 2014-01-22 | 2015-07-22 | 杭州华三通信技术有限公司 | Multicast data transmission method and device |
CN104821923A (en) * | 2015-05-15 | 2015-08-05 | 杭州华三通信技术有限公司 | Method and device for transmitting upper-supply controller protocol message in SDN network |
CN105635138A (en) * | 2015-12-28 | 2016-06-01 | 华为技术有限公司 | Method and apparatus for preventing ARP attacks |
CN107547535A (en) * | 2017-08-24 | 2018-01-05 | 新华三技术有限公司 | The MAC address learning method, apparatus and the network equipment of attack protection |
CN114157602A (en) * | 2021-11-03 | 2022-03-08 | 杭州迪普科技股份有限公司 | Method and device for processing message |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104660526B (en) * | 2013-11-22 | 2018-03-16 | 华为技术有限公司 | MAC address entries learning method and device |
Also Published As
Publication number | Publication date |
---|---|
CN1248466C (en) | 2006-03-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20060329; Termination date: 20181102 |