CN100502352C - Method and apparatus for preventing user from obtaining operation trader network information - Google Patents

Publication number: CN100502352C
Authority: CN (China)
Application number: CN 200510082717
Other languages: Chinese (zh)
Other versions: CN1893392A
Inventor: 苗福友
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Prior art keywords: network, icmp, user, operator, packet

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The present invention provides a method and apparatus for preventing users from obtaining operator network information. The method mainly comprises: determining the edge router between the operator network and the user network; the edge router then filters the Internet Control Message Protocol (ICMP) time exceeded messages it receives that are sent from the operator network to the user network. With the invention, the operator network does not return the path information of user data to the user.

Description

Method and apparatus for preventing users from obtaining operator network information

Technical Field

The present invention relates to the field of communications, and in particular to a method and apparatus for preventing users from obtaining operator network information.

Background

The IP protocol is the core of the Internet protocol suite. Its unified routing mechanism hides the underlying physical networks, enabling wide-area interconnection of heterogeneous networks. The version of the IP protocol currently used on the Internet is IPv4.

Although the IP protocol is powerful at delivering packets, it takes no responsibility for loss, duplication, delay or reordering of packets, so it cannot guarantee that a packet will reach its destination. To raise the probability of successful delivery of IP packets and to report accurately on how delivery went, the IETF (Internet Engineering Task Force) designed ICMP (Internet Control Message Protocol).

Structurally, the Internet consists of hosts that send and receive packets and routers that relay them. Given the unreliability of the IP protocol itself, ICMP is mainly used to carry control and error-report messages between network devices and nodes. That is, the purpose of ICMP is only to inform the originating host of problems that arise in the network environment. ICMP mainly supports routers feeding information about the outcome of packet transmission back to the originating host.

The main users of ICMP are routers, and the receiver is the originating host of the IP packet. A simple ICMP transmission proceeds as follows:

1. When a router finds that an IP packet cannot be forwarded or delivered for some reason, the relevant entity (generally an upper-layer entity) forms an ICMP message.

2. According to the fault category it has determined, the router fills in the message type, message code, message checksum and message data portion of the ICMP message.

3. The router takes the IP address of the originating host from the failed IP packet and forms a new IP packet carrying the ICMP message.

4. The router forwards this IP packet to the originating host over a channel along some route.

5. On receiving the IP packet carrying the ICMP message, the originating host extracts the ICMP message, reads its field values, and from them determines the fault type of the failed IP packet and its cause.

An IP packet carrying an ICMP message has no priority during this feedback transmission and is forwarded just like a normal IP packet. The only difference is that if the IP packet carrying the ICMP message itself fails in transit, the router forwarding it generates no new error message.

ICMP messages fall into two main classes: ICMP error-report messages and ICMP informational messages.

There are five main ICMP error-report messages:

1. Destination unreachable: when a router or host cannot deliver a packet to the destination, it sends a destination unreachable message to the source.

2. Source quench: when a router or host discards a packet because of congestion, it sends a source quench message to the source, so that the source knows it should slow its sending rate.

3. Time exceeded: when a router receives a packet whose time to live is zero, it discards the packet and also sends a time exceeded message to the source. When a destination cannot receive the whole of a packet within a predefined time, it discards everything it has received and sends a time exceeded message to the source.

4. Parameter problem: when a router or destination host finds that a field in the header of a received packet has an incorrect value, it discards the packet and sends a parameter problem message to the source.

5. Redirect: a router sends a redirect message to a host to tell it that next time it should send the packet to a different router.

ICMP error-report messages should not be sent in the following cases:

1. No ICMP error-report message is sent in response to an ICMP error-report message;

2. No ICMP error-report message is sent for any of the fragments that follow the first fragment of a packet;

3. No ICMP error-report message is sent for packets with a multicast address;

4. No ICMP error-report message is sent for packets with a special address (such as 127.0.0.0 or 0.0.0.0).

There are four kinds of ICMP informational messages:

1. Echo Request and Echo Reply: after a host or router sends an echo request message to a specific destination host, the machine that receives it must return a reply message to the originating host or router.

2. Timestamp request and reply: used mainly to ask a host or router for the current date and time.

3. Address mask request: used mainly to obtain the address mask of an interface from a subnet mask server.

4. Router solicitation and advertisement: used mainly to learn whether the routers attached to the local network are working properly. A host broadcasts a router solicitation message. One or more routers that receive the solicitation broadcast their routing information in router advertisement messages.

By combining the functions of the echo request and reply messages (informational messages) with the time exceeded message (an error message), it is possible to obtain the network transmission path of an IP packet.

Below, an IPv4 network is used as an example to explain the traceRoute function (a method or program for tracing the transmission path of data).

Two kinds of traceroute are in use today: ICMP traceroute and UDP (User Datagram Protocol) traceroute. Some software companies use ICMP traceroute, so the traceRT issued on some operating systems uses ICMP traceroute; other operating systems, such as unix, and some companies' routers use UDP traceroute.

In routers and hosts, TraceRoute decides the next operation according to the value of the packet's TTL (Time to Live):

If the TTL of the received packet is 0 (TTL=0), the packet is discarded and an ICMP time exceeded message is sent to the source node;

If the TTL of the received packet is not 0, the TTL is decremented by 1 and the packet is passed to the upper-layer protocol for processing.

TraceRoute generally sets the TTL to a very small value, deliberately causing the nodes on the path to return ICMP time exceeded messages in order to obtain path information.

ICMP traceroute works as follows:

ICMP traceroute uses ICMP Echo Request, ICMP Echo Reply and ICMP TTL-expired messages. The source host sends ICMP Echo Request messages: the first request has a TTL of 1, the second a TTL of 2, and so on, incrementing until the TTL reaches 30. The intermediate routers return ICMP TTL-expired (ICMP type 11) messages to notify the source host, while the packet itself is dropped because its TTL expired. The source host thereby learns every router the packet passes along the way, and finally the destination host returns an ICMP Echo Reply message.

UDP traceroute works as follows:

UDP traceroute uses ICMP TTL-expired (type 11) messages, ICMP port unreachable (type 3, code 3) messages and UDP packets with port > 32768. The source host sends UDP packets whose source port is any random high port above 32768. The destination port starts at 33434 and is incremented with each probe sent, up to 33434+29 (on a cisco router the extended-traceroute command can change this starting port 33434), while the TTL starts at 1 and is incremented in the same way up to 1+29=30 (at most 30 probes are sent). The intermediate routers return ICMP TTL-expired messages, so the source host learns each intermediate router; finally the destination host returns TTL-expired and ICMP port unreachable messages (because no application on any host uses such high UDP ports above 32768).

By the working principles of ICMP traceroute and UDP traceroute described above, a user can use them to obtain node information and path information in the network, and by changing the destination address of the packets can obtain multiple paths; combined, this information yields the network topology.

From the user's point of view, what matters is quality of service. The user need not care which nodes carry the packets, and obtaining path information does nothing to raise user satisfaction. A malicious attacker, however, can use path information to launch attacks on the network, so users' access to network path information should be restricted.

One prior-art security measure against ICMP TraceRoute is to restrict routers from returning system information by changing their packet processing rules. The rules changed are mainly:

1. If any router on the intermediate path filters ICMP Echo Request, Traceroute cannot work;

2. If type 11 (Time Exceeded) messages are blocked, none of the intermediate routers is visible, but the packet can still be seen to reach the final destination;

3. If ICMP Echo Reply messages are blocked, all intermediate nodes can return Time Exceeded information and the final destination is not visible; the user can therefore still obtain the path information.

One prior-art security measure against UDP TraceRoute is likewise to restrict routers from returning system information by changing their packet processing rules. The rules changed are mainly:

1. If any router on the intermediate path filters out UDP port > 32768, traceroute cannot work;

2. Block TTL time exceeded messages, so that the source host cannot see the intermediate routers;

3. Block Echo Reply messages, so that the source host cannot obtain a response from the destination node.

The drawback of these prior-art security measures against ICMP TraceRoute and UDP TraceRoute is that they also restrict the use of TraceRoute inside the operator network, yet TraceRoute is an important tool for the operator to manage and maintain its network.

Summary of the Invention

In view of the problems of the prior art described above, the object of the present invention is to provide a method and apparatus for preventing users from obtaining operator network information, so that the operator network does not return path information to the user.

The object of the invention is achieved by the following technical solution. A method for preventing users from obtaining operator network information, comprising:

A. Determining the edge router between the operator network and the user network;

B. The edge router filters the Internet Control Message Protocol (ICMP) time exceeded messages it receives that are sent from the operator network to the user network. The filtering comprises discarding the ICMP time exceeded message; or modifying the address of the ICMP time exceeded message; or deleting or converting the operator network information contained in the ICMP time exceeded message.

Step B specifically comprises:

The edge router discards the ICMP time exceeded messages it receives that are sent from the operator network to the user network.

Step B specifically comprises:

The edge router modifies the source address of the ICMP time exceeded messages it receives that are sent from the operator network to the user network, and then forwards the message normally.

Step B specifically comprises:

The edge router changes the source address of the ICMP time exceeded messages it receives that are sent from the operator network to the user network to its own address, and then forwards the message normally. The edge router changes the destination address of the ICMP time exceeded messages it receives that are sent from the operator network to the user network to the address of the source host that sent the ICMP time exceeded message; this address is obtained from the body of the ICMP time exceeded message.

Step B specifically comprises:

The edge router deletes or converts the operator network information contained in the ICMP time exceeded messages it receives that are sent from the operator network to the user network, and then forwards the processed ICMP time exceeded message to the destination user network.

Step B specifically comprises:

B1. From attributes of the IP packet that carries the ICMP time exceeded message, the edge router determines whether the source node of the received ICMP time exceeded message sent from the operator network to the user network is in the operator network or in a user network. If it is in the operator network, step B2 is performed; otherwise, step B3 is performed;

B2. The edge router discards the received ICMP time exceeded message or modifies its address, or deletes or converts the operator network information contained in it;

B3. The edge router forwards the received ICMP time exceeded message to the destination user network.

The attributes of the IP packet referred to in step B1 include the IP packet's time to live (TTL) or Hop Limit.

The method is applicable to IPv4 or IPv6 networks.

An apparatus for preventing users from obtaining operator network information, implemented by a router, the router comprising:

Packet filtering module: filters the ICMP time exceeded messages that pass through the router and are sent from the operator network to the user network. The filtering comprises discarding the ICMP time exceeded message; or modifying the address of the ICMP time exceeded message; or deleting or converting the operator network information contained in the ICMP time exceeded message.

The packet filtering module comprises:

Packet discarding module: discards the ICMP time exceeded messages that pass through the router and are sent from the operator network to the user network; and/or,

Operator network information processing module: deletes or converts the operator network information contained in the ICMP time exceeded messages that pass through the router and are sent from the operator network to the user network; and/or,

Packet address modification module: modifies the addresses of the ICMP time exceeded messages that pass through the router and are sent from the operator network to the user network.

As the technical solution above shows, by filtering, discarding or modifying the ICMP time exceeded messages sent through the operator network edge to the user network, the invention prevents the operator network from returning to the user ICMP time exceeded messages that contain operator network path information, or ensures that the returned ICMP time exceeded messages cannot be used to derive operator network path information. At the same time, the invention ensures that path tracing programs such as TraceRoute can still be used successfully inside the operator network.

Brief Description of the Drawings

Figure 1 is a flowchart of the specific processing of the method of the invention;
Figure 2 is a networking diagram of the embodiment of the invention;
Figure 3 is a structural diagram of the apparatus of the invention.

Detailed Description

The present invention provides a method and apparatus for preventing users from obtaining operator network information. The core of the invention is that when an ICMP time exceeded message is sent through an operator network edge router to the user network, the edge router filters that ICMP time exceeded message.

The invention is described in detail below with reference to the drawings. The specific processing flow of the method is shown in Figure 1 and comprises the following steps:

Step 1-1. The user equipment sends ICMP Echo or UDP packets to the destination user through the operator network, and ICMP time exceeded messages are generated.

The user equipment, which may be a single host or a network made up of multiple hosts, routers and switches, sends through the operator network to the destination user multiple ICMP Echo messages of the ICMP TraceRoute function, or multiple UDP packets of the UDP TraceRoute function.

When some of these ICMP Echo or UDP packets reach an intermediate router or edge router in the operator network, or a router in some other user network outside the operator network, the TTL in the packet is 0 (TTL=0). Following its ICMP processing rules, the router therefore discards the received ICMP Echo or UDP packet and, per the IP protocol, generates an ICMP time exceeded message, setting its destination address to the address of the source user equipment and its source address to the router's own address.

Step 1-2. An intermediate router or edge router in the operator network receives the ICMP time exceeded message.

The ICMP time exceeded message generated in step 1-1 is sent to the source user equipment through the operator network, so an intermediate router or edge router in the operator network will receive it. If an intermediate router receives the ICMP time exceeded message, step 1-3 is performed; if an edge router receives it, step 1-4 is performed.

Step 1-3. The intermediate router forwards the ICMP time exceeded message normally. The intermediate router forwards the received ICMP time exceeded message according to the normal forwarding rules, with no special handling.

Step 1-4. The edge router determines whether the time exceeded message is being sent from the operator network to the user network. After receiving an ICMP time exceeded message, the edge router must determine whether it is being sent from the operator network to the user network. If so, step 1-6 is performed; otherwise, step 1-5 is performed.

Step 1-5. The edge router forwards the ICMP time exceeded message normally.

The edge router forwards the received ICMP time exceeded message according to the normal forwarding rules, with no special handling.

Step 1-6. The edge router filters the ICMP time exceeded message.

If the edge router determines that the ICMP time exceeded message is being sent from the operator network to the user network, it discards the message; or it deletes or converts the operator network information contained in the message, so that the user cannot derive from it the path information of the operator network, this path being the one the request packet travelled; or it replaces the source address of the ICMP time exceeded message with the edge router's own address and the destination address with the original source address in the message, i.e. it sends the ICMP time exceeded message back.

After the operations described above, the user can therefore be prevented from obtaining the network connectivity information of the operator network from ICMP time exceeded messages.

For step 1-6 of the method, the invention also proposes an improvement, described as follows:

The edge router uses certain attributes of the IP packet carrying the ICMP time exceeded message to determine whether the source node that generated the message is in the operator network or in a user network. In some network schemes, packets generated by nodes in the operator network and packets generated by nodes in user networks are assigned different TTL ranges, so the determination can be made from the packet's TTL value.

Once the edge router has determined the origin of the ICMP time exceeded message, it does not allow messages originating in the operator network to be forwarded from the operator network to the user network, i.e. it filters them as described above; ICMP time exceeded messages originating in a user network are still forwarded normally to the user network.

This improvement is of some significance for VPNs (virtual private networks): multiple user networks/premises/sites in different geographic locations belong to the same customer, so users within one VPN can trace into the other user networks/premises/sites of the same VPN, while still not obtaining information about the operator network.

The invention also provides an embodiment of the method; the networking diagram of this embodiment is shown in Figure 2.

In the network shown in Figure 2, a CPN is user equipment, which may be a single host or a network made up of multiple hosts, routers or switches. CPNs may belong to the same or different individual users, home users, enterprise users or content providers and IDCs (Internet data centers).

PE is an operator edge router, located at the boundary between the user network and the operator network. A PE needs two main functions:

1. Filter ICMP time exceeded messages as required, which includes discarding the message or modifying its address, or deleting or converting the operator network information contained in the message.

2. Forward packets normally according to the ICMP protocol; generate ICMP time exceeded messages.

P is an operator core router, whose main functions are: forward packets normally according to the ICMP protocol; generate ICMP time exceeded messages.

In the network shown in Figure 2, a path trace initiated by a user proceeds as follows:

1. The user Host1 in CPN1 sends an Echo message to the destination node Host4 in CPN4. From the returned Echo Reply message, Host1 obtains the hop count N to the destination node (the number of forwarding nodes that must be traversed in between).

2. Host1 in CPN1 sends multiple ICMP Echo or UDP packets whose destination address is the address of node Host4 in CPN4, setting the TTL of the packets in turn to TTL = 1, 2, 3, ..., N, where N is the hop count to the destination node.

3. When some of the ICMP Echo or UDP packets sent by Host1 reach PE1, P1, P2 or PE4, their TTL = 0. According to the ICMP message processing rules in the routers, PE1, P1, P2 and PE4 therefore discard the received ICMP Echo or UDP packet and, following the IP procedures, generate an ICMP Time Exceeded message whose destination address is set to Host1's address and whose source address is set to the address of PE1, P1, P2 or PE4 itself.

4. When an operator edge router such as PE1, PE2, PE3 or PE4 receives an ICMP Time Exceeded message, it inspects the message and determines whether it is being sent from the operator network to a user network. If so, it filters the message; otherwise, it continues to forward the message.

For example, if PE1 receives an ICMP Time Exceeded message sent by P2 to Host1, it filters the message; if PE4 receives an ICMP Time Exceeded message sent by Host4 to Host1, it continues to forward the message. That message will then reach PE1.

If the improved scheme of the invention described above is not used, PE1 filters the ICMP Time Exceeded message sent by Host4 to Host1 after receiving it.

If the improved scheme of the invention described above is used, PE1 continues to forward the ICMP Time Exceeded message sent by Host4 to Host1 after receiving it.
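
The PE decision in step 4 and the two PE1 outcomes above can be modelled as follows. This is an added example, not code from the patent: the node sets and the names `pe_filter` and `trace_as_seen_by_host1` are assumptions, and a configured set of operator nodes stands in for the origin test, which claims 7 and 8 base on the TTL or Hop Limit of the carrying IP packet.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed model of the traced path: Host1 - PE1 - P1 - P2 - PE4 - Host4.
OPERATOR_NODES = {"PE1", "P1", "P2", "PE4"}  # assumption: configured on every PE
USER_NODES = {"Host1", "Host4"}

@dataclass(frozen=True)
class TimeExceeded:
    src: str  # node that generated the ICMP Time Exceeded message
    dst: str  # host that sent the expired probe

def pe_filter(msg: TimeExceeded, pe: str, action: str,
              improved: bool) -> Optional[TimeExceeded]:
    """Decision of edge router `pe` for a message arriving from the operator
    side. Returns the message that is forwarded, or None if it is dropped."""
    if msg.dst not in USER_NODES:
        return msg                  # not headed to a user network: forward
    if improved and msg.src not in OPERATOR_NODES:
        return msg                  # step B3: generated inside a user network
    if action == "drop":            # claim 2
        return None
    if action == "rewrite_src":     # claim 4: source becomes the PE's own address
        return replace(msg, src=pe)
    raise ValueError(f"unknown action {action!r}")

def trace_as_seen_by_host1(action: str, improved: bool) -> list:
    """Sources Host1 learns from probes with TTL = 1..4 (None = no answer).
    Assumption: PE1 applies the same filter to the message it generates itself."""
    seen = []
    for hop in ["PE1", "P1", "P2", "PE4"]:   # node at which the TTL reaches 0
        out = pe_filter(TimeExceeded(hop, "Host1"), "PE1", action, improved)
        seen.append(out.src if out else None)
    return seen

if __name__ == "__main__":
    print(trace_as_seen_by_host1("drop", improved=True))
    print(trace_as_seen_by_host1("rewrite_src", improved=True))
    # The Host4 -> Host1 message at PE1, without and with the improved scheme.
    print(pe_filter(TimeExceeded("Host4", "Host1"), "PE1", "drop", improved=False))
    print(pe_filter(TimeExceeded("Host4", "Host1"), "PE1", "drop", improved=True))
```

With either action the trace run from Host1 no longer reveals P1, P2 or PE4; only the improved scheme lets the message generated in CPN4 through.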

The structure of the apparatus of the invention is shown in Figure 3. The apparatus is implemented by a router, with the following modules added to the router:

Packet discarding module: discards ICMP Time Exceeded messages that pass through the router and are sent from the operator network to a user network.

Packet address modification module: modifies the addresses of ICMP Time Exceeded messages that pass through the router and are sent from the operator network to a user network, so that the ICMP Time Exceeded message cannot reach the user network.

Operator network information processing module: deletes or transforms the operator network information contained in ICMP Time Exceeded messages that pass through the router and are sent from the operator network to a user network, so that the user cannot obtain path information about the operator network from the processed ICMP Time Exceeded message.

The above are merely preferred specific embodiments of the invention, but the scope of protection of the invention is not limited to them. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. The scope of protection of the invention shall therefore be determined by the scope of protection of the claims.

Claims (11)

1. A method for preventing a user from obtaining operator network information, characterized by comprising: A. determining an edge router between the operator network and a user network; B. the edge router filtering received Internet Control Message Protocol (ICMP) Time Exceeded messages sent from the operator network to the user network, the filtering comprising: discarding the ICMP Time Exceeded message; or modifying an address of the ICMP Time Exceeded message so that the ICMP Time Exceeded message cannot reach the user network; or deleting or transforming the operator network information contained in the ICMP Time Exceeded message.
2. The method for preventing a user from obtaining operator network information according to claim 1, characterized in that step B specifically comprises: the edge router discarding received ICMP Time Exceeded messages sent from the operator network to the user network.
3. The method for preventing a user from obtaining operator network information according to claim 1, characterized in that step B specifically comprises: the edge router modifying the source address of received ICMP Time Exceeded messages sent from the operator network to the user network, and then forwarding the message normally.
4. The method for preventing a user from obtaining operator network information according to claim 3, characterized in that step B specifically comprises: the edge router modifying the source address of received ICMP Time Exceeded messages sent from the operator network to the user network to its own address, and then forwarding the message normally.
5. The method for preventing a user from obtaining operator network information according to claim 4, characterized in that step B further comprises: the edge router modifying the destination address of received ICMP Time Exceeded messages sent from the operator network to the user network to the address of the source host that sent the ICMP Time Exceeded message, that address being obtained from the message body of the ICMP Time Exceeded message.
6. The method for preventing a user from obtaining operator network information according to claim 1, characterized in that step B specifically comprises: the edge router deleting or transforming the operator network information contained in received ICMP Time Exceeded messages sent from the operator network to the user network, and then forwarding the ICMP Time Exceeded message, after the deletion or transformation, to the destination user network.
7. The method for preventing a user from obtaining operator network information according to claim 1, characterized in that step B specifically comprises: B1. the edge router determining, from attributes of the IP packet itself that carries the ICMP Time Exceeded message, whether the source node of the received ICMP Time Exceeded message sent from the operator network to the user network is in the operator network or in a user network; if it is in the operator network, performing step B2; otherwise, performing step B3; B2. the edge router discarding the received ICMP Time Exceeded message or modifying its address so that the ICMP Time Exceeded message cannot reach the user network; or deleting or transforming the operator network information contained in the received ICMP Time Exceeded message; B3. the edge router forwarding the received ICMP Time Exceeded message to the destination user network.
8. The method for preventing a user from obtaining operator network information according to claim 7, characterized in that the attributes of the IP packet itself in step B1 include the Time to Live (TTL) or the Hop Limit of the IP packet.
9. The method for preventing a user from obtaining operator network information according to claim 1, characterized in that the method is applicable to IPv4 or IPv6 networks.
10. An apparatus for preventing a user from obtaining operator network information, the apparatus being implemented by a router, characterized in that the router comprises: a packet filtering module, configured to filter ICMP Time Exceeded messages that pass through the router and are sent from the operator network to a user network, the filtering comprising: discarding the ICMP Time Exceeded message; or modifying an address of the ICMP Time Exceeded message so that the ICMP Time Exceeded message cannot reach the user network; or deleting or transforming the operator network information contained in the ICMP Time Exceeded message.
11. The apparatus for preventing a user from obtaining operator network information according to claim 10, characterized in that the packet filtering module comprises: a packet discarding module, configured to discard ICMP Time Exceeded messages that pass through the router and are sent from the operator network to a user network; and/or an operator network information processing module, configured to delete or transform the operator network information contained in ICMP Time Exceeded messages that pass through the router and are sent from the operator network to a user network; and/or a packet address modification module, configured to modify the addresses of ICMP Time Exceeded messages that pass through the router and are sent from the operator network to a user network, so that the ICMP Time Exceeded message cannot reach the user network.
CN 200510082717 2005-07-07 2005-07-07 Method and apparatus for preventing user from obtaining operation trader network information CN100502352C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200510082717 CN100502352C (en) 2005-07-07 2005-07-07 Method and apparatus for preventing user from obtaining operation trader network information

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200510082717 CN100502352C (en) 2005-07-07 2005-07-07 Method and apparatus for preventing user from obtaining operation trader network information
PCT/CN2006/000935 WO2007006193A1 (en) 2005-07-07 2006-05-10 A method for preventing the user from obtaining the service provider network information and the equipment as well as the system thereof

Publications (2)

Publication Number Publication Date
CN1893392A CN1893392A (en) 2007-01-10
CN100502352C true CN100502352C (en) 2009-06-17

Family

ID=37597914

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200510082717 CN100502352C (en) 2005-07-07 2005-07-07 Method and apparatus for preventing user from obtaining operation trader network information

Country Status (2)

Country Link
CN (1) CN100502352C (en)
WO (1) WO2007006193A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102025483B (en) 2009-09-17 2012-07-04 国基电子(上海)有限公司 Wireless router and method for preventing malicious scanning by using same
CN101964723B (en) * 2010-07-30 2012-03-28 中国联合网络通信集团有限公司 Communication operator network information interaction management method and system
CN103986652B (en) * 2014-05-22 2017-12-08 新华三技术有限公司 A kind of method for tracing route and device
CN105828218B (en) * 2016-04-19 2019-06-11 华为技术有限公司 A kind of method, apparatus and system detecting multicast data flow transmission quality

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1536832A (en) 2003-04-04 2004-10-13 华为技术有限公司 Method for processing extra-long message in two-layer virtual special-purpose network
CN1551571A (en) 2003-04-15 2004-12-01 阿尔卡特公司 Central internet protocol/multi protocol label switching verification in communication network management environment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5892753A (en) * 1996-12-02 1999-04-06 International Business Machines Corporation System and method for dynamically refining PMTU estimates in a multimedia datastream internet system
US6339595B1 (en) * 1997-12-23 2002-01-15 Cisco Technology, Inc. Peer-model support for virtual private networks with potentially overlapping addresses
US20030236913A1 (en) * 2002-06-25 2003-12-25 Hoban Adrian C. Network address translation for internet control message protocol packets

Also Published As

Publication number Publication date
CN1893392A (en) 2007-01-10
WO2007006193A1 (en) 2007-01-18

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model
CF01