CN100566294C - Unicast reverse path forwarding method - Google Patents
(Machine-translated Google Patents record; the translated title as shown on the page is "Single broadcast reverse path repeating method".)
Publication number: CN100566294C (application CN200510105748A / CNB2005101057489A)
Authority: CN (China)
Prior art keywords: urpf, list item, address, traffic, information table
Legal status: Expired - Fee Related (the legal status is Google's assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Classification: Data Exchanges In Wide-Area Networks
Abstract
The invention discloses a unicast reverse path forwarding (URPF) method comprising the steps of: establishing, in a network device, a URPF information table whose entries carry a forwarding mark that records whether forwarding is allowed; when an interface of the network device receives an IP data stream, looking up the URPF information table by the source IP address and destination IP address of the stream; if a matching entry exists, forwarding or discarding the stream according to that entry's forwarding mark; if no matching entry exists, performing a URPF check on the source and destination IP addresses, forwarding or discarding the stream according to the result, and adding a corresponding entry to the URPF information table. The method blocks packets with spoofed source IP addresses from attacking a site while still guaranteeing the forwarding of legitimate IP packets; it also merges the strict and loose check modes of conventional URPF, which simplifies configuration.
Description
Technical field
The present invention relates to the field of network communication technology, and specifically to a unicast reverse path forwarding method.
Background technology
With the rapid development of networks and the growing use of network applications, a variety of network security threats have followed, and network security has become an urgent need. For example, attacks on protocols such as HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol) and DNS (Domain Name System) can steal the privileges of ordinary users or even superusers and modify content at will, causing serious damage. Source IP address spoofing is another common form of attack: because the sender can change the source IP address at no cost, many attackers use it to attack anonymously.
Consider the attack model of Fig. 1:
An attacker at site C forges packets with source addresses in 150.1.1.0/24 and sends requests to site A. When site A answers, it sends its replies to the real owner of 150.1.1.0/24, site B, so the forged packets attack both site A and site B. If site A is hit by an ICMP (Internet Control Message Protocol) flood from source addresses in the 150.1.1.0/24 range, all it can see is that the attack appears to come from the subnet that contains 150.1.1.0/24, that is, from site B.
A spoofed source IP address makes it very hard to trace the true origin of an attack. The usual defence against attacks based on source address spoofing is URPF (Unicast Reverse Path Forwarding). It is called "reverse" because of how it differs from a normal route lookup: normally a router takes the destination address of a received packet, looks up a route for it, forwards the packet if a route is found and otherwise discards it. URPF instead takes the packet's source address and incoming interface, looks the source address up in the forwarding table as if it were a destination, and compares the interface of the matching route with the incoming interface; if they do not match, the source address is considered forged and the packet is discarded. This effectively blocks malicious traffic that relies on a modified source address.
Conventional URPF requires symmetric routing: packets from a customer to some host on the Internet and packets from that host back to the customer must traverse the same link between the customer's router and the ISP (Internet service provider) router. Because network topologies vary, asymmetric routes can exist under some networking arrangements, and conventional URPF then discards legitimate packets because the interface does not match.
In Fig. 2, router A's route to 20.20.20.0/24 has outgoing interface .1 pointing at router B's incoming interface .2; router B's route to 20.20.20.0/24 has outgoing interface .2 pointing at router C's incoming interface .1; and router C's route to 10.10.10.0/24 has outgoing interface .2 pointing at router A's incoming interface .1. Host S1 sends a legitimate packet from its interface .10 with source IP 10.10.10.10 and destination IP 20.20.20.20. The packet passes through router A to router B and then to router C. When router C receives it, the route it finds for the source address 10.10.10.10 points at router A, so the packet cannot pass the URPF check on router C and is wrongly discarded.
If symmetric routing cannot be guaranteed, a loose check can be used instead: the interface is not compared, and a packet passes as long as a route to its source address exists. This is insecure, however, and does not strictly prevent source IP address spoofing: an attacker can inject a packet on any interface, and it passes as long as its source IP address appears in the routing table.
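The two conventional modes described above, run on router C of Fig. 2, as an added example (not code from the patent): a strict check compares the outgoing interface of the longest-matching route to the source against the incoming interface, a loose check only asks whether such a route exists. Router C's routing table, the 20.20.20.0/24 entry on an assumed third interface eth2, and the interface names eth0 (toward router A) and eth1 (toward router B) are taken or assumed from the page's Fig. 2 description.

```python
"""Added example: strict and loose unicast RPF on router C of Fig. 2.
Not the patent's code; the routing table below is constructed from the
page's description of the topology."""
import ipaddress

Net = ipaddress.IPv4Network
IPv4 = ipaddress.IPv4Address

# Router C's routing table: prefix -> outgoing interface.
# eth0 faces router A, eth1 faces router B (names from the page);
# the 20.20.20.0/24 route on eth2 is an assumption so that C can reach the destination.
ROUTER_C_ROUTES = {
    Net("10.10.10.0/24"): "eth0",   # C's .2 interface points back at router A
    Net("100.1.1.0/24"): "eth0",
    Net("100.1.3.0/24"): "eth1",
    Net("20.20.20.0/24"): "eth2",
}


def longest_match(routes, ip):
    """Return (prefix, out_iface) for the longest route covering ip, or None."""
    matches = [n for n in routes if ip in n]
    if not matches:
        return None
    best = max(matches, key=lambda n: n.prefixlen)
    return best, routes[best]


def strict_urpf(routes, src, in_iface):
    """Strict mode: a route to the source must exist and its outgoing
    interface must be the interface the packet arrived on."""
    hit = longest_match(routes, IPv4(src))
    return hit is not None and hit[1] == in_iface


def loose_urpf(routes, src, in_iface=None):
    """Loose mode: any route to the source is enough; the interface is ignored.
    (With a default route in the table, every source would pass.)"""
    return longest_match(routes, IPv4(src)) is not None


if __name__ == "__main__":
    # S1's packet (10.10.10.10 -> 20.20.20.20) took A -> B -> C and enters C on eth1,
    # but C's route to 10.10.10.0/24 points out of eth0: strict mode drops it by mistake
    print(strict_urpf(ROUTER_C_ROUTES, "10.10.10.10", "eth1"))  # False
    print(loose_urpf(ROUTER_C_ROUTES, "10.10.10.10", "eth1"))   # True
    # loose mode also passes a forged 10.10.10.10 injected on any other interface
    print(loose_urpf(ROUTER_C_ROUTES, "10.10.10.10", "eth2"))   # True
    # a source with no route at all fails both modes
    print(strict_urpf(ROUTER_C_ROUTES, "192.0.2.1", "eth1"),
          loose_urpf(ROUTER_C_ROUTES, "192.0.2.1"))             # False False
```

The asymmetric route is what the rest of the page is about: the same packet that strict mode drops on eth1 would pass strict mode if it arrived on eth0, which is exactly the interface mismatch the page describes.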
Summary of the invention
The object of the invention is to provide a unicast reverse path forwarding method that overcomes the drawback of existing URPF technology, which wrongly discards some legitimate packets when routes are asymmetric, so that legitimate IP packets are still forwarded while packets with spoofed source IP addresses are effectively prevented from attacking a site.
To this end, the invention provides the following technical solution:
A unicast reverse path forwarding method comprises the following steps:
A. Establish a unicast reverse path forwarding (URPF) information table in the network device, whose entries carry a forwarding mark that records whether forwarding is allowed;
B. After an interface of the network device receives an IP data stream, look up the URPF information table by the source IP address and destination IP address of the stream;
C. If a matching entry exists in the URPF information table, forward or discard the stream according to the forwarding mark of that entry;
D. If no matching entry exists in the URPF information table, perform a URPF check on the source IP address and destination IP address of the stream; when the source IP address does not belong to the network segment of any interface of the device, check whether the stream was sent by an adjacent network device;
forward or discard the stream according to the result of the check, and add a corresponding entry to the URPF information table.
Step D comprises:
D1. Check whether the source IP address matches an entry in the device's routing table;
D2. If there is no matching entry, discard the stream and add an entry to the URPF information table with the forwarding mark set to "forbid";
D3. If there is a matching entry, further check whether the source IP address belongs to the network segment of one of the device's interfaces;
D4. When the source IP address belongs to the network segment of one of the device's interfaces, check whether the stream arrived on the interface that corresponds to that segment;
D5. If so, forward the stream and add an entry to the URPF information table with the forwarding mark set to "allow";
D6. If not, discard the stream and add an entry to the URPF information table with the forwarding mark set to "forbid";
D7. When the source IP address does not belong to the network segment of any interface of the device, check whether the stream was sent by an adjacent network device, forward or discard the stream according to the result, and add a corresponding entry to the URPF information table.
Step D7 comprises:
D71. The device sends a URPF request message to the upstream network device;
D72. If the device receives no response from the upstream network device within a first predetermined time, it discards the stream and adds an entry to the URPF information table with the forwarding mark set to "forbid";
D73. If the device receives a response from the upstream network device within the predetermined time, it forwards or discards the stream according to that response and adds a corresponding entry to the URPF information table.
Step D73 comprises:
If a URPF confirm response message is received from the upstream network device, forward the stream and add an entry to the URPF information table with the forwarding mark set to "allow";
If a URPF deny response message is received from the upstream network device, discard the stream and add an entry to the URPF information table with the forwarding mark set to "forbid".
The method further comprises:
E. When each entry of the URPF information table is created, give it an aging timestamp;
F. When the aging time of an entry is reached, delete the entry that the timestamp belongs to.
Step C further comprises:
C'. When the device receives an IP data stream and a matching entry exists in the URPF information table, refresh the aging timestamp and forwarding mark of that entry according to the stream.
Step C' comprises:
C1'. If the source IP address of the stream belongs to the network segment of one of the device's interfaces, refresh the aging timestamp of the entry directly;
C2'. If the source IP address of the stream does not belong to the network segment of any interface of the device, send a URPF request message to the upstream network device;
C3'. Refresh the aging timestamp and forwarding mark of the entry according to the response of the upstream network device.
Step C3' comprises:
C31'. If the upstream network device returns a URPF confirm response message within a second predetermined time, update the aging timestamp of the entry immediately; if the entry's forwarding mark is "allow", leave it unchanged, and if it is "forbid", change it to "allow";
C32'. If the upstream network device returns a URPF deny response message within the second predetermined time, update the aging timestamp of the entry immediately; if the entry's forwarding mark is "forbid", leave it unchanged, and if it is "allow", change it to "forbid";
C33'. If the upstream network device returns no URPF response message within the second predetermined time, proceed as follows:
when the entry's forwarding mark is "allow", let its aging timestamp continue to age;
when the entry's forwarding mark is "forbid", update its aging timestamp immediately.
The URPF request message, URPF confirm response message and URPF deny response message each contain at least: an Ethernet destination address, an Ethernet source address, the next-hop IP address of the data stream, and the destination IP address of the data stream.
Optionally, the URPF information table further contains: source IP address, destination IP address, incoming interface.
Optionally, the URPF information table further contains: source IP network segment, destination IP network segment, incoming interface.
As the above technical solution shows, the invention establishes a URPF (unicast reverse path forwarding) information table in the network device, checks received IP data streams against it, and decides from the forwarding mark in the table whether to forward or discard each stream. Where routes are asymmetric, entries can be added to the table by exchanging information with the adjacent network device, which avoids the defect of the prior art, where a URPF check made purely against the routing table discards some legitimate packets. Streams that must be discarded get entries as well, and the entries are maintained dynamically according to the streams received, which speeds up the URPF check. The invention can therefore discard IP packets carrying spoofed source IP addresses, securing the network, without affecting the forwarding of legitimate IP packets.
Description of drawings
Fig. 1 is the source address spoofing attack model;
Fig. 2 is a schematic of a network with asymmetric routes;
Fig. 3 is the flow chart of the method of the invention;
Fig. 4 is the flow chart of the URPF check on the source IP address and destination IP address of an IP data stream.
Embodiment
The core of the invention is to establish a URPF (unicast reverse path forwarding) information table in the network device, with a forwarding mark in each entry that records whether forwarding is allowed. After an interface of the device receives an IP data stream, the table is looked up by the stream's source IP address and destination IP address. If a matching entry exists, the stream is forwarded or discarded according to that entry's forwarding mark. If no matching entry exists, a URPF check is performed on the source IP address of the stream, the stream is forwarded or discarded according to the result, and a corresponding entry is added to the URPF information table.
The invention requires a URPF (unicast reverse path forwarding) information table in the network device. The table can be kept in hardware to improve processing efficiency.
The URPF information table contains interface information and a forwarding mark, and must also contain either flow information or network segment information.
For example, the URPF information table can be built as Table 1 below.
Table 1:
Source IP address | Destination IP address | Incoming interface | Forwarding mark |
10.10.10.10 | 20.20.20.20 | eth1 | Allow |
100.1.1.20 | 20.20.20.20 | eth0 | Allow |
10.10.10.10 | 20.20.20.30 | eth0 | Forbid |
This table contains the source IP address and destination IP address of the IP packets, the incoming interface of the data stream, and the forwarding mark.
A URPF information table can also be built as Table 2 below.
Table 2:
Source IP network segment | Destination IP network segment | Incoming interface | Forwarding mark |
100.1.3.0/24 | 0.0.0.0/0 | eth1 | Allow |
0.0.0.0/0 | 20.20.20.0/24 | eth1 | Allow |
10.10.10.10/32 | 20.20.20.20/32 | eth0 | Forbid |
The forwarding mark indicates whether the IP data stream matching the entry may be forwarded. Because the network topology and the network devices change, no entry can remain correct forever; to improve processing efficiency further, each entry can also carry an aging timestamp used to age the entry out. For example, the aging time can be set to 6 minutes: if the timestamp is not refreshed within 6 minutes, the corresponding entry is deleted.
The aging time can be configured on the command line of the network device, and the aging time of each entry's timestamp may be the same or different.
To help those skilled in the art understand the invention better, it is described in further detail below with reference to the drawings and embodiments.
Fig. 3 shows the flow of the method of the invention, which comprises the following steps:
Step 301: establish a unicast reverse path forwarding (URPF) information table in the network device, with a forwarding mark in each entry that records whether forwarding is allowed.
Step 302: the network device obtains the source IP address and destination IP address of a received IP data stream.
Step 303: look up the URPF information table by the source IP address and destination IP address of the stream.
If the table holds IP network segment information, the lookup checks for a matching network segment entry using the best-match principle, that is, among all entries that match, the one with the longest mask is chosen.
If a matching entry exists in the URPF information table, proceed to step 304: forward or discard the stream according to that entry's forwarding mark.
If the forwarding mark is "allow", the stream is forwarded in the usual way: the routing table is looked up to obtain the forwarding path, and the stream is sent out of the corresponding output port.
If the forwarding mark is "forbid", the stream comes from a spoofed source IP address and must be discarded.
For example, with Table 1 above, a data stream received on interface eth1 with source IP 10.10.10.10 and destination IP 20.20.20.20 is forwarded, while a data stream received on interface eth0 with source IP 10.10.10.10 and destination IP 20.20.20.30 is discarded.
If no matching entry exists in the URPF information table, proceed to step 305: perform a URPF check on the source IP address and destination IP address of the stream, forward or discard the stream according to the result, and add a corresponding entry to the URPF information table.
The URPF check on the source IP address and destination IP address of the stream proceeds as shown in Fig. 4:
Step 401: obtain the source IP address of the IP data stream.
Step 402: determine whether the source IP address matches an entry in the device's routing table, that is, whether a matching network segment entry exists in the routing table.
Matching uses the best-match principle: among all matching route entries, the one with the longest mask is chosen.
If there is no matching entry, proceed to step 403: discard the stream and add an entry to the URPF information table with the forwarding mark set to "forbid".
If there is a matching entry, proceed to step 404: further determine whether the source IP address belongs to the network segment of one of the device's interfaces.
Those skilled in the art know that a network device's interfaces must be configured with address segment information before the device operates. For example, the interface addresses of the routers in Fig. 2 are as follows:
Router A, interface toward router C: 100.1.1.1/24;
Router C, interface toward router A (eth0): 100.1.1.2/24;
Router A, interface toward router B: 100.1.2.1/24;
Router B, interface toward router A: 100.1.2.2/24;
Router B, interface toward router C: 100.1.3.2/24;
Router C, interface toward router B (eth1): 100.1.3.1/24.
If the source IP address belongs to the network segment of one of the device's interfaces, proceed to step 405: further determine whether the stream arrived on the interface that corresponds to that segment.
If so, proceed to step 407: forward the stream and add an entry to the URPF information table with the forwarding mark set to "allow".
If the URPF information table holds IP network segment information, the new entry's source segment field is filled with the prefix of the interface's network segment, the destination segment field with 0.0.0.0/0, and the incoming interface field with the interface name.
For example, in Fig. 2, if router C receives on interface eth0 an IP data stream with source IP address 100.1.1.10 and destination IP address 20.20.20.20, the stream passes the URPF check, is forwarded, and a corresponding entry is added.
If the table holds IP address information, the following entry is added:
100.1.1.10 | 20.20.20.20 | eth0 | Allow |
If the table holds IP network segment information, the following entry is added:
100.1.1.0/24 | 0.0.0.0/0 | eth0 | Allow |
This entry means: IP data streams arriving on interface eth0 whose source IP address is in 100.1.1.0/24 pass the check whatever their destination IP address.
If not, proceed to step 403: discard the stream and add an entry to the URPF information table with the forwarding mark set to "forbid".
For example, in Fig. 2, if router C receives on interface eth1 an IP data stream with source IP address 100.1.1.10 and destination IP address 20.20.20.20, the stream fails the URPF check, is discarded, and a corresponding entry is added.
If the table holds IP address information, the following entry is added:
100.1.1.10 | 20.20.20.20 | eth1 | Forbid |
If the table holds IP network segment information, the following entry is added:
100.1.1.0/24 | 0.0.0.0/0 | eth1 | Forbid |
This entry means: IP data streams arriving on interface eth1 whose source IP address is in 100.1.1.0/24 fail the check whatever their destination IP address.
If the source IP address does not belong to the network segment of any interface of the device, proceed to step 406: check whether the stream was sent by an adjacent network device, forward or discard the stream according to the result, and add a corresponding entry to the URPF information table.
A source IP address that belongs to none of the device's interface segments means the packet may have been forwarded by an adjacent network device, as happens when the network contains asymmetric routes. The device must then exchange information with the adjacent network device to determine whether the stream's source IP address is genuine.
To enable this exchange with the adjacent network device, URPF protocol messages are introduced, of the following three kinds:
URPF request message: sent by the network device that received the IP data stream to the upstream network device, asking it to confirm whether it sent that stream;
URPF confirm response message: sent by the upstream network device in reply to a URPF request from a downstream device when the stream really was sent by the upstream device;
URPF deny response message: sent by the upstream network device in reply to a URPF request from a downstream device when the stream was not sent by the upstream device.
Each of these three URPF messages contains at least the following information:
Ethernet destination address, Ethernet source address, next-hop IP address of the data stream, destination IP address of the data stream.
The URPF message format can follow the format of an ARP (Address Resolution Protocol) message.
Those skilled in the art know that ARP is an important part of the TCP/IP (Transmission Control Protocol/Internet Protocol) suite, used mainly to bind an Ethernet card's hardware address to an IP address. The Ethernet ARP message format comprises: hardware type, protocol type, hardware address length, protocol address length, operation field, sender Ethernet address, sender IP address, target Ethernet address and target IP address.
For example, the URPF message format can be set as in Table 3 below:
Table 3:
Ethernet destination address | Ethernet source address | Frame type | Hardware type | Protocol type | Hardware address length | Protocol address length | Operation type | Confirm or deny | Data stream next-hop IP address | Reserved | Data stream destination IP address |
6 | 6 | 2 | 2 | 2 | 1 | 1 | 2 | 6 | 4 | 6 | 4 |
The fields, with their widths in bytes, mean the following:
Ethernet destination address: 6 bytes, the MAC address of the destination device; same as ARP;
Ethernet source address: 6 bytes, the MAC address of the sending device; same as ARP;
Frame type: 2 bytes, the ARP frame type, value 0x0806; same as ARP;
Hardware type: 2 bytes, value 1, meaning Ethernet; same as ARP;
Protocol type: 2 bytes, value 0x0800, meaning IP addresses; same as ARP;
Hardware address length: 1 byte, value 6; same as ARP;
Protocol address length: 1 byte, value 4; same as ARP;
Operation type: 2 bytes; ARP uses the four values 1, 2, 3 and 4, whereas URPF uses the two values 0 and 0xffff, 0 meaning a URPF request and 0xffff a URPF reply; differs from ARP;
Confirm or deny: 6 bytes; in a URPF response message 0 means deny and 1 means confirm; in a URPF request message the field is meaningless and filled with 0; differs from ARP;
Data stream next-hop IP address: 4 bytes, the IP address of the network device sending the URPF request, which for the queried upstream device is the next-hop address of the corresponding route entry; differs from ARP;
Reserved field: 6 bytes, unused for now; differs from ARP;
Data stream destination IP address: 4 bytes, the destination IP address of the IP data stream; differs from ARP.
If the URPF information table holds IP network segment information, the reserved field can be used as prefix information so that the upstream network device can return its network segment: 4 bytes of network segment address followed by 2 bytes of prefix length. The field is meaningless in a URPF request message and filled with 0; in a URPF confirm response message it holds the best-matching route segment of the responding device.
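The Table 3 layout packed and parsed with the standard library, plus the upstream side of the exchange, as an added example that is not the patent's code. The 42-byte frame is the Ethernet ARP layout with the sender/target fields reinterpreted as the table says, so an ordinary ARP frame (opcode 1 to 4) is rejected by the parser. The MAC addresses and router B's routing table are constructed for the example. The page has the upstream device answer purely from its best-matching route to the flow's destination (step 203 below); this example additionally compares that route's next hop with the request's next-hop field, which the page describes as carrying exactly that value but does not list as a check.

```python
"""Added example: URPF request/response frames of Table 3 (CN100566294C) and
the upstream responder. Not the patent's code; MACs and routes are constructed."""
import struct
import ipaddress

Net, IPv4 = ipaddress.IPv4Network, ipaddress.IPv4Address

ETHERTYPE_ARP = 0x0806                 # frame type reused from ARP
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 0x0000, 0xFFFF  # ARP itself uses opcodes 1..4
# Table 3 field widths: 6 6 2 2 2 1 1 2 6 4 6 4 (network byte order)
_LAYOUT = "!6s6sHHHBBH6s4s6s4s"
FRAME_LEN = struct.calcsize(_LAYOUT)   # 42, identical to an Ethernet ARP frame


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_request(dst_mac, src_mac, requester_ip, flow_dst):
    """Downstream device asks the upstream: did you send the flow to flow_dst
    via me? requester_ip is the downstream's own address (next hop as the
    upstream sees it); confirm/deny and reserved are zero in a request."""
    return struct.pack(_LAYOUT, _mac(dst_mac), _mac(src_mac), ETHERTYPE_ARP,
                       HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, OP_REQUEST,
                       bytes(6), IPv4(requester_ip).packed, bytes(6),
                       IPv4(flow_dst).packed)


def build_reply(dst_mac, src_mac, requester_ip, flow_dst, confirm, prefix=None):
    """Upstream reply. A confirm may carry the best-matching route in the
    reserved field as 4-byte network address + 2-byte prefix length."""
    reserved = bytes(6)
    if confirm and prefix is not None:
        reserved = prefix.network_address.packed + struct.pack("!H", prefix.prefixlen)
    return struct.pack(_LAYOUT, _mac(dst_mac), _mac(src_mac), ETHERTYPE_ARP,
                       HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, OP_REPLY,
                       (1 if confirm else 0).to_bytes(6, "big"),
                       IPv4(requester_ip).packed, reserved, IPv4(flow_dst).packed)


def parse(frame):
    """Decode a URPF frame into a dict; reject anything that is not one."""
    if len(frame) != FRAME_LEN:
        raise ValueError("wrong frame length")
    (dst, src, ethertype, htype, ptype, hlen, plen, op,
     ack, next_hop, reserved, flow_dst) = struct.unpack(_LAYOUT, frame)
    if (ethertype, htype, ptype, hlen, plen) != (ETHERTYPE_ARP, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an ARP-shaped Ethernet/IPv4 frame")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError("ARP opcode, not a URPF message")
    msg = {"dst_mac": _mac_str(dst), "src_mac": _mac_str(src),
           "op": "request" if op == OP_REQUEST else "reply",
           "next_hop": IPv4(next_hop), "flow_dst": IPv4(flow_dst),
           "confirm": None, "prefix": None}
    if op == OP_REPLY:
        msg["confirm"] = int.from_bytes(ack, "big") == 1
        # an all-zero reserved field means "no prefix" (a default route encodes the same way)
        if msg["confirm"] and reserved != bytes(6):
            msg["prefix"] = Net((reserved[:4], struct.unpack("!H", reserved[4:])[0]))
    return msg


def answer_request(frame, my_mac, routing_table):
    """Step 203 on the upstream device. routing_table: {prefix: next_hop}.
    Confirms when the best-matching route for the flow destination exists
    and (this example's extra check) its next hop is the requester."""
    req = parse(frame)
    if req["op"] != "request":
        raise ValueError("not a URPF request")
    best = max((n for n in routing_table if req["flow_dst"] in n),
               key=lambda n: n.prefixlen, default=None)
    confirm = best is not None and routing_table[best] == req["next_hop"]
    return build_reply(req["src_mac"], my_mac, req["next_hop"], req["flow_dst"],
                       confirm, best if confirm else None)


# Constructed scenario: router C (100.1.3.1 on eth1) asks router B about S1's flow.
# Router B reaches 20.20.20.0/24 via C (100.1.3.1) and everything else via A (100.1.2.1).
ROUTER_B_ROUTES = {Net("20.20.20.0/24"): IPv4("100.1.3.1"),
                   Net("10.10.10.0/24"): IPv4("100.1.2.1"),
                   Net("0.0.0.0/0"): IPv4("100.1.2.1")}
MAC_C, MAC_B = "02:00:00:00:0c:01", "02:00:00:00:0b:02"   # constructed MACs

if __name__ == "__main__":
    req = build_request(MAC_B, MAC_C, "100.1.3.1", "20.20.20.20")
    print(parse(answer_request(req, MAC_B, ROUTER_B_ROUTES)))   # confirm, prefix 20.20.20.0/24
    req = build_request(MAC_B, MAC_C, "100.1.3.1", "203.0.113.9")
    print(parse(answer_request(req, MAC_B, ROUTER_B_ROUTES)))   # deny: default route points at A
```

Because the frame is carried with the ARP EtherType, a receiver that hands all 0x0806 frames to its ARP code must check the opcode first; the two URPF opcodes were chosen precisely so that they do not collide with ARP's 1 to 4.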
Depending on the device, the routing table may be the routing information table kept on the device's software platform or the hardware forwarding table kept in the device's forwarding chip. On a conventional router it is usually called the routing information table; on a layer-3 switch or fifth-generation router the routing information usually lives in dedicated hardware and is called the hardware forwarding table.
The exchange between the device and the adjacent network device using URPF messages is described in detail below.
When the source IP address does not belong to any interface segment of the device, the device sends a URPF request message to the upstream network device. On receiving the request, the upstream device looks up the best-matching route entry for the destination IP address field of the request in its local routing table. If a best-matching entry exists, it places the entry's network prefix in the prefix information of a URPF confirm response message and replies; if no entry matches, it sends a deny response message.
If no URPF response message arrives from the upstream device within the reply wait time (the first predetermined time), the adjacent network device does not exist and the IP packet is a spoofed packet: the received stream is discarded directly and an entry is added to the URPF information table with the forwarding mark set to "forbid".
If the table holds IP network segment information, the new entry's source segment field is filled with the stream's source IP address with a 32-bit mask, the destination segment field with the stream's destination IP address with a 32-bit mask, and the incoming interface field with the stream's incoming interface name.
If a URPF response message does arrive within the reply wait time (the first predetermined time) and it is a deny response, the stream received by the device was not forwarded by the adjacent network device and is a spoofed packet: it is discarded directly and an entry is added with the forwarding mark set to "forbid". If it is a confirm response, the packet was legitimately forwarded by the adjacent network device and can be forwarded normally; an entry is added with the forwarding mark set to "allow".
For example, in Fig. 2, router C receives on interface eth0 an IP packet whose source IP address is 8.8.8.8, destination IP address 20.20.20.20, source MAC address Mac0 (the MAC address of router A) and destination MAC address Mac_RTC. Router C therefore sends the URPF request message shown in Table 4 below. No URPF reply is received, so the packet is dropped directly and a corresponding entry is added with the forwarding flag set to forbid forwarding.
Table 4:
Ethernet destination address | Ethernet source address | Frame type | Hardware type | Protocol type | Hardware address length | Protocol address length | Operation type | Confirm/deny | Next-hop IP address | Prefix information | Destination IP address |
---|---|---|---|---|---|---|---|---|---|---|---|
Mac0 | Mac_RTC | 0x0806 | 1 | 0x0800 | 6 | 4 | 0 | 0 | 100.1.1.2 | 0 | 20.20.20.20 |
The entry added is:
Source IP network segment | Destination IP network segment | Ingress interface | Forwarding flag |
---|---|---|---|
8.8.8.8/32 | 20.20.20.20/32 | eth0 | Forbid |
The meaning of this entry is: IP traffic arriving on interface eth0 with source IP address 8.8.8.8 and destination IP address 20.20.20.20 fails the URPF check and is discarded directly.
If router C receives on interface eth0 an IP packet whose source IP address is 9.9.9.9, destination IP address 20.20.20.20, source MAC address Mac0 and destination MAC address Mac_RTC, it sends the URPF request message shown in Table 5 below. This time a URPF deny response is received (the response differs from the request in that Mac0 and Mac_RTC are swapped), so the packet is dropped directly and a corresponding entry is added with the forwarding flag set to forbid forwarding.
Table 5:
Ethernet destination address | Ethernet source address | Frame type | Hardware type | Protocol type | Hardware address length | Protocol address length | Operation type | Confirm/deny | Next-hop IP address | Prefix information | Destination IP address |
---|---|---|---|---|---|---|---|---|---|---|---|
Mac0 | Mac_RTC | 0x0806 | 1 | 0x0800 | 6 | 4 | 0 | 0 | 100.1.1.2 | 0 | 20.20.20.20 |
The entry added is:
Source IP network segment | Destination IP network segment | Ingress interface | Forwarding flag |
---|---|---|---|
9.9.9.9/32 | 20.20.20.20/32 | eth0 | Forbid |
The meaning of this entry is: IP traffic arriving on interface eth0 with source IP address 9.9.9.9 and destination IP address 20.20.20.20 fails the URPF check and is discarded directly.
If router C receives on interface eth1 an IP packet whose source IP address is 10.10.10.20, destination IP address 20.20.20.20, source MAC address Mac0 and destination MAC address Mac_RTC, it sends the URPF request message shown in Table 6 below:
Table 6:
Ethernet destination address | Ethernet source address | Frame type | Hardware type | Protocol type | Hardware address length | Protocol address length | Operation type | Confirm/deny | Next-hop IP address | Prefix information | Destination IP address |
---|---|---|---|---|---|---|---|---|---|---|---|
Mac0 | Mac_RTC | 0x0806 | 1 | 0x0800 | 6 | 4 | 0 | 0 | 100.1.3.1 | 0 | 20.20.20.20 |
This time a URPF confirm response message is received, shown in Table 7 below.
Table 7:
Ethernet destination address | Ethernet source address | Frame type | Hardware type | Protocol type | Hardware address length | Protocol address length | Operation type | Confirm/deny | Next-hop IP address | Prefix information | Destination IP address |
---|---|---|---|---|---|---|---|---|---|---|---|
Mac0 | Mac_RTC | 0x0806 | 1 | 0x0800 | 6 | 4 | 0xffff | 1 | 100.1.3.1 | 20.20.20.0/24 | 20.20.20.20 |
The packet therefore passes the URPF check, and the following entry is added with the forwarding flag set to allow forwarding:
Source IP network segment | Destination IP network segment | Ingress interface | Forwarding flag |
---|---|---|---|
0.0.0.0/0 | 20.20.20.0/24 | eth1 | Allow |
The meaning of this entry is: IP traffic arriving on interface eth1 with any source IP address and a destination IP address in the 20.20.20.0/24 network segment passes the URPF check.
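The message layout above and the three exchanges of Fig. 2, as an added example that is not code from the patent: it packs and parses the ARP-shaped URPF message with the field widths given above (the 2-byte operation, 6-byte confirm/deny, 4-byte next-hop, 4+2-byte prefix and 4-byte destination fields occupy the positions of ARP's sender/target address fields, so the frame is 42 bytes like an ARP frame), implements the upstream device's best-match lookup and reply, and derives the entry the local device adds. The MAC values standing in for Mac0 and Mac_RTC, the upstream routing tables, and the `send` callback that stands in for waiting out the first scheduled time are constructed assumptions.

```python
import ipaddress
import struct
from typing import Callable, List, Optional

# Constructed MAC values standing in for the page's symbolic Mac0 (router A) and Mac_RTC (router C).
MAC0 = bytes.fromhex("020000000001")
MAC_RTC = bytes.fromhex("020000000003")

ETH_TYPE_ARP = 0x0806                      # the URPF message reuses the ARP frame type
HW_ETHERNET, PROTO_IPV4, HLEN, PLEN = 1, 0x0800, 6, 4
OP_URPF_REQUEST, OP_URPF_REPLY = 0x0000, 0xFFFF
DENY, CONFIRM = 0, 1

# Ethernet header (dst 6, src 6, type 2) followed by the ARP-sized 28-byte body:
# hw type 2 | proto type 2 | hlen 1 | plen 1 | op 2 | confirm/deny 6 | next-hop IP 4 |
# prefix info: segment 4 + prefix length 2 (the "reserved" field) | destination IP 4
FRAME_FMT = "!6s6sHHHBBH6s4s4sH4s"
FRAME_LEN = struct.calcsize(FRAME_FMT)     # 42 bytes, the same size as an ARP frame


def build_frame(dst_mac: bytes, src_mac: bytes, op: int, verdict: int,
                next_hop, dst_ip, prefix: Optional[ipaddress.IPv4Network] = None) -> bytes:
    """Serialise a URPF request (op 0) or reply (op 0xffff); prefix is only set in confirm replies."""
    seg, seg_len = (b"\0" * 4, 0) if prefix is None else (prefix.network_address.packed, prefix.prefixlen)
    return struct.pack(FRAME_FMT, dst_mac, src_mac, ETH_TYPE_ARP,
                       HW_ETHERNET, PROTO_IPV4, HLEN, PLEN, op,
                       verdict.to_bytes(6, "big"),
                       ipaddress.IPv4Address(next_hop).packed,
                       seg, seg_len,
                       ipaddress.IPv4Address(dst_ip).packed)


def parse_frame(frame: bytes) -> dict:
    """Decode a URPF frame; ordinary ARP (op 1..4) is rejected so the ARP stack can keep it."""
    f = struct.unpack(FRAME_FMT, frame)
    if f[2] != ETH_TYPE_ARP or f[7] not in (OP_URPF_REQUEST, OP_URPF_REPLY):
        raise ValueError("not a URPF message")
    return {"dst_mac": f[0], "src_mac": f[1], "op": f[7],
            "verdict": int.from_bytes(f[8], "big"),
            "next_hop": ipaddress.IPv4Address(f[9]),
            "prefix": ipaddress.ip_network((f[10], f[11])),
            "dst_ip": ipaddress.IPv4Address(f[12])}


def upstream_respond(request: bytes, routing_table: List[ipaddress.IPv4Network]) -> bytes:
    """Upstream device: best-match lookup of the request's destination IP in its own table;
    confirm (carrying the matched prefix) if a route exists, otherwise deny. MACs are swapped."""
    req = parse_frame(request)
    hits = [n for n in routing_table if req["dst_ip"] in n]
    best = max(hits, key=lambda n: n.prefixlen, default=None)
    return build_frame(req["src_mac"], req["dst_mac"], OP_URPF_REPLY,
                       CONFIRM if best is not None else DENY,
                       req["next_hop"], req["dst_ip"], best)


def urpf_check(src_ip: str, dst_ip: str, ingress: str, frame_src_mac: bytes,
               my_mac: bytes, my_ip: str, send: Callable[[bytes], Optional[bytes]]):
    """Local device, source outside its interface segments: ask the neighbour that handed us the
    frame and return (action, table entry). `send` returns the reply, or None when nothing arrives
    within the first scheduled time (the wait itself is not modelled here)."""
    request = build_frame(frame_src_mac, my_mac, OP_URPF_REQUEST, 0, my_ip, dst_ip)
    reply = send(request)
    if reply is not None:
        r = parse_frame(reply)
        # correlating the reply's destination IP with our request is an added sanity check, not from the page
        if r["op"] == OP_URPF_REPLY and r["dst_ip"] == ipaddress.IPv4Address(dst_ip) \
                and r["verdict"] == CONFIRM:
            return "forward", (ipaddress.ip_network("0.0.0.0/0"), r["prefix"], ingress, "allow")
    # timeout or deny: treated as spoofed; host entries, forbid forwarding
    return "drop", (ipaddress.ip_network(f"{src_ip}/32"), ipaddress.ip_network(f"{dst_ip}/32"),
                    ingress, "forbid")


def run_fig2():
    """The three packets of Fig. 2. Neighbour behaviour and routing tables are constructed."""
    no_neighbor = lambda req: None                                        # case 1: no reply at all
    neighbor_without_route = lambda req: upstream_respond(req, [ipaddress.ip_network("100.1.1.0/24")])
    neighbor_with_route = lambda req: upstream_respond(
        req, [ipaddress.ip_network("100.1.3.0/24"), ipaddress.ip_network("20.20.20.0/24")])
    return [
        urpf_check("8.8.8.8", "20.20.20.20", "eth0", MAC0, MAC_RTC, "100.1.1.2", no_neighbor),
        urpf_check("9.9.9.9", "20.20.20.20", "eth0", MAC0, MAC_RTC, "100.1.1.2", neighbor_without_route),
        urpf_check("10.10.10.20", "20.20.20.20", "eth1", MAC0, MAC_RTC, "100.1.3.1", neighbor_with_route),
    ]


if __name__ == "__main__":
    for action, entry in run_fig2():
        print(action, " | ".join(str(x) for x in entry))
```

Running the block prints the three verdicts of Tables 4 to 7: two host entries marked forbid for 8.8.8.8 and 9.9.9.9 on eth0, and the 0.0.0.0/0 to 20.20.20.0/24 allow entry on eth1 taken from the confirm reply's prefix field.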
As mentioned above, to improve the efficiency of URPF checking an aging timestamp can be set for each entry in the URPF information table; it is set when the entry is created. The aging timestamps of different entries may be the same or different.
Every entry in the URPF information table is created when the network device receives the corresponding IP traffic for the first time. After receiving IP traffic, the device checks whether a corresponding entry exists in the table; if not, it adds one, sets the entry's forwarding flag according to the result of the URPF check on the traffic, and starts the aging timestamp.
An entry can be added in several ways, for example by adding a row at the end or at the front of the URPF information table and writing the corresponding values into its source IP, destination IP and ingress-interface fields.
The aging time can be set from the device's command line; for example it can be set to 4 minutes, and the default is 6 minutes. If the timestamp is not refreshed within the aging time, the corresponding entry is deleted.
For every entry in the URPF table the device must periodically check whether matching IP traffic is still arriving. If it is not, the aging timestamp is not refreshed, and the entry is deleted as soon as the aging time expires.
When the local device receives IP traffic for which a corresponding entry already exists in the URPF information table, it refreshes that entry's aging timestamp and forwarding flag according to the traffic.
The refresh process is as follows:
(1) If the source IP address of the IP traffic belongs to a corresponding interface network segment of the local device, the aging timestamp of the corresponding entry is refreshed directly and the forwarding flag is left unchanged.
(2) If the source IP address of the IP traffic does not belong to a corresponding interface network segment of the local device, a URPF request message is sent to the upstream network device, and the aging timestamp and forwarding flag of the corresponding entry are refreshed according to the upstream device's response. There are three cases:
a. If the upstream device returns a URPF confirm response within the response wait time (the second scheduled time), the aging timestamp of the entry is updated immediately; a forwarding flag of allow forwarding is left unchanged, and a flag of forbid forwarding is changed to allow forwarding.
b. If the upstream device returns a URPF deny response within the response wait time (the second scheduled time), the aging timestamp of the entry is updated immediately; a forwarding flag of forbid forwarding is left unchanged, and a flag of allow forwarding is changed to forbid forwarding.
c. If the upstream device returns no URPF response within the response wait time (the second scheduled time): when the entry's forwarding flag is allow forwarding, its aging timestamp is not refreshed and the entry continues to age; when the flag is forbid forwarding, the aging timestamp is updated immediately.
Note that for a URPF information table holding network-segment information, the destination IP address field of the URPF request message used for refreshing carries the network-segment address of the destination segment of the corresponding entry; for the second entry of Table 2, for example, 20.20.20.0 is loaded into the destination IP address field of the request.
For a URPF information table holding IP address information, the destination IP address field of the refresh request carries the destination IP address of the corresponding entry.
The period for sending request messages can be set to 2 minutes.
To reduce implementation complexity, the URPF response wait time used when checking IP traffic (the first scheduled time) and the one used when refreshing aging timestamps (the second scheduled time) can be set to the same value.
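The aging and refresh behaviour just described, as an added example that is not the patent's code: a URPF table whose entries carry a forwarding flag and an aging timestamp, the refresh rules (1) and (2a) to (2c), the refresh request's destination address for segment entries, and expiry of entries whose timestamp was not refreshed within the aging time. The 6-minute default aging time and 2-minute request period are the page's values; the entries, timestamps and the silent upstream device in `simulate` are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_AGING = 6 * 60     # seconds; the page's default of 6 minutes (4 minutes is its CLI example)
REFRESH_PERIOD = 2 * 60    # the page's example period for sending refresh requests


@dataclass
class UrpfEntry:
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    ingress: str
    allow: bool            # forwarding flag: True = allow forwarding, False = forbid forwarding
    stamp: float           # aging timestamp, set when the entry is created


class UrpfTable:
    def __init__(self, aging: float = DEFAULT_AGING):
        self.aging = aging
        self.entries: List[UrpfEntry] = []

    def add(self, src_net: str, dst_net: str, ingress: str, allow: bool, now: float) -> UrpfEntry:
        """Create an entry on first sight of a flow; the new row goes at the end of the table."""
        e = UrpfEntry(ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net), ingress, allow, now)
        self.entries.append(e)
        return e

    def lookup(self, src_ip: str, dst_ip: str, ingress: str) -> Optional[UrpfEntry]:
        """Find the entry matching a packet's source, destination and ingress interface."""
        src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        for e in self.entries:
            if e.ingress == ingress and src in e.src_net and dst in e.dst_net:
                return e
        return None

    @staticmethod
    def request_target(e: UrpfEntry) -> str:
        """Destination IP carried in the refresh request: the segment address for a segment
        entry (20.20.20.0 for 20.20.20.0/24); a /32 entry simply yields its host address."""
        return str(e.dst_net.network_address)

    def refresh(self, e: UrpfEntry, now: float, src_local: bool, reply: Optional[str]) -> bool:
        """Refresh rules (1) and (2a-c). reply is 'confirm', 'deny', or None when the upstream
        device did not answer within the second scheduled time. Returns the resulting flag."""
        if src_local:                         # (1) source inside one of our interface segments
            e.stamp = now
        elif reply == "confirm":              # (2a) refresh; forbid becomes allow
            e.stamp, e.allow = now, True
        elif reply == "deny":                 # (2b) refresh; allow becomes forbid
            e.stamp, e.allow = now, False
        elif not e.allow:                     # (2c) silent neighbour: forbid entries are refreshed
            e.stamp = now
        # (2c) silent neighbour, allow entry: the stamp is left alone so the entry keeps aging
        return e.allow

    def expire(self, now: float) -> List[UrpfEntry]:
        """Delete entries whose stamp was not refreshed within the aging time; return them."""
        dead = [e for e in self.entries if now - e.stamp >= self.aging]
        self.entries = [e for e in self.entries if all(e is not d for d in dead)]
        return dead


def simulate(aging: float = DEFAULT_AGING):
    """Constructed run: one allow and one forbid entry created at t=0, the upstream device
    silent throughout. Refresh requests go out every REFRESH_PERIOD; returns what is left
    once the aging time has elapsed."""
    t = UrpfTable(aging)
    t.add("0.0.0.0/0", "20.20.20.0/24", "eth1", True, 0)
    t.add("8.8.8.8/32", "20.20.20.20/32", "eth0", False, 0)
    now = 0
    while now < aging:
        now += REFRESH_PERIOD
        for e in list(t.entries):
            t.refresh(e, now, src_local=False, reply=None)
        t.expire(now)
    return [(str(e.src_net), str(e.dst_net), e.ingress, e.allow) for e in t.entries]


if __name__ == "__main__":
    print(simulate())   # the silent neighbour lets the allow entry age out; the forbid entry stays
```

The asymmetry in rule (2c) is what `simulate` shows: with no neighbour answering, an allow entry is gone after one aging period while a forbid entry is kept alive indefinitely, so loss of the upstream device fails closed for the flows it had vouched for.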
The present invention can be applied not only to router devices but also to switch devices. The URPF information table is kept in device software or hardware, so that the network device strictly checks every IP traffic flow it receives: IP packets with spoofed source IP addresses are dropped, while normal IP packets are still forwarded. Applied on the routing devices of an entire network, the invention can effectively improve the security of the whole network.
Although the present invention has been described by way of embodiments, those of ordinary skill in the art will recognise that it admits many variations and modifications without departing from its spirit, and the appended claims are intended to cover such variations and modifications.
Claims (11)
1. A unicast reverse path forwarding method, characterised in that it comprises the following steps:
A. establishing a unicast reverse path forwarding (URPF) information table in the network device, the table providing a flag indicating whether forwarding is allowed;
B. after an interface of the network device receives IP traffic, looking up the URPF information table by the source IP address and destination IP address of the traffic;
C. if a corresponding entry exists in the URPF information table, forwarding or dropping the traffic according to the forwarding flag of that entry;
D. if no corresponding entry exists in the URPF information table, performing a URPF check on the source and destination IP addresses of the traffic and, when the source IP address does not belong to the corresponding interface network segment of the local device, checking whether the traffic was sent by an adjacent network device;
deciding to forward or drop the traffic according to the check result, and adding a corresponding entry to the URPF information table.
2. The method of claim 1, characterised in that step D comprises:
D1. checking whether the source IP address matches an entry in the local device's routing table;
D2. if there is no matching entry, dropping the traffic and adding a corresponding entry to the URPF information table with its forwarding flag set to forbid forwarding;
D3. if there is a matching entry, further checking whether the source IP address belongs to a corresponding interface network segment of the local device;
D4. when the source IP address belongs to a corresponding interface network segment of the local device, checking whether the traffic arrived on the ingress interface corresponding to that network segment;
D5. if so, forwarding the traffic and adding a corresponding entry to the URPF information table with its forwarding flag set to allow forwarding;
D6. if not, dropping the traffic and adding a corresponding entry to the URPF information table with its forwarding flag set to forbid forwarding;
D7. when the source IP address does not belong to a corresponding interface network segment of the local device, checking whether the traffic was sent by an adjacent network device, deciding to forward or drop it according to the check result, and adding a corresponding entry to the URPF information table.
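The D1 to D7 decision of claim 2 as an added example that is not the patent's code, with the neighbour exchange of step D7 (claims 3 and 4) reduced to a callback that returns the upstream verdict. The routing table, the neighbour behaviours and the interface addresses (100.1.1.2/24 on eth0 and 100.1.3.1/24 on eth1, assumed from the next-hop values in Tables 4 and 6) are constructed.

```python
import ipaddress
from typing import Callable, Dict, Optional, Tuple

Net = ipaddress.IPv4Network
ALLOW, FORBID = "allow", "forbid"
# ask_neighbor(ingress, dst_ip) -> ("confirm", prefix) | ("deny", None) | (None, None) on timeout
Neighbour = Callable[[str, str], Tuple[Optional[str], Optional[str]]]


class Device:
    """Local device with a routing table (prefix -> egress interface) and the network
    segments configured on its own interfaces. Both are constructed for this example."""

    def __init__(self, routes: Dict[str, str], interfaces: Dict[str, str]):
        self.routes = {ipaddress.ip_network(p): ifc for p, ifc in routes.items()}
        self.segments = {ifc: ipaddress.ip_network(a, strict=False) for ifc, a in interfaces.items()}

    def best_route(self, ip: ipaddress.IPv4Address) -> Optional[Net]:
        """Longest-prefix match of ip in the local routing table (step D1)."""
        hits = [p for p in self.routes if ip in p]
        return max(hits, key=lambda p: p.prefixlen, default=None)

    def segment_interface(self, ip: ipaddress.IPv4Address) -> Optional[str]:
        """Interface whose own network segment contains ip, if any (step D3)."""
        for ifc, seg in self.segments.items():
            if ip in seg:
                return ifc
        return None

    def urpf_check(self, src_ip: str, dst_ip: str, ingress: str, ask_neighbor: Neighbour):
        """Steps D1..D7 for a packet with no table entry: returns (action, entry to add), where
        entry = (source segment, destination segment, ingress interface, forwarding flag)."""
        src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        host_entry = (f"{src}/32", f"{dst}/32", ingress)
        if self.best_route(src) is None:                      # D1/D2: unroutable source
            return "drop", host_entry + (FORBID,)
        seg_ifc = self.segment_interface(src)                 # D3: one of our own segments?
        if seg_ifc is not None:                               # D4: must arrive on that interface
            if seg_ifc == ingress:
                return "forward", host_entry + (ALLOW,)       # D5
            return "drop", host_entry + (FORBID,)             # D6: local address, wrong interface
        verdict, prefix = ask_neighbor(ingress, str(dst))     # D7 / D71..D73
        if verdict == "confirm":
            return "forward", ("0.0.0.0/0", prefix, ingress, ALLOW)
        return "drop", host_entry + (FORBID,)                 # deny, or no reply in time


def demo() -> Dict[str, tuple]:
    """Six constructed packets covering every branch of D1..D7."""
    c = Device(
        routes={"100.1.1.0/24": "eth0", "100.1.3.0/24": "eth1", "8.0.0.0/8": "eth0",
                "9.0.0.0/8": "eth0", "10.10.10.0/24": "eth1", "20.20.20.0/24": "eth1"},
        interfaces={"eth0": "100.1.1.2/24", "eth1": "100.1.3.1/24"},
    )
    silent = lambda ingress, dst: (None, None)           # neighbour never answers
    denying = lambda ingress, dst: ("deny", None)
    confirming = lambda ingress, dst: ("confirm", "20.20.20.0/24")
    return {
        "no_route": c.urpf_check("192.0.2.1", "20.20.20.20", "eth0", silent),
        "local_ok": c.urpf_check("100.1.1.5", "20.20.20.20", "eth0", silent),
        "local_wrong_iface": c.urpf_check("100.1.1.5", "20.20.20.20", "eth1", silent),
        "timeout": c.urpf_check("8.8.8.8", "20.20.20.20", "eth0", silent),
        "denied": c.urpf_check("9.9.9.9", "20.20.20.20", "eth0", denying),
        "confirmed": c.urpf_check("10.10.10.20", "20.20.20.20", "eth1", confirming),
    }


if __name__ == "__main__":
    for name, (action, entry) in demo().items():
        print(f"{name:18} {action:8} {' | '.join(entry)}")
```

The `local_wrong_iface` case is the one the neighbour exchange never sees: a packet claiming one of the device's own interface addresses is judged purely by the interface it arrived on (D4 to D6), and only sources outside every local segment trigger the request of D7.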
3. The method of claim 2, characterised in that step D7 comprises:
D71. the local device sending a URPF request message to the upstream network device;
D72. if the local device receives no response from the upstream device within a first scheduled time, dropping the traffic and adding a corresponding entry to the URPF information table with its forwarding flag set to forbid forwarding;
D73. if the local device receives a response from the upstream device within the scheduled time, deciding to forward or drop the traffic according to that response, and adding a corresponding entry to the URPF information table.
4. The method of claim 3, characterised in that step D73 comprises:
if a URPF confirm response message is received from the upstream device, forwarding the traffic and adding a corresponding entry to the URPF information table with its forwarding flag set to allow forwarding;
if a URPF deny response message is received from the upstream device, dropping the traffic and adding a corresponding entry to the URPF information table with its forwarding flag set to forbid forwarding.
5. The method of any one of claims 1 to 4, characterised in that it further comprises:
E. when each entry of the URPF information table is created, setting an aging timestamp for that entry;
F. when the aging time expires, deleting the entry corresponding to that aging timestamp.
6. The method of claim 5, characterised in that step C further comprises:
C'. after the local device receives IP traffic, if a corresponding entry exists in the URPF information table, refreshing the aging timestamp and forwarding flag of that entry according to the IP traffic.
7. The method of claim 6, characterised in that step C' comprises:
C1'. if the source IP address of the IP traffic belongs to a corresponding interface network segment of the local device, directly refreshing the aging timestamp of the corresponding entry;
C2'. if the source IP address of the IP traffic does not belong to a corresponding interface network segment of the local device, sending a URPF request message to the upstream network device;
C3'. refreshing the aging timestamp and forwarding flag of the corresponding entry according to the response of the upstream network device.
8. The method of claim 7, characterised in that step C3' comprises:
C31'. if the upstream device returns a URPF confirm response message within a second scheduled time, updating the aging timestamp of the corresponding entry immediately; if the entry's forwarding flag is allow forwarding, leaving it unchanged, and if it is forbid forwarding, changing it to allow forwarding;
C32'. if the upstream device returns a URPF deny response message within the second scheduled time, updating the aging timestamp of the corresponding entry immediately; if the entry's forwarding flag is forbid forwarding, leaving it unchanged, and if it is allow forwarding, changing it to forbid forwarding;
C33'. if the upstream device returns no URPF response message within the second scheduled time, proceeding as follows:
when the entry's forwarding flag is allow forwarding, letting the entry's aging timestamp continue to age;
when the entry's forwarding flag is forbid forwarding, updating the entry's aging timestamp immediately.
9. The method of claim 8, characterised in that the URPF request message, the URPF confirm response message and the URPF deny response message each comprise at least:
an Ethernet destination address, an Ethernet source address, a data-flow next-hop IP address and a data-flow destination IP address.
10. The method of any one of claims 1 to 4, characterised in that the URPF information table further comprises: a source IP address, a destination IP address and an ingress interface.
11. The method of any one of claims 1 to 4, characterised in that the URPF information table further comprises: a source IP network segment, a destination IP network segment and an ingress interface.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005101057489A CN100566294C (en) | 2005-09-27 | 2005-09-27 | Single broadcast reverse path repeating method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1750512A (en) | 2006-03-22 |
CN100566294C (en) | 2009-12-02 |
Family
ID=36605777
Families Citing this family (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100461823C (en) * | 2006-06-08 | 2009-02-11 | 华为技术有限公司 | Monocast addressing system and method in digital TV network |
CN100456747C (en) * | 2006-08-02 | 2009-01-28 | 华为技术有限公司 | Method and network equipment for implementing inspection of reversal path of unicast |
CN101146026B (en) * | 2006-09-13 | 2010-05-12 | 中兴通讯股份有限公司 | Packet filtering method, system and device |
CN101043442B (en) * | 2006-11-17 | 2011-05-25 | 神州数码网络(北京)有限公司 | Method for realizing URPF on Ethernet switch |
CN101572635B (en) * | 2008-04-30 | 2012-06-06 | 新奥特(北京)视频技术有限公司 | Data transmission scheduling method based on channel configuration |
CN101662423A (en) * | 2008-08-29 | 2010-03-03 | 中兴通讯股份有限公司 | Method and device for achieving unicast reverse path forwarding |
CN101383778B (en) * | 2008-10-27 | 2011-04-13 | 杭州华三通信技术有限公司 | Packet transmission method based on network dual exit and exit router |
CN101945117A (en) * | 2010-09-28 | 2011-01-12 | 杭州华三通信技术有限公司 | Method and equipment for preventing source address spoofing attack |
CN102014174B (en) * | 2010-11-16 | 2014-09-10 | 中兴通讯股份有限公司 | Network access method and network equipment |
CN102055672B (en) * | 2010-12-27 | 2013-03-13 | 北京星网锐捷网络技术有限公司 | Control method for data flow transmission route, device and route equipment |
CN102255804B (en) * | 2011-07-06 | 2014-07-02 | 北京星网锐捷网络技术有限公司 | Message processing method, device and network equipment |
CN102255814A (en) * | 2011-08-02 | 2011-11-23 | 华为技术有限公司 | Method, device and system for selecting transfer path |
CN102447597B (en) * | 2012-01-11 | 2014-11-19 | 浪潮(北京)电子信息产业有限公司 | Method and device for realizing IP (Internet Protocol) effectiveness detection |
CN103220255B (en) * | 2012-01-18 | 2017-07-21 | 南京中兴新软件有限责任公司 | It is a kind of to realize the method and device that reversal path of unicast forwarding URPF is checked |
CN105337746B (en) * | 2015-09-23 | 2018-11-13 | 浙江宇视科技有限公司 | A kind of transmission method and device of multicast packet |
EP3389310B1 (en) | 2015-12-30 | 2022-06-01 | Huawei Technologies Co., Ltd. | Method for establishing routing table, electronic device and network |
CN109150654B (en) * | 2018-07-25 | 2021-08-17 | 深圳市吉祥腾达科技有限公司 | Use case design method based on protocol consistency of path |
CN110351193B (en) * | 2019-07-05 | 2022-02-25 | 京信网络系统股份有限公司 | Route updating method and device, computer device and readable storage medium |
EP4014440A4 (en) * | 2019-08-16 | 2022-10-12 | Telefonaktiebolaget LM Ericsson (publ) | Method and entity for transmitting a plurality of mac addresses |
CN110932982B (en) * | 2019-12-23 | 2022-03-18 | 锐捷网络股份有限公司 | Maintenance method and device of hardware routing table |
CN111654485B (en) * | 2020-05-26 | 2023-04-07 | 新华三信息安全技术有限公司 | Client authentication method and device |
CN113438101B (en) * | 2021-06-07 | 2022-11-25 | 杭州迪普科技股份有限公司 | URPF configuration method, computer program product and frame type equipment |
CN113810398B (en) * | 2021-09-09 | 2023-09-26 | 新华三信息安全技术有限公司 | Attack protection method, device, equipment and storage medium |
CN113660667B (en) * | 2021-10-18 | 2021-12-28 | 四川浮舟科技有限责任公司 | Method and system for rapidly monitoring illegal hijacking for operator network |
CN115442288B (en) * | 2022-08-19 | 2023-06-27 | 中国信息通信研究院 | SRv6 network data packet inspection method and device |
CN118074983A (en) * | 2024-02-27 | 2024-05-24 | 上海欣诺通信技术股份有限公司 | Control method, equipment, medium and program product for URPF inspection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CP03 | Change of name, title or address | Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466. Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd. Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base. Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd. |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20091202 |