CN101795223A - Multicast security control method, system and transmission node - Google Patents


Info

Publication number: CN101795223A
Authority: CN (China)
Prior art keywords: upstream port; multicast; data message; list item; transmission node
Legal status: Granted
Application number: CN200910249695A
Other languages: Chinese (zh)
Other versions: CN101795223B (en)
Inventor: 倪宏
Current assignee: Ruijie Networks Co Ltd
Original assignee: Fujian Star Net Communication Co Ltd
Application filed by Fujian Star Net Communication Co Ltd
Priority to CN2009102496956A
Publication of CN101795223A
Application granted
Publication of CN101795223B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a multicast security control method, a system and a transmission node. The method includes the following steps: the transmission node receives a multicast stream data packet from an upstream port; according to the multicast address information and upstream port information contained in the data packet, it looks up whether a pre-established matching upstream port entry containing that multicast address information and upstream port information exists; if the upstream port entry exists, the data packet is forwarded according to the data forwarding table of the multicast group to which the data packet belongs; if the upstream port entry does not exist, it is judged whether the upstream port is a preconfigured valid upstream port; if yes, a new upstream port entry is created from the multicast address information and the upstream port information, and the data packet is forwarded according to the data forwarding table of the forwarding path corresponding to the multicast group to which the data packet belongs; if no, the data packet is discarded. The invention effectively ensures the security of the upstream node of a multicast stream and prevents attacks by invalid multicast sources on transmission nodes.

Description

Multicast security control method, system and transmission node
Technical field
The present invention relates to the field of communication technology, and in particular to a multicast security control method, system and transmission node for forwarding multicast traffic streams in a local area network (LAN).
Background art
On the Internet, multimedia services in which a single point sends and multiple points receive, such as video conferencing and Internet TV, are becoming an important part of information delivery. Multicast exists precisely to solve the single-sender, multiple-receiver problem efficiently. When a sender transmits data to a group of receivers, it only needs to send the data to a reserved group address; only receivers that have joined that multicast group receive the multicast data, while other users on the network do not. The sender thus transmits the data only once and still reaches all receivers, which greatly reduces the load on the network and the burden on the sender.
In the IP multicast model of RFC 1112, the sender of a multicast stream (the multicast source) sends the stream with the multicast group address as the destination address, and a receiver of the stream must join the multicast group before it can receive the stream. Sending and receiving in multicast have no necessary logical connection to each other and proceed independently, and this loose structure has the following security problems:
Any multicast source can send multicast streams at will, which may lead to the spread of illegitimate multicast streams that waste the CPU processing capacity of the transmission nodes (switches or routers) and at the same time consume a large amount of network bandwidth. Moreover, because the number of data forwarding table entries on a transmission node is limited, and each multicast stream usually needs a corresponding data forwarding table entry to be created and handled, an illegitimate multicast stream that occupies a large number of forwarding table entries also amounts to a denial-of-service attack that brings legitimate multicast services to a standstill.
IGMP Snooping is a technique for controlling multicast data forwarding inside a LAN. On a transmission node with IGMP Snooping enabled, when a port of the node receives a join message for a multicast group G, that port is regarded as a member port of group G and a data forwarding table is generated. When a multicast stream data packet is received, the transmission node sends it only to the member ports of group G.
For example, if the data forwarding table shown in Table 1 below has been generated on a transmission node, then when the node receives a multicast stream data packet whose group address is G1 it forwards the packet according to the table to downstream ports P1, P2 and P5; when it receives a packet whose group address is G2 it forwards the packet to downstream ports P2 and P3.
Table 1
Multicast group address | Downstream port list
G1 | P1, P2, P5
G2 | P2, P3
By creating the data forwarding table, IGMP Snooping achieves a certain degree of management of the receivers of multicast data packets in the LAN, but it still cannot effectively manage or apply security control to multicast sources and upstream ports.
In the prior art there are also some schemes that address upstream port security. For example, patent application No. 200410070693, entitled "A secure multicast management system and method", discloses a secure multicast management method that guarantees the security of multicast data by signing and encrypting it, so that only multicast data that passes security authentication is received, thereby achieving real-time monitoring and security management of the multicast communication process. However, this approach requires the multicast source and all multicast members to participate, and management is complex. Furthermore, multicast generally carries a large amount of data at a high transmission rate; if a large amount of data must be encrypted before sending and decrypted on reception, the encryption and decryption consume considerable resources for the system as a whole and also affect the speed and efficiency of transmission.
In addition, the prior art also manages and secures upstream ports by manually configuring a static rule for every multicast stream on the transmission nodes in the LAN. However, as the LAN grows, the number of transmission nodes increases and the number of multicast streams keeps rising, the number of such rules grows accordingly, configuration becomes more and more tedious, and later maintenance becomes quite difficult.
It can be seen that none of the prior art schemes solves the security problem of the upstream port of multicast traffic streams well, nor can they effectively prevent attacks by invalid multicast sources on the transmission nodes in the network.
Summary of the invention
The embodiments of the invention provide a multicast security control method, system and transmission node in order to solve the upstream node security problem of multicast traffic streams that exists in the prior art and to prevent attacks by invalid multicast sources on the transmission nodes in the network.
A multicast security control method comprises:
A transmission node receives a multicast stream data packet from an upstream port;
According to the multicast address information and upstream port information contained in the data packet, it looks up whether a matching pre-established upstream port entry exists;
If it exists, the data packet is forwarded according to the data forwarding table of the forwarding path corresponding to the multicast group to which the data packet belongs;
If it does not exist, it is judged whether the upstream port is a preconfigured valid upstream port; if so, the data packet is forwarded according to the data forwarding table of the multicast group to which the data packet belongs; if not, the data packet is discarded.
A transmission node that implements multicast security control comprises: a receiving module, a search module, a judging module and a forwarding module;
The receiving module is used to receive multicast stream data packets from an upstream port;
The search module is used to look up, according to the multicast address information and upstream port information contained in the data packet, whether a matching pre-established upstream port entry exists; if not, it notifies the judging module; if so, it notifies the forwarding module;
The judging module is used to judge whether the upstream port is a preconfigured valid upstream port; if so, it notifies the forwarding module; if not, it discards the data packet;
The forwarding module is used to forward the data packet according to the data forwarding table of the forwarding path corresponding to the multicast group to which the data packet belongs.
A multicast security control system comprises: a multicast source, several transmission nodes as described above, and a receiving terminal;
The multicast source is used to provide multicast stream data packets to the transmission nodes;
The receiving terminal is used to receive the multicast stream data packets forwarded by the transmission nodes.
In the multicast security control method, system and transmission node provided by the embodiments of the invention, upstream port entries are established in the transmission node. They can be generated from preconfigured valid upstream ports and/or from valid upstream ports learned dynamically, and the node forwards only those data packets whose multicast address information and upstream port information match an upstream port entry. The upstream port of multicast stream data packets is thereby brought under security control, the upstream node security of multicast streams is effectively guaranteed, attacks by invalid multicast sources on transmission nodes are avoided, and network security is improved.
Description of drawings
Fig. 1 is a schematic structural diagram of the multicast security control system in an embodiment of the invention;
Fig. 2 is a flow chart of the multicast security control method in an embodiment of the invention;
Fig. 3 is an example diagram of the forwarding paths established for the multicast security control system of Fig. 1 in an embodiment of the invention;
Fig. 4 is a schematic structural diagram of the multicast security control device in an embodiment of the invention.
Embodiments
The multicast security control system provided by the embodiments of the invention may comprise: a multicast source, transmission nodes and a receiving terminal. The multicast source provides multicast stream data packets and sends them to the transmission node connected to it. A transmission node forwards the multicast stream data packets it receives to a downstream node or to a receiving terminal. The receiving terminal receives the multicast stream data packets sent by the transmission node.
Fig. 1 shows an example topology of the multicast security control system. The multicast sources in Fig. 1 include a valid multicast source S1 and invalid multicast sources S2 and S3; the transmission nodes include transmission nodes A, B, C, D and E; and the receiving terminals include receiving terminals R1 and R2.
The multicast source provides multicast stream data packets to the transmission nodes.
A transmission node receives, from an upstream port, multicast stream data packets sent by a multicast source or by an upstream transmission node; according to the multicast address information and upstream port information contained in the packet, it looks up whether a matching pre-established upstream port entry containing that multicast address information and upstream port information exists; if it exists, the node forwards the data packet to the downstream node or receiving terminal according to the data forwarding table of the multicast group to which the packet belongs; if it does not exist, the node judges whether the upstream port is a preconfigured valid upstream port; if so, it forwards the packet to the downstream transmission node or receiving terminal according to the data forwarding table of the multicast group to which the received packet belongs; if not, it discards the received packet.
The receiving terminal receives the multicast stream data packets forwarded by the transmission nodes.
Preferably, the transmission node is further used to: when it judges that the upstream port on which the multicast stream data packet was received is a preconfigured valid upstream port, create a new upstream port entry from the multicast address information and upstream port information; build an upstream port installation message and send it, according to the data forwarding table of the forwarding path of the multicast group to which the received packet belongs, to the other transmission nodes on the forwarding path, instructing them to create upstream port entries; and, on receiving an upstream port installation message sent by another transmission node, create an upstream port entry containing the multicast address information and upstream port information.
Preferably, the transmission node is further used to: refresh the remaining lifetime of an upstream port entry whenever a matching entry is found, and delete the entry when its remaining lifetime reaches zero.
Valid upstream ports are preconfigured on the transmission node connected to the valid multicast source according to the port through which that source is connected. The port connected to the valid multicast source may be connected to it directly or via other network entities.
Based on the multicast security control system described above, the multicast security control method is implemented in each transmission node. Its flow chart is shown in Fig. 2 and the steps are as follows:
Step S11: receive a multicast stream data packet from an upstream port.
The transmission node may receive, on an upstream port, multicast stream data packets sent by a multicast source or by an upstream transmission node.
Step S12: extract the multicast address information and upstream port information contained in the received data packet.
The multicast address information comprises the multicast source address and the multicast group address; the upstream port information is the upstream port number.
The multicast source address S and multicast group address G, together with the receiving port number P, are extracted from the received data packet. The multicast source address S and multicast group address G generally refer to the multicast source IP address and multicast group IP address in the IP header.
Step S13: look up whether a matching pre-established upstream port entry exists.
Each transmission node maintains its own upstream port entries. An upstream port entry generally comprises multicast address information and the corresponding upstream port information. The multicast address information comprises the multicast source address and the multicast group address; the corresponding upstream port information is generally the upstream port number of that multicast stream, i.e. the valid upstream receiving port of the stream.
After receiving a multicast stream data packet, the transmission node looks up the pre-established upstream port entries it stores. When the multicast address information and upstream port information contained in an entry match the multicast address information and upstream port information of the received packet, an upstream port entry matching the received packet is determined to exist, i.e. the match succeeds; otherwise, no matching entry is determined to exist, i.e. the match fails.
Specifically, the multicast address information and upstream port information match when the multicast source address, multicast group address and corresponding upstream port information contained in the upstream port entry are respectively identical to the multicast source address, multicast group address and upstream port information of the received multicast stream data packet.
If no matching upstream port entry is found, step S14 is executed; if a matching entry is found, step S18 is executed.
Preferably, a remaining lifetime may also be set in each upstream port entry. Whenever a matching entry is found, the remaining lifetime of that entry is refreshed; when the remaining lifetime of an entry reaches zero, the entry is deleted.
Step S14: judge whether the upstream port on which the multicast stream data packet was received is a preconfigured valid upstream port.
A transmission node may have some valid upstream ports preconfigured. For example, depending on whether the node is directly connected to a valid multicast source, the port directly connected to the valid multicast source is configured as a valid upstream port. A port may of course also be configured in advance as a valid upstream port when it is determined to be one according to some other principle. Once this configuration is complete, a multicast stream data packet received on such an upstream port for which no pre-established upstream port entry is found will trigger the creation procedure for an upstream port entry.
When a multicast stream data packet is received, the node checks, according to the port on which the packet was received (i.e. the extracted port number P), whether the preconfigured valid upstream ports include that receiving port. If so, the upstream port on which the packet was received is considered a preconfigured valid upstream port; otherwise it is not.
If so, step S15 is executed; if not, step S19 is executed.
Step S15: create a new upstream port entry from the multicast address information and upstream port information of the received multicast stream data packet.
When the upstream port on which the packet was received is determined to be a preconfigured valid upstream port and the packet has no matching upstream port entry, the transmission node can automatically learn the valid upstream port information and create the upstream port entry.
Preferably, after step S15, steps S16 and S17 are executed first and then step S18.
Step S16: build an upstream port installation message.
After creating its own upstream port entry, the transmission node may also build an upstream port installation message containing the multicast address information of the received data packet, which is used to instruct the other transmission nodes (generally the downstream transmission nodes) on the forwarding path of the multicast group to which the received packet belongs to create upstream port entries.
The upstream port installation message may contain: a message type (upstream installation), the multicast source address, the multicast group address, etc., and may be carried in various types of message frames or by other means capable of conveying information between transmission nodes.
For example, one possible frame format of an upstream port installation message is shown in Table 2 below.
Table 2
Destination MAC (6 bytes)
Source MAC (6 bytes)
Reserved (2 bytes)
Message type (1 byte)
Reserved (1 byte)
Multicast source address (4 bytes)
Multicast group address (4 bytes)
Here, the destination MAC is the uniquely assigned MAC address of the transmission node that receives the upstream port installation message; the message type defines this message as an upstream node installation message; the two reserved fields are kept for use in later extensions of the message; the source MAC is the uniquely assigned MAC address of the transmission node that sends the upstream port installation message; and the multicast source address and multicast group address may be the multicast source IPv4 address and multicast group IPv4 address respectively.
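As an added example (not code from the patent), the following Python packs and parses the 24-byte frame of Table 2 and rejects frames a receiving node should not act on; the numeric message type code, the MAC addresses and the IPv4 addresses are assumed values, since the page gives only the field layout.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Frame layout of Table 2: destination MAC (6), source MAC (6), reserved (2),
# message type (1), reserved (1), multicast source IPv4 (4), multicast group IPv4 (4).
FRAME_FMT = "!6s6s2sB1s4s4s"
FRAME_LEN = struct.calcsize(FRAME_FMT)  # 24 bytes

# The page names the type ("upstream installation") but gives no numeric code;
# 0x01 is an assumed value for this example.
MSG_TYPE_UPSTREAM_INSTALL = 0x01


@dataclass(frozen=True)
class UpstreamPortInstallMessage:
    dst_mac: bytes
    src_mac: bytes
    msg_type: int
    source_addr: IPv4Address
    group_addr: IPv4Address

    def pack(self) -> bytes:
        """Serialise to the 24-byte frame of Table 2; both reserved fields are zero."""
        return struct.pack(FRAME_FMT, self.dst_mac, self.src_mac, b"\x00\x00",
                           self.msg_type, b"\x00", self.source_addr.packed,
                           self.group_addr.packed)

    @classmethod
    def unpack(cls, frame: bytes) -> "UpstreamPortInstallMessage":
        """Parse a received frame, rejecting anything that does not fit the layout.
        A node should create an upstream port entry only from a well-formed message
        whose group field is a multicast address and whose source is unicast."""
        if len(frame) != FRAME_LEN:
            raise ValueError(f"expected {FRAME_LEN}-byte frame, got {len(frame)}")
        dst, src, _rsv1, mtype, _rsv2, s_raw, g_raw = struct.unpack(FRAME_FMT, frame)
        if mtype != MSG_TYPE_UPSTREAM_INSTALL:
            raise ValueError(f"unexpected message type 0x{mtype:02x}")
        source, group = IPv4Address(s_raw), IPv4Address(g_raw)
        if not group.is_multicast:
            raise ValueError(f"group address {group} is not a multicast address")
        if source.is_multicast:
            raise ValueError(f"source address {source} is not a unicast address")
        return cls(dst, src, mtype, source, group)


def is_valid_install_frame(frame: bytes) -> bool:
    """True if `frame` parses as an upstream port installation message."""
    try:
        UpstreamPortInstallMessage.unpack(frame)
        return True
    except ValueError:
        return False


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def example_frame() -> bytes:
    """Constructed sample: node A installing (S1, G1) on node B. The MAC and IP
    addresses are made-up stand-ins for the page's symbolic A, B, S1 and G1."""
    msg = UpstreamPortInstallMessage(dst_mac=mac("02:00:00:00:00:0b"),
                                     src_mac=mac("02:00:00:00:00:0a"),
                                     msg_type=MSG_TYPE_UPSTREAM_INSTALL,
                                     source_addr=IPv4Address("192.0.2.10"),  # S1
                                     group_addr=IPv4Address("239.1.1.1"))    # G1
    return msg.pack()


if __name__ == "__main__":
    frame = example_frame()
    print(frame.hex())
    print(UpstreamPortInstallMessage.unpack(frame))
```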
Step S17: send the upstream port installation message to the other transmission nodes on the forwarding path to which the packet belongs.
After the upstream port installation message has been built, the node looks up the data forwarding table corresponding to the multicast group to which the received packet belongs and sends the installation message in turn to the other transmission nodes on the forwarding path of that multicast group. According to the received installation message, each of those nodes can create an upstream port entry containing the multicast address information carried in the message and the upstream port information of the port on which it itself received the message.
After the upstream port installation message has been sent, step S18 is executed.
Step S18: forward the received data packet according to the data forwarding table of the multicast group to which the received multicast stream data packet belongs.
The data forwarding table is generated by the IGMP Snooping running on the transmission node: for each multicast group, a data forwarding table containing the multicast group address and the corresponding downstream port list is generated on every transmission node in the forwarding path.
When a transmission node receives a multicast stream data packet that needs to be forwarded, it forwards the received packet according to the data forwarding table of the multicast group to which the packet belongs, specifically by sending the received packet out of the downstream ports contained in the data forwarding table to the downstream transmission nodes or receiving terminals.
Step S19: discard the received data packet.
When no upstream port entry matching the received data packet is found and the upstream port on which the packet was received is not a preconfigured valid upstream port either, the received packet is discarded.
The multicast security control method provided by the embodiments of the invention is now described in detail using the system shown in Fig. 1 as an example. Fig. 3 shows a concrete example in which forwarding paths (shown as dotted lines in the figure) have been established in the system of Fig. 1 from the valid multicast source to the two receiving terminals.
IGMP Snooping runs on every transmission node in the figure. Transmission node A is connected to the valid multicast source S1, while the multicast source S2 connected to transmission node B and the multicast source S3 connected to transmission node C are invalid multicast sources. For the valid multicast source S1 to send multicast stream data packets to receiving terminals R1 and R2, two valid forwarding paths, shown as dotted lines in the figure, are needed: the first runs from the valid multicast source through port A1 and port A3 of transmission node A, port B1 and port B2 of transmission node B, and port D1 and port D2 of transmission node D to receiving terminal R1; the second runs from the valid multicast source through port A1 and port A3 of transmission node A, port B1 and port B3 of transmission node B, and port E1 and port E2 of transmission node E to receiving terminal R2.
Port A1 of transmission node A is connected to the valid multicast source, so valid upstream port A1 is preconfigured in transmission node A. The multicast group address of the valid multicast source S1 is G1, and the transmission nodes on both forwarding paths have joined the multicast group with group address G1. By running IGMP Snooping, each transmission node has generated the data forwarding table shown in Table 3 below; the data forwarding table of each transmission node comprises the multicast group address and the downstream port list.
Table 3
Transmission node A:
Multicast group address | Downstream port list
G1 | A3
Transmission node B:
Multicast group address | Downstream port list
G1 | B2, B3
Transmission node D:
Multicast group address | Downstream port list
G1 | D2
Transmission node E:
(the table for transmission node E appears only as an image in the original)
When transmission node A receives the first multicast stream data packet from the valid multicast source S1 on upstream port A1, it extracts the multicast source address and multicast group address from the packet, namely (S1, G1). Transmission node A queries the pre-established upstream port entries; because this is the first data packet on this forwarding path, no matching upstream port entry is found. Since the upstream port A1 on which the packet was received is judged to be a preconfigured valid upstream port, an upstream port entry now needs to be learned and created. The created upstream port entry is shown in Table 4 below.
Table 4
Multicast source address | Multicast group address | Upstream port number
S1 | G1 | A1
After creating the upstream port entry, transmission node A builds an upstream port installation message instructing the downstream transmission nodes B, D and E on the forwarding path of this multicast group to create the corresponding upstream port entries. After receiving the installation message, transmission nodes B, D and E create their upstream port entries.
The upstream port installation message is likewise forwarded hop by hop to the downstream nodes by each transmission node on the forwarding path: transmission node A sends the installation message it built out of downstream port A3 to transmission node B according to its data forwarding table; after receiving the message, transmission node B records the upstream port B1 on which it received the message together with the multicast source address S1 and multicast group address G1 carried in the message, and creates locally the upstream port entry shown in Table 5 below.
Table 5
Multicast source address | Multicast group address | Upstream port number
S1 | G1 | B1
Then, according to the data forwarding table of this forwarding path, transmission node B sends the installation message out of downstream ports B2 and B3 to downstream transmission nodes D and E. After receiving the message, transmission nodes D and E record the upstream ports D1 and E1 on which they received it together with the multicast source address S1 and multicast group address G1 carried in the message, and create locally the upstream port entries shown in Table 6 (the entry created by transmission node D) and Table 7 (the entry created by transmission node E) below.
Table 6
Multicast source address | Multicast group address | Upstream port number
S1 | G1 | D1
Table 7
Multicast source address | Multicast group address | Upstream port number
S1 | G1 | E1
At this point, the creation of the upstream port entries on the valid forwarding paths associated with this multicast source is complete.
When the valid multicast source S1 sends further multicast stream data packets, transmission nodes A, B, D and E find the matching upstream port entry and, having found it, forward the packets normally according to the locally stored data forwarding table of this multicast group. Receiving terminals R1 and R2 thus receive the multicast stream data packets sent by the valid multicast source S1 without difficulty. In general, after a valid multicast source stops sending multicast stream data packets, the upstream port entries corresponding to that stream on the transmission nodes are deleted once their remaining lifetime has been decremented to zero.
If, on the other hand, the invalid multicast source S2 or S3 sends a multicast stream into this system, either with its own multicast source address or spoofing the multicast address information (S1, G1) of the valid multicast source S1, the lookup of the upstream port entry on transmission node B or C, to which it is connected, fails, and B4 or C2 is not a preconfigured valid upstream port of that transmission node either. The multicast stream data packets sent by these two multicast sources are therefore discarded and cannot attack any transmission node in this network system.
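The following Python simulation is an added example, not code from the patent: it implements steps S11 to S19 together with installation message relaying and entry ageing, and replays the Fig. 3 scenario above using the forwarding tables of Table 3. The initial entry lifetime, the link wiring between nodes and node E's forwarding table (taken from the path description, G1 to E2) are assumptions.

```python
from dataclasses import dataclass

# Constructed initial lifetime (in ageing ticks) for upstream port entries; the page
# describes a decrementing remaining lifetime but does not give its starting value.
ENTRY_LIFETIME = 3

@dataclass(frozen=True)
class Packet:
    source: str  # multicast source address from the IP header (may be spoofed)
    group: str   # multicast group address

class Receiver:
    # Receiving terminal: records delivered packets, ignores installation messages.
    def __init__(self, name):
        self.name, self.got = name, []

    def receive(self, port, pkt):
        self.got.append(pkt)
        return True

    def install(self, port, source, group):
        pass

class TransmissionNode:
    def __init__(self, name, valid_upstream_ports, forwarding_table):
        self.name = name
        self.valid_upstream_ports = set(valid_upstream_ports)  # preconfigured (step S14)
        self.forwarding_table = forwarding_table  # group -> downstream ports (IGMP Snooping)
        self.upstream_entries = {}  # (source, group) -> [upstream port, remaining lifetime]
        self.links = {}  # downstream port -> (peer, port on which the peer receives)
        self.dropped = []  # (port, packet) pairs discarded in step S19

    def connect(self, port, peer, peer_port):
        self.links[port] = (peer, peer_port)

    def _downstream(self, group):
        return [self.links[p] for p in self.forwarding_table.get(group, ())]

    def receive(self, port, pkt):
        """Steps S11 to S19 for one packet arriving on `port`; returns True if forwarded."""
        key = (pkt.source, pkt.group)  # S12: extract (S, G); P is `port`
        entry = self.upstream_entries.get(key)  # S13: look up the upstream port entry
        if entry is not None and entry[0] == port:  # (S, G, P) all match
            entry[1] = ENTRY_LIFETIME  # refresh the remaining lifetime on every hit
            return self._forward(pkt)  # S18
        if port not in self.valid_upstream_ports:  # S14
            self.dropped.append((port, pkt))  # S19: no entry and not a valid upstream port
            return False
        self.upstream_entries[key] = [port, ENTRY_LIFETIME]  # S15: learn the entry
        for peer, peer_port in self._downstream(pkt.group):  # S16/S17: install downstream
            peer.install(peer_port, pkt.source, pkt.group)
        return self._forward(pkt)  # S18

    def _forward(self, pkt):
        for peer, peer_port in self._downstream(pkt.group):
            peer.receive(peer_port, pkt)
        return True

    def install(self, port, source, group):
        # Installation message received on `port`: bind (S, G) to this node's own
        # receiving port, then relay the message along the group's forwarding path.
        self.upstream_entries[(source, group)] = [port, ENTRY_LIFETIME]
        for peer, peer_port in self._downstream(group):
            peer.install(peer_port, source, group)

    def tick(self):
        # Ageing: decrement every remaining lifetime and delete entries that reach zero.
        for key in list(self.upstream_entries):
            self.upstream_entries[key][1] -= 1
            if self.upstream_entries[key][1] <= 0:
                del self.upstream_entries[key]

def build_fig3_network():
    # Topology of Fig. 3 with the forwarding tables of Table 3; node E's table is not
    # readable on the page and is taken from the path description (G1 -> E2).
    a = TransmissionNode("A", {"A1"}, {"G1": ["A3"]})
    b = TransmissionNode("B", set(), {"G1": ["B2", "B3"]})
    c = TransmissionNode("C", set(), {})
    d = TransmissionNode("D", set(), {"G1": ["D2"]})
    e = TransmissionNode("E", set(), {"G1": ["E2"]})
    r1, r2 = Receiver("R1"), Receiver("R2")
    a.connect("A3", b, "B1")
    b.connect("B2", d, "D1")
    b.connect("B3", e, "E1")
    d.connect("D2", r1, "R1")
    e.connect("E2", r2, "R2")
    return {"A": a, "B": b, "C": c, "D": d, "E": e, "R1": r1, "R2": r2}

def run_scenario():
    # S1's first packet on A1 is learned and installed along the path (Tables 4 to 7);
    # S2 on B4 and S3 on C2 then spoof (S1, G1) and must be discarded.
    net = build_fig3_network()
    first_forwarded = net["A"].receive("A1", Packet("S1", "G1"))
    b_forwarded = net["B"].receive("B4", Packet("S1", "G1"))
    c_forwarded = net["C"].receive("C2", Packet("S1", "G1"))
    return net, first_forwarded, b_forwarded, c_forwarded
```

Calling `run_scenario()` yields the entries of Tables 4 to 7 on nodes A, B, D and E, one delivered packet at each of R1 and R2, and a drop record on B and C for the spoofed packets.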
Be used to realize the structure of the transmission node of above-mentioned security of multicast control, specifically can comprise as shown in Figure 4: receiver module 10, search module 20, judge module 30 and forwarding module 50.
Receiver module 10 is used for from upstream port receiving group flow data message.
Search module 20, be used for the multicast address information and the upstream port information that comprise according to the multicast data flow data message that receives, search whether there is the upstream port list item of setting up in advance that is complementary; If do not exist, notice judge module 30; If exist, notice forwarding module 50.
Judging module 30 determines whether the upstream port on which the multicast data packet was received is a pre-configured legal upstream port; if so, it notifies forwarding module 50, and if not, it discards the received packet.
Forwarding module 50 forwards the received packet according to the data forwarding table of the forwarding path corresponding to the multicast group to which the received multicast data packet belongs.
Preferably, the transmission node further comprises a creation module 40 which, when judging module 30 determines that the upstream port is a pre-configured legal upstream port, creates a new upstream port entry from the multicast address information and upstream port information of the received multicast data packet.
Preferably, the transmission node further comprises a message construction module 60 which, when judging module 30 determines that the port on which the packet was received is a pre-configured legal upstream port, constructs an upstream port installation message containing the multicast address information of the received packet and sends it, according to the data forwarding table of the forwarding path of the packet's multicast group, to the other transmission nodes on the forwarding path, instructing them to create upstream port entries.
Creation module 40 is also used to create, from an upstream port installation message received from another transmission node, an upstream port entry containing the multicast address information carried in that message and the upstream port information of the port on which the message was received.
Preferably, the upstream port entry that the creation module of the transmission node creates from a received upstream port installation message also contains the remaining lifetime of that upstream port entry.
Lookup module 20 is also used to refresh the remaining lifetime of a matching upstream port entry whenever one is found, and to notify creation module 40 when the remaining lifetime reaches zero.
Creation module 40 is also used to delete the corresponding upstream port entry when its remaining lifetime reaches zero.
The multicast security control method, system and transmission node provided by the embodiments of the invention are mainly intended for networks composed of transmission nodes (including Layer 2 switches and multi-layer switches) running IGMP Snooping. They apply both to network systems supporting IPv4 and to network systems supporting IPv6, in which case MLD Snooping is enabled in the IPv6 multicast network, and they can be extended according to IEEE 802.1Q for use in virtual local area network (VLAN) systems.
By establishing upstream port entries in the transmission nodes, the embodiments of the invention generate those entries from legal upstream ports that are pre-configured and/or dynamically learned, and by constructing an upstream port installation message they let every transmission node on the forwarding path learn and generate upstream port entries automatically, thereby managing and controlling the legal upstream ports.
A transmission node receives and forwards multicast traffic according to its upstream port entries and its data forwarding table, so that only packets whose multicast address information and upstream port information match an upstream port entry are forwarded. When a transmission node receives, on an unauthorized port, illegal multicast data packets that spoof a legal multicast source address, it discards them, which stops multicast traffic from illegal source addresses from spreading through the network. The upstream port of multicast data packets is thus effectively controlled, the upstream nodes of the multicast stream are protected, attacks by illegal multicast sources on transmission nodes and the other harm that illegal multicast traffic could cause the network are avoided, and network security is improved.
In this implementation only the transmission node directly connected to a legal multicast source needs port authorization information configured (that is, a legal port); all other transmission nodes obtain the authorization information by dynamic learning, which reduces the network management workload and the complexity of network operation. Because the upstream port entries for a multicast stream are generated dynamically as the stream flows and are deleted automatically, through the change in their remaining lifetime, once the multicast source has finished sending, memory usage is reduced and, compared with static entries, the number of multicast streams a transmission node can actually handle is increased.
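The admission check, the upstream port installation message and the entry aging described above (the S1/S2/S3 scenario and the module structure of Figure 4), as an added example that is not code from the patent or from the applicant: a Python simulation of a small network of transmission nodes. The topology, port numbers, source and group names, the entry lifetime of three ticks and the hop-by-hop relaying of the installation message are all assumptions chosen to mirror the scenario (legal source S1 behind node A, S2 on port B4, S3 on port C2, receivers D1 and D2); the patent does not fix any of them.

```python
"""Added example, not code from the patent or from Ruijie Networks: a small
simulation of the (S, G, upstream-port) admission check described above and
claimed in claims 1-7. Topology, port numbers, addresses, the entry lifetime
and hop-by-hop relaying of the installation message are assumptions chosen to
mirror the scenario (legal S1 behind A; S2 on B4, S3 on C2; receivers D1, D2)."""
from dataclasses import dataclass, field

ENTRY_LIFETIME = 3  # remaining-lifetime ticks; assumed value, the patent leaves it open


@dataclass
class Node:
    name: str
    legal_ports: set = field(default_factory=set)  # pre-configured legal upstream ports
    fwd: dict = field(default_factory=dict)        # data forwarding table: G -> downstream ports
    upstream: dict = field(default_factory=dict)   # upstream port entries: (S, G, port) -> lifetime
    dropped: list = field(default_factory=list)

    def receive(self, net, port, src, grp):
        key = (src, grp, port)
        if key in self.upstream:                   # search module: matching entry exists
            self.upstream[key] = ENTRY_LIFETIME     # refresh remaining lifetime (claim 7)
        elif port in self.legal_ports:             # judge module: legal upstream port
            self.upstream[key] = ENTRY_LIFETIME     # creation module (claim 2)
            self.install(net, src, grp)            # message construction module (claim 3)
        else:                                      # unknown (S, G) on an unauthorized port
            self.dropped.append(key)
            return
        for out in self.fwd.get(grp, []):          # forwarding module (claim 6)
            net.send(self.name, out, "data", src, grp)

    def install(self, net, src, grp):
        # the installation message follows the same forwarding path as the data
        if net.install_enabled:
            for out in self.fwd.get(grp, []):
                net.send(self.name, out, "install", src, grp)

    def on_install(self, net, port, src, grp):
        # claim 3: the learned entry is keyed on the port this message arrived on
        self.upstream[(src, grp, port)] = ENTRY_LIFETIME
        self.install(net, src, grp)                # assumed: relayed hop by hop

    def age(self):
        for key in list(self.upstream):
            self.upstream[key] -= 1
            if self.upstream[key] == 0:            # remaining lifetime reached zero
                del self.upstream[key]


class Network:
    def __init__(self, nodes, install_enabled=True):
        self.nodes = {n.name: n for n in nodes}
        self.links, self.delivered, self.install_enabled = {}, [], install_enabled

    def link(self, a, pa, b, pb):
        self.links[(a, pa)] = (b, pb)
        self.links[(b, pb)] = (a, pa)

    def send(self, frm, port, kind, src, grp):
        to, in_port = self.links[(frm, port)]
        if to not in self.nodes:                   # link ends at a receiving terminal
            if kind == "data":
                self.delivered.append((to, src, grp))
        elif kind == "data":
            self.nodes[to].receive(self, in_port, src, grp)
        else:
            self.nodes[to].on_install(self, in_port, src, grp)


def build(install_enabled=True):
    """Assumed topology: S1 on A1 (legal), A2-B1, B2-D1, B3-E1, B5-C1, receiver D1
    on D2, receiver D2 on E2. Only A, which faces S1, has a legal port configured."""
    net = Network([Node("A", legal_ports={1}, fwd={"G1": [2]}), Node("B", fwd={"G1": [2, 3]}),
                   Node("C"), Node("D", fwd={"G1": [2]}), Node("E", fwd={"G1": [2]})],
                  install_enabled)
    for a, pa, b, pb in [("A", 2, "B", 1), ("B", 2, "D", 1), ("B", 3, "E", 1),
                         ("B", 5, "C", 1), ("D", 2, "D1", 0), ("E", 2, "D2", 0)]:
        net.link(a, pa, b, pb)
    return net


def run_scenario(install_enabled=True):
    net = build(install_enabled)
    a, b, c = net.nodes["A"], net.nodes["B"], net.nodes["C"]
    a.receive(net, 1, "S1", "G1")                  # legal S1: learn, install, forward
    entries = {n.name: sorted(n.upstream) for n in net.nodes.values()}
    b.receive(net, 4, "S1", "G1")                  # S2 on B4 spoofing (S1, G1)
    c.receive(net, 2, "S1", "G1")                  # S3 on C2 spoofing (S1, G1)
    a.receive(net, 1, "S1", "G1")                  # S1 again: every hop hits its entry
    for _ in range(ENTRY_LIFETIME):                # S1 goes quiet: entries age out
        for n in net.nodes.values():
            n.age()
    return {"delivered": net.delivered, "entries": entries,
            "dropped": {n.name: n.dropped for n in net.nodes.values()},
            "remaining": sum(len(n.upstream) for n in net.nodes.values())}
```

`run_scenario()` returns the packets that reached the receivers, the entries present after S1's first packet, the packets each node dropped, and the number of entries left after aging. Only A carries configuration; B, D and E obtain their (S1, G1, port 1) entries from the installation message, and the spoofed packets from S2 and S3 are dropped at B4 and C2 because neither an entry nor a legal-port configuration exists for those ports. Running `run_scenario(install_enabled=False)` shows why the installation message is part of the scheme: without it B has no entry and no legal port for the traffic arriving from A and drops the legitimate stream as well. Note that the check binds (S, G) to an ingress port and does not authenticate the source itself, so a host sharing an authorized port with the legal source is not distinguished by it.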
The above are only preferred embodiments of the invention, and the scope of protection of the invention is not limited to them. Any change, replacement or application to other similar devices that a person skilled in the art could readily conceive within the technical scope disclosed by the invention should fall within the scope of protection of the invention. The scope of protection of the invention should therefore be determined by the scope of the claims.

Claims (12)

1. A multicast security control method, characterized in that it comprises:
a transmission node receiving a multicast data packet from an upstream port;
searching, according to the multicast address information and upstream port information contained in the packet, whether a pre-established matching upstream port entry exists;
if one exists, forwarding the packet according to the data forwarding table of the forwarding path corresponding to the multicast group to which the packet belongs;
if none exists, judging whether the upstream port is a pre-configured legal upstream port; if so, forwarding the packet according to the data forwarding table of the multicast group to which the packet belongs; if not, discarding the packet.
2. the method for claim 1 is characterized in that, judges when described upstream port is pre-configured legal upstream port, also comprises:
According to described multicast address information and the new upstream port list item of upstream port information creating.
3. the method for claim 1 is characterized in that, judges when described upstream port is pre-configured legal upstream port, also comprises:
Structure comprises the upstream port installation message of the multicast address information of described data message, and sends to other transmission nodes on the forward-path according to the data forwarding table of described forward-path, indicates described other transmission nodes to create upstream port list items;
Other transmission nodes on the described forward-path are created the upstream port list item that comprises described multicast address information and self receive the upstream port information of described upstream port installation message according to the upstream port installation message that receives.
4. the method for claim 1 is characterized in that, described multicast address information comprises multicast source address and multicast group address; Described upstream port information is the upstream extremity slogan.
5. the method for claim 1 is characterized in that, described pre-configured legal upstream port is according to the connectivity port configuration of legal multicast source and described transmission node.
6. the method for claim 1 is characterized in that, comprises multicast group address and corresponding downstream port tabulation in the described data forwarding table;
Described data forwarding table according to multicast group under the described data message is transmitted described data message, specifically comprises: described data message is transmitted described data message by the downstream port that comprises in the described data forwarding table give downstream transmission node or receiving terminal.
7. The method of any one of claims 1 to 6, characterized in that the upstream port entry further contains the remaining lifetime of the upstream port entry;
when a matching upstream port entry is found, the remaining lifetime of the found upstream port entry is refreshed;
when the remaining lifetime reaches zero, the upstream port entry is deleted.
8. A transmission node implementing multicast security control, characterized in that it comprises: a receiving module, a lookup module, a judging module and a forwarding module;
the receiving module is used to receive a multicast data packet from an upstream port;
the lookup module is used to search, according to the multicast address information and upstream port information contained in the packet, whether a pre-established matching upstream port entry exists, and to notify the judging module if none exists or the forwarding module if one exists;
the judging module is used to judge whether the upstream port is a pre-configured legal upstream port, and to notify the forwarding module if so or discard the packet if not;
the forwarding module is used to forward the packet according to the data forwarding table of the forwarding path corresponding to the multicast group to which the packet belongs.
9. The transmission node of claim 8, characterized in that it further comprises a creation module, used to create a new upstream port entry from the multicast address information and the upstream port information when the judging module judges that the upstream port is a pre-configured legal upstream port.
10. The transmission node of claim 8, characterized in that it further comprises:
a message construction module, used, when the judging module judges that the upstream port is a pre-configured legal upstream port, to construct an upstream port installation message containing the multicast address information of the packet and to send it to the other transmission nodes on the forwarding path according to the data forwarding table of the forwarding path, instructing those transmission nodes to create upstream port entries;
the creation module is further used to create, from an upstream port installation message received from another transmission node, an upstream port entry containing the multicast address information and the upstream port information of the port on which the node itself received the upstream port installation message.
11. The transmission node of any one of claims 8 to 10, characterized in that the upstream port entry created by the creation module further contains the remaining lifetime of the upstream port entry;
the lookup module is further used to refresh the remaining lifetime of the found upstream port entry when a matching upstream port entry is found, and to notify the creation module when the remaining lifetime reaches zero;
the creation module is further used to delete the corresponding upstream port entry when the remaining lifetime reaches zero.
12. A multicast security control system, characterized in that it comprises: a multicast source, a number of transmission nodes according to any one of claims 8 to 11, and a receiver;
the multicast source is used to provide multicast data packets to the transmission nodes;
the receiver is used to receive the multicast data packets forwarded by the transmission nodes.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102496956A CN101795223B (en) 2009-12-14 2009-12-14 Multicast security control method, system and transmission node

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102496956A CN101795223B (en) 2009-12-14 2009-12-14 Multicast security control method, system and transmission node

Publications (2)

Publication Number Publication Date
CN101795223A true CN101795223A (en) 2010-08-04
CN101795223B CN101795223B (en) 2011-12-28

Family

ID=42587654

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102496956A Active CN101795223B (en) 2009-12-14 2009-12-14 Multicast security control method, system and transmission node

Country Status (1)

Country Link
CN (1) CN101795223B (en)


Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002354033A (en) * 2001-05-24 2002-12-06 Fujitsu Ltd Program, method and device for multicast data distribution
CN101521927B (en) * 2009-04-03 2012-09-05 中兴通讯股份有限公司 Method and system for restraining multicast transmitting path

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103684805A (en) * 2012-09-26 2014-03-26 深圳市腾讯计算机系统有限公司 Method, system and equipment for data link layer multicast
CN103684805B (en) * 2012-09-26 2018-05-08 深圳市腾讯计算机系统有限公司 Data link layer method of multicasting, system and equipment
CN102946356A (en) * 2012-10-16 2013-02-27 杭州华三通信技术有限公司 CB-PE (controlling bridge-port extender) network-based multicast message transmitting method and device
CN102946356B (en) * 2012-10-16 2015-05-20 杭州华三通信技术有限公司 CB-PE (controlling bridge-port extender) network-based multicast message transmitting method and device
CN104954245A (en) * 2014-03-27 2015-09-30 中兴通讯股份有限公司 Service function chaining (SFC) processing method and device
WO2015143802A1 (en) * 2014-03-27 2015-10-01 中兴通讯股份有限公司 Service function chaining processing method and device
US10084706B2 (en) 2014-03-27 2018-09-25 Zte Corporation Method and device for processing service function chaining
CN104954245B (en) * 2014-03-27 2019-07-16 中兴通讯股份有限公司 Business function chain processing method and processing device
WO2018121705A1 (en) * 2016-12-30 2018-07-05 北京奇虎科技有限公司 Stream data bidirectional transmission method and device
CN108600110A (en) * 2018-04-24 2018-09-28 新华三技术有限公司 A kind of PIM message processing methods and device
WO2023092498A1 (en) * 2021-11-26 2023-06-01 Oppo广东移动通信有限公司 Multicast message processing method and related apparatus

Also Published As

Publication number Publication date
CN101795223B (en) 2011-12-28

Similar Documents

Publication Publication Date Title
US8085770B2 (en) Method of transporting a multipoint stream in a local area network and device for connection implementing the method
AU2004310308B2 (en) System and method for grouping multiple VLANS into a single 802.11 IP multicast domain
US7894428B2 (en) Packet relay device
CN101795223B (en) Multicast security control method, system and transmission node
CN101616014B (en) Method for realizing cross-virtual private local area network multicast
US8045461B2 (en) Method and device for implementing virtual-switch
CN101510891B (en) Apparatus and method for implementing multicast by EPON access system
CN102377578A Virtual local area network (VLAN)-based membership for multicast VLAN registration
CN101515859B (en) Method for multicast transport in Internet protocol secure tunnel and device
CN102598586A (en) Method and devices for dealing multicast
US8559353B2 (en) Multicast quality of service module and method
CN100550857C (en) Realize method, system and the access device of intercommunication of two layers of local specific service
CN102045250A (en) Forwarding method for multicast message in VPLS, and service provider edge equipment
CN100479371C (en) Method of broadcast transmitting message and an exchange equipment
CN101997724A (en) Method and device for updating multicast forwarding entries
CN101827037A (en) Multicast data stream sending method, device and two-layer switching equipment
JP5572848B2 (en) Communication apparatus and communication method
JP2005236698A (en) Bridge device, and method and program for detecting loop
CN101888325A (en) Method and system for controlling multicast data
Mehdizadeh et al. Distinctive key management method to secure multicast IPv6 networks
CN100563157C (en) The controlled certification method of group transmitting service node
Seo et al. Extensible Multiple Spanning Tree Protocol for Virtual eXtensible LAN
Huh et al. An efficient bridging support mechanism using the cache table in the RPR-based metro Ethernet
JP2003258898A (en) Method for communication through multi-access network
Sun et al. The Research on Access Control for Bi-directional Multicast Routing

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden Industrial Park Building No. 19

Patentee after: RUIJIE NETWORKS CO., LTD.

Address before: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden Industrial Park Building No. 19

Patentee before: Fujian Xingwangruijie Network Co., Ltd.