CN101902474B - Label replacement based verification method of IPv6 true source address between every two autonomous domains - Google Patents

Info

Publication number: CN101902474B
Application number: CN201010234850.XA
Authority: CN (China)
Other versions: CN101902474A
Other languages: Chinese (zh)
Inventors: 吴建平, 李�杰, 徐恪
Current assignee: Tsinghua University
Original assignee: Tsinghua University
Legal status: Active (as listed by Google Patents)
Prior art keywords: alliance, autonomous, source, message, autonomous territory
Classification: Data Exchanges In Wide-Area Networks

Events: application filed by Tsinghua University; priority to CN201010234850.XA; publication of CN101902474A; application granted; publication of CN101902474B.
Abstract

The invention belongs to the technical field of the trusted next-generation Internet and provides a label-replacement-based method for verifying true IPv6 source addresses between autonomous domains. It comprises the following steps. When the source autonomous domain and the destination autonomous domain belong to the same trust alliance, the border router at the source end and the border router at the destination end complete source address verification of data packets exchanged between members of that single alliance, using the label that corresponds to the source and destination domains. When the source and destination autonomous domains belong to different trust alliances, the alliance border routers and the border routers at the source and destination ends cooperate to complete source address verification of cross-alliance packets by replacing the label several times along the path. The method is simple and lightweight to implement, has little effect on high-speed inter-domain communication, and supports hierarchical, incremental deployment of IPv6 true source address verification between autonomous domains.

Description

Method for verifying true IPv6 source addresses between autonomous domains based on label replacement
Technical field
The present invention relates to the technical field of the trusted next-generation Internet, and in particular to a hierarchically deployable method for verifying true IPv6 source addresses between autonomous domains based on label replacement.
Background art
Trustworthiness is a key characteristic of the next-generation Internet. In today's Internet, IP packet forwarding is based on the destination IP address; the source IP address of a packet is generally not checked for authenticity, so it is easy to forge. As the Internet has grown and commercial applications have multiplied, the make-up of network users has become very complex. Malicious attacks by some advanced users are often carried out by forging the source IP address of packets, and forged source addresses give attackers a way to hide their true identity and escape sanction, which has caused many security, management and accounting problems. Unavoidably, verifying the authenticity of IP source addresses poses serious challenges to the secure operation and sustainable development of the Internet. In the long-term interest of the Internet, only a highly trustworthy network service can satisfy future demand. Guaranteeing the authenticity of the source IP address of packets is therefore a key problem in realising a trusted next-generation Internet.
Today's Internet transmission service is best-effort: a router forwards a packet to the corresponding next hop according to the destination IP address in its forwarding table, and when the packet reaches the receiver, the receiver can judge the sender's identity only from the source IP address. The sender can alter the source IP address of a packet arbitrarily to achieve illegitimate ends. The receiver cannot tell whether the source IP address in the packet is genuine, and so cannot confirm that the packet came from the real sender. Present network service therefore stops at best-effort delivery to the destination and does not reach the level of a best-effort guarantee that the source end is trustworthy. At the same time, forged packets carrying false source IP addresses are still forwarded to the destination and bring security threats of varying degrees to the receiver.
Verification of true IPv6 source addresses between autonomous systems (ASes) is the most complex level of a trustworthy Internet architecture as a whole; its goal is to realise true source address verification at AS granularity.
In recent years academia and industry have made many related efforts, which can be summarised into three classes: techniques based on cryptographic authentication, techniques based on filtering, and techniques based on traceback. Cryptographic authentication introduces an end-to-end authentication mechanism that is independent of network topology and routing path and needs no special processing at intermediate nodes: the source AS end adds a cryptographic label certifying the true identity of the source, the packet is forwarded to the destination AS end, and the label carried by the packet is checked there; if the label verifies, it is removed and the packet is forwarded to the destination host, otherwise the packet is dropped. All ASes that deploy the cryptographic authentication method form a trust alliance, in which each pair of source AS and destination AS negotiates a valid, unique label for a given period. Cryptographic authentication guarantees that the source addresses of every AS in the trust alliance cannot be forged by another AS, realising true-IP-address access at AS granularity. An AS that takes part in cryptographic authentication can to some extent protect the users in its own network, so it has an incentive to deploy. However, in existing label-based methods for verifying true IPv6 source addresses between domains, deployment of a trust alliance is limited to a single-alliance architecture, that is, all ASes deploying inter-domain source address verification belong to one single trust alliance. This flat architecture requires every routing device inside the alliance to maintain a huge amount of global information in order to verify correctly, which overburdens the storage of the routing devices taking part in verification, increases packet verification delay and reduces efficiency; and the effect of any change in membership radiates to the whole alliance, making incremental deployment of the trust alliance extremely difficult.
Summary of the invention
The present invention aims to solve the problems above by proposing a label-replacement-based method for verifying true IPv6 source addresses between autonomous domains that supports building trust alliances hierarchically, has low overhead, scales well and verifies effectively.
To this end, the present invention proposes an inter-domain source address verification method that can be deployed hierarchically, comprising the following steps. The autonomous domains that deploy the method are organised into a hierarchical, multi-level trust alliance. When the source autonomous domain and the destination autonomous domain belong to the same trust alliance, the border router at the source end and the border router at the destination end complete source address verification of the data packets exchanged between members of that single alliance according to the label corresponding to the source and destination domains. When the source and destination autonomous domains belong to different trust alliances, the alliance border routers and the border routers at the source and destination ends cooperate to complete source address verification of cross-alliance packets by replacing the label several times. When the source or the destination autonomous domain is not a member of a trust alliance, no source address verification is performed and the packet is forwarded directly by destination address.
In one embodiment of the invention, when the source and destination autonomous domains belong to the same trust alliance, verification by the border routers at the two ends according to the corresponding label further comprises the following. The border router at the source autonomous domain end receives the packet on the ingress port facing the intra-domain network and checks whether the packet's source address belongs to this autonomous domain; if so it goes on to check the destination address, otherwise it drops the packet. It then checks whether the destination address belongs to the same trust alliance as the source address; if so it looks up the corresponding state machine between the source and destination domains, generates a label, adds it to the packet's extension header and sends the packet into the network. Relay autonomous domains do not process the packet but forward it directly by destination-address lookup. The packet reaches the destination autonomous domain, whose border router receives it on the egress port facing the external network and checks whether the source address belongs to this autonomous domain; if so it drops the packet, otherwise it goes on to check the destination address. It then checks whether the destination address belongs to this autonomous domain; if so it looks up the state machine corresponding to the source and destination domain ends, verifies and removes the label, and sends the packet into the intra-domain network.
In one embodiment of the invention, when the source and destination autonomous domains belong to different trust alliances, verification by cooperation of the alliance border routers and the border routers at the two ends through repeated label replacement further comprises the following. When the border router at the source autonomous domain end receives a packet that originates in the local domain and is destined to an address prefix outside the local alliance, it looks up state machine 1, whose source is the local autonomous domain and whose sink is the alliance border on the route to the destination prefix, generates and adds the corresponding label 1, and forwards the packet out of the local domain. When the alliance border router at the source end receives a packet that originates in the local alliance and is destined to a prefix outside it, it starts handling procedure 1. Routers of relay autonomous domains forward directly any packet that originates outside the local alliance and is destined outside it. When the alliance border router at the destination end receives a packet that originates outside the local alliance and is destined to a prefix inside it, it starts handling procedure 2. When the border router at the destination autonomous domain end receives a packet sent by the alliance border router, it verifies the authenticity of the packet's source address and, if the source address is genuine, forwards the packet into the local autonomous domain.
In one embodiment of the invention, handling procedure 1 further comprises: looking up state machine 1 and verifying and removing label 1 from the packet; then looking up state machine 2, whose source is the local alliance and whose sink is the alliance containing the destination prefix, generating and adding the corresponding label 2 to the packet, and forwarding it out of the local alliance.
In one embodiment of the invention, handling procedure 2 further comprises: looking up state machine 2 and verifying and removing label 2 from the packet; then looking up state machine 3, whose source is the local autonomous domain and whose sink is the autonomous domain to which the destination prefix belongs, generating and adding the corresponding label 3 to the packet, and forwarding it into the local alliance.
In one embodiment of the invention, verifying the packet's source address at the border router of the destination autonomous domain and forwarding into the local domain when it is genuine further comprises: when the border router at the destination autonomous domain end receives a packet sent by the border router of its own alliance, it looks up the corresponding state machine 3, verifies and removes label 3, and forwards the packet into the local autonomous domain.
In one embodiment of the invention, when the source or the destination autonomous domain is not a trust alliance member, forwarding the packet directly by destination address without source address verification further comprises the following. When a packet between a trust alliance user and a non-alliance user travels along the path to the destination prefix, an intra-alliance border router on the way forwards directly any packet that does not originate in its local autonomous domain and is destined to a prefix outside its local domain; and an alliance border router on the way forwards directly any packet that does not originate in the local alliance and is destined to a prefix outside the local alliance.
Compared with existing label-based methods for verifying true IPv6 source addresses between domains, this method is distinguished as follows. First, its application scenarios are varied: it applies both to the single trust alliance architecture, in which all ASes deploying source address verification belong to one trust alliance, and to a hierarchical trust alliance architecture, in which each level of trust alliance can join the trust alliance one level up as a member (several levels of trust alliance coexist). Second, routing device management overhead is reduced: the intra-alliance border router (AER) only needs to know the situation of its own alliance's members (membership information, state machine information and so on) rather than global information, while global reachability is still achieved, because only the alliance border router (TAER) has to hold global information. Third, packet processing time is shortened, since the delays of source and destination address checks, state machine lookup and label processing are reduced to some extent. Fourth, the alliances at different levels are independent of one another: changes in the internal network environment of a lower-level alliance and of a higher-level alliance are mutually invisible and do not affect each other, which favours incremental deployment.
With the label-replacement-based inter-domain IPv6 source address verification method proposed by the present invention, the Internet can build a top-down, pyramid-shaped hierarchical trust alliance architecture. This effectively avoids the effects of changes in inter-domain connectivity and network topology brought about by growth of a trust alliance, reduces the difficulty of controlling, negotiating and synchronising cryptographic authentication labels, greatly reduces the cost of equipment maintenance and label processing, guarantees efficient and accurate verification of source address authenticity, and strengthens the flexibility, redundancy and controllability of trust alliance construction, so that incremental deployment is effectively supported.
Additional aspects and advantages of the invention are given in part in the following description, will in part become apparent from it, or may be learned by practising the invention.
Brief description of the drawings
The above and other aspects and advantages of the invention will become apparent and easy to understand from the following description of embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a diagram of the hierarchical trust alliance architecture of an embodiment of the invention;
Fig. 2 is a control-plane flow chart of the verification devices of an embodiment of the invention;
Fig. 3 is an AER data-plane flow chart of an embodiment of the invention;
Fig. 4 is a TAER data-plane flow chart of an embodiment of the invention;
Fig. 5 is an application example of the invention;
Figs. 6 to 12 are data-plane flow charts of one embodiment of the invention; and
Fig. 13 is a design drawing of a simulated three-level trust alliance deployment on CERNET2 according to an embodiment of the invention.
Detailed description of embodiments
Embodiments of the invention are described in detail below; examples of them are shown in the drawings, where the same or similar reference numerals denote the same or similar elements, or elements with the same or similar functions, throughout. The embodiments described with reference to the drawings are exemplary and serve only to explain the invention; they are not to be construed as limiting it.
The present invention proposes a hierarchically deployable inter-domain IPv6 source address verification method based on label replacement. Its core idea is to introduce the alliance border (TAE): all autonomous systems (ASes) that deploy the cryptographic authentication mechanism are divided into multi-level alliances; each level of trust alliance can take part, as a member (abstracted as a single entity), in a higher-level trust alliance; and this provides a pyramid-shaped network architecture that guarantees source address authenticity and can be deployed hierarchically from the bottom up. Changes in the internal network environment of a lower-level alliance and of a higher-level alliance are mutually invisible and do not affect each other, so gradual deployment is effectively realised, and the validity and simplicity of verification are preserved even in a large hierarchy.
The hierarchically deployable label-replacement method proposed by the present invention is now described as a whole. Its authentication mechanism is an end-to-end, label-based cryptographic authentication mechanism. In a multi-level trust alliance architecture, the method divides data communication into three classes by judging whether the source autonomous domain and the destination autonomous domain belong to the same trust alliance.
First, when the source and destination autonomous domains belong to the same trust alliance, the border routers at the source and destination ends complete source address verification of packets exchanged between members of that single alliance according to the label corresponding to the source and destination domains. In the present invention this is called intra-alliance data communication (packets are exchanged between members inside an alliance at some level). In this scenario the member ASes of the alliance, which are correspondents of one another, need only maintain, within the scope of the local alliance, dynamic and secret state machine pairs between ASes: one is used when an AS acts as source end to generate the label that certifies its own identity, which the intra-alliance border router (AER) adds to the packet's extension header; the other is used when an AS acts as destination end, where the AER checks the label on the packets it receives. Because this communication takes place within a single alliance, processing of these packets does not involve label replacement.
More specifically, the border router at the source autonomous domain end first receives the packet on the ingress port facing the intra-domain network and checks whether the packet's source address belongs to the source autonomous domain; if so it goes on to check the destination address, otherwise it drops the packet. It then checks whether the destination address belongs to the same trust alliance as the source address; if so it looks up the state machine corresponding to this pair of members of the local alliance, generates a label, adds it to the packet's extension header and sends the packet into the network. Relay autonomous domains do no label checking on packets passing through but forward them directly by destination-address lookup. After the packet reaches its destination, the border router of the destination autonomous domain receives it on the egress port facing the external network and checks whether the source address belongs to the local autonomous domain; if so it drops the packet, otherwise it goes on to check the destination address. Finally it checks whether the destination address belongs to the same trust alliance as the source address; if so it looks up the state machine corresponding to the source and destination domain ends, verifies and removes the label, and sends the packet into the intra-domain network.
Second, when the source and destination autonomous domains belong to different trust alliances, the alliance border routers and the border routers at the source and destination ends cooperate to complete source address verification of cross-alliance packets by replacing the label several times. In an embodiment of the present invention this is called cross-alliance data communication (data communication between members of trust alliances at different levels). In this scenario the TAE is introduced to logically isolate each level of alliance from the outside network: all packets whose source address belongs to the local alliance and whose destination is in an alliance at another level are first forwarded to the first TAE on the routing path, where the alliance border router (TAER) replaces the label with the label of the higher-level alliance the packet is about to traverse, so that the TAER acts as a "relay agent" between the alliance's internal and external networks. If the packet passes through several higher-level alliances, this process is repeated to perform replacement level by level from the bottom up. All intermediate nodes on the routing path do nothing to the packet's label and simply forward by destination address. When the packet reaches the alliance containing the destination AS end, the TAER of each level correspondingly performs top-down label replacement on the packet level by level, until the packet reaches its destination.
More specifically, when the AER at the source AS end receives a packet that originates in the local AS and is destined to a prefix outside the local alliance, it looks up the state machine whose source is the local AS and whose sink is the alliance border on the route to the destination prefix (state machine 1), generates and adds the corresponding label (label 1), and forwards the packet out of the local AS. When the TAER at the source AS end receives a packet that originates in the local alliance and is destined to a prefix outside it, it starts two handling flows in succession:
(1) look up state machine 1, verify and remove label 1;
(2) look up the state machine whose source is the local alliance and whose sink is the alliance containing the destination prefix (state machine 2), generate and add the corresponding label (label 2), and forward out of the local alliance.
Subsequently, at the relay AS end, as the packet travels along the path to the destination prefix, the routing devices on the way forward packets that originate outside the local alliance and are destined outside it directly, without any verification. Correspondingly, when the TAER at the destination AS end receives a packet that originates outside the local alliance and is destined to a prefix inside it, it likewise starts two handling flows in succession:
(1) look up state machine 2, verify and remove label 2;
(2) look up the state machine whose source is the local AS and whose sink is the AS to which the destination prefix belongs (state machine 3), generate and add the corresponding label (label 3), and forward into the local alliance.
Finally, when the AER at the destination AS end receives the packet sent by the TAER, it looks up the corresponding state machine 3, verifies and removes label 3, and forwards into the local AS.
Third, when the source or the destination autonomous domain is not a trust alliance member, no label processing is needed and the packet is forwarded directly by destination address. In an embodiment of the present invention this is called non-alliance data communication (data communication between a trust alliance and a non-alliance network); in this scenario no label operation is involved and forwarding is by destination address only.
More specifically, when a packet between a trust alliance user and a non-alliance user travels along the path to the destination prefix, an AER on the way forwards without any verification any packet that does not originate in its local autonomous domain and is destined to a prefix outside its local domain; and a TAER on the way forwards without any verification any packet that does not originate in the local alliance and is destined to a prefix outside the local alliance.
The source address verification devices and the table entries they maintain in this method mainly comprise: the registrar (REG); the intra-alliance border router (AER); the alliance border router (TAER); the control server (ACS); the local alliance state machine table (LAST); the global state machine table (GAST); the global address prefix to alliance mapping table, coarse-grained (GA-TA-1); the global address prefix to alliance mapping table, fine-grained (GA-TA-2); and the local alliance border information table (LAEIT). They are described in Table 1:
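As an added illustration (not code from the patent or its authors), the following Python model walks packets of the three classes just described through the devices on their path: intra-alliance traffic carries one label end to end, cross-alliance traffic has its label replaced at the source-side and destination-side TAER (handling procedures 1 and 2), and traffic to or from a non-member AS is forwarded without label processing. It also shows the two places where a forged source address is caught: at the source AER, when the address is not the local AS's own, and at the destination TAER or AER, when the label the claimed source should carry is missing. The topology, prefixes and secrets are constructed, and the label construction (an HMAC over source, sink and epoch) is an assumption, since the patent text does not fix how the state machines produce labels.

```python
"""Toy model of label-based inter-domain source address verification with
hierarchical trust alliances. Added example, not the patent's own code;
topology, secrets and the HMAC label construction are assumptions."""
import hashlib
import hmac
import ipaddress

EPOCH = 7  # current period from the alliance time reference (REG); constructed

# Constructed topology: two sub-alliances whose TAERs sit in AS_Z and AS_W;
# AS_N belongs to no trust alliance.
ALLIANCE = {"AS_X": "Sub-TA1", "AS_V": "Sub-TA1", "AS_Z": "Sub-TA1",
            "AS_Y": "Sub-TA2", "AS_W": "Sub-TA2"}
BORDER_AS = {"Sub-TA1": "AS_Z", "Sub-TA2": "AS_W"}   # stands in for LAEIT
PREFIX_OWNER = {"2001:db8:1::/48": "AS_X", "2001:db8:5::/48": "AS_V",  # GA-TA-2 style
                "2001:db8:2::/48": "AS_Z", "2001:db8:3::/48": "AS_Y",
                "2001:db8:4::/48": "AS_W", "2001:db8:9::/48": "AS_N"}
# State machines negotiated by the control plane, one per ordered pair
# (AS pairs as in LAST, alliance pairs as in GAST). Constructed secrets.
SECRETS = {("AS_X", "AS_V"): b"k-xv", ("AS_X", "AS_Z"): b"k-xz",
           ("Sub-TA1", "Sub-TA2"): b"k-ta12", ("AS_W", "AS_Y"): b"k-wy"}

def owner_as(addr):
    """Map an IPv6 address to the AS owning its prefix (None if unknown)."""
    ip = ipaddress.ip_address(addr)
    return next((asn for p, asn in PREFIX_OWNER.items()
                 if ip in ipaddress.ip_network(p)), None)

def make_label(src, dst):
    """Label of the (src, dst) state machine for this epoch; None if no state
    machine was negotiated for the pair. HMAC is an assumed construction."""
    key = SECRETS.get((src, dst))
    if key is None:
        return None
    msg = f"{src}|{dst}|{EPOCH}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def label_ok(pkt, src, dst):
    expected = make_label(src, dst)
    return expected is not None and hmac.compare_digest(pkt.get("label") or "", expected)

def aer_egress(local_as, pkt):
    """Source-side AER, ingress port from the local AS network."""
    src_as, dst_as = owner_as(pkt["src"]), owner_as(pkt["dst"])
    if src_as != local_as:
        return None                                   # source address not ours: drop
    if dst_as not in ALLIANCE:
        return pkt                                    # non-member destination: no label
    if ALLIANCE[src_as] == ALLIANCE[dst_as]:
        pkt["label"] = make_label(src_as, dst_as)     # intra-alliance label
    else:
        pkt["label"] = make_label(src_as, BORDER_AS[ALLIANCE[src_as]])  # label 1
    return pkt

def taer_out(alliance, pkt):
    """Source-side TAER, handling procedure 1: check label 1, replace with label 2."""
    src_as, dst_as = owner_as(pkt["src"]), owner_as(pkt["dst"])
    if not label_ok(pkt, src_as, BORDER_AS[alliance]):
        return None
    pkt["label"] = make_label(alliance, ALLIANCE[dst_as])
    return pkt

def taer_in(alliance, pkt):
    """Destination-side TAER, handling procedure 2: check label 2, replace with label 3."""
    src_as, dst_as = owner_as(pkt["src"]), owner_as(pkt["dst"])
    if not label_ok(pkt, ALLIANCE.get(src_as), alliance):
        return None
    pkt["label"] = make_label(BORDER_AS[alliance], dst_as)
    return pkt

def aer_ingress(local_as, pkt):
    """Destination-side AER, egress port facing the network outside the AS."""
    src_as, dst_as = owner_as(pkt["src"]), owner_as(pkt["dst"])
    if src_as == local_as or dst_as != local_as:
        return None                                   # our own prefix from outside, or misrouted
    if src_as not in ALLIANCE:
        return pkt                                    # non-member source: forwarded as is
    same = ALLIANCE[src_as] == ALLIANCE[local_as]
    peer = src_as if same else BORDER_AS[ALLIANCE[local_as]]
    if not label_ok(pkt, peer, local_as):
        return None
    pkt["label"] = None                               # verified: strip the label
    return pkt

def send(origin_as, pkt):
    """Run the packet through the devices on its path. origin_as is where it
    really comes from, which a spoofer can make differ from pkt["src"].
    Returns the delivered packet, or None if some device dropped it."""
    dst_as = owner_as(pkt["dst"])
    origin_all, dst_all = ALLIANCE.get(origin_as), ALLIANCE.get(dst_as)
    if origin_all:
        pkt = aer_egress(origin_as, pkt)
    if pkt is None or dst_all is None:
        return pkt
    if origin_all and origin_all != dst_all:          # leaves its alliance through its TAER
        pkt = taer_out(origin_all, pkt)
    if pkt is not None and origin_all != dst_all:     # enters the destination alliance
        claimed = ALLIANCE.get(owner_as(pkt["src"]))
        if claimed is not None and claimed != dst_all:  # TAER runs procedure 2
            pkt = taer_in(dst_all, pkt)
    return None if pkt is None else aer_ingress(dst_as, pkt)

def packet(src, dst):
    return {"src": src, "dst": dst, "label": None}
```

The model keeps the patent's division of labour: the AER only needs state machines for its own alliance's AS pairs, while the alliance-pair state machine lives at the TAER. A packet from the non-member AS_N that claims an AS_X address is never handled by AS_X's AER, so it arrives without label 1; the destination TAER (for a cross-alliance destination) or the destination AER (for an intra-alliance one) then finds the expected label missing and drops it, which is the property the label scheme provides that plain destination-based forwarding does not.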
Table 1 (provided in the original as two images, BSA00000202802300071 and BSA00000202802300081; its contents are not reproduced in text)
In the hierarchical trust alliance architecture, source address verification of data packets is concentrated on the AER and the TAER, and is completed by cooperation of the control plane and the data plane. The control plane mainly comprises: registration and distribution of membership information; negotiation, change and synchronisation of state machines; and configuration of the AERs and TAERs. Its participants are the REG, the ACS and the AER/TAER. The data plane mainly comprises: adding the label at the AER of the source AS; completing first-stage source address verification and the first label replacement at the TAER of the source TAE; completing second-stage source address verification and the second label replacement at the TAER of the destination TAE; and completing third-stage source address verification by checking the label at the AER of the destination AS. Its participants are the AER and the TAER. To suit the hierarchical architecture while reducing deployment and operating costs, the REG and ACS equipment can be shared by alliances at several levels.
In the control plane the source-address verification procedure provides the following functions; the processing flow is shown in Figure 2:
(1) The REG accepts member registrations and modifications from the ACSs and maintains the member list;
(2) The REG acts as the alliance time reference, providing time to every member, and passes member information to the ACS of every alliance member;
(3) Each ACS obtains the member list from the REG and keeps its own copy dynamically synchronised with it;
(4) The ACSs collect and exchange address-prefix information among themselves;
(5) The ACSs generate and announce state-machine information among themselves;
(6) Each ACS generates policy and pushes it to its AER/TAER;
(7) Each ACS accepts operating-status reports from its AER/TAER;
(8) The AER/TAER receives the state machine pushed by the ACS and applies it;
(9) The AER/TAER receives the policy pushed by the ACS and applies it.
Using the instance shown in Figure 5, the source-address verification procedure for data packets in the hierarchical trust-alliance architecture is now described in detail; the data-plane processing flow of the AER/TAER involved is shown in Figures 3 and 4.
Step (1): When AS X_AER (the source-end AER) receives a packet originating from its local AS X, it looks up GA-TA-1 and finds that AS Y, the owner of the packet's destination prefix, does not belong to the local alliance Sub-TA2. Two processing steps follow in turn:
Step (1.1): It looks up LAEIT and finds that the TAE through which the packet's routed path leaves the local alliance Sub-TA2 is AS Z;
Step (1.2): It looks up LAST and finds the state machine <AS X, AS Z>, whose source is the local AS X and whose sink is AS Z, the first alliance border on the path to the destination prefix; it generates and adds the corresponding label (label 1) and forwards the packet out of the local AS X. The processing flow is shown in Figure 6.
Step (2): When AS K_AER (an intermediate AER) receives the packet from the network, it looks up GA-TA-1 and finds that the packet neither originates from nor is destined to its local AS; it leaves the label untouched and forwards the packet to the next hop according to the destination prefix. The processing flow is shown in Figure 7.
Step (3): When AS Z_TAER (the source-alliance TAER) receives the packet originating from its local alliance, it looks up GA-TA-2 and finds that AS Y, the owner of the destination prefix, does not belong to the local alliance Sub-TA2 but to the peer alliance Sub-TA3. Two processing steps follow in turn:
Step (3.1): It looks up LAST, finds the state machine <AS X, AS Z>, verifies label 1 and removes it;
Step (3.2): It looks up GAST and finds the state machine <Sub-TA2, Sub-TA3>, whose source is the local alliance and whose sink is the peer alliance owning the destination prefix; it generates and adds the corresponding label (label 2) and forwards the packet out of the local alliance. This completes the first-stage verification and the first label replacement. The processing flow is shown in Figure 8.
Step (4): When AS W_TAER (an intermediate TAER) receives the packet from the network, it looks up GA-TA-2 and finds that the packet originates from Sub-TA2 and is destined to a Sub-TA3 prefix, neither of which is its local alliance; it leaves the label untouched and forwards the packet to the next hop according to the destination prefix. The processing flow is shown in Figure 9.
Step (5): When AS U_TAER (the destination-alliance TAER) receives the packet from the network, it looks up GA-TA-2 and finds that AS Y, the owner of the destination prefix, belongs to its local alliance Sub-TA3. Two processing steps follow in turn:
Step (5.1): It looks up GAST, finds the state machine <Sub-TA2, Sub-TA3>, verifies label 2 and removes it;
Step (5.2): It looks up LAST, finds the state machine <AS U, AS Y>, adds label 3 and sends the packet towards AS Y. This completes the second-stage verification and the second label replacement. The processing flow is shown in Figure 11.
Step (6): When AS L_AER (an intermediate AER) receives the packet from the network, it looks up GA-TA-1 and finds that the packet neither originates from nor is destined to its local AS; it leaves the label untouched and forwards the packet to the next hop according to the destination prefix. The processing flow is shown in Figure 11.
Step (7): When AS Y_AER (the destination AER) receives the packet from the network, it looks up GA-TA-1 and finds that the destination prefix belongs to its local AS; it looks up LAST, finds the state machine <AS U, AS Y>, verifies label 3 and removes it. This completes the last verification stage. The processing flow is shown in Figure 12.
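The seven steps above, as a runnable simulation of the data plane. This is an added example; it is not code from the patent or from the inventors. Everything concrete in it is constructed: the prefixes, the alliance "TA4" that AS W is placed in, the shared secrets and the time slot. The patent does not say how a "state machine" turns into a label, so each pairwise state machine is modelled here as a shared secret and the label as a truncated HMAC over the pair, the slot and the packet's addresses; GA-TA-1 and GA-TA-2 are collapsed into one prefix table. The same AER code also applies the inward/outward port checks of the single-alliance case (claim 2) and the untouched transit of non-member traffic described earlier.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed topology (assumption): prefix -> (owning AS, alliance). The patent keeps a coarse
# GA-TA-1 on AERs and a fine GA-TA-2 on TAERs; one table is enough for the simulation.
GA_TA = {
    ipaddress.ip_network("2001:db8:10::/48"): ("X", "TA2"),
    ipaddress.ip_network("2001:db8:20::/48"): ("K", "TA2"),
    ipaddress.ip_network("2001:db8:30::/48"): ("Z", "TA2"),
    ipaddress.ip_network("2001:db8:40::/48"): ("W", "TA4"),  # transit alliance, assumed
    ipaddress.ip_network("2001:db8:50::/48"): ("U", "TA3"),
    ipaddress.ip_network("2001:db8:60::/48"): ("L", "TA3"),
    ipaddress.ip_network("2001:db8:70::/48"): ("Y", "TA3"),
}
AS_TA = {asn: ta for asn, ta in GA_TA.values()}
# LAEIT: per alliance, the member AS whose TAER is the border towards a foreign alliance.
LAEIT = {"TA2": {"TA3": "Z"}, "TA3": {"TA2": "U"}}
# LAST / GAST "state machines" modelled as per-pair shared secrets (assumption).
LAST = {("X", "Z"): b"secret-X-Z", ("U", "Y"): b"secret-U-Y"}
GAST = {("TA2", "TA3"): b"secret-TA2-TA3"}
SLOT = 17  # current time slot; in the patent the REG is the alliance time reference

@dataclass
class Packet:
    src: str
    dst: str
    label: bytes = b""  # the single label carried in an extension header; empty = none
    log: list = field(default_factory=list)

class Drop(Exception):
    pass

def lookup(addr):
    a = ipaddress.ip_address(addr)
    return next((owner for net, owner in GA_TA.items() if a in net), (None, None))

def make_label(secret, a, b, pkt):
    # Label bound to the pair, the slot and the packet's addresses (assumed construction).
    msg = f"{SLOT}|{a}|{b}|{pkt.src}|{pkt.dst}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]

def verify_and_strip(pkt, table, pair, where):
    secret = table.get(pair)
    if not (secret and pkt.label and hmac.compare_digest(pkt.label, make_label(secret, *pair, pkt))):
        raise Drop(f"{where}: label check failed for {pair}")
    pkt.label = b""
    pkt.log.append(f"{where}: verified and removed label {pair}")

def aer(asn, pkt, from_inside):
    ta = AS_TA[asn]
    src_as, src_ta = lookup(pkt.src)
    dst_as, dst_ta = lookup(pkt.dst)
    if from_inside:  # inward-facing port: only local sources may leave (claim 2, step 1)
        if src_as != asn:
            raise Drop(f"{asn}_AER: source {pkt.src} does not belong to AS {asn}")
        # first label is for the destination AS if same alliance, else for the exit TAER (LAEIT)
        peer = dst_as if dst_ta == ta else LAEIT[ta][dst_ta]
        pkt.label = make_label(LAST[(asn, peer)], asn, peer, pkt)
        pkt.log.append(f"{asn}_AER: added label {(asn, peer)}")
        return
    if src_as == asn:  # outward-facing port: a local source from outside is spoofed (claim 2, step 3)
        raise Drop(f"{asn}_AER: local source {pkt.src} arrived from outside")
    if dst_as != asn:
        pkt.log.append(f"{asn}_AER: transit, forwarded untouched")
        return
    peer = src_as if src_ta == ta else LAEIT[ta][src_ta]  # who attached the last label
    verify_and_strip(pkt, LAST, (peer, asn), f"{asn}_AER stage 3")

def taer(asn, pkt):
    ta = AS_TA[asn]
    src_as, src_ta = lookup(pkt.src)
    dst_as, dst_ta = lookup(pkt.dst)
    if src_ta == ta and dst_ta != ta:  # leaving the alliance: stage 1, first replacement
        verify_and_strip(pkt, LAST, (src_as, asn), f"{asn}_TAER stage 1")
        pkt.label = make_label(GAST[(ta, dst_ta)], ta, dst_ta, pkt)
        pkt.log.append(f"{asn}_TAER: added label {(ta, dst_ta)}")
    elif dst_ta == ta and src_ta != ta:  # entering the alliance: stage 2, second replacement
        verify_and_strip(pkt, GAST, (src_ta, ta), f"{asn}_TAER stage 2")
        pkt.label = make_label(LAST[(asn, dst_as)], asn, dst_as, pkt)
        pkt.log.append(f"{asn}_TAER: added label {(asn, dst_as)}")
    else:
        pkt.log.append(f"{asn}_TAER: transit, forwarded untouched")

# Path of the worked example: (AS, role, does the packet arrive on the inward-facing port?)
PATH = [("X", "aer", True), ("K", "aer", False), ("Z", "taer", None), ("W", "taer", None),
        ("U", "taer", None), ("L", "aer", False), ("Y", "aer", False)]

def run(src, dst, path=PATH, tamper_after=None):
    """Push one packet along path; optionally forge the label on the wire after AS tamper_after."""
    pkt = Packet(src, dst)
    try:
        for asn, role, from_inside in path:
            aer(asn, pkt, from_inside) if role == "aer" else taer(asn, pkt)
            if asn == tamper_after:
                pkt.label = bytes(8)  # attacker overwrites the label between two hops
        return "delivered", pkt
    except Drop as e:
        pkt.log.append(str(e))
        return "dropped", pkt
```

`run("2001:db8:10::1", "2001:db8:70::1")` walks X, K, Z, W, U, L, Y and returns a packet with an empty label and a log showing the three verifications and two replacements; a packet injected at X with a source address from Y's prefix is dropped by X's AER before any label is added, a label forged after K fails the stage-1 check at Z, and a packet between two unregistered prefixes crosses K, Z and W untouched. Note that the destination AER has to know which state machine the last label belongs to; here it derives the sender from the source prefix (same alliance) or from LAEIT (entry TAER), which is an assumption of this model.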
The following describes a concrete deployment. Following the deployment embodiment above, a three-level trust alliance was simulated on the pure-IPv6 China Education and Research Network (CERNET2), as shown in Figure 13:
Step (1): deploy at the Beijing core node, so that it becomes the alliance border between the CERNET2 alliance and the higher-level CNGI (China Next Generation Internet) trust alliance;
Step (2): deploy at the egress node of the China Telecom trust alliance, so that it becomes the alliance border between the China Telecom trust alliance and the higher-level CNGI alliance;
Step (3): deploy at CNGI-6IX, so that it becomes the alliance border between the CNGI alliance and the higher-level international alliance;
Step (4): CERNET2 (first level) and the China Telecom alliance (first level) are both members of the CNGI trust alliance and form the CNGI alliance (second level); the CNGI alliance and the trust alliances of other countries form the international alliance (third level). The alliances stand in peer or membership relationships with one another; their internal networks are unaffected by this and remain invisible to each other.
The above has described in detail the hierarchical network architecture with IPv6 true-source-address verification proposed by the invention. With the label-based inter-AS IPv6 source-address verification method proposed here, the Internet can build a top-down, pyramid-shaped trust-alliance architecture that is easy to deploy level by level. Its verification mechanism is an end-to-end cryptographic one, so it is not affected by AS interconnection relationships or by changes in the surrounding network topology; it can be deployed between adjacent as well as non-adjacent ASs, and intermediate nodes need no special processing. The method completes source-address verification several times along the path, yet a member inside an alliance at any level only needs to maintain local information (the members, state machines and address prefixes of its own alliance) rather than the global picture, while the global information (members, state machines and address prefixes of all levels) is held by the alliance borders (TAEs) of each level; this keeps the verification reliable and redundant while reducing its cost. As the number of ASs participating in the trust alliance grows, the cost of maintaining and processing the cryptographic labels grows only slowly, and the difficulty of management, negotiation and synchronisation does not grow, which gives some incentive for incremental deployment.
Although embodiments of the invention have been shown and described, those of ordinary skill in the art will appreciate that changes, modifications, substitutions and variations may be made to these embodiments without departing from the principles and spirit of the invention, whose scope is defined by the appended claims and their equivalents.

Claims (5)

  1. A label-replacement based method for verifying true IPv6 source addresses between autonomous systems, characterised in that it comprises the following steps:
    Step 1: determine the trust alliances to which the source AS and the destination AS belong;
    Step 2: when the source AS and the destination AS belong to the same trust alliance, the border routers at the source-AS end and at the destination-AS end complete the source-address verification of the data packets transmitted between the two alliance members using the label corresponding to the source AS and the destination AS;
    Step 3: when the source AS and the destination AS belong to different trust alliances, the border routers at the source-AS end and at the destination-AS end cooperate with the alliance border routers to complete the source-address verification of the data packets transmitted across alliances by replacing the label several times;
    Step 4: when the source AS is not a trust-alliance member and the destination AS is a trust-alliance member, no source-address verification is performed and the data packet is forwarded directly according to its destination address.
  2. The label-replacement based inter-AS IPv6 true-source-address verification method of claim 1, characterised in that, when the source AS and the destination AS belong to the same trust alliance, the completion of the source-address verification of the data packets transmitted between the two alliance members by the border routers at the source-AS end and the destination-AS end, using the label corresponding to the source AS and the destination AS, further comprises:
    Step 1: the source-AS-end border router receives a data packet on the port connected to the intra-domain network (ingress port) and checks whether the packet's source address belongs to this AS; if so, it goes on to check the destination address, otherwise it discards the packet;
    Step 1.1: it further checks whether the packet's destination address belongs to the same trust alliance as the source address; if so, it looks up the state machine that is valid and globally unique for the source AS and the destination AS within the current period, generates the corresponding label, inserts it into an extension header of the packet and sends the packet into the network;
    Step 2: the relay ASs do not process the data packets passing through them, but forward them directly by looking up the destination address;
    Step 3: the data packet is delivered to the destination AS; the destination-AS-end border router receives it on the port connected to the inter-domain network (egress port) and checks whether the packet's source address belongs to this AS; if so, the packet is discarded, otherwise it goes on to check the packet's destination address;
    Step 3.1: the destination-AS-end border router further checks whether the packet's destination address belongs to this AS; if so, it looks up the state machine corresponding to the source-AS end and the destination-AS end, verifies and removes the label, and delivers the packet to the intra-domain network.
  3. The label-replacement based inter-AS IPv6 true-source-address verification method of claim 1, characterised in that, when the source AS and the destination AS belong to different trust alliances, the cooperation of the border routers at the source-AS end and the destination-AS end with the alliance border routers to complete, by replacing the label several times, the source-address verification of the data packets transmitted across alliances further comprises:
    Step 1: when the source-AS-end border router receives a packet originating from the local AS and destined to an address prefix outside the local alliance, it looks up state machine 1, whose source is the local AS and whose sink is the alliance border on the route to the destination prefix, generates and adds the corresponding label 1, and forwards the packet out of the local AS;
    Step 2: when the alliance border router at the source-AS end receives a packet originating from the local alliance and destined to said address prefix outside the local alliance, it starts procedure 1;
    Step 3: the routers of the relay ASs directly forward packets that originate outside the local alliance and are destined to prefixes outside the local alliance;
    Step 4: when the alliance border router at the destination-AS end receives a packet originating outside the local alliance and destined to a prefix of the local alliance, it starts procedure 2;
    Step 5: when the destination-AS-end border router receives the packet sent by the alliance border router, it verifies the authenticity of the packet's source address and, when the source address is genuine, forwards the packet into the local AS;
    wherein said procedure 1 further comprises:
    Step 1: look up said state machine 1, verify and remove said label 1;
    Step 2: look up state machine 2, whose source is the local alliance and whose sink is the alliance owning the destination prefix, generate and add the corresponding label 2, and forward the packet out of the local alliance;
    wherein said procedure 2 further comprises:
    Step 1: look up state machine 2, whose source is the alliance owning the source prefix and whose sink is the local alliance, verify and remove the corresponding label 2;
    Step 2: look up state machine 3, whose source is the local AS and whose sink is the AS owning the destination prefix, generate and add the corresponding label 3, and forward the packet within the local alliance.
  4. The label-replacement based inter-AS IPv6 true-source-address verification method of claim 3, characterised in that, when the destination-AS-end border router receives the packet sent by the alliance border router, verifying the authenticity of the packet's source address and, when it is genuine, forwarding the packet into the local AS further comprises:
    when the destination-AS-end border router receives the packet sent by the alliance border router, it looks up said state machine 3, verifies and removes said label 3, and forwards the packet into the local AS.
  5. The label-replacement based inter-AS IPv6 true-source-address verification method of claim 1, characterised in that, when the source AS is not a trust-alliance member and the destination AS is a trust-alliance member, forwarding the data packet according to its destination address further comprises:
    when traffic between said trust-alliance member and the non-member is forwarded along the path to the destination prefix, a border router on the path directly forwards packets that neither originate from the local AS nor are destined to a prefix of the local AS;
    when traffic between said trust-alliance member and the non-member is forwarded along the path to the destination prefix, an alliance border router on the path directly forwards packets that neither originate from the local alliance nor are destined to a prefix of the local alliance.
CN201010234850.XA 2010-07-21 2010-07-21 Label replacement based verification method of IPv6 true source address between every two autonomous domains Active CN101902474B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010234850.XA CN101902474B (en) 2010-07-21 2010-07-21 Label replacement based verification method of IPv6 true source address between every two autonomous domains

Publications (2)

Publication Number Publication Date
CN101902474A CN101902474A (en) 2010-12-01
CN101902474B true CN101902474B (en) 2012-11-14

Family

ID=43227675

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010234850.XA Active CN101902474B (en) 2010-07-21 2010-07-21 Label replacement based verification method of IPv6 true source address between every two autonomous domains

Country Status (1)

Country Link
CN (1) CN101902474B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9560055B2 (en) * 2014-04-30 2017-01-31 Microsoft Technology Licensing, Llc Client-side integration framework of services
CN105791458B (en) * 2016-02-29 2020-01-03 新华三技术有限公司 Address configuration method and device
CN107547558B (en) * 2017-09-18 2020-09-08 新华三技术有限公司 Access method and device for SMA networking
CN110061918B (en) * 2019-04-18 2021-01-22 广西大学 Method and device for evaluating safety of routing between autonomous domains
CN111211976B (en) * 2020-03-02 2021-03-19 清华大学 BGP routing information verification method and device
CN111585984B (en) * 2020-04-24 2021-10-26 清华大学 Decentralized security guarantee method and device for packet full life cycle
CN111726368B (en) * 2020-07-02 2021-05-11 清华大学 SRv 6-based inter-domain source address verification method
CN112738113B (en) * 2020-12-31 2022-04-01 清华大学 Organization information label generation method and message transmission method
CN114866470A (en) * 2021-02-03 2022-08-05 华为技术有限公司 Method, device, system and storage medium for sending message
CN114172731A (en) * 2021-12-09 2022-03-11 赛尔网络有限公司 Method, device, equipment and medium for quickly verifying and tracing IPv6 address
CN114268551A (en) * 2021-12-16 2022-04-01 南京华飞数据技术有限公司 Autonomous domain level network topology mapping method based on active and passive cooperation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1921487A (en) * 2006-09-19 2007-02-28 清华大学 Identifying method for IPv6 actual source address between autonomy systems based on signature
CN1921394A (en) * 2006-09-19 2007-02-28 清华大学 Actual IPv6 source address verification method based on autonomy system interconnecting relation
CN1953373A (en) * 2006-09-19 2007-04-25 清华大学 A method to filter and verify open real IPv6 source address

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100211661A1 (en) * 2007-07-18 2010-08-19 Panasonic Corporation Address generation method, address generation system, communication device, communication method, communication system, and partner communication device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
吴建平等.IPv6网络自治系统间源地址验证技术研究.《中国科技论文在线》.2007,第2卷(第10期), *
吴建平等.构建基于真实IPv6源地址验证体系结构的下一代互联网.《中国科学(E辑:信息科学)》.2008,第38卷(第10期), *

Also Published As

Publication number Publication date
CN101902474A (en) 2010-12-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant