CN101931628A - Method and device for verifying intra-domain source addresses - Google Patents

Info

Publication number: CN101931628A
Authority: CN (China)
Legal status: Granted; active
Application number: CN2010102665482A
Other languages: Chinese (zh)
Other versions: CN101931628B (en)
Inventors: 毕军, 姚广, 王军涛, 胡萍
Current assignee: Tsinghua University
Original assignee: Tsinghua University
Application filed by Tsinghua University
Priority to CN2010102665482A
Publication of CN101931628A
Application granted
Publication of CN101931628B

Abstract

The invention discloses a device and a method for verifying intra-domain source addresses. The device comprises an acquisition module, a computing module, an extraction module and a packet verification module. The acquisition module obtains, on predetermined nodes selected among the network nodes of the domain as deployment points, all source address prefixes whose traffic passes through each deployment point; the computing module reads the link state database on the router corresponding to each deployment point and, combined with the source address prefixes passing through that deployment point, calculates the route forwarding paths from each such prefix as source to the other prefixes; the extraction module extracts from the route forwarding paths each source address prefix, the ingress interface through which it reaches each deployment point and the hop count; and the packet verification module obtains the source address prefix declared by a packet to be verified, the ingress interface through which it reaches the current deployment point and the hop count actually traversed, and matches them respectively against the extracted source address prefix, ingress interface to the current deployment point and hop count. The device and method are simple to implement, support incremental deployment and give better source address verification.

Description

Method and device for verifying intra-domain source addresses
Technical field
The invention belongs to the field of Internet technology and in particular relates to techniques for verifying the authenticity of IP source addresses.
Background technology
Attacks using spoofed IP source addresses are rampant on the Internet; according to statistics from Internet organizations, at least 4000 denial-of-service attacks using forged source addresses occur every week. Such attacks are easy to launch and hard to trace back, which is why source address spoofing attacks have spread unchecked.
Many techniques have been proposed in the hope of controlling this class of attack. They fall into three categories:
Filtering: these techniques mainly use routing information to filter out part of the packets carrying forged source addresses. A typical example is ingress filtering, in which the gateway checks whether the source address of each received packet lies within the address range of the attached subnet and judges from this whether the packet is legitimate.
End-to-end approaches: the source end adds a mark to each packet, and the destination examines this mark to judge whether the source address carried in the packet is genuine.
Traceback: traceback techniques are passive. They aim to obtain the path a packet has taken through the Internet so that, when an attack occurs, the address of the attack source can be obtained by analyzing the packet's route.
Although many solutions have appeared, no current method solves the source address forgery problem ideally. Lack of support for incremental deployment and lack of incentives for operators are the main reasons this problem persists.
Fully deploying ingress filtering is technically the simplest and most effective approach, but because there is no incentive mechanism it cannot be enforced everywhere. uRPF (Unicast Reverse Path Forwarding) is a more practical alternative, and existing work has supplemented and strengthened uRPF, but it has fatal shortcomings: it performs poorly under asymmetric routing and is powerless against forged source addresses that lie on the same reverse path. Such situations are common within a domain, and with the rapid growth of IPv6 (Internet Protocol version 6) networks, an intra-domain source address scheme that supports both IPv6 and IPv4 (Internet Protocol version 4) has become urgently needed.
Summary of the invention
The purpose of the invention is to solve at least one of the problems of the prior art described above.
To this end, embodiments of the invention propose a source address verification scheme that is simple to implement, supports incremental deployment and has better effect.
According to one aspect of the invention, an embodiment proposes a method for verifying intra-domain source addresses, applied on network nodes within a domain, the method comprising the following steps:
A) selecting predetermined nodes among the network nodes in the domain as deployment points;
B) obtaining, for each deployment point, all source address prefixes whose traffic passes through it;
C) reading the link state database on the router corresponding to each deployment point and, combined with the source address prefixes passing through that deployment point, calculating the route forwarding paths from each such prefix as source to the other prefixes;
D) extracting from the route forwarding paths each source address prefix, the ingress interface through which each source address prefix reaches each deployment point, and the hop count each source address prefix traverses to reach each deployment point; and
E) for a packet to be verified, obtaining the source address prefix declared by the packet, the ingress interface through which it reaches the current deployment point and the actual hop count traversed to reach the current deployment point, and matching them respectively against the extracted source address prefix, ingress interface to the current deployment point and hop count to the current deployment point.
According to a further embodiment of the invention, step C comprises:
taking each source address prefix passing through each deployment point in turn as root and computing the corresponding shortest path tree with the shortest path first (SPF) algorithm, to obtain the route forwarding paths.
According to a further embodiment of the invention, step E comprises:
looking up the corresponding extracted source address prefix using the source address prefix declared by the packet to be verified;
obtaining, from the extracted source address prefix found, the corresponding ingress interface to the current deployment point and hop count to the current deployment point;
matching the ingress interface through which the packet reaches the current deployment point against the ingress interface corresponding to the extracted source address prefix; and
when the ingress interfaces match, matching the actual hop count the packet traversed to reach the current deployment point against the hop count corresponding to the extracted source address prefix.
According to another aspect of the invention, embodiments propose a device for verifying intra-domain source addresses, applied on network nodes within a domain, the device comprising: an acquisition module, which obtains, on the predetermined nodes selected among the network nodes in the domain as deployment points, all source address prefixes passing through each deployment point; a computing module, which reads the link state database on the router corresponding to each deployment point and, combined with the source address prefixes passing through that deployment point, calculates the route forwarding paths from each such prefix as source to the other prefixes; an extraction module, which extracts from the route forwarding paths each source address prefix, the ingress interface through which each source address prefix reaches each deployment point and the hop count each source address prefix traverses to reach each deployment point; and a packet verification module, which obtains the source address prefix declared by a packet to be verified, the ingress interface through which it reaches the current deployment point and the actual hop count traversed to reach the current deployment point, and matches them respectively against the extracted source address prefix, ingress interface to the current deployment point and hop count to the current deployment point.
According to a further embodiment of the invention, the computing module takes each source address prefix passing through each deployment point in turn as root and computes the corresponding shortest path tree with the shortest path first (SPF) algorithm, to obtain the route forwarding paths.
According to a further embodiment of the invention, the packet verification module comprises:
a lookup unit, which looks up the corresponding extracted source address prefix using the source address prefix declared by the packet to be verified;
an extraction unit, which obtains, from the extracted source address prefix found, the corresponding ingress interface to the current deployment point and hop count to the current deployment point;
a first matching unit, which matches the ingress interface through which the packet reaches the current deployment point against the ingress interface corresponding to the extracted source address prefix; and
a second matching unit, which, when the ingress interfaces match, matches the actual hop count the packet traversed to reach the current deployment point against the hop count corresponding to the extracted source address prefix.
The invention does not depend on the underlying network devices or on the way source addresses are assigned; it is an intra-domain source address verification scheme with prefix-level granularity, can be deployed in an OSPF domain, and supports both IPv6 and IPv4.
The method uses no additional techniques; in essence it analyzes two behavioral indicators of packets inside the domain, forwarding direction and hop count, to verify whether a packet's source address is genuine. The method supports incremental deployment in the network and is embedded in routers as an extension component. The invention is simple to implement and gives better source address verification.
Additional aspects and advantages of the invention are given in part in the following description, will in part become apparent from it, or will be learned through practice of the invention.
Description of drawings
The above and other aspects and advantages of the invention will become apparent and easy to understand from the following description of embodiments in conjunction with the drawings, in which:
Fig. 1 is the flow chart of the intra-domain source address verification method of an embodiment of the invention;
Fig. 2 is the operating principle diagram of the intra-domain source address verification device of an embodiment of the invention;
Fig. 3 is a schematic diagram of a deployment example of the invention.
Embodiment
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, in which identical or similar reference numerals throughout denote identical or similar elements or elements with identical or similar functions. The embodiments described below with reference to the drawings are exemplary and serve only to explain the invention; they are not to be construed as limiting it.
The invention is deployed on network nodes within a domain, such as routers or layer-3 switches. It is a source address verification scheme with prefix-level granularity that applies to both IPv6 and IPv4, requires no modification of hosts or existing protocols and adds no new protocol, supports incremental deployment, and performs better than uRPF.
Referring now to Fig. 1, which is the flow chart of the intra-domain source address verification method of an embodiment of the invention.
As shown in the figure, the method comprises the following steps:
The method supports incremental deployment. First the deployment points are chosen: predetermined network nodes in the domain are selected as deployment points (step 102).
Key central nodes can be chosen, for example nodes with a larger number of links, nodes with larger traffic volume, or nodes that are easy to upgrade and convenient to deploy; this depends mainly on the experience of the network administrator.
Before deployment, the following preprocessing is done: all source address prefixes passing through each deployment point are obtained (step 104). Each deployment point must know this information, and within the same time period each deployment point holds identical node prefix information.
Specifically, two approaches are possible: (1) collect and record the subnet prefixes passing through a given deployment point. Over a fairly long period (one day or several days, chosen freely; the longer the better), collect all prefixes passing through the deployment point (including prefix addresses that may be forged) and record them in a prefix set, ending the collection once the number and content of entries in the table have stabilized; (2) obtain the prefix information directly from the network administration of the domain, if available. If all prefix information in the domain can be obtained from the upper-layer network administration, the statistical collection step above can be skipped, but the subsequent computation takes much longer, because every prefix is then assumed to pass through every deployment point. Although the computation takes longer, it is very accurate and does not introduce non-existent prefixes.
Step 104 is a preprocessing step before deployment and takes some time.
After preprocessing, the link state database (LSDB) generated by the OSPF protocol is read on the router corresponding to each deployment point; once all routes in the domain have converged, this LSDB is identical for every node in the domain.
Combined with the source address prefixes passing through each deployment point obtained in step 104, the route forwarding paths from each such prefix as source to the other prefixes are calculated (step 106).
Because the LSDB obtained is identical everywhere, and each deployment node has recorded its own set of prefixes passing through it, each deployment point can calculate its route forwarding paths on its own, without coordination or data exchange between deployment points.
The calculation is illustrated below for one deployment point. From the prefix set known at the deployment point from step 104, take each prefix in turn as root and compute the corresponding shortest path tree with the shortest path first (SPF) algorithm; this yields the route forwarding paths from that prefix as source to the other prefixes. From the computed shortest path tree, pick out all route forwarding paths on which the current deployment node is an intermediate node.
If the prefix set was collected by approach (1), then every shortest path tree computed in this step necessarily contains some route forwarding paths on which the current deployment node is an intermediate node. If the set is all prefixes in the domain obtained from network management by approach (2), then there will certainly be shortest path trees rooted at some prefix on which no route forwarding path has the current deployment node as an intermediate node; this is redundant computation, and such prefix records are deleted from the prefix record set, since that prefix is not one passing through this deployment point. Although this brings redundant computation, it avoids the situation in which a forged source prefix is already present in the collected prefix set, and so increases the accuracy of the method.
Then, from these route forwarding paths, each source address prefix, the ingress interface through which it reaches the current deployment point, and the hop count it traverses to reach the current deployment point are extracted (step 108) and recorded as a three-dimensional vector of the form (prefix, ingress interface, hop count). Once all such vectors have been computed, they are stored in a data table holding these mapping relations; the set of such three-dimensional vectors can be called the filter database (FDB).
The mapping table represented by the FDB establishes the mapping between a source address prefix, the ingress interface through which the prefix reaches the deployment node and the hop count to reach it; the authenticity of a packet's source address is verified against these mappings.
Considering that forged address prefixes may have been recorded in step 104, the actual calculation can still accurately derive the real filter mapping for such a prefix, while for a non-existent address prefix the corresponding shortest path tree cannot be computed.
For a packet to be verified, the source address prefix declared by the packet, the ingress interface through which it reaches the current deployment point and the actual hop count traversed to reach the current deployment point are obtained and matched respectively against the extracted source address prefix, ingress interface to the current deployment point and hop count to the current deployment point (step 110).
Specifically, for a packet to be verified, the address prefix declared by the packet (obtained from the source IP and address mask) is extracted, the packet's ingress interface is checked, and the number of hops the packet has traversed to reach this deployment point is inferred from the change in the packet's TTL (Time To Live) value (under normal conditions the initial TTL value of each operating system is a known constant). The invention further assumes that under normal conditions users do not modify the TTL value of packets, and any modification of the TTL value is treated as an attempt to tamper with the source address.
The FDB is then searched with the extracted declared source address prefix as the key to find the corresponding entry. First the packet's ingress interface is matched against the interface recorded in the entry; if they do not match, the packet is discarded directly.
If the ingress interface matches, the hop count traversed by the packet is compared with the record in the entry; if they match the packet is released, and if they differ greatly it is discarded directly. That is, when the difference between the actual hop count the packet traversed to reach the current deployment point and the hop count recorded for the extracted source address prefix exceeds a predetermined threshold, the packet can be discarded; if the difference is small, the packet can be released. The predetermined threshold can be set according to experiments on the real network.
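As an added worked example (not the patent's own code), the following Python builds the FDB of steps 106 to 108 for one deployment point from a link-state view by running SPF from each prefix's origin router, and then applies the step 110 check to packets; the topology, prefixes, interface names, initial TTL constants and the hop-count threshold are all constructed assumptions.

```python
"""Added example (not the patent's code): build the filter database (FDB) of
(prefix, ingress interface, hop count) for a deployment point, then check packets."""
import heapq
from ipaddress import ip_address, ip_network

# Constructed link-state view: (router_a, iface_on_a, router_b, iface_on_b, cost),
# links symmetric. Loosely follows Fig. 3: R_C -> A -> X -> B -> N, plus a side
# branch X -> Y -> N so that traffic from Y never transits B.
LINKS = [
    ("R_C", "eth0", "A", "if_1", 1),
    ("A", "if_3", "X", "eth0", 1),
    ("X", "eth1", "B", "if_2", 1),
    ("B", "if_4", "N", "eth0", 1),
    ("X", "eth2", "Y", "eth0", 1),
    ("Y", "eth1", "N", "eth1", 2),
]
# Constructed prefix origins: the router each source prefix sits behind.
PREFIX_ORIGIN = {"10.1.0.0/16": "R_C", "10.6.0.0/16": "Y", "10.9.0.0/16": "N"}
# Assumed initial TTLs; the patent only says each OS uses a known constant.
INITIAL_TTLS = (64, 128, 255)


def build_graph(links):
    """Adjacency list: node -> [(neighbour, cost, local interface)]."""
    graph = {}
    for a, ifa, b, ifb, cost in links:
        graph.setdefault(a, []).append((b, cost, ifa))
        graph.setdefault(b, []).append((a, cost, ifb))
    return graph


def spf(graph, root):
    """Dijkstra shortest-path tree rooted at root: (distance, predecessor) maps."""
    dist, prev, heap = {root: 0}, {}, [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale heap entry
        for v, cost, _ in graph[u]:
            if d + cost < dist.get(v, float("inf")):
                dist[v], prev[v] = d + cost, u
                heapq.heappush(heap, (d + cost, v))
    return dist, prev


def tree_path(prev, root, dst):
    """Node sequence from root to dst along the shortest-path tree."""
    path = [dst]
    while path[-1] != root:
        path.append(prev[path[-1]])
    return path[::-1]


def build_fdb(graph, prefix_origin, deploy_point):
    """FDB for one deployment point: prefix -> (ingress interface, hop count).
    A prefix is kept only if some path from its origin to another prefix's
    origin has deploy_point as an intermediate node (steps 106 and 108)."""
    fdb = {}
    for prefix, root in prefix_origin.items():
        if root == deploy_point:
            continue
        dist, prev = spf(graph, root)
        for dst in prefix_origin.values():
            if dst == root or dst not in dist:
                continue
            path = tree_path(prev, root, dst)
            if deploy_point in path[1:-1]:
                hops = path.index(deploy_point)      # links from the origin router
                upstream = path[hops - 1]
                ingress = next(i for n, _, i in graph[deploy_point] if n == upstream)
                fdb[ip_network(prefix)] = (ingress, hops)
                break
    return fdb


def infer_hops(ttl):
    """Hops traversed = initial TTL - observed TTL, assuming a standard initial TTL."""
    initial = next(t for t in INITIAL_TTLS if ttl <= t)
    return initial - ttl


def verify(fdb, src_ip, ingress_if, ttl, threshold=1):
    """Step 110 for one packet: ('pass' | 'drop', reason); threshold is the
    assumed tolerated hop-count difference."""
    addr = ip_address(src_ip)
    candidates = [p for p in fdb if addr in p]
    if not candidates:                    # assumption: unknown prefix is dropped
        return "drop", "no FDB entry for declared prefix"
    exp_if, exp_hops = fdb[max(candidates, key=lambda p: p.prefixlen)]
    if ingress_if != exp_if:
        return "drop", f"ingress {ingress_if}, expected {exp_if}"
    hops = infer_hops(ttl)
    if abs(hops - exp_hops) > threshold:
        return "drop", f"hop count {hops}, expected {exp_hops}"
    return "pass", f"ingress {exp_if} after {hops} hops"
```

For deployment point B the prefix behind Y is left out of the FDB because no shortest path from Y has B as an intermediate node, which is the redundant-prefix pruning the text describes for approach (2).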
In one embodiment, a "filter log table" can be used, which records the past filtering situation of prefixes for use in future filtering decisions. This table serves as a further confirmation mechanism for packets whose disposition cannot be determined, using historical statistics to make more reasonable decisions about whether to pass or drop future packets of a prefix.
A statistical decision method is formulated by referring to the logged information. If the hop counts differ only slightly, the actual information of the packet's prefix is first recorded (the set of such information is called the pending set) and the packet is released; if next time a large number of packets with the same prefix and the same hop count appear, packets of that prefix are rate-limited; if the hop count seen next time differs from the record in the pending set, the pending entry is updated and processing proceeds according to the previous steps.
Packets that have been rate-limited or released directly are handed to the routing system, which completes the packet verification process at this router.
In one embodiment, the filter log can be checked periodically, at a set interval such as every 24 hours. Checking the filter log determines the effect and validity of the filtering decisions and provides data to support the statistical decisions of step 110.
The specific practice is: the log records the prefixes dropped and their quantities; it can be recorded once per day, but all logs are kept to provide a data set for later statistical decisions. Every day the decision conclusions computed for the different prefixes are stored in a table called the next-time decide table (NDT): some prefixes should continue to be discarded next time, some should be rate-limited next time, and some should be released directly next time; for the same dropped prefix, the record in the NDT may differ from day to day. For clarity it may also be called the future decide table (FDT).
During verification in step 110, for a packet for which it cannot be determined whether to discard, the NDT is consulted first to decide the disposition of the current packet; if the prefix is not recorded there, processing follows the remaining steps of step 110.
In practice the LSDB changes constantly, which means the mapping records in the FDB must also be updated continuously. Whenever the network state changes, the LSDB changes.
The method can detect changes in the LSDB. Once a change is detected, each deployment point returns to step 106 and immediately recomputes the FDB.
While the FDB is being recomputed, incoming packets are not checked until the new FDB has been computed; otherwise both false negatives and false positives may increase greatly.
The present invention also provides a kind of demo plant of intra-domain source addresses, is applied in the territory on the network node, below in conjunction with Fig. 2 its operation principle is described.
This demo plant can embed among the route system module, is operated in before the work of route system nucleus module, and all are verified through the source address of the prefix granularity of deployment point.
Described device comprises acquisition module (not shown), computing module 12, extraction module 14 and authentication of message module 16.
Acquisition module network node in the territory is selected to obtain all source address prefix by way of each deployment point respectively on the destined node as each deployment point.
Computing module 12 reads the LSD LSDB on each deployment point corresponding router, and in conjunction with each deployment point correspondence to calculate with each by way of source address prefix set be the routing forwarding path that the source arrives other prefixes by way of source address prefix Prefix.
Computing module 12 can be respectively is root with each of each deployment point by way of source address prefix Prefix, uses shortest path (SPF) algorithm computation to go out corresponding shortest path tree, to obtain the routing forwarding path.
Extraction module 14 extracts the filtering meter item of each source address prefix correspondence from above-mentioned routing forwarding path, obtain each source address prefix, each source address prefix arrives the incoming interface of each deployment point and the jumping figure that each source address prefix arrives each deployment point process.
Then they are compiled, be designated as the form of a three-dimensional vector (prefix, incoming interface, jumping figure), and this three-dimensional vector is recorded in the FDB tables of data, store these mapping relations three-dimensional vector set.
The FDB tables of data can be deposited and inquiry at a high speed.This demo plant can comprise special memory module and be used to deposit the FDB data.In the real work, this module is also supported high speed access, the inquiry for FDB, and carry out indexation for the higher FDB clauses and subclauses of the frequency of occurrences and manage, purpose is the treatment effeciency of raising method, and can't influence the treatment effeciency of this programme because of this link significantly.
For message to be verified, authentication of message module 16 obtain message declaration to be verified source address prefix, arrive the incoming interface and the actual jumping figure that is forwarded to current deployment point process of current deployment point, and mate checking with the source address prefix of extracting, the jumping figure that arrives the incoming interface of current deployment point and arrive current deployment point respectively.
Particularly, described authentication of message module comprises and searches unit (not shown), extraction unit (not shown), the first matching unit (not shown) and the second matching unit (not shown).
Search the source address prefix inquiry FDB of unit by using message declaration to be verified, therefrom search corresponding extraction source address prefix, the extraction source address prefix that the extraction unit basis is searched, the incoming interface of the current deployment point of arrival of acquisition extraction source address prefix correspondence and the jumping figure that arrives current deployment point.
First matching unit and second matching unit are used to verify the going or staying of message and the message of making a strategic decision, and wherein first matching unit is used to mate the incoming interface that message to be verified arrives the current deployment point of arrival of the incoming interface of current deployment point and extraction source address prefix correspondence; And when incoming interface mated, second matching unit mated the jumping figure of the current deployment point of arrival of actual jumping figure that is forwarded to current deployment point process of message to be verified and extraction source address prefix correspondence.
When the difference of second matching unit between the jumping figure of the current deployment point of arrival of actual jumping figure that is forwarded to current deployment point process of message to be verified and extraction source address prefix correspondence exceeds predetermined threshold, abandon this message to be verified.
In one embodiment, first matching unit and second matching unit can the combined filtering daily record be verified and are made a strategic decision.The situation situation of record filtration prefix in the past in the filtration decision-making in future in the log sheet, this table record is to do further affirmation mechanism for the message going or staying that can't determine, used the historical statistics method, come more rational decision-making is done in the going or staying of the prefix message that receive future.
By the information of reference log record, formulate statistical decision method.If be more or less the same, write down the actual information (set of this information is called collection undetermined) of this prefix message earlier, the clearance message, if identical but the message jumping figure of a large amount of same prefix occurs next time, then the message of prefix carries out speed limit hereto; If different in the message jumping figure that occur next time and the collection record undetermined are then upgraded this collection clauses and subclauses undetermined, handle according to the step of front then.
For then directly giving the route system module, finish at the overall process of the authentication of message of this router through the speed limit or the message of directly letting pass.
The present invention need safeguard two data thesauruss, is respectively FDB and filtration log sheet, and wherein FDB is the mapping relations of prefix, incoming interface and jumping figure, is the key data foundation of authentication of message.Another is the situation situation of filtration prefix in the filtration decision-making in future in the past of record in " filtration log sheet ", this table record is to do further affirmation mechanism for the message going or staying that can't determine, used the historical statistics method, come more rational decision-making is done in the going or staying of the prefix message that receive future.
The data structure mapping a prefix to IngressIf and HopCount is as follows:
PreFix (prefix address) | IngressIf (ingress interface) | HopCount (hop count traversed during forwarding)
The data structure for future filtering decisions on filtered prefixes is as follows:
PreFix (filtered prefix address) | Discard/Decelerate (discard / rate-limited pass)
Fig. 3 is a schematic diagram of a deployment example of the present invention. Host C is a host under the router prefix Prefix; suppose that, computed from the routing table, packets sent by host C to server S are forwarded along the dotted path shown.
As can be seen from the figure, a packet enters node A through interface if_1 of deployment point A after one hop and is verified there once; if it fails verification it is dropped at point A. Otherwise the packet continues and, after two more hops, enters node B through interface if_2 of deployment point B, where it is verified again; if it fails verification it is dropped at point B. Otherwise the packet continues one more hop to node N and finally reaches server S.
The present invention can be installed as a module at the deployment point gateway (router). The module maintains a mapping table FDB that records, for every prefix in the domain whose traffic is forwarded through this deployment point, the interface through which its packets will enter the deployment point and the hop count they will have traversed (that is, direction and distance). Before a packet enters router forwarding, the module first assumes that the source address declared by the incoming packet is genuine, looks up in the FDB the ingress interface and hop count corresponding to the prefix of that source address, and then matches them against the interface through which the packet actually entered and the hop count it actually traversed (the hop count is inferred from the change in the packet's TTL value). If either does not match, the packet is considered to carry a forged source address and is discarded; otherwise the source address is considered genuine and the packet is handed to the router for forwarding.
The present invention is simple to implement, supports IPv4 and IPv6, reaches host granularity, modifies neither hosts nor protocol stacks, adds no new protocol, and accommodates all address assignment schemes. Compared with ingress filtering, it offers fine granularity and IPv6 support. Compared with IP Source Guard, it supports IPv6. Compared with other methods, its main advantages are that no host is modified and all address assignment schemes are accommodated. The invention can be implemented as an extended function of switches, routers and wireless access points (WAPs).
Although embodiments of the invention have been illustrated and described, those of ordinary skill in the art will appreciate that various changes, modifications, substitutions and variations may be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.

Claims (8)

1. A method for verifying intra-domain source addresses, applied on network nodes within a domain, characterized in that the method comprises the following steps:
a) selecting predetermined nodes among the network nodes in the domain as deployment points;
b) obtaining all source address prefixes whose traffic passes through each deployment point;
c) reading the link state database (LSDB) on the router corresponding to each deployment point and, in combination with the source address prefixes passing through each deployment point, computing the route forwarding paths from each such source address prefix, as the source, to the other prefixes;
d) extracting from the route forwarding paths each source address prefix, the ingress interface through which each source address prefix reaches each deployment point, and the hop count each source address prefix traverses to reach each deployment point; and
e) for a packet to be verified, obtaining the source address prefix declared by the packet, the ingress interface through which it reached the current deployment point and the hop count it actually traversed to reach the current deployment point, and matching these respectively against the extracted source address prefix, ingress interface to the current deployment point and hop count to the current deployment point.
2. the method for claim 1 is characterized in that, described step c comprises:
Be root with each of each deployment point by way of source address prefix respectively, use shortest path first SPF to calculate corresponding shortest path tree, to obtain described routing forwarding path.
3. the method for claim 1 is characterized in that, described step e comprises:
Utilize the source address prefix of message declaration to be verified to search corresponding extraction source address prefix;
According to the extraction source address prefix of searching, the incoming interface of the current deployment point of arrival of acquisition extraction source address prefix correspondence and the jumping figure that arrives current deployment point;
Mate the incoming interface that message to be verified arrives the current deployment point of arrival of the incoming interface of current deployment point and extraction source address prefix correspondence; And
When incoming interface mates, the jumping figure of the current deployment point of arrival of actual jumping figure that is forwarded to current deployment point process of message to be verified and extraction source address prefix correspondence is mated.
4. method as claimed in claim 3, it is characterized in that, when the difference between the jumping figure of the current deployment point of arrival of actual jumping figure that is forwarded to current deployment point process of message to be verified and extraction source address prefix correspondence exceeds predetermined threshold, abandon this message to be verified.
5. A device for verifying intra-domain source addresses, applied on network nodes within a domain, characterized in that the device comprises:
an acquisition module, which, on predetermined nodes selected among the network nodes in the domain as deployment points, obtains all source address prefixes whose traffic passes through each deployment point;
a computing module, which reads the link state database (LSDB) on the router corresponding to each deployment point and, in combination with the source address prefixes passing through each deployment point, computes the route forwarding paths from each such source address prefix, as the source, to the other prefixes;
an extraction module, which extracts from the route forwarding paths each source address prefix, the ingress interface through which each source address prefix reaches each deployment point, and the hop count each source address prefix traverses to reach each deployment point; and
a packet verification module, which, for a packet to be verified, obtains the source address prefix declared by the packet, the ingress interface through which it reached the current deployment point and the hop count it actually traversed to reach the current deployment point, and matches these respectively against the extracted source address prefix, ingress interface to the current deployment point and hop count to the current deployment point.
6. The device of claim 5, characterized in that the computing module takes each source address prefix passing through each deployment point in turn as the root and computes the corresponding shortest path tree with the shortest path first (SPF) algorithm to obtain the route forwarding paths.
7. The device of claim 5, characterized in that the packet verification module comprises:
a lookup unit, which looks up the corresponding extracted source address prefix using the source address prefix declared by the packet to be verified;
an extraction unit, which obtains, from the extracted source address prefix found, the corresponding ingress interface to the current deployment point and hop count to the current deployment point;
a first matching unit, which matches the ingress interface through which the packet to be verified reached the current deployment point against the ingress interface to the current deployment point corresponding to the extracted source address prefix; and
a second matching unit, which, when the ingress interfaces match, matches the hop count the packet to be verified actually traversed to reach the current deployment point against the hop count to the current deployment point corresponding to the extracted source address prefix.
8. The device of claim 7, characterized in that, when the difference between the hop count the packet to be verified actually traversed to reach the current deployment point and the hop count to the current deployment point corresponding to the extracted source address prefix exceeds a predetermined threshold, the second matching unit discards the packet to be verified.
CN2010102665482A 2010-08-27 2010-08-27 Method and device for verifying intra-domain source addresses Active CN101931628B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010102665482A CN101931628B (en) 2010-08-27 2010-08-27 Method and device for verifying intra-domain source addresses


Publications (2)

Publication Number Publication Date
CN101931628A true CN101931628A (en) 2010-12-29
CN101931628B CN101931628B (en) 2012-12-05

Family

ID=43370554

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010102665482A Active CN101931628B (en) 2010-08-27 2010-08-27 Method and device for verifying intra-domain source addresses

Country Status (1)

Country Link
CN (1) CN101931628B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105634660A (en) * 2014-07-16 2016-06-01 阿里巴巴集团控股有限公司 Data packet detection method and system
CN105847034A (en) * 2016-03-16 2016-08-10 清华大学 Source verification and path authentication method and device
CN106357660A (en) * 2016-09-29 2017-01-25 广州华多网络科技有限公司 Method and device for detecting IP (internet protocol) of spoofing source in DDOS (distributed denial of service) defense system
CN109756390A (en) * 2018-12-06 2019-05-14 网易(杭州)网络有限公司 Automatic test network accelerator connectivity method and apparatus
CN110493367A (en) * 2019-08-20 2019-11-22 清华大学 The non-public server of unaddressed IPv6, client computer and communication means
CN111478808A (en) * 2020-04-02 2020-07-31 清华大学 Method, system, electronic device and storage medium for assisting configuration update verification
CN111726368A (en) * 2020-07-02 2020-09-29 清华大学 SRv 6-based inter-domain source address verification method
CN112929279A (en) * 2021-03-09 2021-06-08 清华大学 Distributed generation method and device for source address verification table in internet domain
CN113612684A (en) * 2020-08-11 2021-11-05 北京航空航天大学 Inter-domain path identifier prefix matching method based on binary search
CN113630378A (en) * 2021-06-29 2021-11-09 清华大学 IPv6 network access source address verification deployment measurement method and device based on ICMP speed limit

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006020740A2 (en) * 2004-08-13 2006-02-23 Flarion Technologies, Inc. Methods and apparatus for vpn support in mobility management
CN101548566A (en) * 2007-02-16 2009-09-30 华为技术有限公司 Method and system for managing address prefix information associated with handover in networks



Also Published As

Publication number Publication date
CN101931628B (en) 2012-12-05


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant