CN101931628B - Method and device for verifying intra-domain source addresses - Google Patents

Method and device for verifying intra-domain source addresses

Info

Publication number: CN101931628B
Authority: CN (China)
Prior art keywords: source address, deployment point, address prefix, packet, hop count
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2010102665482A
Other languages: Chinese (zh)
Other versions: CN101931628A
Inventors: 毕军, 姚广, 王军涛, 胡萍
Current assignee: Tsinghua University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Tsinghua University
Classification: Data Exchanges In Wide-Area Networks
Abstract

The invention discloses a device and a method for verifying intra-domain source addresses. The device comprises an acquisition module, a computing module, an extraction module and a packet verification module. The acquisition module obtains all source address prefixes that pass through each deployment point, the deployment points being predetermined nodes selected from the network nodes inside the domain. The computing module reads the link state database on the router corresponding to each deployment point and, combined with the source address prefixes of that deployment point, calculates the routing forwarding paths from each prefix as source to the other prefixes. The extraction module extracts from the routing forwarding paths each source address prefix, the ingress interface through which it reaches each deployment point, and the hop count to that deployment point. The packet verification module obtains the source address prefix declared by a packet to be verified, the ingress interface through which it reached the current deployment point and the hop count it actually traversed, and matches each of these against the extracted source address prefix, ingress interface and hop count. The device and the method are simple to implement, support incremental deployment and give better source address verification.

Description

Method and device for verifying intra-domain source addresses
Technical field
The invention belongs to the field of Internet technology and relates in particular to techniques for verifying the authenticity of IP source addresses.
Background technology
Attacks using spoofed IP source addresses are rampant on the Internet; according to statistics from Internet monitoring organizations there are at least 4000 denial-of-service attacks using spoofed source addresses every week. Such attacks are easy to launch and hard to trace back, which is why attacks with spoofed source addresses have proliferated.
Many techniques have been proposed in the hope of controlling this type of attack. They fall into three classes:
Path filtering (Filtering): these techniques mainly use routing information to filter out some of the packets carrying spoofed source addresses. A typical example is ingress filtering, which checks whether the source address of a packet received at a gateway lies within the address space of the access subnet and thereby decides whether the packet is legitimate.
End-to-end authentication (End-to-End Approach): the source end adds a mark to the packet, and the destination examines this mark to judge the authenticity of the source address contained in the packet.
Traceback: traceback is a passive technique. It attempts to obtain the path a packet took through the Internet; when an attack occurs, the address of the attack source is obtained by analysing the packet's route.
Although many solutions have appeared, no method currently solves the source address spoofing problem ideally. The lack of support for incremental deployment and the lack of incentives for operators are the main reasons this problem persists.
Full deployment of ingress filtering is technically the simplest and most effective approach, but because there is no incentive mechanism, full deployment cannot be enforced. uRPF (Unicast Reverse Path Forwarding) is a more practical alternative, and existing work has supplemented and strengthened uRPF, but it has fatal shortcomings: it performs poorly under asymmetric routing and cannot detect source addresses forged within the same reverse path. There is wide demand for such verification inside a domain, and with the rapid growth of IPv6 (Internet Protocol version 6) networks, an intra-domain source address scheme that supports both IPv6 and IPv4 (Internet Protocol version 4) has become urgently needed.
Summary of the invention
The object of the invention is to solve at least one of the problems of the prior art described above.
To this end, embodiments of the invention propose a source address verification scheme that is simple to implement, supports incremental deployment and has better effect.
According to one aspect of the invention, an embodiment proposes a method for verifying intra-domain source addresses, applied on network nodes inside a domain, comprising the following steps:
A) selecting predetermined network nodes inside the domain as deployment points;
B) obtaining all source address prefixes that pass through each deployment point;
C) reading the link state database on the router corresponding to each deployment point and, in combination with the transit source address prefixes of each deployment point, calculating the routing forwarding paths from each transit source address prefix as source to the other prefixes;
D) extracting from the routing forwarding paths each source address prefix, the ingress interface through which each source address prefix reaches each deployment point, and the hop count each source address prefix traverses to reach each deployment point; and
E) for a packet to be verified, obtaining the source address prefix declared by the packet, the ingress interface through which it reaches the current deployment point and the actual hop count it traversed to be forwarded to the current deployment point, and matching these respectively against the extracted source address prefix, the ingress interface to the current deployment point and the hop count to the current deployment point.
According to a further embodiment of the invention, step C comprises:
taking each transit source address prefix of each deployment point in turn as root and computing the corresponding shortest path tree with the shortest path first (SPF) algorithm, to obtain the routing forwarding paths.
According to a further embodiment of the invention, step E comprises:
using the source address prefix declared by the packet to be verified to look up the corresponding extracted source address prefix;
according to the extracted source address prefix found, obtaining the ingress interface to the current deployment point and the hop count to the current deployment point that correspond to that prefix;
matching the ingress interface through which the packet to be verified reached the current deployment point against the ingress interface to the current deployment point corresponding to the extracted source address prefix; and
when the ingress interfaces match, matching the actual hop count the packet traversed to reach the current deployment point against the hop count to the current deployment point corresponding to the extracted source address prefix.
According to another aspect of the invention, embodiments propose a device for verifying intra-domain source addresses, applied on network nodes inside a domain, the device comprising: an acquisition module, which obtains all source address prefixes that pass through each deployment point, the deployment points being predetermined nodes selected from the network nodes inside the domain; a computing module, which reads the link state database on the router corresponding to each deployment point and, in combination with the transit source address prefixes of each deployment point, calculates the routing forwarding paths from each transit source address prefix as source to the other prefixes; an extraction module, which extracts from the routing forwarding paths each source address prefix, the ingress interface through which each source address prefix reaches each deployment point and the hop count each source address prefix traverses to reach each deployment point; and a packet verification module, which obtains the source address prefix declared by a packet to be verified, the ingress interface through which it reaches the current deployment point and the actual hop count it traversed to be forwarded to the current deployment point, and matches these respectively against the extracted source address prefix, the ingress interface to the current deployment point and the hop count to the current deployment point.
According to a further embodiment of the invention, the computing module takes each transit source address prefix of each deployment point in turn as root and computes the corresponding shortest path tree with the shortest path first (SPF) algorithm, to obtain the routing forwarding paths.
According to a further embodiment of the invention, the packet verification module comprises:
a lookup unit, which uses the source address prefix declared by the packet to be verified to look up the corresponding extracted source address prefix;
an extraction unit, which, according to the extracted source address prefix found, obtains the ingress interface to the current deployment point and the hop count to the current deployment point that correspond to that prefix;
a first matching unit, which matches the ingress interface through which the packet to be verified reached the current deployment point against the ingress interface to the current deployment point corresponding to the extracted source address prefix; and
a second matching unit, which, when the ingress interfaces match, matches the actual hop count the packet traversed to reach the current deployment point against the hop count to the current deployment point corresponding to the extracted source address prefix.
The invention does not depend on the underlying network equipment or on the source address allocation scheme; it is an intra-domain source address verification scheme with prefix-level granularity, can be deployed in networks within an OSPF domain, and supports IPv6 and IPv4.
The method uses no other additional technology; in essence it analyses two behavioural indicators of the intra-domain network, packet forwarding direction and hop count, to verify whether a packet's source address is genuine. The method supports incremental deployment in the network and is embedded in routers as an extension component. The invention is simple to implement and gives better source address verification.
Additional aspects and advantages of the invention are given in part in the following description, will in part become apparent from it, or will be learned through practice of the invention.
Description of drawings
The above and/or additional aspects and advantages of the invention will become apparent and easily understood from the following description of embodiments in conjunction with the accompanying drawings, in which:
Fig. 1 is the flow chart of the method for verifying intra-domain source addresses according to an embodiment of the invention;
Fig. 2 is the working principle diagram of the device for verifying intra-domain source addresses according to an embodiment of the invention;
Fig. 3 is a schematic diagram of a deployment example of the invention.
Embodiment
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, where identical or similar reference numerals throughout denote identical or similar elements or elements with identical or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting it.
The invention is deployed on network nodes inside a domain, such as routers or layer-3 switches. It is a source address verification scheme with prefix-level granularity that is applicable to both IPv6 and IPv4, modifies neither hosts nor existing protocols, adds no new protocol, supports incremental deployment, and is more effective than uRPF.
Referring now to Fig. 1, the flow chart of the method for verifying intra-domain source addresses according to an embodiment of the invention.
As shown in the figure, the method comprises the following steps:
The method supports incremental deployment. First the deployment points are chosen: predetermined network nodes inside the domain are selected as deployment points (step 102).
Some key central nodes may be chosen, such as nodes with a larger number of links, nodes with high packet traffic, or nodes that are easy to upgrade and convenient to deploy; this depends mainly on the experience of the network administrator.
Before deployment, the following preprocessing is carried out: all source address prefixes that pass through each deployment point are obtained (step 104). Each deployment point must know this information, and within the same time period each deployment point holds identical node prefix information.
Specifically, two methods can be used: (1) collect and record the subnet prefixes that pass through a deployment point. Over a long period (one day or several days, set by the operator; the longer the better), collect all prefixes that pass through the deployment point (including prefix addresses that may be forged) and record them in a prefix set, ending the collection when the number and content of entries in this table are stable. (2) Alternatively, obtain the prefix information directly from the domain's network administration (if available). If all prefix information in the domain can be obtained from the upper-layer network administration, the statistics collection step above can be skipped, but the subsequent calculation takes much more time, because every prefix is then assumed to pass through every deployment point. Although the calculation takes longer, it is very accurate and cannot introduce non-existent prefixes.
Step 104 is a preprocessing process carried out before deployment and takes some time.
After preprocessing is complete, the link state database (LSDB) generated by the OSPF protocol on the router corresponding to each deployment point is read; when all routes in the domain have converged, this LSDB is identical for every node in the domain.
Combined with the transit source address prefixes of each deployment point obtained in step 104, the routing forwarding paths from each transit source address prefix as source to the other prefixes are calculated (step 106).
Because the LSDB obtained is identical and each deployment node records its own transit source address prefixes, each deployment point can calculate its routing forwarding paths independently, without coordination or data exchange between the deployment points.
The calculation is explained below for one deployment point. From the prefix set that the deployment point learned in step 104, take the transit prefixes one by one; with each transit prefix as root, use the shortest path first (SPF) algorithm to compute the corresponding shortest path tree, which thereby also yields the routing forwarding paths from that transit prefix as source to the other prefixes. Then, from the computed shortest path tree, find all routing forwarding paths that have the current deployment node as an intermediate node.
If the transit prefix set was collected by method (1), then every shortest path tree computed in this step certainly contains routing forwarding paths with the current deployment node as an intermediate transit node. If the recorded set is all prefixes in the domain obtained from the network administration by method (2), then there will certainly be some prefixes whose shortest path trees contain no routing forwarding path with the current deployment node as an intermediate transit node; this is redundant computation, and such prefix records are deleted from the prefix record set, since the prefix is not a transit prefix. Although this brings redundant computation, it avoids the situation in which a transit prefix set obtained by collection already contains forged source prefixes, and so increases the accuracy of the method.
Then, from these routing forwarding paths, each source address prefix, the ingress interface through which it reaches the current deployment point and the hop count it traverses to reach the current deployment point are extracted (step 108) and recorded as a three-dimensional vector (prefix, ingress interface, hop count), until all such vectors have been computed. These vectors are recorded in a data table that stores the mapping relations; the set of such three-dimensional vectors can be called the filter database (FDB, Filter DataBase).
The mapping table represented by the FDB establishes the mapping between a source address prefix, the ingress interface through which that prefix reaches the deployment node and the hop count on arrival, and the authenticity of a packet's source address is verified according to these mappings.
Considering that forged address prefixes may have been recorded in step 104: in the actual calculation the real filter mapping for such a prefix can be computed accurately, while for a non-existent address prefix no corresponding shortest path tree can be computed.
For a packet to be verified, the source address prefix declared by the packet, the ingress interface through which it reaches the current deployment point and the actual hop count it traversed to be forwarded to the current deployment point are obtained and matched respectively against the extracted source address prefix, the ingress interface to the current deployment point and the hop count to the current deployment point (step 110).
Specifically, for a packet to be verified, the address prefix declared by the packet is extracted (obtained from the source IP and address mask); the ingress interface of the packet is examined; and the number of hops the packet traversed to be forwarded to this deployment point is inferred from the change in the packet's TTL (Time To Live) value (under normal conditions the initial TTL value of the various operating systems is assumed to be a known constant). In addition, the invention assumes by default that under normal conditions users do not modify a packet's TTL value, and any behaviour that modifies the TTL value is regarded as an attempt to tamper with the source address.
The source address prefix declared by the packet is then used as the key to search the FDB and find the corresponding entry. First the packet's ingress interface is matched against the ingress interface recorded in the entry; if they do not match, the packet is discarded directly.
If the packet's ingress interface matches, it is then checked whether the hop count the packet traversed matches the record in the entry: if they match, the packet is let through; if they differ greatly, it is discarded directly. That is, when the difference between the actual hop count the packet traversed to reach the current deployment point and the hop count to the current deployment point corresponding to the extracted source address prefix exceeds a predetermined threshold, the packet can be treated approximately as one to discard. If the difference is small, the packet can be let through. The predetermined threshold can be set according to experiments on a real network.
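The following is an added worked model of steps 106 to 110 at a single deployment point; it is example code written for this page, not code from the patent or from Tsinghua University. The topology is constructed after Fig. 3 (host C's router RC, deployment points A and B, intermediate router X, router N, server S, plus a stub router RD); the prefixes, interface names, initial TTL of 64 and hop threshold of 1 are all assumptions, and the SPF computation is a unit-cost Dijkstra over the constructed link list rather than a real OSPF LSDB.

```python
import heapq
import ipaddress
from collections import defaultdict

# Constructed topology modelled on Fig. 3: RC reaches deployment point A via
# A's if_1 (one hop); two hops later the packet enters deployment point B via
# B's if_2, then passes N to server S.  RD is an extra stub router behind B.
# Tuples are (router1, interface on router1, router2, interface on router2).
LINKS = [
    ("RC", "if_0", "A", "if_1"),
    ("A", "if_2", "X", "if_1"),
    ("X", "if_2", "B", "if_2"),
    ("B", "if_1", "N", "if_1"),
    ("N", "if_2", "S", "if_1"),
    ("RD", "if_0", "B", "if_3"),
]

# Constructed prefix set as obtained by method (2): every prefix in the domain
# with the router that originates it.
PREFIXES = {
    "10.1.0.0/16": "RC",   # host C's prefix
    "10.2.0.0/16": "RD",
    "10.9.0.0/16": "S",    # server S
}

INITIAL_TTL = 64    # assumption: hosts send with a known, fixed initial TTL
HOP_THRESHOLD = 1   # assumption: tolerated |actual - expected| hop difference


def build_adjacency(links):
    """adj[u] lists (v, ingress interface on v) for every link u-v."""
    adj = defaultdict(list)
    for r1, if1, r2, if2 in links:
        adj[r1].append((r2, if2))   # going u -> v enters v on if2
        adj[r2].append((r1, if1))
    return adj


def spf(adj, root):
    """Unit-cost Dijkstra rooted at a prefix's originating router (the SPF tree
    of step 106).  Returns (hop count per node, parent per node) where
    parent[v] = (parent router, interface on v facing that parent)."""
    hops, parent, heap = {root: 0}, {}, [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > hops[u]:
            continue
        for v, ingress_if in adj[u]:
            if v not in hops or d + 1 < hops[v]:
                hops[v] = d + 1
                parent[v] = (u, ingress_if)
                heapq.heappush(heap, (d + 1, v))
    return hops, parent


def build_fdb(deploy, links=LINKS, prefixes=PREFIXES):
    """Steps 106/108: one SPF tree per prefix; keep the prefix only if the
    deployment point is an intermediate node on some forwarding path (the
    pruning rule for method-(2) sets) and record (prefix, ingress, hops)."""
    adj = build_adjacency(links)
    fdb = {}
    for prefix, origin in prefixes.items():
        if origin == deploy:
            continue                       # locally originated, never transits
        hops, parent = spf(adj, origin)
        if deploy not in hops:
            continue                       # unreachable from this origin
        if not any(p == deploy for p, _ in parent.values()):
            continue                       # deploy is a leaf: not a transit prefix
        _, ingress_if = parent[deploy]
        fdb[ipaddress.ip_network(prefix)] = (ingress_if, hops[deploy])
    return fdb


def lookup_prefix(fdb, src_ip):
    """Longest-prefix match of the declared source address against the FDB."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net in fdb:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def verify(fdb, src_ip, ingress_if, ttl):
    """Step 110 at one deployment point: 'accept', 'drop', or 'unknown' (no
    FDB entry; the patent hands such packets to the filter log / NDT
    mechanism, which this example does not model)."""
    net = lookup_prefix(fdb, src_ip)
    if net is None:
        return "unknown"
    expected_if, expected_hops = fdb[net]
    if ingress_if != expected_if:
        return "drop"                      # forwarding-direction mismatch
    actual_hops = INITIAL_TTL - ttl        # hop count inferred from TTL change
    if abs(actual_hops - expected_hops) > HOP_THRESHOLD:
        return "drop"                      # distance mismatch beyond threshold
    return "accept"


if __name__ == "__main__":
    fdb_a = build_fdb("A")
    for net, (iface, h) in sorted(fdb_a.items(), key=lambda kv: str(kv[0])):
        print(f"A: {net} -> ingress {iface}, {h} hops")
    print(verify(fdb_a, "10.1.5.5", "if_1", 63))   # genuine packet from C
    print(verify(fdb_a, "10.1.5.5", "if_2", 61))   # C's prefix arriving from X
```

At deployment point A the FDB maps 10.1.0.0/16 to (if_1, 1 hop), while a packet claiming that prefix but entering on if_2 fails the direction check before the hop count is consulted.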
In one embodiment a "filter log table" can be used. This log table records the past filtering of prefixes for use in future filtering decisions; it is a further confirmation mechanism for deciding whether packets that cannot be confirmed are kept or dropped, and uses historical statistics to make more reasonable decisions about prefix packets received in the future.
With reference to the information in the log records, a statistical decision method is formulated. If the difference is small, the actual information of this prefix's packet is first recorded (the set of this information is called the pending set) and the packet is let through; if next time a large number of packets with the same prefix and the same hop count appear, packets of this prefix are rate-limited; if the hop count of packets appearing next time differs from the record in the pending set, that pending-set entry is updated and processing continues according to the preceding steps.
Packets that have passed through rate limiting or have been let through directly are handed to the routing system, which ends the whole packet verification process at this router.
In one embodiment the filter log can be checked periodically, at a set interval such as every 24 hours. The filter log is used to determine the effect and validity of filtering decisions and provides supporting data for the statistical decision of step 110.
The specific practice is as follows: the log records the discarded prefixes and their counts; it can be recorded once per day, but all logs must be preserved to provide a data set for later statistical decisions. Each day, the decision conclusions computed for the different prefixes are stored in a table called the next-time decide table (NDT, Next-Time Decide Table): some prefixes should continue to be discarded next time, some should be rate-limited next time, and some should be let through directly next time; for the same discarded prefix the record in the NDT may differ from day to day. For clarity this may also be called the future decide table (FDT, Future Decide Table).
During verification in step 110, for a packet for which it cannot be decided whether to discard it, the NDT is first searched to decide how to handle the current packet; if the packet is not recorded there, the remaining steps of step 110 are applied.
In practice the LSDB changes constantly, which means that the mapping records in the FDB must be updated continually. Whenever the network state changes, the LSDB changes.
The method can detect changes in the LSDB. Once a change in the LSDB is detected, each deployment point returns to step 106 and recomputes the FDB immediately.
While the FDB is being recomputed, incoming packets are not checked until the new FDB has been calculated; otherwise both false negatives and false positives could increase greatly.
The invention also provides a device for verifying intra-domain source addresses, applied on network nodes inside a domain; its working principle is described below with reference to Fig. 2.
The device can be embedded in the routing system module and operates before the core module of the routing system, verifying all source addresses at prefix granularity at the deployment point.
The device comprises an acquisition module (not shown), a computing module 12, an extraction module 14 and a packet verification module 16.
The acquisition module obtains all source address prefixes that pass through each deployment point, the deployment points being predetermined nodes selected from the network nodes inside the domain.
The computing module 12 reads the link state database (LSDB) on the router corresponding to each deployment point and, in combination with the transit source address prefix set of each deployment point, calculates the routing forwarding paths from each transit source address prefix (Prefix) as source to the other prefixes.
The computing module 12 can take each transit source address prefix (Prefix) of each deployment point in turn as root and compute the corresponding shortest path tree with the shortest path first (SPF) algorithm, to obtain the routing forwarding paths.
The extraction module 14 extracts the filter table entry corresponding to each source address prefix from the routing forwarding paths above, obtaining each source address prefix, the ingress interface through which each source address prefix reaches each deployment point and the hop count each source address prefix traverses to reach each deployment point.
These are then compiled into the form of a three-dimensional vector (prefix, ingress interface, hop count), and the vectors are recorded in the FDB data table, which stores the set of three-dimensional vectors holding these mapping relations.
The FDB data table supports high-speed storage and query. The device can comprise a dedicated storage module for holding the FDB data. In practice this module also supports high-speed access to and query of the FDB, and indexes the FDB entries with the highest frequency of occurrence in order to raise the processing efficiency of the method, so that this step does not significantly affect the processing efficiency of the scheme.
For a packet to be verified, the packet verification module 16 obtains the source address prefix declared by the packet, the ingress interface through which it reaches the current deployment point and the actual hop count it traversed to be forwarded to the current deployment point, and matches these respectively against the extracted source address prefix, the ingress interface to the current deployment point and the hop count to the current deployment point.
In particular, the packet verification module comprises a lookup unit (not shown), an extraction unit (not shown), a first matching unit (not shown) and a second matching unit (not shown).
The lookup unit uses the source address prefix declared by the packet to be verified to query the FDB and find the corresponding extracted source address prefix; the extraction unit, according to the extracted source address prefix found, obtains the ingress interface to the current deployment point and the hop count to the current deployment point that correspond to that prefix.
The first matching unit and the second matching unit verify the packet and decide whether it is kept or dropped. The first matching unit matches the ingress interface through which the packet to be verified reached the current deployment point against the ingress interface to the current deployment point corresponding to the extracted source address prefix; when the ingress interfaces match, the second matching unit matches the actual hop count the packet traversed to reach the current deployment point against the hop count to the current deployment point corresponding to the extracted source address prefix.
When the second matching unit finds that the difference between the actual hop count the packet traversed to reach the current deployment point and the hop count to the current deployment point corresponding to the extracted source address prefix exceeds a predetermined threshold, the packet to be verified is discarded.
In one embodiment, the first matching unit and the second matching unit can verify and decide in combination with the filter log. The log table records the past filtering of prefixes for use in future filtering decisions; it is a further confirmation mechanism for deciding whether packets that cannot be confirmed are kept or dropped, and uses historical statistics to make more reasonable decisions about prefix packets received in the future.
With reference to the information in the log records, a statistical decision method is formulated. If the difference is small, the actual information of this prefix's packet is first recorded (the set of this information is called the pending set) and the packet is let through; if next time a large number of packets with the same prefix and the same hop count appear, packets of this prefix are rate-limited; if the hop count of packets appearing next time differs from the record in the pending set, that pending-set entry is updated and processing continues according to the preceding steps.
Packets that have passed through rate limiting or have been let through directly are handed to the routing system module, which ends the whole packet verification process at this router.
The present invention need safeguard two data thesauruss, is respectively FDB and filtration log sheet, and wherein FDB is the mapping relations of prefix, incoming interface and jumping figure, is the key data foundation of authentication of message.Another is the situation situation of filtration prefix in the filtration decision-making in future in the past of record in " filtration log sheet "; This table record is to do further affirmation mechanism for the message going or staying that can't confirm; Used the historical statistics method, come more reasonably decision-making is done in the going or staying of the prefix message that receive future.
The data structure of the mapping among prefix, IngressIf and HopCount is as follows:
PreFix (prefix address) | IngressIf (ingress interface) | HopCount (hop count traversed during forwarding)
The data structure of the filtering decision for a filtered prefix is as follows:
PreFix (filtered prefix address) | Discard/Decelerate (discard / rate-limit and forward)
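The pending-set logic described above (record the first ambiguous packet and forward it, rate-limit the prefix when a burst of packets with the identical hop count follows, replace the entry when the hop count changes) is shown below as an added Python example. It is not the patent's code: the tolerance that counts as "roughly the same", the burst size that counts as "a large number", the per-window rate limit and the prefix value are constructed assumptions, and the expected hop count is passed in as if it had been read from the FDB.

```python
"""Filtering log with a pending set for packets whose hop count only roughly
matches the FDB (constructed example, not the patent's implementation)."""
from dataclasses import dataclass, field


@dataclass
class PendingEntry:
    hops: int       # hop count last observed for this prefix
    count: int = 1  # consecutive packets that showed that same hop count


@dataclass
class FilterLog:
    # All four parameters are assumptions chosen for the example.
    threshold: int = 2      # |actual - expected| above this is a clear mismatch -> drop
    burst: int = 3          # this many identical-hop ambiguous packets -> rate-limit the prefix
    rate_limit: int = 2     # packets allowed per window once a prefix is decelerated
    window: float = 1.0     # seconds
    pending: dict = field(default_factory=dict)    # prefix -> PendingEntry (the pending set)
    decisions: dict = field(default_factory=dict)  # prefix -> "Discard" | "Decelerate" (filtering log)
    buckets: dict = field(default_factory=dict)    # prefix -> (window_start, packets_used)

    def decide(self, prefix, actual_hops, expected_hops, now=0.0):
        """Return 'forward' or 'drop' for one packet declaring `prefix`."""
        diff = abs(actual_hops - expected_hops)
        if diff > self.threshold:
            self.decisions[prefix] = "Discard"      # log the filtered prefix
            return "drop"
        if self.decisions.get(prefix) == "Decelerate":
            return self._rate_limited(prefix, now)  # prefix already under rate limit
        if diff == 0:
            return "forward"                        # FDB confirms the packet outright
        # Ambiguous: hop count only roughly matches, so consult the pending set.
        entry = self.pending.get(prefix)
        if entry is None or entry.hops != actual_hops:
            self.pending[prefix] = PendingEntry(actual_hops)  # new or updated record
            return "forward"
        entry.count += 1
        if entry.count >= self.burst:
            self.decisions[prefix] = "Decelerate"   # many identical-hop packets: slow down
            return self._rate_limited(prefix, now)
        return "forward"

    def _rate_limited(self, prefix, now):
        """Simple fixed-window limiter standing in for the router's rate limiter."""
        start, used = self.buckets.get(prefix, (now, 0))
        if now - start >= self.window:
            start, used = now, 0
        if used >= self.rate_limit:
            self.buckets[prefix] = (start, used)
            return "drop"
        self.buckets[prefix] = (start, used + 1)
        return "forward"


if __name__ == "__main__":
    log = FilterLog()
    # Constructed sequence: expected hop count 3, a stream of packets arriving with 5.
    for hops, t in [(3, 0.0), (9, 0.1), (5, 0.2), (5, 0.3), (5, 0.4), (3, 0.5), (3, 0.6)]:
        print(hops, log.decide("10.1.0.0/24", hops, 3, now=t))
```

Note that a "Discard" entry in the log records history only; a later packet of the same prefix whose hop count matches exactly is still forwarded, whereas a "Decelerate" entry applies to every packet of the prefix until the window resets.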
Fig. 3 is a schematic diagram of a deployment example of the present invention. Host C is a host under the prefix Prefix of a router; suppose that, according to the routing table, packets sent by host C to server S are forwarded along the dotted-line path shown.
As can be seen from the figure, a packet enters node A through interface if_1 after one hop, and at deployment point A packet verification is performed once; if it fails verification it is dropped at point A. Otherwise the packet continues, enters node B through interface if_2 after two more hops, and at deployment point B packet verification is performed again; if it fails verification it is dropped at point B. Otherwise the packet continues one more hop to node N and finally reaches server S.
The present invention can install a module in the deployment-point gateway (router). The module maintains a mapping table FDB which, for every prefix in the domain whose forwarded packets pass through this deployment point, holds the interface through which such packets enter this deployment point and the hop count they traverse (that is, direction and distance). Before a packet enters router forwarding, the source address declared by the packet is first assumed to be true; the module then looks up in the FDB the ingress interface and hop count corresponding to the prefix of that source address and matches them against the interface through which the packet actually entered and the hop count it actually traversed (the hop count is inferred from the change in the packet's TTL value). If either one does not match, the packet is considered to carry a forged source address and is dropped; otherwise the source address is considered true and the packet is handed to the router for forwarding.
The present invention is simple to implement, supports both IPv4 and IPv6, can reach host granularity, does not modify hosts or protocol stacks, adds no new protocol, and accommodates all address assignment schemes. Compared with ingress filtering, it offers fine granularity and IPv6 support. Compared with IP Source Guard, it can support IPv6. Compared with other methods, the main advantages of the present invention are that it does not modify hosts and can accommodate all address assignment schemes. The present invention can be implemented as an extended function of switches, routers and wireless access points (WAP).
Although embodiments of the present invention have been illustrated and described, those of ordinary skill in the art will appreciate that a variety of changes, modifications, substitutions and variations can be made to these embodiments without departing from the principle and spirit of the present invention, the scope of which is defined by the appended claims and their equivalents.

Claims (8)

1. A method for verifying intra-domain source addresses, applied on network nodes in a domain, characterized in that the method comprises the following steps:
a) selecting predetermined nodes among the network nodes in the domain as deployment points;
b) obtaining, for each deployment point, all source address prefixes whose traffic passes through that deployment point;
c) reading the link state database on the router corresponding to each deployment point and, in combination with the source address prefixes passing through each deployment point, calculating the route forwarding path from each such source address prefix, taken as the source, to the other prefixes;
d) extracting from said route forwarding paths each source address prefix, the ingress interface through which each source address prefix reaches each deployment point, and the hop count each source address prefix traverses to reach each deployment point; and
e) for a packet to be verified, obtaining the source address prefix declared by the packet, the ingress interface through which it reaches the current deployment point and the hop count it actually traverses in being forwarded to the current deployment point, and matching these respectively against the extracted source address prefix, the extracted ingress interface to the current deployment point and the extracted hop count to the current deployment point for verification.
2. The method of claim 1, characterized in that said step c) comprises:
taking each source address prefix passing through each deployment point as the root, respectively, and computing the corresponding shortest path tree with the shortest path first (SPF) algorithm, to obtain said route forwarding paths.
3. The method of claim 1, characterized in that said step e) comprises:
using the source address prefix declared by the packet to be verified to look up the corresponding extracted source address prefix;
according to the extracted source address prefix found, obtaining the ingress interface through which that extracted source address prefix reaches the current deployment point and its hop count to the current deployment point;
matching the ingress interface through which the packet to be verified reaches the current deployment point against the ingress interface through which the extracted source address prefix reaches the current deployment point; and
when the ingress interfaces match, matching the hop count the packet to be verified actually traverses in being forwarded to the current deployment point against the hop count by which the extracted source address prefix reaches the current deployment point.
4. The method of claim 3, characterized in that, when the difference between the hop count the packet to be verified actually traverses in being forwarded to the current deployment point and the hop count by which the extracted source address prefix reaches the current deployment point exceeds a predetermined threshold, the packet to be verified is discarded.
5. A device for verifying intra-domain source addresses, applied on network nodes in a domain, characterized in that said device comprises:
an acquisition module, which selects predetermined nodes among the network nodes in the domain as deployment points and obtains, for each deployment point, all source address prefixes whose traffic passes through that deployment point;
a calculation module, which reads the link state database on the router corresponding to each deployment point and, in combination with the source address prefixes passing through each deployment point, calculates the route forwarding path from each such source address prefix, taken as the source, to the other prefixes;
an extraction module, which extracts from said route forwarding paths each source address prefix, the ingress interface through which each source address prefix reaches each deployment point, and the hop count each source address prefix traverses to reach each deployment point; and
a packet verification module, which, for a packet to be verified, obtains the source address prefix declared by the packet, the ingress interface through which it reaches the current deployment point and the hop count it actually traverses in being forwarded to the current deployment point, and matches these respectively against the extracted source address prefix, the extracted ingress interface to the current deployment point and the extracted hop count to the current deployment point for verification.
6. The device of claim 5, characterized in that said calculation module takes each source address prefix passing through each deployment point as the root, respectively, and computes the corresponding shortest path tree with the shortest path first (SPF) algorithm, to obtain said route forwarding paths.
7. The device of claim 5, characterized in that said packet verification module comprises:
a lookup unit, which uses the source address prefix declared by the packet to be verified to look up the corresponding extracted source address prefix;
an extraction unit, which, according to the extracted source address prefix found, obtains the ingress interface through which that extracted source address prefix reaches the current deployment point and its hop count to the current deployment point;
a first matching unit, which matches the ingress interface through which the packet to be verified reaches the current deployment point against the ingress interface through which the extracted source address prefix reaches the current deployment point; and
a second matching unit, which, when the ingress interfaces match, matches the hop count the packet to be verified actually traverses in being forwarded to the current deployment point against the hop count by which the extracted source address prefix reaches the current deployment point.
8. The device of claim 7, characterized in that, when the difference between the hop count the packet to be verified actually traverses in being forwarded to the current deployment point and the hop count by which the extracted source address prefix reaches the current deployment point exceeds a predetermined threshold, said second matching unit discards the packet to be verified.
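As an added illustration of steps a) to e) of claim 1 and of the FDB module described in the specification above, the following Python builds a per-deployment-point FDB from a small link state database and then verifies packets against ingress interface and TTL-inferred hop count, applying the threshold of claim 4. It is constructed example code, not the patent's implementation: the topology (shaped like Fig. 3, with host C's router one hop from A, B two hops further and N one hop beyond B), the prefixes, the interface names, the assumed initial TTL of 64 and the threshold value are all assumptions.

```python
"""Intra-domain source address verification: FDB from a link state database
via SPF, then ingress-interface and hop-count matching (constructed example)."""
import heapq
import ipaddress
from collections import defaultdict

# Constructed link state database: (node, iface, neighbour, neighbour_iface, cost).
LSDB = [
    ("RC", "if_0", "A", "if_1", 1),   # host C's router -> A, arriving on A's if_1
    ("A", "if_3", "X", "if_0", 1),
    ("X", "if_1", "B", "if_2", 1),    # ... -> B, arriving on B's if_2 after two more hops
    ("B", "if_4", "N", "if_0", 1),
    ("A", "if_5", "B", "if_6", 5),    # dearer direct link; SPF must not choose it
]
# Constructed prefix -> attached router mapping (one IPv6 prefix to show dual-stack use).
PREFIXES = {
    "10.1.0.0/24": "RC",
    "2001:db8:1::/64": "RC",
    "10.9.0.0/24": "N",               # server S's prefix
}
DEPLOYMENT_POINTS = {"A", "B"}       # step a): assumed choice of deployment points
INITIAL_TTL = 64                     # assumption: hosts in the domain send with this TTL
HOP_THRESHOLD = 0                    # claim 4 threshold; assumed value


def adjacency(lsdb):
    """Undirected adjacency: node -> [(neighbour, neighbour's ingress iface, cost)]."""
    adj = defaultdict(list)
    for u, u_if, v, v_if, cost in lsdb:
        adj[u].append((v, v_if, cost))
        adj[v].append((u, u_if, cost))
    return adj


def spf(adj, root):
    """Dijkstra from root. Returns {node: (hop_count, ingress_if)}, where ingress_if is
    the interface on `node` through which the shortest path from root arrives."""
    best = {root: 0}
    tree = {}
    heap = [(0, 0, root, None)]       # equal cost ties resolve to the fewer-hop path
    while heap:
        cost, hops, node, ingress = heapq.heappop(heap)
        if node in tree:
            continue                  # already finalised with a cheaper path
        tree[node] = (hops, ingress)
        for nbr, nbr_if, link_cost in adj[node]:
            new_cost = cost + link_cost
            if new_cost < best.get(nbr, float("inf")):
                best[nbr] = new_cost
                heapq.heappush(heap, (new_cost, hops + 1, nbr, nbr_if))
    return tree


def build_fdb(lsdb, prefixes, deployment_points):
    """Steps c) and d): one SPF per prefix, then extract (ingress_if, hops) at every
    deployment point. Returns {deployment_point: {prefix: (ingress_if, hops)}}."""
    adj = adjacency(lsdb)
    fdb = {dp: {} for dp in deployment_points}
    for prefix, router in prefixes.items():
        tree = spf(adj, router)
        for dp in deployment_points:
            if dp in tree and dp != router:   # a prefix local to the DP is not modelled here
                hops, ingress = tree[dp]
                fdb[dp][prefix] = (ingress, hops)
    return fdb


def lookup_prefix(entries, src_ip):
    """Longest-prefix match of the declared source address against the FDB keys."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix in entries:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None


def verify(fdb, dp, src_ip, ingress_if, ttl, threshold=HOP_THRESHOLD):
    """Step e) at deployment point dp: returns 'forward' or 'drop'."""
    entries = fdb[dp]
    prefix = lookup_prefix(entries, src_ip)
    if prefix is None:
        return "drop"                          # declared prefix is unknown to this DP
    expected_if, expected_hops = entries[prefix]
    if ingress_if != expected_if:
        return "drop"                          # first matching unit: interface mismatch
    actual_hops = INITIAL_TTL - ttl            # hop count inferred from the TTL change
    if abs(actual_hops - expected_hops) > threshold:
        return "drop"                          # second matching unit: hop-count mismatch
    return "forward"


if __name__ == "__main__":
    fdb = build_fdb(LSDB, PREFIXES, DEPLOYMENT_POINTS)
    print(fdb)
    print(verify(fdb, "B", "10.1.0.7", "if_2", 61))   # genuine packet from host C's prefix
    print(verify(fdb, "B", "10.9.0.5", "if_2", 61))   # claims S's prefix but arrives via if_2
```

The example includes every reachable prefix in each deployment point's FDB, whereas step b) restricts the table to prefixes whose traffic actually transits the deployment point. The TTL-based hop count depends on the assumed initial TTL; a host with a different initial TTL produces a constant hop-count offset, which is the kind of near-miss the threshold of claim 4 and the filtering log are there to absorb.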
CN2010102665482A 2010-08-27 2010-08-27 Method and device for verifying intra-domain source addresses Active CN101931628B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010102665482A CN101931628B (en) 2010-08-27 2010-08-27 Method and device for verifying intra-domain source addresses

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010102665482A CN101931628B (en) 2010-08-27 2010-08-27 Method and device for verifying intra-domain source addresses

Publications (2)

Publication Number Publication Date
CN101931628A CN101931628A (en) 2010-12-29
CN101931628B true CN101931628B (en) 2012-12-05

Family

ID=43370554

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010102665482A Active CN101931628B (en) 2010-08-27 2010-08-27 Method and device for verifying intra-domain source addresses

Country Status (1)

Country Link
CN (1) CN101931628B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105634660B (en) * 2014-07-16 2019-04-09 阿里巴巴集团控股有限公司 Data packet detection method and system
CN105847034B (en) * 2016-03-16 2019-02-05 清华大学 Source verifying and path authentication method and device
CN106357660B (en) * 2016-09-29 2023-04-18 广州华多网络科技有限公司 Method and device for detecting forged source IP in DDOS defense system
CN109756390B (en) * 2018-12-06 2020-12-01 网易(杭州)网络有限公司 Method and device for automatically testing connectivity of network accelerator
CN110493367B (en) * 2019-08-20 2020-07-28 清华大学 Address-free IPv6 non-public server, client and communication method
CN111478808B (en) * 2020-04-02 2021-05-25 清华大学 Method, system, electronic device and storage medium for assisting configuration update verification
CN111726368B (en) * 2020-07-02 2021-05-11 清华大学 SRv 6-based inter-domain source address verification method
CN113612684B (en) * 2020-08-11 2022-09-20 北京航空航天大学 Inter-domain path identifier prefix matching method based on binary search
CN112929279B (en) * 2021-03-09 2021-11-30 清华大学 Distributed generation method and device for source address verification table in internet domain
CN113630378B (en) * 2021-06-29 2022-08-19 清华大学 IPv6 network access source address verification deployment measurement method and device based on ICMP speed limit

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101548566A (en) * 2007-02-16 2009-09-30 华为技术有限公司 Method and system for managing address prefix information associated with handover in networks

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8189530B2 (en) * 2004-08-13 2012-05-29 Qualcomm Incorporated Methods and apparatus for VPN support in mobility management

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101548566A (en) * 2007-02-16 2009-09-30 华为技术有限公司 Method and system for managing address prefix information associated with handover in networks

Also Published As

Publication number Publication date
CN101931628A (en) 2010-12-29

Similar Documents

Publication Publication Date Title
CN101931628B (en) Method and device for verifying intra-domain source addresses
Oliveira et al. In search of the elusive ground truth: the Internet's AS-level connectivity structure
CN101917434B (en) Method for verifying intra-domain Internet protocol (IP) source address
Oliveira et al. The (in) completeness of the observed Internet AS-level structure
CN105493450B (en) The method and system of service exception in dynamic detection network
Chen et al. Where the sidewalk ends: Extending the Internet AS graph using traceroutes from P2P users
Augustin et al. IXPs: mapped?
JP4341413B2 (en) PACKET TRANSFER APPARATUS HAVING STATISTICS COLLECTION APPARATUS AND STATISTICS COLLECTION METHOD
Gregori et al. On the incompleteness of the AS-level graph: a novel methodology for BGP route collector placement
EP2081321A2 (en) Sampling apparatus distinguishing a failure in a network even by using a single sampling and a method therefor
CN102801738B (en) Distributed DoS (Denial of Service) detection method and system on basis of summary matrices
CN101662393B (en) Inter-domain prefix hijack detection and location method
CN105745870A (en) Removing lead filter from serial multiple-stage filter used to detect large flows in order to purge flows for prolonged operation
CN101473605B (en) Method for determining anticipation peer-to-peer collaborator of Internet service supplier
CN108009807A (en) A kind of bit coin transaction identity method
CN104168154A (en) Network-situation-awareness-oriented multi-level network system and building method thereof
JP5283192B2 (en) Method, node device, and program for detecting faulty link in real time based on routing protocol
JP4860745B2 (en) BGP traffic fluctuation monitoring apparatus, method, and system
CN101547125A (en) System and method for abnormal network positioning of autonomous system
Pansiot et al. Extracting intra-domain topology from mrinfo probing
JP4455285B2 (en) Route analyzer
Xiang et al. Internet flattening: Monitoring and analysis of inter-domain routing
JP4846663B2 (en) IP packet tracking device
CN105591836B (en) Data-flow detection method and apparatus
JP2008258996A (en) Statistical information collection device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant