CN102201951B - Source address repeatability detection method and equipment - Google Patents

Publication number: CN102201951B
Application number: CN201110160169.XA
Authority: CN (China)
Other versions: CN102201951A
Other languages: Chinese (zh)
Inventor: 李�杰
Current assignee: New H3C Information Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Legal status: Active
Prior art keywords: savi, source address, equipment, message, address
Abstract

The invention discloses a source address repeatability detection method and equipment. The method includes the following steps. When a first SAVI (Source Address Validation Improvement) device receives a message whose source address has no SAVI binding instance stored locally, it determines a second SAVI device that records the storage information of SAVI binding instances and sends it a source address repeatability detection message; if no source address repetition message is received within a preset time, the first SAVI device builds the SAVI binding instance of the source address locally, otherwise it does not. When the second SAVI device receives the detection message, if the storage information of the SAVI binding instance is not recorded locally, it records locally that the binding instance is stored in the first SAVI device; if it is recorded, the second SAVI device judges which SAVI device stores the binding instance and, if that is a third SAVI device, sends a source address repeatability detection message to the third SAVI device; if no source address repetition message is received within the preset time, it records locally that the binding instance is stored in the first SAVI device, otherwise it forwards the received source address repetition message to the first SAVI device. The load between SAVI devices is thereby reduced and the normal transmission of data is ensured.

Description

Source address repeatability detection method and device
Technical Field
The invention relates to the technical field of communication, in particular to a method and equipment for detecting source address repeatability.
Background
SAVI (Source Address Validation Improvement) is a mechanism for validating the source address of a data packet. Source address spoofing messages are filtered using a binding instance (the binding instance binds a terminal IP address, a terminal MAC (Media Access Control) address and an access port): for a message from a terminal, the SAVI device judges whether the source address satisfies the relationship recorded in the binding instance; if so, the message is allowed to pass, otherwise it is not.
In order to optimize the SAVI binding instances and the SAVI verification process, the concept of an execution boundary has been proposed, as in the execution boundary diagram shown in FIG. 1. A topological boundary is formed by the SAVI devices (i.e., network devices capable of SAVI functions) and other network devices; traffic within the boundary does not require SAVI verification, and traffic from outside the boundary does. Accordingly, the ports of a SAVI device are divided into trust ports and verification ports: a trust port does not verify the source address of a message, and a verification port does. By setting trust ports and verification ports and detecting source addresses only on verification ports, the execution boundary reduces the number of binding instances stored, reduces the amount of verification and improves the performance of the SAVI devices.
Taking FIG. 1 as an example, trust ports are located between the SAVI devices (SAVI 1, SAVI 2, SAVI 3, SAVI 4) and Switch A, and between the SAVI devices themselves; verification ports are located between SAVI 1 and terminals 1 and 2, between SAVI 2 and terminal 3, between SAVI 3 and terminal 4, and between SAVI 4 and Switch B (SAVI 4 is connected to Switch B, which has no SAVI function and has terminals 5 and 6 connected under it, so in order to verify the traffic of terminals 5 and 6 the port between SAVI 4 and Switch B is a verification port).
It should be noted that, since the purpose of SAVI is to control source address spoofing attacks, a source address must not be usable by more than one terminal: when different SAVI devices hold binding instances with the same source address, traffic cannot be forwarded normally and the number of binding instances on the SAVI devices grows; therefore a source address must not create binding instances on different SAVI devices.
However, cases in which binding instances for the same source address are created on different SAVI devices do occur: (1) when terminals acquire addresses by stateless address allocation, different terminals may generate the same address; (2) an attacker may forge an address that is already in use; (3) a terminal moves between different SAVI devices. Therefore, to ensure that binding instances are not created for the same source address on different SAVI devices, the SAVI devices need to perform a consistency check of the binding instances, ensuring that a source address is not reused.
In the prior art, a SAVI device monitors the messages received from its verification ports and trust ports; the SAVI device connected to a terminal establishes a SAVI binding instance for the terminal, and in order to maintain consistency of the binding instances, the SAVI device broadcasts a DAD (Duplicate Address Detection) message through its trust ports to check whether the source address is already bound elsewhere.
FIG. 2 is a schematic diagram of the process of detecting consistency of a SAVI binding instance. When a terminal E connects to SAVI device A, terminal E indicates through a DAD_NSOL (Duplicate Address Detection Neighbor Solicitation) that it is trying to own source address X. On receiving the DAD_NSOL, SAVI device A records the binding instance information of source address X (such as the source IP address, the source MAC address and the access port; no binding instance is created at this point) and broadcasts the DAD_NSOL through its trust ports. On receiving the DAD_NSOL, SAVI device B finds that it has no binding instance for source address X and broadcasts the DAD_NSOL through its trust ports. On receiving the DAD_NSOL, SAVI device C finds that it does have a binding instance for source address X, because terminal F has already indicated possession of source address X.
In order to verify whether terminal F still exists, SAVI device C forwards the DAD_NSOL message to terminal F through the verification port. If terminal F exists, it responds with a DAD_NADV (Duplicate Address Detection Neighbor Advertisement), which SAVI device C sends to SAVI device A. SAVI device A then considers that terminal E and terminal F are trying to own the same source address, deletes the binding instance information of source address X and forwards the DAD_NADV to terminal E, which must generate a new source address after receiving it.
However, since DAD_NSOL and DAD_NADV are broadcast messages, they have to reach all SAVI devices through the trust ports, and when a terminal moves frequently between SAVI devices, the broadcast load between the SAVI devices becomes heavy. Moreover, when a SAVI device restarts, the binding instances on it may be lost, after which its data packets are discarded, affecting the normal transmission of data.
Disclosure of Invention
The invention provides a method and equipment for detecting source address repeatability, which are used to reduce the load between SAVI (Source Address Validation Improvement) devices and to ensure the normal transmission of data.
In order to achieve the above object, the present invention provides a method for detecting source address repeatability, comprising the following steps:
a first SAVI device receives a message sent by a terminal; if the SAVI binding instance of the message source address is not stored locally, it determines a second SAVI device that records the storage information of SAVI binding instances and sends the second SAVI device a source address repeatability detection message inquiring about the existence information of the SAVI binding instance; if no source address repetition message is received within a preset time, the first SAVI device establishes the SAVI binding instance of the source address locally, otherwise it does not establish it;
after the second SAVI device receives the source address repeatability detection message of the first SAVI device inquiring about the existence information of the SAVI binding instance, if the storage information of the SAVI binding instance is not recorded locally, it records locally that the SAVI binding instance is stored in the first SAVI device; if the storage information of the SAVI binding instance is recorded locally, it judges from that information which SAVI device stores the SAVI binding instance, and if that device is a third SAVI device, it sends the third SAVI device a source address repeatability detection message inquiring whether the message source address is repeated; if the second SAVI device receives no source address repetition message within the preset time, it records locally that the SAVI binding instance is stored in the first SAVI device, otherwise it sends the received source address repetition message to the first SAVI device;
and after the third SAVI device receives the source address repeatability detection message of the second SAVI device inquiring whether the message source address is repeated, it queries the terminal corresponding to the source address and, if the source address is repeated, sends a source address repetition message to the second SAVI device.
The first SAVI device determining a second SAVI device that records the SAVI binding instance storage information specifically comprises: the first SAVI device obtains an address identifier by HASH calculation over the message source address, and determines the second SAVI device that records the SAVI binding instance storage information according to the relationship between the address identifier and the SAVI device identifiers.
Determining the second SAVI device that records the SAVI binding instance storage information according to the relationship between the address identifier and the SAVI device identifiers specifically comprises: the first SAVI device determines that the second SAVI device is the SAVI device whose SAVI device identifier is larger than the address identifier and differs from it by the smallest amount; or the first SAVI device determines that the second SAVI device is the SAVI device whose SAVI device identifier is smaller than the address identifier and differs from it by the smallest amount.
Each SAVI device notifies the other SAVI devices of its SAVI device identifier by broadcasting; the first SAVI device records each SAVI device identifier locally after receiving the broadcast notification of each SAVI device; and the SAVI device identifiers are obtained by HASH calculation.
A source address repeatability detection apparatus, comprising:
a receiving module, configured to receive the message sent by the terminal; to receive a source address repeatability detection message inquiring about the SAVI binding instance existence information of a message source address; and to receive a source address repeatability detection message inquiring whether a message source address is repeated;
a processing module, configured to determine, after the message sent by the terminal is received and when the SAVI binding instance of the message source address is not stored locally, the SAVI device that records the storage information of SAVI binding instances; and, when no source address repetition message is received within a preset time, to establish the SAVI binding instance of the source address locally, otherwise not to establish it;
after a source address repeatability detection message inquiring about the SAVI binding instance existence information of a message source address is received, to record locally that the SAVI binding instance is stored in the SAVI device that received the terminal's message when the SAVI binding instance storage information is not recorded locally or no source address repetition message is received within the preset time; and, when the SAVI binding instance storage information is recorded locally, to judge from that information which SAVI device stores the SAVI binding instance;
after a source address repeatability detection message inquiring whether a message source address is repeated is received, to query the terminal corresponding to the source address;
a sending module, configured to send a source address repeatability detection message inquiring about the existence information of the SAVI binding instance; to send a source address repeatability detection message inquiring whether the message source address is repeated; and to send the source address repetition message.
The processing module is specifically configured to obtain an address identifier by HASH calculation over the message source address, and to determine the SAVI device that records the storage information of SAVI binding instances according to the relationship between the address identifier and the SAVI device identifiers.
The processing module is further configured to determine that the SAVI device recording the storage information of SAVI binding instances is the SAVI device whose SAVI device identifier is larger than the address identifier and differs from it by the smallest amount; or to determine that it is the SAVI device whose SAVI device identifier is smaller than the address identifier and differs from it by the smallest amount.
Each SAVI device notifies the other SAVI devices of its SAVI device identifier by broadcasting; after the broadcast notification of each SAVI device is received, each SAVI device identifier is recorded locally; and the SAVI device identifiers are obtained by HASH calculation.
Compared with the prior art, the invention has at least the following advantages:
by maintaining the information about the binding instance of a given source address on two SAVI devices, the load between the SAVI devices can be reduced and the normal transmission of data ensured.
Drawings
FIG. 1 is a schematic diagram of a prior art execution boundary;
FIG. 2 is a diagram illustrating a SAVI binding instance consistency detection process in the prior art;
FIG. 3 is a schematic diagram of an application scenario of the present invention;
FIG. 4 is a schematic diagram of the message format of a broadcast message carrying a device identifier according to the present invention;
FIG. 5 is a diagram of the 128-bit address space over which the device identifiers are distributed according to the present invention;
FIG. 6 is a flowchart of a method for detecting repeatability of a source address according to the present invention;
FIG. 7 is a structural diagram of a source address repeatability detection processing device according to the present invention.
Detailed Description
The invention provides a method for detecting source address repeatability, which is applied to a network system comprising a plurality of SAVI devices. FIG. 3 is the reference network schematic diagram of the invention, in which SAVI devices A, B, C, D and E are network devices (such as switches, routers and the like) with the SAVI function enabled; trust ports are arranged between the SAVI devices, a verification port is arranged between terminal A and SAVI device A, and a verification port is arranged between terminal B and SAVI device C.
In the invention, each SAVI device may have an access function and a storage function. The access function establishes a SAVI binding instance for the source address of a terminal and filters source address spoofing messages with the binding instance, allowing messages whose source address satisfies the binding instance to pass and filtering messages whose source address does not. The storage function stores the information of which SAVI device the binding instance of a given source address is located on; for this, a mapping relationship between the source address and the device identifier needs to be established. For example, for the source address of terminal A, the access function of SAVI device A may establish the SAVI binding instance for the source address, and the storage function of SAVI device D may establish the mapping relationship between that source address and the device identifier.
In order to implement the above functions, each SAVI device may calculate a device identifier by HASH over device information (such as the IP address and the name of the SAVI device); the number of bits of the device identifier may be selected according to actual conditions, for example 128 bits, in which case all SAVI devices have a 128-bit device identifier.
Based on its own device identifier, each SAVI device also needs to obtain the device identifiers of the other SAVI devices and maintain a SAVI device list, in which the device identifiers of the other SAVI devices and the egress information towards them are recorded. For example, the SAVI device list of SAVI device A records the device identifier of SAVI device B and the egress information towards SAVI device B, and so on. Messages can be transmitted between the SAVI devices using the information maintained in the SAVI device list; for example, when SAVI device A sends a message to SAVI device C, the message can be sent based on the device identifier of SAVI device C and the egress information that reaches SAVI device C.
The device identifiers of the other SAVI devices can be obtained by manual configuration or by automatic configuration, and manual configuration may take priority over automatic configuration. Manual configuration suits the case of few SAVI devices: the device identifiers of the other SAVI devices are configured directly on each SAVI device. Automatic configuration suits the case of many or unstable SAVI devices: each SAVI device periodically broadcasts its own device identifier through its trust ports, and a SAVI device receiving the broadcast message maintains a SAVI device list with a timer for each SAVI device; if the broadcast message of a SAVI device is received before its timer expires, the record of that SAVI device is kept, and if the timer expires without the broadcast message of that SAVI device having been received, its record is deleted from the SAVI device list.
For the broadcast message carrying the device identifier, the message format shown in FIG. 4 may be adopted. The first Type field indicates the frame type, and a Type of 8888 indicates a SAVI data frame. The second Type field describes the type of the SAVI message: Type 0 means that the SAVI device requests the device identifiers of the other SAVI devices, the destination MAC address is a broadcast address and the SAVI Identifier field is all 0; Type 1 means that the SAVI device broadcasts its own device identifier, either as a response to Type 0 or as a heartbeat maintaining its device identifier, the destination MAC address is a broadcast address and the SAVI Identifier field carries the SAVI device identifier; Type 2 means that the SAVI device encapsulates a packet, that is, data from the terminal is filled into the Padding field. The Length field describes the length from the second Type field to the end of the Padding field. The SAVI Identifier field describes the device identifier of the SAVI device.
It should be noted that the above values (e.g. Type 8888, Type 1, etc.) are only for convenience of description and can be adjusted in practical applications; in addition, in order to maintain the SAVI device list, a SAVI device may send the messages of Type 0 and Type 1 multiple times (for example, 3 times).
When a SAVI device joins the network, it requests the device identifiers of the other SAVI devices with a broadcast message of Type 0 and broadcasts its own device identifier with a broadcast message of Type 1. In this way the SAVI device can build its SAVI device list, and the other SAVI devices can add the device identifier of the new SAVI device to their own SAVI device lists.
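The following Python example is added here to make the FIG. 4 frame format and the SAVI device list maintenance concrete; it is not code from the patent or from H3C. It uses the Type values the patent gives (8888, 0, 1, 2), but the field widths (2-byte first Type, 1-byte second Type, 2-byte Length, 128-bit SAVI Identifier) are assumptions, since the page gives none. The parser checks that the Length field accounts for every byte after the first Type field, so a truncated or padded frame received on a trust port is dropped rather than misparsed, and the device list expires entries whose heartbeat timer has run out.

```python
import struct

# Field values from the patent's FIG. 4 description; the widths are an assumption for this example.
FRAME_TYPE_SAVI = 0x8888     # first Type field: SAVI data frame
MSG_REQUEST = 0              # second Type: request the other devices' identifiers
MSG_ANNOUNCE = 1             # second Type: announce own identifier (Type 0 response or heartbeat)
MSG_ENCAP = 2                # second Type: terminal data encapsulated in the Padding field
ID_LEN = 16                  # 128-bit SAVI Identifier
HDR = struct.Struct("!HBH")  # first Type (2 bytes), second Type (1 byte), Length (2 bytes)


def build_frame(msg_type, identifier=bytes(ID_LEN), padding=b""):
    """Build a SAVI frame. Length covers the second Type, Length, Identifier and Padding."""
    if len(identifier) != ID_LEN:
        raise ValueError("SAVI Identifier must be 128 bits")
    if msg_type == MSG_REQUEST and any(identifier):
        raise ValueError("a Type 0 request carries an all-zero SAVI Identifier")
    length = 1 + 2 + ID_LEN + len(padding)
    return HDR.pack(FRAME_TYPE_SAVI, msg_type, length) + identifier + padding


def parse_frame(frame):
    """Parse a SAVI frame; returns (msg_type, identifier, padding), or None if malformed."""
    if len(frame) < HDR.size + ID_LEN:
        return None
    frame_type, msg_type, length = HDR.unpack_from(frame)
    if frame_type != FRAME_TYPE_SAVI or msg_type not in (MSG_REQUEST, MSG_ANNOUNCE, MSG_ENCAP):
        return None
    # Length must account for every byte after the first Type field, so a
    # truncated or over-long frame is rejected instead of being misparsed
    if length != len(frame) - 2:
        return None
    identifier = frame[HDR.size:HDR.size + ID_LEN]
    padding = frame[HDR.size + ID_LEN:]
    return msg_type, identifier, padding


class SaviDeviceList:
    """SAVI device list of one device: identifier -> (egress port, time of last heartbeat)."""

    def __init__(self, own_id, timeout):
        self.own_id = own_id
        self.timeout = timeout      # heartbeat timer length, in the same unit as `now` below
        self.entries = {}

    def on_frame(self, frame, ingress_port, now):
        """Handle a frame received on a trust port. Returns a frame to send back, or None."""
        parsed = parse_frame(frame)
        if parsed is None:
            return None                      # malformed: ignore
        msg_type, identifier, _ = parsed
        if msg_type == MSG_REQUEST:
            # a joining device asks for identifiers: answer with our own (Type 1)
            return build_frame(MSG_ANNOUNCE, self.own_id)
        if msg_type == MSG_ANNOUNCE and identifier != self.own_id:
            # response or heartbeat: restart that device's timer, remember the egress port
            self.entries[identifier] = (ingress_port, now)
        return None

    def expire(self, now):
        """Delete the records whose heartbeat timer has run out; returns the dropped identifiers."""
        stale = [i for i, (_, seen) in self.entries.items() if now - seen > self.timeout]
        for i in stale:
            del self.entries[i]
        return stale

    def egress_port(self, identifier):
        """Egress information towards a device, used to reach it through the trust ports."""
        return self.entries[identifier][0]
```

The timer is modelled by the caller passing the current time to `on_frame` and `expire`, which keeps the list logic deterministic; a real implementation would drive `expire` from a periodic timer.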
It should be noted that, before broadcasting the message carrying its device identifier, the SAVI device may further judge whether the device identifier of any other SAVI device is the same as its own; if not, the message is broadcast. If one is the same, the SAVI device obtains a new device identifier by HASH over the negation of its own IP address and again judges whether the new device identifier is the same as the device identifier of any other SAVI device; if not, the message is broadcast. If it is still the same, an error is reported, a log is recorded, and the administrator is prompted to configure the device identifier.
Taking as an example that the device identifier of SAVI device A is IDa, that of SAVI device B is IDb, that of SAVI device C is IDc, that of SAVI device D is IDd and that of SAVI device E is IDe, the device identifiers are distributed over a 128-bit address space as shown in FIG. 5, the device identifier values increase clockwise, and IDa < IDb < IDc < IDd < IDe.
In order to establish the mapping relationship between source addresses and device identifiers on the SAVI devices: (1) a specific device (such as SAVI device D) can be selected to establish the mapping relationship for all source addresses; (2) the SAVI device whose device identifier is larger than the address identifier and differs from it by the smallest amount is selected to establish the mapping relationship between the source address and the device identifier (the address identifier is calculated by HASH over the source address information; the device identifier and the address identifier are numerical values with the same number of bits, so the address identifier is also 128 bits); for example, when the address identifier of the source address of terminal A lies between IDb and IDc, SAVI device C establishes the mapping relationship between the source address of terminal A and IDa; (3) the SAVI device whose device identifier is smaller than the address identifier and differs from it by the smallest amount is selected to establish the mapping relationship between the source address and the device identifier, that is, SAVI device A establishes the mapping relationships for all source addresses whose address identifier lies between IDa and IDb, and so on, and SAVI device E establishes the mapping relationships for all source addresses whose address identifier lies in [IDe, 2^128) or [0, IDa); for example, when the address identifier of the source address of terminal A lies between IDb and IDc, SAVI device B establishes the mapping relationship between the source address of terminal A and IDa.
It should be noted that, when method (2) or method (3) is adopted, if a SAVI device (e.g. SAVI device F) joins the network (its broadcast message carrying the device identifier IDf is received) or a SAVI device (e.g. SAVI device E) leaves the network (no broadcast message from SAVI device E is received for a predetermined time), the device storing the mapping relationship between a source address and IDa may change. If method (3) is adopted and IDf lies between IDa and IDb, the mapping relationships for all source addresses whose address identifier lies between IDf and IDb are now to be established by SAVI device F (previously by SAVI device A); the mapping relationships recorded on SAVI device E will likewise be established by other SAVI devices.
Therefore, the storage location of the mapping relationships may be adjusted between the SAVI devices. For example, when the mapping relationship of address 2 is currently recorded by SAVI device A and, after SAVI device F joins the network, it is found from the device identifiers and the address identifier of address 2 that the mapping relationship of address 2 should be recorded by SAVI device F, SAVI device A may send the mapping relationship of address 2 to SAVI device F (a DAD_NSOL packet may be used for this), SAVI device F records it, and SAVI device A deletes the mapping relationship of address 2 from its own records.
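The following Python example is added to show, in working code, the identifier derivation with the collision fallback described above, the ring selection of methods (2) and (3) over the 128-bit space of FIG. 5 with the wrap-around that the [IDe, 2^128) and [0, IDa) intervals imply, and the adjustment of stored mappings when a device joins or leaves. It is not code from the patent or from H3C. Two points are assumptions, since the patent leaves them open: SHA-256 truncated to 128 bits stands in for the unnamed HASH, and an address identifier equal to a device identifier is assigned to that device under method (3) (consistent with [IDe, 2^128) being closed at IDe) and to the next device under method (2).

```python
import hashlib
import ipaddress

ID_BITS = 128
ID_SPACE = 1 << ID_BITS


def hash128(data):
    # Assumption: the patent does not name the HASH; SHA-256 truncated to 128 bits stands in for it.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def device_identifier(ip, name, taken):
    """Device identifier from IP and name; on collision re-hash with the negated IP, else fail."""
    packed = ipaddress.ip_address(ip).packed
    ident = hash128(packed + name.encode())
    if ident not in taken:
        return ident
    negated = bytes(~b & 0xFF for b in packed)        # second attempt: negated IP address
    ident = hash128(negated + name.encode())
    if ident not in taken:
        return ident
    # still colliding: report an error and leave it to the administrator to configure one
    raise RuntimeError("device identifier collision: administrator must configure the identifier")


def address_identifier(source_address):
    """Address identifier: HASH over the source address, same width as a device identifier."""
    return hash128(ipaddress.ip_address(source_address).packed)


def storage_device(addr_id, device_ids, method):
    """Device that records the mapping for addr_id on the ring of FIG. 5.
    method 2: smallest device id above addr_id, wrapping round to the smallest id overall.
    method 3: largest device id at or below addr_id, wrapping round to the largest id overall
              (so the largest id covers [IDmax, 2^128) and [0, IDmin))."""
    ids = sorted(device_ids)
    if method == 2:
        above = [i for i in ids if i > addr_id]
        return above[0] if above else ids[0]
    if method == 3:
        below = [i for i in ids if i <= addr_id]
        return below[-1] if below else ids[-1]
    raise ValueError("method must be 2 or 3")


def rebalance(stores, device_ids, method):
    """Move each (address id -> owner device) record to the device the ring now selects.
    stores: holder device id -> {address id: id of the device holding the binding instance}.
    Called after the device list changed (join or leave); returns the records moved."""
    moved = []
    for holder in list(stores):
        for addr_id, owner in list(stores[holder].items()):
            target = storage_device(addr_id, device_ids, method)
            if target != holder:
                stores.setdefault(target, {})[addr_id] = owner   # F records the mapping ...
                del stores[holder][addr_id]                      # ... and A deletes it
                moved.append((addr_id, holder, target))
    return moved
```

With the device identifiers IDa < IDb < IDc < IDd < IDe and an address identifier between IDb and IDc, `storage_device` returns IDc under method (2) and IDb under method (3), and when a device F with IDa < IDf < IDb joins, `rebalance` under method (3) moves exactly the records whose address identifier lies between IDf and IDb from A to F, as the text describes.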
Based on the SAVI device list maintained on each SAVI device, as shown in fig. 6, the method comprises the steps of:
step 601, a first SAVI device (e.g., SAVI device a) receives a message from a terminal (e.g., terminal a). If the SAVI equipment A records the SAVI binding example of the message source address, executing the existing filtering process, which is not described again; if the SAVI device a does not store the SAVI binding instance of the source address of the message, the binding instance information of the source address is recorded, and step 602 is executed.
In step 602, the first SAVI device determines a second SAVI device that records the SAVI binding instance storage information of the source address (address 1 is taken as an example).
Specifically, the SAVI equipment A calculates by using the address 1HASH to obtain an address identifier, and determines second SAVI equipment according to the equipment identifiers and the address identifiers of other SAVI equipment; for example, when an SAVI device with a device identifier larger than the address identifier and with the smallest difference with the address identifier is selected to establish a mapping relationship between a source address and the device identifier, determining that the second SAVI device is the SAVI device with the device identifier larger than the address identifier and with the smallest difference with the address identifier; and when the SAVI equipment with the equipment identifier smaller than the address identifier and the minimum difference with the address identifier is selected to establish the mapping relation between the source address and the equipment identifier, determining that the second SAVI equipment is the SAVI equipment with the equipment identifier smaller than the address identifier and the minimum difference with the address identifier.
In practical application, the first SAVI device may further determine that the designated device is a second SAVI device; for example, when the SAVI device D is used to record whether there is a binding instance for establishing active address information on the SAVI device, the second SAVI device is the SAVI device D.
Taking the second SAVI device as the SAVI device whose device identifier is smaller than the address identifier and whose difference from the address identifier is the minimum, the SAVI device a obtains a 128-bit address identifier X through the HASH address 1, and compares the address identifier X with each device identifier by searching the SAVI device list to obtain IDd < X < IDe, thereby determining the second device as the SAVI device D.
Step 603, the first SAVI device sends a source address repeatability detection message for querying presence information of the SAVI binding instance (i.e., whether the SAVI binding instance exists and the SAVI device in which the SAVI binding instance exists) to the second SAVI device.
It should be noted that the message from the terminal may be a DAD _ NSOL message or a data message, and for the DAD _ NSOL message, the SAVI device a packages the message into a source address repeatability detection message of Type 2 through a trusted port (known from the SAVI device list) and sends the source address repeatability detection message to the SAVI device D; and for the data message, the SAVI equipment A caches the data message, sends a source address repeatability detection message to the second SAVI equipment, and sends the cached data message if the source address is not repeated subsequently, or discards the cached data message.
In the invention, the source address repeatability detection message for inquiring the existence information of the SAVI binding instance can be a message encapsulated with DAD _ NSOL, and the destination MAC address of the message is the MAC address of the second SAVI device.
Step 604, the second SAVI device determines whether a SAVI binding instance with address 1 is recorded according to the SAVI binding instance storage information; if not, go to step 605, otherwise, go to step 606.
Whether a SAVI binding instance of the source address exists is represented on the SAVI device D by maintaining the correspondence (excluding the MAC address and access port information) between SAVI device identifiers and source addresses: if the SAVI device D holds address 1 together with a device identifier, a SAVI binding instance of address 1 exists on the SAVI device corresponding to that identifier. For example, when the correspondence between address 1 and IDc is recorded on the SAVI device D, the SAVI device C has a SAVI binding instance with address 1.
It should be noted that, after the SAVI device D receives the source address repeatability detection message for querying the presence information of the SAVI binding instance from the trusted port, step 604 above is executed if the destination MAC address of the message is its own MAC address; otherwise, the source address repeatability detection message is forwarded onward according to its destination MAC address.
Step 605, the second SAVI device records that the SAVI binding instance with address 1 is established on the first SAVI device, and the first SAVI device establishes the SAVI binding instance with address 1. For example, the SAVI device D records the correspondence between address 1 and IDa, and the SAVI device A establishes a SAVI binding instance using binding instance information such as address 1.
It should be noted that the SAVI device D need not return a response message to the SAVI device A: if the SAVI device A receives no source address duplicate message within the predetermined time, it directly establishes a SAVI binding instance with address 1 locally.
In step 606, the second SAVI device determines, according to the SAVI binding instance storage information, that the SAVI device holding the SAVI binding instance with address 1 is the third SAVI device (e.g., SAVI device C).
The SAVI device D may directly determine, by using the correspondence between the device identifier and the address 1, that the SAVI binding instance with the address 1 is established on the third SAVI device, and execute step 607.
In practical application, when the SAVI device A loses the SAVI binding instance because of a restart or the like, the SAVI device D may also find from its record that address 1 was established on the SAVI device A, and notify the SAVI device A to establish the SAVI binding instance with address 1 again; or the process ends here, and the SAVI device A establishes the SAVI binding instance after it receives no source address duplicate message within the predetermined time.
In step 607, the second SAVI device sends a source address duplication detection message (i.e., a DAD_NSOL message) for querying whether the message source address is duplicated to the third SAVI device.
In step 608, the third SAVI device queries whether address 1 is in use, and if so, performs step 609, otherwise, performs step 610.
If the SAVI device C has no SAVI binding instance corresponding to address 1, address 1 is not in use. If the SAVI device C has a SAVI binding instance corresponding to address 1, it forwards the DAD_NSOL message out of the verification port to the corresponding terminal in order to verify whether the terminal holding address 1 still exists: if the SAVI device C receives a DAD_NADV, address 1 is in use; otherwise, address 1 is not in use.
Step 609, the third SAVI device sends a source address duplicate message (such as DAD_NADV) to the second SAVI device, and the second SAVI device relays it to the first SAVI device. On receiving the source address duplicate message, the first SAVI device learns that terminal A is not allowed to use address 1, deletes the binding instance information of address 1 without establishing a SAVI binding instance for it, and forwards the source address duplicate message to terminal A, which must then generate a new address.
Step 610, the second SAVI device records that the SAVI binding instance with address 1 is established on the first SAVI device, and the first SAVI device establishes the SAVI binding instance with address 1.
If the SAVI device D receives no source address duplicate message within the predetermined time, it learns that address 1 is not in use and replaces the correspondence between address 1 and the device identifier of the SAVI device C with the correspondence between address 1 and the device identifier of the SAVI device A, that is, it records that the SAVI binding instance with address 1 is established on the SAVI device A; if the SAVI device A receives no message informing the terminal that it is not allowed to use address 1 within the predetermined time, it establishes the SAVI binding instance with address 1.
It should be noted that the predetermined time can be implemented by waiting for a DAD_NADV timer to expire, and the DAD_NADV waiting timer must be configured consistently on every SAVI device.
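Steps 603 to 610 above, as an added example that is not part of the patent: a small Python simulation in which device A is the first SAVI device, D the second (recording) device and C the third. Message exchanges are modelled as direct method calls, "no DAD_NADV before the timer expires" is modelled as the third device finding no live terminal behind its binding, and the addresses, MACs and ports are constructed.

```python
"""Added example: three-device source address duplication check (steps 603-610)."""
from dataclasses import dataclass, field


@dataclass
class SaviDevice:
    dev_id: str
    # Local SAVI binding instances: address -> (MAC, access port)
    bindings: dict = field(default_factory=dict)
    # Binding-instance storage information kept by a recording device: address -> dev_id
    records: dict = field(default_factory=dict)
    # Constructed stand-in for "the terminal answers DAD_NSOL with DAD_NADV"
    live_terminals: set = field(default_factory=set)
    duplicate_queries: int = 0  # how many step-607 queries this device has received

    def address_in_use(self, addr: str) -> bool:
        """Step 608: in use only if a binding instance exists AND the terminal behind
        the verification port still answers; a stale binding with no reply is 'unused'."""
        self.duplicate_queries += 1
        return addr in self.bindings and addr in self.live_terminals

    def presence_query(self, addr: str, first: "SaviDevice", devices: dict) -> bool:
        """Steps 604-610 on the second device. Returns True when a source address
        duplicate message has to be relayed back to the first device."""
        owner = self.records.get(addr)
        if owner is None or owner == first.dev_id:
            # Step 605, and the restart case of the text: the record is absent or
            # already names the first device, so no third device is asked.
            self.records[addr] = first.dev_id
            return False
        third = devices[owner]
        if third.address_in_use(addr):          # step 609: DAD_NADV came back
            return True
        # Step 610: no DAD_NADV before the timer expired; the record moves to the first device.
        self.records[addr] = first.dev_id
        return False


def attach_terminal(first: SaviDevice, addr: str, mac: str, port: str,
                    second: SaviDevice, devices: dict) -> bool:
    """Steps 601-603 plus the outcome on the first device. Returns True if the binding
    instance was established, False if the terminal must generate a new address."""
    if addr in first.bindings:
        return True                             # binding already held locally
    if second.presence_query(addr, first, devices):
        return False                            # source address duplicate message received
    first.bindings[addr] = (mac, port)
    first.live_terminals.add(addr)
    return True


def scenario() -> tuple:
    """Constructed run: address live behind C, then stale on C, then A restarts."""
    devices = {name: SaviDevice(name) for name in ("A", "C", "D")}
    a, c, d = devices["A"], devices["C"], devices["D"]
    addr = "2001:db8::10"                       # constructed IPv6 address
    c.bindings[addr] = ("00:11:22:33:44:55", "GE1/0/1")
    c.live_terminals.add(addr)
    d.records[addr] = "C"                       # D knows C holds the instance

    rejected = attach_terminal(a, addr, "66:77:88:99:aa:bb", "GE1/0/2", d, devices)
    # Host behind C goes away: its binding lingers but DAD_NSOL gets no DAD_NADV.
    c.live_terminals.discard(addr)
    accepted = attach_terminal(a, addr, "66:77:88:99:aa:bb", "GE1/0/2", d, devices)
    # A loses its bindings (restart). D's record already names A, so C is not asked again.
    queries_before = c.duplicate_queries
    a.bindings.clear()
    rebuilt = attach_terminal(a, addr, "66:77:88:99:aa:bb", "GE1/0/2", d, devices)
    return rejected, accepted, rebuilt, d.records[addr], c.duplicate_queries - queries_before
```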
Based on the same inventive concept as the above method, the present invention further provides a source address repeatability detection apparatus, as shown in fig. 7, including:
a receiving module 11, configured to receive a message sent by a terminal; to receive a source address repeatability detection message for querying the SAVI binding instance presence information of the message source address; and to receive a source address repeatability detection message for querying whether the message source address is duplicated;
a processing module 12, configured to determine, after a message sent by a terminal is received and no SAVI binding instance of the message source address is stored locally, the SAVI device that records the storage information of the SAVI binding instance; and to establish the SAVI binding instance of the source address locally when no source address duplicate message is received within the predetermined time, and otherwise not to establish it;
after receiving a source address repeatability detection message for inquiring the SAVI binding instance existence information of the message source address, locally recording the information of the SAVI binding instance stored in the SAVI equipment receiving the message of the terminal when the SAVI binding instance storage information is not locally recorded or the source address repeatability message is not received within a preset time; when the SAVI binding instance storage information is locally recorded, the SAVI equipment storing the SAVI binding instance is judged according to the SAVI binding instance storage information;
after receiving a source address repeatability detection message for inquiring whether the message source address is repeated, inquiring a terminal corresponding to the source address;
a sending module 13, configured to send a source address repeatability detection message for querying presence information of the SAVI binding instance; sending a source address repeatability detection message for inquiring whether the message source address is repeated; and sending the source address repeated message.
The processing module 12 is specifically configured to obtain an address identifier through calculation of the message source address HASH, and determine, according to a relationship between the address identifier and an SAVI device identifier, the SAVI device that records the storage information of the SAVI binding instance.
The processing module 12 is further configured to determine that the SAVI device that records the storage information of the SAVI binding instance is a SAVI device that has a SAVI device identifier that is greater than the address identifier and has a minimum difference from the address identifier; or determining that the SAVI equipment recording the SAVI binding instance storage information is SAVI equipment with an SAVI equipment identifier smaller than the address identifier and with the minimum difference with the address identifier.
The SAVI equipment identifications are notified to other SAVI equipment by each SAVI equipment in a broadcasting mode, and after the broadcasting notification of each SAVI equipment is received, each SAVI equipment identification is locally recorded, and the SAVI equipment identifications are obtained through Hash calculation.
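The identifier-based selection of the recording SAVI device described above, as an added example that is not part of the patent. Device and address identifiers come from a hash (a truncated SHA-1 is a constructed stand-in; the text only says HASH), the recorder is the device whose identifier is the nearest one above or below the address identifier, and wrapping around the ring when no identifier lies on the required side is an assumption the text leaves open. The example also goes beyond the text by showing that removing a device only remaps the addresses that were assigned to it.

```python
"""Added example: identifier-ring selection of the recording SAVI device."""
import hashlib


def ident(value: str, bits: int = 16) -> int:
    """Map a device name or source address onto a 2**bits identifier ring.
    Assumption: the patent only says the identifiers come from a HASH; a
    truncated SHA-1 is used here purely as a constructed stand-in."""
    digest = hashlib.sha1(value.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (1 << bits)


def build_ring(device_names, bits: int = 16) -> dict:
    """What every device holds after the broadcast phase: name -> identifier.
    Because the mapping is a pure function of the broadcast names, every
    device derives the same table and therefore the same recorder choices."""
    return {name: ident(name, bits) for name in device_names}


def select_recorder(addr_id: int, device_ids: dict, rule: str = "greater") -> str:
    """Pick the device that records the binding-instance storage information.
    rule='greater': smallest device identifier above addr_id.
    rule='smaller': largest device identifier below addr_id.
    Assumption: when no identifier lies on the required side, wrap around the
    ring (lowest identifier for 'greater', highest for 'smaller')."""
    pairs = sorted((i, name) for name, i in device_ids.items())
    if rule == "greater":
        above = [p for p in pairs if p[0] > addr_id]
        return (above[0] if above else pairs[0])[1]
    if rule == "smaller":
        below = [p for p in pairs if p[0] < addr_id]
        return (below[-1] if below else pairs[-1])[1]
    raise ValueError(f"unknown rule: {rule}")


def remapped_on_removal(addr_ids, device_ids: dict, removed: str, rule: str = "greater") -> list:
    """Addresses whose recorder changes when `removed` leaves the ring.
    Only addresses that were assigned to the removed device should move."""
    remaining = {n: i for n, i in device_ids.items() if n != removed}
    return [a for a in addr_ids
            if select_recorder(a, device_ids, rule) != select_recorder(a, remaining, rule)]
```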
In addition, to further illustrate the source address repeatability detection device shown in fig. 7, based on the same inventive concept as the method, the source address repeatability detection device may be in the role of a first SAVI device, a second SAVI device, and a third SAVI device, and includes: the device comprises a receiving module, a determining module, a sending module, a recording module and an establishing module;
When the source address repeatability detection device acts as a first SAVI device, the receiving module is used to receive a message sent by a terminal; the determining module is configured to determine, when no SAVI binding instance of the message source address is stored locally, a second SAVI device recording the storage information of the SAVI binding instance; the sending module is used to send a source address repeatability detection message for querying the presence information of the SAVI binding instance to the second SAVI device; and the establishing module is used to establish the SAVI binding instance of the source address locally when no source address duplicate message is received within the predetermined time, and otherwise not to establish it.
When the role of the source address repeatability detection equipment serves as second SAVI equipment, the receiving module is used for receiving the source address repeatability detection message of the first SAVI equipment, wherein the source address repeatability detection message is used for inquiring the existence information of the SAVI binding instance; the recording module is used for locally recording the information that the SAVI binding instance is stored in the first SAVI device when the SAVI binding instance storage information is not locally recorded; if the source address repeated message is not received within the preset time, the information stored in the first SAVI device by the SAVI binding instance is locally recorded; the determining module is configured to, when the storage information of the SAVI binding instance is locally recorded, determine, according to the storage information of the SAVI binding instance, that the SAVI device storing the SAVI binding instance is a third SAVI device; the sending module is configured to send a source address repeatability detection message for querying whether the message source address is repeated to the third SAVI device; and if the source address repeated message is received within the preset time, sending the received source address repeated message to the first SAVI equipment.
When the role of the source address repeatability detection equipment is used as third SAVI equipment, the receiving module is used for receiving a source address repeatability detection message of second SAVI equipment; the determining module is used for inquiring the terminal corresponding to the source address; and the sending module is used for sending a source address repeat message to the second SAVI device when the source address is repeated.
When the source address repeatability detection device acts as the first SAVI device, the determining module is specifically configured to obtain an address identifier by HASH calculation over the message source address, and to determine the second SAVI device recording the SAVI binding instance storage information according to the relationship between the address identifier and the SAVI device identifiers. The determining module is further configured to determine that the second SAVI device is the SAVI device whose device identifier is greater than the address identifier and has the smallest difference from it; or that the second SAVI device is the SAVI device whose device identifier is smaller than the address identifier and has the smallest difference from it.
The SAVI equipment identifications are notified to other SAVI equipment by each SAVI equipment in a broadcasting mode, and after the broadcasting notification of each SAVI equipment is received, each SAVI equipment identification is locally recorded, and the SAVI equipment identifications are obtained through Hash calculation.
The modules of the device can be integrated into a whole or can be separately deployed. The modules can be combined into one module, and can also be further split into a plurality of sub-modules.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by hardware, or by software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, a USB disk, or a removable hard disk) and includes several instructions for enabling a computer device (such as a personal computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Those skilled in the art will appreciate that the drawings are merely schematic representations of one preferred embodiment and that the blocks or flow diagrams in the drawings are not necessarily required to practice the present invention.
Those skilled in the art will appreciate that the modules in the devices in the embodiments may be distributed in the devices in the embodiments according to the description of the embodiments, and may be correspondingly changed in one or more devices different from the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
The above-mentioned serial numbers of the present invention are for description only and do not represent the merits of the embodiments.
The above disclosure is only for a few specific embodiments of the present invention, but the present invention is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present invention.

Claims (8)

1. A source address repeatability detection method is characterized by comprising the following steps:
a first SAVI device receives a message sent by a terminal, and if the SAVI binding instance of the message source address is not locally stored, determines a second SAVI device recording the storage information of the SAVI binding instance, and sends a source address repeatability detection message inquiring the existence information of the SAVI binding instance to the second SAVI device; if the source address repeatability detection message is not received within a preset time, the first SAVI device locally establishes the SAVI binding instance of the source address, otherwise the SAVI binding instance of the source address is not established;
after the second SAVI device receives the source address repeatability detection message of the first SAVI device, which is used for inquiring the existence information of the SAVI binding instance, if the storage information of the SAVI binding instance is not locally recorded, the information of the SAVI binding instance stored in the first SAVI device is locally recorded; if the SAVI binding instance storage information is locally recorded, the SAVI equipment storing the SAVI binding instance is judged according to the SAVI binding instance storage information, and if the SAVI equipment storing the SAVI binding instance is third SAVI equipment, a source address repeatability detection message for inquiring whether the message source address is repeated is sent to the third SAVI equipment; if the second SAVI equipment does not receive the source address repeated message within the preset time, locally recording the information stored in the first SAVI equipment by the SAVI binding instance, and otherwise, sending the received source address repeated message to the first SAVI equipment;
and after receiving a source address repeatability detection message of the second SAVI equipment for inquiring whether the message source address is repeated, the third SAVI equipment inquires a terminal corresponding to the source address, and sends a source address repetition message to the second SAVI equipment if the source address is repeated.
2. The method of claim 1, wherein the determining, by the first SAVI device, of a second SAVI device that records the SAVI binding instance storage information specifically includes:
and the first SAVI equipment obtains an address identifier through the HASH calculation of the message source address, and determines second SAVI equipment for recording the SAVI binding instance storage information according to the relationship between the address identifier and the SAVI equipment identifier.
3. The method of claim 2, wherein determining a second SAVI device that records the SAVI binding instance storage information according to a relationship between the address identifier and a SAVI device identifier specifically includes:
the first SAVI equipment determines that the second SAVI equipment is SAVI equipment with an SAVI equipment identification which is larger than the address identification and has the smallest difference with the address identification; or,
and the first SAVI equipment determines that the second SAVI equipment is the SAVI equipment with the SAVI equipment identification smaller than the address identification and the difference with the address identification is minimum.
4. The method of claim 2, wherein each SAVI device notifies other SAVI devices in a broadcast manner, the first SAVI device locally records each SAVI device identifier after receiving the broadcast notification of each SAVI device, and the SAVI device identifier is obtained by Hash calculation.
5. A source address repeatability detection apparatus, comprising: the device comprises a receiving module, a processing module and a sending module;
when the role of the source address repeatability detection device is used as a first SAVI device, the receiving module is used for receiving a message sent by a terminal; the processing module is used for determining second SAVI equipment for recording the storage information of the SAVI binding instance when the SAVI binding instance of the message source address is not stored locally; the sending module is used for sending a source address repeatability detection message for inquiring the existence information of the SAVI binding instance to the second SAVI device; the processing module is further configured to locally establish an SAVI binding instance for the source address when the source address repeat message is not received within a predetermined time, and otherwise not establish the SAVI binding instance for the source address;
when the role of the source address repeatability detection equipment serves as second SAVI equipment, the receiving module is used for receiving a source address repeatability detection message of the first SAVI equipment, wherein the source address repeatability detection message is used for inquiring the existence information of the SAVI binding instance; the processing module is configured to locally record information that the SAVI binding instance is stored in the first SAVI device when the information that the SAVI binding instance is stored is not locally recorded, and to locally record the information that the SAVI binding instance is stored in the first SAVI device if a source address duplicate message is not received within a predetermined time; the processing module is further configured to, when the storage information of the SAVI binding instance is locally recorded, determine, according to the storage information of the SAVI binding instance, that the SAVI device storing the SAVI binding instance is a third SAVI device; the sending module is configured to send a source address repetition detection message to the third SAVI device, the source address repetition detection message being used to query whether the message source address is repeated, and if a source address repetition message is received within a predetermined time, send the received source address repetition message to the first SAVI device;
when the role of the source address repeatability detection equipment is used as third SAVI equipment, the receiving module is used for receiving a source address repeatability detection message of second SAVI equipment; the processing module is used for inquiring the terminal corresponding to the source address; and the sending module is used for sending a source address repeat message to the second SAVI device when the source address is repeated.
6. The apparatus of claim 5,
when the role of the source address repeatability detection device serves as the first SAVI device, the processing module is specifically configured to calculate an address identifier through the message source address HASH, and determine, according to a relationship between the address identifier and the SAVI device identifier, a second SAVI device that records storage information of the SAVI binding instance.
7. The apparatus of claim 6,
when the role of the source address repeatability detection device serves as the first SAVI device, the processing module is further configured to determine that the second SAVI device recording the storage information of the SAVI binding instance is a SAVI device whose identifier is greater than the address identifier and whose difference from the address identifier is the smallest; or,
and determining that the second SAVI device recording the SAVI binding instance storage information is an SAVI device with a SAVI device identifier smaller than the address identifier and the difference with the address identifier being minimum.
8. The device of claim 6, wherein each SAVI device notifies other SAVI devices in a broadcast manner, and each SAVI device identifier is locally recorded after receiving the broadcast notification of each SAVI device, and is obtained by Hash calculation.
CN201110160169.XA 2011-06-15 2011-06-15 Source address repeatability detection method and equipment Active CN102201951B (en)

Publications (2)

Publication Number Publication Date
CN102201951A CN102201951A (en) 2011-09-28
CN102201951B true CN102201951B (en) 2014-06-25
