CN104811380A - Method for transmitting traffic-guiding routing information and cleaning apparatus - Google Patents


Publication number
CN104811380A
Authority
CN
China
Prior art keywords
router
address
routing information
cleaning equipment
network segment
Legal status
Granted
Application number
CN201410038368.7A
Other languages
Chinese (zh)
Other versions
CN104811380B (en)
Inventor
吴皓
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201410038368.7A
Publication of CN104811380A
Application granted
Publication of CN104811380B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application discloses a method for transmitting traffic-guiding routing information. The method is applied to a cleaning apparatus in a multi-protocol label switching virtual private network (MPLS VPN) and solves the problem that existing traffic-cleaning schemes cannot effectively defend against attack traffic in an MPLS VPN scenario. The method includes the following steps: the cleaning apparatus generates traffic-guiding routing information that carries an autonomous system (AS) number and the IP address of a protected node, where the AS number is the AS number of a first customer edge (CE) router connected to the network segment to which the protected node belongs; and the cleaning apparatus transmits the traffic-guiding routing information to the first CE router and a second CE router, so that the first CE router discards the traffic-guiding routing information according to the AS number and the external border gateway protocol (EBGP) loop-prevention mechanism, and the second CE router saves the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism. The invention also discloses a cleaning apparatus.

Description

A method for sending traffic-guiding routing information, and a cleaning apparatus
Technical field
The present invention relates to the field of communication technologies, and in particular to a method for sending traffic-guiding routing information and to a cleaning apparatus.
Background
In the prior art, when a network contains a protected node, a cleaning apparatus is usually deployed in bypass mode at the CE (Customer Edge) router of that network. Traffic whose destination IP address is the IP address of the protected node (hereinafter "protected traffic") is guided to the cleaning apparatus for cleaning, and the cleaned traffic is then re-injected toward the protected node, which protects the protected node. The "traffic-guiding process" and the "re-injection process" are the critical links in the whole traffic-cleaning procedure.
For example, the network shown in Fig. 1 comprises router 1 and router 2. Router 1 acts as the CE router and connects to the Internet, so attack traffic can enter the network through router 1. When no cleaning apparatus is deployed, attack traffic is forwarded by router 1 and router 2 and reaches the protected node directly, which greatly increases the probability that the protected node is attacked. Once a cleaning apparatus is deployed, it establishes an EBGP (External Border Gateway Protocol) neighbor relationship with router 1 and sends router 1 traffic-guiding routing information that contains the IP address of the protected node. Router 1 learns the traffic-guiding routing information, adds the learned route to its own routing table, and sets the next hop for protected traffic to the cleaning apparatus. When router 1 receives protected traffic, it applies the longest-match principle: from its own routing table it selects the route to the cleaning apparatus, which matches the most bits of the destination IP address of the protected traffic, as the next-hop route, and sends the protected traffic to the cleaning apparatus. This completes the "traffic-guiding process" of guiding protected traffic to the cleaning apparatus. After inspecting and cleaning the protected traffic, the cleaning apparatus establishes a tunnel connection to router 2 and sends the cleaned traffic to router 2. The destination IP address of the cleaned traffic is the same as that of the traffic before cleaning (both are the IP address of the protected node). Router 2 applies the longest-match principle: from its own routing table it selects the route to the protected node, which matches the most bits of the destination IP address of the cleaned traffic, as the next-hop route, and sends the cleaned traffic to the protected node. This completes the "re-injection process" of re-injecting the cleaned traffic to the protected node.
However, the prior-art cleaning apparatus can only be applied to the scenario of Fig. 1, in which the protected node is connected to the Internet through a CE router, and it only solves the problem of defending against attacks that come from the Internet. In an MPLS VPN (Multi-Protocol Label Switching Virtual Private Network) scenario that contains multiple CE routers, the cleaning procedure above cannot complete the re-injection process normally, so attack traffic in an MPLS VPN scenario cannot be defended against effectively.
Summary of the invention
Embodiments of the present application provide a method for sending traffic-guiding routing information and a cleaning apparatus, which solve the problem that the existing traffic-cleaning scheme cannot effectively defend against attack traffic in an MPLS VPN scenario.
In a first aspect, a method for sending traffic-guiding routing information is provided. The method is applied to a cleaning apparatus in a multi-protocol label switching virtual private network (MPLS VPN). The MPLS VPN further comprises at least two customer edge (CE) routers, and an External Border Gateway Protocol (EBGP) neighbor relationship exists between the cleaning apparatus and each CE router. The method comprises:
The cleaning apparatus generates traffic-guiding routing information that carries an autonomous system (AS) number and the IP address of a protected node, where the AS number is the AS number of the first CE router, to which the network segment containing the protected node is connected;
The cleaning apparatus sends the traffic-guiding routing information to the first CE router and a second CE router, so that the first CE router discards the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism, and the second CE router saves the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism.
With reference to the first aspect, in a first possible implementation of the first aspect, the cleaning apparatus generating the traffic-guiding routing information comprises:
The cleaning apparatus obtains the IP address of the protected node;
The cleaning apparatus determines the Border Gateway Protocol (BGP) routing information of the network segment to which the IP address of the protected node belongs;
The cleaning apparatus extracts the AS number from the AS-Path list attribute information in the BGP routing information of the network segment to which the IP address of the protected node belongs;
The cleaning apparatus generates the traffic-guiding routing information according to the IP address of the protected node and the AS number, where the traffic-guiding routing information contains the IP address of the protected node and the AS number.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the cleaning apparatus determining the BGP routing information of the network segment to which the IP address of the protected node belongs comprises:
The cleaning apparatus obtains the BGP routing information corresponding to each of the at least two CE routers, giving at least two pieces of BGP routing information;
The cleaning apparatus extracts, from each of the at least two pieces of BGP routing information, the network segment IP address that it contains;
The cleaning apparatus determines, according to the longest-match principle, that among the network segment IP addresses contained in the at least two pieces of BGP routing information, the one that matches the most bits of the IP address of the protected node is the network segment IP address to which the IP address of the protected node belongs;
The cleaning apparatus determines that the BGP routing information containing that network segment IP address is the BGP routing information of the network segment to which the IP address of the protected node belongs.
With reference to the first aspect, or the first or second possible implementation of the first aspect, in a third possible implementation of the first aspect, the first CE router discarding the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism comprises:
After the first CE router determines that the AS number is the same as its own AS number, the first CE router discards the traffic-guiding routing information;
The second CE router saving the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism comprises:
After the second CE router determines that the AS number is different from its own AS number, the second CE router saves the traffic-guiding routing information.
In a second aspect, a cleaning apparatus is provided. The cleaning apparatus is applied in a multi-protocol label switching virtual private network (MPLS VPN). The MPLS VPN further comprises at least two customer edge (CE) routers, and an External Border Gateway Protocol (EBGP) neighbor relationship exists between the cleaning apparatus and each CE router. The cleaning apparatus comprises:
A generation unit, configured to generate traffic-guiding routing information that carries an autonomous system (AS) number and the IP address of a protected node, where the AS number is the AS number of the first CE router, to which the network segment containing the protected node is connected;
A sending unit, configured to receive the traffic-guiding routing information from the generation unit and send it to the first CE router and a second CE router, so that the first CE router discards the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism, and the second CE router saves the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism.
With reference to the second aspect, in a first possible implementation of the second aspect, the generation unit comprises:
An obtaining subunit, configured to obtain the IP address of the protected node;
A determining subunit, configured to determine the Border Gateway Protocol (BGP) routing information of the network segment to which the IP address of the protected node belongs;
An extraction subunit, configured to extract the AS number from the AS-Path list attribute information in the BGP routing information of the network segment to which the IP address of the protected node belongs;
A generating subunit, configured to generate the traffic-guiding routing information according to the IP address of the protected node and the AS number, where the traffic-guiding routing information contains the IP address of the protected node and the AS number.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the determining subunit is specifically configured to:
Obtain the BGP routing information corresponding to each of the at least two CE routers, giving at least two pieces of BGP routing information; extract, from each of the at least two pieces of BGP routing information, the network segment IP address that it contains; determine, according to the longest-match principle, that among those network segment IP addresses the one that matches the most bits of the IP address of the protected node is the network segment IP address to which the IP address of the protected node belongs; and determine that the BGP routing information containing that network segment IP address is the BGP routing information of the network segment to which the IP address of the protected node belongs.
With reference to the second aspect, or the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, the EBGP loop-prevention mechanism comprises:
The mechanism by which the first CE router discards the traffic-guiding routing information after determining that the AS number is the same as its own AS number; and/or
The mechanism by which the second CE router saves the traffic-guiding routing information after determining that the AS number is different from its own AS number.
In a third aspect, a cleaning apparatus is provided. The cleaning apparatus is applied in a multi-protocol label switching virtual private network (MPLS VPN). The MPLS VPN further comprises at least two customer edge (CE) routers, and an External Border Gateway Protocol (EBGP) neighbor relationship exists between the cleaning apparatus and each CE router. The cleaning apparatus comprises:
A memory, configured to store program code;
A processor, configured to read the program code from the memory in order to: generate traffic-guiding routing information that carries an autonomous system (AS) number and the IP address of a protected node, where the AS number is the AS number of the first CE router, to which the network segment containing the protected node is connected;
A network interface, configured to send the traffic-guiding routing information to the first CE router and a second CE router, so that the first CE router discards the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism, and the second CE router saves the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism.
With reference to the third aspect, in a first possible implementation of the third aspect, the processor is specifically configured to:
Obtain the IP address of the protected node; determine the Border Gateway Protocol (BGP) routing information of the network segment to which the IP address of the protected node belongs; extract the AS number from the AS-Path list attribute information in that BGP routing information; and generate the traffic-guiding routing information according to the IP address of the protected node and the AS number, where the traffic-guiding routing information contains the IP address of the protected node and the AS number.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the processor is specifically configured to:
Obtain the BGP routing information corresponding to each of the at least two CE routers, giving at least two pieces of BGP routing information; extract, from each of the at least two pieces of BGP routing information, the network segment IP address that it contains; determine, according to the longest-match principle, that among those network segment IP addresses the one that matches the most bits of the IP address of the protected node is the network segment IP address to which the IP address of the protected node belongs; and determine that the BGP routing information containing that network segment IP address is the BGP routing information of the network segment to which the IP address of the protected node belongs.
With reference to the third aspect, or the first or second possible implementation of the third aspect, in a third possible implementation of the third aspect, the EBGP loop-prevention mechanism comprises:
The mechanism by which the first CE router discards the traffic-guiding routing information after determining that the AS number is the same as its own AS number; and/or
The mechanism by which the second CE router saves the traffic-guiding routing information after determining that the AS number is different from its own AS number.
In a fourth aspect, a multi-protocol label switching virtual private network (MPLS VPN) is provided, comprising:
The cleaning apparatus of any possible implementation of the second aspect (or the third aspect), a first CE router and a second CE router;
The second CE router, according to the saved traffic-guiding routing information, forwards traffic to the cleaning apparatus after receiving traffic whose destination IP address is the IP address of the protected node.
The embodiments of the present application have the following technical effects:
In the embodiments of the present application, the cleaning apparatus adds to the traffic-guiding routing information the AS number of the first CE router, to which the network segment containing the protected node is connected, and sends the traffic-guiding routing information to the CE routers with which it has an EBGP neighbor relationship. The first CE router therefore discards the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism, and the second CE router (that is, any CE router other than the first CE router) saves it according to the AS number and the EBGP loop-prevention mechanism. The second CE router thus learns the traffic-guiding routing information and can guide protected traffic to the cleaning apparatus for cleaning. At the same time, because the first CE router does not learn the traffic-guiding routing information, it can re-inject the cleaned traffic sent by the cleaning apparatus to the protected node. This solves the problem that the existing traffic-cleaning scheme cannot effectively defend against attack traffic in an MPLS VPN scenario, and allows a single cleaning apparatus to perform traffic cleaning, and so defend against attack traffic, in an MPLS VPN that contains multiple CE routers.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the prior-art application scenario;
Fig. 2 is a schematic diagram of an MPLS VPN containing multiple CE routers in the embodiments of the present application;
Fig. 3 is a flow chart of the method for sending traffic-guiding routing information in Embodiment 1 of the present application;
Fig. 4 is a detailed flow chart of step S101 in Embodiment 1 of the present application;
Fig. 5 is a schematic structural diagram of the cleaning apparatus in Embodiment 2 of the present application;
Fig. 6 is a schematic structural diagram of the cleaning apparatus in Embodiment 3 of the present application.
Detailed description of the embodiments
The embodiments of the present application provide a method for sending traffic-guiding routing information and a cleaning apparatus, which solve the technical problem that the prior-art cleaning apparatus cannot be applied in an MPLS VPN containing multiple attack nodes.
Before the embodiments are introduced, the reason why the existing traffic-cleaning scheme cannot effectively defend against attack traffic in an MPLS VPN scenario is analysed as follows:
The MPLS VPN shown in Fig. 2 includes four CE routers, CE1 to CE4. An attack node may exist in the network segment connected to any of these CE routers, so attack traffic can enter the MPLS VPN from any of CE1 to CE4 and attack a protected node in the network segment connected to another CE router (for example, attack traffic enters the MPLS VPN from CE2, CE3 or CE4 and attacks the protected node in the network segment connected to CE1).
If the prior-art cleaning apparatus is added to this MPLS VPN, it establishes EBGP neighbor relationships with CE1 to CE4 at the same time and sends traffic-guiding information (containing the IP address of the protected node) to each of CE1 to CE4, so that all of CE1 to CE4 learn the route by which protected traffic reaches the cleaning apparatus and set the next hop for protected traffic to the cleaning apparatus. When any of CE2 to CE4 receives protected traffic, it applies the longest-match principle, determines from its own routing table that the route matching the most bits of the IP address of the protected node is the route to the cleaning apparatus, and sends the attack traffic to the cleaning apparatus along that route. This completes the "traffic-guiding process".
However, when the cleaning apparatus sends the cleaned traffic to CE1, the route that CE1 selects from its own routing table under the longest-match principle, as matching the most bits of the destination IP address of the cleaned traffic, is still the route to the cleaning apparatus. CE1 therefore sends the cleaned traffic back to the cleaning apparatus, the "re-injection process" fails, and the protected node never receives the cleaned traffic.
To make the objectives, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present application without creative effort fall within the protection scope of the present invention.
First, the term "and/or" used herein only describes an association between associated objects and covers three relationships. For example, "A and/or B" can mean: A alone, both A and B, or B alone. The character "/" used herein generally indicates an "or" relationship between the objects before and after it.
Second, the term "cleaning apparatus" used herein may be a DDoS (Distributed Denial of Service) device or any other device with traffic detection and cleaning functions. The embodiments of the present application do not limit which specific device the cleaning apparatus is.
Third, the term "first CE router" used herein refers to the CE router to which the network segment containing the protected node is connected. The first CE router may be any CE router in the MPLS VPN that has an EBGP neighbor relationship with the cleaning apparatus. For example, in the MPLS VPN shown in Fig. 2, the first CE router is CE1.
Fourth, the term "second CE router" used herein refers to any CE router in the MPLS VPN other than the first CE router. The second CE router has an EBGP neighbor relationship with the cleaning apparatus. For example, in the MPLS VPN shown in Fig. 2, the second CE router is CE2, CE3 or CE4.
Embodiment 1
This embodiment provides a method for sending traffic-guiding routing information. The method is applied to a cleaning apparatus in an MPLS VPN; the MPLS VPN further comprises at least two CE routers, and the cleaning apparatus has an EBGP neighbor relationship with each CE router.
As shown in Fig. 3, the method comprises:
Step S101: the cleaning apparatus generates traffic-guiding routing information that carries an AS (Autonomous System) number and the IP address of the protected node, where the AS number is the AS number of the first CE router, to which the network segment containing the protected node is connected;
Step S102: the cleaning apparatus sends the traffic-guiding routing information to the first CE router and the second CE router, so that the first CE router discards the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism, and the second CE router saves the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism.
For example, as shown in Fig. 2, CE1, CE2, CE3 and CE4 are connected to the provider router P through their respective provider edge routers (not marked).
The IP address of the protected node is: 1.0.0.1;
The routing information of router 5 is: 1.0.0.0/24 AS-Path list(65005);
The BGP routing information of the network segment connected to CE1 is: 1.0.0.0/16 AS-Path list(65001);
The BGP routing information of the network segment connected to CE2 is: 2.0.0.0/16 AS-Path list(65002);
The BGP routing information of the network segment connected to CE3 is: 3.0.0.0/16 AS-Path list(65003);
The BGP routing information of the network segment connected to CE4 is: 4.0.0.0/16 AS-Path list(65004);
The protected node is located in the network segment 1.0.0.0/24 connected to router 5, and router 5 is located in the network segment 1.0.0.0/16 connected to CE1, so the protected node is also located in the network segment 1.0.0.0/16 connected to CE1.
The routing table of CE1 contains:
The BGP routing information of the network segment connected to CE2: 2.0.0.0/16 AS-Path list(65002);
The BGP routing information of the network segment connected to CE3: 3.0.0.0/16 AS-Path list(65003);
The BGP routing information of the network segment connected to CE4: 4.0.0.0/16 AS-Path list(65004);
And the routing information of router 5: 1.0.0.0/24 AS-Path list(65005);
So after CE1 receives network traffic, it can send the traffic to CE2, CE3, CE4 or router 5 according to the destination address of the traffic and its own routing table.
The routing table of CE2 contains:
The BGP routing information of the network segment connected to CE1: 1.0.0.0/16 AS-Path list(65001);
The BGP routing information of the network segment connected to CE3: 3.0.0.0/16 AS-Path list(65003);
The BGP routing information of the network segment connected to CE4: 4.0.0.0/16 AS-Path list(65004).
So after CE2 receives network traffic, it can send the traffic to CE1, CE3 or CE4 according to the destination address of the traffic and its own routing table.
The traffic-guiding routing information generated by the cleaning apparatus is: 1.0.0.1/32 AS-Path list(65001), which contains the AS number "65001" of CE1 and the IP address "1.0.0.1" of the protected node.
After step S102, CE1 has discarded the traffic-guiding routing information sent by the cleaning apparatus, according to the AS number in the traffic-guiding routing information and the EBGP loop-prevention mechanism, so this traffic-guiding routing information is not stored in CE1's own routing table. CE2 has saved the traffic-guiding routing information sent by the cleaning apparatus, according to the AS number in the traffic-guiding routing information and the EBGP loop-prevention mechanism (specifically, in CE2's own routing table). The routing table of CE2 now contains:
The BGP routing information of the network segment connected to CE1: 1.0.0.0/16 AS-Path list(65001);
The BGP routing information of the network segment connected to CE3: 3.0.0.0/16 AS-Path list(65003);
The BGP routing information of the network segment connected to CE4: 4.0.0.0/16 AS-Path list(65004); and
The traffic-guiding routing information of the cleaning apparatus: 1.0.0.1/32 AS-Path list(65001).
When to receive object IP address be the protected flow of " 1.0.0.1 " to CE2; CE2 is according to longest match principle; from the routing table of self, determine that the network segment IP address the longest with this object IP address (1.0.0.1) match bit array is the network segment IP address " 1.0.0.1/32 " in the drainage routing iinformation that cleaning equipment is corresponding; and determine that the route arriving cleaning equipment is down hop route, and protected flow is sent to cleaning equipment.
Further, equipment to be cleaned is to after attack flow cleaning, and flow after cleaning can be sent to CE1 by cleaning equipment, and wherein, after cleaning, the object IP address of flow is identical with the object IP address of attack traffic, is all the IP address " 1.0.0.1 " of protected node.
For example, the routing table of the cleaning device contains:
The BGP routing information of the network segment connected to CE1: 1.0.0.0/16 AS-Path list (65001);
The BGP routing information of the network segment connected to CE2: 2.0.0.0/16 AS-Path list (65002);
The BGP routing information of the network segment connected to CE3: 3.0.0.0/16 AS-Path list (65003);
The BGP routing information of the network segment connected to CE4: 4.0.0.0/16 AS-Path list (65004).
The cleaning device extracts the network segment IP addresses "1.0.0.0/16", "2.0.0.0/16", "3.0.0.0/16" and "4.0.0.0/16" from these four pieces of routing information in turn. According to the longest-match principle, it determines that, of these four network segment IP addresses, the one with the most bits matching "1.0.0.1" is "1.0.0.0/16", takes the corresponding CE1 as the next hop, and sends the cleaned traffic to CE1.
Further, CE1 applies the longest-match principle to its own routing table and determines that the network segment IP address with the most bits matching the destination IP address of the cleaned traffic is "1.0.0.0/24", from the routing information "1.0.0.0/24 AS-Path list (65005)" corresponding to Router 5. CE1 therefore takes the route to Router 5 as the next hop and sends the protected traffic to Router 5.
Further, the protected traffic is forwarded by Router 5 and finally reaches the protected node. The cleaned traffic is thus re-injected into the protected node, and attack traffic in the MPLS VPN scenario is defended against.
In this embodiment of the application, the cleaning device adds the AS number of the first CE router, which is connected to the network segment to which the protected node belongs, to the traffic-guiding routing information, and sends this information to the CE routers with which it has an EBGP neighbor relationship. The first CE router discards the traffic-guiding routing information according to this AS number and the EBGP loop-prevention mechanism, and the second CE router (that is, any CE router other than the first CE router) saves it according to this AS number and the EBGP loop-prevention mechanism. The second CE router thus learns the traffic-guiding routing information and can divert protected traffic to the cleaning device for cleaning. At the same time, because the first CE router does not learn the traffic-guiding routing information, it can re-inject the cleaned traffic sent by the cleaning device into the protected node. This solves the problem that existing traffic-cleaning schemes cannot effectively defend against attack traffic in an MPLS VPN scenario, and allows a single cleaning device to clean traffic in an MPLS VPN containing multiple CE routers and thereby defend against attack traffic.
Optionally, in this embodiment, as shown in Figure 4, step S101 comprises:
Step S201: the cleaning device obtains the IP address of the protected node;
Step S202: the cleaning device determines the BGP (Border Gateway Protocol) routing information of the network segment to which the IP address of the protected node belongs;
Step S203: the cleaning device extracts the AS number of the first CE router from the AS-Path list (Autonomous System Path list) attribute information in the BGP routing information of the network segment to which the IP address of the protected node belongs;
Step S204: the cleaning device generates the traffic-guiding routing information according to the IP address of the protected node and the AS number of the first CE router, wherein the traffic-guiding routing information contains the IP address of the protected node and the AS number of the first CE router.
For example, as shown in Figure 2, the cleaning device obtains the IP address "1.0.0.1" of the protected node. According to the longest-match principle, the cleaning device identifies, in its own routing table, the routing information with the most bits matching "1.0.0.1" as the BGP routing information to which "1.0.0.1" belongs. Here, that BGP routing information is the routing information of the network segment connected to CE1, "1.0.0.0/16 AS-Path list (65001)".
Further, the cleaning device extracts the AS number "65001" of CE1 from the AS-Path list attribute of "1.0.0.0/16 AS-Path list (65001)".
Further, the cleaning device generates the traffic-guiding routing information, which contains "1.0.0.1" and the AS number "65001" of CE1. In a specific implementation, the AS number "65001" of CE1 can be added to the AS-Path list attribute information of the traffic-guiding routing information, giving: 1.0.0.1/32 AS-Path list (65001).
Optionally, in this embodiment, step S202 comprises:
The cleaning device obtains the BGP routing information corresponding to each of the at least two CE routers, obtaining at least two pieces of BGP routing information;
The cleaning device extracts, from the at least two pieces of BGP routing information, the network segment IP address that each of them contains;
According to the longest-match principle, the cleaning device determines, from the network segment IP addresses contained in the at least two pieces of BGP routing information, the one with the most bits matching the IP address of the protected node as the network segment IP address to which the IP address of the protected node belongs;
The cleaning device determines the BGP routing information containing that network segment IP address as the BGP routing information of the network segment to which the IP address of the protected node belongs.
For example, before step S101, the cleaning device can receive:
The BGP routing information sent by CE1: 1.0.0.0/16 AS-Path list (65001);
The BGP routing information sent by CE2: 2.0.0.0/16 AS-Path list (65002);
The BGP routing information sent by CE3: 3.0.0.0/16 AS-Path list (65003);
The BGP routing information sent by CE4: 4.0.0.0/16 AS-Path list (65004).
The cleaning device learns these four pieces of routing information and stores them in its own routing table. It then extracts the network segment IP address of each of the four pieces of BGP routing information in turn, obtaining the four network segment IP addresses "1.0.0.0/16", "2.0.0.0/16", "3.0.0.0/16" and "4.0.0.0/16". According to the longest-match principle, the cleaning device determines that, of these four, the network segment IP address with the most bits matching "1.0.0.1" is "1.0.0.0/16", and takes the corresponding BGP routing information "1.0.0.0/16 AS-Path list (65001)" as the BGP routing information of the network segment to which the IP address of the protected node belongs.
Optionally, in this embodiment, the first CE router discarding the traffic-guiding routing information according to the AS number and the external BGP (EBGP) loop-prevention mechanism comprises:
After the first CE router determines that the AS number in the traffic-guiding routing information is the same as its own AS number, the first CE router discards the traffic-guiding routing information;
The second CE router saving the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism comprises:
After the second CE router determines that the AS number in the traffic-guiding routing information is not the same as its own AS number, the second CE router saves the traffic-guiding routing information.
For example: when CE1 determines that the AS number "65001" in the traffic-guiding routing information "1.0.0.1 AS-Path list (65001)" is the same as CE1's own AS number "65001", CE1 discards the traffic-guiding routing information. When CE2 determines that the AS number "65001" in the traffic-guiding routing information "1.0.0.1 AS-Path list (65001)" is not the same as CE2's own AS number "65002", CE2 learns the traffic-guiding routing information and saves it in its own routing table.
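The sequence in Embodiment one (steps S201 to S204, the EBGP loop-prevention decision at each CE router, and the resulting forwarding path) can be simulated as below. This is an added example, not code from the patent; the node labels `cleaner` and `Router5`, the cleaning device's AS number 65100 and the `allow_own_as` switch (modelling a CE router configured to accept routes that carry its own AS number) are assumptions.

```python
import ipaddress
from collections import namedtuple

# A route as written in the patent: prefix + AS-Path list, plus a next-hop label.
Route = namedtuple("Route", "prefix as_path next_hop")


def mk(prefix, as_path, next_hop):
    return Route(ipaddress.ip_network(prefix), tuple(as_path), next_hop)


def longest_match(table, dst):
    """Longest-match principle: the most specific prefix containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


class Node:
    def __init__(self, name, asn, routes, allow_own_as=False):
        self.name, self.asn = name, asn
        self.table = list(routes)
        self.allow_own_as = allow_own_as  # assumption: loop prevention relaxed

    def receive(self, route):
        """EBGP loop prevention: discard a route whose AS-Path has our own AS."""
        if self.asn in route.as_path and not self.allow_own_as:
            return False
        self.table.append(route)
        return True


def make_guiding_route(cleaner, protected_ip):
    """Steps S201-S204: build the /32 route carrying the first CE router's AS."""
    covering = longest_match(cleaner.table, protected_ip)      # S202
    if covering is None:
        raise LookupError("no BGP route covers " + protected_ip)
    # S203: with a one-entry AS-Path, as in the patent's example, this is the
    # first CE router's AS; taking the last entry in general is an assumption.
    first_ce_as = covering.as_path[-1]
    return mk(protected_ip + "/32", (first_ce_as,), cleaner.name)  # S204


def build_network(ce1_allow_own_as=False):
    """Topology of Figure 2 with the prefixes and AS numbers given in the text."""
    seg = {"CE1": ("1.0.0.0/16", 65001), "CE2": ("2.0.0.0/16", 65002),
           "CE3": ("3.0.0.0/16", 65003), "CE4": ("4.0.0.0/16", 65004)}

    def learned_by(me):
        return [mk(p, (a,), n) for n, (p, a) in seg.items() if n != me]

    nodes = {n: Node(n, a, learned_by(n)) for n, (p, a) in seg.items()}
    nodes["CE1"].allow_own_as = ce1_allow_own_as
    nodes["CE1"].table.append(mk("1.0.0.0/24", (65005,), "Router5"))
    # 65100 is a constructed AS number; the page gives none for the cleaner.
    nodes["cleaner"] = Node("cleaner", 65100, learned_by(None))
    return nodes


def advertise(nodes, protected_ip):
    """Send the guiding route to every CE router; report who saved it."""
    guiding = make_guiding_route(nodes["cleaner"], protected_ip)
    saved = {name: node.receive(guiding)
             for name, node in nodes.items() if name != "cleaner"}
    return guiding, saved


def trace(nodes, start, dst, max_hops=8):
    """Follow next hops from start; stops at an unmodelled node or max_hops."""
    path, cur = [start], start
    while cur in nodes and len(path) <= max_hops:
        route = longest_match(nodes[cur].table, dst)
        if route is None:
            break
        cur = route.next_hop
        path.append(cur)
    return path


if __name__ == "__main__":
    net = build_network()
    print(advertise(net, "1.0.0.1"))
    print(trace(net, "CE2", "1.0.0.1"))
```

With `ce1_allow_own_as=True`, CE1 also installs the /32 route and the cleaned traffic bounces between the cleaning device and CE1 instead of reaching the protected node, which is why the scheme depends on CE1 enforcing loop prevention.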
Embodiment two
Based on the same inventive concept, this embodiment provides a cleaning device applied in an MPLS VPN (Multi-Protocol Label Switching Virtual Private Network). The MPLS VPN also comprises at least two customer edge (CE) routers, and the cleaning device has an external BGP (EBGP) neighbor relationship with each CE router. As shown in Figure 5, the cleaning device comprises:
Generation unit 301, configured to generate traffic-guiding routing information, which carries an autonomous system (AS) number and the IP address of a protected node, the AS number being the AS number of the first CE router connected to the network segment to which the protected node belongs;
Sending unit 302, configured to receive the traffic-guiding routing information from generation unit 301 and send it to the first CE router and the second CE router, so that the first CE router discards the traffic-guiding routing information according to the AS number and the external BGP (EBGP) loop-prevention mechanism, and the second CE router saves the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism.
Optionally, in this embodiment, generation unit 301 comprises:
An obtaining subunit, configured to obtain the IP address of the protected node;
A determining subunit, connected to the obtaining subunit and configured to receive the IP address of the protected node and determine the Border Gateway Protocol (BGP) routing information of the network segment to which the IP address of the protected node belongs;
An extracting subunit, connected to the determining subunit and configured to receive the BGP routing information of the network segment to which the IP address of the protected node belongs, and to extract the AS number from the autonomous system path list (AS-Path list) attribute information in that BGP routing information;
A generating subunit, connected to the extracting subunit and configured to receive the IP address of the protected node and the AS number, and to generate the traffic-guiding routing information according to them, wherein the traffic-guiding routing information contains the IP address of the protected node and the AS number.
Optionally, in this embodiment, the determining subunit is specifically configured to:
Obtain the BGP routing information corresponding to each of the at least two CE routers, obtaining at least two pieces of BGP routing information; extract, from the at least two pieces of BGP routing information, the network segment IP address that each of them contains; according to the longest-match principle, determine, from those network segment IP addresses, the one with the most bits matching the IP address of the protected node as the network segment IP address to which the IP address of the protected node belongs; and determine the BGP routing information containing that network segment IP address as the BGP routing information of the network segment to which the IP address of the protected node belongs.
Optionally, in this embodiment, the EBGP loop-prevention mechanism comprises:
The mechanism by which the first CE router discards the traffic-guiding routing information after determining that the AS number is the same as its own AS number; and/or
The mechanism by which the second CE router saves the traffic-guiding routing information after determining that the AS number is not the same as its own AS number.
In this embodiment of the application, the cleaning device adds the AS number of the first CE router, which is connected to the network segment to which the protected node belongs, to the traffic-guiding routing information, and sends this information to the CE routers with which it has an EBGP neighbor relationship. The first CE router discards the traffic-guiding routing information according to this AS number and the EBGP loop-prevention mechanism, and the second CE router (that is, any CE router other than the first CE router) saves it according to this AS number and the EBGP loop-prevention mechanism. The second CE router thus learns the traffic-guiding routing information and can divert protected traffic to the cleaning device for cleaning. At the same time, because the first CE router does not learn the traffic-guiding routing information, it can re-inject the cleaned traffic sent by the cleaning device into the protected node. This solves the problem that existing traffic-cleaning schemes cannot effectively defend against attack traffic in an MPLS VPN scenario, and allows a single cleaning device to clean traffic in an MPLS VPN containing multiple CE routers and thereby defend against attack traffic.
Embodiment three
Based on the same inventive concept, this embodiment provides a cleaning device applied in an MPLS VPN (Multi-Protocol Label Switching Virtual Private Network). The MPLS VPN also comprises at least two customer edge (CE) routers, and the cleaning device has an external BGP (EBGP) neighbor relationship with each CE router. As shown in Figure 6, the cleaning device comprises:
Memory 410, configured to store program code;
Processor 420, configured to read the program code from the memory in order to: generate traffic-guiding routing information, which carries an autonomous system (AS) number and the IP address of a protected node, the AS number being the AS number of the first CE router connected to the network segment to which the protected node belongs;
Network interface 430, configured to send the traffic-guiding routing information to the first CE router and the second CE router, so that the first CE router discards the traffic-guiding routing information according to the AS number and the external BGP (EBGP) loop-prevention mechanism, and the second CE router saves the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism.
In a specific implementation, memory 410, processor 420 and network interface 430 are all connected to bus 440, so that memory 410 can exchange data with processor 420 and network interface 430.
Optionally, in this embodiment, processor 420 is specifically configured to:
Obtain the IP address of the protected node; determine the Border Gateway Protocol (BGP) routing information of the network segment to which the IP address of the protected node belongs; extract the AS number from the autonomous system path list (AS-Path list) attribute information in that BGP routing information; and generate the traffic-guiding routing information according to the IP address of the protected node and the AS number, wherein the traffic-guiding routing information contains the IP address of the protected node and the AS number.
Optionally, in this embodiment, processor 420 is specifically configured to:
Obtain the BGP routing information corresponding to each of the at least two CE routers, obtaining at least two pieces of BGP routing information; extract, from the at least two pieces of BGP routing information, the network segment IP address that each of them contains; according to the longest-match principle, determine, from those network segment IP addresses, the one with the most bits matching the IP address of the protected node as the network segment IP address to which the IP address of the protected node belongs; and determine the BGP routing information containing that network segment IP address as the BGP routing information of the network segment to which the IP address of the protected node belongs.
Optionally, in this embodiment, the EBGP loop-prevention mechanism comprises:
The mechanism by which the first CE router discards the traffic-guiding routing information after determining that the AS number is the same as its own AS number; and/or
The mechanism by which the second CE router saves the traffic-guiding routing information after determining that the AS number is not the same as its own AS number.
In this embodiment of the application, the cleaning device adds the AS number of the first CE router, which is connected to the network segment to which the protected node belongs, to the traffic-guiding routing information, and sends this information to the CE routers with which it has an EBGP neighbor relationship. The first CE router discards the traffic-guiding routing information according to this AS number and the EBGP loop-prevention mechanism, and the second CE router (that is, any CE router other than the first CE router) saves it according to this AS number and the EBGP loop-prevention mechanism. The second CE router thus learns the traffic-guiding routing information and can divert protected traffic to the cleaning device for cleaning. At the same time, because the first CE router does not learn the traffic-guiding routing information, it can re-inject the cleaned traffic sent by the cleaning device into the protected node. This solves the problem that existing traffic-cleaning schemes cannot effectively defend against attack traffic in an MPLS VPN scenario, and allows a single cleaning device to clean traffic in an MPLS VPN containing multiple CE routers and thereby defend against attack traffic.
Embodiment four
Based on the same inventive concept, as shown in Figure 2, this embodiment provides an MPLS VPN (Multi-Protocol Label Switching Virtual Private Network), comprising:
The cleaning device of embodiment two (or embodiment three);
At least two customer edge (CE) routers, for example a first CE router and a second CE router;
Wherein the cleaning device has an external BGP (EBGP) neighbor relationship with each CE router. The cleaning device can generate traffic-guiding routing information and send it to the first CE router and the second CE router. The traffic-guiding routing information carries an autonomous system (AS) number and the IP address of the protected node, the AS number being the AS number of the first CE router connected to the network segment to which the protected node belongs, so that the first CE router can discard the traffic-guiding routing information according to the AS number and the external BGP (EBGP) loop-prevention mechanism, and the second CE router can accept the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism.
Wherein the first CE router is the CE router connected to the network segment to which the protected node belongs. For example, in the MPLS VPN shown in Fig. 2, the first CE router is CE1.
Wherein the second CE router is any CE router in the MPLS VPN other than the first CE router. For example, in the MPLS VPN shown in Fig. 2, the second CE router is CE2, CE3 or CE4.
For example, as shown in Figure 2, CE1, CE2, CE3 and CE4 are each connected to the provider (P) router through their respective provider edge (PE) routers (not labelled).
The IP address of the protected node is: 1.0.0.1;
The routing information corresponding to Router 5 is: 1.0.0.0/24 AS-Path list (65005);
The BGP routing information of the network segment connected to CE1 is: 1.0.0.0/16 AS-Path list (65001);
The BGP routing information of the network segment connected to CE2 is: 2.0.0.0/16 AS-Path list (65002);
The BGP routing information of the network segment connected to CE3 is: 3.0.0.0/16 AS-Path list (65003);
The BGP routing information of the network segment connected to CE4 is: 4.0.0.0/16 AS-Path list (65004);
Wherein the protected node is located in the network segment "1.0.0.0/24" connected to Router 5, and Router 5 is located in the network segment "1.0.0.0/16" connected to CE1; that is, the protected node is also located in the network segment "1.0.0.0/16" connected to CE1.
Wherein the routing table of CE1 contains:
The BGP routing information of the network segment connected to CE2: 2.0.0.0/16 AS-Path list (65002);
The BGP routing information of the network segment connected to CE3: 3.0.0.0/16 AS-Path list (65003);
The BGP routing information of the network segment connected to CE4: 4.0.0.0/16 AS-Path list (65004);
And the routing information of Router 5: 1.0.0.0/24 AS-Path list (65005);
Thus, after CE1 receives network traffic, it can forward the traffic to CE2, CE3, CE4 or Router 5 according to the destination address of the traffic and its own stored routing table.
Wherein the routing table of CE2 contains:
The BGP routing information of the network segment connected to CE1: 1.0.0.0/16 AS-Path list (65001);
The BGP routing information of the network segment connected to CE3: 3.0.0.0/16 AS-Path list (65003);
The BGP routing information of the network segment connected to CE4: 4.0.0.0/16 AS-Path list (65004).
Thus, after CE2 receives network traffic, it can forward the traffic to CE1, CE3 or CE4 according to the destination address of the traffic and its own stored routing table.
The traffic-guiding routing information generated by the cleaning device is: 1.0.0.1/32 AS-Path list (65001), which contains the AS number "65001" of CE1 and the IP address "1.0.0.1" of the protected node.
Because CE1 has discarded the traffic-guiding routing information sent by the cleaning device, according to the AS number in that information and the EBGP loop-prevention mechanism, the information is not stored in CE1's own routing table. CE2 has saved the traffic-guiding routing information sent by the cleaning device, according to the AS number in that information and the EBGP loop-prevention mechanism (specifically, in CE2's own routing table). At this point, the routing table of CE2 contains:
The BGP routing information of the network segment connected to CE1: 1.0.0.0/16 AS-Path list (65001);
The BGP routing information of the network segment connected to CE3: 3.0.0.0/16 AS-Path list (65003);
The BGP routing information of the network segment connected to CE4: 4.0.0.0/16 AS-Path list (65004); and
The traffic-guiding routing information corresponding to the cleaning device: 1.0.0.1/32 AS-Path list (65001).
When CE2 receives protected traffic whose destination IP address is "1.0.0.1", CE2 applies the longest-match principle to its own routing table and determines that the network segment IP address with the most bits matching this destination IP address (1.0.0.1) is "1.0.0.1/32", from the traffic-guiding routing information corresponding to the cleaning device. CE2 therefore takes the route to the cleaning device as the next hop and sends the protected traffic to the cleaning device.
Further, after the cleaning device has cleaned the attack traffic, it can send the cleaned traffic to CE1. The destination IP address of the cleaned traffic is the same as that of the attack traffic: the IP address "1.0.0.1" of the protected node.
For example, the routing table of the cleaning device contains:
The BGP routing information of the network segment connected to CE1: 1.0.0.0/16 AS-Path list (65001);
The BGP routing information of the network segment connected to CE2: 2.0.0.0/16 AS-Path list (65002);
The BGP routing information of the network segment connected to CE3: 3.0.0.0/16 AS-Path list (65003);
The BGP routing information of the network segment connected to CE4: 4.0.0.0/16 AS-Path list (65004).
The cleaning device extracts the network segment IP addresses "1.0.0.0/16", "2.0.0.0/16", "3.0.0.0/16" and "4.0.0.0/16" from these four pieces of routing information in turn. According to the longest-match principle, it determines that, of these four network segment IP addresses, the one with the most bits matching "1.0.0.1" is "1.0.0.0/16", takes the corresponding CE1 as the next hop, and sends the cleaned traffic to CE1.
Further, CE1 applies the longest-match principle to its own routing table and determines that the network segment IP address with the most bits matching the destination IP address of the cleaned traffic is "1.0.0.0/24", from the routing information "1.0.0.0/24 AS-Path list (65005)" corresponding to Router 5. CE1 therefore takes the route to Router 5 as the next hop and sends the protected traffic to Router 5.
Further, the protected traffic is forwarded by Router 5 and finally reaches the protected node. The cleaned traffic is thus re-injected into the protected node, and attack traffic in the MPLS VPN scenario is defended against.
In this embodiment of the application, the cleaning device adds the AS number of the first CE router, which is connected to the network segment to which the protected node belongs, to the traffic-guiding routing information, and sends this information to the CE routers with which it has an EBGP neighbor relationship. The first CE router discards the traffic-guiding routing information according to this AS number and the EBGP loop-prevention mechanism, and the second CE router (that is, any CE router other than the first CE router) saves it according to this AS number and the EBGP loop-prevention mechanism. The second CE router thus learns the traffic-guiding routing information and can divert protected traffic to the cleaning device for cleaning. At the same time, because the first CE router does not learn the traffic-guiding routing information, it can re-inject the cleaned traffic sent by the cleaning device into the protected node. This solves the problem that existing traffic-cleaning schemes cannot effectively defend against attack traffic in an MPLS VPN scenario, and allows a single cleaning device to clean traffic in an MPLS VPN containing multiple CE routers and thereby defend against attack traffic.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they have learned the basic inventive concept. The appended claims are therefore intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. If these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (10)

1. A method for sending traffic-guiding routing information, applied to a cleaning device in a multi-protocol label switching virtual private network (MPLS VPN), characterized in that the MPLS VPN further comprises at least two customer edge (CE) routers, and the cleaning device has an external BGP (EBGP) neighbor relationship with each of the CE routers; the method comprises:
The cleaning device generates traffic-guiding routing information, which carries an autonomous system (AS) number and the IP address of a protected node, the AS number being the AS number of the first CE router connected to the network segment to which the protected node belongs;
The cleaning device sends the traffic-guiding routing information to the first CE router and a second CE router, so that the first CE router discards the traffic-guiding routing information according to the AS number and the external BGP (EBGP) loop-prevention mechanism, and the second CE router saves the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism.
2. The method according to claim 1, characterized in that the cleaning device generating the traffic-guiding routing information comprises:
The cleaning device obtains the IP address of the protected node;
The cleaning device determines the Border Gateway Protocol (BGP) routing information of the network segment to which the IP address of the protected node belongs;
The cleaning device extracts the AS number from the autonomous system path list (AS-Path list) attribute information in the BGP routing information of the network segment to which the IP address of the protected node belongs;
The cleaning device generates the traffic-guiding routing information according to the IP address of the protected node and the AS number, wherein the traffic-guiding routing information contains the IP address of the protected node and the AS number.
3. The method according to claim 2, characterized in that the cleaning apparatus determining the BGP routing information of the network segment to which the IP address of the protected node belongs comprises:
The cleaning apparatus obtains the BGP routing information corresponding to each of the at least two CE routers, obtaining at least two pieces of BGP routing information;
The cleaning apparatus extracts, from each of the at least two pieces of BGP routing information, the network segment IP address that it contains;
The cleaning apparatus, according to the longest-match principle, determines, from the network segment IP addresses contained in the at least two pieces of BGP routing information, the network segment IP address that matches the IP address of the protected node in the greatest number of bits as the network segment IP address to which the IP address of the protected node belongs;
The cleaning apparatus determines the BGP routing information that contains the network segment IP address to which the IP address of the protected node belongs as the BGP routing information of the network segment to which the IP address of the protected node belongs.
4. The method according to any one of claims 1 to 3, characterized in that the first CE router discarding the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism comprises:
After the first CE router determines that the AS number is the same as the AS number of the first CE router itself, the first CE router discards the traffic-guiding routing information;
The second CE router saving the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism comprises:
After the second CE router determines that the AS number is different from the AS number of the second CE router itself, the second CE router saves the traffic-guiding routing information.
5. A cleaning apparatus, applied in a multi-protocol label switching virtual private network (MPLS VPN), characterized in that the MPLS VPN further comprises at least two customer edge (CE) routers, and an External Border Gateway Protocol (EBGP) neighbor relationship exists between the cleaning apparatus and each of the CE routers; the cleaning apparatus comprises:
A generation unit, configured to generate traffic-guiding routing information, which carries an autonomous system (AS) number and the IP address of a protected node, the AS number being the AS number of a first CE router connected to the network segment to which the protected node belongs;
A sending unit, configured to receive the traffic-guiding routing information from the generation unit and send it to the first CE router and a second CE router, so that the first CE router discards the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism, and the second CE router saves the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism.
6. The cleaning apparatus according to claim 5, characterized in that the generation unit comprises:
An obtaining subunit, configured to obtain the IP address of the protected node;
A determining subunit, configured to determine the Border Gateway Protocol (BGP) routing information of the network segment to which the IP address of the protected node belongs;
An extracting subunit, configured to extract the AS number from the autonomous system path (AS-Path) list attribute information in the BGP routing information of the network segment to which the IP address of the protected node belongs;
A generating subunit, configured to generate the traffic-guiding routing information according to the IP address of the protected node and the AS number, wherein the traffic-guiding routing information comprises the IP address of the protected node and the AS number.
7. The cleaning apparatus according to claim 6, characterized in that the determining subunit is specifically configured to:
Obtain the BGP routing information corresponding to each of the at least two CE routers, obtaining at least two pieces of BGP routing information; extract, from each of the at least two pieces of BGP routing information, the network segment IP address that it contains; according to the longest-match principle, determine, from the network segment IP addresses contained in the at least two pieces of BGP routing information, the network segment IP address that matches the IP address of the protected node in the greatest number of bits as the network segment IP address to which the IP address of the protected node belongs; and determine the BGP routing information that contains the network segment IP address to which the IP address of the protected node belongs as the BGP routing information of the network segment to which the IP address of the protected node belongs.
8. The cleaning apparatus according to any one of claims 5 to 7, characterized in that the EBGP loop-prevention mechanism comprises:
A mechanism by which the first CE router discards the traffic-guiding routing information after determining that the AS number is the same as the AS number of the first CE router itself; and/or
A mechanism by which the second CE router saves the traffic-guiding routing information after determining that the AS number is different from the AS number of the second CE router itself.
9. A cleaning apparatus, applied in a multi-protocol label switching virtual private network (MPLS VPN), characterized in that the MPLS VPN further comprises at least two customer edge (CE) routers, and an External Border Gateway Protocol (EBGP) neighbor relationship exists between the cleaning apparatus and each of the CE routers; the cleaning apparatus comprises:
A memory, configured to store program code;
A processor, configured to read the program code from the memory to perform: generating traffic-guiding routing information, which carries an autonomous system (AS) number and the IP address of a protected node, the AS number being the AS number of a first CE router connected to the network segment to which the protected node belongs;
A network interface, configured to send the traffic-guiding routing information to the first CE router and a second CE router, so that the first CE router discards the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism, and the second CE router saves the traffic-guiding routing information according to the AS number and the EBGP loop-prevention mechanism.
10. A multi-protocol label switching virtual private network (MPLS VPN), characterized by comprising:
The cleaning apparatus according to any one of claims 5 to 8, a first CE router and a second CE router;
The second CE router, according to the saved traffic-guiding routing information, forwards traffic to the cleaning apparatus after receiving traffic whose destination IP address is the IP address of the protected node.
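The procedure in claims 1 to 4 can be followed in a small simulation, added here as an illustration and not taken from the patent: longest-prefix match selects the segment, its AS number is placed in the host route, and each CE router applies the EBGP AS-path loop check. The AS numbers, prefixes and router names are constructed, and two modelling assumptions are made: the segment's AS is read as the last (origin) entry of the AS-Path, and the cleaning apparatus prepends its own AS.

```python
import ipaddress
from dataclasses import dataclass, field

CLEANER_AS = 64999  # constructed private AS for the cleaning apparatus

@dataclass(frozen=True)
class BgpRoute:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # AS numbers, origin AS last

@dataclass
class CeRouter:
    name: str
    local_as: int
    rib: dict = field(default_factory=dict)

    def receive(self, route):
        """EBGP loop prevention: reject an update whose AS_PATH holds our own AS."""
        if self.local_as in route.as_path:
            return False
        self.rib[route.prefix] = route
        return True

def segment_route(protected_ip, learned):
    """Claim 3: longest-prefix match of the protected IP over the learned routes."""
    ip = ipaddress.ip_address(protected_ip)
    covering = [r for r in learned if ip in r.prefix]
    if not covering:
        raise LookupError(f"no learned segment covers {protected_ip}")
    return max(covering, key=lambda r: r.prefix.prefixlen)

def build_guiding_route(protected_ip, learned):
    """Claim 2: host route for the protected IP, tagged with the segment's AS."""
    origin_as = segment_route(protected_ip, learned).as_path[-1]  # assumption: origin AS
    host = ipaddress.ip_network(f"{protected_ip}/32")
    return BgpRoute(host, (CLEANER_AS, origin_as))  # assumption: own AS prepended

def advertise(route, routers):
    """Claim 1: send the same update to every CE; report which ones installed it."""
    return {ce.name: ce.receive(route) for ce in routers}

# Constructed sample topology and learned routes.
ce1, ce2 = CeRouter("CE1", 65001), CeRouter("CE2", 65002)
LEARNED = [
    BgpRoute(ipaddress.ip_network("10.1.0.0/16"), (65001,)),  # from CE1
    BgpRoute(ipaddress.ip_network("10.0.0.0/8"), (65002,)),   # from CE2, less specific
    BgpRoute(ipaddress.ip_network("10.2.0.0/16"), (65002,)),  # from CE2
]

if __name__ == "__main__":
    guiding = build_guiding_route("10.1.5.9", LEARNED)
    print(guiding, advertise(guiding, [ce1, ce2]))
```

Only CE2 installs the /32, so traffic for the protected node that enters through CE2 is forwarded to the cleaning apparatus, while CE1 keeps its original route and can deliver the cleaned traffic without a loop.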
CN201410038368.7A 2014-01-26 2014-01-26 Method for transmitting traffic-guiding routing information and cleaning apparatus Active CN104811380B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410038368.7A CN104811380B (en) 2014-01-26 2014-01-26 A kind of method and cleaning equipment sending drainage routing iinformation

Publications (2)

Publication Number Publication Date
CN104811380A true CN104811380A (en) 2015-07-29
CN104811380B CN104811380B (en) 2018-08-14

Family

ID=53695889

Country Status (1)

Country Link
CN (1) CN104811380B (en)

Also Published As

Publication number Publication date
CN104811380B (en) 2018-08-14

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant