CN106302461B - Method and device for checking validity of flow strategy - Google Patents


Info

Publication number
CN106302461B
Authority
CN
China
Prior art keywords
destination address
route
traffic
unicast
changed
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610677411.3A
Other languages
Chinese (zh)
Other versions
CN106302461A (en
Inventor
朱超鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201610677411.3A
Publication of CN106302461A
Application granted
Publication of CN106302461B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the invention provides a method for checking the validity of a traffic policy (flow strategy). The method is applied to any network device and comprises the following steps: when any unicast route changes, identifying, from the destination addresses corresponding to the locally stored traffic policies, each destination address that has an inclusion or included relationship with the destination address of the changed unicast route; and determining each traffic policy corresponding to each identified destination address, and performing a validity check on each of those traffic policies. The embodiment can improve the efficiency of checking the validity of traffic policies, save system resources and ensure the normal operation of a client.

Description

Method and device for checking validity of flow strategy
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for checking validity of a traffic policy.
Background
The traffic policy (Flow Specification) can precisely match attack traffic (by source address, destination address, port, source port, destination port, protocol type, etc.) and offers several actions to apply to that traffic, such as discarding, rate limiting and traffic redirection. It is an effective method of defending against denial of service (DoS) and distributed denial of service (DDoS) attacks.
With the help of the multi-protocol extension capability of BGP (Border Gateway Protocol), a traffic policy can easily be distributed to each device configured with BGP in order to limit the traffic that initiates a DoS/DDoS attack.
When a network device uses a traffic policy to perform traffic matching control for a specific destination address, a validity check of the destination address is required to determine the legitimacy and validity of the traffic policy. Traffic policies that fail the legitimacy check do not take effect.
Specifically, after receiving a traffic policy with destination address D sent by a neighbor, a network device first needs to check whether that neighbor has issued a unicast route A whose destination address includes the destination address D; this ensures that the intercepted traffic would originally have reached that neighbor. Second, no other neighbor may have issued a unicast route B whose destination address is contained in the destination address of unicast route A or in destination address D; this ensures that the intercepted traffic is not destined for other neighbors.
The fact that the destination address of the unicast route A includes the destination address D means that the destination address D is a subnet of the destination address of the unicast route A. The fact that the destination address of the unicast route B is contained in the destination address of the unicast route A means that the destination address of the unicast route B is a subnet of the destination address of the unicast route A; the fact that the destination address of the unicast route B is contained in the destination address D means that the destination address of the unicast route B is a subnet of the destination address D.
From the perspective of the validity check rule, if any unicast route locally stored by the network device changes, the validity check result of a traffic policy may change. Therefore, the prior art performs the validity check again on all traffic policies each time a unicast route changes.
However, in practical applications, the network device may locally maintain a large number of unicast routes and traffic policies. When any unicast route changes, the device needs to traverse and query the whole unicast routing table and check all traffic policies for validity again. This takes a long time and consumes a large amount of the network device's memory during that time, which degrades the performance of the network device and affects the client's normal services.
Disclosure of Invention
The embodiments of the invention aim to provide a method and a device for checking the validity of a traffic policy, so as to improve the efficiency of the validity check, save system resources and ensure the normal operation of a client. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present invention provides a method for checking the validity of a traffic policy, where the method is applied to any network device and includes:
when any unicast route changes, identifying, from the destination addresses corresponding to the locally stored traffic policies, a destination address having an inclusion or included relationship with the destination address of the changed unicast route;
and determining each traffic policy corresponding to each identified destination address, and performing a validity check on each of those traffic policies.
In a second aspect, an embodiment of the present invention provides an apparatus for checking the validity of a traffic policy, where the apparatus is applied to any network device and includes:
an identification module, configured to identify, when any unicast route changes, a destination address having an inclusion or included relationship with the destination address of the changed unicast route from the destination addresses corresponding to the locally stored traffic policies;
and a processing module, configured to determine each traffic policy corresponding to each identified destination address and perform a validity check on each of those traffic policies.
When any unicast route changes, the network device can identify, from the destination addresses corresponding to all locally stored traffic policies, a destination address that has an inclusion or included relationship with the destination address of the changed unicast route; it can then determine each traffic policy corresponding to each identified destination address and check only the determined traffic policies for validity. Compared with the prior art, when a unicast route changes there is no need to check the validity of all locally stored traffic policies, so the efficiency of the validity check can be improved, system resources are saved, and the normal service of a client is ensured.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are obviously only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for checking validity of a traffic policy according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of an apparatus for checking validity of a traffic policy according to an embodiment of the present invention.
Detailed Description
In order to improve the efficiency of checking the validity of a traffic policy, save system resources, and ensure the normal business of a client, the embodiments of the invention provide a method and a device for checking the validity of a traffic policy.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to improve the efficiency of checking the validity of a traffic policy, save system resources, and ensure the normal business of a client, an embodiment of the present invention provides a method for checking the validity of a traffic policy. As shown in Fig. 1, the process may include the following steps:
S101: when any unicast route changes, identify, from the destination addresses corresponding to the locally stored traffic policies, the destination address that has an inclusion or included relationship with the destination address of the changed unicast route.
In the embodiment of the invention, the network device can locally store a plurality of unicast routes and a plurality of traffic policies. And, the network device may locally store the destination address corresponding to each traffic policy. For example, the network device may store the correspondence between each traffic policy and the destination address through a locally stored radix tree.
Specifically, when the network device receives the traffic policy for the first time, the destination address D corresponding to the traffic policy may be stored in the radix tree, and an association relationship is established between the node of the destination address D in the radix tree and the traffic policy. Because different traffic policies can correspond to the same destination address D, one node in the radix tree can correspond to multiple traffic policies. When multiple traffic policies correspond to a node in the radix tree, the multiple traffic policies can be stored in a linked list or the like.
The biggest advantage of the radix tree storage structure is that it is easy to determine whether a queried network segment address is contained by a node in the radix tree. Therefore, storing the correspondence between each traffic policy and its destination address in a radix tree can improve the query speed of the network device.
Each traffic policy may be a traffic policy that has been subjected to validity check. The validity check result of each traffic policy may be a pass validity check or a fail validity check.
In practical applications, the unicast routes maintained locally by the network device may change. After a unicast route changes, the validity check results of the locally stored traffic policies may be affected.
Therefore, in the embodiment of the present invention, the network device may detect whether there is a unicast route change, and if so, the network device may further perform a validity check again on the traffic policy whose validity check result may change.
The two principles of the validity check of a traffic policy are as follows. First, after receiving a traffic policy with a destination address D sent by a first neighbor, a first network device needs to check whether the first neighbor has issued a unicast route A whose destination address includes the destination address D. Second, neighbors of the first network device other than the first neighbor must not have issued a unicast route B whose destination address is contained in the destination address of unicast route A or in destination address D.
The fact that the destination address of the unicast route A includes the destination address D means that the destination address D is a subnet of the destination address of the unicast route A. The fact that the destination address of the unicast route B is contained in the destination address of the unicast route A means that the destination address of the unicast route B is a subnet of the destination address of the unicast route A; the fact that the destination address of the unicast route B is contained in the destination address D means that the destination address of the unicast route B is a subnet of the destination address D.
That is, when any unicast route changes, the validity check result may change for a traffic policy whose destination address has an inclusion or included relationship with the changed unicast route.
Therefore, in the embodiment of the present invention, after any unicast route is changed, the network device may identify, from among destination addresses corresponding to the locally stored traffic policies, a destination address having an inclusion or included relationship with the destination address of the changed unicast route.
For example, the network device may determine whether a destination address corresponding to a certain traffic policy is a subnet of the changed unicast route, and if so, determine that the destination address is included in the destination address of the changed unicast route, that is, there is an included relationship with the destination address of the changed unicast route.
And, the network device may determine whether the changed unicast route is a subnet of a destination address corresponding to a certain traffic policy, and if so, determine that the destination address contains the destination address of the changed unicast route, that is, there is an inclusion relationship with the destination address of the changed unicast route.
When the network device stores the corresponding relationship between each traffic policy and the destination address through the locally stored radix tree, it can determine the destination address having an inclusion or included relationship with the destination address of the changed unicast route by using the radix tree.
S102: determine each traffic policy corresponding to each identified destination address, and perform a validity check on each of those traffic policies.
After identifying each destination address having an inclusion or included relationship with the destination address of the changed unicast route, the network device may further determine each traffic policy corresponding to each identified destination address, and perform validity check on each traffic policy.
For example, when the network device stores the correspondence between each traffic policy and its destination address in the locally stored radix tree, if the destination address of the changed unicast route B has an inclusion or included relationship with a certain destination address D in the radix tree, that is, the destination address D is a subnet of the destination address of the unicast route B, or the destination address of the unicast route B is a subnet of the destination address D, the validity check must be performed again on all the traffic policies corresponding to the destination address D. For other traffic policies, the validity check ends directly and the validity check result remains unchanged.
In practical applications, one destination address may correspond to a plurality of traffic policies. That is, in the embodiment of the present invention, after the network device identifies each destination address, it may further determine all traffic policies corresponding to each destination address.
A traffic policy corresponding to a destination address that has an inclusion or included relationship with the destination address of the changed unicast route is a traffic policy whose validity check result may change. For a traffic policy corresponding to a destination address that has no inclusion or included relationship with the destination address of the changed unicast route, the validity check result does not change.
Therefore, the network device can perform the validity check again on the traffic policy corresponding to the destination address having the inclusion or included relationship with the destination address of the changed unicast route, so as to ensure the accuracy of the validity check result of each locally stored traffic policy.
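The following is an added example, not code from the patent or from any vendor implementation, of steps S101 and S102 together with the two validity rules stated above. A binary prefix trie stands in for the radix tree; the names `PolicyIndex`, `related`, `validate` and `on_route_change`, the neighbors and the prefixes are constructed for illustration, the "optimal route" is assumed to be the longest matching prefix from the policy's neighbor, and an equal prefix is treated as contained.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:                      # unicast route issued by one neighbor
    prefix: ipaddress.IPv4Network
    neighbor: str

@dataclass
class Policy:                     # traffic policy received from one neighbor
    name: str
    dest: ipaddress.IPv4Network   # destination address D
    neighbor: str
    valid: bool = False

class _Node:
    def __init__(self):
        self.children = [None, None]
        self.policies = []        # several policies may share one destination

class PolicyIndex:
    """Binary prefix trie keyed on policy destination addresses."""
    def __init__(self):
        self.root = _Node()

    @staticmethod
    def _bits(net):
        addr, width = int(net.network_address), net.max_prefixlen
        return [(addr >> (width - 1 - i)) & 1 for i in range(net.prefixlen)]

    def add(self, policy):
        node = self.root
        for b in self._bits(policy.dest):
            if node.children[b] is None:
                node.children[b] = _Node()
            node = node.children[b]
        node.policies.append(policy)

    def related(self, prefix):
        """S101: policies whose D contains, equals or is contained in prefix."""
        found, node = [], self.root
        for b in self._bits(prefix):
            found.extend(node.policies)   # shorter prefixes on the path contain it
            node = node.children[b]
            if node is None:
                return found
        stack = [node]                    # equal prefix and everything below it
        while stack:
            n = stack.pop()
            found.extend(n.policies)
            stack.extend(c for c in n.children if c is not None)
        return found

def validate(policy, routes):
    """The two validity rules, with route A assumed to be the longest match."""
    own = [r for r in routes
           if r.neighbor == policy.neighbor and policy.dest.subnet_of(r.prefix)]
    if not own:                           # rule 1: neighbor issued no route A
        return False
    a = max(own, key=lambda r: r.prefix.prefixlen)
    # rule 2: no other neighbor issued a route B contained in A or in D
    return not any(r.neighbor != policy.neighbor and
                   (r.prefix.subnet_of(a.prefix) or r.prefix.subnet_of(policy.dest))
                   for r in routes)

def on_route_change(index, routes, changed_prefix):
    """S102: re-check only the related policies; return the names re-checked."""
    affected = index.related(changed_prefix)
    for p in affected:
        p.valid = validate(p, routes)
    return sorted(p.name for p in affected)

def demo():
    net = ipaddress.ip_network
    # Constructed routing table and policies
    routes = [Route(net("10.1.0.0/16"), "N1"), Route(net("172.16.0.0/12"), "N2")]
    policies = [Policy("p1", net("10.1.2.0/24"), "N1"),
                Policy("p2", net("10.1.0.0/16"), "N1"),
                Policy("p3", net("172.16.5.0/24"), "N2"),
                Policy("p4", net("10.1.2.0/26"), "N1")]
    index = PolicyIndex()
    for p in policies:
        index.add(p)
        p.valid = validate(p, routes)
    before = {p.name: p.valid for p in policies}
    # Constructed change: N2 issues a more specific route inside 10.1.0.0/16
    routes.append(Route(net("10.1.2.0/25"), "N2"))
    rechecked = on_route_change(index, routes, net("10.1.2.0/25"))
    after = {p.name: p.valid for p in policies}
    return before, rechecked, after

if __name__ == "__main__":
    print(demo())
```

The lookup selects policies by comparing the changed prefix with D only, as S101 describes; a changed route that lies inside route A but is disjoint from D is not returned by `related()`.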
The embodiment of the invention provides a method for checking the validity of a traffic policy. When any unicast route changes, the network device can identify, from the destination addresses corresponding to all locally stored traffic policies, a destination address that has an inclusion or included relationship with the destination address of the changed unicast route; it can then determine each traffic policy corresponding to each identified destination address and check only the determined traffic policies for validity. Compared with the prior art, when a unicast route changes there is no need to check the validity of all locally stored traffic policies, so the efficiency of the validity check can be improved, system resources are saved, and the normal service of a client is ensured.
Further, in the embodiment of the present invention, after determining that any unicast route has changed, the network device needs to identify, from the destination addresses corresponding to the locally stored traffic policies, a destination address having an inclusion or included relationship with the destination address of the changed unicast route; for example, the network device may identify it in the correspondence between traffic policies and destination addresses stored in a local radix tree. Therefore, when the network device receives a traffic policy sent by a neighbor, the network device may locally store the destination address corresponding to the traffic policy.
In addition, in practical applications, not every traffic policy corresponding to a destination address that has an inclusion or included relationship with the changed unicast route needs to have the validity check performed again.
It will be appreciated that the validity check result of a traffic policy sent by any neighbor to the network device is related to the unicast routes sent by that neighbor to the network device. Specifically, it is related to the optimal route, among the unicast routes sent by that neighbor to the network device, whose destination address includes the destination address corresponding to the traffic policy.
Therefore, in the embodiment of the present invention, in order to accurately determine a traffic policy that needs to be subjected to validity check, after the network device receives a traffic policy sent by a neighbor, the network device may further identify, in a unicast route sent by the neighbor, an optimal route whose destination address includes a destination address corresponding to the traffic policy, and determine the optimal route as the optimal route corresponding to the traffic policy.
Further, after identifying each destination address that has an inclusion or included relationship with the destination address of the changed unicast route and determining each traffic policy corresponding to each such destination address, the network device handles a traffic policy that has not passed the validity check as follows: when the changed unicast route changes from a preferred route to a non-preferred route, the unicast route and the optimal route corresponding to the traffic policy come from different neighbors, and the destination address of the optimal route includes the destination address of the changed unicast route, or the destination address of the changed unicast route includes the destination address corresponding to the traffic policy, the validity check is performed on the traffic policy.
Alternatively, when the unicast route changes from a non-preferred route to a preferred route, the unicast route and the optimal route corresponding to the traffic policy come from the same neighbor, and the destination address of the optimal route includes the destination address of the changed unicast route, or the destination address of the changed unicast route includes the destination address corresponding to the traffic policy and the optimal route corresponding to the traffic policy is empty, the validity check is performed on the traffic policy.
It will be appreciated that a traffic policy may fail the validity check because the neighbor that issued the traffic policy did not issue a unicast route containing the destination address of the traffic policy, or because other neighbors issued more specific unicast routes containing the destination address.
Therefore, consider a traffic policy that failed the validity check because other neighbors issued more specific unicast routes containing the destination address corresponding to the traffic policy. When the changed unicast route changes from a preferred route to a non-preferred route, the unicast route and the optimal route corresponding to the traffic policy come from different neighbors, and the destination address of the optimal route contains the destination address of the changed unicast route, or the destination address of the changed unicast route contains the destination address corresponding to the traffic policy, the unicast route containing the destination address that was previously issued by the other neighbor may have changed, and the route issued by the neighbor that issued the traffic policy may become the optimal route containing the destination address. The traffic policy may therefore pass the validity check, and the validity check needs to be performed on it again.
Consider next a traffic policy that failed the validity check because the neighbor issuing the traffic policy had not issued a unicast route including the destination address corresponding to the traffic policy, or because the unicast routes issued by that neighbor do not include an optimal route including the destination address. When the changed unicast route becomes a non-optimal route, the unicast route and the optimal route corresponding to the traffic policy come from the same neighbor, and the destination address of the optimal route includes the destination address of the changed unicast route, or the destination address of the changed unicast route includes the destination address corresponding to the traffic policy and the optimal route corresponding to the traffic policy is empty, there may now be an optimal route issued by the neighbor that includes the destination address. The traffic policy may therefore pass the validity check, and the validity check needs to be performed on it again.
Similarly, for a traffic policy that has passed the validity check, a change in a unicast route may change the validity check result of the traffic policy.
For a traffic policy that has passed the validity check, when the unicast route before the change is the optimal route corresponding to the traffic policy and the unicast route changes from a preferred route to a non-preferred route, there may no longer be an optimal route including the destination address corresponding to the traffic policy.
When the unicast route changes from a non-preferred route to a preferred route, the destination address of the optimal route corresponding to the traffic policy contains the destination address of the changed unicast route, and the destination address of the changed unicast route contains the destination address corresponding to the traffic policy; or when the destination address corresponding to the traffic policy contains the destination address of the changed unicast route, there may be no optimal route containing the destination address corresponding to the traffic policy, and therefore the validity check needs to be performed on the traffic policy again.
Specifically, when the unicast route is changed from the non-preferred route to the preferred route, the destination address of the optimal route corresponding to the traffic policy includes the destination address of the changed unicast route, the destination address of the changed unicast route includes the destination address corresponding to the traffic policy, and when the optimal route corresponding to the traffic policy and the unicast route are from the same neighbor, the optimal route corresponding to the traffic policy may be updated to the changed unicast route, and the traffic policy is kept to still pass the validity check; when the optimal route corresponding to the traffic policy and the unicast route are from different neighbors, it indicates that there is a more specific unicast route issued by other neighbors and containing the destination address corresponding to the traffic policy, and at this time, the traffic policy does not pass the validity check.
When the unicast route is changed from the non-preferred route to the preferred route, the destination address corresponding to the traffic policy contains the destination address of the changed unicast route, and when the optimal route corresponding to the traffic policy and the unicast route are from different neighbors, it indicates that there is a more specific unicast route issued by other neighbors and containing the destination address corresponding to the traffic policy, and at this time, the traffic policy does not pass the validity check.
Corresponding to the above method embodiment, the embodiment of the present invention also provides a corresponding device embodiment.
Fig. 2 shows a device for checking the validity of a traffic policy according to an embodiment of the present invention, which is applied to any network device and includes:
an identifying module 210, configured to identify, when any unicast route changes, a destination address having an inclusion or included relationship with a destination address of the changed unicast route, from destination addresses corresponding to locally stored traffic policies;
the processing module 220 is configured to determine each traffic policy corresponding to each identified destination address, and perform validity check on each traffic policy.
The embodiment of the invention provides a device for checking the validity of a traffic policy. When any unicast route changes, the network device can identify, from the destination addresses corresponding to all locally stored traffic policies, a destination address that has an inclusion or included relationship with the destination address of the changed unicast route; it can then determine each traffic policy corresponding to each identified destination address and check only the determined traffic policies for validity. Compared with the prior art, when a unicast route changes there is no need to check the validity of all locally stored traffic policies, so the efficiency of the validity check can be improved, system resources are saved, and the normal service of a client is ensured.
Further, the apparatus further comprises:
a storage module (not shown in the figure), configured to, when receiving a traffic policy sent by a neighbor, locally store a destination address corresponding to the traffic policy;
and a determining module (not shown in the figure) configured to identify, in the routes sent by the neighbors, an optimal route whose destination address includes the destination address corresponding to the traffic policy, and determine the optimal route as the optimal route corresponding to the traffic policy.
Further, the processing module 220 is specifically configured to, for a traffic policy that has not passed the validity check, perform the validity check on the traffic policy when the unicast route changes from a preferred route to a non-preferred route, the unicast route and the optimal route corresponding to the traffic policy come from different neighbors, and the destination address of the optimal route includes the destination address of the changed unicast route, or the destination address of the changed unicast route includes the destination address corresponding to the traffic policy;
and to perform the validity check on the traffic policy when the unicast route changes from a non-preferred route to a preferred route, the unicast route and the optimal route corresponding to the traffic policy come from the same neighbor, and the destination address of the optimal route includes the destination address of the changed unicast route, or the destination address of the changed unicast route includes the destination address corresponding to the traffic policy and the optimal route corresponding to the traffic policy is empty.
Further, the processing module 220 is specifically configured to, for a traffic policy that has passed the validity check, perform the validity check on the traffic policy when the unicast route before the change is the optimal route corresponding to the traffic policy and the unicast route changes from a preferred route to a non-preferred route;
and to perform the validity check on the traffic policy when the unicast route changes from a non-preferred route to a preferred route, the destination address of the optimal route corresponding to the traffic policy contains the destination address of the changed unicast route, and the destination address of the changed unicast route contains the destination address corresponding to the traffic policy; or when the destination address corresponding to the traffic policy contains the destination address of the changed unicast route.
Further, the processing module is further configured to, when the unicast route is changed from the non-preferred route to the preferred route, the destination address of the optimal route corresponding to the traffic policy includes the destination address of the changed unicast route, the destination address of the changed unicast route includes the destination address corresponding to the traffic policy, and the optimal route corresponding to the traffic policy and the unicast route are from the same neighbor, update the optimal route corresponding to the traffic policy to the changed unicast route.
Further, the network device stores the corresponding relationship between each traffic policy and the destination address through a locally stored radix tree.
Since the device embodiment is basically similar to the method embodiment, it is described only briefly; for the relevant points, refer to the corresponding parts of the description of the method embodiment.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, it is described only briefly; for the relevant points, reference may be made to the corresponding parts of the description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
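The lookup the embodiments rely on, finding the stored traffic-policy destination addresses that contain or are contained in the destination of a changed unicast route, can be sketched as follows. This is an added example, not code from the patent: it uses an uncompressed binary trie (the simplest form of radix tree), handles IPv4 only, leaves the validity check itself out, and the class, function and policy names and all prefixes are constructed for illustration.

```python
import ipaddress


class PolicyTrie:
    """Binary trie over IPv4 prefix bits; a node holds the policies for its prefix."""

    def __init__(self):
        self.root = self._node()

    @staticmethod
    def _node():
        return {"kids": [None, None], "policies": []}

    @staticmethod
    def _bits(prefix):
        net = ipaddress.IPv4Network(prefix)
        value = int(net.network_address)
        return [(value >> (31 - i)) & 1 for i in range(net.prefixlen)]

    def add(self, prefix, policy):
        node = self.root
        for bit in self._bits(prefix):
            if node["kids"][bit] is None:
                node["kids"][bit] = self._node()
            node = node["kids"][bit]
        node["policies"].append(policy)

    def related(self, route_prefix):
        """Policies whose destination contains, equals or lies inside route_prefix."""
        found, node = [], self.root
        for bit in self._bits(route_prefix):
            found.extend(node["policies"])   # shorter prefix: contains the route
            node = node["kids"][bit]
            if node is None:
                return found
        stack = [node]                        # equal or longer: inside the route
        while stack:
            node = stack.pop()
            found.extend(node["policies"])
            stack.extend(kid for kid in node["kids"] if kid is not None)
        return found


def build_sample():
    # Constructed policies and prefixes (private and documentation ranges).
    trie = PolicyTrie()
    for name, dest in [("p1", "10.1.0.0/16"), ("p2", "10.1.2.0/24"),
                       ("p3", "10.2.0.0/16"), ("p4", "10.0.0.0/8"),
                       ("p5", "192.0.2.0/24")]:
        trie.add(dest, name)
    return trie


def policies_to_recheck(trie, changed_route):
    """Names of the policies a change to changed_route makes worth re-validating."""
    return sorted(trie.related(changed_route))
```

A change to 10.1.0.0/16 selects p1, p2 and p4 and leaves p3 and p5 untouched, which is the saving over re-validating every stored policy on every route change.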

Claims (12)

1. A method for checking the validity of a traffic policy, applied to any network device, the method comprising the following steps:
when any unicast route changes, identifying a destination address having an inclusion or included relationship with the destination address of the changed unicast route from destination addresses corresponding to each locally-stored traffic policy;
and determining each traffic policy corresponding to each identified destination address, and carrying out validity check on each traffic policy.
2. The method according to claim 1, wherein when any unicast route changes, before identifying, from among destination addresses corresponding to locally stored traffic policies, a destination address having an inclusion or included relationship with a destination address of the changed unicast route, the method further comprises:
when receiving a traffic policy sent by a neighbor, locally storing a destination address corresponding to the traffic policy;
and identifying, in the routes sent by the neighbors, the optimal route whose destination address contains the destination address corresponding to the traffic policy, and determining that route as the optimal route corresponding to the traffic policy.
3. The method of claim 2, wherein the checking the validity of the traffic policies comprises:
for a traffic policy that has not passed the validity check, when the unicast route is changed from the preferred route to the non-preferred route, the unicast route and the optimal route corresponding to the traffic policy come from different neighbors, and the destination address of the optimal route contains the destination address of the changed unicast route, or the destination address of the changed unicast route contains the destination address corresponding to the traffic policy, carrying out the validity check on the traffic policy;
and for a traffic policy that has not passed the validity check, when the unicast route is changed from the non-preferred route to the preferred route, the unicast route and the optimal route corresponding to the traffic policy come from the same neighbor, the destination address of the optimal route contains the destination address of the changed unicast route, or the destination address of the changed unicast route contains the destination address corresponding to the traffic policy, and the optimal route corresponding to the traffic policy is empty, carrying out the validity check on the traffic policy.
4. The method of claim 2, wherein the checking the validity of the traffic policies comprises:
for a traffic policy that has passed the validity check, when the changed unicast route is the optimal route corresponding to the traffic policy and the unicast route is changed from the preferred route to the non-preferred route, carrying out the validity check on the traffic policy;
for a traffic policy that has passed the validity check, when the unicast route is changed from the non-preferred route to the preferred route, the destination address of the optimal route corresponding to the traffic policy contains the destination address of the changed unicast route, and the destination address of the changed unicast route contains the destination address corresponding to the traffic policy; or when the destination address corresponding to the traffic policy contains the destination address of the changed unicast route, carrying out the validity check on the traffic policy.
5. The method of claim 4, wherein when the unicast route is changed from the non-preferred route to the preferred route, the destination address of the optimal route corresponding to the traffic policy contains the destination address of the changed unicast route, and the destination address of the changed unicast route contains the destination address corresponding to the traffic policy, the method further comprises:
and when the optimal route corresponding to the traffic policy and the unicast route come from the same neighbor, updating the optimal route corresponding to the traffic policy to the changed unicast route.
6. The method according to any of claims 1-5, wherein the network device stores the correspondence between each traffic policy and the destination address through a locally stored radix tree.
7. An apparatus for checking the validity of a traffic policy, applied to any network device, the apparatus comprising:
an identification module, configured to identify, when any unicast route changes, a destination address having an inclusion or included relationship with the destination address of the changed unicast route from destination addresses corresponding to each locally-stored traffic policy;
and a processing module, configured to determine each traffic policy corresponding to each identified destination address and carry out validity check on each traffic policy.
8. The apparatus of claim 7, further comprising:
a storage module, configured to locally store a destination address corresponding to a traffic policy when the traffic policy sent by a neighbor is received;
and a determining module, configured to identify, in the routes sent by the neighbors, the optimal route whose destination address contains the destination address corresponding to the traffic policy, and determine that route as the optimal route corresponding to the traffic policy.
9. The apparatus according to claim 8, wherein the processing module is specifically configured to, for a traffic policy that has not passed the validity check, perform the validity check on the traffic policy when the unicast route is changed from the preferred route to the non-preferred route, the unicast route and the optimal route corresponding to the traffic policy come from different neighbors, and the destination address of the optimal route contains the destination address of the changed unicast route, or the destination address of the changed unicast route contains the destination address corresponding to the traffic policy;
and, for a traffic policy that has not passed the validity check, perform the validity check on the traffic policy when the unicast route is changed from the non-preferred route to the preferred route, the unicast route and the optimal route corresponding to the traffic policy come from the same neighbor, the destination address of the optimal route contains the destination address of the changed unicast route, or the destination address of the changed unicast route contains the destination address corresponding to the traffic policy, and the optimal route corresponding to the traffic policy is empty.
10. The apparatus according to claim 8, wherein the processing module is specifically configured to, for a traffic policy that has passed the validity check, perform the validity check on the traffic policy when the unicast route before the change is the optimal route corresponding to the traffic policy and the unicast route is changed from the preferred route to the non-preferred route;
and, for a traffic policy that has passed the validity check, perform the validity check on the traffic policy when the unicast route is changed from the non-preferred route to the preferred route, the destination address of the optimal route corresponding to the traffic policy contains the destination address of the changed unicast route, and the destination address of the changed unicast route contains the destination address corresponding to the traffic policy; or when the destination address corresponding to the traffic policy contains the destination address of the changed unicast route.
11. The apparatus of claim 10, wherein the processing module is further configured to update the optimal route corresponding to the traffic policy to the changed unicast route when the unicast route is changed from the non-preferred route to the preferred route, the destination address of the optimal route corresponding to the traffic policy includes the destination address of the changed unicast route, the destination address of the changed unicast route includes the destination address corresponding to the traffic policy, and the optimal route corresponding to the traffic policy and the unicast route are from the same neighbor.
12. The apparatus according to any of claims 7-11, wherein the network device stores the correspondence between each traffic policy and the destination address through a locally stored radix tree.
CN201610677411.3A 2016-08-16 2016-08-16 Method and device for checking validity of flow strategy Active CN106302461B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610677411.3A CN106302461B (en) 2016-08-16 2016-08-16 Method and device for checking validity of flow strategy

Publications (2)

Publication Number Publication Date
CN106302461A CN106302461A (en) 2017-01-04
CN106302461B true CN106302461B (en) 2020-10-27

Family

ID=57678147

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610677411.3A Active CN106302461B (en) 2016-08-16 2016-08-16 Method and device for checking validity of flow strategy

Country Status (1)

Country Link
CN (1) CN106302461B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108965137B (en) * 2018-07-20 2021-03-19 新华三技术有限公司 Message processing method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4673942B1 (en) * 2010-02-26 2011-04-20 株式会社野村総合研究所 Disability response support system
CN103117927A (en) * 2011-11-17 2013-05-22 中兴通讯股份有限公司 Method of obtaining address of strategy server
CN105072085A (en) * 2015-07-03 2015-11-18 北京航空航天大学 Flow rule validity authentication method under software-defined networking
CN105429957A (en) * 2015-11-02 2016-03-23 芦斌 IP address jump safety communication method based on SDN framework
KR20160066461A (en) * 2014-12-02 2016-06-10 현대모비스 주식회사 Apparatus for collecting traffic information and method for providing traffic information using thereof
CN105763477A (en) * 2016-02-03 2016-07-13 杭州华三通信技术有限公司 Flow control strategy processing method and device

Also Published As

Publication number Publication date
CN106302461A (en) 2017-01-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou science and Technology Industrial Park, high tech Industrial Development Zone, Zhejiang Province, No. six and road, No. 310

Applicant before: Huasan Communication Technology Co., Ltd.

SE01 Entry into force of request for substantive examination
GR01 Patent grant