CN107566298B - Method and equipment for generating table entry - Google Patents


Info

Publication number
CN107566298B
Authority
CN
China
Prior art keywords
flow
spec
bgp
priority
forwarding
Legal status: Active
Application number
CN201610506186.7A
Other languages
Chinese (zh)
Other versions
CN107566298A (en)
Inventor
王芳
许健彬
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202111366024.5A (published as CN114205312A)
Priority to CN201610506186.7A (published as CN107566298B)
Publication of CN107566298A
Application granted
Publication of CN107566298B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/50 Queue scheduling
    • H04L 47/62 Queue scheduling characterised by scheduling criteria
    • H04L 47/625 Queue scheduling characterised by scheduling criteria for service slots or service orders
    • H04L 47/6275 Queue scheduling characterised by scheduling criteria for service slots or service orders based on priority
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a method and a device for generating table entries. The method comprises the following steps: a first network device generates a BGP UPDATE message for publishing a BGP flow-spec route, the BGP UPDATE message carrying a flow-spec priority; the first network device sends the BGP UPDATE message to a forwarding device to trigger the forwarding device to generate a BGP flow-spec table entry according to the BGP UPDATE message, the BGP flow-spec table entry containing the flow-spec priority, which marks the priority of the BGP flow-spec table entry when that entry is used to guide packet forwarding. With this scheme, packet forwarding behavior can be controlled effectively and traffic can be regulated flexibly.

Description

Method and equipment for generating table entry
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and a device for generating a table entry.
Background
RFC5575 defines Border Gateway Protocol (BGP) Flow Specification (flow-spec) routes, which use a new type of BGP network layer reachability information (NLRI) and new extended community attributes. With this NLRI and these extended community attributes, a BGP flow-spec route carries traffic filtering conditions together with the actions to perform on traffic that matches them. The device that creates the BGP flow-spec route and the forwarding device establish a BGP peer relationship over which the route is transferred. When the BGP peer receives the BGP flow-spec route, it converts the route selected as best into a traffic control policy at the forwarding layer, thereby regulating the traffic.
In the prior art, when a user wants to control traffic passing through a forwarding device, for example by steering traffic that meets a specific requirement onto a particular route, BGP flow-spec routes are used. Under the current BGP flow-spec specification, the precedence of BGP flow-spec entries is fixed by the ordering rule defined in RFC5575: when two entries differ in the type of their first component, the entry whose component has the smaller type number has higher precedence. The component types are shown in table 1.
For example, a user wishes to perform action 1 on packets sent from source address A to destination address D, and action 2 on packets sent to destination address D from any other source. Under the current protocol, the type number of a BGP flow-spec entry whose filtering condition is a source prefix (type 2) is larger than that of an entry whose filtering condition is a destination prefix (type 1), so the source-prefix entry can never take effect ahead of the destination-prefix entry. A packet sent from source address A to destination address D is therefore wrongly handled with action 2. Packet forwarding behavior thus cannot be controlled effectively and flexibly according to the requirement.
Type ID   Type name
   1      Destination Prefix
   2      Source Prefix
   3      IP Protocol
   4      Port
   5      Destination port
   6      Source port
TABLE 1 (the first six of the twelve component types RFC5575 defines)
Disclosure of Invention
In view of this, the present application provides a method and a device for generating an entry, where a flow-spec priority is added to a BGP flow-spec entry, and the flow-spec priority is used to identify a priority of the BGP flow-spec entry when the BGP flow-spec entry is used to guide packet forwarding. Therefore, the message forwarding behavior can be effectively controlled, and the flexible regulation and control of the flow can be realized.
In a first aspect, the present application provides a method for generating an entry, where the method includes: a first network device generates a BGP UPDATE message, where the BGP UPDATE message is used to advertise a BGP flow-spec route and includes a flow-spec priority; and the first network device sends the BGP UPDATE message to a forwarding device to trigger the forwarding device to generate a BGP flow-spec table entry according to the BGP UPDATE message, where the BGP flow-spec table entry includes the flow-spec priority, and the flow-spec priority is used to mark the priority of the BGP flow-spec table entry when the entry is used to guide packet forwarding.
A flow-spec priority is added to the BGP flow-spec table entry, and by specifying the flow-spec priority the priority of the BGP flow-spec table entry is marked for when the entry is used to guide packet forwarding. Packet forwarding behavior can therefore be controlled effectively and traffic regulated flexibly. The method can be used for defense against network traffic attacks, such as Distributed Denial of Service (DDoS) attacks, and can effectively mitigate the impact of attack traffic on a network.
In a second aspect, the present application provides a method for generating an entry, where the method includes: the forwarding device receives a BGP UPDATE message sent by a first network device, where the BGP UPDATE message is used to advertise a BGP flow-spec route and includes a flow-spec priority;
and the forwarding device generates a BGP flow-spec table entry according to the BGP UPDATE message and stores the BGP flow-spec table entry in a BGP flow-spec table, where the BGP flow-spec table entry includes the flow-spec priority, and the flow-spec priority is used to mark the priority of the BGP flow-spec table entry when the entry is used to guide packet forwarding.
A flow-spec priority is added to the BGP flow-spec table entry, and by specifying the flow-spec priority the priority of the BGP flow-spec table entry is marked for when the entry is used to guide packet forwarding. Packet forwarding behavior can therefore be controlled effectively and traffic regulated flexibly. The method can be used for defense against network traffic attacks, for example DDoS attacks, and can effectively mitigate the impact of attack traffic on a network.
In a first possible implementation manner of the second aspect, when multiple BGP flow-spec entries exist in the BGP flow-spec table, and each BGP flow-spec entry contains a flow-spec priority, the method of the second aspect further includes:
when the forwarding device forwards a packet, it uses the packet's match keys to match the BGP flow-spec entries in the BGP flow-spec table in descending order of flow-spec priority, and processes the packet in the manner indicated by the action item information in the matched BGP flow-spec entry. For example, the packet may be discarded as indicated by the action item information.
In a third aspect, the present application provides a first network device configured to perform the method of the first aspect. In particular, the first network device comprises functional units for performing the method of the first aspect.
In a fourth aspect, the present application provides a forwarding device configured to perform the method in the second aspect or the first possible implementation manner of the second aspect. In particular, the forwarding device comprises functional units for performing the method of the second aspect or the first possible implementation of the second aspect.
In a fifth aspect, the present application provides a first network device, which includes a network interface, a processor, a memory, and a bus connecting the processor and the memory, wherein the processor is configured to execute code in the memory, and when the code is executed, the execution causes the processor to execute the method of the first aspect.
In a sixth aspect, the present application provides a forwarding device, which includes a network interface, a processor, a memory, and a bus, where the processor and the memory are connected to each other through the bus, and the processor is configured to execute code in the memory, and when the code is executed, the execution causes the processor to execute the method in the second aspect or the first possible implementation manner of the second aspect.
In a seventh aspect, the present application provides a computer-readable storage medium for storing a computer program comprising instructions for performing the method of the first aspect, the second aspect, or the first possible implementation of the second aspect.
In an eighth aspect, the present application provides a communication system, including the first network device of the third aspect or the fifth aspect and the forwarding device of the fourth aspect or the sixth aspect, configured to execute the method of the first aspect, the second aspect, or the first possible implementation of the second aspect.
In the first to eighth aspects, the first network device is a Controller under a control forwarding split network architecture; or
The first network device is itself a forwarding device that is a BGP peer of the forwarding device; or
The first network device is a traffic analysis server.
Therefore, the technical solution of the application can meet the requirement of flexibly regulating and controlling packet forwarding behavior in different application scenarios.
In the first to eighth aspects described above, the flow-spec priority is carried in an extended community attribute field of the BGP UPDATE message.
According to the technical scheme, the flow-spec priority is added to the BGP flow-spec table entry, and the flow-spec priority is designated to identify the priority of the BGP flow-spec table entry when the BGP flow-spec table entry is used for guiding message forwarding. Therefore, the message forwarding behavior can be effectively controlled, and the flexible regulation and control of the flow can be realized. The method is used for network traffic attack defense, for example, DDoS attack defense, and can effectively slow down the influence of attack traffic on the network.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of a scenario 1 applied in the embodiment of the present application;
FIG. 2 is a schematic diagram of scenario 2 in which the present application is applied;
fig. 3 is a flowchart of a method for generating an entry according to an embodiment of the present application;
fig. 4 is a schematic diagram of a first network device according to an embodiment of the present application;
fig. 5 is a schematic diagram of a forwarding device according to an embodiment of the present application;
fig. 6 is a schematic hardware structure diagram of a first network device according to an embodiment of the present disclosure;
fig. 7 is a schematic hardware structure diagram of a forwarding device according to an embodiment of the present application;
Detailed Description
Technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments that can be derived by a person skilled in the art from the embodiments given herein without making any creative effort shall fall within the protection scope of the present application.
The application scenario described in the embodiment of the present application is for more clearly illustrating the technical solution of the embodiment of the present application, and does not limit the technical solution provided in the embodiment of the present application. As can be known to those skilled in the art, with the evolution of network architecture and the appearance of new service scenarios, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
An application scenario 1 of the embodiment of the present application is described below with reference to fig. 1.
Fig. 1 exemplarily illustrates a Software Defined Network (SDN) 100 applied in an embodiment of the present application. The network 100 includes a controller 110 and a plurality of network devices 120. Alternatively, the Controller 110 may be specifically an intelligent Network Controller (SNC), but the embodiment of the present invention is not limited thereto.
Network device 120 may be configured to forward packets. The network device may specifically be a traditional router, a switch, and other route forwarding devices in a traditional Path Computation Element (PCE) network, or may also be a router, a switch, and other route forwarding devices in an SDN based on control and forwarding separation, which is not limited in this embodiment of the present application.
Fig. 1 exemplarily shows six routers: r1 to R6, wherein R1 to R4 belong to Autonomous System (AS) 1, R5 belongs to AS2, and R6 belongs to AS 3. It should be understood that fig. 1 only shows one controller and six routers by way of example, and the network 100 may include any other number of controllers and network devices, which are not limited by the embodiments of the present application.
In the example shown in fig. 1, it is assumed that the destination address of the service accessed by R1 is D, and there may be two paths from R1 to D, where path X passes through R1, R2 and R5 in turn, and path Y passes through R1, R3 and R6 in turn. In order to ensure that the service traffic of the VIP client can be guaranteed by bandwidth, the path X is a VIP dedicated link for the VIP client, and the path Y is a general link for the general user. When the VIP client having the source IP address a accesses the device having the destination address D through R1 and the non-VIP client accesses the device having the destination address D through R1, the controller 110 generates two pieces of BGP flow-spec table entry information and sends the two pieces of BGP flow-spec table entry information to R1. As shown in table 2:
Entry ID   Filter                  Action
   1       Destination Prefix: D   Path Y
   2       Source Prefix: A        Path X
TABLE 2
In table 2, "Entry ID" is the entry number; it is included only for ease of description in this embodiment, and the BGP flow-spec entry information actually sent by the controller to the forwarding device need not include it. "Filter" is the traffic filtering information indicating the traffic filtering condition. "Action" is the action item information; the forwarding device processes the packet in the manner it indicates. The action item information may include traffic-action, redirect, traffic-rate, traffic-marking, and similar information.
In the two pieces of BGP flow-spec table Entry information sent by the controller 110 to the R1, a packet sent by a VIP client with a source IP address a to a destination IP address D is expected to be directed to the path X for forwarding according to the instruction of Entry2, and a packet sent by a non VIP client with a destination IP address D is expected to be directed to the path Y for forwarding according to the instruction of Entry 1.
However, according to the priority rule of the BGP flow-spec table entry specified by the current protocol, the type number of the BGP flow-spec table entry with the source address as the traffic filtering condition type is larger than the type number of the BGP flow-spec table entry with the destination address as the traffic filtering condition type, and therefore, a packet sent by a VIP client with the source IP address a to the destination IP address D is directed to the path Y for transmission.
An application scenario 2 of the embodiment of the present application is described below with reference to fig. 2.
Fig. 2 schematically shows a network 200 to which an embodiment of the present application is applied. The network 200 includes a traffic analysis server 210 and a plurality of network devices 220. Network device 220 may be configured to forward packets. The network device may specifically be a router, a switch, or another routing forwarding device, which is not limited in this embodiment of the present application.
Fig. 2 shows exemplarily 4 routers: R7-R10, wherein R7 belongs to AS100, R8-R10 and the traffic analyzing server 210 belongs to AS 200. It should be understood that fig. 2 only shows one traffic analysis server and four routers by way of example, and the network 200 may include any other number of traffic analysis servers and network devices, which is not limited in this embodiment.
As shown in fig. 2, R9 and R10 send traffic samples to the traffic analysis server 210. When the attack source 230 with source IP address A initiates a traffic attack, the traffic analysis server 210 inspects the traffic samples against predefined rules to identify abnormal traffic. The traffic analysis server 210 automatically creates a BGP flow-spec route based on the characteristics of the abnormal traffic and passes the traffic filtering rules to its BGP peer R8 by advertising this route. After receiving the BGP flow-spec route, R8 converts it into a traffic control policy and controls the traffic matching the rule. Assume that the traffic filtering rules generated by the traffic analysis server are:
1) flow with source IP address a, discard;
2) traffic with destination IP address D, limiting the transmission rate.
That is, according to the traffic filtering rules generated by the traffic analysis server 210, the intent is that the forwarding device discards all traffic it receives from source IP address A, and rate-limits all traffic it receives with destination address D. However, when the forwarding device receives attack traffic sent from source IP address A to destination IP address D, under the priority rule for BGP flow-spec entries specified by the current protocol the forwarding device does not discard the attack traffic that should be discarded but only limits its transmission rate, so the attack persists.
Fig. 3 schematically illustrates a method 300 for generating an entry according to an embodiment of the present application. The method 300 may be applied to the SDN100 shown in fig. 1 or the network 200 shown in fig. 2, but the embodiment of the present application is not limited thereto.
S301, the first network device generates a BGP UPDATE message. The BGP UPDATE message is used to advertise a BGP flow-spec route and includes a flow-spec priority.
The first network device may be configured to control traffic of a network. Optionally, the first network device may specifically be a Controller under a control forwarding separation architecture, and the Controller may specifically be an SNC. For example, the first network device may be embodied as the controller shown in fig. 1.
Optionally, the first network device may also be a traffic analysis server. For example, the first network device may be embodied as a traffic analysis server shown in fig. 2.
Optionally, the first network device may also be a forwarding device, and specifically may be a routing forwarding device such as a traditional router and a switch in a traditional Path Computation Element (PCE) network, or a routing forwarding device such as a router and a switch in an SDN based on control and forwarding separation. For example, the first network device may be embodied as R4 shown in fig. 1 or R9 shown in fig. 2. The embodiments of the present application do not limit this.
In one particular embodiment, as shown in FIG. 1, the controller 110 acts as the first network device. A BGP peer relationship is established between controller 110 and R1. The controller 110 generates the BGP UPDATE message to pass the BGP flow-spec routes to the BGP peers.
In another embodiment, as shown in FIG. 2, the traffic analyzing server 210 serves as the first network device. A BGP peer relationship is established between traffic analysis server 210 and R8. The traffic analysis server 210 generates the BGP UPDATE message to pass the BGP flow-spec routes to the BGP peers.
The BGP UPDATE message may further include action item information, which may specifically include one or more of traffic-rate, traffic-action, traffic-marking, and redirect. For example, the Extended Community attribute of the BGP UPDATE message carries this action item information.
The BGP UPDATE message also includes a Multiprotocol Reachable NLRI (MP_REACH_NLRI) attribute. MP_REACH_NLRI is a path attribute in its own right (attribute type code 14, defined in RFC4760); it is not nested inside the Extended Community attribute. The MP_REACH_NLRI attribute consists of one or more triples <Address Family Information, Next Hop Information, Network Reachability Information>, and accordingly contains an address family information field, a next hop network address information field, and an NLRI field. The address family information field holds a 2-byte Address Family Identifier (AFI), which identifies the network layer protocol, and a 1-byte Subsequent Address Family Identifier (SAFI), which identifies the type of the NLRI; the next hop network address information field holds the next hop address; and, for flow-spec, the NLRI field holds a length followed by the flow-spec components, where each component carries one traffic filtering condition such as a destination prefix, source prefix, destination port, or source port. Optionally, in this embodiment of the present application, the NLRI may carry only a single traffic filtering condition, that is, a destination prefix or a source prefix, which is not limited in this embodiment.
Optionally, the flow-spec priority is carried in the extended community attribute field of the BGP UPDATE message. A new flow-spec priority type is added to the BGP extended community attribute, as shown in table 3:
Type     Field name         Defined in
0x8006   traffic-rate       RFC5575
0x8007   traffic-action     RFC5575
0x8008   redirect           RFC5575
0x8009   traffic-marking    RFC5575
0x800F   traffic-priority   this application
TABLE 3
For the four existing extended community attribute types 0x8006-0x8009 in table 3, refer to the definitions in RFC5575, which are not repeated here. The type value of the new flow-spec priority is shown as 0x800F, but it may be any other value and would in practice be allocated from the Internet Assigned Numbers Authority (IANA) registry; likewise the field name is shown as "traffic-priority" but may be defined as another name. Neither is limited by this embodiment of the present application.
Further optionally, other attribute fields in the BGP UPDATE message may also be used to carry the flow-spec priority. For example, the extended private attribute field in the BGP UPDATE message is used to carry the flow-spec priority, which is not limited in this embodiment of the present application.
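The wire format behind table 3, as an added example that is not code from the patent or from Huawei: it encodes the four RFC5575 flow-spec action communities and a traffic-priority community, wraps them in a BGP Extended Communities path attribute, and decodes the attribute back on the receiving side. The type value 0x800F is the page's placeholder, and the layout of the 6-byte value field (a big-endian unsigned integer) is an assumption of this example; the patent does not specify it.

```python
import struct

# Extended community types RFC5575 defines for flow-spec actions (the four
# "existing" types of table 3) plus the type this page proposes.
TRAFFIC_RATE, TRAFFIC_ACTION, REDIRECT, TRAFFIC_MARKING = 0x8006, 0x8007, 0x8008, 0x8009
TRAFFIC_PRIORITY = 0x800F   # ASSUMPTION: the page's placeholder value, not an IANA assignment
EXT_COMMUNITIES_ATTR = 16   # BGP path attribute type code of Extended Communities


def encode_traffic_rate(asn, rate_bytes_per_sec):
    """traffic-rate: 2-octet AS, 4-octet IEEE float rate; a rate of 0 means discard."""
    return struct.pack("!HHf", TRAFFIC_RATE, asn, rate_bytes_per_sec)


def encode_traffic_action(terminal=False, sample=False):
    """traffic-action: bit 47 = terminal (T), bit 46 = sample (S); other bits zero."""
    return struct.pack("!H", TRAFFIC_ACTION) + b"\x00" * 5 + bytes([(sample << 1) | terminal])


def encode_redirect(asn, local_admin):
    """redirect: route target in 2-octet AS : 4-octet value form."""
    return struct.pack("!HHI", REDIRECT, asn, local_admin)


def encode_traffic_marking(dscp):
    """traffic-marking: DSCP in the low 6 bits of the last octet."""
    return struct.pack("!H", TRAFFIC_MARKING) + b"\x00" * 5 + bytes([dscp & 0x3F])


def encode_traffic_priority(priority):
    """ASSUMED encoding of the proposed traffic-priority community: the 6-octet
    value field holds the priority as a big-endian unsigned integer."""
    if not 0 <= priority < 1 << 48:
        raise ValueError("priority does not fit in 6 octets")
    return struct.pack("!H", TRAFFIC_PRIORITY) + priority.to_bytes(6, "big")


def build_ext_communities_attr(*communities):
    """Wrap 8-octet communities in an optional transitive path attribute (flags 0xC0).
    The extended-length flag (0x10) is set when the value exceeds 255 octets."""
    value = b"".join(communities)
    if len(value) % 8:
        raise ValueError("each extended community is exactly 8 octets")
    if len(value) > 255:
        return bytes([0xD0, EXT_COMMUNITIES_ATTR]) + struct.pack("!H", len(value)) + value
    return bytes([0xC0, EXT_COMMUNITIES_ATTR, len(value)]) + value


def decode_ext_communities_attr(attr):
    """Parse one Extended Communities path attribute into {name: decoded value}.
    Unknown types are kept as hex so a receiver can log and ignore them."""
    flags, code = attr[0], attr[1]
    if code != EXT_COMMUNITIES_ATTR:
        raise ValueError(f"not an Extended Communities attribute (type {code})")
    if flags & 0x10:
        length, body = struct.unpack("!H", attr[2:4])[0], attr[4:]
    else:
        length, body = attr[2], attr[3:]
    if len(body) != length or length % 8:
        raise ValueError("attribute length does not match its value")
    out = {}
    for off in range(0, length, 8):
        ec = body[off:off + 8]
        ctype = struct.unpack("!H", ec[:2])[0]
        if ctype == TRAFFIC_RATE:
            asn, rate = struct.unpack("!Hf", ec[2:])
            out["traffic-rate"] = (asn, rate)
        elif ctype == TRAFFIC_ACTION:
            out["traffic-action"] = {"terminal": bool(ec[7] & 1), "sample": bool(ec[7] & 2)}
        elif ctype == REDIRECT:
            asn, local = struct.unpack("!HI", ec[2:])
            out["redirect"] = f"{asn}:{local}"
        elif ctype == TRAFFIC_MARKING:
            out["traffic-marking"] = ec[7] & 0x3F
        elif ctype == TRAFFIC_PRIORITY:
            out["traffic-priority"] = int.from_bytes(ec[2:], "big")
        else:
            out.setdefault("unknown", []).append(ec.hex())
    return out


if __name__ == "__main__":
    # Constructed UPDATE fragment: "discard, priority 7", as the traffic analysis
    # server of scenario 2 would send for traffic from source A (AS number constructed).
    attr = build_ext_communities_attr(encode_traffic_rate(64496, 0.0), encode_traffic_priority(7))
    print(attr.hex())
    print(decode_ext_communities_attr(attr))
```

A receiver that does not know type 0x800F lands in the "unknown" branch, which is the point of using a transitive type: the community is carried on unchanged and the entry simply gets no priority there.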
S302, the first network device sends the BGP UPDATE message to a forwarding device to trigger the forwarding device to generate a BGP flow-spec table entry according to the BGP UPDATE message. The BGP flow-spec table entry comprises the flow-spec priority, and the flow-spec priority is used for marking the priority of the BGP flow-spec table entry when the BGP flow-spec table entry is used for guiding message forwarding.
The forwarding device is a network device on the routing path of the message and is used for processing the received message. The routing forwarding device may specifically be a traditional router, a switch, or the like in a traditional PCE network, or may also be a router, a switch, or the like in an SDN based on control forwarding separation, which is not limited in this embodiment of the present application. For example, the forwarding device may be embodied as R1 shown in fig. 1 or R8 shown in fig. 2.
In a specific embodiment, after receiving the BGP UPDATE message sent by the first network device, the forwarding device generates a corresponding BGP flow-spec entry according to the flow-spec priority, the traffic filtering condition, and the action item information carried in the BGP UPDATE message.
S303, the forwarding device receives the BGP UPDATE message sent by the first network device.
S304, the forwarding device generates a BGP flow-spec table entry according to the BGP UPDATE message, and stores the BGP flow-spec table entry in the BGP flow-spec table.
The BGP flow-spec table comprises at least one BGP flow-spec table entry; the BGP flow-spec table entry comprises the flow-spec priority, which is used to mark the priority of the BGP flow-spec table entry when the entry is used to guide packet forwarding.
In a specific embodiment, when a user wants to perform traffic control on packets passing through a forwarding device, for example route-specific forwarding of packets from a specific source IP address to a certain destination IP address, the forwarding device is configured with a BGP flow-spec table containing at least one BGP flow-spec entry. A BGP flow-spec entry may include a traffic filtering condition and the action item information to apply to matching packets. The traffic filtering condition may include a destination IP address, a source IP address, a source port number, a destination port number, and so on. The action item information may include redirection to a particular port, discarding, limiting the transmission rate, and so on. When the forwarding device receives a packet it may first query the BGP flow-spec table, and if the table contains a BGP flow-spec entry matching the packet, process the packet in the manner indicated by the action item information in the matched BGP flow-spec entry.
In a specific embodiment, as shown in fig. 1, R1 serves as the forwarding device and receives the BGP UPDATE message sent by controller 110.
In another specific embodiment, as shown in fig. 2, R8 serves as the forwarding device and receives the BGP UPDATE message sent by traffic analysis server 210.
The BGP UPDATE message carries the flow-spec priority. The forwarding device generates a BGP flow-spec table entry according to the BGP UPDATE message and stores it in the BGP flow-spec table. In this embodiment of the application, the entry format of the forwarding device's BGP flow-spec table is extended with a flow-spec priority field. Optionally, each BGP flow-spec entry in the BGP flow-spec table includes the flow-spec priority, the traffic filtering condition, and the action item information.
The BGP flow-spec entries related to the embodiment of the present application are sorted according to the priority specified by the flow-spec priority, and the higher the flow-spec priority is, the higher the priority of the corresponding BGP flow-spec entry is. The priority among BGP flow-spec table entries of the same flow-spec priority conforms to the Type priority definition defined by RFC5575, and the table entries with smaller Type numbers have higher priority. The format of the BGP flow-spec entry with the flow-spec priority field extended, as shown in Table 4:
those skilled in the art will appreciate that table 4 is merely illustrative of the information contained in a BGP flow-spec entry with an extended flow-spec priority.
Entry ID   Priority   Filter                  Action
   1          7       Source Prefix: A        Action 1
   2          6       Destination Prefix: D   Action 2
   3          5       Source Prefix: B        Action 3
  ...        ...      ...                     ...
   n          0       Destination Prefix: Z   Action n
TABLE 4
As can be seen from Table 4, Entry 1 has a traffic filtering condition of source IP address A and a flow-spec priority of 7, while Entry 2 has a traffic filtering condition of destination IP address D and a flow-spec priority of 6. Entry 1 therefore takes precedence over Entry 2.
Optionally, when the BGP flow-spec table contains a plurality of BGP flow-spec entries, each of which includes a flow-spec priority, the method 300 further includes S305:
When forwarding a packet, the forwarding device uses the keywords of the packet to match the BGP flow-spec entries in the BGP flow-spec table, giving precedence to entries with a higher flow-spec priority, and processes the packet in the manner indicated by the action item information of the matched BGP flow-spec entry.
In a specific embodiment, referring to fig. 1 and Table 4, when the forwarding device R1 receives a packet with destination IP address D sent by a VIP client with source IP address A, it uses the source IP address and destination IP address of the packet as keywords and matches them against the BGP flow-spec table in order of flow-spec priority, from high to low. Because the flow-spec priority of Entry 1 is higher than that of Entry 2, Entry 1 is examined first; if the packet matches Entry 1, it is processed in the manner indicated by the action item information of Entry 1, for example forwarded over path X. Similarly, when the forwarding device receives a packet with destination IP address D sent by a non-VIP client, matching again proceeds from high to low flow-spec priority; if the packet matches Entry 2, it is processed in the manner indicated by the action item information of Entry 2, for example forwarded over path Y.
In another specific embodiment, referring to fig. 2 and Table 4, when the forwarding device R8 receives an attack packet with destination IP address D sent by an attack source with source IP address A, it uses the source IP address and destination IP address of the packet as keywords and matches them against the BGP flow-spec table in order of flow-spec priority, from high to low. Because the flow-spec priority of Entry 1 is higher than that of Entry 2, Entry 1 is examined first; if the packet matches Entry 1, it is processed in the manner indicated by the action item information of Entry 1, for example discarded. Similarly, when the forwarding device receives a packet with destination IP address D sent from another IP address, matching again proceeds from high to low flow-spec priority; if the packet matches Entry 2, it is processed in the manner indicated by the action item information of Entry 2, for example by limiting its transmission rate.
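The ordering and lookup described above, as an added example (not code from the patent): a small model of the Table 4 entries with the flow-spec priority field, and the S305 lookup that walks the table from high to low priority. It also shows what the priority field changes: under the RFC 5575 type rule alone, the Destination Prefix entry (type 1) would win over the Source Prefix entry (type 2), so the VIP client's packet would hit Entry 2; with the priority field, Entry 1 wins as the text describes. The addresses standing in for A, B, D and Z, the actions, and the fourth entry are constructed placeholders, and only the "smaller Type number first" part of the RFC 5575 comparison is modelled.

```python
"""
Added example (not from the patent): BGP flow-spec table with a flow-spec
priority field, ordered as the text describes (higher priority first, then
the RFC 5575 rule that a smaller component type number takes precedence).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 5575 NLRI component type numbers used here.
TYPE_DST_PREFIX = 1  # Destination Prefix
TYPE_SRC_PREFIX = 2  # Source Prefix


@dataclass(frozen=True)
class FlowSpecEntry:
    entry_id: int
    priority: int                      # flow-spec priority field (Table 4, "Priority")
    action: str                        # action item information
    src_prefix: Optional[str] = None   # traffic filtering condition, component type 2
    dst_prefix: Optional[str] = None   # traffic filtering condition, component type 1

    def lowest_component_type(self) -> int:
        types = []
        if self.dst_prefix is not None:
            types.append(TYPE_DST_PREFIX)
        if self.src_prefix is not None:
            types.append(TYPE_SRC_PREFIX)
        return min(types)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        """Keyword match on the packet's source and destination addresses."""
        if self.src_prefix is not None and \
                ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src_prefix):
            return False
        if self.dst_prefix is not None and \
                ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst_prefix):
            return False
        return True


def ordered_entries(table: List[FlowSpecEntry], use_priority: bool = True) -> List[FlowSpecEntry]:
    """Lookup order. With use_priority=False only the RFC 5575 type rule applies."""
    if use_priority:
        return sorted(table, key=lambda e: (-e.priority, e.lowest_component_type()))
    return sorted(table, key=lambda e: e.lowest_component_type())


def lookup(table: List[FlowSpecEntry], src_ip: str, dst_ip: str,
           use_priority: bool = True) -> Optional[FlowSpecEntry]:
    """S305: walk the table from high to low flow-spec priority; first match wins."""
    for entry in ordered_entries(table, use_priority):
        if entry.matches(src_ip, dst_ip):
            return entry
    return None


# Constructed stand-in for Table 4 in the fig. 1 scenario (placeholder addresses):
# A = VIP client, D = protected destination, B = another source, Z = another destination.
TABLE4 = [
    FlowSpecEntry(1, 7, "forward via path X", src_prefix="198.51.100.10/32"),  # Source Prefix: A
    FlowSpecEntry(2, 6, "forward via path Y", dst_prefix="203.0.113.0/24"),    # Destination Prefix: D
    FlowSpecEntry(3, 5, "rate-limit",         src_prefix="192.0.2.0/24"),      # Source Prefix: B
    FlowSpecEntry(4, 0, "discard",            dst_prefix="10.10.0.0/16"),      # Destination Prefix: Z
]

if __name__ == "__main__":
    vip = lookup(TABLE4, "198.51.100.10", "203.0.113.5")
    other = lookup(TABLE4, "192.0.2.7", "203.0.113.5")
    legacy = lookup(TABLE4, "198.51.100.10", "203.0.113.5", use_priority=False)
    print("VIP client  ->", vip.entry_id, vip.action)        # Entry 1, path X
    print("non-VIP     ->", other.entry_id, other.action)    # Entry 2, path Y
    print("no priority ->", legacy.entry_id, legacy.action)  # Entry 2 under RFC 5575 alone
```

The `use_priority=False` path is the check worth keeping in a test suite: it confirms that an operator-assigned priority, and not the accident of which component types a rule happens to use, decides which action a packet receives.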
Before step S301, the method may further include step S306:
The first network device obtains the flow-spec priority.
Optionally, the first network device may configure dynamically the flow-spec priority associated with each traffic filtering condition and action item information. Optionally, the first network device may instead configure it statically. Optionally, the first network device may also obtain the flow-spec priority associated with each traffic filtering condition and action item information from a BGP UPDATE message exchanged with another network device, and forward that flow-spec priority to the forwarding device. The other network device may be another controller, another traffic analysis server, or a forwarding device other than the second network device; the embodiments of the present application do not limit this.
In summary, in the method provided by the embodiment of the present application, a flow-spec priority is added to the BGP flow-spec entry, and this flow-spec priority identifies the precedence of the BGP flow-spec entry when it is used to guide packet forwarding. By designating the flow-spec priority, the precedence of the corresponding BGP flow-spec entry can be adjusted, which gives effective control over packet forwarding behaviour and allows traffic to be regulated flexibly. When the method is applied to defence against network traffic attacks, for example DDoS attacks, it can effectively reduce the impact of attack traffic on the network.
Those skilled in the art will understand that all or part of the steps of the above method embodiments may be implemented by hardware driven by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes Read-Only Memory (ROM), Random Access Memory (RAM), Erasable Programmable Read-Only Memory (EPROM), Compact Disc Read-Only Memory (CD-ROM), and other media capable of storing program code, such as a magnetic disk or an optical disk.
In order to execute the method 300 in the foregoing embodiment, the present application provides a network device 400, where the network device 400 may specifically be the first network device for executing the method 300. Referring to fig. 4, the network device 400 includes: a processing unit 401 and a transmitting unit 402.
The processing unit 401 is configured to generate a BGP UPDATE message, where the BGP UPDATE message is used to issue a BGP flow rule flow-spec route, and the BGP UPDATE message includes a flow-spec priority.
The sending unit 402 is configured to send the BGP UPDATE message generated by the processing unit 401 to a forwarding device, so as to trigger the forwarding device to generate a BGP flow-spec entry according to the BGP UPDATE message, where the BGP flow-spec entry includes the flow-spec priority, and the flow-spec priority is used to identify a priority of the BGP flow-spec entry when the BGP flow-spec entry is used to guide packet forwarding.
The network device is a Controller in a network architecture with separated control and forwarding planes; or
the network device is a forwarding device that forms a BGP peer with the forwarding device; or
the network device is a traffic analysis server.
Optionally, the flow-spec priority is carried in an extended community attribute field of the BGP UPDATE message.
Optionally, the flow-spec priority is carried in other attribute fields of the BGP UPDATE message. For example, the extended private attribute field in the BGP UPDATE message is used to carry the flow-spec priority, which is not limited in this embodiment of the present application.
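The carriage of the flow-spec priority in an extended community, as an added example (not code from the patent): packing the priority into one 8-octet BGP extended community and reading it back from the raw value of an EXTENDED_COMMUNITIES path attribute, next to a standard RFC 5575 traffic-rate action community. The patent does not say which type and sub-type codepoints carry the priority, so `PRIO_TYPE` and `PRIO_SUBTYPE` are placeholders chosen for this example and not codepoints from the page or from IANA; the AS number and rates are constructed sample values. The decoder includes the checks a receiving forwarding device should make: a length that is not a multiple of 8, or two priority communities on one route, is rejected rather than silently picking one.

```python
"""
Added example (not from the patent): flow-spec priority as a BGP extended
community, encoded and decoded alongside an RFC 5575 traffic-rate action.
PRIO_TYPE / PRIO_SUBTYPE are placeholders; the patent fixes no codepoint.
"""
import struct
from typing import Dict, List, Optional, Tuple

EXT_COMM_LEN = 8  # every extended community is 8 octets: type, sub-type, 6-octet value

# RFC 5575 traffic-rate action: type 0x80, sub-type 0x06, 2-octet AS, 4-octet IEEE float
RATE_TYPE, RATE_SUBTYPE = 0x80, 0x06

# Placeholder codepoints for the flow-spec priority (NOT from the patent or IANA).
PRIO_TYPE, PRIO_SUBTYPE = 0x80, 0xEE
PRIO_MAX = 255  # this encoding stores the priority in one octet of the value field


def encode_priority(priority: int) -> bytes:
    """Flow-spec priority in the first value octet, remaining five octets zero."""
    if not 0 <= priority <= PRIO_MAX:
        raise ValueError(f"flow-spec priority {priority} out of range 0..{PRIO_MAX}")
    return struct.pack("!BBB5x", PRIO_TYPE, PRIO_SUBTYPE, priority)


def encode_traffic_rate(asn: int, bytes_per_second: float) -> bytes:
    """RFC 5575 traffic-rate community; a rate of 0 means drop all matching traffic."""
    return struct.pack("!BBHf", RATE_TYPE, RATE_SUBTYPE, asn, bytes_per_second)


def parse_extended_communities(attr_value: bytes) -> Dict[str, object]:
    """Receiver-side decode with the sanity checks a forwarding device should make."""
    if len(attr_value) % EXT_COMM_LEN != 0:
        raise ValueError("EXTENDED_COMMUNITIES value is not a multiple of 8 octets")
    priority: Optional[int] = None
    traffic_rate: Optional[Tuple[int, float]] = None
    unknown: List[str] = []
    for off in range(0, len(attr_value), EXT_COMM_LEN):
        comm = attr_value[off:off + EXT_COMM_LEN]
        kind = (comm[0], comm[1])
        if kind == (PRIO_TYPE, PRIO_SUBTYPE):
            if priority is not None:
                raise ValueError("more than one flow-spec priority community on the route")
            priority = comm[2]
        elif kind == (RATE_TYPE, RATE_SUBTYPE):
            asn, rate = struct.unpack("!Hf", comm[2:])
            traffic_rate = (asn, rate)
        else:
            unknown.append(comm.hex())  # unrecognised communities are kept, not acted on
    return {"priority": priority, "traffic_rate": traffic_rate, "unknown": unknown}


def build_attribute(priority: int, asn: int, bytes_per_second: float) -> bytes:
    """Attribute value for one flow-spec route: its priority plus a traffic-rate action."""
    return encode_priority(priority) + encode_traffic_rate(asn, bytes_per_second)


if __name__ == "__main__":
    # Entry 1 of Table 4 in the fig. 2 scenario: priority 7, discard (rate 0); sample AS 65000.
    attr = build_attribute(7, 65000, 0.0)
    print(attr.hex())
    print(parse_extended_communities(attr))
```

Because the priority travels as an ordinary transitive extended community, the same import policy that already limits who may send flow-spec routes to a forwarding device (RFC 5575 validation against the unicast route of the destination prefix) also bounds who can raise an entry's priority; a receiver that accepts the community from any peer lets that peer reorder its table.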
In order to execute the method 300 in the foregoing embodiment, an embodiment of the present application provides a forwarding device 500, which includes, referring to fig. 5: a receiving unit 501 and a table processing unit 502.
The receiving unit 501 is configured to receive a BGP UPDATE message sent by a first network device, where the BGP UPDATE message is used to issue a BGP flow-spec route, and the BGP UPDATE message includes a flow-spec priority.
The table processing unit 502 is configured to generate a BGP flow-spec table entry according to the BGP UPDATE message received by the receiving unit 501, and store the BGP flow-spec table entry in a BGP flow-spec table, where the BGP flow-spec table entry includes the flow-spec priority, and the flow-spec priority is used to identify a priority of the BGP flow-spec table entry when the BGP flow-spec table entry is used to guide packet forwarding.
Optionally, the flow-spec priority is carried in an extended community attribute field of the BGP UPDATE message.
Optionally, the flow-spec priority is carried in other attribute fields of the BGP UPDATE message. For example, the extended private attribute field in the BGP UPDATE message is used to carry the flow-spec priority, which is not limited in this embodiment of the present application.
Optionally, the forwarding device 500 further includes: a message forwarding unit 503.
The packet forwarding unit 503 is configured to, when the forwarding device forwards a packet, match the packet's keywords against the BGP flow-spec table giving precedence to BGP flow-spec entries with a higher flow-spec priority, and to process the packet in the manner indicated by the action item information of the matched BGP flow-spec entry; the BGP flow-spec table comprises a plurality of BGP flow-spec entries, each of which comprises a flow-spec priority.
Optionally, the first network device is a Controller under a control forwarding separation network architecture.
Optionally, the first network device is a forwarding device that forms a BGP peer with the forwarding device.
Optionally, the first network device is a traffic analysis server.
The functional units in the embodiments of the present application may be implemented by circuits or by hardware driven by program instructions; the hardware may be any device known to those skilled in the art, such as a Network Processor (NP) or a Central Processing Unit (CPU).
The functional units in the embodiments of the present application may be integrated into one processor, each unit may exist physically on its own, or two or more circuits may be integrated into one circuit. The functional units may be implemented in hardware or as software functional units.
Fig. 6 and fig. 7 are schematic diagrams illustrating possible hardware structures of the first network device and the forwarding device in the method 300 provided in the embodiment of fig. 3. The first network device may be the first network device 600 as shown in fig. 6 and the forwarding device may be the forwarding device 700 as shown in fig. 7. The first network device 600 shown in fig. 6 and the forwarding device 700 shown in fig. 7 may be used to perform the method 300 described in the embodiment of fig. 3.
As shown in fig. 6, the first network device 600 includes a processor 601 and a network interface 602. The processor 601 may communicate with the forwarding device through a network interface 602.
The processor 601 is configured to generate a BGP UPDATE message, where the BGP UPDATE message is used to publish a BGP flow-spec route, and the BGP UPDATE message includes a flow-spec priority;
the network interface 602 is configured to send the BGP UPDATE message generated by the processor 601 to a forwarding device, so as to trigger the forwarding device to generate a BGP flow-spec entry according to the BGP UPDATE message, where the BGP flow-spec entry includes the flow-spec priority, and the flow-spec priority is used to identify a priority of the BGP flow-spec entry when the BGP flow-spec entry is used to guide packet forwarding.
Optionally, the first network device may be a Controller under a control forwarding separation network architecture. Optionally, the first network device may also be a forwarding device that forms a BGP peer with the forwarding device. Optionally, the first network device may also be a traffic analysis server. The embodiments of the present application do not limit this.
The flow-spec priority is carried in the extended community attribute field of the BGP UPDATE message.
Optionally, the flow-spec priority is carried in other attribute fields of the BGP UPDATE message. For example, the extended private attribute field in the BGP UPDATE message is used to carry the flow-spec priority, which is not limited in this embodiment of the present application.
In another embodiment, as shown in fig. 6, the first network device 600 may include: a processor 601, a network interface 602, and a memory 603. The memory 603 and the processor 601 may communicate over a bus 604; the processor 601 communicates with the forwarding device via a network interface 602.
The memory 603 is configured to store programs, instructions, or code;
the processor 601 is configured to execute the program, the instruction, or the code in the memory 603 to complete the operations of S301 and S306 in the method 300.
The network interface 602 is configured to complete the operation of S302 in the method 300.
The functions of the transmitting unit 402 in fig. 4 may be implemented by the network interface 602. The functions of the processing unit 401 in fig. 4 may be implemented by a processor 601.
As shown in fig. 7, the forwarding device 700 includes a network interface 701 and a processor 702;
the network interface 701 is configured to receive a BGP UPDATE message sent by a first network device, where the BGP UPDATE message is used to issue a BGP flow-spec route, and the BGP UPDATE message includes a flow-spec priority;
the processor 702 is configured to generate a BGP flow-spec entry according to the BGP UPDATE message received by the network interface 701, and store the BGP flow-spec entry in a BGP flow-spec table, where the BGP flow-spec entry includes the flow-spec priority, and the flow-spec priority is used to identify a priority of the BGP flow-spec entry when the BGP flow-spec entry is used to guide packet forwarding.
Optionally, the processor 702 may be further configured to, when the forwarding device forwards a packet, match the packet's keywords against the BGP flow-spec table giving precedence to BGP flow-spec entries with a higher flow-spec priority, and to process the packet in the manner indicated by the action item information of the matched BGP flow-spec entry; the BGP flow-spec table comprises a plurality of BGP flow-spec entries, each of which comprises a flow-spec priority.
Optionally, the flow-spec priority is carried in an extended community attribute field of the BGP UPDATE message.
Optionally, the flow-spec priority is carried in other attribute fields of the BGP UPDATE message. For example, the extended private attribute field in the BGP UPDATE message is used to carry the flow-spec priority, which is not limited in this embodiment of the present application.
Optionally, the first network device may be a Controller under a control forwarding separation network architecture. Optionally, the first network device may also be a forwarding device that forms a BGP peer with the forwarding device. Optionally, the first network device may also be a traffic analysis server. The embodiments of the present application do not limit this.
In another embodiment, the forwarding device 700 includes a network interface 701, a processor 702, and a memory 703. The memory 703 and processor 702 may communicate over a bus 704; the processor 702 may communicate with the first network device through a network interface 701.
The memory 703 is configured to store programs, instructions, or code;
the processor 702 is configured to execute the program, the instructions, or the codes in the memory 703 to complete the operations of S304 and S305 in the method 300.
The network interface 701 is configured to complete the operation of S301 in the method 300.
The functions of the receiving unit 501 in fig. 5 may be implemented by the network interface 701, and the functions of the table processing unit 502 and the packet forwarding unit 503 in fig. 5 may be implemented by the processor 702.
The memory 603 or 703 may be, but is not limited to, various media that can store program instruction codes, such as RAM, ROM, EPROM, CD-ROM, hard disk, or magnetic disk, and the embodiments of the present application are not limited thereto.
The processor 601 or the processor 702 may be one or more CPUs; where there is one CPU, it may be a single-core or a multi-core CPU, which is not limited in this embodiment of the present application.
The network interface 602 or the network interface 701 is a wired interface, such as a Fiber Distributed Data Interface (FDDI) interface or a Gigabit Ethernet (GE) interface, which is not limited in this embodiment.
The invention also provides a communication system, which comprises a first network device and a forwarding device, wherein the first network device can be the network device shown in fig. 4 or fig. 6. The forwarding device may be the forwarding device shown in fig. 5 or fig. 7. The first network device and the forwarding device are configured to execute the method 300 for generating an entry according to the embodiment of the present application.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses, systems and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The integrated unit, if implemented in hardware combined with software and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical features of the present invention that contribute over the prior art may be embodied as a software product stored in a storage medium and comprising several instructions that cause a computer device (which may be a personal computer, a server, or a network device) to perform some or all of the steps of the methods described in the embodiments of the present invention. The storage medium may be a USB disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
All parts of the specification are described in a progressive mode, the same and similar parts of all embodiments can be referred to each other, and each embodiment is mainly introduced to be different from other embodiments. In particular, as to the apparatus and system embodiments, since they are substantially similar to the method embodiments, the description is relatively simple and reference may be made to the description of the method embodiments in relevant places.
Finally, it is to be noted that: the above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the scope of the invention. To the extent that such modifications and variations of the present application fall within the scope of the claims and their equivalents, they are intended to be included within the scope of the present invention.

Claims (14)

1. A method for generating a table entry, the method comprising:
a first network device generates a BGP UPDATE message, wherein the BGP UPDATE message is used to issue a BGP flow rule (flow-spec) route and the BGP UPDATE message comprises a flow-spec priority; and
the first network device sends the BGP UPDATE message to a forwarding device to trigger the forwarding device to generate a BGP flow-spec entry according to the BGP UPDATE message, wherein the BGP flow-spec entry comprises the flow-spec priority, and the flow-spec priority is used to identify the priority of the BGP flow-spec entry when the BGP flow-spec entry is used to guide packet forwarding.
2. The method of claim 1, wherein
the first network device is a Controller in a network architecture with separated control and forwarding planes; or
the first network device is a forwarding device that forms a BGP peer with the forwarding device; or
the first network device is a traffic analysis server.
3. The method of claim 1 or 2, wherein the flow-spec priority is carried in an extended community attribute field of the BGP UPDATE message.
4. A method for generating a table entry, the method comprising:
a forwarding device receives a BGP UPDATE message sent by a first network device, wherein the BGP UPDATE message is used to issue a BGP flow rule (flow-spec) route and comprises a flow-spec priority; and
the forwarding device generates a BGP flow-spec entry according to the BGP UPDATE message and stores the BGP flow-spec entry in a BGP flow-spec table, wherein the BGP flow-spec entry comprises the flow-spec priority, and the flow-spec priority is used to identify the priority of the BGP flow-spec entry when the BGP flow-spec entry is used to guide packet forwarding.
5. The method of claim 4, wherein, when there are multiple BGP flow-spec entries in the BGP flow-spec table and each BGP flow-spec entry comprises a flow-spec priority, the method further comprises:
when the forwarding device forwards a packet, matching the packet's keywords against the BGP flow-spec table giving precedence to BGP flow-spec entries with a higher flow-spec priority, and processing the packet in the manner indicated by the action item information of the matched BGP flow-spec entry.
6. The method of claim 4 or 5, wherein the first network device is a Controller in a network architecture with separated control and forwarding planes; or
the first network device is a forwarding device that forms a BGP peer with the forwarding device; or
the first network device is a traffic analysis server.
7. A network device, comprising:
a processing unit, configured to generate a BGP UPDATE message, where the BGP UPDATE message is used to issue a BGP flow rule flow-spec route, and the BGP UPDATE message includes a flow-spec priority;
and a sending unit, configured to send the BGP UPDATE message generated by the processing unit to a forwarding device, so as to trigger the forwarding device to generate a BGP flow-spec entry according to the BGP UPDATE message, where the BGP flow-spec entry includes the flow-spec priority, and the flow-spec priority is used to identify a priority of the BGP flow-spec entry when the BGP flow-spec entry is used to guide packet forwarding.
8. The network device of claim 7, wherein
the network device is a Controller in a network architecture with separated control and forwarding planes; or
the network device is a forwarding device that forms a BGP peer with the forwarding device; or
the network device is a traffic analysis server.
9. The network device of claim 7 or 8,
the flow-spec priority is carried in the extended community attribute field of the BGP UPDATE message.
10. A forwarding device, comprising:
a receiving unit, configured to receive a BGP UPDATE message sent by a first network device, where the BGP UPDATE message is used to issue a BGP flow rule flow-spec route, and the BGP UPDATE message includes a flow-spec priority;
and the table processing unit is used for generating a BGP flow-spec table entry according to the BGP UPDATE message received by the receiving unit, and storing the BGP flow-spec table entry in a BGP flow-spec table, wherein the BGP flow-spec table entry comprises the flow-spec priority, and the flow-spec priority is used for marking the priority of the BGP flow-spec table entry when the BGP flow-spec table entry is used for guiding message forwarding.
11. The forwarding device of claim 10, wherein the forwarding device further comprises:
a packet forwarding unit, configured to, when the forwarding device forwards a packet, match the packet's keywords against the BGP flow-spec table giving precedence to BGP flow-spec entries with a higher flow-spec priority, and to process the packet in the manner indicated by the action item information of the matched BGP flow-spec entry; the BGP flow-spec table comprises a plurality of BGP flow-spec entries, each of which comprises a flow-spec priority.
12. The forwarding device of claim 10,
the flow-spec priority is carried in the extended community attribute field of the BGP UPDATE message.
13. The forwarding device of any one of claims 10-12, wherein the first network device is a Controller in a network architecture with separated control and forwarding planes; or
the first network device is a forwarding device that forms a BGP peer with the forwarding device; or
the first network device is a traffic analysis server.
14. A communication system comprising a network device as claimed in any of claims 7 to 9 and a forwarding device as claimed in any of claims 10 to 13.
CN201610506186.7A 2016-06-30 2016-06-30 Method and equipment for generating table entry Active CN107566298B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111366024.5A CN114205312A (en) 2016-06-30 2016-06-30 Method and equipment for generating table entry
CN201610506186.7A CN107566298B (en) 2016-06-30 2016-06-30 Method and equipment for generating table entry

Publications (2)

Publication Number Publication Date
CN107566298A CN107566298A (en) 2018-01-09
CN107566298B true CN107566298B (en) 2021-11-19

Family

ID=60969879

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202111366024.5A Pending CN114205312A (en) 2016-06-30 2016-06-30 Method and equipment for generating table entry
CN201610506186.7A Active CN107566298B (en) 2016-06-30 2016-06-30 Method and equipment for generating table entry

Country Status (1)

Country Link
CN (2) CN114205312A (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108616451B (en) * 2018-04-25 2020-12-29 新华三技术有限公司 Flow Spec route validation method, device and network equipment
CN110868429A (en) * 2019-12-20 2020-03-06 北京网太科技发展有限公司 BGP routing protocol security protection method and device
CN114257544A (en) 2020-09-22 2022-03-29 华为技术有限公司 Traffic processing method, traffic processing device and network equipment
CN115277527A (en) * 2021-04-30 2022-11-01 华为技术有限公司 Method and device for processing routing information

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101888334A (en) * 2009-05-11 2010-11-17 丛林网络公司 Utilize the routing policy expanded that dynamically the redefines structure of route priority value
CN103457820A (en) * 2013-08-27 2013-12-18 华为技术有限公司 Method and device for achieving layering virtual special local area network service
CN104821890A (en) * 2015-03-27 2015-08-05 上海博达数据通信有限公司 Realization method for OpenFlow multi-level flow tables based on ordinary switch chip

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2146465A1 (en) * 2008-07-15 2010-01-20 Deutsche Thomson OHG A method for managing data transmission according to a quality of service in a network assembly and a computer network system
CN104426768B (en) * 2013-09-05 2018-06-15 华为技术有限公司 A kind of data message forwarding method and device

Also Published As

Publication number Publication date
CN114205312A (en) 2022-03-18
CN107566298A (en) 2018-01-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant