CN111629275A - Safety filtering method for multicast table item self-aggregation - Google Patents
- Publication number: CN111629275A (application CN202010412178.2A)
- Authority: CN (China)
- Prior art keywords: multicast, address, control table, addresses, aggregation
- Legal status: Granted
Classifications
All three classifications fall under H (Electricity) > H04 (Electric communication technique) > H04N (Pictorial communication, e.g. television).
- H04N21/6405 Multicasting (H04N21/00 Selective content distribution, e.g. interactive television or video on demand > H04N21/60 Network structure or processes for video distribution; control signalling between clients, server and network components > H04N21/63 Control signaling related to video distribution; communication protocols; addressing > H04N21/64 Addressing)
- H04N21/25808 Management of client data (H04N21/00 Selective content distribution > H04N21/20 Servers specifically adapted for the distribution of content > H04N21/25 Management operations performed by the server, e.g. client device authentication > H04N21/258 Client or end-user data management)
- H04N7/181 Closed-circuit television [CCTV] systems for receiving images from a plurality of remote sources (H04N7/00 Television systems > H04N7/18 Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast)
Landscapes: Engineering & Computer Science; Multimedia; Signal Processing; Databases & Information Systems; Computer Graphics; Data Exchanges In Wide-Area Networks
Abstract
The invention discloses a security filtering method for multicast entry self-aggregation. A network node judges whether the multicast source IP addresses or the multicast group IP addresses of a plurality of multicast control entries meet an aggregation condition and, if so, aggregates those source or group addresses into the corresponding network segment address. It likewise judges whether the destination IP addresses of a plurality of unicast control entries that share the same source IP address meet the aggregation condition and, if so, aggregates those destination addresses into the corresponding network segment address. The aggregated network segment address is then used as the address in a new multicast control entry for forwarding data. The invention greatly reduces the number of control entries.
Description
Technical Field
The invention belongs to the technical field of access control, and particularly relates to a safe filtering method for multicast table entry self-aggregation.
Background
In a centrally managed information system, the management server knows the interaction relationships among all nodes, so it can centrally issue a whitelist to the network nodes, which install control entries to enforce data-forwarding control. Such control entries are typically access control lists (ACLs), which all network nodes support.
However, because the control table capacity of a network node is limited, static access control lists can exceed that capacity, so this approach cannot be applied to systems with complex services. The management server therefore adds and deletes entries dynamically as it interacts with the service terminals. Even so, the ACL capacity of the network node remains very tight, which prevents the system from using fine-grained control entries and so weakens its security.
In a centrally managed information system, a service management server controls all service terminals and network nodes. By default, a network node forwards only basic network protocol traffic and the registration messages from service terminals to the service management server; all other data packets are dropped. After a service terminal has registered, the service management server notifies every network node on the path between the service terminal and the service management server to admit the signaling and data that the terminal is authorized to exchange, that is, to add a whitelist, which necessarily contains the IP address of the service terminal.
In the prior art, however, the service management server sends a whitelist notification message to the network nodes for each service terminal. Because service terminals join and leave frequently, signaling between the service management server and the network nodes is very frequent, which consumes both system performance and network bandwidth, and the ACL entries of the network node remain in short supply.
Disclosure of Invention
The application aims to provide a security filtering method for multicast table entry self-aggregation that addresses the shortage of control table entries on network nodes.
In order to achieve the purpose, the technical scheme of the application is as follows:
a safe filtering method for multicast table entry self-aggregation is applied to network nodes and comprises the following steps:
acquiring multicast control entries; when the input interfaces and output interfaces of a plurality of multicast control entries are the same, judging whether their multicast source IP addresses or multicast group IP addresses meet an aggregation condition, and if so, aggregating those source IP addresses or multicast group IP addresses into the corresponding network segment address;
and generating a new multicast control table entry by using the aggregated network segment address, and deleting the original multicast control table entries.
Further, the security filtering method for multicast table entry self-aggregation further includes:
learning unicast control table items, and judging whether the destination IP addresses of a plurality of unicast control table items of the same source IP address meet the aggregation condition or not;
if the destination IP addresses of a plurality of unicast control table entries of the same source IP address are found to meet the aggregation condition, aggregating the destination IP addresses of the unicast control table entries into corresponding network segment addresses;
and merging the plurality of unicast control table entries into one multicast control table entry, wherein the source IP address of the multicast control table entry is the source IP address of the plurality of unicast control table entries, and the destination IP address of the multicast control table entry is the aggregated network segment address.
Further, determining whether the multicast source IP addresses or the destination (multicast group) IP addresses satisfy the aggregation condition includes:
comparing the multicast source IP addresses (or the multicast group IP addresses) of the multicast control entries and obtaining the number N of consecutive identical bits counted from the first bit; calculating the characteristic value corresponding to N, which equals the number M of multicast control entries being aggregated divided by 2 to the power X, where X equals the total number of bits of the IP address minus N; and judging whether the calculated characteristic value is greater than or equal to a preset threshold T, in which case the aggregation condition is met.
further, the determining whether the destination IP addresses of the unicast control entries of the same source IP address meet the aggregation condition includes:
comparing the destination IP addresses of the unicast control entries and obtaining the number N of consecutive identical bits counted from the first bit; calculating the characteristic value corresponding to N, which equals the number M of unicast control entries divided by 2 to the power X, where X equals the total number of bits of the destination IP address minus N; and judging whether the calculated characteristic value is greater than or equal to a preset threshold T, in which case the aggregation condition is met.
Further, the security filtering method for multicast table entry self-aggregation further includes:
when the multicast control entries are merged into a new multicast control entry, the IP addresses in the aggregated network segment that are not multicast source IP addresses or multicast group IP addresses of the original entries are also put into a blacklist, generating blacklist unicast control entries.
Further, the security filtering method for multicast table entry self-aggregation further includes:
when the unicast control entries are merged into one multicast control entry, the IP addresses in the network segment that are not destination IP addresses of the original unicast control entries are also put into a blacklist, generating blacklist unicast control entries.
Further, the security filtering method for multicast table entry self-aggregation further includes:
when one or more multicast control table entries are found to be invalid, whether the multicast source IP addresses or the multicast group IP addresses of the rest multicast control table entries meet the aggregation condition is judged again;
if the condition is still satisfied, data forwarding continues according to the new multicast control entry; otherwise the new multicast control entry is deleted.
Further, the security filtering method for multicast table entry self-aggregation further includes:
when one or more unicast control table entries are found to be invalid, judging whether the destination IP addresses of the remaining unicast control table entries meet the aggregation condition again;
if the condition is still satisfied, aggregating the destination IP addresses of the remaining unicast control entries into the corresponding network segment address; otherwise deleting the corresponding multicast control entry and forwarding according to the unicast control entries.
Further, before the determining whether the multicast source IP address or the destination IP address satisfies the aggregation condition, the method further includes:
calculating a dynamic initial prefix length S according to the capacity of the control table of the network node, using the formula:
S = (total number of bits of the IP address) − log2(C)
Wherein, C is the capacity of the control list item of the network node;
judging whether the multicast source IP addresses or the multicast destination IP addresses meet the aggregation condition then comprises:
comparing the multicast source IP addresses (or the multicast group IP addresses) of the multicast control entries and obtaining the number N of consecutive identical bits counted from the first bit; calculating the characteristic value corresponding to N, which equals the number M of multicast control entries being aggregated divided by 2 to the power X, where X equals the total number of bits of the IP address minus N; and judging whether the calculated characteristic value is greater than or equal to a preset threshold T and N is greater than or equal to S, in which case the aggregation condition is met.
Further, the security filtering method for multicast table entry self-aggregation further includes:
judging whether a physical port for forwarding data is a safe port or not;
after the physical port is judged to be a secure port, setting a control entry for that physical port that allows all data forwarded from it to pass, and deleting the other control entries whose forwarding port is that physical port.
According to the safe filtering method for multicast table entry self-aggregation, the network node carries out self-aggregation on the multicast control table entry and the unicast control table entry, and the network segment address after aggregation is used as the address in the new multicast control table entry, so that the number of the control table entries is reduced.
Drawings
Fig. 1 is a flowchart of a security filtering method for multicast entry self-aggregation according to the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
In a centrally managed information system, as services grow, a large number of whitelist control entries are required on a network node, and further whitelist control entries are added to the network nodes on the path from a service terminal to the other terminals it needs to interact with. Although whitelist entries are deleted continuously as services move through their stages, the control table of the forwarding chip of the network node remains very tight. The general idea of the application is to merge control entries on the network nodes where necessary in order to reduce their number.
In one embodiment, as shown in fig. 1, a security filtering method for multicast entry self-aggregation is provided, which is applied to a network node, and includes:
acquiring multicast control entries; when the input interfaces and output interfaces of a plurality of multicast control entries are the same, judging whether their multicast source IP addresses or multicast group IP addresses meet an aggregation condition, and if so, aggregating those source IP addresses or multicast group IP addresses into the corresponding network segment address;
and generating a new multicast control table entry by using the aggregated network segment address, and deleting the original multicast control table entries.
In this embodiment the network node is responsible for forwarding data. For example, in a video surveillance system the video management server is the service management server, and cameras, video clients and the like are service terminals. A camera captures video image data, a video client views it, and the data travels from the camera to the video client through the network node, on which control entries are set to control the forwarding.
Generally a video client must register with the video management server, so when the client wants to view the video of a video source it first interacts with the video management server and registers. Network nodes between the video client and the video management server, such as routers, switches and gateway devices, initially allow only basic network protocol traffic and the client's registration messages to the video management server to pass, and reject all other data packets. After the video client has registered, the video management server sends whitelist information to the network nodes, notifying every node on the path to admit the signaling and data that the client is authorized to exchange with the service terminal; that is, a whitelist control entry is added on the network node. Likewise a camera must first register with the video management server, and the network nodes between the camera and the server also receive a whitelist from the server and generate whitelist control entries for data forwarding.
The following description is directed to the service terminal, the service management server and the network node, and the service terminal, the service management server and the network node are not limited to a specific application system, and may be a video monitoring system or other communication systems.
And the network node generates a control table entry according to the white list issued by the service management server and controls the forwarding of the data. In a forwarding chip of a network node, a unicast control table entry and a multicast control table entry are respectively located in different areas. According to the method and the device, the control table entries of the forwarding chip in the network node can be reduced by combining a plurality of multicast control table entries into one multicast control table entry.
For example, camera a (IP address: 200.200.200.129) is in a multicast group with the multicast group address of 225.1.1.129, then the multicast control entry on the network node is (unicast IP of multicast source, multicast group address of the multicast), that is (200.200.200.129, 225.1.1.129).
Similarly, the camera B (200.200.200.130) is in a multicast group with a multicast group address of 225.1.1.130, and the multicast control entry on the network node is (unicast IP of multicast source, multicast group address of the multicast), that is (200.200.200.130, 225.1.1.130). The camera C (200.200.200.131) is in a multicast group with a multicast group address of 225.1.1.131, and the multicast control entry on the network node is (unicast IP of multicast source, multicast group address of the multicast), that is (200.200.200.131, 225.1.1.131).
In this embodiment, when the ingress interfaces and the egress interfaces of a plurality of multicast control entries are the same, for example, the ingress interfaces and the egress interfaces of the three multicast control entries are the same, if they are aggregated into one multicast control entry, the number of multicast control entries will be greatly reduced.
The following explains how to determine whether the multicast source IP address or the destination IP address satisfies the aggregation condition, and when the aggregation condition is satisfied, the multicast source IP address or the destination IP address is aggregated into a corresponding network segment address.
In this embodiment, considering whether a plurality of IP addresses satisfy the aggregation condition, it is preferable to determine whether the IP addresses satisfy the aggregation condition by:
comparing the multicast source IP addresses (or the multicast group IP addresses) of the multicast control entries and obtaining the number N of consecutive identical bits counted from the first bit; calculating the characteristic value corresponding to N, which equals the number M of multicast control entries being aggregated divided by 2 to the power X, where X equals the total number of bits of the IP address minus N; and judging whether the calculated characteristic value is greater than or equal to a preset threshold T, in which case the aggregation condition is met.
First, looking at the multicast source IP address, it is easy to find that the source IP addresses of the three multicast control entries are: 200.200.200.129, 200.200.200.130, 200.200.200.131.
It is easy to find that the first 30 bits of the source IP address are the same, and for the source IP address, the total number of bits of the IP address is 32, where N (the number of consecutive same bits from the first bit) is 30, and there are three IP addresses in total, and then M is equal to 3.
Then the characteristic value is M / 2^(32 − 30) = 3/4.
Assuming that the set threshold T is 50%, it can be found that the three IP addresses satisfy the aggregation condition, and aggregate them into corresponding network segment addresses. For the three source IP addresses, the network segment 200.200.200.128/30 can be aggregated.
200.200.200.128/30 includes four host addresses, respectively: 200.200.200.128-200.200.200.131. Therefore, the threshold T can be set to 50%, i.e. the ratio of the IP addresses to be aggregated in the network segment address pool is 50%. When the threshold value T is set, the number of IP addresses in the address pool of the aggregated network segment address is considered, and the proportion of the IP addresses in the address pool of the network segment address is preferably 40-80%. The aggregated network segment address may be the minimum network segment including the IP address in the IP addresses that need to be aggregated, and details about the aggregated network segment address are not described below.
Similarly, for the multicast group address, it is easy to find that the multicast group IP addresses of the three multicast control entries are: 225.1.1.129, 225.1.1.130, 225.1.1.131.
It is easy to find that the first 30 bits of the multicast group IP address are the same, and for the multicast group IP address, the total number of bits of the IP address is 32, where N (the number of bits which are continuously the same from the first bit) is 30, and there are three IP addresses in total, and then M is equal to 3.
Then the characteristic value is M / 2^(32 − 30) = 3/4.
Assuming the threshold T is set to 50%, the three IP addresses satisfy the aggregation condition and are aggregated into the corresponding network segment address. For the three multicast group IP addresses above, the network segment 225.1.1.128/30 is obtained.
225.1.1.128/30 contains the four addresses 225.1.1.128 to 225.1.1.131, of which three are in use, so the same threshold considerations as for the source segment apply.
After the IP address aggregation is carried out, the multicast control table entries are merged into one multicast control table entry, and the original multicast control table entries are deleted.
For example, the three multicast control entries may be merged into one multicast control entry (S, G), where S is the aggregated network segment of the camera source IP addresses and G is the aggregated network segment of the multicast group addresses. For the example above, the merged multicast control entry (S, G) is (200.200.200.128/30, 225.1.1.128/30).
It should be noted that, if the calculated characteristic value is smaller than the preset threshold T, the original multicast control entry is not processed, and the forwarding is still performed according to the original single multicast control entry.
In this embodiment, the network node only needs to install the multicast control entry (200.200.200.128/30, 225.1.1.128/30) in its forwarding chip and delete the three separate multicast control entries from the chip, replacing three entries with one and so reducing the number of control entries by two.
In another embodiment, to further improve security, a blacklist may be added to fill the "holes" created by the aggregated network segment. In the example above, the aggregated segment also admits 200.200.200.128, which is not a registered camera, so an illegal terminal using that address could inject traffic; adding a blacklist control entry for 200.200.200.128 on the network node removes that hidden danger. Counting the blacklist entry, one control entry is still saved overall (three original entries are replaced by one aggregated entry plus one blacklist entry).
That is, the present application provides a secure filtering method for multicast entry self-aggregation, further including:
when the multicast control entries are merged into a new multicast control entry, the IP addresses in the aggregated network segment that are not multicast source IP addresses or multicast group IP addresses of the original entries are also put into a blacklist, generating blacklist unicast control entries.
For the aggregated network segment 200.200.200.128/30, the network node allows multicast data from this segment to be forwarded; however, the segment contains four IP addresses, and 200.200.200.128 is not a camera address, so it must be added to the blacklist and a corresponding blacklist control entry generated that rejects forwarding of data from 200.200.200.128. For this to be effective, the blacklist (deny) entry must take precedence over the aggregated whitelist entry in the match order of the forwarding chip.
Similarly, the multicast group address is also processed, and is not described herein again.
In another embodiment, the network node may need to re-analyze the aggregated network segment address when it finds that the original multicast control entry is no longer valid.
That is, the present application provides a secure filtering method for multicast entry self-aggregation, further including:
when one or more multicast control table entries are found to be invalid, whether the multicast source IP addresses or the multicast group IP addresses of the rest multicast control table entries meet the aggregation condition is judged again;
if the condition is still satisfied, data forwarding continues according to the new multicast control entry; otherwise the new multicast control entry is deleted.
Still taking the cameras above as an example, after the multicast control entry (S, G) = (200.200.200.128/30, 225.1.1.128/30) is generated, the network node keeps a record of the original multicast control entries but deletes the entries that actually control data forwarding from the forwarding chip, and forwards data only according to the new aggregated multicast control entry.
If camera A leaves the multicast group, the corresponding multicast control entry recorded by the network node is no longer valid, yet the new multicast control entry would still forward data from 200.200.200.129, so it needs to be adjusted.
In this embodiment, when it is found that the multicast control entry recorded by the network node is no longer valid, it is determined again whether the multicast source IP address or the multicast group IP address of the remaining multicast control entries meets the aggregation condition, and if so, the multicast source IP address or the multicast group IP address of the remaining multicast control entries is aggregated into the corresponding network segment address.
For example, when camera A leaves, M equals 2 and the characteristic value is recalculated:
characteristic value = M / 2^(32 − 30) = 2/4
The characteristic value still equals the threshold T (50%), so the multicast control entry for the aggregated segment 200.200.200.128/30 can continue to be used; under the blacklist embodiment above, 200.200.200.129 now also becomes a hole in the segment and is blacklisted in the same way as 200.200.200.128. If camera B also leaves, M equals 1 and the characteristic value is 1/4, which is smaller than the threshold T; the multicast control entry for the aggregated segment 200.200.200.128/30 must then be deleted and the multicast control entry for camera C restored to control data forwarding.
If the multicast source IP address or the multicast group IP address does not satisfy the aggregation condition any more after one multicast control entry fails, it needs to be recovered and forwarded according to the original multicast control entry, which is not described herein again.
Since an IP address has 32 bits, checking whether aggregation is possible starting from the very first bit consumes CPU resources without yielding a better aggregation. The application therefore first calculates a dynamic initial prefix length S; IP addresses whose number N of identical leading bits is smaller than S get neither a characteristic value calculation nor aggregation, which avoids unnecessary calculation and judgment and saves CPU resources. S is calculated from the capacity of the network node's control table, so the node decides the initial prefix length itself.
The dynamic initial prefix length S can be derived directly from the capacity C of the network node's own control table: for example, if the capacity is 256, S is set to 24 bits or more, because with a shorter prefix the subsequent judgment formula is not necessarily satisfiable; if the capacity is 512, S is 23 or more, and so on.
The present application provides a specific embodiment, before determining whether the multicast source IP address or the destination IP address satisfies the aggregation condition, the method further includes:
calculating a dynamic initial prefix length S according to the capacity of the control table of the network node, using the formula:
S = (total number of bits of the IP address) − log2(C)
Wherein, C is the capacity of the control table entry of the network node itself.
During calculation, the log value of the capacity of the control table entry with the base number of 2 is rounded, and the difference obtained by subtracting the log value from 32 is used as the dynamic initial prefix length S. By the calculation, the dynamic initial prefix length S can be quickly determined, and the characteristic value and judgment of the IP address with the same first N bits and the N value smaller than S are not calculated during subsequent calculation and judgment.
Namely, judging whether the multicast source IP address or the destination IP address meets the aggregation condition, including:
comparing the multicast source IP addresses or the destination IP addresses of the multicast control entries, obtaining the number N of consecutive identical bits starting from the first bit, and calculating the characteristic value corresponding to N, where the characteristic value equals the number M of the unicast control entries divided by 2 to the power X, with X equal to the total number of bits of the IP address minus N; judging whether the calculated characteristic value is greater than or equal to a preset threshold T, and if so, with N greater than or equal to S, judging that the aggregation condition is met.
In another embodiment, the present application provides a security filtering method for controlling entry self-transformation, further comprising:
learning unicast control table entries, and aggregating the destination IP addresses of a plurality of unicast control table entries into corresponding network segment addresses if the destination IP addresses of the unicast control table entries of the same source IP address are found to meet the aggregation condition;
and merging the unicast control table entries into a multicast control table entry, wherein the source IP address of the multicast control table entry is the same source IP address, and the destination IP address of the multicast control table entry is the aggregated network segment address.
The network node generates control table entries according to the white list issued by the service management server and controls the forwarding of data accordingly. In the forwarding chip of the network node, unicast control table entries and multicast control table entries are located in different areas because their structures differ: a unicast control table entry has only one output interface, while a multicast control table entry has a plurality of output interfaces.
According to the method and device, the number of control table entries in the forwarding chip of the network node can be reduced by combining a plurality of unicast control table entries into one multicast control table entry.
For example, video camera A (IP address 10.10.10.120) is requested on demand by a plurality of video clients; assume there are three such video clients, where the IP address of video client 1 is 20.20.20.128, the IP address of video client 2 is 20.20.20.129, and the IP address of video client 3 is 20.20.20.130.
It is easy to understand that after the video clients register with the video management server, the video management server sends white list information to the network node, and the network node generates three corresponding unicast control entries whose source IP address is 10.10.10.120 and whose destination addresses are 20.20.20.128, 20.20.20.129 and 20.20.20.130 respectively.
It should be noted that the output interfaces of the unicast control table entries may be the same or different; when they are different, generally a plurality of unicast control table entries must be provided. The method and device take advantage of the multicast control table entry's support for a plurality of output interfaces and convert a plurality of unicast control table entries into one multicast control table entry so as to reduce the number of control table entries.
The method and device observe the unicast control table entries; when the destination IP addresses of the unicast control table entries with the same source IP address meet the aggregation condition, those destination IP addresses are aggregated into the corresponding network segment address and the unicast control table entries are combined into one multicast control table entry. After the multicast control table entry is generated, the original unicast control table entries are deleted, so that the number of control table entries in the forwarding chip of the network node is reduced.
Taking the video clients requesting camera A on demand as an example, the source IP address of the unicast control entries is 10.10.10.120 and the destination addresses are 20.20.20.128, 20.20.20.129 and 20.20.20.130 respectively. The following explains how to judge whether the destination addresses meet the aggregation condition and, when it is met, how the destination IP addresses are aggregated into the corresponding network segment address.
In this embodiment, to decide whether multiple IP addresses satisfy the aggregation condition, it is preferable to determine whether the destination IP addresses of multiple unicast control entries with the same source IP address satisfy the aggregation condition by the following method:
comparing the destination IP addresses of the unicast control table entries, obtaining the number N of consecutive identical bits starting from the first bit, and calculating the characteristic value corresponding to N, where the characteristic value equals the number M of the unicast control table entries divided by 2 to the power X, with X equal to the total number of bits of the destination IP address minus N; judging whether the calculated characteristic value is greater than or equal to a preset threshold T, and if so, judging that the aggregation condition is met.
In this embodiment, it is easy to see that the first 30 bits of the three destination IP addresses are the same. For the destination IP address, the total number of bits is 32, N (the number of consecutive identical bits starting from the first bit) is 30, and since there are three IP addresses in total, M is equal to 3.
Then: characteristic value = M / 2^(32 - 30) = 3/4
Assuming that the set threshold T is 50%, the three IP addresses satisfy the aggregation condition and are aggregated into the corresponding network segment address; for these three IP addresses, the aggregated network segment is 20.20.20.128/30.
20.20.20.128/30 includes four host addresses, 20.20.20.128 to 20.20.20.131. Therefore the threshold T can be set to 50%, i.e. the IP addresses to be aggregated make up 50% of the address pool of the network segment. When setting the threshold T, the number of IP addresses in the address pool of the aggregated network segment should be considered; preferably the IP addresses to be aggregated make up 40-80% of the address pool of the network segment. The aggregated network segment address may be the smallest network segment containing all the IP addresses that need to be aggregated; the aggregated network segment address is not described further below.
After IP address aggregation is carried out, the unicast control table entries are merged into one multicast control table entry, and the original unicast control table entries are deleted.
For example, the three unicast control table entries may be merged into one multicast control table entry (S, G), where G in the (S, G) table entry is the IP network segment address after aggregation, and S is the IP address of the camera. For the above example, the merged multicast control entry (S, G) is (10.10.10.120, 20.20.20.128/30).
It should be noted that, if the calculated characteristic value is smaller than the preset threshold T, the unicast control table entry is not processed, and the forwarding is still performed according to the unicast control table entry.
In this embodiment, the network node only needs to issue one control entry for the 20.20.20.128/30 network segment to its forwarding chip and delete the three scattered control entries from the chip, reducing the number of control entries by 2.
In another embodiment, to further increase security, a blacklist may be added to fill in the "holes" created by the aggregated network segment. For example, if the aggregated network segment control table entry may allow traffic intrusion by an illegal terminal at 20.20.20.128, a blacklist control table entry for 20.20.20.128 may be added to the network node, avoiding the hidden danger. In this case 1 control table entry is saved overall.
Namely, the application provides a security filtering method for controlling the self-conversion of the table entry, which further comprises the following steps:
when the unicast control entries are combined into one multicast control entry, the IP addresses in the network segment address that do not belong to the destination IP addresses of the unicast control entries are also put into a blacklist, generating blacklist unicast control entries.
For the aggregated network segment address 20.20.20.128/30, the network node allows multicast transmission of data to this network segment; however, since the network segment includes 4 IP addresses and 20.20.20.128 is not the IP address of a video client, it needs to be added to the blacklist and a corresponding blacklist control entry generated, so that forwarding of data to 20.20.20.128 is rejected.
In another embodiment, the network node may need to re-analyze the aggregated network segment address when it finds that a unicast control table entry is no longer valid.
Namely, the application provides a security filtering method for controlling the self-conversion of the table entry, which further comprises the following steps:
when one or more unicast control table entries are found to be invalid, judging whether the destination IP addresses of the remaining unicast control table entries meet the aggregation condition again;
if the aggregation condition is still satisfied, aggregating the destination IP addresses of the remaining unicast control table entries into the corresponding network segment address; otherwise deleting the corresponding multicast control table entry and forwarding according to the unicast control table entries.
Still taking the video clients requesting camera A as an example, after the multicast control entry (S, G) = (10.10.10.120, 20.20.20.128/30) is generated, the network node keeps a record of the original unicast control entries but deletes from the forwarding chip the unicast control entries that actually control data forwarding, and forwards data only with the multicast control entry. If video client 1 no longer requests data from camera A, the corresponding unicast control entry recorded by the network node is no longer valid, yet the multicast control entry still sends the multicast data to 20.20.20.128, which needs to be adjusted.
In this embodiment, when it is found that the unicast control table entry recorded by the network node is no longer valid, it is determined again whether the destination IP addresses of the remaining unicast control table entries meet the aggregation condition, and if so, the destination IP addresses of the remaining unicast control table entries are aggregated into the corresponding network segment address, otherwise, the corresponding multicast control table entry is deleted, and forwarding is performed according to the unicast control table entry.
For example, when video client 1 exits, M equals 2 and the characteristic value is recalculated:
characteristic value = M / 2^(32 - 30) = 2/4
It can be seen that the characteristic value is still equal to the threshold T (50%) at this point, so the multicast control entry corresponding to the aggregated segment 20.20.20.128/30 can continue to be used. If video client 2 also exits, M equals 1 and the calculated characteristic value is 1/4, smaller than the threshold T; at this point the multicast control entry corresponding to the aggregated network segment address 20.20.20.128/30 needs to be deleted, and the unicast control entry corresponding to video client 3 is restored to control the forwarding of data.
It is easy to understand that, after video client 1 exits, the characteristic value is still equal to the threshold T (50%) and the multicast control entry corresponding to the aggregated segment 20.20.20.128/30 may continue to be used, but video client 1 may be placed in the blacklist to generate a corresponding blacklist unicast control entry so that data forwarding to it is rejected, which is not described herein again.
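The aggregation check described above (dynamic initial prefix length S, the characteristic value M / 2^(32 - N) against threshold T, the aggregated (S, G) entry, blacklist entries for the segment's "holes", and re-evaluation when a unicast entry becomes invalid) as one runnable model. This is an added example, not code from the patent; all names, the capacity of 256, the threshold of 50% and the sample addresses are assumptions taken from the worked example, and in this model every hole of the segment is always blacklisted.

```python
# Added example: model of the patent's self-aggregation of unicast control
# entries (not the patent's own code; names and sample values are assumed).
import math
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

IP_BITS = 32  # total number of bits of an IPv4 address


def initial_prefix_length(capacity: int) -> int:
    """S = 32 - round(log2 C), C being the node's control table capacity."""
    return IP_BITS - round(math.log2(capacity))


def common_prefix_bits(addrs) -> int:
    """N: leading bits shared by all addresses, counted from the first bit."""
    ints = [int(IPv4Address(a)) for a in addrs]
    n = 0
    for bit in range(IP_BITS - 1, -1, -1):
        ref = (ints[0] >> bit) & 1
        if any(((v >> bit) & 1) != ref for v in ints):
            break
        n += 1
    return n


def characteristic_value(m: int, n: int) -> float:
    """M / 2^X with X = 32 - N: the share of the segment's addresses in use."""
    return m / (2 ** (IP_BITS - n))


@dataclass
class Aggregation:
    segment: IPv4Network   # aggregated network segment address (the G)
    blacklist: list        # segment addresses that have no unicast entry
    characteristic: float
    prefix_bits: int


def try_aggregate(dest_addrs, capacity, threshold, prefix_bits=None):
    """Return an Aggregation if the addresses meet the condition, else None.
    prefix_bits is passed when an existing segment is re-checked after an
    entry became invalid: M is recounted and the segment is kept."""
    addrs = sorted(set(dest_addrs), key=lambda a: int(IPv4Address(a)))
    if not addrs:
        return None
    if prefix_bits is None:
        if len(addrs) < 2:
            return None
        n = common_prefix_bits(addrs)
        if n < initial_prefix_length(capacity):
            return None  # shared prefix shorter than S: not evaluated at all
    else:
        n = prefix_bits
    cv = characteristic_value(len(addrs), n)
    if cv < threshold:
        return None
    segment = IPv4Network(f"{addrs[0]}/{n}", strict=False)
    members = {IPv4Address(a) for a in addrs}
    holes = [str(h) for h in segment if h not in members]
    return Aggregation(segment, holes, cv, n)


class NodeControlTable:
    """Control entries of one network node, kept per source IP address."""

    def __init__(self, capacity: int, threshold: float):
        self.capacity, self.threshold = capacity, threshold
        self.unicast = {}    # source -> set of whitelisted destinations
        self.multicast = {}  # source -> Aggregation held by the chip

    def learn(self, source: str, dest: str) -> None:
        self.unicast.setdefault(source, set()).add(dest)
        self._reevaluate(source, keep_segment=False)

    def invalidate(self, source: str, dest: str) -> None:
        self.unicast.get(source, set()).discard(dest)
        self._reevaluate(source, keep_segment=True)

    def _reevaluate(self, source: str, keep_segment: bool) -> None:
        existing = self.multicast.get(source)
        prefix = existing.prefix_bits if (existing and keep_segment) else None
        agg = try_aggregate(self.unicast.get(source, ()), self.capacity,
                            self.threshold, prefix)
        if agg is None:
            self.multicast.pop(source, None)  # back to unicast forwarding
        else:
            self.multicast[source] = agg

    def chip_entries(self, source: str) -> list:
        """Entries the forwarding chip holds: one (S, G) entry plus one
        blacklist entry per hole, or else the plain unicast entries."""
        agg = self.multicast.get(source)
        if agg is not None:
            return ([("multicast", source, str(agg.segment))]
                    + [("blacklist", source, h) for h in agg.blacklist])
        return [("unicast", source, d)
                for d in sorted(self.unicast.get(source, ()))]
```

For the three clients of the worked example the /30 is installed with one blacklist entry for the single unused address, and removing clients 1 and then 2 reproduces the 2/4 and 1/4 re-evaluations above.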
In another embodiment, the present application provides a security filtering method for controlling entry self-transformation, further comprising:
judging whether a physical port for forwarding data is a safe port or not;
after the physical port is judged to be the safe port, setting a control table entry corresponding to the physical port, allowing data forwarded from the physical port to pass through, and deleting other control table entries of which the forwarding port is the physical port.
In this embodiment, the optimization condition is whether the physical port is detected to be a secure port. The following describes, with specific examples, how to determine whether a physical port is a secure port; one embodiment of this determination includes:
when the network node finds that the attribute information of the data forwarded through the physical port stays fixed for a preset time, judging that the physical port is a secure port.
For example, if the five-tuple information of the data transmitted on some physical port (e.g. physical port A) stays fixed for a long time (e.g. more than 1 month), i.e. only a few specific five-tuples enter from physical port A, physical port A is set as a secure port. When the control table entries of the network node are scarce, the network node decides by itself to issue to the forwarding chip a table entry containing only the input port (namely input port A), which means that all data from physical port A is uniformly passed, and the other control table entries whose input port is physical port A are deleted, saving control table entries.
It should be noted that, in this embodiment, a physical port is considered a secure port by observing whether the five-tuple information of the data on the port is fixed and whether it stays so for a long time; if it does, the physical port is considered a secure port. Other methods may also be used to determine whether a physical port is a secure port, for example observing the messages received on the physical port: if similar messages of the same type are received at high frequency, the port is an unsafe port, otherwise it is considered a secure port. The embodiments of the present application do not describe the method for identifying a secure port in detail.
It should be noted that when the service management server finds that the data of the service terminal no longer satisfies the optimization condition, white list increase/decrease information is sent to the network node according to the existing technical scheme; after receiving it, the network node regenerates the control table entries according to that information to forward data, which is not described herein again.
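The secure-port embodiment above, as an added example that is not part of the patent: a per-port observer that records the five-tuples seen and treats the port as secure only when a few tuples have stayed fixed for the whole preset window, plus the control table rewrite that replaces the port's entries with a single port-level pass entry. The class and function names, the 1-month window, the limit of 4 tuples and the sample entries are assumptions; the observer also reports a newly seen tuple so that a port-level entry can be revoked when the port stops being stable.

```python
# Added example (not the patent's code): secure-port decision from five-tuple
# stability, and the port-level control entry that replaces per-flow entries.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


class PortObserver:
    """Per physical port: the five-tuples seen and when that set last changed.
    A port is secure when only a few tuples were seen and the set has not
    changed for the whole preset window (assumed here to be 1 month)."""

    def __init__(self, window: timedelta, max_flows: int):
        self.window = window
        self.max_flows = max_flows       # "only a few specific five-tuples"
        self.flows = defaultdict(set)    # port -> set of FiveTuple
        self.stable_since = {}           # port -> time the set last changed

    def observe(self, port: str, ft: FiveTuple, ts: datetime) -> bool:
        """Record a packet's five-tuple. Returns True when the tuple is new
        for the port: the stability clock restarts, and a port-level pass
        entry installed earlier should be revoked."""
        if ft in self.flows[port]:
            return False
        self.flows[port].add(ft)
        self.stable_since[port] = ts
        return True

    def is_secure(self, port: str, now: datetime) -> bool:
        flows = self.flows.get(port)
        if not flows or len(flows) > self.max_flows:
            return False
        return now - self.stable_since[port] >= self.window


def apply_secure_port(entries: list, port: str) -> list:
    """Replace every control entry whose input port is `port` by a single
    entry that passes all data from that port; entries of other ports are
    kept unchanged."""
    kept = [e for e in entries if e.get("in_port") != port]
    kept.append({"in_port": port, "action": "allow"})
    return kept
```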
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.
Claims (10)
1. A security filtering method for multicast table entry self-aggregation is applied to a network node, and is characterized in that the security filtering method for multicast table entry self-aggregation comprises the following steps:
acquiring multicast control table entries, judging whether a multicast source IP address or a multicast group IP address meets an aggregation condition when the input interfaces and the output interfaces of a plurality of multicast control table entries are the same, and aggregating the source IP address or the multicast group IP address into a corresponding network segment address if the multicast source IP address or the multicast group IP address meets the aggregation condition;
and generating a new multicast control table entry by using the aggregated network segment address, and deleting the original multicast control table entries.
2. The method of claim 1, wherein the method for securely filtering multicast table entry self-aggregation further comprises:
learning unicast control table items, and judging whether the destination IP addresses of a plurality of unicast control table items of the same source IP address meet the aggregation condition or not;
if the destination IP addresses of a plurality of unicast control table entries of the same source IP address are found to meet the aggregation condition, aggregating the destination IP addresses of the unicast control table entries into corresponding network segment addresses;
and merging the plurality of unicast control table entries into one multicast control table entry, wherein the source IP address of the multicast control table entry is the source IP address of the plurality of unicast control table entries, and the destination IP address of the multicast control table entry is the aggregated network segment address.
3. The method of claim 1, wherein the determining whether the multicast source IP address or the destination IP address satisfies the aggregation condition comprises:
comparing the multicast source IP addresses or the destination IP addresses of the multicast control entries, obtaining the number N of consecutive identical bits starting from the first bit, and calculating the characteristic value corresponding to N, where the characteristic value equals the number M of the unicast control entries divided by 2 to the power X, with X equal to the total number of bits of the IP address minus N; judging whether the calculated characteristic value is greater than or equal to a preset threshold T, and if so, judging that the aggregation condition is met.
4. The method of claim 2, wherein the determining whether the destination IP addresses of the unicast control entries in the same source IP address meet the aggregation condition comprises:
comparing the destination IP addresses of the unicast control table entries, obtaining the number N of consecutive identical bits starting from the first bit, and calculating the characteristic value corresponding to N, where the characteristic value equals the number M of the unicast control table entries divided by 2 to the power X, with X equal to the total number of bits of the destination IP address minus N; judging whether the calculated characteristic value is greater than or equal to a preset threshold T, and if so, judging that the aggregation condition is met.
5. The method of claim 1, wherein the method for securely filtering multicast table entry self-aggregation further comprises:
when the multicast control items are combined into a new multicast control item, the IP addresses which do not belong to the multicast source IP address or the multicast group IP address in the aggregated network segment address are also put into a blacklist to generate a blacklist unicast control item.
6. The method of claim 2, wherein the method for securely filtering multicast table entry self-aggregation further comprises:
when the unicast control items are combined into one multicast control item, the IP address in the destination IP address which does not belong to the unicast control item in the network segment address is also put into a blacklist to generate a blacklist unicast control item.
7. The method of claim 1, wherein the method for securely filtering multicast table entry self-aggregation further comprises:
when one or more multicast control table entries are found to be invalid, whether the multicast source IP addresses or the multicast group IP addresses of the rest multicast control table entries meet the aggregation condition is judged again;
if the aggregation condition is still satisfied, continuing to forward data according to the new multicast control table entry, otherwise deleting the new multicast control table entry.
8. The method of claim 2, wherein the method for securely filtering multicast table entry self-aggregation further comprises:
when one or more unicast control table entries are found to be invalid, judging whether the destination IP addresses of the remaining unicast control table entries meet the aggregation condition again;
if the aggregation condition is still satisfied, aggregating the destination IP addresses of the remaining unicast control table entries into the corresponding network segment address; otherwise deleting the corresponding multicast control table entry and forwarding according to the unicast control table entries.
9. The method of claim 1, wherein before determining whether the multicast source IP address or the multicast destination IP address satisfies the aggregation condition, the method further comprises:
calculating a dynamic initial prefix length S according to the capacity of a control table entry of a network node, wherein the calculation formula of the dynamic initial prefix length S is as follows:
S = (total number of bits of the IP address) - log2(C)
Wherein, C is the capacity of the control list item of the network node;
the judging whether the multicast source IP address or the multicast destination IP address meets the aggregation condition comprises the following steps:
comparing the multicast source IP addresses or the destination IP addresses of the multicast control entries, obtaining the number N of consecutive identical bits starting from the first bit, and calculating the characteristic value corresponding to N, where the characteristic value equals the number M of the unicast control entries divided by 2 to the power X, with X equal to the total number of bits of the IP address minus N; judging whether the calculated characteristic value is greater than or equal to a preset threshold T, and if so, with N greater than or equal to S, judging that the aggregation condition is met.
10. The method of claim 1, wherein the method for securely filtering multicast table entry self-aggregation further comprises:
judging whether a physical port for forwarding data is a safe port or not;
after the physical port is judged to be the safe port, setting a control table entry corresponding to the physical port, allowing data forwarded from the physical port to pass through, and deleting other control table entries of which the forwarding port is the physical port.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010412178.2A CN111629275B (en) | 2020-05-15 | 2020-05-15 | Safety filtering method for multicast table item self-aggregation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111629275A true CN111629275A (en) | 2020-09-04 |
CN111629275B CN111629275B (en) | 2022-06-10 |
Family
ID=72271869
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |