CN113612782B - Virtual machine migration verification method and device - Google Patents


Info

Publication number: CN113612782B
Application number: CN202110903768.XA
Authority: CN (China)
Prior art keywords: message, virtual machine, tunnel endpoint, endpoint device, forwarded
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN113612782A
Inventor: 张余
Current assignee: China United Network Communications Group Co Ltd (as listed by Google Patents)
Original assignee: China United Network Communications Group Co Ltd
Events: application filed by China United Network Communications Group Co Ltd; priority to CN202110903768.XA; publication of CN113612782A; application granted; publication of CN113612782B; legal status Active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • G06F 2009/4557 Distribution of virtual machine instances; Migration and load balancing

Abstract

The invention discloses a virtual machine migration verification method and device in the technical field of communication. The method comprises the following steps: receiving a route update message sent by a first tunnel endpoint device, where the route update message is generated by the first tunnel endpoint device, from the virtual machine address corresponding to a message to be forwarded, when it determines that the message to be forwarded is a target message; the target message is a message sent by a target virtual machine, i.e. a virtual machine attached under the first tunnel endpoint device whose next hop address is nevertheless the current tunnel endpoint device; sending a verification request to the virtual machine corresponding to that virtual machine address; and, if a verification response message is returned by the virtual machine, refusing to update the routing information of the current tunnel endpoint device according to the route update message and generating and sending a route update rejection message to the first tunnel endpoint device, so that the first tunnel endpoint device refuses to forward the message to be forwarded according to the route update rejection message, thereby preventing virtual machine migration spoofing.

Description

Virtual machine migration verification method and device
Technical Field
The invention relates to the technical field of communication, in particular to a virtual machine migration verification method and device.
Background
Virtual Machine (VM) migration refers to moving a virtual machine from one server to another. In a Virtual eXtensible Local Area Network (VXLAN), one or more virtual machines may be configured under a VXLAN Tunnel Endpoint (VTEP) device. In the current technical solution, when an attacker under tunnel endpoint device VTEP2 impersonates virtual machine VM1, which is under tunnel endpoint device VTEP1, and sends a data packet to VTEP2, VTEP2 looks up the source address of the packet in its local address table, finds that the corresponding next hop is VTEP1, and therefore wrongly concludes that VM1 has migrated from VTEP1 to VTEP2. VTEP2 then sends route update information about VM1 to the other tunnel endpoint devices, which change the device recorded as the next hop for VM1 from VTEP1 to VTEP2, so that when other devices access VM1 their packets are sent to VTEP2 according to the updated routing information, and VTEP2 then forwards the packets to VTEP1. However, since VM1 has not actually migrated to VTEP2, VTEP2 cannot forward the corresponding packets to VM1, and data cannot be transmitted normally.
Disclosure of Invention
Therefore, the invention provides a virtual machine migration verification method and a virtual machine migration verification device, which are used for solving the problem that data cannot be normally transmitted due to virtual machine migration cheating performed by an attacker.
In order to achieve the above object, a first aspect of the present invention provides a virtual machine migration verification method, applied to a second tunnel endpoint device, which includes:
receiving a route update message sent by a first tunnel endpoint device, where the route update message is generated by the first tunnel endpoint device, from the virtual machine address corresponding to a message to be forwarded, when it determines that the message to be forwarded is a target message; the target message is a message sent by a target virtual machine, and the target virtual machine is a virtual machine attached under the first tunnel endpoint device whose next hop address is nevertheless the current tunnel endpoint device;
sending a verification request to the virtual machine corresponding to the virtual machine address;
refusing to update the routing information of the current tunnel endpoint device according to the route update message if a verification response message returned by the virtual machine is received, where the verification response message is a feedback message generated by the virtual machine on receiving the verification request;
and generating and sending a route update rejection message to the first tunnel endpoint device, so that the first tunnel endpoint device refuses to forward the message to be forwarded according to the route update rejection message.
Further, the verification request is an extended address resolution protocol request message, and the operation type indication value of the extended address resolution protocol request message is 0x0003;
the verification response message is an extended address resolution protocol response message, and the operation type indication value of the extended address resolution protocol response message is 0x0004.
Further, after sending the verification request to the virtual machine corresponding to the virtual machine address, the virtual machine migration verification method further includes:
if no verification response message is returned by the virtual machine, updating the routing information of the current tunnel endpoint device according to the virtual machine address;
and generating and sending a route update response message to the first tunnel endpoint device.
In order to achieve the above object, a second aspect of the present invention provides a virtual machine migration verification method, applied to a first tunnel endpoint device, which includes:
when a message to be forwarded is determined to be a target message, generating a route update message according to the virtual machine address corresponding to the message to be forwarded; the target message is a message sent by a target virtual machine, and the target virtual machine is a virtual machine attached under the current tunnel endpoint device whose next hop address is the second tunnel endpoint device;
sending the route update message to the second tunnel endpoint device;
and refusing to forward the message to be forwarded if a route update rejection message returned by the second tunnel endpoint device is received, where the route update rejection message is generated and sent by the second tunnel endpoint device on receiving a verification response message returned by the virtual machine corresponding to the virtual machine address, and the verification response message is generated by the virtual machine on receiving a verification request sent by the second tunnel endpoint device.
Further, before generating the route update message according to the virtual machine address corresponding to the message to be forwarded when the message to be forwarded is determined to be the target message, the virtual machine migration verification method further includes:
receiving the message to be forwarded;
and determining whether the message to be forwarded is the target message according to the virtual machine address corresponding to the message to be forwarded and the routing information of the current tunnel endpoint device.
Further, after refusing to forward the message to be forwarded on receiving a route update rejection message returned by the second tunnel endpoint device, the virtual machine migration verification method further includes:
setting a reminder identifier on the address table entry corresponding to the virtual machine address in the routing information of the current tunnel endpoint device, and starting a reminder identifier timer;
discarding any message matching the reminder identifier that is received within a preset time, where a message matching the reminder identifier is a message whose source address is the same as the virtual machine address, and the preset time is the validity period of the reminder identifier timer;
and clearing the reminder identifier timer once its running duration is greater than or equal to the validity period.
Further, after sending the route update message to the second tunnel endpoint device, the virtual machine migration verification method further includes:
forwarding the message to be forwarded if a route update response message returned by the second tunnel endpoint device is received, where the route update response message is generated and sent to the current tunnel endpoint device after the second tunnel endpoint device, having received no verification response message from the virtual machine, has updated its routing information according to the virtual machine address.
Further, after forwarding the message to be forwarded on receiving a route update response message returned by the second tunnel endpoint device, the virtual machine migration verification method further includes:
updating the routing information of the current tunnel endpoint device according to the virtual machine address;
and sending a route update request, which includes the virtual machine address, to the tunnel endpoint devices within a preset range so that each of them updates its own routing information.
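The first-tunnel-endpoint side of the procedure above (detecting a target message from the local MAC table, holding it until the previous VTEP answers, dropping it and setting the reminder identifier on a rejection, or forwarding it and propagating the route on a response) as an added simulation, not code from the patent; the class and message names, the "AC" next-hop marker and the 60-second reminder validity period are assumptions chosen for illustration:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MacEntry:
    """Local MAC address table entry of the first tunnel endpoint device.
    next_hop is "AC" (assumed marker) for a VM reached over a local attachment
    circuit, or the name of the remote VTEP the table currently points the MAC at."""
    next_hop: str
    reminder_until: float = 0.0   # expiry of the reminder identifier timer; 0.0 = not set


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dst_mac: str


@dataclass
class FirstVtep:
    name: str
    mac_table: Dict[str, MacEntry]
    reminder_ttl: float = 60.0   # assumed validity period of the reminder timer (seconds)
    pending: Dict[str, Frame] = field(default_factory=dict)   # frames held for verification
    control_out: List[Tuple] = field(default_factory=list)    # control messages sent to peers
    forwarded: List[Frame] = field(default_factory=list)
    dropped: List[Frame] = field(default_factory=list)

    def target_next_hop(self, frame: Frame) -> Optional[str]:
        """A frame arriving on a local access port is a 'target message' when the
        local table still records another VTEP as next hop for its source MAC.
        Returns that VTEP's name, or None when the frame is not a target message."""
        entry = self.mac_table.get(frame.src_mac)
        if entry is None or entry.next_hop == "AC":
            return None
        return entry.next_hop

    def on_access_frame(self, frame: Frame, now: float) -> str:
        entry = self.mac_table.get(frame.src_mac)
        if entry is not None and entry.reminder_until:
            if now < entry.reminder_until:
                # Reminder identifier still valid: a recent route update for this
                # source address was rejected, so drop without asking again.
                self.dropped.append(frame)
                return "dropped-reminder"
            entry.reminder_until = 0.0   # timer reached its validity period: clear it
        old_home = self.target_next_hop(frame)
        if old_home is None:
            # Unknown or locally attached source: ordinary forwarding (MAC learning
            # for unknown sources is not modelled here).
            self.forwarded.append(frame)
            return "forwarded"
        # Apparent migration: hold the frame and ask the VM's previous VTEP to verify.
        self.pending[frame.src_mac] = frame
        self.control_out.append(("ROUTE_UPDATE", old_home, frame.src_mac, frame.src_ip))
        return "pending-verification"

    def on_route_update_reject(self, vm_mac: str, now: float) -> str:
        """The previous VTEP confirmed the VM is still there: the held frame is forged."""
        frame = self.pending.pop(vm_mac, None)
        if frame is None:
            return "no-pending"
        self.dropped.append(frame)
        self.mac_table[vm_mac].reminder_until = now + self.reminder_ttl
        return "rejected"

    def on_route_update_response(self, vm_mac: str, peers: List[str]) -> str:
        """The previous VTEP got no answer from the VM, so the migration is genuine:
        forward the held frame, take the VM as local, and tell the peers in range."""
        frame = self.pending.pop(vm_mac, None)
        if frame is None:
            return "no-pending"
        self.forwarded.append(frame)
        self.mac_table[vm_mac] = MacEntry(next_hop="AC")
        for peer in peers:
            self.control_out.append(("ROUTE_UPDATE_REQUEST", peer, vm_mac))
        return "accepted"
```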
In order to achieve the above object, a third aspect of the present invention provides a virtual machine migration verification apparatus, which can be deployed on a second tunnel endpoint device and includes:
a receiving module configured to receive a route update message sent by a first tunnel endpoint device, where the route update message is generated by the first tunnel endpoint device, from the virtual machine address corresponding to a message to be forwarded, when it determines that the message to be forwarded is a target message; the target message is a message sent by a target virtual machine, and the target virtual machine is a virtual machine attached under the first tunnel endpoint device whose next hop address is nevertheless the current tunnel endpoint device;
a first sending module configured to send a verification request to the virtual machine corresponding to the virtual machine address, and to send a route update rejection message to the first tunnel endpoint device so that the first tunnel endpoint device refuses to forward the message to be forwarded according to the route update rejection message;
an update refusal module configured to refuse to update the routing information of the current tunnel endpoint device according to the route update message when a verification response message returned by the virtual machine is received, where the verification response message is a feedback message generated by the virtual machine on receiving the verification request;
and a first generation module configured to generate the route update rejection message.
In order to achieve the above object, a fourth aspect of the present invention provides a virtual machine migration verification apparatus, which can be deployed on a first tunnel endpoint device and includes:
a second generation module configured to generate a route update message according to the virtual machine address corresponding to a message to be forwarded when the message to be forwarded is determined to be a target message; the target message is a message sent by a target virtual machine, and the target virtual machine is a virtual machine attached under the current tunnel endpoint device whose next hop address is the second tunnel endpoint device;
a second sending module configured to send the route update message to the second tunnel endpoint device;
and a forwarding refusal module configured to refuse to forward the message to be forwarded when a route update rejection message returned by the second tunnel endpoint device is received, where the route update rejection message is generated and sent by the second tunnel endpoint device on receiving a verification response message returned by the virtual machine corresponding to the virtual machine address, and the verification response message is generated by the virtual machine on receiving a verification request sent by the second tunnel endpoint device.
The invention has the following advantages:
the invention provides a virtual machine migration verification method and device that receive a route update message sent by a first tunnel endpoint device, where the route update message is generated by the first tunnel endpoint device, from the virtual machine address corresponding to a message to be forwarded, when it determines that the message to be forwarded is a target message, the target message being a message sent by a target virtual machine, i.e. a virtual machine attached under the first tunnel endpoint device whose next hop address is nevertheless the current tunnel endpoint device; send a verification request to the virtual machine corresponding to the virtual machine address; refuse to update the routing information of the current tunnel endpoint device according to the route update message if a verification response message returned by the virtual machine is received, the verification response message being generated by the virtual machine on receiving the verification request; and generate and send a route update rejection message to the first tunnel endpoint device so that the first tunnel endpoint device refuses to forward the message to be forwarded according to the route update rejection message. This effectively prevents an attacker from carrying out virtual machine migration spoofing and ensures normal transmission of data.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.
Fig. 1 is a schematic diagram of a virtual machine network architecture according to an embodiment of the present invention;
fig. 2 is a flowchart of a virtual machine migration verification method according to an embodiment of the present invention;
fig. 3 is a flowchart of a virtual machine migration verification method according to another embodiment of the present invention;
fig. 4 is a flowchart of a virtual machine migration verification method according to yet another embodiment of the present invention;
fig. 5 is a block diagram illustrating a virtual machine migration verification apparatus according to an embodiment of the present invention;
fig. 6 is a block diagram illustrating a virtual machine migration verification apparatus according to another embodiment of the present invention;
fig. 7 is a schematic signaling interaction diagram of a virtual machine migration verification system according to an embodiment of the present invention;
fig. 8 is a schematic signaling interaction diagram of a virtual machine migration verification system according to another embodiment of the present invention.
Detailed Description
The following describes in detail embodiments of the present invention with reference to the drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.
With the rise of computer technology and 'cloud computing', virtualization technology develops rapidly. Virtualization technology is an intermediate layer technology at one or more layers of a computer architecture that provides a virtual lower layer interface to an upper layer. In a virtualized environment, it is desirable to transfer a virtual machine that is normally running on one physical computer to another physical computer for several reasons, and this execution process is referred to as virtual machine migration.
During migration, a physical computer may be attacked so that a designated physical computer in the network holds the address information the attacker wants it to hold; when that computer sends a message to the designated address polluted by the attacker, the message cannot reach the correct physical computer and is instead delivered to the physical computer chosen by the attacker. This is a virtual machine migration spoofing attack, and it prevents data from being transmitted normally.
In view of this, the present application provides a method and an apparatus for verifying virtual machine migration, which perform migration verification on a virtual machine through a verification request to ensure that the virtual machine actually migrates, thereby avoiding virtual machine migration spoofing and ensuring normal data transmission.
A first aspect of the present application provides a virtual machine network architecture. Fig. 1 is a schematic diagram of a virtual machine network architecture according to an embodiment of the present invention.
As shown in fig. 1, the virtual machine network architecture is based on virtual extensible network setup, specifically, a first tunnel endpoint device 101 and a second tunnel endpoint device 102 are set in a virtual machine extensible network 100, where the first tunnel endpoint device 101 is composed of a first server 103 and a second server 104, a first virtual machine 106 and a second virtual machine 107 run in the first server 103, and a third virtual machine 108 runs in the second server 104; the second tunnel endpoint device 102 is composed of a third server 105, and a fourth virtual machine 109 is running in the third server 105.
In some embodiments, the virtual machine may be migrated from one server to another according to actual needs. When the servers before and after the migration of the virtual machine do not belong to the same tunnel endpoint device, the virtual machine is equivalent to the migration between the tunnel endpoint devices. For example, migrating the first virtual machine 106 to the third server 105 is equivalent to migrating the first virtual machine 106 from the first tunnel endpoint device 101 to the second tunnel endpoint device 102.
The second aspect of the present application provides a virtual machine migration verification method. Fig. 2 is a flowchart of a virtual machine migration verification method according to an embodiment of the present application, where the method is applicable to a second tunnel endpoint device. As shown in fig. 2, the method comprises the steps of:
step S201, receiving a route update message sent by the first tunnel endpoint device.
The route update message is generated by the first tunnel endpoint device, from the virtual machine address corresponding to the message to be forwarded, when it determines that the message to be forwarded is a target message. The target message is a message sent by a target virtual machine, and the target virtual machine is a virtual machine attached under the first tunnel endpoint device whose next hop address is nevertheless the current tunnel endpoint device (here, the second tunnel endpoint device). In some embodiments, the virtual machine address includes the Media Access Control (MAC) address and/or the Internet Protocol (IP) address of the virtual machine.
In other words, when the first tunnel endpoint device determines from the message to be forwarded that the virtual machine which sent it appears to have migrated from another tunnel endpoint device to a position under the first tunnel endpoint device, and the first tunnel endpoint device has not yet updated the local address table entry for that virtual machine, the first tunnel endpoint device sends a route update message to the tunnel endpoint device the virtual machine was under before the migration, so as to verify the migration and avoid migration spoofing.
In some embodiments, after receiving a message to be forwarded sent by a virtual machine under it, the first tunnel endpoint device determines whether the message is a target message according to the virtual machine address corresponding to the message and its own routing information. When the message to be forwarded is determined to be a target message, it generates a route update message according to the virtual machine address corresponding to the message and sends the route update message to the current tunnel endpoint device, which receives it.
For example, VM1 is a virtual machine under VTEP1. When VM1 wants to communicate with VM2 (assume VM2 is not under VTEP1), VM1 obtains the MAC address of VM2 from its Address Resolution Protocol (ARP) cache and sends the message to be forwarded to VTEP1. VTEP1 judges from the configuration of its Layer 2 sub-interfaces that the message needs to enter a VXLAN tunnel, determines the Bridge Domain (BD), i.e. the large Layer 2 broadcast domain, to which the message belongs, and from that determines its VXLAN Network Identifier (VNI). At the same time, VTEP1 takes the MAC address of VM1 from the message and finds that the next hop of VM1's entry in the local MAC address table is VTEP2, so it judges that VM1 is a target virtual machine and the message to be forwarded is a target message. Based on this, VTEP1 generates a route update message from the MAC address and IP address of VM1 and sends it to VTEP2 through the VXLAN tunnel identified by the VNI.
Step S202, a verification request is sent to the virtual machine corresponding to the virtual machine address.
The verification request is used to check whether the virtual machine has really migrated. Specifically, if the message to be forwarded was sent by an attacker impersonating the target virtual machine, the target virtual machine is still attached to the current tunnel endpoint device rather than to the first tunnel endpoint device, so it can still receive the verification request sent by the current tunnel endpoint device and will return a verification response message to it. On receiving the verification response message, the current tunnel endpoint device learns that the target virtual machine is still under it and has not migrated to the first tunnel endpoint device; hence the message to be forwarded was sent by an attacker posing as the target virtual machine, and the virtual machine migration spoofing is identified.
In some embodiments, after receiving the route update message, the current tunnel endpoint device determines that the address of the target virtual machine is present in its local address table entries and sends a verification request to the virtual machine corresponding to that address. In some implementations, the verification request may be broadcast over the local network segment.
For example, after receiving the route update message sent by VTEP1, VTEP2 determines that the MAC address of VM1 is in a local address table entry and that its ingress interface is an Attachment Circuit (AC). VTEP2 sends an extended ARP packet (which can only be broadcast within the local network segment) whose Operation (OP) type indication value is 0x0003, meaning that VTEP2 is sending a verification request to VM1 at Layer 2. In the extended ARP packet, the destination MAC address is the MAC address of VM1, the destination IP address is the IP address of VM1, the source MAC address is the MAC address of VTEP2, and the source IP address is the IP address of VTEP2.
If the message to be forwarded was sent by an attacker impersonating VM1, VM1 is still attached to VTEP2. VM1 receives the extended ARP packet, identifies it from the OP indication value 0x0003 as a Reverse Address Resolution Protocol (RARP) request, and returns an extended ARP response packet to VTEP2 whose OP indication value is 0x0004.
It should be noted that, in the prior art, after receiving the route update message, the current tunnel endpoint device generally responds to the route update message and updates the route information of the current tunnel endpoint device. Therefore, when virtual machine migration spoofing occurs, this spoofing cannot be recognized, and the routing information is changed to address information that the attacker wishes to hold.
Step S203, refusing to update the routing information of the current tunnel endpoint device according to the routing update message when receiving the verification response message returned by the virtual machine.
The verification response message is a feedback message generated by the virtual machine on receiving the verification request.
In some embodiments, the virtual machine returns a verification response message to the current tunnel endpoint device after receiving the verification request. When the current tunnel endpoint device receives the verification response message, it has established that the virtual machine can still receive broadcast messages on the local network segment and therefore has not migrated, so it refuses to update the routing information for the virtual machine according to the route update message.
It should be noted that if the current tunnel endpoint device does not receive a verification response message from the virtual machine, it updates its own routing information according to the virtual machine address and generates and sends a route update response message to the first tunnel endpoint device. After receiving the route update response message from the current tunnel endpoint device, the first tunnel endpoint device forwards the message to be forwarded.
For example, if VM1 has really migrated from VTEP2 to VTEP1, VM1 can no longer receive the extended ARP packet broadcast by VTEP2 and will not return an extended ARP response packet. VTEP2 therefore knows that the migration of VM1 is genuine, updates its routing information according to the route update message, and sends a route update response message to VTEP1. After receiving the route update response message, VTEP1 forwards the message to be forwarded.
Step S204, generating and sending a route updating refusing message to the first tunnel endpoint equipment, so that the first tunnel endpoint equipment refuses to forward the message to be forwarded according to the route updating refusing message.
In some embodiments, after receiving the verification response message the current tunnel endpoint device knows that the target virtual machine has not migrated to the first tunnel endpoint device, so it generates a route update rejection message and sends it to the first tunnel endpoint device. On receiving the route update rejection message, the first tunnel endpoint device learns that the target virtual machine has not migrated under it, recognises that the message to be forwarded is forged, and refuses to forward it.
In this embodiment, a route update message sent by a first tunnel endpoint device is received, where the route update message is generated by the first tunnel endpoint device, from the virtual machine address corresponding to a message to be forwarded, when it determines that the message to be forwarded is a target message, the target message being a message sent by a target virtual machine, i.e. a virtual machine attached under the first tunnel endpoint device whose next hop address is nevertheless the current tunnel endpoint device; a verification request is sent to the virtual machine corresponding to the virtual machine address; and if a verification response message returned by the virtual machine is received, where the verification response message is generated by the virtual machine on receiving the verification request, the routing information of the current tunnel endpoint device is not updated according to the route update message, and a route update rejection message is generated and sent to the first tunnel endpoint device so that the first tunnel endpoint device refuses to forward the message to be forwarded according to the route update rejection message. This effectively prevents an attacker from carrying out virtual machine migration spoofing and ensures normal transmission of data.
Fig. 3 is a flowchart of a virtual machine migration verification method according to another embodiment of the present application, where the method is applicable to a first tunnel endpoint device. As shown in fig. 3, the method comprises the steps of:
Step S301, under the condition that the message to be forwarded is determined to be a target message, generating a route update message according to the virtual machine address corresponding to the message to be forwarded.
The target message is a message sent by a target virtual machine, and the target virtual machine is a virtual machine that is attached below the current tunnel endpoint device but whose next hop address is the second tunnel endpoint device. In some embodiments, the virtual machine address includes the media access control (MAC) address and/or the IP address of the virtual machine.
When the first tunnel endpoint device judges, from the message to be forwarded, that the virtual machine sending it has migrated to the first tunnel endpoint device from another tunnel endpoint device, and the first tunnel endpoint device has not yet updated the local address table entry of that virtual machine accordingly, the first tunnel endpoint device generates a route update message and sends it to the tunnel endpoint device to which the virtual machine belonged before migration, so as to verify the migration and thereby avoid migration cheating.
In some embodiments, after receiving a message to be forwarded from a virtual machine attached below it, the first tunnel endpoint device determines whether the message is a target message according to the virtual machine address corresponding to the message and the routing information of the first tunnel endpoint device. When the message to be forwarded is determined to be a target message, a route update message is generated according to the virtual machine address corresponding to the message and sent to the second tunnel endpoint device, which receives it.
For example, VM1 is a virtual machine attached below VTEP1. When VM1 wants to communicate with VM2 (assumed not to be attached below VTEP1), VM1 obtains the MAC address of VM2 from its ARP cache and sends a packet to be forwarded to VTEP1. VTEP1 judges from the configuration of its Layer 2 sub-interfaces that the packet needs to enter a VXLAN tunnel, determines the bridge domain (BD) to which the packet belongs, and from it the VNI to which the packet belongs. At the same time, VTEP1 obtains the MAC address of VM1 from the packet and finds that the next hop of the address table entry of VM1 in its local MAC address table is VTEP2; it therefore judges that VM1 is a target virtual machine and that the packet is a target packet. Based on this, VTEP1 generates a route update message from the MAC address and IP address of VM1.
Step S302, sending the route update message to the second tunnel endpoint device.
The second tunnel endpoint device is the tunnel endpoint device to which the target virtual machine belonged before migration.
In some embodiments, after receiving the route update message, the second tunnel endpoint device sends a verification request to the virtual machine corresponding to the virtual machine address. In some implementations, the verification request is broadcast on the local network segment.
If the message to be forwarded was sent by an attacker impersonating the target virtual machine, the target virtual machine is still attached to the second tunnel endpoint device rather than the first, so it still receives the verification request sent by the second tunnel endpoint device and returns a verification response message to it. On receiving the verification response message, the second tunnel endpoint device learns that the target virtual machine is still attached below it and has not migrated to the first tunnel endpoint device, so the message to be forwarded must have been sent by an attacker impersonating the target virtual machine, and the migration cheating is identified.
Step S303, rejecting to forward the message to be forwarded when receiving the route update reject message returned by the second tunnel endpoint device.
The route update reject message is a message generated and sent by the second tunnel endpoint device when receiving a verification response message returned by the virtual machine corresponding to the virtual machine address, and the verification response message is a message generated by the virtual machine when receiving a verification request sent by the second tunnel endpoint device.
In some embodiments, the virtual machine returns a verification response message to the second tunnel endpoint device after receiving the verification request. On receiving the verification response message, the second tunnel endpoint device confirms that the virtual machine can still receive broadcast messages on its local network segment, learns that the virtual machine has not migrated to the first tunnel endpoint device, refuses to update its own routing information according to the route update message, and sends a route update reject message to the first tunnel endpoint device. On receiving the route update reject message, the first tunnel endpoint device learns that the message to be forwarded is forged and refuses to forward it.
In some other embodiments, if the second tunnel endpoint device does not receive the verification response message returned by the virtual machine, the second tunnel endpoint device updates its routing information according to the virtual machine address, generates a routing update response message, and sends the routing update response message to the first tunnel endpoint device. And after receiving the route updating response message sent by the second tunnel endpoint device, the first tunnel endpoint device executes the forwarding operation of the message to be forwarded.
For example, if VM1 migrates from VTEP2 to VTEP1, VM1 cannot receive the extended ARP packet broadcast by VTEP2, and therefore, VM1 does not return the extended ARP response packet to VTEP2. Based on this, VTEP2 updates its routing information according to the MAC address and IP address of VM1, generates a routing update response message, and transmits the routing update response message to VTEP1. After receiving the route update response message, the VTEP1 forwards the packet to be forwarded to the destination address, learns the correspondence between the MAC address of the VM1, the VNI, and the packet ingress interface, and records the correspondence in the local MAC table.
Additionally, VTEP1 may also send routing information for VM1 to other VTEPs. After receiving the routing information of the VM1 sent by the VTEP1, the other VTEPs update the address table entry of the VM1 in the local address table entry according to the routing information of the VM1, so that the packet can be forwarded to the VM1 according to the updated address table entry.
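The exchange of steps S301 to S303 above (VTEP1 classifying the packet as in the VM1/VTEP2 example, VTEP2 probing its local segment after the route update message, and the reject or route update response branches) as an added Python simulation. This is not code from the patent or from the applicant: the VTEP, frame and message structures, the dictionary-based MAC table, the name "local" for a locally attached next hop, and the sample MAC and IP addresses are all constructed assumptions. It runs both the forged-migration case (the attacker borrows VM1's MAC but keeps its own IP) and the genuine-migration case, so the two outcomes can be compared side by side:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample addresses (not from the patent).
VM1_MAC, VM1_IP = "02:00:00:00:00:01", "10.0.0.1"
VM2_MAC, VM2_IP = "02:00:00:00:00:02", "10.0.0.2"
ATTACKER_IP = "10.0.0.99"          # the attacker keeps its own IP and borrows VM1's MAC


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str


@dataclass
class VTEP:
    name: str
    # local MAC table: VM MAC -> next hop, either "local" or the name of a remote VTEP
    mac_table: Dict[str, str] = field(default_factory=dict)
    # VMs that can currently hear a broadcast on this VTEP's local segment (MAC -> IP)
    local_vms: Dict[str, str] = field(default_factory=dict)
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def target_next_hop(self, frame: Frame) -> Optional[str]:
        """Step S301: a frame whose source MAC currently points at another VTEP
        is a claimed migration; return that VTEP's name, otherwise None."""
        next_hop = self.mac_table.get(frame.src_mac)
        return None if next_hop in (None, "local") else next_hop

    def probe_local_segment(self, vm_mac: str) -> Optional[dict]:
        """Step S202: broadcast the verification request (extended ARP, op 0x0003)
        on the local segment. Only a VM still attached here can answer (op 0x0004)."""
        if vm_mac in self.local_vms:
            return {"op": 0x0004, "mac": vm_mac, "ip": self.local_vms[vm_mac]}
        return None

    def handle_route_update(self, update: dict) -> dict:
        """Steps S203/S204 (reject) or the route update response branch (accept)."""
        if self.probe_local_segment(update["mac"]) is not None:
            # The VM still answers on this segment, so the claimed migration is forged.
            return {"type": "route_update_reject", "mac": update["mac"]}
        # Silence on the segment: accept the migration and repoint the entry.
        self.mac_table[update["mac"]] = update["from"]
        return {"type": "route_update_response", "mac": update["mac"]}


def ingress(first: VTEP, peers: Dict[str, VTEP], frame: Frame) -> str:
    """First VTEP logic for a frame from an attached VM (steps S301 to S303).
    Returns "not_target", "rejected" or "forwarded"."""
    remote = first.target_next_hop(frame)
    if remote is None:
        first.forwarded.append(frame)
        return "not_target"
    update = {"type": "route_update", "from": first.name,
              "mac": frame.src_mac, "ip": frame.src_ip}
    answer = peers[remote].handle_route_update(update)      # step S302
    if answer["type"] == "route_update_reject":
        first.dropped.append(frame)                         # step S303
        return "rejected"
    first.forwarded.append(frame)
    first.mac_table[frame.src_mac] = "local"                # learn the VM locally
    return "forwarded"


def run_spoof_scenario() -> tuple:
    """VM1 still sits under VTEP2; an attacker under VTEP1 borrows its MAC."""
    vtep1 = VTEP("VTEP1", mac_table={VM1_MAC: "VTEP2"})
    vtep2 = VTEP("VTEP2", mac_table={VM1_MAC: "local"}, local_vms={VM1_MAC: VM1_IP})
    frame = Frame(VM1_MAC, ATTACKER_IP, VM2_MAC, VM2_IP)
    verdict = ingress(vtep1, {"VTEP2": vtep2}, frame)
    return verdict, vtep2.mac_table[VM1_MAC], vtep1.mac_table[VM1_MAC]


def run_migration_scenario() -> tuple:
    """VM1 really moved to VTEP1, so VTEP2's broadcast goes unanswered."""
    vtep1 = VTEP("VTEP1", mac_table={VM1_MAC: "VTEP2"}, local_vms={VM1_MAC: VM1_IP})
    vtep2 = VTEP("VTEP2", mac_table={VM1_MAC: "local"})    # VM1 is no longer here
    frame = Frame(VM1_MAC, VM1_IP, VM2_MAC, VM2_IP)
    verdict = ingress(vtep1, {"VTEP2": vtep2}, frame)
    return verdict, vtep2.mac_table[VM1_MAC], vtep1.mac_table[VM1_MAC]


if __name__ == "__main__":
    print(run_spoof_scenario())      # ('rejected', 'local', 'VTEP2')
    print(run_migration_scenario())  # ('forwarded', 'VTEP1', 'local')
```

In the spoof case neither table changes and the frame is dropped; in the genuine case VTEP2 repoints VM1 at VTEP1 and VTEP1 learns VM1 as local, which is the state the text describes VTEP1 then advertising to the other VTEPs.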
In this embodiment, when the message to be forwarded is determined to be a target message, a route update message is generated according to the virtual machine address corresponding to the message to be forwarded; the target message is a message sent by a target virtual machine, and the target virtual machine is a virtual machine that is attached below the current tunnel endpoint device but whose next hop address is the second tunnel endpoint device. The route update message is sent to the second tunnel endpoint device, and forwarding of the message to be forwarded is refused if a route update reject message is returned by the second tunnel endpoint device, where the route update reject message is generated and sent by the second tunnel endpoint device on receiving a verification response message from the virtual machine corresponding to the virtual machine address, and the verification response message is generated by the virtual machine on receiving the verification request sent by the second tunnel endpoint device. This effectively prevents an attacker from carrying out virtual machine migration cheating and thus ensures normal transmission of data.
Fig. 4 is a flowchart of a virtual machine migration verification method according to yet another embodiment of the present application, where the method is applicable to a first tunnel endpoint device. As shown in fig. 4, the method includes the steps of:
Step S401, under the condition that the message to be forwarded is determined to be a target message, generating a route update message according to the virtual machine address corresponding to the message to be forwarded.
Step S402, sending the route update message to the second tunnel endpoint device.
Step S403, rejecting forwarding the message to be forwarded when receiving the route update reject message returned by the second tunnel endpoint device.
Steps S401 to S403 in this embodiment are the same as steps S301 to S303 in the previous embodiment, and are not described again here.
Step S404, a reminding identifier is set for an address table item corresponding to the virtual machine address in the routing information of the current tunnel endpoint device, and a reminding identifier timer is set.
In some embodiments, when the current tunnel endpoint device receives the route update reject message and thereby learns that the message to be forwarded is forged, it adds a reminding identifier to the address table entry corresponding to the virtual machine address in its local address table and sets a reminding identifier timer for that identifier.
And step S405, under the condition that the message matched with the reminding identifier is received within the preset time, discarding the message.
The message matched with the reminding identifier is a message with the source address same as the virtual machine address, and the preset time is the validity period of the reminding identifier timer.
In some embodiments, when within the preset time a data packet whose source address is identical to the virtual machine address is received from the AC port, the packet is determined to match the reminding identifier and is therefore discarded directly.
Step S406, clearing the reminding identifier timer under the condition that the running time of the reminding identifier timer is greater than or equal to the validity period.
When the reminding identifier timer has run beyond its validity period, the timer is cleared, so that messages of the virtual machine can again be forwarded normally.
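Steps S404 to S406 as an added Python example; this is not the patent's or the applicant's code. The table layout (one dictionary entry per MAC holding the next hop and the timer start), the injectable clock, the "AC port" flag on each received frame and the sample MAC address are constructed assumptions. The example shows the three states a practitioner cares about: the flag active inside the validity period (drop), a tunnel-side frame with the same source MAC (never affected, since the identifier only applies to AC-side traffic), and the timer expiring (entry clears and forwarding resumes):

```python
import time
from typing import Callable, Dict


class ReminderTable:
    """Address table of the first VTEP with the reminding identifier and its
    timer attached to each entry (steps S404 to S406)."""

    def __init__(self, validity: float, clock: Callable[[], float] = time.monotonic):
        self.validity = validity             # validity period of the reminder timer, seconds
        self.clock = clock                   # injectable so expiry can be tested offline
        # MAC -> {"next_hop": str | None, "reminder_started": float | None}
        self.entries: Dict[str, dict] = {}

    def learn(self, mac: str, next_hop: str) -> None:
        self.entries[mac] = {"next_hop": next_hop, "reminder_started": None}

    def flag_spoof(self, mac: str) -> None:
        """Step S404: after a route update reject, mark the entry and start its timer."""
        entry = self.entries.setdefault(mac, {"next_hop": None, "reminder_started": None})
        entry["reminder_started"] = self.clock()

    def _clear_if_expired(self, entry: dict) -> None:
        """Step S406: once the timer has run for the whole validity period, clear it."""
        started = entry["reminder_started"]
        if started is not None and self.clock() - started >= self.validity:
            entry["reminder_started"] = None

    def should_drop(self, src_mac: str, from_ac_port: bool) -> bool:
        """Step S405: drop an AC-side frame whose source MAC still carries an
        active reminding identifier. Frames arriving from the tunnel side are
        never matched, so the real VM's traffic from its home VTEP is untouched."""
        entry = self.entries.get(src_mac)
        if entry is None or not from_ac_port:
            return False
        self._clear_if_expired(entry)
        return entry["reminder_started"] is not None


def simulate(validity: float = 60.0) -> list:
    """Replay a constructed timeline against a fake clock; returns the drop decisions."""
    now = [0.0]
    table = ReminderTable(validity, clock=lambda: now[0])
    vm1 = "02:00:00:00:00:01"                # constructed sample MAC
    table.learn(vm1, "VTEP2")
    decisions = []
    table.flag_spoof(vm1)                    # t = 0: reject received, timer starts
    now[0] = 1.0
    decisions.append(table.should_drop(vm1, from_ac_port=True))    # True: inside the period
    decisions.append(table.should_drop(vm1, from_ac_port=False))   # False: tunnel side
    now[0] = validity - 0.5
    decisions.append(table.should_drop(vm1, from_ac_port=True))    # True: still inside
    now[0] = validity
    decisions.append(table.should_drop(vm1, from_ac_port=True))    # False: timer cleared
    return decisions


if __name__ == "__main__":
    print(simulate())   # [True, False, True, False]
```

Expiry is evaluated lazily on the next matching frame rather than by a background timer, which keeps the example single-threaded; a device implementation would typically age the flag from its existing table-ageing machinery instead.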
In the embodiment, when the occurrence of the virtual machine migration cheating is determined, the reminding identifier and the reminding identifier timer are set for the address table entry corresponding to the virtual machine address, so that the migration cheating attack behavior of the same virtual machine can be avoided within a period of time, and the network security is improved.
The steps of the above methods are divided for clarity of description; in implementation they may be combined into one step or a step may be split into several, and as long as the same logical relationship is preserved these variants all fall within the protection scope of this patent. Adding insignificant modifications to the algorithms or processes, or introducing insignificant design changes without altering the core design of the algorithms or processes, likewise falls within the scope of this patent.
A third aspect of the present application provides a virtual machine migration verification apparatus. Fig. 5 is a block diagram illustrating a virtual machine migration verification apparatus according to an embodiment of the present application, where the apparatus may be disposed at a second tunnel endpoint device. As shown in fig. 5, the virtual machine migration verification apparatus 500 includes the following modules:
a receiving module 501 configured to receive a route update message sent by a first tunnel endpoint device.
The first sending module 502 is configured to send an authentication request to the virtual machine corresponding to the virtual machine address, and send a route update rejection message to the first tunnel endpoint device, so that the first tunnel endpoint device rejects to forward the packet to be forwarded according to the route update rejection message.
An update rejection module 503 configured to refuse to update the routing information of the current tunnel endpoint device according to the route update message in the case of receiving the verification response message returned by the virtual machine.
A first generating module 504 configured to generate a route update reject message.
The receiving module 501 is configured to execute the relevant content of step S201, the first sending module 502 is configured to execute the sending operations of step S202 and step S204, the update rejection module 503 is configured to execute the relevant content of step S203, and the first generating module 504 is configured to execute the generation of the route update reject message in step S204; these are not described again here.
In some embodiments, the virtual machine migration verification apparatus 500 further includes an updating module configured to update the routing information of the current tunnel endpoint device according to the virtual machine address if no verification response message is returned by the virtual machine, and the first sending module 502 is further configured to send a route update response message to the first tunnel endpoint device, where the route update response message may be generated by the first generating module 504.
In this embodiment, the receiving module receives a route update message sent by a first tunnel endpoint device, where the route update message is generated by the first tunnel endpoint device according to the virtual machine address corresponding to a message to be forwarded when it determines that the message to be forwarded is a target message; the target message is a message sent by a target virtual machine, and the target virtual machine is a virtual machine that is attached below the first tunnel endpoint device but whose next hop address is the current tunnel endpoint device. A verification request is sent to the virtual machine corresponding to the virtual machine address through the first sending module. If a verification response message is returned by the virtual machine (generated by the virtual machine on receiving the verification request), updating the routing information of the current tunnel endpoint device according to the route update message is refused through the update rejection module, a route update reject message is generated through the first generating module and sent to the first tunnel endpoint device through the first sending module, so that the first tunnel endpoint device refuses to forward the message to be forwarded according to the route update reject message. This effectively prevents an attacker from carrying out virtual machine migration cheating and thus ensures normal transmission of data.
Fig. 6 is a block diagram of a virtual machine migration verification apparatus according to another embodiment of the present application, which may be disposed in a first tunnel endpoint device. As shown in fig. 6, the virtual machine migration verification apparatus 600 includes the following modules:
the second generating module 601 is configured to generate a routing update message according to a virtual machine address corresponding to the message to be forwarded, when it is determined that the message to be forwarded is the target message.
A second sending module 602 configured to send the route update message to a second tunnel endpoint device.
And the reject forwarding module 603 is configured to reject forwarding the message to be forwarded when receiving the route update reject message returned by the second tunnel endpoint device.
The second generating module 601 is configured to execute the relevant content in step S301, the second sending module 602 is configured to execute the relevant content in step S302, and the reject forwarding module 603 is configured to execute the relevant content in step S303, which is not described herein again.
In some embodiments, the virtual machine migration verification apparatus 600 further includes a forwarding module, where the forwarding module is configured to forward the message to be forwarded when receiving a routing update response message returned by the second tunnel endpoint device, where the routing update response message is a message that is generated and sent to the current tunnel endpoint device after updating the routing information of the second tunnel endpoint device according to the virtual machine address when the second tunnel endpoint device does not receive a verification response message returned by the virtual machine.
In some other embodiments, the virtual machine migration verification apparatus 600 further includes a setting module, a discarding module, and a clearing module. The setting module is configured to set a reminding identifier for the address table entry corresponding to the virtual machine address in the routing information of the current tunnel endpoint device and to set a reminding identifier timer; the discarding module is configured to discard a message matching the reminding identifier when it is received within the preset time, where a message matching the reminding identifier is a message whose source address is identical to the virtual machine address and the preset time is the validity period of the reminding identifier timer; the clearing module is configured to clear the reminding identifier timer when the running time of the reminding identifier timer is greater than or equal to the validity period.
In this embodiment, the second generating module generates a route update message according to the virtual machine address corresponding to the message to be forwarded when the message to be forwarded is determined to be a target message; the target message is a message sent by a target virtual machine, and the target virtual machine is a virtual machine that is attached below the current tunnel endpoint device but whose next hop address is the second tunnel endpoint device. The route update message is sent to the second tunnel endpoint device through the second sending module, and the reject forwarding module refuses to forward the message to be forwarded if a route update reject message is returned by the second tunnel endpoint device, where the route update reject message is generated and sent by the second tunnel endpoint device on receiving a verification response message from the virtual machine corresponding to the virtual machine address, and the verification response message is generated by the virtual machine on receiving the verification request sent by the second tunnel endpoint device. This effectively prevents an attacker from carrying out virtual machine migration cheating and thus ensures normal transmission of data.
Fig. 7 is a schematic signaling interaction diagram of a virtual machine migration verification system according to an embodiment of the present invention.
The attacking virtual machine is attached below the first tunnel endpoint device, the first virtual machine is attached below the second tunnel endpoint device, and the attacking virtual machine impersonates the first virtual machine so as to make the first tunnel endpoint device wrongly conclude that the first virtual machine has migrated from the second tunnel endpoint device to the first tunnel endpoint device.
As shown in fig. 7, the signaling interaction procedure includes:
Step S701, the attacking virtual machine needs to communicate with the second virtual machine and sends a packet to be forwarded to the first tunnel endpoint device.
The second virtual machine (not shown in fig. 7) is a virtual machine attached to another tunnel endpoint device. The source MAC address of the packet to be forwarded is the MAC address of the first virtual machine, while the source IP address is the IP address of the attacking virtual machine; this is how the attacking virtual machine impersonates the first virtual machine to attempt migration cheating. The destination MAC address of the packet to be forwarded is the MAC address of the second virtual machine, and the destination IP address is the IP address of the second virtual machine.
Step S702, the first tunnel endpoint device obtains a source MAC address from the packet to be forwarded, and determines that a next hop of an address table entry corresponding to the source MAC address in the local MAC address table is the second tunnel endpoint device, thereby determining that the packet to be forwarded is the target packet.
Step S703, the first tunnel endpoint device sends a route update message to the second tunnel endpoint device.
Step S704, the second tunnel endpoint device receives the route update message sent by the first tunnel endpoint device, and broadcasts the extended ARP packet in the local network segment.
The OP indication value in the extended ARP packet is 0x0003.
Step S705, the first virtual machine receives the extended ARP packet broadcasted by the second tunnel endpoint device, and returns an extended ARP response packet to the second tunnel endpoint device.
The OP indication value in the extended ARP response packet is 0x0004.
Step S706, the second tunnel endpoint device receives the extended ARP response packet, and rejects updating the routing information of the second tunnel endpoint device according to the routing update message.
Step S707, the second tunnel endpoint device generates and sends a route update reject message to the first tunnel endpoint device.
Step S708, the first tunnel endpoint device receives the route update reject message, and rejects forwarding the message to be forwarded according to the route update reject message.
After receiving the route update reject message, the first tunnel endpoint device learns that the to-be-forwarded message is a forged message, and therefore, the first tunnel endpoint device rejects to execute the forwarding operation of the to-be-forwarded message.
Fig. 8 is a schematic signaling interaction diagram of a virtual machine migration verification system according to another embodiment of the present invention.
The first virtual machine is arranged below the first tunnel endpoint equipment and is a virtual machine which is migrated from the second tunnel endpoint equipment to the first tunnel endpoint equipment; the second virtual machine is a virtual machine arranged on other tunnel endpoint equipment.
As shown in fig. 8, the signaling interaction procedure includes:
step S801, the first virtual machine needs to communicate with the second virtual machine, and sends a packet to be forwarded to the first tunnel endpoint device.
The source MAC address of the message to be forwarded is the MAC address of the first virtual machine, the source IP address is the IP address of the first virtual machine, the destination MAC address is the MAC address of the second virtual machine, and the destination IP address is the IP address of the second virtual machine.
Step S802, the first tunnel endpoint device obtains a source MAC address from the message to be forwarded, and judges that the next hop of the address table item corresponding to the source MAC address in the local MAC address table is the second tunnel endpoint device, thereby determining that the message to be forwarded is a target message.
Step S803, the first tunnel endpoint device sends a route update message to the second tunnel endpoint device.
Step S804, the second tunnel endpoint device receives the route update message sent by the first tunnel endpoint device, and broadcasts the extended ARP packet in the local network segment.
The OP indication value in the extended ARP packet is 0x0003.
Since the first virtual machine has migrated from the second tunnel endpoint device to the first tunnel endpoint device, the first virtual machine cannot receive the extended ARP packet broadcast by the second tunnel endpoint device on its local network segment, and therefore, the first virtual machine does not generate the extended ARP response packet.
Step S805, when the extended ARP response packet returned by the first virtual machine is not received, the second tunnel endpoint device updates its local routing information according to the address of the first virtual machine.
Step S806, the second tunnel endpoint device generates and sends a route update response message to the first tunnel endpoint device.
Step S807, the first tunnel endpoint device receives the route update response message sent by the second tunnel endpoint device and forwards the packet to be forwarded to the second virtual machine.
After receiving the route update response message, the first tunnel endpoint device learns that the message to be forwarded is a real message, and therefore performs a forwarding operation of the message to be forwarded.
Step S808, the first tunnel endpoint device updates the local routing information according to the address information of the first virtual machine.
In some embodiments, after the first tunnel endpoint device updates the local routing information, the first tunnel endpoint device also sends the routing information of the first virtual machine to other tunnel endpoint devices, so that the other tunnel endpoint devices receive the routing information of the first virtual machine and update the address table entry of the first virtual machine in the respective local address table entries.
It should be noted that each module referred to in this embodiment is a logical module, and in practical applications, one logical unit may be one physical unit, may be a part of one physical unit, and may be implemented by a combination of multiple physical units. In addition, in order to highlight the innovative part of the present invention, elements that are not so closely related to solving the technical problems proposed by the present invention are not introduced in the present embodiment, but this does not indicate that other elements are not present in the present embodiment.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and scope of the invention, and such modifications and improvements are also considered to be within the scope of the invention.

Claims (10)

1. A virtual machine migration verification method is characterized by comprising the following steps:
receiving a route update message sent by a first tunnel endpoint device, wherein the route update message is generated by the first tunnel endpoint device according to a virtual machine address corresponding to a message to be forwarded under the condition that the message to be forwarded is determined to be a target message, the target message is sent by a target virtual machine, the target virtual machine is a virtual machine which is arranged below the first tunnel endpoint device, and the next hop address is the current tunnel endpoint device;
sending a verification request to a virtual machine corresponding to the virtual machine address;
refusing to update the routing information of the current tunnel endpoint device according to the routing update message under the condition that a verification response message returned by the virtual machine is received, wherein the verification response message is a feedback message generated by the virtual machine under the condition that the verification request is received;
and generating and sending a route updating refusing message to the first tunnel endpoint device so that the first tunnel endpoint device refuses to forward the message to be forwarded according to the route updating refusing message.
2. The virtual machine migration verification method according to claim 1, wherein the verification request is an extended address resolution protocol request packet, and an operation type indication value of the extended address resolution protocol request packet is 0x0003;
the verification response message is an extended address resolution protocol response message, and the operation type indication value of the extended address resolution protocol response message is 0x0004.
3. The virtual machine migration verification method according to claim 1, wherein, after sending the verification request to the virtual machine corresponding to the virtual machine address, the method further comprises:
when no verification response message returned by the virtual machine is received, updating the routing information of the current tunnel endpoint device according to the virtual machine address;
and generating and sending a route update response message to the first tunnel endpoint device.
4. A virtual machine migration verification method, comprising:
when a message to be forwarded is determined to be a target message, generating a route update message according to the virtual machine address corresponding to the message to be forwarded; the target message is a message sent by a target virtual machine, and the target virtual machine is a virtual machine attached below the current tunnel endpoint device but whose recorded next-hop address is a second tunnel endpoint device;
sending the route update message to the second tunnel endpoint device;
and refusing to forward the message to be forwarded when a route update reject message returned by the second tunnel endpoint device is received, wherein the route update reject message is generated and sent by the second tunnel endpoint device upon receiving a verification response message returned by the virtual machine corresponding to the virtual machine address, and the verification response message is generated by the virtual machine upon receiving a verification request sent by the second tunnel endpoint device.
5. The virtual machine migration verification method according to claim 4, wherein, before generating the route update message according to the virtual machine address corresponding to the message to be forwarded when the message to be forwarded is determined to be the target message, the method further comprises:
receiving the message to be forwarded;
and determining whether the message to be forwarded is the target message according to the virtual machine address corresponding to the message to be forwarded and the routing information of the current tunnel endpoint device.
6. The virtual machine migration verification method according to claim 4, wherein, after refusing to forward the message to be forwarded when the route update reject message returned by the second tunnel endpoint device is received, the method further comprises:
setting a reminder flag on the address table entry corresponding to the virtual machine address in the routing information of the current tunnel endpoint device, and starting a reminder flag timer;
when a message matching the reminder flag is received within a preset time, discarding the message, wherein a message matching the reminder flag is a message whose source address is the same as the virtual machine address, and the preset time is the validity period of the reminder flag timer;
and clearing the reminder flag timer when the running time of the reminder flag timer is greater than or equal to the validity period.
7. The virtual machine migration verification method according to claim 4, wherein, after sending the route update message to the second tunnel endpoint device, the method further comprises:
forwarding the message to be forwarded when a route update response message returned by the second tunnel endpoint device is received, wherein the route update response message is generated and sent to the current tunnel endpoint device by the second tunnel endpoint device after it has updated its routing information according to the virtual machine address, which it does when no verification response message is returned by the virtual machine.
8. The virtual machine migration verification method according to claim 6, wherein, after forwarding the message to be forwarded when the route update response message returned by the second tunnel endpoint device is received, the method further comprises:
updating the routing information of the current tunnel endpoint device according to the virtual machine address;
and sending a route update request, which includes the virtual machine address, to the tunnel endpoint devices within a preset range, so that those tunnel endpoint devices update their respective routing information.
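Claims 1 and 3 describe the verifying side and claims 4 to 8 the originating side of one exchange: the first VTEP sees a packet whose source address its table places behind a second VTEP, asks that VTEP to confirm, and the second VTEP decides by whether the VM still answers an extended ARP request on its own access side. The simulation below is an added example, not code from the patent or its assignee; it models both sides with in-memory objects and a constructed fabric that records where each VM really is. The peer set used as the "preset range" of claim 8, the 30-second validity period, the VTEP and VM names, and the lazy clearing of the timer on the next packet are all assumptions. It plays two scenarios in sequence: a VM under vtep-a sending with the address of vm-x while vm-x is still alive under vtep-b (the spoofing case the patent is built to stop), and then a genuine migration of vm-x to vtep-a.

```python
from dataclasses import dataclass, field

REMINDER_VALIDITY = 30.0   # seconds; assumed value, the claims only say "preset time"


@dataclass
class Fabric:
    """Constructed stand-in for the overlay: records under which VTEP each VM address is
    really attached, which is what decides whether a verification request is answered."""
    vm_location: dict                          # vm address -> VTEP name
    vteps: dict = field(default_factory=dict)  # VTEP name -> Vtep

    def vm_answers_verification(self, vtep: str, vm_addr: str) -> bool:
        # The verification request goes out the local access side of `vtep`; only a VM
        # that is actually attached there can return the verification response.
        return self.vm_location.get(vm_addr) == vtep


class Vtep:
    def __init__(self, name: str, fabric: Fabric, routes: dict):
        self.name = name
        self.fabric = fabric
        fabric.vteps[name] = self
        self.routes = dict(routes)     # vm address -> "local" or next-hop VTEP name
        self.reminders = {}            # vm address -> expiry time of the reminder flag
        self.log = []

    # -- verifying side (claims 1 and 3): the second tunnel endpoint device --
    def on_route_update(self, vm_addr: str, from_vtep: str) -> str:
        if self.fabric.vm_answers_verification(self.name, vm_addr):
            self.log.append(f"{self.name}: reject update for {vm_addr}, VM still answers here")
            return "reject"                          # route update reject message
        self.routes[vm_addr] = from_vtep             # claim 3: no answer, accept the move
        self.log.append(f"{self.name}: {vm_addr} now via {from_vtep}")
        return "response"                            # route update response message

    def on_route_update_request(self, vm_addr: str, new_vtep: str) -> None:
        self.routes[vm_addr] = new_vtep              # claim 8: peers learn the new location

    # -- originating side (claims 4 to 8): the first tunnel endpoint device --
    def on_packet_from_vm(self, src_addr: str, now: float) -> str:
        """Return 'forwarded' or 'dropped' for a packet whose source is `src_addr`."""
        expiry = self.reminders.get(src_addr)
        if expiry is not None:
            if now < expiry:
                return "dropped"                     # claim 6: flag still valid, no re-check
            del self.reminders[src_addr]             # timer ran out: clear the flag
        next_hop = self.routes.get(src_addr, "local")
        if next_hop == "local":
            return "forwarded"                       # claim 5: not a target packet
        # Target packet: the source claims to be a VM our table places behind another VTEP.
        verdict = self.fabric.vteps[next_hop].on_route_update(src_addr, self.name)
        if verdict == "reject":
            self.reminders[src_addr] = now + REMINDER_VALIDITY
            return "dropped"
        self.routes[src_addr] = "local"              # claim 8: accept the VM as ours
        for peer in self.fabric.vteps.values():      # "preset range" assumed to be all peers
            if peer is not self:
                peer.on_route_update_request(src_addr, self.name)
        return "forwarded"


def run_scenarios() -> dict:
    """Scenario 1: a VM under vtep-a sends with vm-x's address while vm-x is still alive
    under vtep-b. Scenario 2: vm-x genuinely migrates to vtep-a after the flag expires."""
    fabric = Fabric(vm_location={"vm-x": "vtep-b"})
    a = Vtep("vtep-a", fabric, {"vm-x": "vtep-b"})
    b = Vtep("vtep-b", fabric, {"vm-x": "local"})
    c = Vtep("vtep-c", fabric, {"vm-x": "vtep-b"})
    out = {}
    out["spoof_first"] = a.on_packet_from_vm("vm-x", now=0.0)
    out["spoof_retry"] = a.on_packet_from_vm("vm-x", now=10.0)   # inside validity window
    out["route_b_after_spoof"] = b.routes["vm-x"]
    out["route_c_after_spoof"] = c.routes["vm-x"]
    fabric.vm_location["vm-x"] = "vtep-a"                        # the real migration
    out["migrated"] = a.on_packet_from_vm("vm-x", now=REMINDER_VALIDITY + 1.0)
    out["route_a_after"], out["route_b_after"], out["route_c_after"] = (
        a.routes["vm-x"], b.routes["vm-x"], c.routes["vm-x"])
    return out
```

In the first scenario the spoofed packet is dropped, no routing table anywhere changes, and the retry inside the validity window is dropped by the reminder flag alone without a second round trip to vtep-b. In the second the unanswered verification lets vtep-b accept the update, vtep-a forwards and then pushes the new location to its peers. The same logic also shows the trade-off claim 6 builds in: a real migration that lands inside the validity window of a just-rejected update is dropped until the timer runs out.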
9. A virtual machine migration verification apparatus, comprising:
a receiving module configured to receive a route update message sent by a first tunnel endpoint device, wherein the route update message is generated by the first tunnel endpoint device, according to the virtual machine address corresponding to a message to be forwarded, when it determines that the message to be forwarded is a target message; the target message is a message sent by a target virtual machine, and the target virtual machine is a virtual machine attached below the first tunnel endpoint device but whose recorded next-hop address is the current tunnel endpoint device;
a first sending module configured to send a verification request to the virtual machine corresponding to the virtual machine address, and to send a route update reject message to the first tunnel endpoint device so that the first tunnel endpoint device refuses to forward the message to be forwarded according to the route update reject message;
a refuse-update module configured to refuse to update the routing information of the current tunnel endpoint device according to the route update message when a verification response message returned by the virtual machine is received, wherein the verification response message is a feedback message generated by the virtual machine upon receiving the verification request;
and a first generation module configured to generate the route update reject message.
10. A virtual machine migration verification apparatus, comprising:
a second generation module configured to generate a route update message according to the virtual machine address corresponding to a message to be forwarded when the message to be forwarded is determined to be a target message; the target message is a message sent by a target virtual machine, and the target virtual machine is a virtual machine attached below the current tunnel endpoint device but whose recorded next-hop address is a second tunnel endpoint device;
a second sending module configured to send the route update message to the second tunnel endpoint device;
and a refuse-forwarding module configured to refuse to forward the message to be forwarded when a route update reject message returned by the second tunnel endpoint device is received, wherein the route update reject message is generated and sent by the second tunnel endpoint device upon receiving a verification response message returned by the virtual machine corresponding to the virtual machine address, and the verification response message is generated by the virtual machine upon receiving a verification request sent by the second tunnel endpoint device.
CN202110903768.XA 2021-08-06 2021-08-06 Virtual machine migration verification method and device Active CN113612782B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110903768.XA CN113612782B (en) 2021-08-06 2021-08-06 Virtual machine migration verification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110903768.XA CN113612782B (en) 2021-08-06 2021-08-06 Virtual machine migration verification method and device

Publications (2)

Publication Number Publication Date
CN113612782A CN113612782A (en) 2021-11-05
CN113612782B true CN113612782B (en) 2023-02-17

Family

ID=78307514

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110903768.XA Active CN113612782B (en) 2021-08-06 2021-08-06 Virtual machine migration verification method and device

Country Status (1)

Country Link
CN (1) CN113612782B (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101605084B (en) * 2009-06-29 2011-09-21 北京航空航天大学 Method and system for processing virtual network messages based on virtual machine
US9582308B2 (en) * 2014-03-31 2017-02-28 Nicira, Inc. Auto detecting legitimate IP addresses using spoofguard agents

Patent Citations (10)

Publication number Priority date Publication date Assignee Title
CN101534225A (en) * 2009-01-05 2009-09-16 中国人民解放军信息工程大学 Method and device used for detecting authenticity of routing information
CN103430149A (en) * 2011-08-15 2013-12-04 华为技术有限公司 Virtual machine migration notification method and system
WO2015180539A1 (en) * 2014-05-28 2015-12-03 华为技术有限公司 Packet processing method and device
WO2018040530A1 (en) * 2016-08-30 2018-03-08 华为技术有限公司 Method and apparatus for determining virtual machine migration
CN112486627A (en) * 2016-08-30 2021-03-12 华为技术有限公司 Method and device for determining virtual machine migration
CN106998297A (en) * 2017-03-22 2017-08-01 新华三技术有限公司 Virtual machine migration method and device
CN107612834A (en) * 2017-09-13 2018-01-19 杭州迪普科技股份有限公司 EVPN route update method based on virtual device migration
CN109067784A (en) * 2018-09-19 2018-12-21 迈普通信技术股份有限公司 Method and device for anti-spoofing in VXLAN
CN110515700A (en) * 2019-08-23 2019-11-29 北京浪潮数据技术有限公司 Virtual machine migration method, system, device and readable storage medium
CN111770035A (en) * 2020-06-30 2020-10-13 中国联合网络通信集团有限公司 MAC address table updating method and device, message sending method and electronic equipment

Non-Patent Citations (1)

Title
Security analysis of virtual machine live migration (虚拟机动态迁移中的安全分析); Jiang Xueyuan et al.; Journal of Frontiers of Computer Science and Technology (计算机科学与探索); 2011-05-15 (No. 05); full text *

Also Published As

Publication number Publication date
CN113612782A (en) 2021-11-05

Similar Documents

Publication Publication Date Title
US9258266B2 (en) Host detection by top of rack switch devices in data center environments
TWI583151B (en) System and method for implementing and managing virtual networks
US10673736B2 (en) Traffic reduction in data center fabrics
CN109067784B (en) Method and equipment for preventing cheating in VXLAN
WO2005036831A1 (en) Frame relay device
CN109587286B (en) Equipment access control method and device
CN107623757B (en) Table entry updating method and device
US20210211404A1 (en) Dhcp snooping with host mobility
CN111200611B (en) Method and device for verifying intra-domain source address based on boundary interface equivalence class
CN108777663B (en) Method and device for synchronizing routing information
US20230283589A1 (en) Synchronizing dynamic host configuration protocol snoop information
US10530873B1 (en) Techniques for optimizing EVPN-IRB for IPv6-enabled data centers with top-of-rack deployments
CN111835635B (en) Method, equipment and system for publishing route in BGP network
EP3989512A1 (en) Method for controlling traffic forwarding, device, and system
CN113612782B (en) Virtual machine migration verification method and device
US20150128260A1 (en) Methods and systems for controlling communication in a virtualized network environment
CN116094923A (en) Gateway updating method and device after cloud instance migration and electronic equipment
JP6566124B2 (en) COMMUNICATION SYSTEM, FLOW CONTROL DEVICE, FLOW PROCESSING DEVICE, AND CONTROL METHOD
CN113556283B (en) Route management method and tunnel endpoint equipment
CN111654558B (en) ARP interaction and intranet flow forwarding method, device and equipment
JP4677501B2 (en) Relay device and relay method
CN105915455B (en) Method and device for realizing position identification separation protocol multi-homing
US20240022602A1 (en) Method and Apparatus for Route Verification and Data Sending, Device, and Storage Medium
US20150326474A1 (en) Path to host in response to message
CN108173980B (en) Duplicate address detection method in SDN environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant