CN114553664A - Method, device and system for realizing reachability verification - Google Patents


Info

Publication number: CN114553664A
Authority: CN (China)
Prior art keywords: forwarding, network, stateful, address, network model
Legal status: Pending
Application number: CN202011353562.6A
Other languages: Chinese (zh)
Inventors: 汪峰来, 吴瑞飞, 周志光, 董峰
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Classifications

    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis (H04L41/00, H04L41/06)
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network (H04L41/00, H04L41/14)
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters (H04L43/00)


Abstract

The embodiments of this application disclose a method, a device and a system for implementing reachability verification, which are used to support reachability verification of stateful devices. First, network configuration information of a network to be verified and forwarding information of a plurality of devices in the network to be verified are obtained, where the network configuration information includes the network topology, the plurality of devices include at least one stateful device, the forwarding information of a first stateful device among the at least one stateful device includes a forwarding destination address set, and the forwarding destination address set includes a plurality of forwarding destination addresses that are available to the stateful device when it forwards a packet. Then a network model is generated according to the network configuration information and the forwarding information, where the network model includes a forwarding table of the first stateful device that contains forwarding table entries corresponding to the forwarding destination addresses, and the network model is used to perform reachability verification on the network to be verified.

Description

Method, device and system for realizing reachability verification
Technical Field
The present application relates to the field of computer networks, and in particular, to a method, an apparatus, and a system for implementing reachability verification.
Background
The internet is becoming complex and large, network management is becoming more difficult, and minor errors in the network upgrade or modification process may have a serious impact on the normal operation of the network. For example, network configuration errors, software and hardware implementation errors, unexpected errors in network attacks or protocol interactions, etc., all affect the availability and security of the network.
A network needs to operate reliably and efficiently, and errors in its operation need to be discovered without excessive time and effort from managers and technicians. Existing methods for detecting network problems require manual investigation and localization, which incurs a large operating expenditure (OPEX). Network verification is an effective way to address this: it models the network uniformly and continuously verifies properties such as forwarding and security, and reachability verification in particular is an important means of preventing and localizing network faults and of root cause analysis.
In a reachability verification scheme, probe packets such as Generic Routing Encapsulation (GRE) or User Datagram Protocol (UDP) packets may be assembled to verify reachability between a source address and a destination address. For example, a probe server is deployed in the network, and the probe server sends probe packets to nodes in the network to complete the reachability verification.
The existing reachability verification scheme does not support stateful devices (such as a load balancer). If a network topology includes a stateful device, only reachability of the stateful device itself can be verified, while reachability of the other devices connected to the stateful device cannot be verified, so reachability verification cannot be carried out.
Disclosure of Invention
The embodiments of this application provide a method, a device and a system for implementing reachability verification, which are used to support reachability verification of stateful devices.
In order to solve the above technical problem, an embodiment of the present application provides the following technical solutions:
In a first aspect, an embodiment of this application provides a method for implementing reachability verification, including: obtaining network configuration information of a network to be verified and forwarding information of a plurality of devices in the network to be verified, where the network configuration information includes the network topology, the plurality of devices include at least one stateful device, the forwarding information of a first stateful device among the at least one stateful device includes a forwarding destination address set, and the forwarding destination address set includes a plurality of forwarding destination addresses that are available to the stateful device when it forwards a packet; and generating a network model according to the network configuration information and the forwarding information, where the network model includes a forwarding table of the first stateful device that contains forwarding table entries corresponding to the forwarding destination addresses, and the network model is used to perform reachability verification on the network to be verified. In the foregoing solution, the network to be verified includes a stateful device and the forwarding information of the stateful device can be obtained, so the generated network model includes the forwarding table of the stateful device and can therefore support reachability verification of the stateful device.
In one possible implementation, the first stateful device is a firewall or a load balancer.
In a possible implementation, the forwarding information of any stateless device among the plurality of devices includes at least one of a routing entry, a forwarding entry, and an Address Resolution Protocol (ARP) entry. In the above scheme, the next hop address corresponding to a forwarding instance is recorded in the routing table; the forwarding instance may query the routing entry according to the current address to obtain the next hop address and forward according to that routing entry. The forwarding entry may be generated from the routing table and is used directly to direct forwarding of the current packet; when no corresponding next hop address can be found in the forwarding entries, the forwarding instance may query the routing table. The ARP entry is used to look up an interface when the forwarding instance forwards the packet: for example, the forwarding instance queries the ARP entry by IP address and finds the corresponding interface information, such as interface GE/0/0/2.
In a possible implementation, generating the network model according to the network configuration information and the forwarding information includes: obtaining a target address set, where the target address set is the forwarding destination address set of a first stateful device among the plurality of devices, or a source address set used for matching packet source addresses in the forwarding information of any stateless device among the plurality of devices, or a destination address set used for matching packet destination addresses in the forwarding information of any stateless device among the plurality of devices; determining the addresses in the target address set that correspond to the same next hop as one equivalent address set, to obtain one or more equivalent address sets; and generating a forwarding table of the device to which the target address set belongs according to the equivalent address sets, where each forwarding table entry of the forwarding table corresponds to one equivalent address set. In the above scheme, after one or more equivalent address sets are obtained, a forwarding table is generated from them; the forwarding table includes one or more forwarding entries, and the forwarding entries correspond one to one to the equivalent address sets. One forwarding table entry includes an equivalent address set and information indicating the next hop corresponding to that equivalent address set. The network model may include the forwarding table of the device to which the target address set belongs.
Each forwarding table entry in the forwarding table corresponds to the equivalent address set, so that when the reachability verification is performed by using the network model, batch forwarding analysis of the messages can be performed through the equivalent address set, forwarding analysis does not need to be performed for each forwarding destination address, and the verification efficiency of the reachability verification is improved.
In a possible implementation, the network configuration information further includes a traffic policy of at least one of the plurality of devices, the traffic policy including at least one of a security policy, a filtering policy and an Access Control List (ACL) rule used by the device to which the traffic policy belongs to control packet forwarding; and generating the network model according to the network configuration information and the forwarding information includes: generating, according to the equivalent address set of the device to which the traffic policy belongs and the traffic policy, a forwarding policy of that device based on its equivalent address set, where the network model further includes the forwarding policy. In the foregoing solution, the forwarding policy is expressed in terms of the equivalent address set, so the forwarding instance can use the equivalence class when forwarding; the reachability problem for a single source-destination path can thus be converted into a batch source-to-service reachability problem, batch reachability verification of stateful devices is realized, and the efficiency of reachability verification is improved.
In a possible implementation, generating the network model according to the network configuration information and the forwarding information includes: generating a forwarding table of the first stateful device according to the forwarding information of the first stateful device, where each forwarding table entry of the forwarding table corresponds to one forwarding destination address in the forwarding destination address set. In the above solution, the forwarding information of the first stateful device includes a forwarding destination address set, so each forwarding entry in the forwarding table of the first stateful device is determined from one forwarding destination address in that set; that is, the forwarding destination addresses in the set correspond one to one to the forwarding entries in the forwarding table, and each forwarding entry includes one forwarding destination address and information indicating the next hop corresponding to that forwarding destination address. The forwarding table of the first stateful device may thus be generated from the forwarding destination address set, the network model may be generated in the manner described above, and the network model may include this forwarding table.
In a possible implementation manner, the network configuration information further includes: device configuration information, the device configuration information comprising: configuration parameters of forwarding instances and configuration parameters of interfaces in the plurality of devices; the network model further comprises: the data structure of the forwarding instance, the data structure of the interface, and the data structure of the link; the data structure of the forwarding instance is used for describing the relationship between the forwarding instance and other forwarding instances and/or the relationship between interfaces corresponding to the forwarding instance; the data structure of the interface is used for describing the relationship between the interface and the forwarding instance corresponding to the interface and/or the relationship between the interface and the connected link; the data structure of the link is used for describing the relationship between the link and the interface connected with the link. In the above solution, the data structure of the forwarding instance, the data structure of the interface, and the data structure of the link included in the network model may be used to perform reachability verification on the network to be verified.
In a possible implementation, the method further includes: performing reachability verification on the network to be verified according to the network model. In the foregoing solution, after the apparatus for implementing reachability verification generates the network model, it may perform reachability verification on the network to be verified using the network model and thereby obtain the reachability verification result. This solves the problem that reachability of stateful devices cannot be verified.
In a possible implementation, performing reachability verification on the network to be verified according to the network model includes: performing reachability verification on the network to be verified based on a source address set and a destination address set according to the network model, where the source address set includes at least one source address and the destination address set includes at least one destination address. In the above scheme, a source address is the address of a forwarding instance in the network to be verified that needs to send a packet, and a destination address is the address of a forwarding instance in the network to be verified that needs to receive a packet; the apparatus for implementing reachability verification may perform reachability verification on the network to be verified based on the source address set and the destination address set, and this verification process may also be referred to as "source-destination reachability" verification.
In a possible implementation, performing reachability verification on the network to be verified based on a source address set and a destination address set according to the network model includes: performing, according to the network model, reachability verification on the paths from the source addresses in the source address set to the destination addresses in the destination address set. In the above solution, the path from a source address to a destination address is a unidirectional path on which reachability verification can be performed according to the network model; in the same manner, the path from the destination address to the source address is also a unidirectional path, and if the apparatus for implementing reachability verification verifies both unidirectional paths, bidirectional source-destination reachability is verified and the efficiency of reachability verification is improved.
In a possible implementation, performing reachability verification on the network to be verified based on a source address set and a destination address set according to the network model includes: performing, according to the network model, reachability verification on the path between a source address in the source address set and the device corresponding to a destination address in the destination address set, where the device corresponding to the destination address includes the device to which the destination address belongs and/or a device associated with the destination address. In the above solution, a device associated with the destination address is a device directly or indirectly connected to the device to which the destination address belongs; for example, if the destination address is an address of a load balancer, the plurality of service servers connected to the load balancer may be the devices associated with the destination address. In this way, reachability verification from the source address to the device corresponding to the destination address can be achieved.
In a possible implementation, a destination address in the destination address set is an address corresponding to a target service on the stateful device to which the destination address belongs, and the devices associated with the destination address are a plurality of service servers providing the target service.
In a possible implementation, the method further includes: obtaining a reachability verification result; and outputting the reachability verification result. In the above aspect, the apparatus for implementing reachability verification may further obtain the reachability verification result and then output it. There are various ways to do so: the apparatus may present the result itself, or it may transmit the result to a display device so that the display device presents it, where the display device may be, for example, a terminal with a display screen.
In a possible implementation, the plurality of devices include a plurality of stateful devices, the forwarding information of a second stateful device among the plurality of stateful devices includes a set of translated source addresses, and the set of translated source addresses includes the plurality of translated source addresses available to the second stateful device when it translates the source address of a packet to be forwarded; the forwarding table of the second stateful device includes forwarding table entries corresponding to the plurality of translated source addresses.
In a second aspect, an embodiment of this application further provides a method for implementing reachability verification, including: obtaining a network model of a network to be verified, where the network model includes information describing the connection relationships between a plurality of devices in the network to be verified and forwarding tables of the plurality of devices, the plurality of devices include at least one stateful device, and the forwarding table of a first stateful device among the at least one stateful device includes forwarding table entries corresponding to a plurality of forwarding destination addresses available to the first stateful device when it forwards a packet; and performing reachability verification on the network to be verified according to the network model. In the above aspect, the network model includes the forwarding tables of the plurality of devices, including the forwarding table of the first stateful device, and the network model is used to perform reachability verification on the network to be verified. The network to be verified includes a stateful device and the forwarding information of the stateful device can be obtained, so the generated network model includes the forwarding table of the stateful device and can therefore support reachability verification of the stateful device.
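As an added example (not the patent's own code), the following Python sketches the modelling and verification steps of the first aspect on a constructed network: hosts behind a stateless router R1, a firewall FW carrying a traffic policy, and a load balancer LB whose forwarding information is the forwarding destination address set (the backend servers) of a service address. All device names, addresses and the policy are assumptions; equivalent address sets are built by grouping prefixes with the same next hop, and a verification to the service address is expanded into a batch over the associated servers.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAX_HOPS = 16  # guard against forwarding loops in the model

# Constructed inputs (assumptions, not taken from the patent).
# Forwarding information of the stateless devices: routing entries (prefix, next hop).
STATELESS_ROUTES = {
    "R1": [("10.0.0.0/24", "FW"), ("10.0.1.0/24", "FW"), ("10.0.2.0/24", "R2")],
    "FW": [("10.0.0.0/24", "LB"), ("10.0.1.0/24", "LB")],
}
# Forwarding information of the stateful load balancer: for each service address, the
# forwarding destination address set (the backend servers it may forward to).
LB_SERVICES = {"10.0.0.10": ["10.0.1.1", "10.0.1.2", "10.0.1.3"]}
# Device to which each address belongs (service address on LB, server addresses on S1..S3).
ADDRESS_OWNER = {"10.0.0.10": "LB", "10.0.1.1": "S1", "10.0.1.2": "S2", "10.0.1.3": "S3"}
# Traffic policy of the firewall: (source prefix, destination prefix, action), first match wins.
FW_POLICY = [("192.168.0.0/24", "10.0.0.10/32", "permit"), ("0.0.0.0/0", "0.0.0.0/0", "deny")]


def equivalent_address_sets(routes):
    """Group the prefixes of one device that share a next hop into one equivalent
    address set; each set becomes a single forwarding table entry (prefixes, next hop)."""
    by_hop = defaultdict(list)
    for prefix, hop in routes:
        by_hop[hop].append(ip_network(prefix))
    return [(prefixes, hop) for hop, prefixes in by_hop.items()]


def build_model():
    """Generate the network model: forwarding tables, policies, services and address owners."""
    tables = {dev: equivalent_address_sets(r) for dev, r in STATELESS_ROUTES.items()}
    # Stateful device: one forwarding entry per forwarding destination address.
    tables["LB"] = [([ip_network(addr + "/32")], ADDRESS_OWNER[addr])
                    for backends in LB_SERVICES.values() for addr in backends]
    return {
        "tables": tables,
        "policies": {"FW": [(ip_network(s), ip_network(d), act) for s, d, act in FW_POLICY]},
        "services": {ip_address(v): [ip_address(b) for b in bs] for v, bs in LB_SERVICES.items()},
        "owner": {ip_address(a): dev for a, dev in ADDRESS_OWNER.items()},
    }


def lookup(table, dst):
    """Longest-prefix match of dst over the equivalent address sets; None if no entry."""
    best = None
    for prefixes, hop in table:
        for net in prefixes:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, hop)
    return best[1] if best else None


def policy_allows(model, device, src, dst):
    """Apply the device's traffic policy (if any) to the (src, dst) pair; first match wins."""
    for s, d, action in model["policies"].get(device, []):
        if src in s and dst in d:
            return action == "permit"
    return True


def trace(model, device, src, dst, path):
    """Follow forwarding tables from `device` for one (src, dst); returns (status, path)."""
    path = path + [device]
    if len(path) > MAX_HOPS:
        return "LOOP", path
    if not policy_allows(model, device, src, dst):
        return "DENIED", path
    if model["owner"].get(dst) == device:
        return "REACHED", path
    hop = lookup(model["tables"].get(device, []), dst)
    if hop is None:  # no matching forwarding entry, or no forwarding information at all
        return "UNREACHABLE", path
    return trace(model, hop, src, dst, path)


def verify(model, src, dst, start="R1"):
    """Source-destination verification. When dst is a service address on a stateful
    device, the devices associated with it (the backends) are verified as one batch."""
    src, dst = ip_address(src), ip_address(dst)
    status, path = trace(model, start, src, dst, [])
    results = {str(dst): (status, path)}
    if status == "REACHED":
        for backend in model["services"].get(dst, []):
            # continue from the stateful device with the forwarding destination address
            results[str(backend)] = trace(model, path[-1], src, backend, path[:-1])
    return results


if __name__ == "__main__":
    for src, dst in [("192.168.0.5", "10.0.0.10"), ("172.16.0.9", "10.0.0.10")]:
        for target, (status, path) in verify(build_model(), src, dst).items():
            print(f"{src} -> {target}: {status} via {' -> '.join(path)}")
```

A denial at FW stops the whole batch before the load balancer is reached, while a missing route on R1 shows up as UNREACHABLE at the first hop.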
In one possible implementation, the first stateful device is a firewall or a load balancer.
In a possible implementation manner, the network model further includes: a data structure of a forwarding instance of the device in the network to be verified, a data structure of an interface of the forwarding instance, and a data structure of a link; the data structure of the forwarding instance is used for describing the relationship between the forwarding instance and other forwarding instances and/or the relationship between interfaces corresponding to the forwarding instance; the data structure of the interface is used for describing the relationship between the interface and the forwarding instance corresponding to the interface and/or the relationship between the interface and the connected link; the data structure of the link is used for describing the relationship between the link and the interface connected with the link.
In a possible implementation manner, the performing reachability verification on the network to be verified according to the network model includes: and performing reachability verification on the network to be verified based on a source address set and a destination address set according to the network model, wherein the source address set comprises at least one source address, and the destination address set comprises at least one destination address.
In a possible implementation manner, the performing reachability verification on the network to be verified based on a source address set and a destination address set in the network to be verified according to the network model includes: and according to the network model, performing reachability verification on paths from source addresses in the source address set to destination addresses in the destination address set.
In a possible implementation, performing reachability verification on the network to be verified based on a source address set and a destination address set according to the network model includes: performing, according to the network model, reachability verification on the path between a source address in the source address set and the device corresponding to a destination address in the destination address set, where the device corresponding to the destination address includes the device to which the destination address belongs and/or a device associated with the destination address.
In a possible implementation manner, a destination address in the destination address set is an address corresponding to a target service on the first stateful device, and the devices associated with the destination address are a plurality of service servers providing the target service.
In one possible implementation, the method further includes: obtaining a reachability verification result; and outputting the reachability verification result.
In a possible implementation manner, the multiple devices include multiple stateful devices, and a forwarding table of a second stateful device in the multiple stateful devices includes forwarding table entries corresponding to multiple converted source addresses that are available for the second stateful device to convert a source address of a packet to be forwarded.
In a third aspect, an embodiment of the present application further provides an apparatus for implementing reachability verification, including: an obtaining module, configured to obtain network configuration information of a network to be verified and forwarding information of multiple devices in the network to be verified, where the network configuration information includes a network topology, the multiple devices include at least one stateful device, the forwarding information of a first stateful device in the at least one stateful device includes a forwarding destination address set, and the forwarding destination address set includes multiple forwarding destination addresses that are available for the stateful device to forward a packet; a generating module, configured to generate a network model according to the network configuration information and the forwarding information, where the network model includes: and the forwarding table of the first stateful device comprises forwarding table entries corresponding to the forwarding destination addresses, and the network model is used for performing reachability verification on the network to be verified.
In a possible implementation, the generating module is configured to obtain a target address set, where the target address set is the forwarding destination address set of a first stateful device among the plurality of devices, or a source address set used for matching packet source addresses in the forwarding information of any stateless device among the plurality of devices, or a destination address set used for matching packet destination addresses in the forwarding information of any stateless device among the plurality of devices; determine the addresses in the target address set that correspond to the same next hop as one equivalent address set, to obtain one or more equivalent address sets; and generate a forwarding table of the device to which the target address set belongs according to the equivalent address sets, where each forwarding table entry of the forwarding table corresponds to one equivalent address set.
In a possible implementation, the network configuration information further includes a traffic policy of at least one of the plurality of devices, the traffic policy including at least one of a security policy, a filtering policy and an Access Control List (ACL) rule used by the device to which the traffic policy belongs to control packet forwarding; the generating module is configured to generate, according to the equivalent address set of the device to which the traffic policy belongs and the traffic policy, a forwarding policy of that device based on its equivalent address set, where the network model further includes the forwarding policy.
In a possible implementation manner, the generating module is configured to generate a forwarding table of the first stateful device according to forwarding information of the first stateful device, where each forwarding table entry of the forwarding table corresponds to one forwarding destination address in the forwarding destination address set.
In a possible implementation manner, the network configuration information further includes: device configuration information, the device configuration information comprising: configuration parameters of forwarding instances and configuration parameters of interfaces in the plurality of devices; the network model further comprises: the data structure of the forwarding instance, the data structure of the interface and the data structure of the link; the data structure of the forwarding instance is used for describing the relationship between the forwarding instance and other forwarding instances and/or the relationship between interfaces corresponding to the forwarding instance; the data structure of the interface is used for describing the relationship between the interface and the forwarding instance corresponding to the interface and/or the relationship between the interface and the connected link; the data structure of the link is used to describe the relationship between the link and the interface to which the link is connected.
In one possible implementation manner, the apparatus further includes: and the verification module is used for performing reachability verification on the network to be verified according to the network model.
In a possible implementation manner, the verification module is configured to perform reachability verification on the network to be verified based on a source address set and a destination address set according to the network model, where the source address set includes at least one source address, and the destination address set includes at least one destination address.
In a possible implementation manner, the verification module is configured to perform reachability verification on a path from a source address in the source address set to a destination address in the destination address set according to the network model.
In a possible implementation, the verification module is configured to perform, according to the network model, reachability verification on the path between a source address in the source address set and the device corresponding to a destination address in the destination address set, where the device corresponding to the destination address includes the device to which the destination address belongs and/or a device associated with the destination address.
In a possible implementation, the apparatus further includes an output module, configured to obtain a reachability verification result and to output the reachability verification result.
In a possible implementation, the plurality of devices include a plurality of stateful devices, the forwarding information of a second stateful device among the plurality of stateful devices includes a set of translated source addresses, and the set of translated source addresses includes the plurality of translated source addresses available to the second stateful device when it translates the source address of a packet to be forwarded; the forwarding table of the second stateful device includes forwarding table entries corresponding to the plurality of translated source addresses.
In the third aspect of the present application, the constituent modules of the apparatus for implementing reachability verification may further perform the steps described in the foregoing first aspect and various possible implementations, for details, see the foregoing description of the first aspect and various possible implementations.
In a fourth aspect, an embodiment of the present application further provides an apparatus for implementing reachability verification, including: an obtaining module, configured to obtain a network model of a network to be verified, where the network model includes: information for describing a connection relationship between a plurality of devices in the network to be verified and forwarding tables of the plurality of devices, where the plurality of devices include at least one stateful device, and a forwarding table of a first stateful device in the at least one stateful device includes forwarding table entries corresponding to a plurality of forwarding destination addresses available for the first stateful device when forwarding a packet; and the verification module is used for performing reachability verification on the network to be verified according to the network model.
In a possible implementation manner, the network model further includes: a data structure of a forwarding instance of the device in the network to be verified, a data structure of an interface of the forwarding instance, and a data structure of a link; the data structure of the forwarding instance is used for describing the relationship between the forwarding instance and other forwarding instances and/or the relationship between interfaces corresponding to the forwarding instance; the data structure of the interface is used for describing the relationship between the interface and the forwarding instance corresponding to the interface and/or the relationship between the interface and the connected link; the data structure of the link is used to describe the relationship between the link and the interface to which the link is connected.
In a possible implementation manner, the verification module is configured to perform reachability verification on the network to be verified based on a source address set and a destination address set according to the network model, where the source address set includes at least one source address, and the destination address set includes at least one destination address.
In a possible implementation manner, the verification module is configured to perform reachability verification on a path from a source address in the source address set to a destination address in the destination address set according to the network model.
In a possible implementation manner, the verification module is configured to perform reachability verification on a path between a source address in the source address set and a device corresponding to a destination address in the destination address set according to the network model, where the device corresponding to the destination address includes: the device to which the destination address belongs, and/or the device associated with the destination address.
In one possible implementation, the apparatus further includes: the output module is used for acquiring the reachability verification result; and the output module is used for outputting the reachability verification result.
In a possible implementation manner, the multiple devices include multiple stateful devices, and a forwarding table of a second stateful device in the multiple stateful devices includes forwarding table entries corresponding to multiple converted source addresses that are available for the second stateful device to convert a source address of a packet to be forwarded.
In a fourth aspect of the present application, the constituent modules of the apparatus for implementing reachability verification may further perform the steps described in the foregoing second aspect and various possible implementations, as detailed in the foregoing description of the second aspect and various possible implementations.
In a fifth aspect, an embodiment of the present application further provides a reachability verification system, including: a first apparatus for implementing reachability verification and a second apparatus for implementing reachability verification, where:
the first apparatus for implementing reachability verification is configured to acquire network configuration information of a network to be verified and forwarding information of multiple devices in the network to be verified, where the network configuration information includes a network topology, the multiple devices include at least one stateful device, forwarding information of a first stateful device in the at least one stateful device includes a set of forwarding destination addresses, and the set of forwarding destination addresses includes multiple forwarding destination addresses available for the stateful device when forwarding a packet;
the first device for implementing reachability verification is configured to generate a network model according to the network configuration information and the forwarding information, where the network model includes: the information used for describing the connection relation among the plurality of devices and determined according to the network configuration information and the forwarding tables of the plurality of devices, wherein the forwarding table of the first stateful device comprises forwarding table entries corresponding to the plurality of forwarding destination addresses, and the network model is used for performing reachability verification on the network to be verified;
the first device for realizing reachability verification is used for sending the network model to the second device for realizing reachability verification;
the second device for implementing reachability verification is configured to obtain a network model of a network to be verified, where the network model includes: information for describing a connection relationship between a plurality of devices in the network to be verified and forwarding tables of the plurality of devices, where the plurality of devices include at least one stateful device, and a forwarding table of a first stateful device in the at least one stateful device includes forwarding table entries corresponding to a plurality of forwarding destination addresses available for the first stateful device when forwarding a packet;
and the second device for realizing reachability verification is used for carrying out reachability verification on the network to be verified according to the network model.
In a sixth aspect, embodiments of the present application provide a computer-readable storage medium, having stored therein instructions, which, when executed on a computer, cause the computer to perform the method of the first or second aspect.
In a seventh aspect, the present application provides a computer program product containing instructions, which when executed on a computer, causes the computer to perform the method of the first or second aspect.
In an eighth aspect, an embodiment of the present application provides a communication apparatus, which may be either of the foregoing apparatuses for implementing reachability verification (the third and fourth aspects). The communication apparatus may include an entity such as a terminal device or a chip, and includes a processor; optionally, the communication apparatus further includes a memory. The memory is configured to store instructions, and the processor is configured to execute the instructions in the memory so as to cause the communication apparatus to perform the method of any of the preceding first or second aspects.
In a ninth aspect, the present application provides a chip system comprising a processor that supports either of the apparatuses for implementing reachability verification in carrying out the functions referred to in the preceding aspects, for example transmitting or processing the data and/or information referred to in the preceding methods. In one possible design, the chip system further includes a memory for holding the program instructions and data necessary for those apparatuses. The chip system may consist of a chip, or may include a chip and other discrete devices.
Drawings
Fig. 1 is a schematic application scenario diagram of an apparatus for implementing reachability verification according to an embodiment of the present application;
fig. 2 is a schematic execution flow diagram of a method for implementing reachability verification provided by an embodiment of the present application;
fig. 3 is a schematic view of an application scenario of a to-be-verified network according to an embodiment of the present application;
fig. 4 is a schematic view of an application scenario for acquiring forwarding information of a stateful device according to an embodiment of the present application;
fig. 5 is a schematic execution flow diagram of a method for implementing reachability verification provided by an embodiment of the present application;
fig. 6 is a schematic execution flow diagram of a method for implementing reachability verification provided by an embodiment of the present application;
fig. 7a is a schematic diagram of a logical architecture of an apparatus for implementing reachability verification according to an embodiment of the present application;
fig. 7b is a schematic logical architecture diagram of another apparatus for implementing reachability verification according to an embodiment of the present disclosure;
fig. 7c is a schematic logical architecture diagram of another apparatus for implementing reachability verification provided in the embodiment of the present application;
fig. 8 is a schematic diagram of a service processing flow for building a network model according to an embodiment of the present application;
fig. 9 is a schematic view of an application scenario of a target address set according to an embodiment of the present application;
FIG. 10 is a schematic diagram illustrating the classification of equivalence classes according to an embodiment of the present application;
fig. 11 is a schematic structural diagram illustrating a component of an apparatus for implementing reachability verification according to an embodiment of the present application;
fig. 12 is a schematic structural diagram illustrating a component of an apparatus for implementing reachability verification according to an embodiment of the present application;
fig. 13 is a schematic structural diagram illustrating a component of an apparatus for implementing reachability verification according to an embodiment of the present application;
fig. 14 is a schematic structural diagram of a device for implementing reachability verification according to an embodiment of the present application.
Detailed Description
The embodiments of the present application provide a method, an apparatus and a system for implementing reachability verification, which are used to support reachability verification of stateful devices.
Embodiments of the present application are described below with reference to the accompanying drawings.
The terms "first," "second," and the like in the description and in the claims of the present application and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances and are merely descriptive of the manner in which objects of the same nature are distinguished in the embodiments of the application. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of elements is not necessarily limited to those elements, but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Embodiments of the present application provide a method for implementing reachability verification, which may be performed by a device for implementing reachability verification, where the device for implementing reachability verification may be a server (server) in a network or a dedicated device independent of the network, and is not limited herein. As shown in fig. 1, which is a schematic view of an application scenario of an apparatus for implementing reachability verification in the embodiment of the present application, an apparatus 120 for implementing reachability verification may perform reachability verification on a network 110 to be verified. The network 110 includes a plurality of devices 111, where the device 111 may be a stateful device, and the stateful device may also be referred to as a stateful network device, and the stateful device refers to a device that can determine a next hop according to states such as a session state and a device state during a packet forwarding process. For example, a stateful device may include: load Balance (LB) and Firewall (FW), but not limited thereto, the stateful device in the embodiment of the present application may also be another network device, and the present application is not limited herein.
In some embodiments of the present application, the network device 111 included in the network 110 may also be a stateless device, which may also be referred to as a stateless network device, where the stateless device refers to a device that determines a next hop according to an entry (e.g., a routing entry, a forwarding entry, an Address Resolution Protocol (ARP) entry, etc.) used for determining the next hop in a message forwarding process. For example, a stateless device may include: switches and routers, but not limited thereto, the stateless device in the embodiment of the present application may also be other network devices, and is not limited herein.
The apparatus 120 for implementing reachability verification is configured to obtain network configuration information of a network to be verified and forwarding information of multiple devices in the network to be verified, where the network configuration information includes a network topology, the multiple devices include at least one stateful device, forwarding information of at least one device (hereinafter referred to as a first stateful device) in the at least one stateful device includes a set of forwarding destination addresses, and the set of forwarding destination addresses includes multiple forwarding destination addresses available for the first stateful device when forwarding a packet; and to generate a network model according to the network configuration information and the forwarding information, where the network model comprises: information describing the connection relationships among the multiple devices, determined according to the network configuration information, and the forwarding tables of the multiple devices, determined according to the forwarding information, wherein the forwarding table of the first stateful device comprises forwarding table entries corresponding to the multiple forwarding destination addresses, and the network model is used for performing reachability verification on the network to be verified. In this embodiment, the multiple forwarding destination addresses available for the first stateful device when forwarding a packet are the addresses that can be used as the new destination address of the packet when the first stateful device forwards it.
In other embodiments of the present application, the apparatus 120 for implementing reachability verification may be further configured to perform reachability verification on the network to be verified according to the network model.
It should be noted that, in the above embodiment, the functions of the apparatus 120 may be implemented by one or more devices, for example, the apparatus 120 includes two sub-apparatuses 120A and 120B, which are respectively deployed in one device, where the apparatus 120A generates the above network model, and the apparatus 120B is configured to perform reachability verification on the network to be verified according to the network model. The specific implementation manner of the apparatus 120 for implementing reachability verification in the embodiment of the present application may be combined with an actual application scenario, and is not limited herein.
An embodiment of the present application further provides a reachability verification system, including: a first apparatus for implementing reachability verification and a second apparatus for implementing reachability verification, where:
the first apparatus for implementing reachability verification is configured to acquire network configuration information of a network to be verified and forwarding information of multiple devices in the network to be verified, where the network configuration information includes a network topology, the multiple devices include at least one stateful device, forwarding information of a first stateful device in the at least one stateful device includes a set of forwarding destination addresses, and the set of forwarding destination addresses includes multiple forwarding destination addresses available for the stateful device when forwarding a packet;
the first device for implementing reachability verification is configured to generate a network model according to the network configuration information and the forwarding information, where the network model includes: the information used for describing the connection relation among the plurality of devices and determined according to the network configuration information and the forwarding tables of the plurality of devices, wherein the forwarding table of the first stateful device comprises forwarding table entries corresponding to the plurality of forwarding destination addresses, and the network model is used for performing reachability verification on the network to be verified;
the first device for realizing reachability verification is used for sending the network model to the second device for realizing reachability verification;
the second device for implementing reachability verification is configured to obtain a network model of a network to be verified, where the network model includes: information for describing a connection relationship between a plurality of devices in the network to be verified and forwarding tables of the plurality of devices, where the plurality of devices includes at least one stateful device, a forwarding table of a first stateful device in the at least one stateful device includes forwarding table entries corresponding to a plurality of forwarding destination addresses available for the first stateful device when forwarding a packet, and the forwarding table of the first stateful device may further include a correspondence relationship between an address of the first stateful device (e.g., an address of the first stateful device corresponding to a target service) and the plurality of forwarding destination addresses (e.g., addresses of a plurality of servers for implementing the target service);
and the second device for realizing reachability verification is used for carrying out reachability verification on the network to be verified according to the network model.
In the reachability verification system provided in the embodiment of the present application, a first device for implementing reachability verification transmits a network model to a second device for implementing reachability verification, and the second device for implementing reachability verification performs reachability verification on a network to be verified according to the network model.
Embodiments of the present application further provide a method for implementing reachability verification, where the method may be performed by a device for implementing reachability verification, where the device for implementing reachability verification may be a server (server) in a network to be verified, or a dedicated device independent of the network, and is not limited herein.
In the embodiment of the application, the network to be verified comprises a plurality of devices, and the number of the devices in the network to be verified is not limited. The device may be a network device, for example, one network device in a network to be verified may include one or more forwarding instances, where the forwarding instances may also be referred to as forwarding nodes (nodes for short), the network device may have one or more interfaces (interfaces), there is a correspondence between the forwarding nodes and the interfaces, the forwarding nodes of different network devices are connected through the interfaces, and the forwarding nodes may be connected together through links.
Existing reachability verification schemes can only verify reachability as far as the stateful device itself; they cannot verify the reachability of the other devices connected to the stateful device, so end-to-end reachability verification cannot be performed.
In the embodiment of the present application, the multiple devices in the network to be verified include at least one stateful device, where the at least one stateful device may include a first stateful device, the forwarding information of the first stateful device includes a forwarding destination address set, and the forwarding destination address set includes multiple forwarding destination addresses that are available when the stateful device performs packet forwarding. The forwarding information of the first stateful device may be considered as forwarding information obtained by performing "state removal processing" on the state configuration information of the first stateful device. For example, the first stateful device is a firewall or a load balancer.
In some embodiments of the present application, the plurality of devices in the network to be verified include a plurality of stateful devices, the plurality of stateful devices include a second stateful device, forwarding information of the second stateful device includes a translated source address set, and the translated source address set includes the translated source addresses available to the second stateful device when it translates the source address of a packet to be forwarded. The forwarding table of the second stateful device may be regarded as forwarding information obtained by performing "state removal processing" on the state configuration information of the second stateful device.
It should be noted that the first stateful device is a stateful device that has a plurality of forwarding destination addresses when forwarding a packet; for example, the first stateful device may be a load balancer. A current load balancer determines the next hop according to the session state and the device state (for example, the states of the devices to which the forwarding destination addresses belong and the state of the device sending the packet), so only the next hop corresponding to a single forwarding destination address can be determined. In the embodiment of the present application, the forwarding destination address set of the load balancer may include a plurality of forwarding destination addresses, and accordingly the forwarding table generated from the forwarding destination address set includes forwarding table entries corresponding to each of these forwarding destination addresses. Therefore, in the embodiment of the present application the next hop is not determined from the session state, device state and the like of the load balancer; instead, the next hops corresponding to all of the forwarding destination addresses may be determined. For this reason, the forwarding information of the first stateful device may be regarded as forwarding information after "stateless processing", and accordingly the forwarding table included in the network model and generated from this forwarding information may also be regarded as stateless, so that the generated network model may also be referred to as a "general network model" or a "state-independent general network model".
The second stateful device is a stateful device whose source address translation can produce any of a plurality of source addresses; for example, the second stateful device may be a firewall. A current firewall translates the source address of a packet into one of the firewall's source addresses according to the session state, the device state and the like, and the specific translation method is not limited. In the embodiment of the present application, the firewall's translated source address set includes the plurality of source addresses that the second stateful device may use, so the translated source address is not determined from the firewall's session state, device state and the like. Therefore, in the embodiment of the present application, the forwarding table of the second stateful device may be regarded as a forwarding table after "stateless processing", and the generated network model may likewise be referred to as a "general network model" or a "state-independent general network model".
An embodiment of the present application provides a method for implementing reachability verification, which may implement reachability verification on stateful devices, where the method for implementing reachability verification may be performed by the foregoing apparatus for implementing reachability verification, as shown in fig. 2, and the method for implementing reachability verification provided in an embodiment of the present application may specifically include the following steps:
201. Obtain the network configuration information of the network to be verified and the forwarding information of the devices in the network to be verified.
In the embodiment of the present application, the apparatus for implementing reachability verification may perform data acquisition on a network to be verified (hereinafter, referred to as a network for short), for example, a data acquisition service may be deployed in the apparatus for implementing reachability verification, so that network configuration information and forwarding information of multiple devices in the network to be verified may be acquired from the network to be verified. The network configuration information refers to various pieces of configuration information of the network to be verified, for example, the network configuration information may be configuration parameters for a network topology, and optionally, the network configuration information may further include various configuration parameters of the network device. The network topology refers to the topology of the network to be verified, and the network topology may be used to describe a composition structure of the network to be verified, for example, the network topology may include a plurality of devices in the network to be verified and a connection relationship between the devices, and the devices may be switches, routers, firewalls, and load balancers. The network topology has configuration information, which may include: network-related configurations such as a dynamic routing protocol, a Virtual Private Network (VPN), and a tunnel.
In some embodiments of the present application, the network configuration information may also include device configuration information. The device configuration information includes: configuration parameters of forwarding instances in the plurality of devices and configuration parameters of the interfaces.
The device configuration information refers to configuration information of a device in the network to be verified, for example, the device may be a stateful device or a stateless device, where the stateful device may be a first stateful device or a second stateful device. One or more forwarding instances, which may also be referred to as forwarding nodes (nodes), are included on the device. The link in the network to be verified can be determined by the network topology, the configuration parameters of the forwarding instance and the configuration parameters of the interface.
The configuration parameters of the forwarding instance refer to parameters related to the configuration of the forwarding instance itself, for example, a stateful device may be a firewall, for example, one firewall device includes multiple forwarding instances, one forwarding instance represents one VPN instance, and one forwarding instance may be used to process a batch of services.
The configuration parameters of the interface refer to parameters related to interface configuration of the forwarding instance, and the configuration parameters of the interface may be referred to as interface information. For example, the configuration parameters of the interface may include: interface number and Internet Protocol (IP) address.
In some embodiments of the present application, the network configuration information further comprises: a flow policy of at least one of the plurality of devices, the flow policy comprising: the device to which the flow policy belongs uses at least one of a security policy, a filter policy, and an Access Control List (ACL) rule for controlling packet forwarding.
The security policy refers to a policy related to security configuration of the forwarding instance. For example, the security policy may include that the forwarding instance refuses to forward a packet from an address. For example, the packet corresponding to the 192.168.2.0/24 network segment needs to be forwarded according to forwarding information (the forwarding table includes the network segment), but since the security policy is configured with denial (deny) information for the network segment, after the firewall receives the packet, the packet is terminated by the firewall, and the end point of the final path of the packet is the firewall.
The filtering policy refers to a policy related to filtering configuration when the forwarding instance forwards, for example, the filtering policy includes forwarding a message in a certain network segment, filtering messages in other network segments, and not forwarding the message any more.
The ACL rules, which include set conditions, can be used by the forwarding instance to filter packets on the interface, allowing them to pass or drop.
In the embodiment of the present application, besides obtaining network configuration information, forwarding information of a device in a network to be verified may also be obtained, where the forwarding information of the device is information that needs to be used when the device performs packet forwarding, for example, forwarding information of a first stateful device in the network to be verified is obtained, and forwarding information of a stateless device in the network to be verified may also be obtained. The forwarding information of a first stateful device in the at least one stateful device includes a forwarding destination address set, where the forwarding destination address set may include a plurality of available forwarding destination addresses, and a forwarding destination address is a destination address of the stateful device when forwarding a packet. The available forwarding destination address refers to a forwarding destination address that can be used by the stateful device when forwarding a message. The forwarding table of the first stateful device includes forwarding table entries corresponding to a plurality of forwarding destination addresses.
In some embodiments of the present application, the forwarding information of any stateless device in the multiple devices includes at least one of a routing table entry, a forwarding table entry, and an Address Resolution Protocol (ARP) table entry.
The next hop address corresponding to the forwarding instance is recorded in the routing table, the forwarding instance can query the routing table entry according to the current address to obtain the next hop address, and the forwarding instance can forward according to the routing table entry.
The forwarding table entry can be generated from the routing table and is used directly to indicate how the current packet is forwarded; when the corresponding next hop address cannot be found in the forwarding table entries, the forwarding instance may query the routing table instead.
The ARP entry is used to look up an interface when the forwarding instance forwards a packet. For example, the forwarding instance queries the ARP entry according to the IP address and finds the corresponding interface information, for example that the interface found through the ARP entry is GE/0/0/2.
202. Generate a network model according to the network configuration information and the forwarding information.
The network model includes information describing the connection relationships among the plurality of devices and the forwarding tables of the plurality of devices, and the network model is used for performing reachability verification on the network to be verified.
In this embodiment of the application, after the device for implementing reachability verification obtains network configuration information and forwarding information of multiple devices through data acquisition, the device for implementing reachability verification may obtain a network topology included in the network configuration information, and the device for implementing reachability verification may further analyze the forwarding information of the multiple devices to obtain a forwarding destination address set of the stateful device, where the forwarding destination address set includes multiple forwarding destination addresses of the stateful device when forwarding a message. Next, the means for implementing reachability verification determines information describing connection relationships between the plurality of devices according to the network configuration information, and the means for implementing reachability verification determines forwarding tables of the plurality of devices according to the forwarding information, thereby generating a network model including the information of connection relationships between the plurality of devices and the forwarding tables of the plurality of devices.
In the embodiment of the application, the network model includes the forwarding tables of the plurality of devices, so the network model can be used to perform reachability verification on the network to be verified. The network model describes the forwarding flow that each forwarding instance in the network to be verified applies to a packet, and the forwarding flow described in the network model is state-independent. For example, when forwarding is analyzed according to the forwarding flow of each device in the network to be verified and the network contains a stateful device, it would ordinarily be necessary to consider that the stateful device forwards according to its state. In the embodiment of the present application, a network model is generated such that, when the forwarding process is analyzed according to the network model, packet forwarding analysis is performed according to a state-independent forwarding flow even if a stateful device exists in the network model, which solves the problem of reachability verification for stateful devices.
In some embodiments of the present application, the step 202 of generating the network model according to the network configuration information and the forwarding information comprises:
2021. Obtain a target address set, where the target address set is the forwarding destination address set of a first stateful device in the plurality of devices, or a source address set used for matching a packet source address in the forwarding information of any stateless device in the plurality of devices, or a destination address set used for matching a packet destination address in the forwarding information of any stateless device in the plurality of devices, or a translation source address set of a second stateful device in the plurality of devices.
For example, for a stateful device, the target address set is the forwarding destination address set of a first stateful device in the plurality of devices, that is, the forwarding destination address set of the stateful device serves as the target address set. The forwarding destination address set includes a plurality of forwarding destination addresses, all of which are forwarding destination addresses of the stateful device when state is not considered: if the stateful device forwards according to its state, only 1 forwarding destination address can be used, whereas if the stateful device does not forward according to state, all of the plurality of forwarding destination addresses can be used. For another example, for a stateless device, the source address set used for matching a packet source address in the forwarding information of the stateless device serves as the target address set, and the destination address set used for matching a packet destination address in the forwarding information of the stateless device may also serve as the target address set; the target address set can be obtained in either of these ways. As another example, the translation source address set of the second stateful device serves as the target address set, where the translation source address set is the set of source addresses available to the second stateful device when it translates the source address of a packet to be forwarded.
2022. Determine the addresses in the target address set that have the same next hop as one equivalent address set, so as to obtain one or more equivalent address sets.
After the target address set is obtained, the next hop corresponding to each address in the target address set is determined, and the addresses in the target address set that have the same next hop are placed in the same equivalent address set. That is, addresses in the target address set with different next hops belong to different equivalent address sets, and one or more equivalent address sets are thereby determined. An equivalent address set corresponds to a packet set: a given device in the network to be verified applies the same forwarding behavior to every packet in the packet set, that is, the next hop corresponding to every packet in the packet set on that device is the same. Step 2022 may also be referred to as equivalent forwarding processing, and the one or more equivalent address sets obtained may also be referred to as the equivalent forwarding result.
The address with the same next hop in the target address set is determined as an equivalent address set, which may be called an Equivalence Class (EC). The corresponding next hop is the same, specifically, the corresponding next hop address is the same, or the corresponding outgoing interface is the same. For the same equivalent address set, the same forwarding instance will use the same forwarding path when forwarding any message corresponding to the equivalent address set, i.e. forwarding according to the same next hop address, or forwarding through the same output interface. An equivalent address set includes one or more IP addresses, and typically includes a plurality of IP addresses, and specifically may include one IP address segment, may include a plurality of IP address segments, may include a plurality of discrete IP addresses, and may include a combination of IP addresses and IP address segments.
For example, all IP address segments covered by the predetermined forwarding rules are partitioned; assume, for example, that 4 ECs are determined: EC1, EC2, EC3 and EC4. The flow policy refers to policies such as ACL and Network Address Translation (NAT) configured on the network device. For example, the forwarding information may include forwarding rule 1, forwarding rule 2 and forwarding rule 3, each corresponding to a segment of IP addresses. The equivalence classes of forwarding rule 1 may be EC1 and EC2, the equivalence classes of forwarding rule 2 may be EC2 and EC3, and the equivalence classes of forwarding rule 3 may be EC1 and EC4; the equivalent address sets are then the equivalence classes of each forwarding rule. When a packet is forwarded, forwarding rule 1 forwards according to EC1 and EC2 rather than according to a single IP address, forwarding rule 2 forwards according to EC2 and EC3 rather than according to a single IP address, and forwarding rule 3 forwards according to EC1 and EC4 rather than according to a single IP address.
For example, fig. 3 is a schematic diagram of an application scenario of a network to be verified provided in the embodiment of the present application. The network to be verified includes device 1, device 2, device 3, device 4, device m, device n and an LB. Device 1 is connected to device 2 through interface 1, device 1 is connected to device m through interface 2, device 2 is connected to the LB through interface 3, device 2 is connected to device n through interface 4, the LB is connected to device 3 through interface 5, the LB is connected to device 4 through interface 6, device 3 is connected to Server 1 through interface 7, device 3 is connected to Server 2 through interface 8, device 4 is connected to Server 3 through interface 9, and device 4 is connected to Server 4 through interface 10.
In the forwarding table of device 1, when the destination address is address q, the corresponding outgoing interface is interface 1, and when the destination address is address 2, the corresponding outgoing interface is interface 2.
In the forwarding table of the device 2, when the destination address is address q, the corresponding outgoing interface is interface 3, and when the destination address is address 3, the corresponding outgoing interface is interface 4.
When step 2022 is not performed for the LB, forwarding table 1 of the LB is obtained. In forwarding table 1, when the LB address is address q, the corresponding forwarding destination address is address a and the corresponding egress interface is interface 5; when the LB address is address q, the corresponding forwarding destination address is address b and the corresponding egress interface is interface 5; when the LB address is address q, the corresponding forwarding destination address is address c and the corresponding egress interface is interface 6; and when the LB address is address q, the corresponding forwarding destination address is address d and the corresponding egress interface is interface 6.
When step 2022 is performed for the LB, forwarding table 2 of the LB is obtained. In forwarding table 2, when the LB address is address q, the corresponding forwarding destination address is address set 1 and the corresponding egress interface is interface 5; and when the LB address is address q, the corresponding forwarding destination address is address set 2 and the corresponding egress interface is interface 6.
In the forwarding table of the device 3, when the destination address is address a, the corresponding outgoing interface is interface 7, and when the destination address is address b, the corresponding outgoing interface is interface 8.
In the forwarding table of the device 4, when the destination address is address c, the corresponding outgoing interface is interface 9, and when the destination address is address d, the corresponding outgoing interface is interface 10.
Based on the network to be verified shown in fig. 3, assume that the source address of the packet is the address of device 1 (address p) and the destination address of the packet is the address corresponding to the target service on the LB (address q). Servers 1 to 4 can provide the target service, and their addresses are addresses a, b, c and d respectively. According to forwarding table 1 of the LB, the forwarding destination addresses corresponding to destination address q are determined to be addresses a, b, c and d, each of which is used as a new packet destination address to query forwarding table 1, after which reachability verification continues. When equivalent address sets are generated, according to forwarding table 2 of the LB, the forwarding destination addresses corresponding to destination address q are determined to be address set 1 (containing addresses a and b) and address set 2 (containing addresses c and d), and address set 1 and address set 2 are used as new packet destination addresses to query forwarding table 2, after which reachability verification continues.
2023. Generate a forwarding table of the device to which the target address set belongs according to the equivalent address sets, where each forwarding table entry of the forwarding table corresponds to one equivalent address set.
After one or more equivalent address sets are obtained, the equivalent address sets are used for generating a forwarding table, the forwarding table comprises one or more forwarding table entries, and the forwarding table entries are in one-to-one correspondence with the equivalent address sets. One forwarding table entry includes an equivalent address set and information (e.g., an IP address of a next hop, and an identifier of an interface corresponding to the next hop on the first stateful device) for indicating a next hop corresponding to the equivalent address set. The network model may include a forwarding table of the device to which the target address set belongs. Each forwarding table entry in the forwarding table corresponds to the equivalent address set, so that when the reachability verification is performed by using the network model, batch forwarding analysis of the messages can be performed through the equivalent address set, forwarding analysis does not need to be performed for each forwarding destination address, and the verification efficiency of the reachability verification is improved.
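The fig. 3 scenario and steps 2022 to 2023, worked through as an added example that is not part of the patent text: the LB's per-address forwarding information is partitioned into equivalent address sets by next hop, a forwarding table with one entry per EC is built, and a batch reachability walk (step 203) from device 1 towards service address q follows the destination set through the model. Device, interface and address names are the placeholders used in the description; the link map, the servers as path endpoints and the entry layout are assumptions of this model.

```python
"""Fig. 3 scenario as a runnable model: equivalent address sets (step 2022),
an EC-based forwarding table (step 2023) and a batch reachability walk (step 203)."""
from __future__ import annotations
from collections import defaultdict

# Constructed topology from fig. 3: (device, egress interface) -> neighbouring device.
LINKS = {
    ("device1", "if1"): "device2", ("device1", "if2"): "devicem",
    ("device2", "if3"): "LB",      ("device2", "if4"): "devicen",
    ("LB", "if5"): "device3",      ("LB", "if6"): "device4",
    ("device3", "if7"): "Server1", ("device3", "if8"): "Server2",
    ("device4", "if9"): "Server3", ("device4", "if10"): "Server4",
}

# Stateless forwarding information: destination address -> egress interface.
STATELESS_FORWARDING = {
    "device1": {"q": "if1", "addr2": "if2"},
    "device2": {"q": "if3", "addr3": "if4"},
    "device3": {"a": "if7", "b": "if8"},
    "device4": {"c": "if9", "d": "if10"},
}

# Stateful LB: service address q -> forwarding destination address set, each address
# with its egress interface (the per-address "forwarding table 1" of the text).
LB_FORWARDING = {"q": {"a": "if5", "b": "if5", "c": "if6", "d": "if6"}}

# Servers terminate paths; each server owns one address (assumption of this model).
SERVER_ADDRESS = {"Server1": "a", "Server2": "b", "Server3": "c", "Server4": "d"}


def equivalence_classes(target_addresses: dict[str, str]) -> list[tuple[frozenset[str], str]]:
    """Step 2022: addresses of the target address set with the same next hop
    (here: the same egress interface) form one equivalent address set (EC)."""
    groups: dict[str, set[str]] = defaultdict(set)
    for addr, egress in target_addresses.items():
        groups[egress].add(addr)
    return [(frozenset(addrs), egress) for egress, addrs in groups.items()]


def build_network_model() -> dict:
    """Step 2023: one forwarding table entry per EC.

    Entry layout: (match set, egress interface, rewrite). A stateless device leaves the
    destination unchanged (rewrite None); the LB rewrites destination q to the EC of
    forwarding destination addresses ("forwarding table 2" of the text)."""
    tables: dict[str, list] = {}
    for dev, info in STATELESS_FORWARDING.items():
        tables[dev] = [(ec, egress, None) for ec, egress in equivalence_classes(info)]
    tables["LB"] = [
        (frozenset({service}), egress, ec)
        for service, dests in LB_FORWARDING.items()
        for ec, egress in equivalence_classes(dests)
    ]
    return {"links": LINKS, "tables": tables}


def verify_reachability(model: dict, device: str, dst_set: frozenset[str], path: tuple = ()):
    """Step 203: walk device -> forwarding table -> link for a whole destination set
    at once. Returns a list of (path, destination set carried on that path, status)."""
    path = path + (device,)
    if device in SERVER_ADDRESS:  # endpoint reached
        ok = SERVER_ADDRESS[device] in dst_set
        return [(path, dst_set, "reachable" if ok else "misdelivered")]
    results, matched = [], set()
    for match, egress, rewrite in model["tables"].get(device, []):
        hit = dst_set & match
        if not hit:
            continue
        matched |= hit
        new_dst = rewrite if rewrite is not None else frozenset(hit)
        neighbour = model["links"].get((device, egress))
        if neighbour is None:
            results.append((path, new_dst, f"no link on {egress}"))
        else:
            results.extend(verify_reachability(model, neighbour, new_dst, path))
    if dst_set - matched:  # addresses that no entry covers
        results.append((path, frozenset(dst_set - matched), "no route"))
    return results


if __name__ == "__main__":
    model = build_network_model()
    # Source p on device 1 towards service address q: four paths verified as two batches.
    for hop_path, dst, status in verify_reachability(model, "device1", frozenset({"q"})):
        print(" -> ".join(hop_path), sorted(dst), status)
```

The LB table shrinks from four per-address entries to two EC entries, and the walk still reaches all four servers because each EC is carried as one destination set until the stateless devices downstream split it by their own next hops.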
In other embodiments of the present application, the network configuration information further includes a flow policy of at least one of the plurality of devices, the flow policy including at least one of a security policy, a filtering policy and an ACL rule used by the device to which the flow policy belongs to control packet forwarding. For the description of the flow policy, see the foregoing embodiments; it is not repeated here. In the implementation scenario in which the flow policy is acquired, step 202 of generating the network model according to the network configuration information and the forwarding information includes:
2024. Generate, according to the equivalent address sets of the device to which the flow policy belongs and the flow policy, a forwarding policy based on the equivalent address sets of that device, where the network model further includes the forwarding policy.
The equivalent address sets of a device are generated through the foregoing steps 2021 to 2023, and the equivalent address sets of the device to which the flow policy belongs may be generated in the same way. The forwarding policy may then be generated according to the equivalent address sets of the device to which the flow policy belongs and the flow policy, where the forwarding policy is a policy that the forwarding instance can apply when forwarding, and the network model further includes the forwarding policy.
The forwarding policy is expressed in terms of the equivalence classes that the forwarding instance can use when forwarding. In this way, the reachability problem for a single source-destination path (that is, between one source IP address and one destination IP address) is converted into a batch source-service reachability problem (between a source EC and a destination EC), batch reachability verification of the stateful device is realized, and the efficiency of reachability verification is improved.
It should be noted that steps 2021 to 2023 in the foregoing embodiment describe one manner of generating the network model, but this embodiment is not limited to that manner. For example, equivalent forwarding processing may be performed using the forwarding information together with the flow policy, a forwarding policy may be generated directly, and the network model may finally be generated based on the forwarding policy. This is not limited here.
For example, fig. 4 is a schematic diagram of an application scenario for acquiring the forwarding information of a stateful device according to an embodiment of the present application. The Server is connected through a switch to a second stateful device, which may be, for example, a firewall, and the default gateway of the Server is set to the GE1/0/1 interface of the firewall. According to the security policy requirement, when the Server accesses the external network its source IP address must be translated into an IP address in the range 10.1.1.1 to 10.1.1.25. For example, if the source IP address of a packet is 192.168.10.5, after passing through the firewall the packet may carry any one of the 25 addresses 10.1.1.1 to 10.1.1.25; which IP address it is translated into depends on the translation policy of the firewall, which may use information such as the session state to decide. The forwarding information for the firewall therefore includes all 25 addresses 10.1.1.1 to 10.1.1.25 as translated source IP addresses, that is, a translation source address set is obtained rather than the single translated source IP address selected by the firewall's translation policy, so that reachability between the source address and the destination address can be verified for the case in which the source IP address is translated into each of the 25 source addresses.
In other embodiments of the present application, the forwarding table may also be generated without using equivalent address sets. For example, step 202 of generating the network model according to the network configuration information and the forwarding information includes:
2025. Generate a forwarding table of the first stateful device according to the forwarding information of the first stateful device, where each forwarding table entry of the forwarding table corresponds to one forwarding destination address in the forwarding destination address set.
The forwarding information of one or more first stateful devices may be obtained. As described above, the forwarding information of a first stateful device includes a forwarding destination address set, so each forwarding table entry in the forwarding table of the first stateful device may be determined from one forwarding destination address in that set; that is, the forwarding destination addresses in the forwarding destination address set correspond one to one to the forwarding table entries, and each forwarding table entry includes a forwarding destination address and information indicating the next hop corresponding to that forwarding destination address (the IP address of the next hop and an identifier of the interface on the first stateful device corresponding to the next hop). The forwarding table of the first stateful device may thus be generated from the forwarding destination address set, a network model may be generated in the manner described above, and the network model may include this forwarding table.
In other embodiments of the present application, the network configuration information further includes device configuration information, the device configuration information including configuration parameters of the forwarding instances in the plurality of devices and configuration parameters of the interfaces. For the description of the device configuration information, refer to the foregoing embodiments; it is not repeated here. In an application scenario in which the device configuration information is obtained, a data structure of a forwarding instance, a data structure of an interface and a data structure of a link may be generated according to the network topology and the device configuration information so as to obtain the network model, where the network model further includes the data structure of the forwarding instance, the data structure of the interface and the data structure of the link;
the data structure of the forwarding instance is used for describing the relationship between the forwarding instance and other forwarding instances and/or the relationship between interfaces corresponding to the forwarding instance;
the data structure of the interface is used for describing the relationship between the interface and the forwarding instance corresponding to the interface and/or the relationship between the interface and the connected link;
the data structure of a link is used to describe the relationship between the link and the interface to which the link is connected.
Specifically, the data structure of the forwarding instance, the data structure of the interface, and the data structure of the link included in the network model may be used to perform reachability verification on the network to be verified.
In some embodiments of the present application, after performing step 201 to step 202, as shown in fig. 5, the method provided in the embodiments of the present application further includes:
203. Perform reachability verification on the network to be verified according to the network model.
After the device for realizing reachability verification generates the network model, it can use the network model to perform reachability verification on the network to be verified and thereby obtain the result of the reachability verification. This solves the problem that the reachability of a stateful device could not previously be verified.
For example, the device for implementing reachability verification first performs data acquisition to obtain information such as the forwarding instances, interfaces (interface), links (link) and flow policies (policy). After this information is obtained, a network model may be generated, and the network model may be used to perform reachability verification between a source address and a destination address, for example by checking whether a path is reachable following the sequence source address -> link -> interface (including node) -> forward (forwarding table) -> policy.
Taking a firewall as the stateful device, for example: verify the reachability from 192.168.0.5 to 10.1.1.1/27. The reachability verification mainly includes the following procedure. The device for realizing the reachability verification first finds the corresponding interface and VPN information according to the interface information, where the VPN information corresponds one to one to a node, and the node may be the default node on the network device. It then finds the link corresponding to the firewall interface FW GE1/0/1. On the firewall device, source address translation converts 192.168.0.5 into the source address set EC1, and the forwarding table of the firewall device is queried: the next hop address of EC1 is 10.1.1.1 and the interface is FW GE1/0/2. The forwarding table is then queried again; since the entry for EC1 records rejection (deny), the packet is terminated at the firewall. If instead the entry for EC1 recorded permission (permit), the next hop would be the GE1/0/2 interface of the firewall and the path would be Server -> FW GE1/0/1 -> FW GE1/0/2.
Taking a load balancer as the stateful device, the stateful configuration information of the load balancer is processed differently from that of the firewall. Assume that a packet with source address 10.130.254.1:9081 passes through the load balancer and its possible next hops are 10.130.6.31-10.130.6.40:1909; the address range 10.130.6.31-10.130.6.40 can form an equivalence class, a forwarding policy is generated according to this equivalence class and the flow policy, and the subsequent reachability verification is similar to that of the firewall and is not illustrated here.
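The firewall example above (source address translation into a translation source address set, an EC for that set, and a per-EC forwarding policy that decides permit or deny, as in steps 2021, 2022 and 2024), worked as an added example that is not part of the patent text. The Python below takes the 10.1.1.1 to 10.1.1.25 range, the next hop and the interface names from the description; the flow policy rules and the implicit-deny default are constructed, and splitting an EC whose addresses receive different actions is a refinement that goes beyond the text.

```python
"""Stateful firewall with source translation: translation source address set -> EC ->
per-EC forwarding policy -> permit/deny outcome (constructed example)."""
from __future__ import annotations
import ipaddress
from collections import defaultdict

IPv4 = ipaddress.IPv4Address


def expand_range(first: str, last: str) -> list[IPv4]:
    """Enumerate an inclusive IPv4 range such as 10.1.1.1 to 10.1.1.25."""
    lo, hi = int(IPv4(first)), int(IPv4(last))
    return [IPv4(i) for i in range(lo, hi + 1)]


# Step 2021 for the second stateful device: the target address set is the whole
# translation source address set, not the single address a NAT session would pick.
TRANSLATION_SOURCE_SET = expand_range("10.1.1.1", "10.1.1.25")

# Constructed forwarding information: translated source -> (next hop, egress interface),
# using the next hop and interface quoted in the text for EC1.
FW_FORWARDING_INFO = {a: ("10.1.1.1", "FW GE1/0/2") for a in TRANSLATION_SOURCE_SET}

# Constructed flow policy, first match wins: deny one /28 slice, permit everything else.
FLOW_POLICY = [
    (ipaddress.ip_network("10.1.1.16/28"), "deny"),
    (ipaddress.ip_network("0.0.0.0/0"), "permit"),
]


def equivalence_classes(target: dict) -> list[tuple[frozenset, tuple[str, str]]]:
    """Step 2022: addresses with the same next hop form one EC."""
    groups: dict[tuple[str, str], set] = defaultdict(set)
    for addr, next_hop in target.items():
        groups[next_hop].add(addr)
    return [(frozenset(addrs), nh) for nh, addrs in groups.items()]


def verdict(addr: IPv4, flow_policy) -> str:
    """First matching rule decides; no match means deny (constructed default)."""
    for net, action in flow_policy:
        if addr in net:
            return action
    return "deny"


def ec_forwarding_policy(ecs, flow_policy) -> list[tuple[frozenset, tuple[str, str], str]]:
    """Step 2024: lift the flow policy onto equivalence classes.

    A batch verdict is only sound if every address in the EC gets the same action, so
    an EC that a rule boundary cuts through is split by verdict before it becomes a
    forwarding-policy entry (a refinement not spelled out in the text)."""
    entries = []
    for ec, next_hop in ecs:
        by_action: dict[str, set] = defaultdict(set)
        for addr in ec:
            by_action[verdict(addr, flow_policy)].add(addr)
        for action in sorted(by_action):
            entries.append((frozenset(by_action[action]), next_hop, action))
    return entries


def verify_through_firewall(src: str, policy_entries, in_if: str = "FW GE1/0/1"):
    """Step 203 at the firewall: src is translated to the full source set, then every
    forwarding-policy entry decides whether its batch stops here or is forwarded."""
    outcomes = []
    for ec, (next_hop, out_if), action in policy_entries:
        if action == "deny":
            outcomes.append((src, ec, ("Server", in_if), "terminated at firewall"))
        else:
            outcomes.append((src, ec, ("Server", in_if, out_if), f"next hop {next_hop}"))
    return outcomes


def run() -> list:
    ecs = equivalence_classes(FW_FORWARDING_INFO)      # one EC of 25 translated sources
    entries = ec_forwarding_policy(ecs, FLOW_POLICY)    # split into a deny and a permit batch
    return verify_through_firewall("192.168.0.5", entries)


if __name__ == "__main__":
    for src, ec, path, status in run():
        print(src, f"-> {len(ec)} translated sources:", " -> ".join(path), status)
```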
In some embodiments of the present application, after performing step 201 to step 202, the method provided in embodiments of the present application further includes:
obtaining a reachability verification result;
and outputting the reachability verification result.
Here, the device for realizing reachability verification may also acquire the result of the reachability verification and then output it. There are various implementations: the device for realizing reachability verification may present the result of the reachability verification itself, or it may transmit the result to a display device so that the display device presents it, where the display device may be, for example, a terminal with a display screen.
In other embodiments of the present application, a first apparatus for implementing reachability verification may further transmit the network model to a second apparatus for implementing reachability verification, and the second apparatus performs reachability verification on the network to be verified according to the network model. The network model acquired by the second apparatus includes information describing the connection relationships among the plurality of devices in the network to be verified and the forwarding tables of the plurality of devices, where the plurality of devices include at least one stateful device, and the forwarding table of a first stateful device among the stateful devices includes forwarding table entries corresponding to a plurality of forwarding destination addresses available to the first stateful device when forwarding a packet.
In some embodiments of the present application, the plurality of devices include a plurality of stateful devices, the plurality of stateful devices include a second stateful device, the network model acquired by the second apparatus for implementing reachability verification further includes a forwarding table of the second stateful device, and the forwarding table of the second stateful device includes a forwarding table entry corresponding to a plurality of converted source addresses that are available when the second stateful device converts a source address of a packet to be forwarded. If the plurality of converted source addresses are divided into the equivalent address set, each forwarding table entry includes an equivalent address set and information indicating a next hop corresponding to the equivalent address set (e.g., an IP address of the next hop, an identifier of an interface corresponding to the next hop on the second stateful device). If the plurality of translated source addresses are not divided into equivalent address sets, each forwarding entry includes an available translated source address and information indicating a next hop corresponding to the source address (e.g., an IP address of the next hop, an identification of an interface on the first stateful device corresponding to the next hop). The forwarding table of the second stateful device may also include a correspondence of an address or address segment for a matching source address to the plurality of translated source addresses.
Next, the reachability verification by the apparatus for realizing the reachability verification will be described as an example.
In some embodiments of the present application, the performing, in step 203, reachability verification on the network to be verified according to the network model includes:
2031. and performing reachability verification on the network to be verified based on a source address set and a destination address set according to the network model, wherein the source address set comprises at least one source address, and the destination address set comprises at least one destination address.
The source address refers to an address of a forwarding instance needing to send a message in the network to be verified, the destination address refers to an address of a forwarding instance needing to receive a message in the network to be verified, the device for realizing reachability verification can perform reachability verification on the network to be verified based on the source address set and the destination address set, and the reachability verification process can also be called source-destination reachability verification.
In some embodiments of the present application, the step 2031, according to the network model, performing reachability verification on the network to be verified based on the source address set and the destination address set in the network to be verified, includes:
and according to the network model, performing reachability verification on paths from the source addresses in the source address set to the destination addresses in the destination address set.
In addition, in the same manner, the path from a destination address to a source address is also a unidirectional path. If the device for implementing reachability verification performs reachability verification on both unidirectional paths, verification of the bidirectional reachability between the source and the destination is achieved, which improves the efficiency of reachability verification.
In other embodiments of the present application, the step 2031, according to the network model, performing reachability verification on the network to be verified based on the source address set and the destination address set in the network to be verified, includes:
according to the network model, performing reachability verification on a path between a source address in a source address set and a device corresponding to a destination address in a destination address set, wherein the device corresponding to the destination address comprises: the device to which the destination address belongs, and/or the device associated with the destination address.
The reachability verification may also refer to verification of a path from a source address to a device corresponding to a destination address, where the device corresponding to the destination address includes the device to which the destination address belongs and/or a device associated with the destination address. A device associated with the destination address is a device directly or indirectly connected to the device to which the destination address belongs; for example, if the destination address is the address of a load balancer, the plurality of service servers connected to the load balancer may be the devices associated with the destination address. In this way, reachability verification from the source address to the device corresponding to the destination address can be achieved.
Further, in some embodiments of the present application, a destination address in the destination address set is an address corresponding to the target service on a first stateful device in the multiple devices, and the devices associated with the destination address are multiple service servers providing the target service.
The destination address may be the address of a target service on the stateful device, where the target service is provided by a plurality of service servers; those service servers are then the devices associated with the destination address. Reachability verification can thus be performed against the plurality of service servers connected to the stateful device.
As can be seen from the foregoing description, first, network configuration information of a network to be verified and forwarding information of multiple devices in that network are obtained, where the network configuration information includes the network topology, the multiple devices include at least one stateful device, the forwarding information of a first stateful device among the at least one stateful device includes a forwarding destination address set, and the forwarding destination address set includes the multiple forwarding destination addresses available to that stateful device when forwarding a packet; then a network model is generated from the network configuration information and the forwarding information, where the network model includes information describing the connection relationships among the multiple devices and the forwarding tables of the multiple devices, the forwarding table of the first stateful device includes forwarding table entries corresponding to the multiple forwarding destination addresses, and the network model is used for reachability verification of the network to be verified. Because the forwarding information of the stateful device is collected and its forwarding table is part of the generated network model, the network model supports reachability verification through stateful devices.
As shown in fig. 6, an embodiment of the present application provides a method for implementing reachability verification, including:
501. Acquire a network model of the network to be verified.
The network model includes: the network authentication method includes the steps of obtaining information for describing connection relationships among a plurality of devices in the network to be authenticated and forwarding tables of the plurality of devices in the network to be authenticated, wherein the plurality of devices include at least one stateful device, and the forwarding table of a first stateful device in the at least one stateful device includes forwarding table entries corresponding to a plurality of forwarding destination addresses available for the stateful device to forward a message.
In some embodiments of the present application, the multiple devices include multiple stateful devices, among them a second stateful device, and the network model acquired by the apparatus further includes the forwarding table of the second stateful device, whose entries correspond to the multiple translated source addresses available to the second stateful device when it translates the source address of a packet to be forwarded.
It should be noted that for a detailed description of the network model in 501, refer to the foregoing embodiment.
502. Perform reachability verification on the network to be verified according to the network model.
It should be noted that for the specific process of reachability verification in 502, refer to the foregoing embodiment.
As can be seen from the foregoing description, the network model includes information describing the connection relationships among the multiple devices in the network to be verified and the forwarding tables of those devices, where the forwarding table of the first stateful device includes forwarding table entries corresponding to the multiple forwarding destination addresses available to it, and the network model is used for reachability verification of the network to be verified. Because the forwarding information of the stateful device is collected and its forwarding table is part of the network model, the network model supports reachability verification through stateful devices.
In order to better understand and implement the above-described scheme of the embodiments of the present application, the following description specifically illustrates a corresponding application scenario.
The architecture of the apparatus for implementing reachability verification according to the embodiment of the present application is shown in fig. 7a to 7c. The embodiment provides a reachability verification scheme that collects the network topology, device configuration information, forwarding information and state configuration information of the network devices, and implements reachability verification for stateful devices by constructing a state-independent network model, namely the network model generated in step 202 shown in fig. 2.
Reachability verification of stateful devices involves the following services: a data collection service and a network model building service, and optionally a reachability verification service and a verification report management service.
The data collection service collects network configuration information and state configuration information. The network configuration information may include topology, device configuration information and forwarding information, where the forwarding information may include ARP entries, routing entries, forwarding entries, the Routing Information Base (RIB) and the Forwarding Information Base (FIB), and the device configuration information may include physical nodes, interfaces, links, virtual extensible LAN (VXLAN) configuration and the like. The state configuration information relates to the forwarding state of a stateful device; the states it contains, such as session state and device state, determine the next hop when the stateful device forwards a packet.
The network model building service generates the network model through stateless processing; this may be the network model generated in step 202 of the foregoing embodiment and may include the data structure of forwarding instances, the data structure of interfaces, the data structure of links, forwarding tables, forwarding policies and the like.
The reachability verification service uses the network model to perform source-destination unidirectional path verification, full-network verification and source-destination bidirectional path verification by means such as recursive search. Source-destination unidirectional path verification verifies the unidirectional path from a source address to a destination address; full-network verification runs source-destination unidirectional verification in batches and thereby covers reachability between all available source addresses and all destination addresses in the network to be verified; source-destination bidirectional path verification verifies reachability from source to destination and from destination to source.
The verification report management service presents the complete source-destination unidirectional and bidirectional reachability paths.
For full-network verification, a set of source-destination address pairs to be verified is obtained first; each pair consists of a source address set and a destination address set, and either set may contain a single address or a specific address range. Reachability verification is then performed for each pair in the set according to the implementation described in the foregoing embodiment.
In deployment, the four services may be deployed centrally or distributed as microservices. In centralized deployment the four services run on the same device, typically a personal computer or a server, and share a unified data store; in distributed deployment they run on different devices and exchange data over a data bus.
Fig. 8 is a flowchart illustrating an implementation of the embodiment of the present application. Specifically, the network model construction service includes the following processing steps:
(1) Obtain the network configuration information and state configuration information collected by the data collection service. The network configuration information may include topology, device configuration information and forwarding information, where the forwarding information may include ARP entries, routing entries, forwarding entries, the RIB and the FIB, and the device configuration information may include physical nodes, interfaces, links, VXLAN configuration and the like. The state configuration information relates to the forwarding state of a stateful device; the states it contains, such as session state and device state, determine the next hop when the stateful device forwards a packet.
(2) Determine whether the data obtained in step (1) is state configuration information.
(3.1) If it is state configuration information, perform stateless processing on it and then generate the forwarding address complete set.
Stateless processing here means obtaining the forwarding destination address set of the stateful device as in step 201 shown in fig. 2 of the foregoing embodiment, described in detail above. The forwarding address complete set generated in step (3.1) is the set of forwarding addresses in that forwarding destination address set.
For the state configuration information of a stateful device, a stateless processing method is adopted. It solves the problem of modelling a stateful device statelessly: the nondeterministic forwarding behaviour, which is implemented by the external network element, is not directly observable and depends on internal logic, is converted into a deterministic static network model, and end-to-end network reachability verification is achieved.
The purpose of the stateless processing in step (3.1) is to convert the single path determined by the state configuration information into multiple state-independent paths. For example, there are 3 paths in total from LB1 to the servers: LB1 -> Server1, LB1 -> Server2, LB1 -> Server3. The stateful path is only one of them; after stateless processing, the model contains all 3 paths from LB1 to the servers. Stateless processing is thus the conversion of a single path into multiple paths.
In this embodiment, the 'source-destination' reachability problem is converted into a 'source-service' reachability problem. Many factors influence forwarding, such as intelligent routing algorithms and load-balancing scheduling algorithms, but they only affect an individual forwarding decision, not the complete set of possible forwarding results. Filters, ACLs, security policies, destination network address translation (DNAT) and source network address translation (SNAT), by contrast, directly affect the forwarding result and must take part in building the forwarding policy, as they do for switch and router devices.
As shown in fig. 9, the application scenario includes two firewalls (FW1, FW2), two switches (SW1, SW2), two load balancers (LB1, LB2) and 3 servers (Server1, Server2, Server3). For each user service request, LB1 normally selects one server, for example Server3, according to the session information of the request and the actual resource usage of Server1, Server2 and Server3; that selection is a single forwarding decision that depends on the state used by the scheduling algorithm. The forwarding address complete set disregards the scheduling algorithm and takes the overall set of possible scheduling results, namely the 3 devices Server1, Server2 and Server3.
(3.2) If the data is not state configuration information, process the network topology, device configuration information and the like to generate node information, interface information and link information.
The node information refers to the data structure of the forwarding instance in the foregoing embodiment, the interface information refers to the data structure of the interface in the foregoing embodiment, and the link information refers to the data structure of the link in the foregoing embodiment.
(4) Forwarding processing.
Perform equivalent forwarding processing on the forwarding address complete set from step (3.1) together with the ARP entries, routing entries, NAT entries and the like to generate an equivalent forwarding result.
The forwarding process in step (4) refers to step 2022 in the foregoing embodiment, which is described in detail in the foregoing description. The equivalent forwarding result generated here may be the aforementioned equivalent address set, which may be referred to as an Equivalence Class (EC).
As shown in fig. 10, an equivalence class is a set P of packets such that for any packets p1, p2 in P and any network device R, the forwarding behaviour of p1 and p2 on R is identical. The IP address space covered by the rules is first divided into 4 parts: 11.0.0.0-11.0.255.255, 11.1.0.0-11.1.255.255, 11.2.0.0-11.255.255.255 and 12.1.0.0-12.1.255.255, i.e. 4 equivalence classes EC1, EC2, EC3 and EC4. A flow policy is a policy such as an ACL or NAT configured on a network device. For example, forwarding rule 1 is "rule 100 permit source 11.0.0.0 0.255.255.255", affecting the address segment 11.0.0.0/8; forwarding rule 2 is "rule 200 permit source 11.0.0.0 0.255.255.255, rule 201 permit source 12.1.0.0 0.0.255.255", affecting 11.0.0.0/8 and 12.1.0.0/16; forwarding rule 3 is "rule 300 permit source 11.1.0.0 0.0.255.255, rule 301 permit source 12.1.0.0 0.0.255.255", affecting 11.1.0.0/16 and 12.1.0.0/16. Since 11.0.0.0/8 contains the first three segments, the equivalence classes of forwarding rule 1 are EC1, EC2 and EC3, those of forwarding rule 2 are EC1, EC2, EC3 and EC4, and those of forwarding rule 3 are EC2 and EC4. This converts the single-path 'source-destination' reachability problem (between source and destination IPs) into a batched 'source-service' reachability problem (between source and destination ECs).
For example, from the equivalence classes generated in step (4) and the flow policies (security policy, Filter, ACL and the like), the corresponding forwarding policies are generated: for forwarding rule 1, "permit source EC1/EC2/EC3"; for forwarding rule 2, "permit source EC1/EC2/EC3/EC4"; for forwarding rule 3, "permit source EC2/EC4".
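The equivalence class division of step (4) can be carried out mechanically from the prefixes that the flow policies reference. The following Python is an added example written for this page, not code from the patent: it takes the page's three rules rewritten as CIDR prefixes (a Huawei wildcard of 0.255.255.255 is a /8, 0.0.255.255 a /16), cuts the covered address space at every prefix boundary, and rewrites each rule as an EC-based forwarding policy. The rule names and the dictionary layout are assumptions made for the example. The computation places EC3 under rules 1 and 2 as well, because 11.0.0.0/8 contains 11.2.0.0-11.255.255.255.

```python
"""Equivalence-class (EC) division of IPv4 address space by prefix.

Added illustration, not the patent's code. RULES is constructed from the
page's three ACL rules, rewritten as CIDR prefixes.
"""
import ipaddress
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # inclusive integer address range

RULES: Dict[str, List[str]] = {
    "forwarding rule 1": ["11.0.0.0/8"],
    "forwarding rule 2": ["11.0.0.0/8", "12.1.0.0/16"],
    "forwarding rule 3": ["11.1.0.0/16", "12.1.0.0/16"],
}


def prefix_range(prefix: str) -> Range:
    net = ipaddress.ip_network(prefix, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def divide_ecs(prefixes: List[str]) -> Dict[str, Range]:
    """Split the address space covered by `prefixes` into the coarsest
    disjoint ranges such that every prefix is a union of whole ranges.
    Two addresses in one range are matched by exactly the same prefixes,
    so every prefix-based rule treats them identically (the EC property).
    Returns {"EC1": (lo, hi), ...} in ascending address order."""
    ranges = [prefix_range(p) for p in prefixes]
    cuts = sorted({b for lo, hi in ranges for b in (lo, hi + 1)})
    ecs: Dict[str, Range] = {}
    for a, b in zip(cuts, cuts[1:]):
        seg = (a, b - 1)
        # Every cut point is a prefix boundary, so a segment lies either
        # fully inside or fully outside each prefix; keep covered segments.
        if any(lo <= seg[0] and seg[1] <= hi for lo, hi in ranges):
            ecs[f"EC{len(ecs) + 1}"] = seg
    return ecs


def ec_of(ecs: Dict[str, Range], addr: str) -> str:
    """Name of the EC containing `addr` (header space lookup by address)."""
    a = int(ipaddress.ip_address(addr))
    for name, (lo, hi) in ecs.items():
        if lo <= a <= hi:
            return name
    raise ValueError(f"{addr} is outside every EC")


def rule_to_ecs(ecs: Dict[str, Range], rule_prefixes: List[str]) -> List[str]:
    """ECs fully contained in at least one prefix of the rule."""
    ranges = [prefix_range(p) for p in rule_prefixes]
    return [name for name, (lo, hi) in ecs.items()
            if any(plo <= lo and hi <= phi for plo, phi in ranges)]


def forwarding_policy(rules: Dict[str, List[str]]) -> Dict[str, str]:
    """Rewrite prefix-based permit rules as EC-based forwarding policies."""
    ecs = divide_ecs([p for ps in rules.values() for p in ps])
    return {rule: "permit source " + "/".join(rule_to_ecs(ecs, ps))
            for rule, ps in rules.items()}


def fmt(ecs: Dict[str, Range]) -> Dict[str, str]:
    """Render integer ranges as dotted-quad ranges for display."""
    return {n: f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}"
            for n, (lo, hi) in ecs.items()}


if __name__ == "__main__":
    ecs = divide_ecs([p for ps in RULES.values() for p in ps])
    print(fmt(ecs))
    print(forwarding_policy(RULES))
```

The same routine applies to destination prefixes, which is how the destination side is split into the 'service EC' classes used later: collect every prefix that any FIB entry or policy references, cut once, and every later check works on class names instead of individual addresses.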
(5) Policy processing.
On the basis of the equivalent forwarding result, generate the corresponding forwarding policy by combining the device's flow policies such as security policy, filtering policy and ACL.
The policy processing in step (5) refers to step 2024 in the previous embodiment, which is described in detail in the foregoing description.
(6) Construct the network model.
The network model constructed in step (6) may be the network model generated in step 202 of the foregoing embodiment; for example, it includes information describing the connection relationships among the multiple devices in the network to be verified and the forwarding tables of those devices, where the multiple devices include at least one stateful device, and the forwarding table of a first stateful device among them includes forwarding table entries corresponding to the multiple forwarding destination addresses available to the first stateful device when forwarding a packet.
In some embodiments of the present application, the multiple devices include multiple stateful devices, among them a second stateful device, and the network model further includes the forwarding table of the second stateful device, whose entries correspond to the multiple translated source addresses available to the second stateful device when it translates the source address of a packet to be forwarded.
In some embodiments of the present application, the network model further comprises: the data structure of the forwarding instance, the data structure of the interface, the data structure of the link, and the forwarding policy.
Once the network model of step (6) is available, reachability verification can be performed on the network to be verified: single-path 'source-destination' verification, and the batched conversion of 'source-destination' single-path verification into 'source EC-service EC' verification. Based on the forwarding tables, the source side and the destination side are each divided into equivalence classes, so the single-path 'source-destination' reachability problem becomes a batched 'source EC-service EC' reachability problem, which greatly improves verification performance. While the 'source-service' equivalence classes are generated, 'service-source' reachability is verified from the forwarding tables and forwarding policies as well, giving bidirectional 'source-destination' path verification.
The reachability verification service uses the network model generated by the network model building service. Based on the forwarding tables, the source side and the service side of 'source-service' are each divided into header spaces by the method of step (4); the equivalence class division is by IP address prefix, i.e. it is a header space division. The single-path 'source-destination' reachability problem is thereby converted into the batched 'source-service' reachability problem, and reachability is then verified by a scheme such as recursive search.
For example, the reachability from source A to destination B is to be verified, where destination B is a load-balanced service provided by a stateful device. After the stateless processing of step (3.1), destination B consists of 30 VMs with addresses 11.0.0.1-11.0.0.10, 11.1.0.1-11.1.0.10 and 12.1.0.1-12.1.0.10. Interface Ethernet0/0/1 is down because of a fault, the routing table is as shown in table 1 below, and the path beyond the next hop is assumed to be reachable. The destination equivalence classes are then the 3 classes EC1, EC2 and EC4; the routing table shows that EC1 and EC2 are reachable and EC4 is not, i.e. 20 VMs are reachable and 10 are not. The 30 single-path source-destination verifications originally needed are thus converted into 3 batched 'source EC-service EC' verifications, which greatly improves verification efficiency.
Table 1: routing table (reproduced in the original as an image, not as text)
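The stateless expansion of LB1 in step (3.1) and the 'source EC-service EC' batched search of this example can be put together in one small model. The Python below is an added illustration, not the patent's code. Its topology (host A behind FW1, LB1 publishing VIP 20.0.0.1 for the 30 VMs, router R1 with Eth0/0/1 down), the addresses, R1's routing table and the firewall policy are all constructed to stand in for fig. 9 and table 1, and the dictionary-based model format, the `owns` and `service` fields and the function names are assumptions. The load balancer is represented by its complete backend set rather than a per-session choice, each VM subnet is one destination EC, and the recursive search is run once per EC instead of once per VM.

```python
"""Stateless network model and batched 'source EC -> service EC' reachability.

Added illustration, not the patent's code. Topology, addresses, the
routing table and the fault are constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def _net(prefix: str):
    return ipaddress.ip_network(prefix, strict=False)


def _in(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in _net(prefix)


# Step (3.1): stateless processing of LB1's state configuration. The live LB
# picks one backend per session; the model keeps the whole backend set
# (the forwarding address complete set).
BACKENDS = ([f"11.0.0.{i}" for i in range(1, 11)]
            + [f"11.1.0.{i}" for i in range(1, 11)]
            + [f"12.1.0.{i}" for i in range(1, 11)])

# Step (6): the static model. Per device: interface -> neighbour links, a
# FIB of (prefix, out-interface), an optional source flow policy, interfaces
# in fault state, prefixes the device terminates ("owns"), and for the
# stateful LB1 the expanded destination set of its VIP ("service").
MODEL: Dict[str, dict] = {
    "A":   {"links": {"eth0": "FW1"}, "fib": [("0.0.0.0/0", "eth0")]},
    "FW1": {"links": {"in": "A", "out": "LB1"}, "fib": [("0.0.0.0/0", "out")],
            "policy": [("permit", "10.1.0.0/16")]},
    "LB1": {"links": {"in": "FW1", "out": "R1"}, "fib": [("0.0.0.0/0", "out")],
            "owns": ["20.0.0.1/32"], "service": {"20.0.0.1": BACKENDS}},
    "R1":  {"links": {"Eth0/0/0": "NET11", "Eth0/0/1": "NET12"},
            "fib": [("11.0.0.0/16", "Eth0/0/0"), ("11.1.0.0/16", "Eth0/0/0"),
                    ("12.1.0.0/16", "Eth0/0/1")],
            "down": {"Eth0/0/1"}},
    "NET11": {"links": {}, "fib": [], "owns": ["11.0.0.0/16", "11.1.0.0/16"]},
    "NET12": {"links": {}, "fib": [], "owns": ["12.1.0.0/16"]},
}

# Destination-side header space division (step 4), by prefix.
ECS = {"EC1": "11.0.0.0/16", "EC2": "11.1.0.0/16", "EC4": "12.1.0.0/16"}


def ec_of(addr: str) -> str:
    for name, prefix in ECS.items():
        if _in(addr, prefix):
            return name
    raise ValueError(f"{addr} outside every destination EC")


def lookup(fib: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match returning the out-interface, or None."""
    hits = [(_net(p).prefixlen, iface) for p, iface in fib if _in(dst, p)]
    return max(hits)[1] if hits else None


def permitted(policy, src: str) -> bool:
    if not policy:
        return True
    for action, prefix in policy:
        if _in(src, prefix):
            return action == "permit"
    return False  # implicit deny at the end of the policy


def reach(device: str, src: str, dst: str, visited=()) -> Optional[str]:
    """Recursive search over the model; returns the device that terminates
    dst, or None if the packet is dropped, looped or black-holed."""
    if device in visited:
        return None
    node = MODEL[device]
    if any(_in(dst, p) for p in node.get("owns", [])):
        return device
    if not permitted(node.get("policy"), src):
        return None
    iface = lookup(node["fib"], dst)
    if iface is None or iface in node.get("down", ()):
        return None
    return reach(node["links"][iface], src, dst, visited + (device,))


def verify_service(src: str, vip: str, entry: str = "A") -> Dict[str, Tuple[bool, int]]:
    """'Source -> service' verification: one search to the device owning the
    VIP, then one search per destination EC instead of one per backend.
    Returns {EC: (reachable, number of VMs in that EC)}."""
    lb = reach(entry, src, vip)
    if lb is None:
        return {}
    groups = defaultdict(list)
    for backend in MODEL[lb]["service"][vip]:
        groups[ec_of(backend)].append(backend)
    return {ec: (reach(lb, src, members[0]) is not None, len(members))
            for ec, members in sorted(groups.items())}


if __name__ == "__main__":
    for ec, (ok, n) in verify_service("10.1.0.5", "20.0.0.1").items():
        print(f"{ec}: {'reachable' if ok else 'unreachable'} ({n} VMs)")
```

Running it reports EC1 and EC2 reachable (20 VMs) and EC4 unreachable (10 VMs): three searches replace thirty. A source outside 10.1.0.0/16 is stopped at FW1 by the implicit deny and yields an empty result, which is the behaviour a practitioner should insist on: a flow-policy deny is reported as unreachable rather than silently skipped, and a loop in the model terminates through the visited set instead of recursing forever.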
The verification report management service presents the complete source-destination unidirectional and bidirectional path verification results based on the results of the reachability verification service.
As can be seen from the above, in this embodiment a state-independent network model is constructed and the single-path 'source-destination' reachability problem is converted into a batched 'source EC-service EC' reachability problem, giving batched reachability verification through stateful devices. 'Source EC-service EC' verification avoids the inefficiency of verifying source-destination single paths one by one, as in current probe-based (dial testing) schemes, needs no dedicated probing server, and is cheap to deploy. Furthermore, stateful devices can be verified: stateless processing converts the nondeterministic forwarding behaviour, which is implemented by the external network element, is not directly observable and depends on internal logic, into a deterministic static forwarding model, so that end-to-end network reachability verification is achieved.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
To facilitate better implementation of the above-described aspects of the embodiments of the present application, the following also provides relevant means for implementing the above-described aspects.
As shown in fig. 11, an apparatus 1100 for implementing reachability verification is provided in an embodiment of the present application, including:
an obtaining module 1101, configured to obtain network configuration information of a network to be verified and forwarding information of multiple devices in the network to be verified, where the network configuration information includes a network topology, the multiple devices include at least one stateful device, the forwarding information of a first stateful device in the at least one stateful device includes a forwarding destination address set, and the forwarding destination address set includes multiple forwarding destination addresses that are available when the stateful device performs packet forwarding;
a generating module 1102, configured to generate a network model according to the network configuration information and the forwarding information, where the network model includes the forwarding table of the first stateful device, the forwarding table of the first stateful device includes forwarding table entries corresponding to the forwarding destination addresses, and the network model is used for performing reachability verification on the network to be verified.
In some embodiments of the present application, the generating module is configured to obtain a destination address set, where the destination address set is the forwarding destination address set of a first stateful device in the multiple devices, or a source address set used for matching a message source address in forwarding information of any stateless device in the multiple devices, or a destination address set used for matching a message destination address in forwarding information of any stateless device in the multiple devices; determining the address with the same next hop in the target address set as an equivalent address set to obtain one or more equivalent address sets; and generating a forwarding table of the device to which the target address set belongs according to the equivalent address set, wherein each forwarding table entry of the forwarding table corresponds to one equivalent address set.
In some embodiments of the present application, the network configuration information further includes: a flow policy of at least one of the plurality of devices, the flow policy comprising: the equipment to which the flow strategy belongs uses at least one of a security strategy, a filtering strategy and an Access Control List (ACL) rule for controlling message forwarding;
the generating module is configured to generate an equivalent address set-based forwarding policy of the device to which the flow policy belongs according to the equivalent address set of the device to which the flow policy belongs and the flow policy, where the network model further includes the forwarding policy.
In some embodiments of the present application, the generating module is configured to generate a forwarding table of the first stateful device according to forwarding information of the first stateful device, where each forwarding table entry of the forwarding table corresponds to one forwarding destination address in the forwarding destination address set.
In some embodiments of the present application, the network configuration information further includes: the information on the configuration of the device is,
the device configuration information includes: configuration parameters of forwarding instances and configuration parameters of interfaces in the plurality of devices;
the network model further comprises: the data structure of the forwarding instance, the data structure of the interface, and the data structure of the link;
the data structure of the forwarding instance is used for describing the relationship between the forwarding instance and other forwarding instances and/or the relationship between interfaces corresponding to the forwarding instance;
the data structure of the interface is used for describing the relationship between the interface and the forwarding instance corresponding to the interface and/or the relationship between the interface and the connected link;
the data structure of the link is used for describing the relationship between the link and the interface connected with the link.
In some embodiments of the present application, as shown in fig. 11, the apparatus 1100 further comprises:
a verification module 1103, configured to perform reachability verification on the network to be verified according to the network model.
In some embodiments of the present application, the verification module is configured to perform reachability verification on the network to be verified based on a source address set and a destination address set according to the network model, where the source address set includes at least one source address, and the destination address set includes at least one destination address.
In some embodiments of the present application, the verification module is configured to perform reachability verification on a path from a source address in the source address set to a destination address in the destination address set according to the network model.
In some embodiments of the present application, the verification module is configured to perform reachability verification on a path between a source address in the source address set and a device corresponding to a destination address in the destination address set according to the network model, where the device corresponding to the destination address includes: the device to which the destination address belongs, and/or the device associated with the destination address.
In some embodiments of the present application, as shown in fig. 11, the apparatus 1100 further comprises: an output module 1104 that, among other things,
the verification module 1103 is configured to obtain a reachability verification result;
the output module 1104 is configured to output the reachability verification result.
In some embodiments of the present application, the plurality of devices comprises a plurality of stateful devices, and the forwarding information of a second stateful device of the plurality of stateful devices comprises a translated source address set, which comprises the plurality of translated source addresses available to the second stateful device when it translates the source address of a packet to be forwarded; the forwarding table of the second stateful device includes forwarding table entries corresponding to the plurality of translated source addresses.
In some embodiments of the present application, the foregoing apparatus 1100 for implementing reachability verification may specifically be a first apparatus for implementing reachability verification; as shown in fig. 11, the apparatus 1100 further includes a sending module 1105, configured to send the network model to a second apparatus for implementing reachability verification.
As shown in fig. 12, an embodiment of the present application provides an apparatus 1200 for implementing reachability verification, including:
an obtaining module 1201, configured to obtain a network model of a network to be verified, where the network model includes: information for describing a connection relationship between a plurality of devices in the network to be verified and forwarding tables of the plurality of devices, where the plurality of devices include at least one stateful device, and a forwarding table of a first stateful device in the at least one stateful device includes forwarding table entries corresponding to a plurality of forwarding destination addresses available for the first stateful device when forwarding a packet;
and the verification module 1202 is configured to perform reachability verification on the network to be verified according to the network model.
In some embodiments of the present application, the network model further comprises: a data structure of a forwarding instance of the device in the network to be verified, a data structure of an interface of the forwarding instance, and a data structure of a link;
the data structure of the forwarding instance is used for describing the relationship between the forwarding instance and other forwarding instances and/or the relationship between interfaces corresponding to the forwarding instance;
the data structure of the interface is used for describing the relationship between the interface and the forwarding instance corresponding to the interface and/or the relationship between the interface and the connected link;
the data structure of the link is used for describing the relationship between the link and the interface connected with the link.
In some embodiments of the present application, the verification module is configured to perform reachability verification on the network to be verified based on a source address set and a destination address set according to the network model, where the source address set includes at least one source address, and the destination address set includes at least one destination address.
In some embodiments of the present application, the verification module is configured to perform reachability verification on a path from a source address in the source address set to a destination address in the destination address set according to the network model.
In some embodiments of the present application, the verification module is configured to perform reachability verification on a path between a source address in the source address set and a device corresponding to a destination address in the destination address set according to the network model, where the device corresponding to the destination address includes: the device to which the destination address belongs, and/or the device associated with the destination address.
In some embodiments of the present application, as shown in fig. 12, the apparatus 1200 further comprises: an output module 1203, where,
the verification module 1202 is configured to obtain a reachability verification result;
the output module 1203 is configured to output the reachability verification result.
In some embodiments of the present application, the plurality of devices includes a plurality of stateful devices, and the forwarding table of a second stateful device in the plurality of stateful devices includes forwarding table entries corresponding to a plurality of converted source addresses that are available to the second stateful device when converting a source address of a packet to be forwarded.
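The apparatus described above works on a model in which the forwarding table of a stateful device lists one entry per candidate forwarding destination address (a load balancer's real servers behind a VIP) and, for a source-translating device, one entry per translated source address (a firewall's SNAT pool), so that a verifier can explore every branch instead of the single one a live device would pick. The following toy model and verifier is an added example, not code from the patent or from its assignee: the topology (host, router, SNAT firewall, load balancer with a VIP, second router, two real servers), all device names, interface names, addresses and table contents are constructed for illustration. It also shows the "device associated with the destination address" check: verification of a VIP passes only when every real server behind it is reached.

```python
"""Added example, not code from the patent: a toy network model in which each
stateful device carries one forwarding table entry per candidate forwarding
address, and a verifier that explores every such entry. All names, addresses
and tables below are constructed for illustration."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Entry(NamedTuple):
    prefix: str                    # destination prefix the entry matches
    out_iface: str                 # egress interface on this device
    new_dst: Optional[str] = None  # forwarding destination address (LB / DNAT), or None
    new_src: Optional[str] = None  # translated source address (SNAT), or None


class Device(NamedTuple):
    name: str
    stateful: bool
    addresses: Set[str]            # addresses the device owns (host IPs, VIPs)
    fib: List[Entry]


class Model:
    """Connection relationship (links between interfaces) plus per-device FIBs."""

    def __init__(self, devices: List[Device], links: List[Tuple[str, str]]):
        self.devices = {d.name: d for d in devices}
        self.peer: Dict[str, str] = {}    # "dev/iface" -> "dev/iface" at the far end of the link
        for a, b in links:
            self.peer[a], self.peer[b] = b, a

    def lookup(self, dev: Device, dst: str) -> List[Entry]:
        """Longest-prefix match; every entry at the best length is returned, so the
        N candidate addresses of a stateful device yield N branches."""
        addr, best, best_len = ip_address(dst), [], -1
        for e in dev.fib:
            net = ip_network(e.prefix)
            if addr in net and net.prefixlen >= best_len:
                best = [e] if net.prefixlen > best_len else best + [e]
                best_len = net.prefixlen
        return best

    def trace(self, start: str, src: str, dst: str, max_hops: int = 16):
        """Follow a packet (src -> dst) injected at `start` through every branch.
        Returns (delivered, dropped): device name -> set of paths ending there."""
        delivered: Dict[str, Set[tuple]] = {}
        dropped: Dict[str, Set[tuple]] = {}
        stack = [(start, src, dst, (start,))]
        while stack:
            name, s, d, path = stack.pop()
            dev = self.devices[name]
            entries = self.lookup(dev, d)
            if not entries or len(path) > max_hops:
                # No entry (or hop budget exhausted): delivered if the device owns d, else dropped.
                ok = not entries and d in dev.addresses
                (delivered if ok else dropped).setdefault(name, set()).add(path)
                continue
            for e in entries:
                peer = self.peer.get(f"{name}/{e.out_iface}")
                if peer is None:                      # egress interface has no link
                    dropped.setdefault(name, set()).add(path)
                    continue
                nxt = peer.split("/")[0]
                stack.append((nxt, e.new_src or s, e.new_dst or d, path + (nxt,)))
        return delivered, dropped


def verify(model: Model, sources: Dict[str, str], dst_set: Set[str],
           associated: Dict[str, Set[str]]) -> Dict[Tuple[str, str], dict]:
    """Reachability from a source address set to a destination address set.
    `sources` maps source address -> device it is injected at; `associated` maps a
    service address (a VIP) -> the devices that must be reachable behind it."""
    report = {}
    for src, start in sources.items():
        for dst in dst_set:
            delivered, dropped = model.trace(start, src, dst)
            report[(src, dst)] = {
                "reached": set(delivered),
                "missing": associated.get(dst, set()) - set(delivered),
                "dropped_at": set(dropped),
            }
    return report


def build_sample(drop_route_to_s2: bool = False) -> Model:
    """Constructed topology: H1 -> R1 -> FW (SNAT pool) -> LB (VIP) -> R2 -> {S1, S2}."""
    r2_fib = [Entry("10.0.2.11/32", "ge1")]
    if not drop_route_to_s2:
        r2_fib.append(Entry("10.0.2.12/32", "ge2"))
    devices = [
        Device("H1", False, {"10.0.1.10"}, [Entry("0.0.0.0/0", "eth0")]),
        Device("R1", False, set(), [Entry("10.0.1.0/24", "ge0"), Entry("0.0.0.0/0", "ge1")]),
        # Stateful firewall: one entry per translated source address in the SNAT pool.
        Device("FW", True, set(), [Entry("198.51.100.0/24", "out", new_src="203.0.113.1"),
                                   Entry("198.51.100.0/24", "out", new_src="203.0.113.2")]),
        # Stateful load balancer: one entry per real server behind the VIP.
        Device("LB", True, {"198.51.100.10"}, [Entry("198.51.100.10/32", "back", new_dst="10.0.2.11"),
                                                Entry("198.51.100.10/32", "back", new_dst="10.0.2.12")]),
        Device("R2", False, set(), r2_fib),
        Device("S1", False, {"10.0.2.11"}, []),
        Device("S2", False, {"10.0.2.12"}, []),
    ]
    links = [("H1/eth0", "R1/ge0"), ("R1/ge1", "FW/in"), ("FW/out", "LB/front"),
             ("LB/back", "R2/ge0"), ("R2/ge1", "S1/eth0"), ("R2/ge2", "S2/eth0")]
    return Model(devices, links)


if __name__ == "__main__":
    for broken in (False, True):
        rep = verify(build_sample(broken), {"10.0.1.10": "H1"}, {"198.51.100.10"},
                     {"198.51.100.10": {"S1", "S2"}})
        print("route to S2 missing:" if broken else "intact:", rep)
```

With the intact topology the VIP is reported reachable and both real servers are reached; with the route to the second server removed from R2, the report names S2 as missing and R2 as the device at which the packet is dropped, which is the failure a single-path probe through the live load balancer would only hit on some of its hashing decisions.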
An apparatus for implementing reachability verification provided by an embodiment of the present application includes a memory and a processor, where
the processor is configured to:
obtain network configuration information of a network to be verified and forwarding information of a plurality of devices in the network to be verified, where the network configuration information includes a network topology, the plurality of devices include at least one stateful device, the forwarding information of a first stateful device in the at least one stateful device includes a forwarding destination address set, and the forwarding destination address set includes a plurality of forwarding destination addresses available to the first stateful device when it forwards a packet;
and generate a network model according to the network configuration information and the forwarding information, where the network model includes forwarding tables of the plurality of devices, the forwarding table of the first stateful device includes forwarding table entries corresponding to the plurality of forwarding destination addresses, and the network model is used for performing reachability verification on the network to be verified.
In some embodiments of the present application, the stateful device is a firewall or a load balancer.
In some embodiments of the present application, the forwarding information of any stateless device of the plurality of devices includes at least one of a routing entry, a forwarding entry, and an Address Resolution Protocol (ARP) entry.
In some embodiments of the present application, the generating a network model according to the network configuration information and the forwarding information includes:
acquiring a target address set, where the target address set is the forwarding destination address set of the first stateful device in the plurality of devices, or a source address set used for matching a packet source address in the forwarding information of any stateless device in the plurality of devices, or a destination address set used for matching a packet destination address in the forwarding information of any stateless device in the plurality of devices;
grouping the addresses in the target address set that share the same next hop into an equivalent address set, to obtain one or more equivalent address sets;
and generating a forwarding table of the device to which the target address set belongs according to the equivalent address sets, where each forwarding table entry of the forwarding table corresponds to one equivalent address set.
In some embodiments of the present application, the network configuration information further includes: a traffic policy of at least one of the plurality of devices, the traffic policy including at least one of a security policy, a filtering policy, and an access control list (ACL) rule used by the device to which the traffic policy belongs to control packet forwarding;
the generating a network model according to the network configuration information and the forwarding information includes:
and generating a forwarding policy expressed on the equivalent address sets of the device to which the traffic policy belongs, according to those equivalent address sets and the traffic policy, where the network model further includes the forwarding policy.
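The equivalent-address-set construction described in the preceding embodiment (group the addresses of a device's forwarding information by next hop, one forwarding table entry per group) and the projection of a traffic policy onto those same sets, as an added example that is not the patent's or the assignee's code. The routing entries, next-hop names and ACL rules are constructed. The example goes one step beyond the text on one point: a more specific route is carved out of every less specific route that covers it, so that the sets reflect longest-prefix matching and are pairwise disjoint, which is what makes "one entry per equivalent address set" a faithful model of the device's forwarding.

```python
"""Added example, not the patent's or the assignee's code: build the equivalent
address sets of one stateless device from its routing entries, emit one forwarding
table entry per set, and project an ordered ACL onto the same sets.
The routing entries, next-hop names and ACL rules are constructed."""
from collections import defaultdict
from ipaddress import IPv4Network, collapse_addresses, ip_address, ip_network
from typing import Dict, List, Tuple

Route = Tuple[str, str]         # (destination prefix, next hop)
AclRule = Tuple[str, str, str]  # (action, source prefix, destination prefix); first match wins


def equivalent_address_sets(routes: List[Route]) -> Dict[str, List[IPv4Network]]:
    """Group destination addresses by the next hop that longest-prefix matching
    selects. A more specific route to any next hop is carved out of every less
    specific route that covers it, so the resulting sets are disjoint."""
    nets = [(ip_network(p), nh) for p, nh in routes]
    pieces_by_nh: Dict[str, List[IPv4Network]] = defaultdict(list)
    for net, nh in nets:
        pieces = [net]
        for other, _ in nets:
            if not (other.subnet_of(net) and other.prefixlen > net.prefixlen):
                continue
            carved = []
            for piece in pieces:
                if piece.subnet_of(other):
                    continue                       # fully covered by the more specific route
                if other.subnet_of(piece):
                    carved.extend(piece.address_exclude(other))
                else:
                    carved.append(piece)           # disjoint, keep as is
            pieces = carved
        pieces_by_nh[nh].extend(pieces)
    return {nh: list(collapse_addresses(ps)) for nh, ps in pieces_by_nh.items()}


def forwarding_table(eq_sets: Dict[str, List[IPv4Network]]) -> List[Tuple[str, List[IPv4Network]]]:
    """One forwarding table entry per equivalent address set: (next hop, addresses)."""
    return [(nh, nets) for nh, nets in eq_sets.items()]


def resolve(eq_sets: Dict[str, List[IPv4Network]], addr: str) -> List[str]:
    """Next hops whose equivalent set contains addr; exactly one when the sets are disjoint."""
    a = ip_address(addr)
    return [nh for nh, nets in eq_sets.items() if any(a in n for n in nets)]


def policy_on_sets(eq_sets: Dict[str, List[IPv4Network]], acl: List[AclRule]):
    """Re-express an ordered ACL per equivalent address set: keep only the rules whose
    destination overlaps the set, restricted to the overlap, in the original order."""
    policy = {}
    for nh, nets in eq_sets.items():
        atoms = []
        for action, src, dst in acl:
            d = ip_network(dst)
            overlap = [d if d.subnet_of(n) else n for n in nets if d.subnet_of(n) or n.subnet_of(d)]
            if overlap:
                atoms.append((action, ip_network(src), overlap))
        policy[nh] = atoms
    return policy


ROUTES: List[Route] = [           # constructed routing entries of one stateless router
    ("0.0.0.0/0", "R-GW"),
    ("10.0.0.0/8", "R-A"),
    ("10.1.0.0/16", "R-B"),
    ("10.1.5.0/24", "R-A"),       # more specific, back to R-A: a hole inside R-B's set
]
ACL: List[AclRule] = [            # constructed traffic policy on the same router
    ("deny", "0.0.0.0/0", "10.1.5.0/24"),
    ("permit", "10.0.1.0/24", "10.0.0.0/8"),
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    sets = equivalent_address_sets(ROUTES)
    for nh, nets in forwarding_table(sets):
        print(nh, [str(n) for n in nets])
    for nh, atoms in policy_on_sets(sets, ACL).items():
        print(nh, [(a, str(s), [str(n) for n in ds]) for a, s, ds in atoms])
```

Four routing entries collapse to three forwarding table entries (one per next hop), and the deny rule for 10.1.5.0/24 lands only on R-A's set, because after the carve-out that prefix no longer belongs to R-B's set even though it lies inside 10.1.0.0/16.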
In some embodiments of the present application, the generating a network model according to the network configuration information and the forwarding information comprises:
and generating a forwarding table of the first stateful device according to the forwarding information of the first stateful device, wherein each forwarding table entry of the forwarding table corresponds to one forwarding destination address in the forwarding destination address set.
In some embodiments of the present application, the network configuration information further includes: the information of the configuration of the device is,
the device configuration information includes: configuration parameters of forwarding instances and configuration parameters of interfaces in the plurality of devices;
the network model further comprises: the data structure of the forwarding instance, the data structure of the interface, and the data structure of the link;
the data structure of the forwarding instance is used for describing the relationship between the forwarding instance and other forwarding instances and/or the relationship between interfaces corresponding to the forwarding instance;
the data structure of the interface is used for describing the relationship between the interface and the forwarding instance corresponding to the interface and/or the relationship between the interface and the connected link;
the data structure of the link is used for describing the relationship between the link and the interface connected with the link.
In some embodiments of the present application, the processor is further configured to: perform reachability verification on the network to be verified according to the network model.
In some embodiments of the present application, the performing reachability verification on the network to be verified according to the network model includes:
and performing reachability verification on the network to be verified based on a source address set and a destination address set according to the network model, wherein the source address set comprises at least one source address, and the destination address set comprises at least one destination address.
In some embodiments of the present application, the performing reachability verification on the network to be verified based on a source address set and a destination address set in the network to be verified according to the network model includes:
and according to the network model, performing reachability verification on paths from source addresses in the source address set to destination addresses in the destination address set.
In some embodiments of the present application, the performing reachability verification on the network to be verified based on a source address set and a destination address set in the network to be verified according to the network model includes:
according to the network model, performing reachability verification on a path between a source address in the source address set and a device corresponding to a destination address in the destination address set, where the device corresponding to the destination address includes: the device to which the destination address belongs, and/or the device associated with the destination address.
In some embodiments of the present application, a destination address in the destination address set is an address corresponding to a target service on a first stateful device in the plurality of devices, and the devices associated with the destination address are a plurality of service servers providing the target service.
In some embodiments of the present application, a processor to: obtaining a reachability verification result; and outputting the reachability verification result.
In some embodiments of the present application, the plurality of devices comprises a plurality of stateful devices, the forwarding information of a second stateful device of the plurality of stateful devices comprises a set of translation source addresses, the set of translation source addresses comprising: the second stateful device converts the source address of the message to be forwarded into a plurality of available converted source address sets; the forwarding table of the second stateful device includes forwarding table entries corresponding to the plurality of translated source addresses.
Another apparatus for implementing reachability verification provided by an embodiment of the present application includes a memory and a processor, where
the processor is configured to:
obtain a network model of a network to be verified, where the network model includes: information describing a connection relationship between a plurality of devices in the network to be verified and forwarding tables of the plurality of devices, the plurality of devices include at least one stateful device, and the forwarding table of a first stateful device in the at least one stateful device includes forwarding table entries corresponding to a plurality of forwarding destination addresses available to the first stateful device when it forwards a packet;
and perform reachability verification on the network to be verified according to the network model.
In some embodiments of the present application, the stateful device is a firewall or a load balancer.
In some embodiments of the present application, the forwarding information of any stateless device of the plurality of devices includes at least one of a routing entry, a forwarding entry, and an ARP entry.
In some embodiments of the present application, the network model further comprises: a data structure of a forwarding instance of the device in the network to be verified, a data structure of an interface of the forwarding instance, and a data structure of a link;
the data structure of the forwarding instance is used for describing the relationship between the forwarding instance and other forwarding instances and/or the relationship between interfaces corresponding to the forwarding instance;
the data structure of the interface is used for describing the relationship between the interface and the forwarding instance corresponding to the interface and/or the relationship between the interface and the connected link;
the data structure of the link is used to describe the relationship between the link and the interface to which the link is connected.
In some embodiments of the present application, the performing reachability verification on the network to be verified according to the network model includes:
and performing reachability verification on the network to be verified based on a source address set and a destination address set according to the network model, wherein the source address set comprises at least one source address, and the destination address set comprises at least one destination address.
In some embodiments of the present application, the performing reachability verification on the network to be verified based on a source address set and a destination address set in the network to be verified according to the network model includes:
and according to the network model, performing reachability verification on paths from source addresses in the source address set to destination addresses in the destination address set.
In some embodiments of the present application, the performing reachability verification on the network to be verified based on a source address set and a destination address set in the network to be verified according to the network model includes:
according to the network model, performing reachability verification on a path between a source address in the source address set and a device corresponding to a destination address in the destination address set, where the device corresponding to the destination address includes: the device to which the destination address belongs, and/or the device associated with the destination address.
In some embodiments of the present application, a destination address in the destination address set is an address corresponding to a target service on a first stateful device in the plurality of devices, and the devices associated with the destination address are a plurality of service servers providing the target service.
In some embodiments of the present application, the processor is further configured to: obtain a reachability verification result; and output the reachability verification result.
In some embodiments of the present application, the plurality of devices includes a plurality of stateful devices, and the forwarding table of a second stateful device in the plurality of stateful devices includes forwarding table entries corresponding to a plurality of converted source addresses that are available to the second stateful device when converting a source address of a packet to be forwarded.
It should be noted that, because the contents of information interaction, execution process, and the like between the modules/units of the apparatus are based on the same concept as the method embodiment of the present application, the technical effect brought by the contents is the same as the method embodiment of the present application, and specific contents may refer to the description in the foregoing method embodiment of the present application, and are not described herein again.
Embodiments of the present application further provide a computer storage medium, where the computer storage medium stores a program, and the program executes some or all of the steps described in the above method embodiments.
Referring next to another apparatus for implementing reachability verification provided in the embodiment of the present application, referring to fig. 13, an apparatus 1300 for implementing reachability verification includes: a receiver 1301, a transmitter 1302, a processor 1303 and a memory 1304 (wherein the number of processors 1303 in the apparatus 1300 for implementing reachability verification may be one or more, one processor is taken as an example in fig. 13). In some embodiments of the present application, the receiver 1301, the transmitter 1302, the processor 1303 and the memory 1304 may be connected by a bus or other means, wherein fig. 13 illustrates the connection by a bus.
The memory 1304 may include a read-only memory and a random access memory, and provides instructions and data to the processor 1303. A portion of Memory 1304 may also include Non-Volatile Random Access Memory (NVRAM). The memory 1304 stores an operating system and operating instructions, executable modules or data structures, or subsets thereof, or expanded sets thereof, wherein the operating instructions may include various operating instructions for performing various operations. The operating system may include various system programs for implementing various basic services and for handling hardware-based tasks.
The processor 1303 controls the operation of the apparatus for implementing reachability verification, and the processor 1303 may also be referred to as a Central Processing Unit (CPU). In a particular application, the various components of the device for implementing reachability verification are coupled together by a bus system that may include a power bus, a control bus, a status signal bus, etc., in addition to a data bus. For clarity of illustration, the various buses are referred to in the figures as a bus system.
The method disclosed in the embodiment of the present application may be applied to the processor 1303, or implemented by the processor 1303. The processor 1303 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the method may be implemented by hardware integrated logic circuits in the processor 1303 or by instructions in the form of software. The processor 1303 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM or EPROM, or registers. The storage medium is located in the memory 1304, and the processor 1303 reads the information in the memory 1304 and completes the steps of the method in combination with its hardware.
The receiver 1301 may be used to receive input numeric or character information and generate signal input related to relevant settings and function control of the apparatus for implementing reachability verification, the transmitter 1302 may include a display device such as a display screen, and the transmitter 1302 may be used to output numeric or character information through an external interface.
In this embodiment, the processor 1303 is configured to execute the instructions in the memory, and execute the method for implementing reachability verification described in the foregoing embodiment.
Referring next to another apparatus for implementing reachability verification provided in the embodiment of the present application, referring to fig. 14, an apparatus 1400 for implementing reachability verification includes: a receiver 1401, a transmitter 1402, a processor 1403, and a memory 1404 (wherein the number of processors 1403 in the apparatus 1400 for implementing reachability verification may be one or more, one processor being exemplified in fig. 14). In some embodiments of the present application, the receiver 1401, the transmitter 1402, the processor 1403, and the memory 1404 may be connected by a bus or other means, wherein the connection by the bus is exemplified in fig. 14.
The memory 1404 may include a read-only memory and a random access memory, and provides instructions and data to the processor 1403. A portion of Memory 1404 may also include Non-Volatile Random Access Memory (NVRAM). The memory 1404 stores an operating system and operating instructions, executable modules or data structures, or a subset thereof, or an expanded set thereof, wherein the operating instructions may include various operating instructions for performing various operations. The operating system may include various system programs for implementing various basic services and for handling hardware-based tasks.
Processor 1403 controls the operation of the apparatus for implementing reachability verification, and processor 1403 may also be referred to as a Central Processing Unit (CPU). In a particular application, the various components of the device for implementing reachability verification are coupled together by a bus system that may include a power bus, a control bus, a status signal bus, etc., in addition to a data bus. For clarity of illustration, the various buses are referred to in the figures as a bus system.
The method disclosed in the embodiments of the present application may be applied to the processor 1403, or implemented by the processor 1403. The processor 1403 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by hardware integrated logic circuits in the processor 1403 or by instructions in the form of software. The processor 1403 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM or EPROM, or registers. The storage medium is located in the memory 1404, and the processor 1403 reads the information in the memory 1404 and completes the steps of the above method in combination with its hardware.
The receiver 1401 may be used to receive inputted numerical or character information and generate signal inputs related to relevant settings and function control of the apparatus for realizing reachability verification, the transmitter 1402 may include a display device such as a display screen, and the transmitter 1402 may be used to output numerical or character information through an external interface.
In this embodiment, the processor 1403 is configured to execute the instructions in the memory and execute the method for implementing reachability verification described in the foregoing embodiment.
It should be noted that the above-described embodiments of the apparatus are merely schematic, where the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. In addition, in the drawings of the embodiments of the apparatus provided in the present application, the connection relationship between the modules indicates that there is a communication connection therebetween, and may be implemented as one or more communication buses or signal lines.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus the necessary general-purpose hardware, and can also be implemented by special-purpose hardware including application-specific integrated circuits, special-purpose CPUs, special-purpose memories, special-purpose components and the like. Generally, any function performed by a computer program can also be implemented by corresponding hardware, and the specific hardware structure implementing the same function may take various forms, such as analog circuits, digital circuits, or dedicated circuits. For the present application, however, implementation as a software program is preferable. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a readable storage medium such as a floppy disk, a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and includes instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods described in the embodiments of the present application.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center over a wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) connection. The computer-readable storage medium may be any available medium that a computer can store, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid-state disk (SSD)), among others.

Claims (39)

1. A method for implementing reachability verification, comprising:
obtaining network configuration information of a network to be verified and forwarding information of a plurality of devices in the network to be verified, where the network configuration information includes a network topology, the plurality of devices include at least one stateful device, the forwarding information of a first stateful device in the at least one stateful device includes a forwarding destination address set, and the forwarding destination address set includes a plurality of forwarding destination addresses available to the first stateful device when it forwards a packet;
and generating a network model according to the network configuration information and the forwarding information, where the network model includes forwarding tables of the plurality of devices, the forwarding table of the first stateful device includes forwarding table entries corresponding to the plurality of forwarding destination addresses, and the network model is used for performing reachability verification on the network to be verified.
2. The method of claim 1, wherein the first stateful device is a firewall or a load balancer.
3. The method of claim 1 or 2, wherein the forwarding information of any stateless device of the plurality of devices comprises at least one of a routing entry, a forwarding entry, and an Address Resolution Protocol (ARP) entry.
4. The method according to any of claims 1-3, wherein the generating a network model from the network configuration information and the forwarding information comprises:
acquiring a target address set, where the target address set is the forwarding destination address set of the first stateful device in the plurality of devices, or a source address set used for matching a packet source address in the forwarding information of any stateless device in the plurality of devices, or a destination address set used for matching a packet destination address in the forwarding information of any stateless device in the plurality of devices;
grouping the addresses in the target address set that share the same next hop into an equivalent address set, to obtain one or more equivalent address sets;
and generating a forwarding table of the device to which the target address set belongs according to the equivalent address sets, where each forwarding table entry of the forwarding table corresponds to one equivalent address set.
5. The method of claim 4, wherein the network configuration information further comprises: a traffic policy of at least one of the plurality of devices, the traffic policy comprising at least one of a security policy, a filtering policy, and an access control list (ACL) rule used by the device to which the traffic policy belongs to control packet forwarding;
and the generating a network model according to the network configuration information and the forwarding information comprises:
generating a forwarding policy expressed on the equivalent address sets of the device to which the traffic policy belongs, according to those equivalent address sets and the traffic policy, wherein the network model further comprises the forwarding policy.
6. The method according to any of claims 1-3, wherein the generating a network model from the network configuration information and the forwarding information comprises:
and generating a forwarding table of the first stateful device according to the forwarding information of the first stateful device, wherein each forwarding table entry of the forwarding table corresponds to one forwarding destination address in the forwarding destination address set.
7. The method according to any of claims 1-6, wherein the network configuration information further comprises: the information on the configuration of the device is,
the device configuration information includes: configuration parameters of forwarding instances and configuration parameters of interfaces in the plurality of devices;
the network model further comprises: the data structure of the forwarding instance, the data structure of the interface, and the data structure of the link;
the data structure of the forwarding instance is used for describing the relationship between the forwarding instance and other forwarding instances and/or the relationship between interfaces corresponding to the forwarding instance;
the data structure of the interface is used for describing the relationship between the interface and the forwarding instance corresponding to the interface and/or the relationship between the interface and the connected link;
the data structure of the link is used for describing the relationship between the link and the interface connected with the link.
8. The method of any one of claims 1 to 7, further comprising:
and performing reachability verification on the network to be verified according to the network model.
9. The method according to claim 8, wherein the performing reachability verification on the network to be verified according to the network model comprises:
and performing reachability verification on the network to be verified based on a source address set and a destination address set according to the network model, wherein the source address set comprises at least one source address, and the destination address set comprises at least one destination address.
10. The method of claim 9, wherein performing reachability verification on the network to be verified based on a source address set and a destination address set in the network to be verified according to the network model comprises:
and according to the network model, performing reachability verification on paths from source addresses in the source address set to destination addresses in the destination address set.
11. The method of claim 9, wherein performing reachability verification on the network to be verified based on a source address set and a destination address set in the network to be verified according to the network model comprises:
according to the network model, performing reachability verification on a path between a source address in the source address set and a device corresponding to a destination address in the destination address set, wherein the device corresponding to the destination address comprises: the device to which the destination address belongs, and/or the device associated with the destination address.
12. The method of claim 11, wherein the destination address in the destination address set is an address corresponding to a target service on the stateful device to which the destination address belongs, and the devices associated with the destination address are a plurality of service servers providing the target service.
13. The method according to any one of claims 8 to 12, further comprising:
obtaining a reachability verification result;
and outputting the reachability verification result.
14. The method of any of claims 1 to 13, wherein the plurality of devices comprises a plurality of stateful devices, wherein the forwarding information of a second stateful device in the plurality of stateful devices comprises a translated source address set, and the translated source address set comprises a plurality of translated source addresses available to the second stateful device when translating the source address of the packet to be forwarded; and the forwarding table of the second stateful device comprises forwarding table entries corresponding to the plurality of translated source addresses.
15. A method for implementing reachability verification, comprising:
obtaining a network model of a network to be verified, wherein the network model comprises: information for describing a connection relationship between a plurality of devices in the network to be verified and forwarding tables of the plurality of devices, where the plurality of devices include at least one stateful device, and a forwarding table of a first stateful device in the at least one stateful device includes forwarding table entries corresponding to a plurality of forwarding destination addresses available for the first stateful device when forwarding a packet;
and performing reachability verification on the network to be verified according to the network model.
16. The method of claim 15, wherein the first stateful device is a firewall or a load balancer.
17. The method of claim 15 or 16, wherein the network model further comprises: a data structure of a forwarding instance of the device in the network to be verified, a data structure of an interface of the forwarding instance, and a data structure of a link;
the data structure of the forwarding instance is used for describing the relationship between the forwarding instance and other forwarding instances and/or the relationship between interfaces corresponding to the forwarding instance;
the data structure of the interface is used for describing the relationship between the interface and the forwarding instance corresponding to the interface and/or the relationship between the interface and the connected link;
the data structure of the link is used for describing the relationship between the link and the interface connected with the link.
18. The method according to any one of claims 15 to 17, wherein the performing reachability verification on the network to be verified according to the network model comprises:
and performing reachability verification on the network to be verified based on a source address set and a destination address set according to the network model, wherein the source address set comprises at least one source address, and the destination address set comprises at least one destination address.
19. The method of claim 18, wherein performing reachability verification on the network to be verified based on a set of source addresses and a set of destination addresses in the network to be verified according to the network model comprises:
and according to the network model, performing reachability verification on paths from source addresses in the source address set to destination addresses in the destination address set.
20. The method of claim 18, wherein performing reachability verification on the network to be verified based on a set of source addresses and a set of destination addresses in the network to be verified according to the network model comprises:
according to the network model, performing reachability verification on a path between a source address in the source address set and a device corresponding to a destination address in the destination address set, wherein the device corresponding to the destination address comprises: the device to which the destination address belongs, and/or a device associated with the destination address.
21. The method of claim 20, wherein a destination address in the destination address set is an address on the first stateful device corresponding to a target service, and wherein the device associated with the destination address is a plurality of service servers providing the target service.
22. The method according to any one of claims 15 to 21, further comprising:
obtaining a reachability verification result;
and outputting the reachability verification result.
23. The method of any of claims 15 to 22, wherein the plurality of devices comprises a plurality of stateful devices, and wherein the forwarding table of a second stateful device in the plurality of stateful devices comprises forwarding table entries corresponding to a plurality of translated source addresses available to the second stateful device when translating the source address of the packet to be forwarded.
24. An apparatus for implementing reachability verification, comprising:
an obtaining module, configured to obtain network configuration information of a network to be verified and forwarding information of a plurality of devices in the network to be verified, where the network configuration information includes a network topology, the plurality of devices include at least one stateful device, the forwarding information of a first stateful device in the at least one stateful device includes a forwarding destination address set, and the forwarding destination address set includes a plurality of forwarding destination addresses available to the first stateful device when forwarding a packet;
a generating module, configured to generate a network model according to the network configuration information and the forwarding information, where the network model includes: information describing the connection relationship among the plurality of devices, determined according to the network configuration information, and forwarding tables of the plurality of devices, determined according to the forwarding information, where the forwarding table of the first stateful device comprises forwarding table entries corresponding to the plurality of forwarding destination addresses, and the network model is used for performing reachability verification on the network to be verified.
25. The apparatus of claim 24, wherein the generating module is configured to: obtain a target address set, where the target address set is the forwarding destination address set of the first stateful device in the plurality of devices, a source address set used for matching a packet source address in the forwarding information of any stateless device in the plurality of devices, or a destination address set used for matching a packet destination address in the forwarding information of any stateless device in the plurality of devices; determine addresses in the target address set that correspond to the same next hop as one equivalent address set, to obtain one or more equivalent address sets; and generate a forwarding table of the device to which the target address set belongs according to the equivalent address sets, where each forwarding table entry of the forwarding table corresponds to one equivalent address set.
26. The apparatus of claim 25, wherein the network configuration information further comprises: a flow policy of at least one of the plurality of devices, the flow policy comprising at least one of a security policy, a filtering policy, and an access control list (ACL) rule used by the device to which the flow policy belongs to control packet forwarding;
the generating module is configured to generate an equivalent address set-based forwarding policy of the device to which the flow policy belongs according to the equivalent address set of the device to which the flow policy belongs and the flow policy, where the network model further includes the forwarding policy.
27. The apparatus of claim 24, wherein the generating module is configured to generate a forwarding table of the first stateful device according to the forwarding information of the first stateful device, and each forwarding table entry of the forwarding table corresponds to one forwarding destination address in the set of forwarding destination addresses.
28. The apparatus according to any of claims 24 to 27, wherein the network configuration information further comprises device configuration information,
the device configuration information includes: configuration parameters of forwarding instances and configuration parameters of interfaces in the plurality of devices;
the network model further comprises: the data structure of the forwarding instance, the data structure of the interface, and the data structure of the link;
the data structure of the forwarding instance is used for describing the relationship between the forwarding instance and other forwarding instances and/or the relationship between interfaces corresponding to the forwarding instances;
the data structure of the interface is used for describing the relationship between the interface and the forwarding instance corresponding to the interface and/or the relationship between the interface and the connected link;
the data structure of the link is used for describing the relationship between the link and the interface connected with the link.
29. The apparatus of any one of claims 24 to 28, further comprising:
and the verification module is used for performing reachability verification on the network to be verified according to the network model.
30. The apparatus of claim 29, wherein the verification module is configured to perform reachability verification on the network to be verified based on a source address set and a destination address set according to the network model, wherein the source address set comprises at least one source address and the destination address set comprises at least one destination address.
31. The apparatus of claim 30, wherein the verification module is configured to perform reachability verification on a path from a source address in the source address set to a destination address in the destination address set according to the network model.
32. The apparatus of claim 30, wherein the verification module is configured to perform reachability verification on a path between a source address in the source address set and a device corresponding to a destination address in the destination address set according to the network model, and wherein the device corresponding to the destination address comprises: the device to which the destination address belongs, and/or a device associated with the destination address.
33. The apparatus of any one of claims 29 to 32, further comprising an output module, wherein
the verification module is used for acquiring a reachability verification result;
and the output module is used for outputting the reachability verification result.
34. The apparatus of any of claims 24 to 33, wherein the plurality of devices comprises a plurality of stateful devices, wherein the forwarding information of a second stateful device in the plurality of stateful devices comprises a translated source address set, and the translated source address set comprises a plurality of translated source addresses available to the second stateful device when translating the source address of the packet to be forwarded; and the forwarding table of the second stateful device comprises forwarding table entries corresponding to the plurality of translated source addresses.
35. An apparatus for implementing reachability verification, comprising:
an obtaining module, configured to obtain a network model of a network to be verified, where the network model includes: information for describing a connection relationship between a plurality of devices in the network to be verified and forwarding tables of the plurality of devices, where the plurality of devices include at least one stateful device, and a forwarding table of a first stateful device in the at least one stateful device includes forwarding table entries corresponding to a plurality of forwarding destination addresses available for the first stateful device when forwarding a packet;
and the verification module is used for performing reachability verification on the network to be verified according to the network model.
36. The apparatus of claim 35, further comprising an output module, wherein
the verification module is used for acquiring a reachability verification result;
and the output module is used for outputting the reachability verification result.
37. An apparatus for implementing reachability verification, comprising: at least one processor, coupled to the memory, that reads and executes instructions from the memory to perform any of the methods recited in claims 1-14 or any of the methods recited in claims 15-23.
38. A reachability verification system, comprising: a first apparatus for implementing reachability verification and a second apparatus for implementing reachability verification; wherein
the first apparatus for implementing reachability verification is configured to acquire network configuration information of a network to be verified and forwarding information of multiple devices in the network to be verified, where the network configuration information includes a network topology, the multiple devices include at least one stateful device, forwarding information of a first stateful device in the at least one stateful device includes a set of forwarding destination addresses, and the set of forwarding destination addresses includes multiple forwarding destination addresses available for the stateful device when forwarding a packet;
the first apparatus for implementing reachability verification is configured to generate a network model according to the network configuration information and the forwarding information, where the network model includes: information describing the connection relationship among the plurality of devices, determined according to the network configuration information, and forwarding tables of the plurality of devices, determined according to the forwarding information, wherein the forwarding table of the first stateful device comprises forwarding table entries corresponding to the plurality of forwarding destination addresses;
the first apparatus for implementing reachability verification is configured to send the network model to the second apparatus for implementing reachability verification;
the second apparatus for implementing reachability verification is configured to obtain the network model of the network to be verified, where the network model includes: information describing the connection relationship among the plurality of devices in the network to be verified and the forwarding tables of the plurality of devices, the plurality of devices including at least one stateful device;
and the second apparatus for implementing reachability verification is configured to perform reachability verification on the network to be verified according to the network model.
39. A computer-readable storage medium comprising instructions that, when executed on a computer, cause the computer to perform the method of any of claims 1-14, or 15-23.
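As an added illustration of claims 25 and 30 to 32 (example code written for this page, not code from the patent or from Huawei): a constructed model in which a stateless router R1 forwards to a stateful load balancer LB1, whose forwarding destination address set for the service address 10.0.0.10 is three backend servers. The forwarding tables are built by grouping prefixes with the same next hop into equivalent address sets, and reachability verification expands the service address into one path check per backend, so a backend with no route on LB1 (a constructed fault) and a routing loop toward R2 both surface as unreachable rather than being hidden behind a single "LB1 reached" result. Device names, addresses and the "deliver" pseudo next hop are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not from the patent). Forwarding information per device:
# (destination prefix, next hop device); the pseudo hop "deliver" marks an
# address that belongs to the device itself.
FORWARDING_INFO = {
    "R1":  [("10.0.0.10/32", "LB1"), ("10.1.0.0/24", "LB1"), ("0.0.0.0/0", "R2")],
    "R2":  [("0.0.0.0/0", "R1")],                             # constructed routing loop
    "LB1": [("10.1.0.11/32", "S1"), ("10.1.0.12/32", "S2")],  # S3 route missing (constructed fault)
    "S1":  [("10.1.0.11/32", "deliver")],
    "S2":  [("10.1.0.12/32", "deliver")],
    "S3":  [("10.1.0.13/32", "deliver")],
}
# Stateful device: service address -> forwarding destination address set, i.e.
# every backend the load balancer may rewrite the destination to.
STATEFUL = {"LB1": {"10.0.0.10": ["10.1.0.11", "10.1.0.12", "10.1.0.13"]}}

def build_forwarding_table(entries):
    """Group prefixes sharing a next hop into one equivalent address set;
    each (equivalent address set, next hop) pair is one table entry."""
    groups = defaultdict(list)
    for prefix, next_hop in entries:
        groups[next_hop].append(ipaddress.ip_network(prefix))
    return [(nets, hop) for hop, nets in groups.items()]

def lookup(table, addr):
    """Longest-prefix match over the table; None when no entry matches."""
    best, best_len = None, -1
    for nets, hop in table:
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = hop, net.prefixlen
    return best

def verify_reachability(model, stateful, src_dev, dst_addr):
    """Trace dst_addr from src_dev. At a stateful device the destination expands
    to every address in its forwarding destination address set, so the result
    holds one path (or None) per candidate destination address."""
    results = {}
    def walk(dev, addr, path):
        if dev in stateful and str(addr) in stateful[dev]:
            for cand in stateful[dev][str(addr)]:     # one branch per backend
                walk(dev, ipaddress.ip_address(cand), path)
            return
        hop = lookup(model[dev], addr)
        if hop is None or hop in path:                # no route, or forwarding loop
            results[str(addr)] = None
        elif hop == "deliver":
            results[str(addr)] = path + [dev]
        else:
            walk(hop, addr, path + [dev])
    walk(src_dev, ipaddress.ip_address(dst_addr), [])
    return results

MODEL = {dev: build_forwarding_table(e) for dev, e in FORWARDING_INFO.items()}

if __name__ == "__main__":
    print(verify_reachability(MODEL, STATEFUL, "R1", "10.0.0.10"))
```

Running it reports a path through S1 and S2 but None for 10.1.0.13, which is the kind of per-backend result the stateful forwarding table entries make possible.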
CN202011353562.6A 2020-11-25 2020-11-25 Method, device and system for realizing reachability verification Pending CN114553664A (en)
Publications (1)

Publication Number Publication Date
CN114553664A true CN114553664A (en) 2022-05-27

Family

ID=81668273
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination