CN114978995A - Message forwarding path selection method and device - Google Patents

Publication number: CN114978995A
Authority: CN (China)
Prior art keywords: address, trust, level, address range, forwarding path
Legal status: Granted, Active
Application number: CN202210581358.2A
Other languages: Chinese (zh)
Other versions: CN114978995B (en)
Inventors: 马申骁, 陈梦骁
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: New H3C Technologies Co Ltd
Application filed by: New H3C Technologies Co Ltd
Priority to: CN202210581358.2A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/02 Topology update or discovery
    • H04L45/26 Route discovery packet
    • H04L45/54 Organization of routing tables
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a method and a device for selecting a message forwarding path, relating to the technical field of network communication. The method comprises: receiving a message to be forwarded; calculating, according to the source IP address of the message and the mask contained in a locally stored trust table entry, a first address identifier corresponding to the source IP address under that trust table entry; determining, among the trust table entries, a target table entry matching the source IP address according to the first address identifier corresponding to the source IP address and the second address identifier contained in the trust table entry; and selecting a forwarding path for the message from the available message forwarding paths according to the security level of the forwarding path contained in the target table entry. By applying the scheme provided by the embodiment of the invention, a forwarding path can be selected for the message.

Description

Message forwarding path selection method and device
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a method and an apparatus for selecting a packet forwarding path.
Background
In an IPV6 (Internet Protocol Version 6) backbone network, intra-domain routing devices are assigned trust levels, and routing devices of different trust levels form forwarding paths of different security levels. In addition, messages also have security levels, and a message with a given security level can only be forwarded over forwarding paths whose security level is not lower than that level. Therefore, when a routing device forwards a packet, it needs to select a forwarding path based on the security level of the packet and the security level of the forwarding path.
In view of the above, it is desirable to provide a packet forwarding path selection scheme to ensure that a packet is forwarded safely and quickly.
Disclosure of Invention
The embodiment of the invention aims to provide a method and a device for selecting a message forwarding path, so as to realize the selection of the message forwarding path and further ensure that the message is safely and quickly forwarded. The specific technical scheme is as follows:
in a first aspect, an embodiment of the present invention provides a method for selecting a packet forwarding path, where the method includes:
receiving a message to be forwarded;
calculating a first address identifier corresponding to the source IP address in a trust table item according to the source IP address of the message and a mask contained in the trust table item stored locally, wherein the value of each bit in the mask represents whether the same bit in the IP address is effective or not;
determining a target table item matched with the source IP address in each trust table item according to a first address identifier corresponding to the source IP address and a second address identifier contained in the trust table item;
and selecting a forwarding path for the message from available message forwarding paths according to the security level of the forwarding path contained in the target table entry.
In a second aspect, an embodiment of the present invention provides a packet forwarding path selecting device, where the device includes:
the message receiving module is used for receiving a message to be forwarded;
a first address identifier calculation module, configured to calculate, according to a source IP address of the packet and a mask included in a locally stored trust table entry, a first address identifier corresponding to the source IP address in the trust table entry, where a value of each bit in the mask indicates whether a same bit in the IP address is valid;
a target table item determining module, configured to determine a target table item matching the source IP address in each trust table item according to a first address identifier corresponding to the source IP address and a second address identifier included in the trust table item;
and the forwarding path selection module is used for selecting a forwarding path for the message from available message forwarding paths according to the security level of the forwarding path contained in the target table entry.
In a third aspect, an electronic device includes a processor, a communication interface, a memory, and a communication bus, where the processor and the communication interface communicate with each other via the communication bus;
a memory for storing a computer program;
a processor for implementing any of the method steps of the first aspect described above when executing a program stored in the memory.
In a fourth aspect, a computer-readable storage medium has stored therein a computer program which, when executed by a processor, performs any of the method steps of the first aspect.
The embodiment of the invention has the following beneficial effects:
when the scheme provided by the embodiment of the invention is applied to selecting the message forwarding path, because the routing equipment locally stores the trust table entry and because the value of each bit of the mask in the trust table entry represents whether the same bit in the IP address is valid or not, according to the mask in each trust table entry, which bits in the source IP address of the message to be forwarded are valid can be determined, so that the first address identifier corresponding to the source IP address is obtained. Because the trust table entry also contains the address identifier, the table entry matching can be carried out according to the first address identifier and the address identifier contained in each trust table entry, and the target table entry matched with the message to be forwarded is obtained. And because the trust item comprises the security level of the forwarding path, the security level of the forwarding path contained in the target table entry can be used as the security level of the forwarding path corresponding to the message to be forwarded, so that the forwarding path for forwarding the message is selected according to the security level of the forwarding path. Therefore, the scheme provided by the embodiment of the invention can realize the selection of the forwarding path. After the forwarding path corresponding to the message is determined, the forwarding path can be determined according to the level of the forwarding path, so that the message is guaranteed to be safely forwarded.
In addition, in the scheme provided by the embodiment of the invention, the forwarding path is selected for the message by means of table entry matching, and the chip in the routing device performs table entry matching efficiently. The scheme can therefore complete table entry matching quickly and efficiently and select the forwarding path quickly, which improves the speed of message forwarding and realizes fast forwarding of the message.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art according to the drawings.
Fig. 1A is a schematic topology diagram of a first routing device according to an embodiment of the present invention;
Fig. 1B is a schematic topology diagram of a second routing device according to an embodiment of the present invention;
Fig. 1C is a schematic topology diagram of a third routing device according to an embodiment of the present invention;
Fig. 2 is a diagram illustrating a binary tree according to the prior art;
Fig. 3 is a flowchart illustrating a first method for obtaining a trust table entry according to an embodiment of the present invention;
Fig. 4 is a flowchart illustrating a second method for obtaining a trust table entry according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of a first method for selecting a packet forwarding path according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a packet forwarding path selection apparatus according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a first trust expression obtaining apparatus according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a second trust expression obtaining apparatus according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a third trust expression obtaining apparatus according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a fourth trust expression obtaining apparatus according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived from the embodiments given herein by one of ordinary skill in the art, are within the scope of the invention.
In order to safely and quickly forward a message, embodiments of the present invention provide a method and an apparatus for selecting a message forwarding path.
In an embodiment of the present invention, a method for selecting a packet forwarding path is provided, where the method includes:
receiving a message to be forwarded;
calculating a first address identifier corresponding to the source IP address in a trust table item according to the source IP address of the message and a mask contained in the trust table item stored locally, wherein the value of each bit in the mask represents whether the same bit in the IP address is valid or not;
determining a target table item matched with the source IP address in each trust table item according to a first address identifier corresponding to the source IP address and a second address identifier contained in the trust table item;
and selecting a forwarding path for the message from available message forwarding paths according to the security level of the forwarding path contained in the target table entry.
When the scheme provided by the embodiment of the invention is applied to selecting the message forwarding path, because the routing equipment locally stores the trust table entry and because the value of each bit of the mask in the trust table entry represents whether the same bit in the IP address is valid or not, according to the mask in each trust table entry, which bits in the source IP address of the message to be forwarded are valid can be determined, so that the first address identifier corresponding to the source IP address is obtained. Because the trust table entry also contains the address identifier, the table entry matching can be carried out according to the first address identifier and the address identifier contained in each trust table entry, and the target table entry matched with the message to be forwarded is obtained. And because the trust item comprises the security level of the forwarding path, the security level of the forwarding path contained in the target table entry can be used as the security level of the forwarding path corresponding to the message to be forwarded, so that the forwarding path for forwarding the message is selected according to the security level of the forwarding path. Therefore, the scheme provided by the embodiment of the invention can realize the selection of the forwarding path. After the forwarding path corresponding to the message is determined, the forwarding path can be determined according to the level of the forwarding path, so that the message is guaranteed to be safely forwarded.
In addition, in the scheme provided by the embodiment of the invention, the forwarding path is selected for the message by means of table entry matching, and the chip in the routing device performs table entry matching efficiently. The scheme can therefore complete table entry matching quickly and efficiently and select the forwarding path quickly, which improves the speed of message forwarding and realizes fast forwarding of the message.
It should be noted that an IP (Internet Protocol) address related in the embodiment of the present invention is an IPV6 address, and certainly, the IP address is also applicable to an IPV4 address in some scenarios, which is not limited in the embodiment of the present invention.
In order to facilitate understanding of the solution provided by the embodiment of the present invention, the solution provided by the embodiment of the present invention is described based on a scenario of the IPV6 backbone network, and a description is first given below to relevant concepts involved in the embodiment of the present invention in conjunction with the IPV6 backbone network.
In the IPV6 backbone network, the routing devices in the domain are assigned trust levels, the routing devices with different trust levels form forwarding paths with different security levels, and the message has a security level. The number of trust levels, the number of security levels of forwarding paths and the number of security levels of messages are the same. For example, the above numbers are all 8, the trust levels include trust level 0 to trust level 7, the security levels of the forwarding path include security level 0 to security level 7, and the security level of the packet also includes security level 0 to security level 7.
For a routing device, the higher its trust level, the higher its trustworthiness. For a forwarding path, the higher its security level, the more secure the path. For a message, the higher its security level, the higher its requirement on security.
In the IPV6 backbone network, the security level of the forwarding path may correspond to the service level of the SRV6 Policy (Segment Routing V6 Policy, 6th-generation Segment Routing Policy) used for CBTS (Class-of-service Based Tunnel Selection) forwarding.
In order to ensure that a message can be forwarded safely, a message of a given security level is forwarded by routing devices whose trust level is not lower than that security level. If the trust level of a routing device forwarding the message is lower than the security level of the message, there may be a security risk when the message is forwarded.
The above is explained below by way of example, assuming that the trust levels of routing devices A-D are as shown in Table 1 below.
TABLE 1
Routing device | Routing device A | Routing device B | Routing device C | Routing device D
Trust level    | Trust level 3    | Trust level 3    | Trust level 2    | Trust level 1
In case one, a packet of security level 3 is forwarded. Only routing devices A and B, of trust level 3, can forward the packet; as shown in Fig. 1A, a forwarding path capable of forwarding the packet exists only between routing device A and routing device B.
In case two, a packet of security level 2 is forwarded. The packet may be forwarded by routing device C of trust level 2 and by routing devices A and B of trust level 3; as shown in Fig. 1B, a forwarding path capable of forwarding the packet exists between routing devices A, B and C.
In case three, a packet of security level 1 is forwarded. The packet may be forwarded by routing device D of trust level 1, routing device C of trust level 2, and routing devices A and B of trust level 3; as shown in Fig. 1C, a forwarding path capable of forwarding the packet exists between routing devices A, B, C and D.
As can be seen from the above, for a message, the trust level of the routing device that forwards the message is not lower than the security level of the message, and since the forwarding path that forwards the message is composed of the routing devices whose trust levels are not lower than the security level of the message, the security level of the forwarding path of the message is not lower than the security level of the message, that is, a message is forwarded by the forwarding path whose security level is not lower than the security level of the message. As can be obtained from the foregoing description, a message corresponds to the lowest security level of the forwarding path that forwards the message, which is called the security level of the forwarding path that corresponds to the message, and the value is equal to the security level of the message.
The following describes the determination methods of the security level of the packet, the trust level of the routing device, and the security level of the forwarding path.
The security level of the message is determined by the IP address range segment to which the source IP address of the message belongs, and the messages corresponding to the source IP addresses belonging to the same IP address range segment have the same security level, that is, the IP addresses in the same address range segment correspond to the same message security level.
The IP address range segments are obtained by dividing the whole IP address range by the boundary addresses, so that each IP address range segment contains continuous IP addresses. The demarcation address is an IP address used for dividing an IP address range. The demarcation address can be configured by a worker through a configuration interface, and can also be obtained from a management device in the network.
Assuming that there are three demarcation addresses, K0, K1 and K2 in order from small to large, the three demarcation addresses divide the whole IP address range into four IP address range segments, specifically: [0, K0), [K0, K1), [K1, K2) and [K2, maximum IP address].
In one implementation, the first preset number of bits of the IP address may be considered to represent the security level, and in this case, the security level of the packet corresponding to the IP address range segment may be determined according to the security level represented by the first preset number of bits in the demarcation address. For example, the preset number may be 2, 3, etc.
The following describes the security level of the packet corresponding to each IP address range segment, taking the preset number as 2 as an example.
Assume that the first 2 bits of K0, K1, and K2 are 01, 10 and 11, whose decimal representations are 1, 2 and 3 respectively. The security level of the packet corresponding to the IP address range segment containing K0 may then be regarded as security level 1, that of the segment containing K1 as security level 2, and that of the segment containing K2 as security level 3. In view of this, the security levels of the packets corresponding to [0, K0), [K0, K1), [K1, K2) and [K2, maximum IP address] may be determined as security level 0, security level 1, security level 2, and security level 3, respectively.
In one implementation, it can be known from the foregoing description that the number of security levels of the packet, the number of trust levels of the routing device, and the number of security levels of the forwarding path are equal, and based on this, after the security level of the packet corresponding to each IP address range segment is determined, the security level value of the packet corresponding to each IP address range segment can be directly determined as the level value of the trust level of the routing device corresponding to each IP address range segment, and the level value of the security level of the forwarding path corresponding to each IP address range segment.
For example, if the security level of the packet corresponding to the IP address range segment [0, K0) is security level 0, then the trust level of the routing device corresponding to that IP address range segment is trust level 0, and the security level of the forwarding path corresponding to that IP address range segment is security level 0.
The trust level of the routing device corresponding to the IP address range segment may be understood as the lowest trust level of a routing device forwarding the segment message, where a segment message is a message whose source IP address is an IP address in the IP address range segment.
The level value of the trust level of the routing device corresponding to each IP address range segment can be understood as: the lowest trust level of the forwarding path for forwarding the segment message.
A scheme for selecting a packet forwarding path in the prior art is described below.
In this scheme, a binary tree is first constructed based on the aforementioned IP address range segments, and each node in the binary tree stores a demarcation address or an IP address range segment, as shown in Fig. 2. After the source IP address of the message is obtained, the source IP address is compared with the nodes of the binary tree, starting from the root node, until the IP address range segment to which the source IP address belongs is found. The security level of the forwarding path for forwarding the message is then determined according to that IP address range segment, and the forwarding path is selected for the message according to the determined security level.
Specifically, as can be seen from the binary tree shown in Fig. 2, the root node stores the boundary address K0, the two child nodes of the root node store the boundary addresses K1 and K2 respectively, and the child nodes of those two child nodes store the IP address range segments [min, K1), [K1, K0), [K0, K2) and [K2, max] respectively, where min represents the minimum IP address in the entire IP address range and max represents the maximum IP address in the entire IP address range.
The following describes the process of determining the segment of the IP address range to which the source IP address belongs, based on the binary tree described above.
After the routing device acquires the source IP address of a message, it first compares the source IP address with the boundary address K0. If the source IP address is greater than or equal to K0, the lookup turns to the right child node of the root node, called the K2 right child node for convenience, and compares the source IP address with the boundary address K2. If the source IP address is less than K2, the lookup turns to the left child node of the K2 right child node and judges whether the source IP address belongs to the IP address range segment [K0, K2) stored by that left child node; if the source IP address is not less than K2, the lookup turns to the right child node of the K2 right child node and judges whether the source IP address belongs to the IP address range segment [K2, max] stored by that right child node. If the source IP address is smaller than the boundary address K0, the lookup turns to the left child node of the root node, and the subsequent judgment process is similar to the one above and is not described in detail here.
After the above process, the IP address range segment to which the source IP address belongs can be determined.
As can be seen from the above, when selecting a packet forwarding path based on the binary tree, it is necessary to compare and determine the source IP address and the information stored in the binary tree node many times, and the comparison and determination is an operation that has low efficiency and consumes computing resources.
In order to solve the above technical problem, the packet forwarding path selection scheme provided in the embodiment of the present invention is implemented based on a trust table entry, and to implement this scheme, a trust table entry is first required to be stored in the routing device, so a scheme for obtaining the trust table entry is described below.
The execution main body of the trust table item acquisition scheme provided by the embodiment of the invention can be electronic equipment such as routing equipment and the like with computing capability and storage capability.
In an embodiment of the present invention, referring to fig. 3, a flowchart of a first method for obtaining a trust table entry is provided, where the method includes the following steps S301 to S305.
Step S301: acquiring the boundary address of the IP address.
In one implementation, the demarcation address of the IP address configured by the staff may be obtained.
In another implementation, the demarcation address may be obtained from a device having management functionality within the network.
Step S302: determining an IP address range segment according to each boundary address.
Specifically, the specific implementation manner of determining the IP address range segment according to each boundary address has been described in detail above, and is not described herein again.
Step S303: obtaining the security level of the forwarding path corresponding to each IP address range segment.
In an embodiment of the present invention, as described above, the security level of the packet corresponding to each IP address range segment may be determined according to each demarcation address, and then the security level of the forwarding path corresponding to each IP address range segment is obtained according to the determined security level of the packet.
In addition, the security level of the forwarding path may also be obtained in other manners, which will be described in detail in the following embodiments and will not be described in detail here.
Step S304: obtaining the identification mask pair corresponding to each IP address range segment.
Wherein each identification mask pair comprises an address identification and a mask of the IP address.
For each segment of the IP address range, the address identifier can uniquely identify the IP address in the segment of the IP address range.
The value of each bit in the mask represents whether the same bit in the IP address is valid. For example, a bit value of 1 may indicate valid and a bit value of 0 invalid.
In addition, the number of bits of the address identifier and the mask may be the same as the number of bits of the IP address.
In one implementation, the mask may be determined according to a rule set for each IP address range segment. For example, if the rule is that the values of the highest first number of bits in the IP address are preset values, the mask may be: the highest first number of bits are 1 and the other bits are 0. For example, the first number may be 64.
The mask may also be obtained in other manners, which may specifically refer to the following embodiment shown in fig. 4, and will not be described in detail here.
The following describes a manner of obtaining the address identifier in an identification mask pair.
In one embodiment of the present invention, after the mask in an identification mask pair of an IP address range segment is determined, the address identifier may be determined based on the starting IP address of the IP address range segment and the mask. For example, the starting IP address of the IP address range segment is bitwise ANDed with the mask, and the result is used as the address identifier in the identification mask pair.
It should be noted that, in the embodiment of the present invention, the execution order of step S303 and step S304 is not limited, and the two steps may be executed in parallel or in series.
Step S305: for each IP address range segment, generate a trust table entry containing one identification mask pair and the security level of the forwarding path corresponding to the IP address range segment.
Since only one identification mask pair may be generated or a plurality of identification mask pairs may be generated when generating an identification mask pair for each IP address range segment, in this step, a trust table entry needs to be generated for each identification mask pair when generating a trust table entry.
Suppose that the security level of the forwarding path corresponding to an IP address range segment is Q, and the IP address range segment corresponds to 2 identification mask pairs, which are: (D1, Y1) and (D2, Y2), wherein D1, D2 are address identifiers, and Y1 and Y2 are masks, the generated trust table entry includes: (D1, Y1, Q) and (D2, Y2, Q).
After generating trust table entries for each segment of the IP address range, these trust table entries may be stored in the form of a linked list.
As can be seen from the above, in the scheme provided in this embodiment, the security level and the identifier mask pair of the forwarding path corresponding to each IP address range segment are first obtained, and then, for each IP address range segment, a trust table entry including one identifier mask pair and the security level of the forwarding path corresponding to the IP address range segment is generated. In addition, since the trust table entry includes the security level of the forwarding path corresponding to the IP address range segment, the trust table entry may be used to provide the security level of the forwarding path in the process of selecting the forwarding path.
Next, another implementation of obtaining the security level of the forwarding path in step S303 is described.
In one embodiment of the present invention, step S303 can be implemented by the following steps A to B.
Step A: obtain the trust level of the routing device corresponding to each IP address range segment.
In one implementation, as described above, the security level of the packet corresponding to each IP address range segment may be determined according to each demarcation address, and then, the trust level of the routing device corresponding to each IP address range segment may be directly obtained based on the security level of the packet corresponding to each IP address range segment. The specific processes can be found in the foregoing, and are not described in detail here.
In another implementation, the trust level of the routing device may be determined based on the type of each demarcation address, and the specific process is described in the following embodiments and will not be described in detail here.
Step B: obtain the security level of the forwarding path corresponding to each IP address range segment according to the preset correspondence between the trust level of the routing device and the security level of the forwarding path, and the obtained trust level.
In one case, the correspondence between the trust level of the routing device and the security level of the forwarding path may be: the rank value of the trust level of the routing device is equal to the rank value of the security level of the forwarding path, and in this case, after the trust level of the routing device corresponding to each IP address range segment is obtained, the security level of the forwarding path corresponding to each IP address range segment can be obtained.
As can be seen from the above, in the solution provided in this embodiment, the corresponding relationship between the trust level of the routing device and the security level of the forwarding path is preset, so that after the trust level of the routing device corresponding to each IP address range segment is obtained, the security level of the forwarding path can be obtained according to the preset corresponding relationship, the process of obtaining the security level of the forwarding path is simplified, and the efficiency of obtaining the security level of the forwarding path can be improved.
Other implementations of obtaining the trust level of the routing device in the foregoing step A are described below.
In an embodiment of the present invention, before step A obtains the trust level of the routing device corresponding to each IP address range segment, the method for selecting a forwarding path further includes the following step A1.
Step A1: the address type of each demarcation address is obtained.
Wherein, the address types include: a special demarcation address and a normal demarcation address. The special demarcation address and the normal demarcation address can be represented by different identifiers. The special demarcation address may be understood as a demarcation address corresponding to the lowest trust level of the routing device, i.e. the demarcation address corresponding to the starting trust level of the routing device.
Specifically, the address type of the boundary address may be specified by a worker according to a specific situation, or may be specified by a management device in the network, which is not limited in the embodiment of the present invention.
The address type of the demarcation address may be obtained along with the demarcation address.
Among all the demarcation addresses, the special demarcation address can be the smallest demarcation address, can be the largest demarcation address, and can also be the middle demarcation address.
On this basis, step A can be implemented by the following steps A2 to A3.
Step A2: set the trust level of the routing device corresponding to the first IP address range segment, which takes the special demarcation address as its starting address, to a preset initial trust level.
The preset initial trust level may be set by a worker according to actual conditions, for example, the preset initial trust level may be trust level 0, trust level 1, or the like.
Since the special demarcation address may be the smallest demarcation address, the middle demarcation address, or the largest demarcation address, the ending address of the first IP address range may be the largest IP address, or the next demarcation address larger than the special demarcation address.
Step A3: starting from the second IP address range segment, set the trust levels of the routing devices in a cyclic manner, taking the first trust level as the initial value and the preset level variation as the trust level change step, and set the trust level of the routing device corresponding to the third IP address range segment equal to the trust level of the routing device corresponding to the fourth IP address range segment.
The second IP address range segment is the IP address range segment that takes the first demarcation address as its starting address, where the first demarcation address is the first normal demarcation address that follows the special demarcation address in cyclic order.
The third IP address range segment is the IP address range segment that takes the minimum IP address in the IP address range as its starting address. The fourth IP address range segment is the IP address range segment that takes the maximum IP address in the IP address range as its end address.
The first trust level is the sum of the initial trust level and the preset level variation. For example, the level variation may be 1, 2, or the like.
As can be understood from the foregoing description, the special demarcation address may be the smallest demarcation address, a middle demarcation address, or the largest demarcation address. The relative position of the normal demarcation addresses and the special demarcation address therefore varies, and the different cases are described below.
Suppose that K0 is a special boundary address, K1 and K2 are normal boundary addresses, 0 represents the minimum IP address in the IP address range, max represents the maximum IP address in the IP address range, the preset initial trust level is trust level 1, and the level change amount is 1.
In case one, the demarcation addresses are, in order from small to large: K1, K2 and K0, and the IP address range segments are: [0, K1), [K1, K2), [K2, K0), [K0, max]. Wherein:
[K0, max] is the first IP address range segment, which may also be referred to as the fourth IP address range segment, and the trust level of the corresponding routing device is trust level 1;
[0, K1) is the third IP address range segment, and the trust level of the corresponding routing device is equal to the trust level of the routing device corresponding to the fourth IP address range segment, which is trust level 1;
[K1, K2) and [K2, K0) are the second IP address range segments, and the trust levels of the corresponding routing devices are trust level 2 and trust level 3, respectively.
In case two, the demarcation addresses are, in order from small to large: K0, K1 and K2, and the IP address range segments are: [0, K0), [K0, K1), [K1, K2), [K2, max]. Wherein:
[K0, K1) is the first IP address range segment, and the trust level of the corresponding routing device is trust level 1;
[K1, K2) and [K2, max] are the second IP address range segments, and the trust levels of the corresponding routing devices are trust level 2 and trust level 3, respectively, where [K2, max] is also referred to as the fourth IP address range segment;
[0, K0) is the third IP address range segment, and the trust level of the corresponding routing device is equal to the trust level of the routing device corresponding to the fourth IP address range segment, which is trust level 3.
In case three, the demarcation addresses are, in order from small to large: K1, K0 and K2, and the IP address range segments are: [0, K1), [K1, K0), [K0, K2), [K2, max]. Wherein:
[K0, K2) is the first IP address range segment, and the trust level of the corresponding routing device is trust level 1;
[K2, max] is a second IP address range segment, also called the fourth IP address range segment, and the trust level of the corresponding routing device is trust level 2;
[0, K1) is the third IP address range segment, and the trust level of the corresponding routing device is equal to the trust level of the routing device corresponding to the fourth IP address range segment, which is trust level 2;
[K1, K0) is a second IP address range segment, and the trust level of the corresponding routing device is trust level 3.
As can be seen from the above, in this step, once the trust level of the corresponding routing device has been set for an IP address range segment, the setting for that segment is complete and is not repeated.
As can be seen from the above, in the scheme provided in this embodiment, the trust level of the routing device corresponding to each IP address range segment is set in combination with the type of the demarcation address and the preset trust level, so that the same IP address range segment can correspond to the trust levels of different routing devices under different conditions, and the trust level of the routing device corresponding to the IP address range segment is set more flexibly under different conditions.
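Steps A2 and A3 can be sketched as follows. This is an added example, not code from the patent: the function name and the small integers standing in for IP addresses are constructed for illustration, and every demarcation address is assumed to lie strictly between the minimum address 0 and the maximum address.

```python
from typing import Dict, List, Tuple

# (start, end, trust level); end is exclusive except for the last segment,
# whose end is the maximum address and is inclusive, as in [K, max].
Segment = Tuple[int, int, int]


def assign_trust_levels(boundaries: List[int], special: int, max_addr: int,
                        start_level: int = 1, step: int = 1) -> List[Segment]:
    """Assign a routing-device trust level to every IP address range segment.

    boundaries  -- demarcation addresses (hypothetical integer stand-ins)
    special     -- the one demarcation address of type "special"
    start_level -- preset initial trust level (step A2)
    step        -- preset level variation (step A3)
    """
    bs = sorted(boundaries)
    if len(set(bs)) != len(bs):
        raise ValueError("duplicate demarcation address")
    if special not in bs:
        raise ValueError("special demarcation address is not a boundary")
    if bs[0] <= 0 or bs[-1] >= max_addr:
        raise ValueError("boundaries must lie strictly between 0 and max_addr")

    n = len(bs)
    s = bs.index(special)
    ends = bs[1:] + [max_addr]          # end address of the segment starting at bs[i]
    level_of: Dict[int, int] = {}       # segment start address -> trust level

    level = start_level
    for k in range(n):
        i = (s + k) % n                 # walk the boundaries cyclically from the special one
        if k:
            level += step               # first trust level = start_level + step
        level_of[bs[i]] = level
        if i == n - 1:
            # The segment ending at max_addr is the "fourth" segment; the
            # "third" segment [0, bs[0]) copies its level without a new step.
            level_of[0] = level

    return [(0, bs[0], level_of[0])] + [
        (bs[i], ends[i], level_of[bs[i]]) for i in range(n)
    ]


if __name__ == "__main__":
    # Constructed values: K1=100, K0=200 (special), K2=300, max=1000 (case three).
    for seg in assign_trust_levels([100, 200, 300], special=200, max_addr=1000):
        print(seg)
```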
Fig. 4 is a flowchart illustrating a second method for obtaining a trust entry according to an embodiment of the present invention, and as shown in fig. 4, step S304 may be implemented by the following steps S304A-S304B.
Step S304A: the IP addresses contained within each IP address range segment are grouped.
Specifically, the IP addresses in each IP address range segment may be grouped based on a grouping rule, and each IP address range segment may correspond to one grouping rule or to a plurality of grouping rules, so that one IP address range segment may be divided into one group or a plurality of groups.
The IP addresses within a group have a common characteristic, since the IP addresses within each group conform to certain rules.
Specifically, for each IP address range segment, different grouping rules may be set depending on the specific situation. For example, in one case, for an IP address range segment, the grouping rule may be: the even IP addresses are placed in one group and the odd IP addresses are placed in another group. Of course, other grouping rules may exist for each IP address range segment; the above is only an example, and the specific form of the grouping rule is not limited.
Step S304B: for each group corresponding to each IP address range segment, determine the address identifier and the mask of the IP address corresponding to the group according to the grouping rule corresponding to the group and the IP addresses contained in the group, and obtain an identification mask pair containing the determined address identifier and mask.
In one implementation, for each group corresponding to each IP address range segment, the value of the mask may be determined based on the specific content of the grouping rule corresponding to the group and the IP addresses contained in the IP address range segment. For example, if the grouping rule is to divide the even IP addresses in the IP address range segment into one group, the high-order bits shared by all IP addresses in the IP address range segment are determined first, for example the high X bits are found to be the same, and the remaining low-order bits are then set to a value representing an even number. For example, in the mask, the high X bits are set to 1, the lowest two bits are set to 10, and the remaining bits are set to 0.
After the mask of each group is determined, the address identifier may be determined based on the mask and one IP address in the group. The specific determination manner is the same as that described in step S304 and is not repeated here.
In an embodiment of the present invention, when determining the address identifier and the mask of the IP address corresponding to a group, the low preset number of bits of the IP addresses contained in the group may be obtained first, and the address identifier and the mask of the IP address corresponding to the group may then be determined according to the grouping rule corresponding to the group and the obtained bits.
For example, the preset number may be 64.
Specifically, in some scenarios the IP addresses used are small, in which case the high bits of the IP address carry no specific meaning. When generating the mask and the address identifier, only the low preset number of bits of the IP address may therefore be considered, instead of all bits. In this way, only part of the information in the IP address is considered when determining the mask and the address identifier; especially for IPv6 addresses, which have a large number of bits, the information to be considered is reduced, which effectively improves the efficiency of determining the mask and the address identifier. In addition, because only part of the information in the IP address is considered, the occupation of computing resources and cache resources can be reduced.
As can be seen from the above, in the scheme provided in this embodiment, when generating the identification mask pair, the mask and the address identifier are not generated directly for the IP addresses in the IP address range segment. Instead, the IP addresses in the IP address range segment are first grouped, and the identification mask pair is then generated based on the grouping. After grouping, the characteristics of the IP addresses in a group are clearer, so that the mask and the address identifier can be determined more accurately, and a trust table entry that is more convenient for table entry matching can be generated.
The following describes the message forwarding path selection method provided in the embodiment of the present invention in detail.
An execution main body of the message forwarding path selection method provided by the embodiments of the present invention is a routing device, where the routing device stores in advance a trust table entry generated according to the schemes provided by the embodiments.
Fig. 5 is a flowchart illustrating a first method for selecting a packet forwarding path according to an embodiment of the present invention, and as shown in fig. 5, the method may include the following steps: S501-S504.
Step S501: receive the message to be forwarded.
Step S502: calculate the first address identifier corresponding to the source IP address in a trust table entry according to the source IP address of the message and the mask contained in the locally stored trust table entry.
The value of each bit in the mask represents whether the same bit in the IP address is valid.
In one implementation, the first address identifier may be calculated by a bitwise AND of the mask in the trust table entry and the entire source IP address. The detailed process is the same as that mentioned in the foregoing embodiment and is not described in detail here.
In another implementation, a low preset number of bits of the source IP address of the message may be obtained, and a bitwise AND operation is performed on the obtained bits and the mask contained in a locally stored trust table entry; the operation result is used as the first address identifier corresponding to the source IP address in that trust table entry. In this case, only part of the information in the IP address is considered when the first address identifier is obtained; especially for an IPv6 address with a large number of bits, the amount of information to be considered can be reduced, and the efficiency of determining the mask and the address identifier can be effectively improved. In addition, because only part of the information in the IP address is considered, the occupation of computing resources and cache resources can be reduced.
Step S503: determine the target table entry that matches the source IP address among the trust table entries according to the first address identifier corresponding to the source IP address and the second address identifier contained in each trust table entry.
For a trust table entry, if the first address identifier corresponding to the source IP address is the same as the second address identifier included in the trust table entry, the trust table entry is considered to be matched with the source IP address, and may be used as a target table entry.
In the process of matching the source IP address with the trust table entry, if the target trust table entry is determined, the matching of the subsequent trust table entries may be stopped.
Step S504: select a forwarding path for the message from the available message forwarding paths according to the security level of the forwarding path contained in the target table entry.
Specifically, a forwarding path with a security level not lower than the security level included in the target entry may be selected from available packet forwarding paths to forward the packet.
When the scheme provided by the embodiment of the invention is applied to selecting the message forwarding path, the routing device locally stores the trust table entries, and the value of each bit of the mask in a trust table entry represents whether the same bit in the IP address is valid. According to the mask in each trust table entry, it can therefore be determined which bits in the source IP address of the message to be forwarded are valid, so that the first address identifier corresponding to the source IP address is obtained. Because the trust table entry also contains an address identifier, table entry matching can be carried out according to the first address identifier and the address identifier contained in each trust table entry, and the target table entry matched with the message to be forwarded is obtained. And because the trust table entry contains the security level of the forwarding path, the security level of the forwarding path contained in the target table entry can be used as the security level of the forwarding path corresponding to the message to be forwarded, so that the forwarding path for forwarding the message is selected according to that security level. Therefore, the scheme provided by the embodiment of the invention can realize the selection of the forwarding path. After the security level of the forwarding path corresponding to the message is determined, the forwarding path can be determined according to that level, so that the message is guaranteed to be safely forwarded.
In addition, in the scheme provided by the embodiment of the invention, the forwarding path is selected for the message by means of table entry matching, and the chip in the routing device performs table entry matching with high efficiency. The scheme provided by the embodiment of the invention can therefore complete table entry matching quickly and efficiently and thus quickly select the forwarding path, thereby improving the speed of message forwarding and realizing fast forwarding of the message.
Moreover, in the scheme provided by the embodiment of the invention, the security level of the forwarding path is obtained in a table item matching mode, so that the process of judging for multiple times when the path is selected based on the binary tree can be omitted, the efficiency of selecting the forwarding path can be further improved, and the efficiency of forwarding the message can be further improved.
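The trust table entry generation of steps S304 to S305 and the lookup of steps S501 to S504 can be put together as below. This is an added example, not code from the patent, and it uses the full 128-bit IPv6 address rather than the low-bits variant. All names, the 2001:db8:: sample addresses and the path labels are constructed; returning no path when nothing matches and preferring the lowest sufficient path level are assumptions the text does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

BITS = 128  # IPv6 address width


@dataclass(frozen=True)
class TrustEntry:
    ident: int  # address identifier D
    mask: int   # mask Y: a 1 bit means the same bit of the IP address is valid
    level: int  # security level Q of the forwarding path


def high_bits_mask(n: int) -> int:
    """Mask whose highest n bits are 1 and whose other bits are 0."""
    if not 0 <= n <= BITS:
        raise ValueError("bit count out of range")
    return ((1 << n) - 1) << (BITS - n)


def make_entry(start_ip: str, mask: int, level: int) -> TrustEntry:
    """S304/S305: identifier = starting IP address AND mask; entry = (D, Y, Q)."""
    start = int(ipaddress.IPv6Address(start_ip))
    return TrustEntry(start & mask, mask, level)


def match_entry(src_ip: str, table: List[TrustEntry]) -> Optional[TrustEntry]:
    """S502/S503: per entry, compute the first address identifier from the
    source IP and that entry's mask, compare it with the entry's identifier,
    and stop at the first match."""
    src = int(ipaddress.IPv6Address(src_ip))
    for entry in table:
        first_ident = src & entry.mask
        if first_ident == entry.ident:
            return entry
    return None


def select_path(src_ip: str, table: List[TrustEntry],
                paths: List[Tuple[str, int]]) -> Optional[str]:
    """S504: pick a path whose security level is not lower than the level in
    the target entry. Assumptions of this sketch: no match or no sufficient
    path yields None, and the lowest sufficient level is preferred."""
    target = match_entry(src_ip, table)
    if target is None:
        return None
    eligible = [p for p in paths if p[1] >= target.level]
    if not eligible:
        return None
    return min(eligible, key=lambda p: p[1])[0]


# Constructed sample data. The first range segment is covered by two
# identification mask pairs, so it yields two entries with the same level,
# like (D1, Y1, Q) and (D2, Y2, Q) in the description.
TABLE = [
    make_entry("2001:db8:0:1::", high_bits_mask(64), 3),
    make_entry("2001:db8:0:2::", high_bits_mask(64), 3),
    make_entry("2001:db8:0:10::", high_bits_mask(64), 1),
]
PATHS = [("path-a", 1), ("path-b", 2), ("path-c", 3)]

if __name__ == "__main__":
    for src in ("2001:db8:0:1::42", "2001:db8:0:10::7", "2001:db8:0:99::1"):
        print(src, "->", select_path(src, TABLE, PATHS))
```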
Corresponding to the message forwarding path selection method, the embodiment of the invention also provides a message path forwarding device.
Fig. 6 is a schematic structural diagram of a packet forwarding path selection apparatus provided in an embodiment of the present invention, where the apparatus includes the following modules: 601-604.
The message receiving module 601: configured to receive the message to be forwarded;
the first address identification calculation module 602: configured to calculate the first address identifier corresponding to the source IP address in a trust table entry according to the source IP address of the message and the mask contained in the locally stored trust table entry, wherein the value of each bit in the mask represents whether the same bit in the IP address is valid;
the target table item determination module 603: configured to determine the target table entry that matches the source IP address among the trust table entries according to the first address identifier corresponding to the source IP address and the second address identifier contained in each trust table entry;
the forwarding path selection module 604: configured to select a forwarding path for the message from the available message forwarding paths according to the security level of the forwarding path contained in the target table entry.
In an embodiment of the present invention, the first address identifier calculating module 602 is specifically configured to:
acquiring a low preset number of bits of a source IP address of the message;
and bitwise AND operation is carried out on the obtained bits and a mask contained in a locally stored trust table entry to obtain an operation result, and the operation result is used as a first address identifier corresponding to the source IP address in the trust table entry.
When the scheme provided by the embodiment of the invention is applied to selecting the message forwarding path, the routing device locally stores the trust table entries, and the value of each bit of the mask in a trust table entry represents whether the same bit in the IP address is valid. According to the mask in each trust table entry, it can therefore be determined which bits in the source IP address of the message to be forwarded are valid, so that the first address identifier corresponding to the source IP address is obtained. Because the trust table entry also contains an address identifier, table entry matching can be carried out according to the first address identifier and the address identifier contained in each trust table entry, and the target table entry matched with the message to be forwarded is obtained. And because the trust table entry contains the security level of the forwarding path, the security level of the forwarding path contained in the target table entry can be used as the security level of the forwarding path corresponding to the message to be forwarded, so that the forwarding path for forwarding the message is selected according to that security level. Therefore, the scheme provided by the embodiment of the invention can realize the selection of the forwarding path. After the security level of the forwarding path corresponding to the message is determined, the forwarding path can be determined according to that level, so that the message is guaranteed to be safely forwarded.
In addition, in the scheme provided by the embodiment of the invention, the forwarding path is selected for the message by means of table entry matching, and the chip in the routing device performs table entry matching with high efficiency. The scheme provided by the embodiment of the invention can therefore complete table entry matching quickly and efficiently and thus quickly select the forwarding path, thereby improving the speed of message forwarding and realizing fast forwarding of the message.
Fig. 7 is a schematic structural diagram of a first trust table entry obtaining apparatus according to an embodiment of the present invention, where the apparatus includes the following sub-modules 701-705.
The boundary address obtaining sub-module 701: configured to obtain the demarcation addresses of IP addresses;
the range segment acquisition determination submodule 702: configured to determine the IP address range segments according to the demarcation addresses;
the security level acquisition sub-module 703: configured to obtain the security level of the forwarding path corresponding to each IP address range segment;
the identification mask pair obtaining sub-module 704: configured to obtain the identification mask pair corresponding to each IP address range segment, wherein each identification mask pair comprises an address identifier and a mask of the IP address;
the trust table entry generation submodule 705: configured to generate, for each IP address range segment, a trust table entry containing one identification mask pair and the security level of the forwarding path corresponding to the IP address range segment.
As can be seen from the above, in the scheme provided in this embodiment, the security level and the identifier mask pair of the forwarding path corresponding to each IP address range segment are first obtained, and then, for each IP address range segment, a trust table entry including one identifier mask pair and the security level of the forwarding path corresponding to the IP address range segment is generated. In addition, since the trust table entry includes the security level of the forwarding path corresponding to the IP address range segment, the trust table entry may be used to provide the security level of the forwarding path in the process of selecting the forwarding path.
Fig. 8 is a schematic structural diagram of a second trust table entry obtaining apparatus according to an embodiment of the present invention. Compared with the apparatus shown in fig. 7, the identification mask pair obtaining sub-module 704 includes the following units 704A-704B.
The IP address grouping unit 704A: configured to group the IP addresses contained in each IP address range segment;
the identification mask pair obtaining unit 704B: configured to determine, for each group corresponding to each IP address range segment, the address identifier and the mask of the IP address corresponding to the group according to the grouping rule corresponding to the group and the IP addresses contained in the group, so as to obtain an identification mask pair containing the determined address identifier and mask.
In an embodiment of the present invention, the identifier mask pair obtaining unit 704B is specifically configured to:
for each group corresponding to each IP address range segment, acquire the low preset number of bits of the IP addresses contained in the group;
and determine the address identifier and the mask of the IP address corresponding to the group according to the grouping rule corresponding to the group and the obtained bits.
As can be seen from the above, in the scheme provided in this embodiment, when generating the identification mask pair, the mask and the address identifier are not generated directly for the IP addresses in the IP address range segment. Instead, the IP addresses in the IP address range segment are first grouped, and the identification mask pair is then generated based on the grouping. After grouping, the characteristics of the IP addresses in a group are clearer, so that the mask and the address identifier can be determined more accurately, and a trust table entry that is more convenient for table entry matching can be generated.
Fig. 9 is a schematic structural diagram of a third trust table entry obtaining apparatus according to an embodiment of the present invention. Compared with the apparatus shown in fig. 7, the security level obtaining sub-module 703 includes the following units 703A to 703B.
A first trust level obtaining unit 703A, configured to obtain a trust level of the routing device corresponding to each IP address range segment;
the security level obtaining unit 703B is configured to obtain, according to the correspondence between the preset trust level of the routing device and the security level of the forwarding path and the obtained trust level, the security level of the forwarding path corresponding to each IP address range segment.
As can be seen from the above, in the solution provided in this embodiment, the corresponding relationship between the trust level of the routing device and the security level of the forwarding path is preset, so that after the trust level of the routing device corresponding to each IP address range segment is obtained, the security level of the forwarding path can be obtained according to the preset corresponding relationship, the process of obtaining the security level of the forwarding path is simplified, and the efficiency of obtaining the security level of the forwarding path can be improved.
Fig. 10 is a schematic structural diagram of a fourth trust table entry obtaining apparatus according to an embodiment of the present invention, which, compared with the apparatus shown in fig. 9, further includes the following sub-module 703C.
A boundary address obtaining unit 703C, configured to obtain an address type of each boundary address before the first trust level obtaining unit obtains the trust level, where the address type includes: a special demarcation address and a normal demarcation address.
In an embodiment of the present invention, the first trust level obtaining unit 703A is specifically configured to:
set the trust level of the routing device corresponding to the first IP address range segment, which takes the special demarcation address as its starting address, to a preset initial trust level;
starting from the second IP address range segment, set the trust levels of the routing devices in a cyclic manner, taking the first trust level as the initial value and the preset level variation as the trust level change step, and set the trust level of the routing device corresponding to the third IP address range segment equal to the trust level of the routing device corresponding to the fourth IP address range segment;
wherein the first trust level is the sum of the initial trust level and the preset level variation; the second IP address range segment is the IP address range segment that takes the first demarcation address as its starting address, the first demarcation address being the first normal demarcation address that follows the special demarcation address in cyclic order; the third IP address range segment is the IP address range segment that takes the minimum IP address in the IP address range as its starting address; and the fourth IP address range segment is the IP address range segment that takes the maximum IP address in the IP address range as its end address.
As can be seen from the above, in the scheme provided in this embodiment, the trust level of the routing device corresponding to each IP address range segment is set in combination with the type of the demarcation address and the preset trust level, so that the same IP address range segment can correspond to the trust levels of different routing devices under different conditions, and the trust level of the routing device corresponding to the IP address range segment is set more flexibly under different conditions.
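The cyclic trust-level assignment and the preset trust-to-security correspondence described above can be sketched as follows. This is an added example, not code from the patent; the function names, the 8-bit address space, the sample demarcation addresses and the correspondence table are assumptions, as is the reading that each segment runs from one demarcation address up to the address just before the next.

```python
# Added illustration (not from the patent). Assumed: an 8-bit address space,
# segments of the form [demarcation_i, demarcation_{i+1} - 1], and the
# constructed sample values at the bottom.

def assign_trust_levels(boundaries, special, initial_level, step, addr_bits=8):
    """Return sorted (start, end, trust_level) segments covering the space.

    The segment starting at the special demarcation address gets
    initial_level; each following segment, taken in cyclic order, gets the
    previous level plus step. The piece that starts at the minimum address
    and the piece that ends at the maximum address share one level, because
    together they form the wrap-around segment.
    """
    max_addr = (1 << addr_bits) - 1
    bounds = sorted(set(boundaries))
    if special not in bounds:
        raise ValueError("special demarcation address must be a boundary")
    if bounds[0] < 0 or bounds[-1] > max_addr:
        raise ValueError("demarcation address outside the address space")
    n = len(bounds)
    first = bounds.index(special)
    segments = []
    for k in range(n):
        i = (first + k) % n              # walk the boundaries cyclically
        level = initial_level + k * step
        if i + 1 < n:
            segments.append((bounds[i], bounds[i + 1] - 1, level))
        else:
            # Wrap-around: the part ending at the maximum address ...
            segments.append((bounds[i], max_addr, level))
            # ... and the part starting at the minimum address, same level.
            if bounds[0] > 0:
                segments.append((0, bounds[0] - 1, level))
    return sorted(segments)


def security_levels(segments, correspondence):
    """Map each segment's trust level through the preset correspondence."""
    result = []
    for start, end, trust in segments:
        if trust not in correspondence:
            # Refuse to guess a security level for an unconfigured trust level.
            raise ValueError(f"no security level preset for trust level {trust}")
        result.append((start, end, correspondence[trust]))
    return result


# Constructed sample input.
BOUNDARIES = [0x20, 0x60, 0xA0, 0xE0]
SPECIAL = 0x60
CORRESPONDENCE = {1: "low", 2: "medium", 3: "high", 4: "high"}

if __name__ == "__main__":
    segs = assign_trust_levels(BOUNDARIES, SPECIAL, initial_level=1, step=1)
    for start, end, sec in security_levels(segs, CORRESPONDENCE):
        print(f"{start:#04x}-{end:#04x}: {sec}")
```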
An embodiment of the present invention further provides an electronic device, as shown in fig. 11, including a processor 1101, a communication interface 1102, a memory 1103 and a communication bus 1104, where the processor 1101, the communication interface 1102 and the memory 1103 complete mutual communication through the communication bus 1104,
a memory 1103 for storing a computer program;
the processor 1101 is configured to, when executing the program stored in the memory 1103, implement the steps of any message forwarding path selection method in the foregoing method embodiments.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components.
In another embodiment of the present invention, a computer-readable storage medium is further provided, where a computer program is stored in the computer-readable storage medium, and when executed by a processor, the computer program implements the steps of any message forwarding path selection method in the foregoing method embodiments.
In another embodiment of the present invention, a computer program product containing instructions is provided, which when run on a computer, causes the computer to perform the steps of any of the message forwarding path selection methods in the above method embodiments.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, the electronic device, the storage medium, and the computer program product embodiment, since they are substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to part of the description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (16)

1. A method for selecting a message forwarding path is characterized in that the method comprises the following steps:
receiving a message to be forwarded;
calculating a first address identifier corresponding to the source IP address in a trust table item according to the source IP address of the message and a mask contained in the trust table item stored locally, wherein the value of each bit in the mask represents whether the same bit in the IP address is valid or not;
determining a target table item matched with the source IP address in each trust table item according to a first address identifier corresponding to the source IP address and a second address identifier contained in the trust table item;
and selecting a forwarding path for the message from available message forwarding paths according to the security level of the forwarding path contained in the target table entry.
2. The method according to claim 1, wherein said calculating a first address identifier corresponding to a source IP address in a trusted table entry according to the source IP address of the packet and a mask included in a locally stored trusted table entry comprises:
acquiring a low preset number of bits of a source IP address of the message;
and bitwise AND operation is carried out on the obtained bits and a mask contained in a locally stored trust table entry to obtain an operation result, and the operation result is used as a first address identifier corresponding to the source IP address in the trust table entry.
3. The method according to claim 1 or 2, characterized in that the locally stored trust table entry is obtained as follows:
acquiring a demarcation address of an IP address;
determining an IP address range section according to each boundary address;
obtaining the safety level of the forwarding path corresponding to each IP address range section;
obtaining an identification mask pair corresponding to each IP address range segment, wherein each identification mask pair comprises an address identification and a mask of an IP address;
and generating a trust table entry containing an identification mask pair and the security level of the forwarding path corresponding to each IP address range segment.
4. The method of claim 3, wherein obtaining the identity mask pair corresponding to each segment of the IP address range comprises:
grouping the IP addresses contained in each IP address range segment;
and aiming at each group corresponding to each IP address range segment, determining the address identifier and the mask of the IP address corresponding to the group according to the grouping rule corresponding to the group and the IP address contained in the group, and obtaining an identifier mask pair containing the determined address identifier and the mask.
5. The method of claim 4, wherein determining the address identifier and the mask of the IP address corresponding to the packet according to the packet rule corresponding to the packet and the IP address included in the packet comprises:
obtaining a low preset number of bits of an IP address contained in the packet;
and determining the address identifier and the mask of the IP address corresponding to the packet according to the packet rule corresponding to the packet and the obtained bit.
6. The method of claim 3, wherein obtaining the security level of the forwarding path corresponding to each IP address range segment comprises:
obtaining trust levels of the routing equipment corresponding to each IP address range section;
and obtaining the security level of the forwarding path corresponding to each IP address range section according to the corresponding relation between the trust level of the preset routing equipment and the security level of the forwarding path and the obtained trust level.
7. The method of claim 6, wherein prior to obtaining the trust level of the routing device corresponding to each IP address range segment, the method further comprises:
obtaining an address type of each boundary address, wherein the address type comprises: a special demarcation address and a normal demarcation address;
the obtaining the trust level of the routing device corresponding to each IP address range segment includes:
setting the trust level of the routing device corresponding to the first IP address range segment, whose start address is the special demarcation address, to a preset initial trust level;
starting from the second IP address range segment, setting the trust levels of the routing devices in a cyclic manner, taking the first trust level as the initial value and a preset level variation as the trust level variation step, and setting the trust level of the routing device corresponding to the third IP address range segment equal to the trust level of the routing device corresponding to the fourth IP address range segment;
wherein the first trust level is the sum of the initial trust level and the preset level variation; the second IP address range segment is the IP address range segment whose start address is the first boundary address; the first boundary address is the first ordinary demarcation address located after the special demarcation address in cyclic order; the third IP address range segment is the IP address range segment whose start address is the minimum IP address in the IP address range; and the fourth IP address range segment is the IP address range segment whose end address is the maximum IP address in the IP address range.
8. A packet forwarding path selection apparatus, the apparatus comprising:
the message receiving module is used for receiving a message to be forwarded;
a first address identifier calculation module, configured to calculate, according to a source IP address of the packet and a mask included in a locally stored trust table entry, a first address identifier corresponding to the source IP address in the trust table entry, where a value of each bit in the mask indicates whether a same bit in the IP address is valid;
a target table item determining module, configured to determine a target table item matching the source IP address in each trust table item according to a first address identifier corresponding to the source IP address and a second address identifier included in the trust table item;
and the forwarding path selection module is used for selecting a forwarding path for the message from available message forwarding paths according to the security level of the forwarding path contained in the target table entry.
9. The apparatus of claim 8,
the first address identifier calculation module is specifically configured to obtain, for each packet corresponding to each IP address range segment, a low preset number of bits of a source IP address of the packet; and bitwise AND operation is carried out on the obtained bits and a mask contained in a locally stored trust table entry to obtain an operation result, and the operation result is used as a first address identifier corresponding to the source IP address in the trust table entry.
10. The apparatus according to claim 8 or 9, wherein the apparatus further comprises a trust table entry obtaining module, the trust table entry obtaining module comprising:
the boundary address acquisition submodule is used for acquiring a boundary address of the IP address;
the range section obtaining and determining submodule is used for determining an IP address range section according to each demarcation address;
the safety level obtaining submodule is used for obtaining the safety level of the forwarding path corresponding to each IP address range section;
an identification mask pair obtaining submodule, configured to obtain an identification mask pair corresponding to each IP address range segment, where each identification mask pair includes an address identification and a mask of an IP address;
and the trust table item generating submodule is used for generating a trust table item containing an identification mask pair and the security level of the forwarding path corresponding to each IP address range section aiming at each IP address range section.
11. The apparatus of claim 10, wherein the identity mask pair obtaining sub-module comprises:
an IP address grouping unit used for grouping the IP addresses contained in each IP address range section;
and the identification mask pair obtaining unit is used for determining the address identification and the mask of the IP address corresponding to each group according to the grouping rule corresponding to the group and the IP address contained in the group, and obtaining an identification mask pair containing the determined address identification and the mask.
12. The apparatus of claim 11,
the identification mask pair obtaining unit is specifically configured to obtain a low preset number of bits of the IP address included in the packet; and determining the address identifier and the mask of the IP address corresponding to the packet according to the packet rule corresponding to the packet and the obtained bit.
13. The apparatus of claim 10, wherein the security level acquisition sub-module comprises:
the first trust level acquisition unit is used for acquiring the trust level of the routing equipment corresponding to each IP address range section;
and the safety level acquisition unit is used for acquiring the safety level of the forwarding path corresponding to each IP address range section according to the corresponding relation between the preset trust level of the routing equipment and the safety level of the forwarding path and the acquired trust level.
14. The apparatus of claim 13, wherein the security level acquisition sub-module further comprises:
a boundary address obtaining unit, configured to obtain an address type of each boundary address before the first trust level obtaining unit obtains the trust level, where the address type includes: a special demarcation address and a normal demarcation address;
the first trust level obtaining unit is specifically configured to set the trust level of the routing device corresponding to the first IP address range segment, whose start address is the special demarcation address, to a preset initial trust level; starting from the second IP address range segment, set the trust levels of the routing devices in a cyclic manner, taking the first trust level as the initial value and a preset level variation as the trust level variation step, and set the trust level of the routing device corresponding to the third IP address range segment equal to the trust level of the routing device corresponding to the fourth IP address range segment; wherein the first trust level is the sum of the initial trust level and the preset level variation; the second IP address range segment is the IP address range segment whose start address is the first boundary address; the first boundary address is the first ordinary demarcation address located after the special demarcation address in cyclic order; the third IP address range segment is the IP address range segment whose start address is the minimum IP address in the IP address range; and the fourth IP address range segment is the IP address range segment whose end address is the maximum IP address in the IP address range.
15. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 1 to 7 when executing a program stored in the memory.
16. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1 to 7.
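The table generation and lookup of claims 1 to 5 can be sketched as follows, as an added example that is not code from the patent. Assumed here: the "low preset number of bits" is 8, the grouping rule splits each range segment into aligned power-of-two blocks (one identifier/mask pair per block), a path is chosen when its security level equals the level in the matched entry, and all names and sample values are constructed.

```python
# Added illustration (not from the patent). The grouping rule, LOW_BITS, the
# path-selection rule and the sample data are assumptions.
import ipaddress

LOW_BITS = 8  # assumed "preset number" of low-order bits that are compared


def range_to_entries(start, end, security, bits=LOW_BITS):
    """Split [start, end] into aligned power-of-two groups.

    Each group becomes one trust table entry (identifier, mask, security).
    A 1 bit in the mask marks an address bit as valid (compared); a 0 bit
    marks it as ignored.
    """
    full = (1 << bits) - 1
    entries = []
    while start <= end:
        # Largest block aligned at `start` that still fits in the range.
        size = (start & -start) if start else (1 << bits)
        while size > end - start + 1:
            size >>= 1
        entries.append((start, full & ~(size - 1), security))
        start += size
    return entries


def build_trust_table(segments, bits=LOW_BITS):
    """segments: iterable of (start, end, security_level) over the low bits."""
    table = []
    for start, end, security in segments:
        table.extend(range_to_entries(start, end, security, bits))
    return table


def first_address_identifier(src_ip, mask, bits=LOW_BITS):
    """Low bits of the source address ANDed with the entry's mask."""
    low = int(ipaddress.ip_address(src_ip)) & ((1 << bits) - 1)
    return low & mask


def lookup(src_ip, table, bits=LOW_BITS):
    """Return the entry whose stored (second) identifier equals the first
    identifier computed from the source address, or None."""
    for ident, mask, security in table:
        if first_address_identifier(src_ip, mask, bits) == ident:
            return (ident, mask, security)
    return None


def select_path(src_ip, table, paths, bits=LOW_BITS):
    """paths: list of (name, security_level). Returns a path name, or None
    when no entry matches or no available path has the required level."""
    entry = lookup(src_ip, table, bits)
    if entry is None:
        return None
    for name, level in paths:
        if level == entry[2]:
            return name
    return None


# Constructed sample data: range segments that are deliberately not aligned.
SEGMENTS = [(0, 99, 1), (100, 199, 2), (200, 255, 3)]
PATHS = [("path-A", 1), ("path-B", 2), ("path-C", 3)]

if __name__ == "__main__":
    table = build_trust_table(SEGMENTS)
    for ident, mask, sec in table:
        print(f"id={ident:#04x} mask={mask:#04x} security={sec}")
    print(select_path("10.1.2.150", table, PATHS))
```

Because only the low bits of the source address are compared, sources that differ only in their high bits match the same entry and receive the same security level.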
CN202210581358.2A 2022-05-26 2022-05-26 Message forwarding path selection method and device Active CN114978995B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210581358.2A CN114978995B (en) 2022-05-26 2022-05-26 Message forwarding path selection method and device

Publications (2)

Publication Number Publication Date
CN114978995A true CN114978995A (en) 2022-08-30
CN114978995B CN114978995B (en) 2023-07-21

Family

ID=82955779

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210581358.2A Active CN114978995B (en) 2022-05-26 2022-05-26 Message forwarding path selection method and device

Country Status (1)

Country Link
CN (1) CN114978995B (en)

Also Published As

Publication number Publication date
CN114978995B (en) 2023-07-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant