CN116633755A - Network verification method and device - Google Patents

Info

Publication number
CN116633755A
Authority
CN
China
Prior art keywords
network
verification
message
information
verified
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210135512.3A
Other languages
Chinese (zh)
Inventor
汪峰来
吴瑞飞
陈燕妮
周志光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202210135512.3A
Publication of CN116633755A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0686 Additional information in the notification, e.g. enhancement of specific meta-data

Abstract

A network verification method and device are disclosed, belonging to the field of network technology. The verification device collects device information for a plurality of network devices in the network, the device information including routing information. When a configuration change instruction for a first network device of the plurality of network devices is received and does not trigger route re-convergence of the plurality of network devices, the verification device performs network verification based on the configuration change instruction and the device information. The verification device can thus perform prior (pre-change) verification without simulating a route convergence process, which makes verification more efficient.

Description

Network verification method and device
Technical Field
The present application relates to the field of network technologies, and in particular, to a network verification method and device.
Background
Networks are becoming increasingly complex and large, and network management is becoming more difficult. Minor errors during a network upgrade or transformation may seriously affect the normal operation of the network. Network configuration errors, hardware and software implementation errors, network attacks, or unexpected errors in protocol interactions can all affect the availability and security of the network. To ensure reliable and efficient operation of the network, errors in its operation must be found and located in a timely manner. Network verification is an important means of fault prevention, fault location and fault root cause analysis for a network.
Current network verification technology mainly comprises two kinds: control plane verification and data plane verification. Control plane verification takes the network topology and device configuration information as verification inputs and can be used for prior verification.
Control plane verification needs to simulate, based on the network topology and device configuration information, the traffic propagation relationships in the network, and then performs network verification based on the simulated traffic propagation relationships. The simulation that produces the traffic propagation relationships takes a long time, so the verification efficiency of control plane verification is low.
Disclosure of Invention
The application provides a network verification method and device, which can improve the efficiency of network verification and improve the real-time performance of configuration changes.
In a first aspect, a network verification method is provided, which is applied to a verification device. The verification device collects device information of a plurality of network devices in the network. The device information includes routing information. When a configuration change instruction for a first network device of the plurality of network devices is received and does not trigger route re-convergence of the plurality of network devices, the verification device performs network verification based on the configuration change instruction and the device information.
That the configuration change instruction does not trigger route re-convergence of the plurality of network devices means that, after the first network device changes its configuration based on the configuration change instruction, even if the plurality of network devices in the network re-performed route convergence, the result would be the same as the convergence result before the first network device changed its configuration, so the network devices do not need to re-perform route calculation.
In the application, when the verification device receives a configuration change instruction that does not trigger route re-convergence of the plurality of network devices in the network, the verification device can use the routing information originally collected from the network devices to perform network verification before the configuration change instruction takes effect, and thereby obtain the intent verification result for after the instruction takes effect. The scheme of the application can thus realize prior verification and hence fault prevention. In addition, the scheme does not require a simulated route convergence process, so compared with the control plane verification scheme, verification is more efficient and the real-time performance of configuration changes is enhanced.
Optionally, the routing information includes a forwarding table and/or a routing table.
Optionally, the configuration change instruction instructs one or more of: changing a static routing table entry, changing an access control list, or changing a network address translation mapping. In other words, configuration change instructions include, but are not limited to, instructions indicating a change to a static routing table entry, instructions indicating a change to an access control list, and instructions indicating a change to a network address translation mapping relationship.
Changing a static routing table entry on a network device does not change the routing table entries and forwarding table entries that the network device obtained through route convergence, and neither does changing the access control list or the network address translation mapping on the network device. Therefore the corresponding configuration change instructions do not trigger route re-convergence of the network devices.
Optionally, one implementation of the verification device performing network verification based on the configuration change instruction and the device information includes: the verification device determines changed device information based on the configuration change instruction and the device information, and determines a first forwarding behavior of the message to be verified on the first network device according to the changed device information.
Since the configuration change instruction is for the first network device, only the device information of the first network device differs from the device information before the change. The verification device may therefore determine, according to the changed device information of the first network device, a first forwarding behavior of the message to be verified on the first network device. The message to be verified is a virtual message which simulates the transmission of a real message in the network and which can reach the first network device.
Optionally, the device information further comprises configuration information. After collecting the device information of the plurality of network devices in the network, the verification device performs network verification based on the network topology of the network and the device information. Network verification here refers to post verification of the network.
In the application, after the network starts to run, the verification equipment can perform post verification on the network by adopting a data plane verification technology so as to discover network faults in time and improve the running reliability of the network.
Optionally, the verification device further obtains an original transmission path of the message to be verified in the network. The original transmission path reflects the original forwarding behavior of the message to be verified on each network device it passes through, and includes the first network device. When the first network device is not the head (first-hop) network device on the original transmission path, the verification device uses the segment of the original transmission path from the head network device up to the first network device as the segment from the head network device to the first network device of the target transmission path of the message to be verified in the network. The target transmission path is the transmission path of the message to be verified obtained after network verification is performed based on the configuration change instruction and the device information.
Because a network device whose device information is unchanged forwards the same message in the same way, the transmission path of the message to be verified before it reaches the first network device is not affected by the change in the device information of the first network device. The application can therefore start verifying the reachability of the message to be verified in the network from the first network device, which reduces the verification scale and improves verification efficiency.
Optionally, the first forwarding behavior differs from the original forwarding behavior of the message to be verified on the first network device. After the verification device determines the first forwarding behavior of the message to be verified on the first network device based on the changed device information, when the first forwarding behavior indicates that the next hop of the message to be verified in the network is a second network device, the verification device determines a second forwarding behavior of the message to be verified on the second network device according to the device information of the second network device. Further, when the second forwarding behavior indicates that the next hop of the message to be verified in the network is a third network device, the verification device determines a third forwarding behavior of the message to be verified on the third network device according to the device information of the third network device. This continues until the message to be verified has no next hop in the network or is forwarded out of the network, at which point the transmission path of the message to be verified in the network has been obtained.
In the implementation manner, the verification device can start to verify the accessibility of the message to be verified in the network from the first network device, so that the verification scale can be reduced, and the verification efficiency is improved.
Optionally, when the message to be verified has no next hop in the network, the verification device outputs an alarm prompt. The alarm prompt indicates that the message to be verified is transmitted incorrectly in the network.
When the message to be verified has no next hop in the network, it cannot leave the network from the correct outgoing interface and reach the designated destination host. Therefore, when the verification device determines that the message to be verified has no next hop in the network, it can directly output an alarm prompt to tell the operation and maintenance personnel that the device information of the network device which is currently planned to be changed cannot meet the service requirement, so that they can adjust the configuration information of the network device in time. Optionally, the alarm prompt is realized as a pop-up window, a voice alarm, a flashing screen, or the like.
Optionally, the verification device outputs a verification result corresponding to the message to be verified. The verification result includes the target transmission path and/or a reachability result. The reachability result indicates whether the message to be verified is reachable in the network.
In the application, the verification device can output the verification result corresponding to the message to be verified, which helps network maintenance personnel carry out fault detection and fault prevention.
Optionally, the network verification based on the configuration change instruction and the device information is prior verification of the network based on the change instruction and the device information. The verification device verifies the network in advance directly from the change instruction and the collected device information, so the process of simulating route convergence is avoided, network verification efficiency is improved, and the real-time performance of configuration changes is enhanced.
Optionally, when the configuration change instruction does trigger route re-convergence of the plurality of network devices, the verification device collects updated device information and performs post verification of the network based on it. The updated device information includes the re-converged routing information.
In the application, when the configuration change instruction does not trigger route re-convergence, the verification device uses the routing information originally collected from the network devices for prior verification. When the configuration change instruction triggers route re-convergence of the plurality of network devices, the verification device collects the re-converged routing information and performs post verification based on it. Therefore, whether or not the configuration change instruction triggers route re-convergence of the plurality of network devices, the verification device can verify the network, and the running reliability of the network is guaranteed.
In a second aspect, a network verification apparatus is provided. The apparatus comprises a plurality of functional modules that interact to implement the method of the first aspect and its embodiments described above. The functional modules may be implemented in software, hardware, or a combination of both, and may be arbitrarily combined or divided depending on the specific implementation.
In a third aspect, there is provided a network verification apparatus comprising: a processor and a memory;
the memory is used for storing a computer program, and the computer program comprises program instructions;
the processor is configured to invoke the computer program to implement the method in the first aspect and embodiments thereof.
In a fourth aspect, a computer readable storage medium having instructions stored thereon, which when executed by a processor, implement the method of the first aspect and embodiments thereof described above.
In a fifth aspect, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the method of the first aspect and embodiments thereof described above.
In a sixth aspect, a chip is provided, the chip comprising programmable logic circuits and/or program instructions, which when the chip is run, implement the method of the first aspect and embodiments thereof described above.
Drawings
Fig. 1 is a schematic diagram of an application scenario involved in a network verification method according to an embodiment of the present application;
fig. 2 is a schematic flow chart of a network verification method according to an embodiment of the present application;
fig. 3 is a schematic diagram of a network topology according to an embodiment of the present application;
fig. 4 is a flowchart of an implementation of a network verification method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a network verification device according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of another network verification device according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of yet another network verification device according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of still another network verification apparatus according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a further network verification device according to an embodiment of the present application;
fig. 10 is a block diagram of a network verification apparatus according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
Network verification is an important means of fault prevention, fault location and fault root cause analysis for a network. A network model is obtained by modeling the message forwarding logic of the network devices in the network, and network verification is then performed on the network model. Network verification generally refers to network reachability verification, that is, verifying whether a message can reach its destination through the network. Given the source interface, destination interface, source Internet Protocol (IP) address and destination IP address to be verified, the network model can be used to check whether the header space formed by the source IP address and destination IP address, when injected at the source interface, can be output from the destination interface. The header space that can be output from the destination interface is the reachable header space; the header space that cannot is the unreachable header space. Reasons for unreachability include routing loops, leaving the network from the wrong interface, routing black holes, and so on. A routing loop means that, while being forwarded in the network, the message reaches the same node more than once through the same ingress interface and/or the same egress interface. Leaving the network from the wrong interface means that the message is forwarded out of some outgoing interface of the network but does not reach the designated destination host. A routing black hole means that the message cannot be forwarded out of any outgoing interface of the network. The header space is also called a Header Space (HS) and may represent one message or a group of messages.
The source IP address and destination IP address to be verified may each be a single specific IP address (generally a host address), a network segment address, or a set of specific IP addresses. For example, the source IP address is 10.0.0.1, a host address, and the destination IP address is {20.0.0.1, 20.0.0.3, 20.0.0.4}, a set of 3 host addresses. Verifying the reachability in the network of the header space formed by this source IP address and destination IP address means verifying whether messages sent by the host with IP address 10.0.0.1 can reach the three hosts with IP addresses 20.0.0.1, 20.0.0.3 and 20.0.0.4 through the network. For another example, the source IP address is 10.0.0.1, a host address, and the destination IP address is 0.0.2.0/24 (containing the 256 IP addresses 0.0.2.0-0.0.2.255), the network segment address of one subnet. Verifying the reachability of the header space formed by this source and destination means verifying whether a message sent by the host with IP address 10.0.0.1 can reach the subnet 0.0.2.0-0.0.2.255 through the network. For another example, if the source IP address and destination IP address both equal the entire IP address range served by the network, verifying the reachability of the resulting header space in the network is also called full-volume verification.
Current network verification technology mainly comprises two kinds: control plane verification and data plane verification. Control plane verification takes the network topology and device configuration information as verification inputs and can be used for prior verification. Data plane verification takes the network topology, device configuration information and device routing information as verification inputs and can be used for post verification.
Optionally, the control plane verification process includes the following steps S11 to S13.
In step S11, the verification device acquires the network topology of the network and the configuration information of a plurality of network devices in the network.
The configuration information of the network devices acquired by the verification device in step S11 may be configuration information that has already been delivered to the network devices, whether or not it has taken effect on them. Alternatively, it may be configuration information that is ready to be delivered to the network devices but has not actually been delivered yet.
In step S12, the verification device models the network based on the network topology and configuration information of the plurality of network devices, resulting in an intermediate representation.
Step S12 is the process of translating the network into an intermediate representation. The intermediate representation is the result of abstract modeling of the network and may be, for example, a traffic propagation relationship generated by simulation, formal methods, or an abstract graph. In this process, the verification device needs to simulate the routing protocol propagation process based on the network topology and the configuration information of the plurality of network devices until route convergence is reached, in order to obtain the routing information of each network device.
In step S13, the verification device performs network verification based on the intermediate representation.
Optionally, the verification device performs network verification on the intermediate representation using formal methods or graph theory to obtain the final verification result. The verification result includes the reachable header space and/or the unreachable header space. The verification result may further include the reachable path corresponding to the reachable header space and/or the unreachable path corresponding to the unreachable header space.
Given the above verification process, control plane verification can serve as intent verification: network verification is performed before the configuration information of the network devices takes effect, so prior verification is realized and control plane verification can be used for fault prevention. However, because control plane verification needs to simulate the routing protocol propagation process based on the network topology and the configuration information of the plurality of network devices, the larger the network, the longer the simulated route convergence takes. For medium and large networks, it often takes hours or even days for the simulation to reach route convergence. The verification efficiency of control plane verification is therefore generally low.
Optionally, the verification process of the data plane verification includes the following steps S21 to S23.
In step S21, the verification device acquires the network topology of the network and the configuration information and routing information of a plurality of network devices in the network.
The configuration information of the network devices acquired by the verification device in step S21 is configuration information that has been delivered to the network devices and has taken effect, and the acquired routing information is the real routing information on the network devices after the configuration information took effect and route convergence completed. Optionally, the verification device collects the configuration information and routing information from the network devices.
In step S22, the verification device generates a forwarding graph model according to the network topology and configuration information and routing information of the plurality of network devices.
The forwarding graph model can reflect traffic propagation relationships in the network, for example, a message with a destination address of a specific IP address can be forwarded from which outgoing interface of which network device in the network.
In step S23, the verification device performs network verification based on the forwarding graph model.
Optionally, the verification device performs network verification on the forwarding graph model by graph search to obtain the final verification result. The verification result includes the reachable header space and/or the unreachable header space. The verification result may further include the reachable path corresponding to the reachable header space and/or the unreachable path corresponding to the unreachable header space.
From the verification process of data plane verification it can be seen that data plane verification needs to collect the routing information on the network devices, and that routing information can only be collected after the configuration on the network devices has taken effect and route convergence has completed. Data plane verification can therefore only be used for post verification and cannot realize fault prevention.
That is, control plane verification can perform prior verification but requires a simulated route convergence process, resulting in low verification efficiency and poor real-time performance of configuration changes; data plane verification performs network verification based on the converged routing information and can perform post verification, but cannot realize fault prevention.
In view of this, the present application provides a technical solution: after the device information of a plurality of network devices in a network is collected, when a configuration change instruction for a first network device is received and the configuration change instruction does not trigger route re-convergence of the plurality of network devices, network verification is performed based on the configuration change instruction and the originally collected device information. The first network device may be any one of the plurality of network devices. The device information of the plurality of network devices includes the routing information obtained after route convergence of the plurality of network devices. That the configuration change instruction does not trigger route re-convergence of the plurality of network devices means that, after the first network device changes its configuration based on the configuration change instruction, even if the plurality of network devices re-performed route convergence, the result would be the same as the convergence result before the first network device changed its configuration, so the network devices do not need to re-perform route calculation. In the scheme of the application, when the configuration change instruction does not affect the original route convergence results of the plurality of network devices, the routing information originally collected from the network devices can be used for network verification before the configuration change instruction takes effect, so as to obtain the intent verification result for after the instruction takes effect. The scheme of the application can thus realize prior verification and hence fault prevention.
In addition, the scheme of the application does not require a simulated route convergence process, so compared with the control plane verification scheme, network verification is more efficient and the real-time performance of configuration changes is enhanced.
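As an added, self-contained illustration (not code from the patent or from Huawei), the following Python models the data plane verification of steps S21 to S23 and the pre-verification of the first aspect on a constructed three-router topology: each device's collected FIB and ACL stand in for its device information, a transmission path is derived hop by hop with loop and black-hole detection, and a non-reconverging change (static route or ACL) is verified by reusing the original path up to the changed device and restarting the forwarding walk there. The device names, interfaces, prefixes and the change-instruction format are assumptions made for this example.

```python
import copy
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed three-router network (an assumption for this example, not a topology
# from the patent): R1 -> R2 -> R3, with R3 delivering 20.0.0.0/24 to hosts on ge0/2.
# Per-device "device information" is reduced to a FIB and an ACL; NAT is left out.

@dataclass
class DeviceInfo:
    # prefix -> (next-hop device, egress interface); a next hop of None means the
    # message leaves the network through that interface
    fib: Dict[str, Tuple[Optional[str], str]]
    # ordered (action, destination prefix) entries; first match wins
    acl: List[Tuple[str, str]] = field(default_factory=list)

DEVICES = {
    "R1": DeviceInfo(fib={"20.0.0.0/24": ("R2", "ge0/1")}),
    "R2": DeviceInfo(fib={"20.0.0.0/24": ("R3", "ge0/1")}),
    "R3": DeviceInfo(fib={"20.0.0.0/24": (None, "ge0/2")}),
}

# Change types that, per the page, do not alter the converged RIB/FIB and so can be
# pre-verified against the routing information already collected.
NON_RECONVERGING = {"static_route", "acl", "nat"}

def longest_prefix_match(fib, dst):
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in fib.items():
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None

def acl_permits(acl, dst):
    d = ipaddress.ip_address(dst)
    for action, prefix in acl:
        if d in ipaddress.ip_network(prefix):
            return action == "permit"
    return True  # assumption for this model: no matching entry means permit

def forwarding_behavior(info, dst):
    """One device's forwarding behaviour for a destination: ('acl_drop', None),
    ('black_hole', None), ('exit', iface) or ('next', next_hop_device)."""
    if not acl_permits(info.acl, dst):
        return ("acl_drop", None)
    entry = longest_prefix_match(info.fib, dst)
    if entry is None:
        return ("black_hole", None)       # no outgoing interface at all
    next_hop, iface = entry
    if next_hop is None:
        return ("exit", iface)            # message leaves the network here
    return ("next", next_hop)

def compute_path(devices, start, dst, path_prefix=()):
    """Hop-by-hop transmission path from `start`, optionally continuing an already
    known `path_prefix`. Returns (path, outcome) with outcome one of
    'reachable', 'black_hole', 'acl_drop' or 'loop'."""
    path = list(path_prefix)
    node = start
    while True:
        if node in path:                  # same node visited twice: routing loop
            return path + [node], "loop"
        path.append(node)
        kind, target = forwarding_behavior(devices[node], dst)
        if kind == "next":
            node = target
        elif kind == "exit":
            return path, "reachable"
        else:
            return path, kind

def verify_change(devices, change, original, dst):
    """Pre-verification of one configuration change instruction, following the page's
    first aspect. `original` is the (path, outcome) computed from the collected device
    information. Returns the new (path, outcome), or None when the change would
    trigger route re-convergence and must instead be post-verified with fresh routes."""
    if change["type"] not in NON_RECONVERGING:
        return None
    dev = change["device"]
    orig_path, _ = original
    if dev not in orig_path:
        return original                   # unchanged devices forward the same way
    changed = copy.deepcopy(devices)      # only the changed device's info differs
    if change["type"] == "acl":
        changed[dev].acl.insert(0, change["entry"])
    elif change["type"] == "static_route":
        changed[dev].fib[change["prefix"]] = change["entry"]
    # NAT mapping changes are classed as non-reconverging but are not modelled here.
    # The path segment before the changed device is reused; the walk restarts there.
    head = orig_path[:orig_path.index(dev)]
    return compute_path(changed, dev, dst, path_prefix=head)

if __name__ == "__main__":
    baseline = compute_path(DEVICES, "R1", "20.0.0.5")
    print("baseline:", baseline)
    bad_static = {"type": "static_route", "device": "R2",
                  "prefix": "20.0.0.0/25", "entry": ("R1", "ge0/0")}
    print("static route change:", verify_change(DEVICES, bad_static, baseline, "20.0.0.5"))
    deny = {"type": "acl", "device": "R3", "entry": ("deny", "20.0.0.0/24")}
    print("ACL change:", verify_change(DEVICES, deny, baseline, "20.0.0.5"))
    ospf = {"type": "ospf_cost", "device": "R2"}
    print("OSPF cost change:", verify_change(DEVICES, ospf, baseline, "20.0.0.5"))
```

The static-route change produces a loop result and the ACL change an acl_drop result, both found without re-simulating convergence, while the OSPF cost change is rejected for pre-verification because it would alter the converged routes.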
The following describes the technical scheme of the present application in detail from various angles such as application scenario, method flow, software device, hardware device, etc.
Fig. 1 is a schematic diagram of an application scenario involved in a network verification method according to an embodiment of the present application. As shown in fig. 1, the application scenario includes: verification device 101 and network devices 102A-102C (collectively network devices 102) in a communication network. The number of network devices in fig. 1 is for illustration only and does not limit the communication networks to which embodiments of the present application apply.
The verification device 101 is a device independent of the network device 102, and may be, for example, a server cluster including several servers, or a cloud computing service center. The server may be a physical device, or may be a Virtual Machine (VM). The network device 102 may be an entity communication device such as a switch, router, or firewall, or may be a virtual communication device such as a virtual switch, virtual router, or virtual firewall.
Optionally, referring to fig. 1, the application scenario further includes a control device 103. The control device 103 is used for managing and controlling the network devices 102 in the communication network. The control device 103 may be a network controller, a network management device, a gateway or another device with control capabilities. The control device 103 may be one or more devices. The verification device 101 and the control device 103 are connected by a wired network or a wireless network. The control device 103 is connected to the network devices 102 via a wired network or a wireless network.
Optionally, the control device 103 stores the network topology of the communication network it manages. The control device 103 is also used for collecting device information of the network devices 102 in the communication network, including configuration information, routing information, tunnel state information, etc. The configuration information of a network device includes interface configuration information, protocol configuration information, service configuration information, or the like. The interface configuration information includes, for example, which interfaces exist on the network device, which interfaces on one network device are connected to which interfaces on another network device, and so on. The interface connection relationship between network devices can be determined by combining the network topology with the interface configuration information of the respective network devices. An interface here may be a physical interface of the network device or may also be a tunnel endpoint. The protocol configuration information includes, for example, virtual extensible local area network (VXLAN) related configuration information, border gateway protocol (BGP) status, open shortest path first (OSPF) status, etc. VXLAN-related configuration information includes, for example, tunnel endpoints. BGP and OSPF are both routing protocols. The service configuration information includes, for example, security control policies embodied as an access control list (ACL), network address translation (NAT) policies, and the like. The routing information of the network device includes a forwarding table (forwarding information base, FIB) or a routing table (routing information base, RIB), etc.
The tunnel state information of the network device includes an identification of a tunnel endpoint, the state of the tunnel, and the like. The control device 103 may periodically collect the device information of the network devices 102, or, when the device information of a network device 102 changes, the network device 102 actively sends the changed device information to the control device 103. The verification device 101 may acquire the network topology of the communication network and the device information of the network devices 102 through the control device 103, and perform network verification according to that network topology and device information. The verification device 101 and the control device 103 may be separate devices, or they may be integrated together; this is not limited by the embodiments of the present application.
The communication network in the embodiments of the application may be a data center network (DCN), a metropolitan area network, a wide area network, a campus network, etc.; the type of the communication network is not limited by the embodiments of the application. The communication network may employ a two-layer network architecture or a three-layer network architecture. Under a two-layer network architecture, the communication network includes a convergence (aggregation) layer, which may also be referred to as a layer-2 network and is the high-speed switching backbone of the communication network, and an access layer, which connects workstations to the communication network. A communication network adopting the two-layer architecture may be, for example, a fat-tree (spine-leaf) network. Under a three-layer network architecture, the communication network includes a core layer, which may also be referred to as a layer-3 network and is the high-speed switching backbone of the communication network; a convergence layer, which provides the aggregation connection between the access layer and the core layer; and an access layer, which connects workstations to the communication network. A workstation may be a terminal, a server, a VM, or the like.
Fig. 2 is a flow chart of a network verification method according to an embodiment of the present application. The method may be applied to the verification device 101 in the application scenario shown in fig. 1. As shown in fig. 2, the method includes:
Step 201, the verification device collects device information of a plurality of network devices in the network.
The device information includes routing information. Optionally, the routing information includes a forwarding table and/or a routing table. The device information may also include configuration information.
Optionally, in one implementation of step 201, the verification device collects the device information directly from the plurality of network devices. In another implementation of step 201, the verification device receives, from another device, the device information that this other device acquired from the plurality of network devices. For example, in the application scenario shown in fig. 1, the verification device 101 may receive the device information of the plurality of network devices 102 sent by the control device 103.
Step 202, when a configuration change instruction for a first network device of the plurality of network devices is received, and the configuration change instruction does not trigger route re-convergence of the plurality of network devices, the verification device performs network verification based on the configuration change instruction and the collected device information.
The first network device may be any one of the plurality of network devices. The configuration change instruction does not trigger the route re-convergence of the plurality of network devices, and it can be understood that after the first network device changes the corresponding configuration based on the configuration change instruction, even if the plurality of network devices in the network re-perform route convergence, the convergence result of re-performing route convergence is consistent with the convergence result before the first network device changes the configuration, so that the network devices do not need to re-perform route calculation.
Optionally, when the configuration change instruction indicates one or more of changing a static routing table entry, changing an access control list, or changing a network address translation mapping, the verification device may determine that the configuration change instruction does not trigger route re-convergence of the plurality of network devices in the network. In other words, configuration change instructions that do not trigger route re-convergence of the plurality of network devices in the network include, but are not limited to, instructions for changing static routing entries, instructions for changing access control lists, and instructions for changing network address translation mappings.
Optionally, the configuration change instruction indicating a change to a static routing table entry includes: the configuration change instruction indicating the addition of a static routing table entry, the deletion of a static routing table entry, or the modification of a static routing table entry. Static routing entries may be added by BGP injection (BGP import) or by static routing. Adding a static routing table entry by way of static routing means that the static routing table entry is configured directly on the network device. For example, the routing table collected from the first network device is shown in table 1. A routing table entry on an actual network device may also include other content such as a next hop; in the embodiments of the present application, for simplicity of description, such content is not shown.
TABLE 1
Destination address   Routing protocol        Egress interface
12.1.1.0/24           BGP                     c3
12.1.2.0/24           OSPF                    c4
When the configuration change instruction indicates adding a static routing table entry with destination address 12.1.3.0/24 and egress interface c4, the routing table shown in table 2 is obtained.
TABLE 2
Destination address   Routing protocol        Egress interface
12.1.1.0/24           BGP                     c3
12.1.2.0/24           OSPF                    c4
12.1.3.0/24           STATIC (static route)   c4
If a static routing table entry is already configured on the network device, that static routing table entry can be deleted or modified by a configuration change instruction; for example, the egress interface in the static routing table entry is modified to change the forwarding path of the corresponding message. The embodiments of the present application do not enumerate every case. Because changing a static routing table entry on the network device does not change the routing table entries and forwarding table entries on the network device that were obtained through route convergence, route re-convergence of the network device is not triggered.
Optionally, the configuration change instruction indicating a change to the access control list includes: the configuration change instruction indicating the addition of an ACL entry, the deletion of an ACL entry, or the modification of an ACL entry. For example, the ACL policy collected from the first network device is: "rule deny ip destination 12.1.3.0 0.0.0.255" followed by "rule permit ip". This ACL policy indicates that messages with destination addresses in 12.1.3.0/24 are discarded and all other messages are allowed to pass. When the first network device is planned to be configured to discard messages with destination addresses in 12.1.1.0/24 and allow other messages to pass, that is, the ACL policy on the first network device is planned to be changed to "rule deny ip destination 12.1.1.0 0.0.0.255" followed by "rule permit ip", the configuration change instruction may indicate that the destination "12.1.3.0 0.0.0.255" in the original ACL entry "rule deny ip destination 12.1.3.0 0.0.0.255" is modified to "12.1.1.0 0.0.0.255", or may indicate that the original ACL entry "rule deny ip destination 12.1.3.0 0.0.0.255" is deleted and the ACL entry "rule deny ip destination 12.1.1.0 0.0.0.255" is newly added.
Since changing an ACL on a network device does not change routing and forwarding entries on the network device, route re-convergence of the network device is not triggered.
Optionally, the configuration change instruction indicating a change to the network address translation mapping includes: the configuration change instruction indicating the addition of a new NAT mapping, the deletion of the original NAT mapping, or the modification of a NAT mapping. NAT includes source NAT and destination NAT. Source NAT is used to translate source IP addresses and may be used, for example, in a scenario where a private network accesses a public network. Destination NAT is used to translate destination IP addresses and may be used, for example, in a scenario where a public network accesses a private network. NAT here refers to static NAT. For example, the NAT configuration information collected from the first network device is: "iptables -t nat -A POSTROUTING -s 12.1.3.0/24 -j SNAT --to-source 12.1.3.1". This NAT configuration information reflects the NAT mapping, indicating that a source IP address in "12.1.3.0/24" is mapped to "12.1.3.1". When the first network device is planned to map source IP addresses in "12.1.3.0/24" to "12.1.3.2" instead, that is, the NAT configuration information on the first network device is to be changed to "iptables -t nat -A POSTROUTING -s 12.1.3.0/24 -j SNAT --to-source 12.1.3.2", the configuration change instruction may indicate that "12.1.3.1" in the original NAT mapping is changed to "12.1.3.2", or may indicate that the original NAT mapping is deleted and the NAT mapping "iptables -t nat -A POSTROUTING -s 12.1.3.0/24 -j SNAT --to-source 12.1.3.2" is newly added.
Since changing the NAT mapping on the network device does not change the routing table and forwarding table on the network device, the route re-convergence of the network device is not triggered.
Optionally, an implementation of the network verification performed by the verification device in step 202, based on the configuration change instruction and the collected device information, includes the following steps 2021 to 2022.
In step 2021, the verification device determines changed device information based on the configuration change instruction and the collected device information.
Since the configuration change instruction is for the first network device, only the device information of the first network device differs from the device information before the change. Optionally, when the configuration change instruction indicates a change to a static routing table entry, the changed device information includes the static routing table entry as it is planned to be changed on the first network device based on the configuration change instruction, together with the routing information in the device information collected in step 201 that is not affected by the configuration change instruction. For example, when the configuration change instruction indicates adding a static routing table entry, the changed device information includes the static routing table entry planned to be added on the first network device based on the configuration change instruction, together with the device information collected in step 201. The device information may also include configuration information. When the configuration change instruction indicates a change to the access control list and/or a change to the network address translation mapping, the changed device information includes the changed configuration information and the routing information in the device information collected in step 201. The changed configuration information includes the configuration part that is planned to be changed on the first network device based on the configuration change instruction, together with the configuration information in the device information collected in step 201 that is not affected by the configuration change instruction.
In step 2022, the verification device determines, according to the changed device information, a first forwarding behavior of the message to be verified on the first network device.
The forwarding behavior of a message on a network device is one of the following: the message is discarded by the network device, or the message is forwarded by the network device from the matched egress interface to the next hop. Step 2022 may be implemented as follows: the verification device determines, according to the changed device information of the first network device, the first forwarding behavior of the message to be verified on the first network device.
Optionally, the verification device obtains a verification requirement and generates a virtual message according to the verification requirement. The verification requirement includes a source address to be verified and a destination address to be verified. The source address of the virtual message is determined based on the source address to be verified, and the destination address of the virtual message is determined based on the destination address to be verified. Optionally, the source address of the virtual message is the source address to be verified and the destination address of the virtual message is the destination address to be verified. The verification requirement may be entered into the verification device by a user. The virtual message in the embodiments of the application is not a real message; it is used to simulate the transmission of a real message in the network.
Optionally, the source address to be verified is a network segment address and/or the destination address to be verified is a network segment address. The verification device may generate a virtual message according to the verification requirement whose source address is the source address to be verified and whose destination address is the destination address to be verified; that is, the source address and/or the destination address of the virtual message may themselves be network segment addresses. Alternatively, the verification device may generate a plurality of virtual messages according to the verification requirement. For example, when the source address to be verified in the verification requirement is a network segment address containing m valid host addresses and the destination address to be verified is a network segment address containing n valid host addresses, the verification device can generate m×n virtual messages according to the verification requirement, where the source address of each virtual message is one valid host address within the source address to be verified and its destination address is one valid host address within the destination address to be verified. m and n are positive integers. The message to be verified in step 2022 refers to a virtual message that can reach the first network device.
Optionally, the network verification that the verification device performs in step 202 based on the configuration change instruction and the device information is verification in advance: the network verification is performed before the configuration change instruction for the first network device takes effect. In the embodiments of the present application, after the verification device collects the device information of the plurality of network devices, post-verification may also be performed; that is, after step 201 is performed, the verification device may perform network verification based on the network topology of the network and the collected device information. This network verification is post-verification, and its specific process may refer to the data plane verification process (step S21 to step S23), which is not repeated here. Optionally, the verification result of the data plane verification includes the original transmission path of each virtual message in the network. After receiving the configuration change instruction for the first network device, the verification device may perform incremental verification of the configuration change instruction based on the verification result of the data plane verification.
In the embodiments of the application, incremental verification refers to verifying the reachability in the network of those messages to be verified whose original transmission path may change because of the configuration change instruction. For virtual messages whose transmission path is not affected by the configuration change instruction, their reachability in the network can be taken from the verification result of the previous data plane verification. This reduces the verification scale and thereby improves verification efficiency. For example, a configuration change instruction for the first network device can only affect the forwarding behavior of messages that arrive at the first network device. Among all the virtual messages generated according to the verification requirement, a virtual message whose original transmission path does not include the first network device never reaches the first network device, whether or not the device information of the first network device is changed, so the configuration change instruction for the first network device does not affect the transmission path of that virtual message. In this case, the verification result of the virtual message in the previous data plane verification may be taken as its verification result in the network verification triggered by the configuration change instruction for the first network device.
Optionally, when the verification device performs network verification based on the configuration change instruction and the collected device information in step 202, it may first acquire the original transmission path of the message to be verified in the network. The original transmission path reflects the original forwarding behavior of the message to be verified on each network device it passes through, and the original transmission path includes the first network device. When the first network device is not the head network device (the first hop) on the original transmission path, the verification device uses the segment of the original transmission path from the head network device to the first network device as the segment from the head network device to the first network device on the target transmission path of the message to be verified in the network. The target transmission path is the transmission path of the message to be verified obtained after network verification is performed based on the configuration change instruction and the device information. The target transmission path reflects the first forwarding behavior of the message to be verified on the first network device. Because a network device whose device information is unchanged forwards the same message in the same way, the transmission path of the message to be verified before it reaches the first network device is not affected by the change of the device information of the first network device.
Optionally, the first forwarding behavior of the message to be verified on the first network device differs from the original forwarding behavior of the message to be verified on the first network device. After determining the first forwarding behavior of the message to be verified on the first network device, when the first forwarding behavior indicates that the next hop of the message to be verified in the network is a second network device, the verification device determines a second forwarding behavior of the message to be verified on the second network device according to the device information of the second network device. When the second forwarding behavior indicates that the next hop of the message to be verified in the network is a third network device, the verification device determines a third forwarding behavior of the message to be verified on the third network device according to the device information of the third network device. This continues until the message to be verified has no next hop in the network, or until the message to be verified is forwarded out of the network, at which point the transmission path of the message to be verified in the network is obtained. When the first forwarding behavior indicates that the message to be verified has no next hop in the network, the verification device determines that the target transmission path of the message to be verified in the network is the segment of the original transmission path from the head network device to the first network device. In this case, the verification device verifies the reachability of the message to be verified in the network starting from the first network device, so the verification scale is reduced and verification efficiency improved.
Alternatively, the first forwarding behavior of the message to be verified on the first network device is the same as its original forwarding behavior on the first network device. When the configuration change instruction indicates a change to a static routing table entry or to the access control list, the verification device can take the original transmission path of the message to be verified in the network as its target transmission path in the network. This is the case where the forwarding behavior of the message to be verified does not change after the first network device changes its device information based on the configuration change instruction. Because the device information of the other network devices that the message to be verified passes through in the network is unchanged, and the configuration change instruction does not change the content of the message to be verified, the forwarding behavior of the message to be verified on the other network devices is also unchanged; therefore the target transmission path of the message to be verified in the network can be determined to be the same as the original transmission path. In this case, the verification device only needs to determine the forwarding behavior of the message to be verified on the first network device according to the changed device information of the first network device, without determining its forwarding behavior on the other network devices, which gives high verification efficiency.
When the configuration change instruction indicates a change to the network address translation mapping, the verification device can perform network address translation on a message to be verified that hits the changed NAT mapping, obtaining a target message. The verification device can then judge, based on the verification result of the previous data plane verification, whether that verification result contains an original transmission path corresponding to the target message that includes the first network device. If such an original transmission path exists in the verification result, the verification device can use the portion of that original transmission path after the first network device as the subsequent transmission path of the message to be verified, and combine it with the transmission path of the message to be verified from its head network device to the first network device to obtain the complete transmission path of the message to be verified in the network. For example, the original transmission path of message 1 in the network is: network device 1-network device 2-network device 3-network device 4-network device 5, and the original transmission path of message 2 in the network is: network device 6-network device 3-network device 7-network device 8, where message 1 and message 2 differ in source address and/or destination address.
Assuming that message 1 is the message to be verified, and that after message 1 is transmitted to network device 3 in the network it hits the NAT mapping on network device 3 and is translated into message 2, the verification device can obtain the complete transmission path of the message to be verified in the network from the segment network device 1-network device 2-network device 3 of the original transmission path of message 1 and the segment network device 3-network device 7-network device 8 of the original transmission path of message 2: network device 1-network device 2-network device 3-network device 7-network device 8. If no original transmission path corresponding to the target message and including the first network device exists in the verification result, the verification device can determine the next hop of the target message in the network according to the device information of the first network device, then determine the following next hop according to the device information of that next hop, and so on, to obtain the subsequent transmission path of the message to be verified from the first network device; it then combines this with the transmission path of the message to be verified from its head network device to the first network device to obtain the complete transmission path of the message to be verified in the network.
Or after the verification device performs network address conversion on the message to be verified to obtain the target message, the verification device can directly determine the next hop of the target message in the network according to the device information of the first network device without considering the verification result of the previous data plane verification, then determine the next hop of the target message in the network according to the device information of the next hop, and the like, so as to obtain the subsequent transmission path of the message to be verified from the first network device.
Optionally, when the message to be verified has no next hop in the network, the verification device outputs an alarm prompt. The alarm prompt indicates that the message to be verified would be transmitted in the network incorrectly. Because a message to be verified that has no next hop in the network cannot leave the network from the correct egress interface and finally reach the designated destination host, when the verification device determines that the message to be verified has no next hop in the network it can directly output an alarm prompt, informing operation and maintenance personnel that the currently planned change to the device information of the network device cannot meet the service requirement, so that they can adjust the configuration information of the network device in time. Optionally, the alarm prompt is realized by a pop-up window, a voice alarm, a screen flash, or the like.
In one possible implementation, the configuration change instruction for the first network device indicates a change to a static routing table entry. For example, the configuration change instruction for the first network device indicates adding a static routing table entry. If the original routing table entries on the first network device include a target routing table entry with the same destination address as the added static routing table entry, and the priority of the static routing table entry is higher than that of the target routing table entry, then a message that hits both the static routing table entry and the target routing table entry will be forwarded based on the static routing table entry, whereas before the static routing table entry was added, a message hitting the target routing table entry was forwarded based on the target routing table entry. In this case, the transmission path of the message to be verified changes because of the static routing table entry added on the first network device. The message to be verified forwarded based on the target routing table entry may reach the destination host, but the message to be verified forwarded based on the static routing table entry may not, because it has no next hop on some network device after the first network device. For another example, the configuration change instruction for the first network device indicates deleting a static routing table entry; here the message to be verified forwarded based on the original static routing table entry may reach the destination host, but after the static routing table entry is deleted the message to be verified has no next hop, so that it cannot reach the destination host.
For another example, the configuration change instruction for the first network device indicates that a certain static routing table entry is to be modified, so that the message to be verified is forwarded based on the modified static routing table entry and its transmission path changes: the message to be verified may reach the destination host when forwarded based on the original static routing table entry, but may not reach it when forwarded based on the modified static routing table entry, because some network device after the first network device has no next hop for it. When any of these problems occurs, the verification device may output an alarm prompt indicating that the configuration change instruction may cause the message to be transmitted in the network in error.
In another possible implementation, the configuration change instruction for the first network device indicates a change to the ACL. For example, the configuration change instruction indicates that a new ACL entry is to be added to filter messages whose destination address is some specified IP address other than the destination address to be verified, but because of an input error in the content of the ACL entry, the destination address of the message to be verified may be entered instead of the specified IP address. The message to be verified then hits the ACL entry on the first network device and is discarded, so it cannot reach the next hop. When such a problem occurs, the verification device may output an alarm prompt indicating that the configuration change instruction may cause the message to be transmitted in the network in error.
In yet another possible implementation, the configuration change instruction for the first network device indicates a change to the NAT mapping relationship. For example, the configuration change instruction indicates that a NAT mapping relationship is to be added to translate the destination address of the message to be verified. After receiving the message to be verified, the first network device translates its destination address based on the NAT mapping relationship and then searches for a routing table entry matching the translated destination address in order to forward it. In this case, the first network device, or some network device after it, may have no routing table entry matching the translated destination address, so that the message to be verified has no next hop. When such a problem occurs, the verification device may output an alarm prompt indicating that the configuration change instruction may cause the message to be transmitted in the network in error.
Optionally, after verifying the reachability of the message to be verified in the network, the verification device may further output a verification result corresponding to the message to be verified. The verification result includes a target transmission path and/or a reachability result. The reachability result indicates whether the message to be verified is reachable in the network. The target transmission path is either a reachable path or an unreachable path. To output the verification result corresponding to the message to be verified, the verification device may display it itself, or send it to a device with a display function.
In the embodiment of the application, the verification device can output the verification result corresponding to the message to be verified, which helps network maintenance personnel detect and prevent faults.
Optionally, the verification device may perform incremental verification for the configuration change instruction based on the verification result of the data plane verification, or perform network verification based on the network topology and the device information of the plurality of network devices as changed by the configuration change instruction; this verification process is similar to the data plane verification and is not described again in the embodiments of the present application. The following embodiment of the present application takes as an example the case where the verification device performs incremental verification for the configuration change instruction based on the verification result of the data plane verification, to describe the implementation process of the scheme of the present application.
For example, fig. 3 is a schematic diagram of a network topology according to an embodiment of the present application. As shown in fig. 3, network 30 includes network device A to network device I. Interface a1 of network device A is connected to VM1. Interface a2 of network device A is connected to interface b1 of network device B. Interface b2 of network device B is connected to interface c1 of network device C. Interface c2 of network device C is connected to interface d2 of network device D. Interface c3 of network device C is connected to interface e2 of network device E. Interface c4 of network device C is connected to interface f1 of network device F. Interface d1 of network device D is connected to VM2. Interface e1 of network device E is connected to VM3. Interface f2 of network device F is connected to interface g1 of network device G. Interface f3 of network device F is connected to interface h2 of network device H. Interface g2 of network device G is connected to interface i2 of network device I. Interface h1 of network device H is connected to VM4. Interface i1 of network device I is connected to VM5. The IP address of VM3 is 12.1.1.0/24. The IP address of VM4 is 12.1.2.0/24. The IP address of VM5 is 12.1.3.0/24. Assume that the verification device needs to verify the reachability of VM1 to VM3, of VM2 to VM4, and of VM1 to VM5. The verification device performs data plane verification based on the network topology shown in fig. 3 and the device information collected from network device A to network device I, and can obtain the verification result shown in Table 3.
TABLE 3
Reachability result        Destination address    Transmission path
VM1→VM3: reachable         12.1.1.0/24            A-B-C-E
VM2→VM4: reachable         12.1.2.0/24            D-C-F-H
VM1→VM5: unreachable       12.1.3.0/24            A-B-C
In one example, suppose that the forwarding entries on network device A to network device I are as shown in Tables 4 to 12 below, in that order. A forwarding table entry on an actual network device may also include other content such as a next hop, which is not shown here for simplicity of description.
TABLE 4 (network device A)
Destination address    Egress interface
12.1.1.0/24            a2
12.1.3.0/24            a2
TABLE 5 (network device B)
Destination address    Egress interface
12.1.1.0/24            b2
12.1.3.0/24            b2
TABLE 6 (network device C)
Destination address    Egress interface
12.1.1.0/24            c3
12.1.2.0/24            c4
12.1.3.0/24            c4
TABLE 7 (network device D)
Destination address    Egress interface
12.1.2.0/24            d2
TABLE 8 (network device E)
TABLE 9 (network device F)
Destination address    Egress interface
12.1.2.0/24            f3
12.1.3.0/24            f2
TABLE 10 (network device G)
Destination address    Egress interface
12.1.3.0/24            g2
TABLE 11 (network device H)
Destination address    Egress interface
12.1.2.0/24            h1
TABLE 12 (network device I)
Destination address    Egress interface
12.1.3.0/24            i1
In this example, the verification device collects the forwarding entries shown in Tables 4 to 12 from network device A to network device I respectively, and collects the ACL policy from network device C: "rule deny ip destination 12.1.3.0 0.0.0.255" followed by "rule permit ip". This ACL policy indicates that messages with destination address 12.1.3.0/24 are discarded and other messages are allowed to pass. Based on this ACL policy and the forwarding entries shown in Tables 4 to 12, the verification result shown in Table 3 can be obtained. Now suppose the ACL policy on network device C is planned to be changed to "rule deny ip destination 12.1.1.0 0.0.0.255" followed by "rule permit ip". The changed ACL policy indicates that messages with destination address 12.1.1.0/24 are discarded and other messages are allowed to pass. The changed ACL policy only affects the forwarding behavior of messages with destination address 12.1.1.0/24 and messages with destination address 12.1.3.0/24, so the verification device only needs to verify the reachability of VM1 to VM3 and of VM1 to VM5, starting from network device C. The reachability of VM2 to VM4 is not affected by the policy change, so its verification result remains unchanged. Before the changed ACL policy is issued to network device C, the verification device performs network verification based on the changed ACL policy and the forwarding table entries shown in Table 6, Table 9, Table 10 and Table 12, and may obtain the verification result shown in Table 13.
TABLE 13
In another example, suppose that the forwarding entries on network device A to network device I are as shown in Table 4, Table 5, Table 14 and Tables 7 to 12, in that order. A forwarding table entry on an actual network device may also include other content such as a next hop, which is not shown here for simplicity of description.
TABLE 14 (network device C)
Destination address    Egress interface
12.1.1.0/24            c3
12.1.2.0/24            c4
In this example, the verification device collects the forwarding entries shown in Table 4, Table 5, Table 14 and Tables 7 to 12 from network device A to network device I respectively, and based on these forwarding entries the verification result shown in Table 3 can be obtained. Now suppose it is planned to add to network device C a static routing table entry with destination address 12.1.3.0/24 and egress interface c4, which yields the forwarding table shown in Table 6. The newly added static routing table entry only affects the forwarding behavior of messages with destination address 12.1.3.0/24, so the verification device only needs to verify the reachability of VM1 to VM5, starting from network device C. The reachability of VM1 to VM3 and of VM2 to VM4 is not affected by the change, so their verification results remain unchanged. Before the static routing table entry is added to network device C, the verification device performs network verification based on the forwarding table entries shown in Table 6, Table 9, Table 10 and Table 12, and may obtain the verification result shown in Table 13.
In yet another example, suppose that the forwarding entries on network device A to network device I are as shown in Table 4, Table 5, Table 14 and Tables 7 to 12, in that order. A forwarding table entry on an actual network device may also include other content such as a next hop, which is not shown here for simplicity of description.
In this example, the verification device collects the forwarding entries shown in Table 4, Table 5, Table 14 and Tables 7 to 12 from network device A to network device I respectively, and collects the NAT configuration information from network device C: "iptables -t nat -A POSTROUTING -s 12.1.3.0/24 -j SNAT --to-source 12.1.3.1". The NAT configuration information reflects the NAT mapping relationship, indicating that the source IP address 12.1.3.0/24 of a message is mapped to 12.1.3.1. Based on the forwarding entries shown in Table 4, Table 5, Table 14 and Tables 7 to 12, the verification result shown in Table 3 can be obtained. Now suppose network device C is planned to map the source IP address 12.1.3.0/24 of a message to 12.1.3.2 instead, so that the NAT configuration information on network device C is to be changed to "iptables -t nat -A POSTROUTING -s 12.1.3.0/24 -j SNAT --to-source 12.1.3.2". This change does not affect the reachability of VM1 to VM3, of VM2 to VM4 or of VM1 to VM5, so the verification result that the verification device obtains based on the changed NAT configuration information is still the one shown in Table 3.
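The hop-by-hop data plane walk, the no-next-hop and ACL alarms of the three configuration change cases (static route, ACL, NAT) and the incremental re-verification of the three worked examples above can be put together in a small model. The following is an added example written for this page; it is not code from the patent or from the applicant. The topology is taken from fig. 3, the forwarding tables from Tables 4 to 12 and the flows from Table 3; Table 8 (network device E) is empty on the page, so the entry 12.1.1.0/24 → e1 is an assumption made to close the A-B-C-E path, and the host addresses inside the /24 prefixes are constructed. Longest-prefix match and first-match ACL semantics are the example's own modelling choices. The SNAT rule on the page does not change destination-based forwarding, so the NAT hook models destination translation, the case described earlier where the translated address has no route.

```python
"""Data-plane reachability verification with incremental re-verification.

Added example, not code from the patent. Topology from fig. 3, forwarding tables
from Tables 4 to 12, flows from Table 3. Table 8 (device E) is empty on the page,
so its entry 12.1.1.0/24 -> e1 is assumed. Host addresses are constructed."""
import ipaddress

# Point-to-point links from fig. 3, stored in both directions.
LINKS = {("A", "a2"): ("B", "b1"), ("B", "b2"): ("C", "c1"),
         ("C", "c2"): ("D", "d2"), ("C", "c3"): ("E", "e2"),
         ("C", "c4"): ("F", "f1"), ("F", "f2"): ("G", "g1"),
         ("F", "f3"): ("H", "h2"), ("G", "g2"): ("I", "i2")}
LINKS.update({far: near for near, far in LINKS.items()})
# Host-facing interfaces: a message sent out of one of these has reached its VM.
HOSTS = {("A", "a1"): "VM1", ("D", "d1"): "VM2", ("E", "e1"): "VM3",
         ("H", "h1"): "VM4", ("I", "i1"): "VM5"}
# Forwarding tables, destination prefix -> egress interface (Tables 4 to 12).
FIB = {"A": {"12.1.1.0/24": "a2", "12.1.3.0/24": "a2"},                       # Table 4
       "B": {"12.1.1.0/24": "b2", "12.1.3.0/24": "b2"},                       # Table 5
       "C": {"12.1.1.0/24": "c3", "12.1.2.0/24": "c4", "12.1.3.0/24": "c4"},  # Table 6
       "D": {"12.1.2.0/24": "d2"},                                            # Table 7
       "E": {"12.1.1.0/24": "e1"},             # Table 8 is empty on the page: assumed
       "F": {"12.1.2.0/24": "f3", "12.1.3.0/24": "f2"},                       # Table 9
       "G": {"12.1.3.0/24": "g2"},                                            # Table 10
       "H": {"12.1.2.0/24": "h1"},                                            # Table 11
       "I": {"12.1.3.0/24": "i1"}}                                            # Table 12
# ACL collected from C on the page ("rule deny ip destination 12.1.3.0 0.0.0.255",
# "rule permit ip"): first match wins, a None prefix matches any destination.
ACL = {"C": [("deny", "12.1.3.0/24"), ("permit", None)]}
# Table 3 flows: ingress device, destination host (constructed), reachable, path.
FLOWS = {"VM1->VM3": ("A", "12.1.1.10", True, ["A", "B", "C", "E"]),
         "VM2->VM4": ("D", "12.1.2.10", True, ["D", "C", "F", "H"]),
         "VM1->VM5": ("A", "12.1.3.10", False, ["A", "B", "C"])}


def in_prefix(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def lookup(device, dst, fib):
    """Longest-prefix match; None means the device has no next hop for dst."""
    hits = [(ipaddress.ip_network(p).prefixlen, iface)
            for p, iface in fib.get(device, {}).items() if in_prefix(dst, p)]
    return max(hits)[1] if hits else None


def acl_permits(device, dst, acl):
    for action, prefix in acl.get(device, []):
        if prefix is None or in_prefix(dst, prefix):
            return action == "permit"
    return True  # no ACL configured on this device


def verify(device, dst, fib, acl, dnat=None, path=None):
    """Walk the data plane hop by hop. Returns (reachable, path, alarm).

    `path` is an already verified prefix ending at `device` (incremental mode).
    `dnat` maps device -> {destination prefix: translated destination} and is
    applied before the ACL and the route lookup on that device."""
    path, dnat = list(path or [device]), dnat or {}
    while True:
        for prefix, new_dst in dnat.get(device, {}).items():
            if in_prefix(dst, prefix):
                dst = new_dst
        if not acl_permits(device, dst, acl):
            return False, path, f"ALARM: {dst} discarded by ACL on {device}"
        egress = lookup(device, dst, fib)
        if egress is None:
            return False, path, f"ALARM: no next hop for {dst} on {device}"
        if (device, egress) in HOSTS:
            return True, path, None
        if (device, egress) not in LINKS:
            return False, path, f"ALARM: {device}:{egress} is not connected"
        device = LINKS[(device, egress)][0]
        if device in path:
            return False, path, f"ALARM: forwarding loop at {device}"
        path.append(device)


def prior_verify(changed, touched, fib, acl, dnat=None, flows=FLOWS):
    """Verify a planned change on device `changed` before it is pushed.

    Only flows whose destination lies in a prefix the change touches and whose
    original path crosses `changed` are re-walked, starting at `changed` with the
    original path reused up to it; every other flow keeps its Table 3 result."""
    out = {}
    for name, (ingress, dst, ok, path) in flows.items():
        if changed in path and any(in_prefix(dst, p) for p in touched):
            out[name] = verify(changed, dst, fib, acl, dnat,
                               path=path[:path.index(changed) + 1])
        else:
            out[name] = (ok, path, None)
    return out


if __name__ == "__main__":
    for name, (src, dst, _, _) in FLOWS.items():
        print("baseline    ", name, verify(src, dst, FIB, ACL))
    # Planned change from the page: C denies 12.1.1.0/24 instead of 12.1.3.0/24.
    new_acl = {"C": [("deny", "12.1.1.0/24"), ("permit", None)]}
    for name, res in prior_verify("C", ["12.1.1.0/24", "12.1.3.0/24"], FIB, new_acl).items():
        print("after change", name, res)
```

Running the block reproduces Table 3 for the baseline and then re-walks only the two affected flows from network device C for the ACL change of the first example; swapping `FIB["C"]` for the Table 14 entries and passing an empty ACL reproduces the static-route example, and a `dnat` mapping whose translated address no device routes reproduces the NAT alarm case. The alarm strings are the example's own and stand in for the alarm prompt the page describes.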
Further, after the configuration change instruction for the first network device is issued to the first network device and takes effect, the verification device may acquire device information of the plurality of network devices in the network again, and perform data plane verification.
The embodiment of the application can improve the operational reliability of the network by combining prior verification and post verification. For example, fig. 4 is a flowchart of an implementation of a network verification method according to an embodiment of the present application. As shown in fig. 4, the implementation flow includes three phases. The first phase is data plane verification (post verification) during network operation, and comprises three steps: data collection, modeling and verification, and output of a post verification report. The second phase is prior verification of a received configuration change instruction (before the configuration change instruction takes effect), and comprises the steps of incremental verification and output of a prior verification report. The third phase is data plane verification (post verification) after the configuration change instruction takes effect, and again comprises three steps: data collection, modeling and verification, and output of a post verification report.
Alternatively, the prior verification and the subsequent verification in the embodiment of the present application may be performed by the same verification device, or the prior verification may be performed by one verification device, and the subsequent verification may be performed by another verification device.
Optionally, when the configuration change instruction received in step 202 triggers route re-convergence of the plurality of network devices, the verification device may collect updated device information and perform post verification on the network according to the updated device information. The updated device information includes the re-converged routing information and may serve as the basis for verifying the next configuration change. That is, after the updated device information is collected, the verification device verifies a new configuration change instruction based on the updated device information. In the embodiment of the application, when the received configuration change instruction does not trigger route re-convergence of the plurality of network devices, the verification device uses the routing information originally collected from the network devices for prior verification. This realizes fault prevention, avoids simulating the route convergence process, improves the efficiency of network verification, and improves the real-time performance of configuration changes. When the received configuration change instruction does trigger route re-convergence of the plurality of network devices, the verification device performs post verification based on the updated device information, which ensures the operational reliability of the network.
The order of the steps of the network verification method provided by the embodiment of the application can be adjusted as appropriate, and steps can be added or removed according to the situation. Any modification within the scope of the present disclosure that would be readily apparent to those skilled in the art is intended to be encompassed within the scope of the present disclosure.
In the network verification method provided by the embodiment of the application, when a configuration change instruction that does not trigger route re-convergence of the plurality of network devices in the network is received, the verification device can use the routing information originally collected from the network devices to perform network verification before the configuration change instruction takes effect, so as to obtain the verification result expected after the configuration change instruction takes effect. Because the scheme of the application does not need to simulate the route convergence process, its verification efficiency is higher than that of a control plane verification scheme, and the real-time performance of configuration changes can be improved. In addition, the scheme of the application can realize prior verification and thereby fault prevention. Furthermore, the verification device can perform incremental verification of the received configuration change instruction based on the verification result of the previous data plane verification, which reduces the verification scale and improves verification efficiency. By combining prior verification and post verification, the embodiment of the application not only improves the operational reliability of the network but also achieves higher verification efficiency.
The verification device that performs the method of fig. 2 may be the network verification apparatus 500 of fig. 5. As shown in fig. 5, the apparatus 500 includes a collection module 501 and a first verification module 502.
The collection module 501 is configured to collect device information of a plurality of network devices in a network, where the device information includes routing information.
The first verification module 502 is configured to perform network verification based on the configuration change instruction and the device information when the configuration change instruction for a first network device of the plurality of network devices is received and the configuration change instruction does not trigger route re-convergence of the plurality of network devices.
Optionally, the routing information includes a forwarding table and/or a routing table.
Optionally, the configuration change instruction is configured to instruct one or more of changing the static routing table entry, changing the access control list, or changing the network address translation mapping.
Optionally, the first verification module 502 is configured to determine changed device information based on the configuration change instruction and the device information, and determine a first forwarding behavior of the message to be verified on the first network device according to the changed device information.
Optionally, the device information further comprises configuration information. As shown in fig. 6, the apparatus 500 further comprises a second verification module 503. The second verification module 503 is configured to perform network verification based on the network topology of the network and the collected device information of the plurality of network devices after collecting the device information of the plurality of network devices.
Optionally, as shown in fig. 7, the apparatus 500 further comprises an acquisition module 504. The acquisition module 504 is configured to acquire the original transmission path of the message to be verified in the network. The original transmission path reflects the original forwarding behavior of the message to be verified on each network device it passes through, and the first network device lies on it. The first verification module 502 is configured to, when the first network device is not the head of the original transmission path, take the segment of the original transmission path from its head to the first network device as the segment from the head to the first network device of the target transmission path of the message to be verified in the network. The target transmission path is the transmission path of the message to be verified obtained after network verification is performed based on the configuration change instruction and the collected device information of the plurality of network devices.
Optionally, the first forwarding behavior is different from the original forwarding behavior of the message to be verified on the first network device. The first verification module 502 is further configured to: when the first forwarding behavior indicates that the next hop of the message to be verified in the network is a second network device, determine a second forwarding behavior of the message to be verified on the second network device according to the device information.
Optionally, as shown in fig. 8, the apparatus 500 further comprises an alarm module 505. The alarm module 505 is configured to output an alarm prompt when the message to be verified does not have a next hop in the network after performing network verification based on the configuration change instruction and the device information. The alarm prompt is used for indicating that the message to be verified is transmitted in the network in error.
Optionally, as shown in fig. 9, the apparatus 500 further comprises an output module 506. The output module 506 is configured to output a verification result corresponding to the message to be verified. The verification result includes a target transmission path and/or reachability result. The reachability result is used for indicating whether the message to be verified is reachable in the network.
Optionally, the network verification based on the configuration change instruction and the device information is a prior verification of the network based on the configuration change instruction and the device information.
Optionally, when the configuration change instruction triggers route re-convergence of the plurality of network devices, the collecting module 501 is further configured to collect updated device information, where the updated device information includes the re-converged route information. The first verification module 502 is further configured to perform post verification on the network according to the updated device information.
The specific manner in which the various modules of the apparatus in the above embodiments perform their operations has been described in detail in connection with the embodiments of the method and is not repeated here.
The verification device that performs the method shown in fig. 2 may be the network verification apparatus 1000 shown in fig. 10. As shown in fig. 10, the apparatus 1000 includes a processor 1001 and a memory 1002.
The memory 1002 is configured to store a computer program comprising program instructions.
The processor 1001 is configured to invoke the computer program to implement the method performed by the verification device in fig. 2.
Optionally, the apparatus 1000 also includes a communication bus 1003 and a communication interface 1004.
The processor 1001 includes one or more processing cores and performs various functional applications and data processing by running computer programs.
Memory 1002 may be used to store computer programs. Optionally, the memory may store an operating system and at least one application unit required for functionality. The operating system may be a real-time operating system (Real Time eXecutive, RTX), LINUX, UNIX, WINDOWS, or an operating system such as OS X.
There may be multiple communication interfaces 1004, which are used to communicate with other devices.
The memory 1002 and the communication interface 1004 are connected to the processor 1001 through a communication bus 1003, respectively.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they produce, in whole or in part, the flows or functions according to the embodiments of the present invention. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital versatile disc (DVD)), a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
In embodiments of the present application, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
The term "and/or" in the present application merely describes an association relationship between associated objects and indicates that three kinds of relationship may exist; for example, "A and/or B" may indicate that A exists alone, that A and B exist together, or that B exists alone. In addition, the character "/" herein generally indicates that the preceding and following associated objects are in an "or" relationship.
The foregoing description of the preferred embodiments of the present application is not intended to limit the application, but is intended to cover any modifications, equivalents, alternatives, and improvements within the spirit and principles of the application.

Claims (23)

1. A method of network verification, the method comprising:
Collecting device information of a plurality of network devices in a network, wherein the device information comprises routing information;
and when a configuration change instruction for a first network device in the plurality of network devices is received and does not trigger route re-convergence of the plurality of network devices, performing network verification based on the configuration change instruction and the device information.
2. The method of claim 1, wherein the configuration change instruction is configured to instruct one or more of changing a static routing table entry, changing an access control list, or changing a network address translation mapping.
3. The method according to claim 1 or 2, wherein the performing network verification based on the configuration change instruction and the device information includes:
determining changed equipment information based on the configuration change instruction and the equipment information;
and determining a first forwarding behavior of the message to be verified on the first network device according to the changed device information.
4. A method according to any one of claims 1 to 3, wherein the device information further comprises configuration information, and wherein after the collecting device information for a plurality of network devices in the network, the method further comprises:
and performing network verification based on the network topology of the network and the device information.
5. A method according to claim 3, characterized in that the method further comprises:
acquiring an original transmission path of the message to be verified in the network, wherein the original transmission path reflects an original forwarding behavior of the message to be verified on passing network equipment, and the original transmission path comprises the first network equipment;
when the first network device is not the head of the original transmission path, taking the segment of the original transmission path from its head to the first network device as the segment from the head to the first network device of the target transmission path of the message to be verified in the network, wherein the target transmission path is the transmission path of the message to be verified obtained after network verification is performed based on the configuration change instruction and the device information.
6. The method of claim 5, wherein the first forwarding behavior is different from an original forwarding behavior of the message to be verified on the first network device, and wherein after determining the first forwarding behavior of the message to be verified on the first network device based on the changed device information, the method further comprises:
and when the first forwarding behavior indicates that the next hop of the message to be verified in the network is a second network device, determining a second forwarding behavior of the message to be verified on the second network device according to the device information.
7. The method according to any one of claims 1 to 5, wherein after the network verification based on the configuration change instruction and the device information, the method further comprises:
and when the message to be verified does not have the next hop in the network, outputting an alarm prompt, wherein the alarm prompt is used for indicating that the message to be verified is transmitted in the network in error.
8. The method according to claim 5 or 6, characterized in that the method further comprises:
outputting a verification result corresponding to the message to be verified, wherein the verification result comprises the target transmission path and/or a reachability result, and the reachability result is used for indicating whether the message to be verified is reachable in the network.
9. The method according to any one of claims 1 to 8, wherein the network verification based on the configuration change instruction and the device information is a prior verification of the network based on the configuration change instruction and the device information.
10. The method according to any one of claims 1 to 9, further comprising:
when the configuration change instruction triggers the route re-convergence of the plurality of network devices, collecting updated device information, and performing post verification on the network according to the updated device information;
wherein the updated device information includes re-converged routing information.
11. A network verification apparatus, the apparatus comprising:
a collection module, configured to collect device information of a plurality of network devices in a network, wherein the device information comprises routing information;
and the first verification module is used for carrying out network verification based on the configuration change instruction and the equipment information when the configuration change instruction for the first network equipment in the plurality of network equipment is received and does not trigger the route re-convergence of the plurality of network equipment.
12. The apparatus of claim 11, wherein the configuration change instruction is to instruct one or more of a change static routing table entry, a change access control list, or a change network address translation mapping.
13. The apparatus according to claim 11 or 12, wherein the first verification module is configured to:
determining changed equipment information based on the configuration change instruction and the equipment information;
and determining a first forwarding behavior of the message to be verified on the first network device according to the changed device information.
14. The apparatus according to any one of claims 11 to 13, wherein the device information further comprises configuration information, the apparatus further comprising a second authentication module;
and the second verification module is used for carrying out network verification based on the network topology of the network and the equipment information after the equipment information of the plurality of network equipment is acquired.
15. The apparatus of claim 13, further comprising an acquisition module;
the acquisition module is configured to acquire an original transmission path of the message to be verified in the network, where the original transmission path reflects an original forwarding behavior of the message to be verified on each network device it passes through, and the original transmission path includes the first network device;
the first verification module is configured to, when the first network device is not the head network device on the original transmission path, take the segment of the original transmission path from the head network device to the first network device as the segment from the head network device to the first network device on a target transmission path of the message to be verified in the network, where the target transmission path is the transmission path of the message to be verified obtained after network verification is performed based on the configuration change instruction and the device information.
16. The apparatus of claim 15, wherein the first forwarding behavior is different from the original forwarding behavior of the message to be verified on the first network device, the first verification module further configured to:
when the first forwarding behavior indicates that the next hop of the message to be verified in the network is a second network device, determine a second forwarding behavior of the message to be verified on the second network device according to the device information.
17. The apparatus according to any one of claims 11 to 15, further comprising an alert module;
and the alarm module is configured to output an alarm prompt when, after network verification is performed based on the configuration change instruction and the device information, the message to be verified does not have a next hop in the network, the alarm prompt being used to indicate that the message to be verified is transmitted in the network in error.
18. The apparatus of claim 15 or 16, further comprising an output module;
the output module is configured to output a verification result corresponding to the message to be verified, where the verification result includes the target transmission path and/or a reachability result, and the reachability result is used to indicate whether the message to be verified is reachable in the network.
19. The apparatus according to any one of claims 11 to 18, wherein the network verification based on the configuration change instruction and the device information is a prior verification of the network based on the configuration change instruction and the device information.
20. The apparatus of any one of claims 11 to 19, wherein when the configuration change instruction triggers a route re-convergence of the plurality of network devices,
the acquisition module is further configured to acquire updated device information, wherein the updated device information comprises re-converged routing information;
the first verification module is further configured to perform post verification on the network according to the updated device information.
21. A network verification apparatus, comprising: a processor and a memory;
the memory is configured to store a computer program, and the computer program comprises program instructions;
the processor is configured to invoke the computer program to implement the network verification method according to any one of claims 1 to 10.
22. A computer readable storage medium having instructions stored thereon which, when executed by a processor, implement the network verification method of any one of claims 1 to 10.
23. A computer program product comprising a computer program which, when executed by a processor, implements the network verification method as claimed in any one of claims 1 to 10.
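As an added illustration (not code from the patent or its applicant), a toy Python model of the prior verification in claims 11 to 20: the device information is a constructed set of static routes and ACL deny lists, a configuration change for one device is applied to a copy of that information, the original transmission path up to the changed device is reused, and the message is re-walked from that device until it is delivered, dropped (alarm) or loops. Device names, prefixes and the change format are assumptions made for the example.

```python
import copy
from ipaddress import ip_address, ip_network

# Constructed device information (not from the patent): per device an ACL
# deny-list of destination prefixes and static routes {prefix: next hop};
# a next hop of None means the prefix is delivered locally on that device.
DEVICES = {
    "R1": {"deny": set(), "routes": {"10.0.2.0/24": "R2"}},
    "R2": {"deny": set(), "routes": {"10.0.2.0/24": "R3"}},
    "R3": {"deny": set(), "routes": {"10.0.2.0/24": None}},
}

def forwarding_behavior(device, dst, info):
    """Next hop for a message to dst on device: a device name, None when it is
    delivered locally, or 'DROP' when an ACL denies it or no route matches."""
    entry = info[device]
    if any(ip_address(dst) in ip_network(p) for p in entry["deny"]):
        return "DROP"
    for prefix, nh in entry["routes"].items():
        if ip_address(dst) in ip_network(prefix):
            return nh
    return "DROP"

def walk(device, dst, info, path=()):
    """Follow forwarding hop by hop from device (claim 16); stop on local
    delivery, on a missing next hop (the claim 17 alarm) or on a loop."""
    path = list(path) + [device]
    nh = forwarding_behavior(device, dst, info)
    if nh is None:
        return path, True, None
    if nh == "DROP":
        return path, False, f"ALARM: no next hop for {dst} on {device}"
    if nh in path:
        return path, False, f"ALARM: forwarding loop back to {nh}"
    return walk(nh, dst, info, path)

def prior_verify(ingress, first_device, change, dst, info):
    """Verify a change on first_device before it is applied. The change is a
    dict with optional 'routes' and 'deny' entries (constructed format)."""
    original_path, reachable0, alarm0 = walk(ingress, dst, info)  # original behavior
    changed = copy.deepcopy(info)                    # changed device info (claim 13)
    changed[first_device]["routes"].update(change.get("routes", {}))
    changed[first_device]["deny"].update(change.get("deny", set()))
    if first_device not in original_path:            # the change cannot affect this message
        return {"path": original_path, "reachable": reachable0, "alarm": alarm0}
    prefix = original_path[: original_path.index(first_device)]  # reused segment (claim 15)
    path, reachable, alarm = walk(first_device, dst, changed, prefix)
    return {"path": path, "reachable": reachable, "alarm": alarm}  # result (claim 18)
```

The original DEVICES table is never modified, so the same information can be reused for the post verification of claim 20 once re-converged routes are collected.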

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210135512.3A CN116633755A (en) 2022-02-14 2022-02-14 Network verification method and device

Publications (1)

Publication Number Publication Date
CN116633755A true CN116633755A (en) 2023-08-22

Family

ID=87612179

Legal Events

Date Code Title Description
PB01 Publication