CN117278501A - Message forwarding method, communication device and system - Google Patents


Info

Publication number
CN117278501A
Authority
CN
China
Prior art keywords
node
vpn
communication node
communication
upe
Prior art date
Legal status
Pending
Application number
CN202210676419.3A
Other languages
Chinese (zh)
Inventor
闫朝阳
陈新隽
王海波
胡志波
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00: Packet switching elements
    • H04L 49/25: Routing or path finding in a switch fabric
    • H04L 49/252: Store and forward routing

Abstract

A message forwarding method, a communication device and a system are provided, applied to the technical field of VPN. The method comprises the following steps: a first communication node receives a first VPN route from a second communication node and a second VPN route from a third communication node, where the second communication node and the third communication node belong to the same virtual private network (VPN). If the first export RT in the first VPN route does not match the second import RT in the second VPN route, the first communication node may generate a first entry indicating that the first communication node is prohibited from forwarding messages from the second communication node to the third communication node. If the first import RT in the first VPN route does not match the second export RT in the second VPN route, the first communication node may generate a second entry indicating that the first communication node is prohibited from forwarding messages from the third communication node to the second communication node. In this way, traffic isolation between the second communication node and the third communication node can be achieved.

Description

Message forwarding method, communication device and system
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method, a communications device, and a system for forwarding a message.
Background
In a hierarchical virtual private network (hierarchy of VPN, HoVPN), the functions of a provider edge (PE) device may be distributed across multiple devices that take on different roles and form a hierarchical structure, so as to jointly complete the functions of a PE device. A HoVPN may include a user-side PE device, an operator-side PE device and a network-side PE device.
It should be appreciated that one VPN may serve multiple branches simultaneously, and in a HoVPN different user-side PE devices may correspond to different branches. Because traffic isolation is required between different branches, the operator-side PE device connected to the user-side PE devices needs to enforce traffic isolation between the different user-side PE devices.
However, in a HoVPN the operator-side PE device may issue a default route to each user-side PE device connected to it, and that default route lets a message sent by a user-side PE device reach the operator-side PE device. The operator-side PE device knows the detailed route to each branch, so it may forward a message whose destination address belongs to a user-side PE device to the corresponding user-side PE device, and traffic isolation between user-side PE devices therefore cannot be achieved. How to isolate the traffic of different user-side PE devices in a HoVPN is a problem to be solved.
Disclosure of Invention
The present application provides a message forwarding method, a communication device and a system, which are used to solve the problem that the traffic of different user-side PE devices in a HoVPN cannot be isolated.
In order to achieve the above purpose, the present application adopts the following technical solution:
In a first aspect, a message forwarding method is provided. The communication device executing the method may be a first communication node, or a module applied in the first communication node, such as a chip or a chip system. The following describes an example in which the executing subject is the first communication node. The method may include the following steps: the first communication node receives a first VPN route from a second communication node, the first VPN route including a first node identifier of the second communication node, a first import RT and a first export RT. The first communication node also receives a second VPN route from a third communication node, the second VPN route including a second node identifier of the third communication node, a second import RT and a second export RT. The second communication node and the third communication node may belong to the same VPN. Then, in response to the first export RT and the second import RT not matching, the first communication node may generate a first entry, which stores a correspondence between the first node identifier, the second node identifier and first indication information, the first indication information indicating that the first communication node is prohibited from forwarding a message from the second communication node to the third communication node. In response to the first import RT and the second export RT not matching, the first communication node may further generate a second entry, which stores a correspondence between the second node identifier, the first node identifier and second indication information, the second indication information indicating that the first communication node is prohibited from forwarding a message from the third communication node to the second communication node.
Based on this scheme, in a scenario where the second communication node and the third communication node in the same VPN communicate by relay through the first communication node, if the export RT of the second communication node does not match the import RT of the third communication node, the first communication node does not forward messages from the second communication node to the third communication node, according to the first entry. If the import RT of the second communication node does not match the export RT of the third communication node, the first communication node does not forward messages from the third communication node to the second communication node, according to the second entry. Traffic isolation between the second communication node and the third communication node can therefore be achieved simply by configuring the RTs of the two nodes so that they do not match. In addition, the first entry and the second entry are generated automatically by the first communication node from the VPN routes of the second and third communication nodes, without manual configuration, which greatly reduces the deployment workload. And because the entries are generated automatically, when a communication node is newly added to the network the entries can also be updated automatically from its VPN route, which gives good flexibility.
With reference to the first aspect, as a possible implementation manner, if the first export RT and the second import RT do not have the same value, the first export RT and the second import RT do not match.
With reference to the first aspect, as a possible implementation manner, the first VPN route may further include a first VPN identifier of the second communication node, and the second VPN route may further include a second VPN identifier of the third communication node. The message forwarding method may further include: the first communication node may determine, according to the first VPN identifier and the second VPN identifier, that the second communication node and the third communication node belong to the same VPN. Based on this scheme, the message forwarding method of the first aspect may be performed based on the case that the second communication node and the third communication node belong to the same VPN.
With reference to the first aspect, as a possible implementation manner, the first VPN route and the second VPN route are SRv6 VPN routes. Based on this scheme, the message forwarding method of the first aspect can be applied to the SRv6 VPN scenario.
With reference to the first aspect, as a possible implementation manner, the first node identifier is part or all of the content of the source IPv6 address field of the second communication node, and the second node identifier is part or all of the content of the source IPv6 address field of the third communication node.
With reference to the first aspect, as a possible implementation manner, the first VPN route includes a first SRv6 VPN SID, and the first SRv6 VPN SID carries the first node identifier. The second VPN route includes a second SRv6 VPN SID, and the second SRv6 VPN SID carries the second node identifier.
With reference to the first aspect, as a possible implementation manner, the first node identifier is located in the locator field of the first SRv6 VPN SID, and the second node identifier is located in the locator field of the second SRv6 VPN SID.
The above gives three possible implementations of the first node identifier and the second node identifier in the SRv6 VPN scenario.
With reference to the first aspect, as a possible implementation manner, the first VPN route includes a first SRv6 VPN SID, and the first SRv6 VPN SID carries a first VPN identifier of the second communication node. The second VPN route includes a second SRv6 VPN SID, and the second SRv6 VPN SID carries a second VPN identifier of the third communication node.
With reference to the first aspect, as a possible implementation manner, the first VPN identifier is located in the function field or the parameter field of the first SRv6 VPN SID, and the second VPN identifier is located in the function field or the parameter field of the second SRv6 VPN SID.
The above gives three possible implementations of the first VPN identifier and the second VPN identifier in the SRv6 VPN scenario.
With reference to the first aspect, as a possible implementation manner, the first VPN route and the second VPN route are MPLS VPN routes. Based on this scheme, the message forwarding method of the first aspect can be applied to the MPLS VPN scenario.
With reference to the first aspect, as a possible implementation manner, the first node identifier is part or all of the content of the source IPv4 address field of the second communication node, and the second node identifier is part or all of the content of the source IPv4 address field of the third communication node. This scheme provides an implementation of the first node identifier and the second node identifier in the MPLS VPN scenario.
With reference to the first aspect, as a possible implementation manner, the first VPN route is carried in a first BGP message, and the first node identifier is located in a TLV field of the first BGP message; the second VPN route is carried in a second BGP message, and the second node identifier is located in a TLV field of the second BGP message. This scheme gives one implementation of the first node identifier and the second node identifier in the SRv6 VPN or MPLS VPN scenarios.
With reference to the first aspect, as a possible implementation manner, the first VPN route is carried in a first BGP message, and the first VPN identifier is located in a TLV field of the first BGP message; the second VPN route is carried in a second BGP message, and the second VPN identifier is located in a TLV field of the second BGP message. This scheme gives one implementation of the first VPN identifier and the second VPN identifier in the SRv6 VPN or MPLS VPN scenarios.
With reference to the first aspect, as a possible implementation manner, the first communication node is an SPE device, and the second communication node and the third communication node are UPE devices. Based on the scheme, the message forwarding method of the first aspect can be used for realizing traffic isolation between UPE devices.
With reference to the first aspect, as a possible implementation manner, the first communication node is a central node, and the second communication node and the third communication node are spoke nodes. Based on the scheme, a network deployment mode is provided.
With reference to the first aspect, as a possible implementation manner, the message forwarding method may further include: the first communication node receives a third VPN route from the second communication node, the third VPN route including the first node identifier of the second communication node, a third import RT and a third export RT. In response to the third export RT matching the second import RT, the first communication node updates the first entry, and the updated first entry stores a correspondence between the first node identifier, the second node identifier and third indication information, the third indication information indicating that the first communication node is allowed to forward messages from the second communication node to the third communication node.
Based on this scheme, the connectivity from the second communication node to the third communication node can be updated by updating the RT values of the second communication node.
In a second aspect, a message forwarding method is provided. The communication device executing the method may be a first communication node, or a module applied in the first communication node, such as a chip or a chip system. The following describes an example in which the executing subject is the first communication node. The method may include the following steps: the first communication node receives a first VPN message from a second communication node, where the next hop to which the first communication node would forward the first VPN message is a third communication node, and the second communication node and the third communication node belong to the same VPN. The first communication node may then determine to discard the first VPN message according to a first entry, the first entry including a first node identifier of the second communication node, a second node identifier of the third communication node and first indication information indicating that the first communication node is prohibited from forwarding messages from the second communication node to the third communication node.
Based on this scheme, even if the route from the second communication node to the third communication node is reachable, the first communication node can still determine from the first entry not to forward. The method therefore achieves traffic isolation between the second communication node and the third communication node.
With reference to the second aspect, as a possible implementation manner, the first VPN packet carries a first node identifier. Based on this, the first communication node may directly obtain the first node identifier according to the first VPN message.
With reference to the second aspect, as a possible implementation manner, the method for forwarding a packet may further include: the first communication node determines a second node identification according to the first VPN message and routing information stored in the first communication node. Based on this scheme, the first communication node may obtain the second node identification.
With reference to the second aspect, as a possible implementation manner, the routing information stored in the first communication node is SRv6 VPN routing information.
With reference to the second aspect, as a possible implementation manner, the node identifier of the second communication node is carried in the source IPv6 address of the first VPN packet.
With reference to the second aspect, as a possible implementation manner, the first VPN packet carries a first SRv6 VPN SID of the second communication node, and the first node identifier is located in the first SRv6 VPN SID.
With reference to the second aspect, as a possible implementation manner, the first node identifier is located in the locator field of the first SRv6 VPN SID.
With reference to the second aspect, as a possible implementation manner, the routing information stored in the first communication node is MPLS VPN routing information.
With reference to the second aspect, as a possible implementation manner, the first node identifier is carried in an extended MPLS label of the first VPN packet. This scheme is compatible with the MPLS VPN scenario and is easy to implement.
With reference to the second aspect, as a possible implementation manner, determining the second node identifier according to the first VPN packet and the routing information stored in the first communication node may specifically include: first, the first communication node may query the stored routing information according to the destination IP address of the first VPN message and determine the second SRv6 VPN SID of the third communication node; the first communication node may then determine the second node identifier of the third communication node from the second SRv6 VPN SID. This scheme presents a way of determining the second node identifier in the SRv6 VPN scenario.
With reference to the second aspect, as a possible implementation manner, the first communication node is an operator-side PE (SPE) device, and the second communication node and the third communication node are user-side PE (UPE) devices.
With reference to the second aspect, as a possible implementation manner, the first communication node is a central node, and the second communication node and the third communication node are spoke nodes.
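The following is an added, constructed model of the first and second aspects (it is not code from the patent or from Huawei): the SPE builds the isolation table from the import/export RTs of routes received from UPEs in the same VPN, updates it when a UPE re-advertises with changed RTs (the third VPN route case), and at forwarding time derives the destination node identifier from the matched SRv6 VPN SID's locator and consults the table. The locator length (64 bits), the RT values, prefixes and SIDs are assumed sample data.

```python
"""Constructed model of the RT-based isolation table: control-plane entry
generation (first aspect) and forwarding-time lookup (second aspect).
Not the patent's or any vendor's code; all values below are sample data."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

DENY, ALLOW = "prohibit", "allow"   # the "indication information" kept in an entry


def node_id_from_sid(sid: str, locator_bits: int) -> str:
    """Derive the node identifier from the Locator field of an SRv6 VPN SID.
    The locator length is deployment-specific; 64 bits is assumed here."""
    net = IPv6Network((int(IPv6Address(sid)), locator_bits), strict=False)
    return str(net)


@dataclass(frozen=True)
class VpnRoute:
    """One VPN route as received by the SPE from a UPE (sample values)."""
    vpn_id: str
    prefix: str                    # customer prefix reachable via this UPE
    sid: str                       # SRv6 VPN SID; its Locator identifies the UPE
    import_rts: FrozenSet[str]
    export_rts: FrozenSet[str]
    locator_bits: int = 64

    @property
    def node_id(self) -> str:
        return node_id_from_sid(self.sid, self.locator_bits)


def rts_match(export_rts: FrozenSet[str], import_rts: FrozenSet[str]) -> bool:
    """An export RT list matches an import RT list when they share a value."""
    return not export_rts.isdisjoint(import_rts)


class SpeNode:
    """The first communication node (SPE): latest VPN route per UPE plus an
    isolation table keyed by (source node id, destination node id)."""

    def __init__(self) -> None:
        self.routes: Dict[str, VpnRoute] = {}
        self.entries: Dict[Tuple[str, str], str] = {}

    def receive_route(self, route: VpnRoute) -> None:
        """First aspect: (re)compute both entries for every UPE pair in the
        same VPN. A later route from the same UPE overwrites its entries,
        which is how a changed RT re-enables forwarding."""
        self.routes[route.node_id] = route
        for other in self.routes.values():
            if other.node_id == route.node_id or other.vpn_id != route.vpn_id:
                continue
            # first entry: traffic route.node_id -> other.node_id
            self.entries[(route.node_id, other.node_id)] = (
                ALLOW if rts_match(route.export_rts, other.import_rts) else DENY)
            # second entry: traffic other.node_id -> route.node_id
            self.entries[(other.node_id, route.node_id)] = (
                ALLOW if rts_match(other.export_rts, route.import_rts) else DENY)

    def next_hop_node(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match over stored VPN routes; the matched route's
        SID yields the destination (second) node identifier."""
        best: Optional[VpnRoute] = None
        for r in self.routes.values():
            net = ip_network(r.prefix)
            if ip_address(dst_ip) in net and (
                    best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
                best = r
        return best.node_id if best else None

    def forward(self, src_node_id: str, dst_ip: str) -> str:
        """Second aspect: 'forward' or 'discard' for a packet whose source
        node id is carried in the packet (e.g. in its source IPv6 address)."""
        dst_node = self.next_hop_node(dst_ip)
        if dst_node is None:
            return "discard"                      # no VPN route at all
        if self.entries.get((src_node_id, dst_node)) == DENY:
            return "discard"                      # isolation entry hit
        return "forward"


# Constructed sample topology: two branches (UPEs) of one VPN behind one SPE,
# with deliberately non-matching RTs so that relay traffic is isolated.
UPE_A = VpnRoute("vpn-red", "10.1.0.0/16", "2001:db8:a::100",
                 frozenset({"100:1"}), frozenset({"100:1"}))
UPE_B = VpnRoute("vpn-red", "10.2.0.0/16", "2001:db8:b::100",
                 frozenset({"100:2"}), frozenset({"100:2"}))


def demo() -> Tuple[str, str]:
    """Returns the A->B decision before and after A re-advertises an export RT
    that B imports (the third VPN route of the first aspect)."""
    spe = SpeNode()
    spe.receive_route(UPE_A)
    spe.receive_route(UPE_B)
    before = spe.forward(UPE_A.node_id, "10.2.5.9")
    updated_a = VpnRoute("vpn-red", "10.1.0.0/16", "2001:db8:a::100",
                         frozenset({"100:1"}), frozenset({"100:1", "100:2"}))
    spe.receive_route(updated_a)
    after = spe.forward(UPE_A.node_id, "10.2.5.9")
    return before, after


if __name__ == "__main__":
    print(demo())
```

Note that the update only re-enables the A to B direction; B to A stays prohibited until B's export RT matches A's import RT, which is exactly the per-direction entry pair the first aspect describes.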
In a third aspect, the present application provides a communication device, which may be a first communication node, a chip or a chip system in the first communication node, or a functional module in the first communication node for implementing any of the possible designs of the method according to the first aspect. The communication device may implement the functions performed by the first communication node in the above aspects or in each possible design, where the functions may be implemented by hardware executing corresponding software. The hardware or software comprises one or more modules corresponding to the functions. For example, the communication device may include a transceiver module and a processing module. The transceiver module may be configured to receive a first VPN route from the second communication node, the first VPN route including a first node identifier of the second communication node, a first import RT and a first export RT. The transceiver module may be further configured to receive a second VPN route from the third communication node, the second VPN route including a second node identifier of the third communication node, a second import RT and a second export RT, where the second communication node and the third communication node belong to the same VPN. The processing module may be configured to generate a first entry in response to the first export RT and the second import RT not matching, the first entry storing a correspondence between the first node identifier, the second node identifier and first indication information, the first indication information indicating that the first communication node is prohibited from forwarding messages from the second communication node to the third communication node.
The processing module may be further configured to generate a second entry in response to the first import RT and the second export RT not matching, the second entry storing a correspondence between the second node identifier, the first node identifier and second indication information, the second indication information indicating that the first communication node is prohibited from forwarding messages from the third communication node to the second communication node.
With reference to the third aspect, as a possible implementation manner, if the first export RT and the second import RT do not have the same value, the first export RT and the second import RT do not match.
With reference to the third aspect, as one possible implementation manner, the first VPN route further includes a first VPN identifier of the second communication node, and the second VPN route further includes a second VPN identifier of the third communication node. The processing module may be specifically configured to: and determining that the second communication node and the third communication node belong to the same VPN according to the first VPN identifier and the second VPN identifier.
With reference to the third aspect, as a possible implementation manner, the first VPN route and the second VPN route are each SRv6 VPN routes.
With reference to the third aspect, as a possible implementation manner, the first node identifier is part or all of the content of the source IPv6 address field of the second communication node, and the second node identifier is part or all of the content of the source IPv6 address field of the third communication node.
With reference to the third aspect, as a possible implementation manner, the first VPN route includes a first SRv6 VPN SID, and the first SRv6 VPN SID carries the first node identifier. The second VPN route includes a second SRv6 VPN SID, and the second SRv6 VPN SID carries the second node identifier.
With reference to the third aspect, as a possible implementation manner, the first node identifier is located in the locator field of the first SRv6 VPN SID, and the second node identifier is located in the locator field of the second SRv6 VPN SID.
With reference to the third aspect, as a possible implementation manner, the first VPN route includes a first SRv6 VPN SID, and the first SRv6 VPN SID carries a first VPN identifier of the second communication node; the second VPN route includes a second SRv6 VPN SID, and the second SRv6 VPN SID carries a second VPN identifier of the third communication node.
With reference to the third aspect, as a possible implementation manner, the first VPN identifier is located in the function field or the parameter field of the first SRv6 VPN SID, and the second VPN identifier is located in the function field or the parameter field of the second SRv6 VPN SID.
With reference to the third aspect, as a possible implementation manner, the first VPN route and the second VPN route are MPLS VPN routes.
With reference to the third aspect, as a possible implementation manner, the first node identifier is part or all of the content of the source IPv4 address field of the second communication node, and the second node identifier is part or all of the content of the source IPv4 address field of the third communication node.
With reference to the third aspect, as a possible implementation manner, the first VPN route is carried in a first BGP packet, and the first node identifier is located in a TLV field of the first BGP packet; the second VPN route is carried in a second BGP message, and the second node identifier is located in a TLV field of the second BGP message.
With reference to the third aspect, as a possible implementation manner, the first VPN route is carried in a first BGP packet, and the first VPN identifier is located in a TLV field of the first BGP packet; the second VPN route is carried in a second BGP message, and the second VPN identifier is located in a TLV field of the second BGP message.
With reference to the third aspect, as a possible implementation manner, the first communication node is an SPE device, and the second communication node and the third communication node are UPE devices.
With reference to the third aspect, as a possible implementation manner, the first communication node is a central node, and the second communication node and the third communication node are spoke nodes.
With reference to the third aspect, as a possible implementation manner, the transceiver module is further configured to receive a third VPN route from the second communication node, where the third VPN route includes the first node identifier of the second communication node, a third import RT and a third export RT. The processing module is further configured to update the first entry in response to the third export RT matching the second import RT, the updated first entry storing a correspondence between the first node identifier, the second node identifier and third indication information, the third indication information indicating that the first communication node is allowed to forward messages from the second communication node to the third communication node.
The technical effects of the third aspect may refer to the first aspect, and are not repeated herein.
In a fourth aspect, the present application provides a communication device, which may be the first communication node, a chip or a chip system in the first communication node, or a functional module in the first communication node for implementing any one of the possible designs of the method according to the second aspect. The communication device may implement the functions performed by the first communication node in the above aspects or in each possible design, where the functions may be implemented by hardware executing corresponding software. The hardware or software comprises one or more modules corresponding to the functions. For example, the communication device may include a transceiver module and a processing module. The transceiver module may be configured to receive a first VPN message from a second communication node, where the next hop to which the first communication node would forward the first VPN message is a third communication node, and the second communication node and the third communication node belong to the same VPN. The processing module may be configured to determine to discard the first VPN message according to a first entry, where the first entry includes a first node identifier of the second communication node, a second node identifier of the third communication node and first indication information indicating that the first communication node is prohibited from forwarding messages from the second communication node to the third communication node.
With reference to the fourth aspect, as a possible implementation manner, the first VPN packet carries the first node identifier.
With reference to the fourth aspect, as a possible implementation manner, the processing module may be further configured to determine the second node identifier according to the first VPN packet and routing information stored in the first communication node.
With reference to the fourth aspect, as a possible implementation manner, the routing information stored in the first communication node is SRv6 VPN routing information.
With reference to the fourth aspect, as a possible implementation manner, the node identifier of the second communication node is carried in a source IPv6 address of the first VPN packet.
With reference to the fourth aspect, as a possible implementation manner, the first VPN packet carries a first SRv6 VPN SID of the second communication node, and the first node identifier is located in the first SRv6 VPN SID.
With reference to the fourth aspect, as a possible implementation manner, the first node identifier is located in the locator field of the first SRv6 VPN SID.
With reference to the fourth aspect, as a possible implementation manner, the routing information stored in the first communication node is MPLS VPN routing information.
With reference to the fourth aspect, as a possible implementation manner, the first node identifier is carried in an extended MPLS label of the first VPN packet.
With reference to the fourth aspect, as a possible implementation manner, when determining the second node identifier according to the first VPN packet and the routing information stored in the first communication node, the processing module may specifically be configured to: first, query the routing information stored in the first communication node according to the destination IP address of the first VPN message and determine the second SRv6 VPN SID of the third communication node; and then determine the second node identifier of the third communication node from the second SRv6 VPN SID.
With reference to the fourth aspect, as a possible implementation manner, the first communication node is an SPE device, and the second communication node and the third communication node are UPE devices.
With reference to the fourth aspect, as a possible implementation manner, the first communication node is a central node, and the second communication node and the third communication node are spoke nodes.
The technical effects of the fourth aspect may refer to the second aspect, and are not described herein.
In a fifth aspect, there is provided a communication apparatus comprising: a processor and a memory; the memory is configured to store computer-executable instructions that, when executed by the communication device, cause the communication device to perform the message forwarding method according to any one of the first or second aspects.
In a sixth aspect, there is provided a communication apparatus comprising a processor; the processor is configured to be coupled to a memory and, after reading the instructions in the memory, to execute the method according to any one of the first aspect or the second aspect according to those instructions.
In one possible implementation, the communication device further includes a memory; the memory is used to store computer instructions.
In one possible implementation, the communication device further includes a communication interface; the communication interface is used for the communication device to communicate with other equipment. By way of example, the communication interface may be a transceiver, an input/output interface, an interface circuit, an output circuit, an input circuit, a pin or related circuit, or the like.
In one possible implementation, the communication device may be a chip or a system-on-chip. When the communication device is a chip system, the communication device may be formed by a chip, or may include a chip and other discrete devices.
In one possible implementation, when the communication device is a chip or a chip system, the communication interface may be an input/output interface, an interface circuit, an output circuit, an input circuit, a pin, or related circuitry, etc. on the chip or the chip system. The processor described above may also be embodied as processing or logic circuits.
In a seventh aspect, there is provided a computer readable storage medium having instructions stored therein which, when run on a computer, cause the computer to perform the message forwarding method of any one of the first or second aspects above.
In an eighth aspect, there is provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of forwarding a message according to any of the first or second aspects above.
A ninth aspect provides a communication system comprising the first communication node, the second communication node and the third communication node of the first aspect or the second aspect.
The technical effects of any one of the designs in the fifth aspect to the ninth aspect may be referred to the technical effects of the different designs in the first aspect to the fourth aspect, and are not described herein.
Drawings
Fig. 1 is a schematic architecture diagram of a HoVPN according to an embodiment of the present application;
Fig. 2 is a schematic diagram of an intelligent cloud network for deploying a HoVPN according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a communication system according to an embodiment of the present application;
Fig. 4 is a schematic diagram of another communication system according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a communication device according to an embodiment of the present application;
Fig. 6 is a flowchart of a method for forwarding a message according to an embodiment of the present application;
Fig. 7 is a schematic field structure diagram of an SRv6 SID according to an embodiment of the present application;
Fig. 8 is a schematic diagram of a field structure of another SRv6 SID according to an embodiment of the present application;
Fig. 9 is a flowchart of another method for forwarding a message according to an embodiment of the present application;
Fig. 10 is a flowchart of another method for forwarding a message according to an embodiment of the present application;
Fig. 11 is a flowchart of another method for forwarding a message according to an embodiment of the present application;
Fig. 12 is a flowchart of another method for forwarding a message according to an embodiment of the present application;
Fig. 13 is a schematic structural diagram of another communication device according to an embodiment of the present application.
Detailed Description
Prior to introducing the embodiments of the present application, technical terms and related techniques related to the present application are explained. It should be noted that the following explanation is for easier understanding of the embodiments of the present application, and should not be construed as limiting the scope of protection claimed by the embodiments of the present application.
VPN: a point-to-point private network virtualized over a public data network by means of tunneling technology. The basic principle of a VPN is to encapsulate VPN messages in tunnels using tunneling technology and to establish dedicated data transmission channels across the VPN backbone network, so that the messages are transmitted privately.
In a VPN, the network devices can be divided into: Customer Edge (CE) devices, service Provider Edge (PE) devices and service Provider (P) devices.
CE device: an edge device in a site on the user side that is directly connected to the service provider; it only needs to support ordinary IP forwarding. A CE device may be a router, a switch or a host.
PE device: an edge device in the operator network that is directly connected to the user's CE device; it performs the main functions of the VPN.
P device: a device in the operator network that is not directly connected to any CE; it does not need to be aware of whether a VPN exists and only needs basic MPLS forwarding capability.
In this embodiment of the present application, the PE device may be abbreviated as PE, the CE device may be abbreviated as CE, and the P device may be abbreviated as P.
Site (Site): a site refers to a group of IP systems that have IP connectivity with each other, and the IP connectivity of the group of IP systems need not be implemented through a service provider network. Devices in one site may belong to multiple VPNs, in other words, one site may belong to multiple VPNs. The Site is connected to the service provider network through CEs, and one Site may contain a plurality of CEs, but one CE belongs to only one Site.
For a plurality of sites connected to the same service provider network, a policy can divide the sites into different sets, and only sites belonging to the same set can access each other through the service provider network. Each such set is a VPN, so sites belonging to the same set can be considered to belong to the same VPN.
VPN instance (VPN-instance): in a VPN, routing isolation between different VPNs is achieved by VPN instances. The PE may establish and maintain a specific VPN instance for each directly connected site. The VPN instance contains the VPN membership and routing rules of the corresponding site. If a user at a site belongs to multiple VPNs at the same time, the site's VPN instance includes information for all of those VPNs. A VPN instance may also be referred to as a VPN routing and forwarding (VRF) instance.
Route Target (RT): may also be referred to as a routing label. The RT is used to control the advertisement of VPN routing information and to implement route import and export: it lets the PE that sends a route know which VPN clients to send it to, and lets the PE that receives a route know which VRFs to import it into.
The RT may include an import RT (import RT) and an export RT (export RT). The routing information sent by the sending PE carries the export RT of the sending PE. The import RT of the receiving PE is matched against the export RT of the sending PE in the received routing information; only when the export RT of the sending PE matches the import RT of the receiving PE does the receiving PE add the received route to the routing table of the VRF.
MPLS L3VPN: a layer 3 (L3) VPN established using multi-protocol label switching (MPLS). MPLS L3VPN uses the Border Gateway Protocol (BGP) to advertise VPN routes over the service provider backbone and MPLS to forward VPN messages over the service provider backbone. MPLS L3VPN is a VPN technology currently in common use.
MPLS L3VPN uses a flat model in which all PE devices are peers within the overall framework, and the performance requirements on a PE device are the same regardless of where it sits in the network. As network architectures evolve, more and more networks adopt layered structures; a typical metropolitan area network, for example, uses a core-aggregation-access three-layer model in which the device performance requirements decrease layer by layer while the network scale grows layer by layer. A PE device connects to users and therefore needs a large number of interfaces, and processing user messages requires a large memory capacity and forwarding capacity; it is difficult for a PE device at any single layer to combine high performance with a large number of interfaces, so a scalability problem exists no matter which layer the PEs are deployed at. The problem of this flat structure in MPLS L3VPN is that if some PEs have performance or scalability problems, the wide coverage and further scalability of VPN traffic across the entire network are also limited.
To accommodate the layered, hierarchical structure of the network and solve the scalability problem, the hierarchical VPN (HoVPN) solution was developed.
HoVPN: a VPN technology that can be applied in a hierarchical network. A HoVPN can divide the PEs into any number of layers, allowing unlimited expansion and extension. The HoVPN solution distributes the functions of a PE across multiple PE devices; these devices take on different roles, form a hierarchical structure, and together complete the functions of one PE. The routing capability and forwarding performance requirements for devices at higher layers are higher, while the corresponding requirements for devices at lower layers are lower, which suits a layered, hierarchical network model. The scheme can reduce the performance requirements on PE devices in a VPN.
The architecture of a HoVPN may include: user-end PE (UPE) devices, service provider-end PE (SPE) devices, and network provider-end PE (NPE) devices. In the embodiments of the application, the UPE device may be referred to as UPE, the SPE device as SPE, and the NPE device as NPE. This is stated here once and applies throughout.
By way of example, FIG. 1 shows a schematic architecture of a HoVPN that may include site A, site B, UPE 101a, UPE 101b, SPE 102a, SPE 102b, NPE 103a, and NPE 103b. Site A may be connected to UPE 101a and site B may be connected to UPE 101b. UPE 101a may be coupled to SPE 102a and SPE 102b, and UPE 101b may be coupled to SPE 102a and SPE 102b. SPE 102a and SPE 102b may interwork. NPE 103a may be coupled to SPE 102a and SPE 102b, and NPE 103b may be coupled to SPE 102a and SPE 102b.
In a HoVPN, the UPE device is the PE device directly connected to the user's CE device, and it mainly performs the user access function. For example, as shown in FIG. 1, UPE 101a may be connected to CE devices in site A and UPE 101b may be connected to CE devices in site B. Alternatively, UPE devices may also be referred to as lower layer PE (underlayer PE) devices.
SPE devices are connected to UPEs and located inside the network. The SPE mainly performs VPN route management and advertisement. Alternatively, the SPE device may also be referred to as an upper layer PE (superstratum PE) device.
The NPE equipment is PE equipment which is connected with the SPE and faces to the network side. The role of the NPE is primarily to connect SPE devices and learn the route from UPE devices.
It should be appreciated that, compared with MPLS L3VPN, a HoVPN distributes the functions of a PE device in MPLS L3VPN across multiple PE devices (UPE, SPE, and NPE).
Currently, a great deal of HoVPN schemes are deployed in the intelligent cloud network. By way of example, fig. 2 shows a schematic diagram of an intelligent cloud network deploying a HoVPN. As shown in fig. 2, the network may include branch office 1, branch office 2, customer premise equipment (customer premise equipment, CPE) 201a, CPE 201b, network PE 202a, network PE 202b, cloud PE 203a, and cloud PE 203b. Branch office 1 may be connected to network PE 202a via CPE 201a and branch office 2 may be connected to network PE 202b via CPE 201 b. Network PE 202a and network PE 202b may interwork. Cloud PE 203a may be connected to network PE 202a and network PE 202b, and cloud PE 203b may be connected to network PE 202a and network PE 202 b. Cloud PE 203a and cloud PE 203b may be connected to a cloud. In the intelligent cloud network shown in fig. 2, branch office 1 and branch office 2 may be sites in a HoVPN, CPE 201a and CPE 201b may be UPE nodes in the HoVPN, network PE 202a and network PE 202b may be SPE nodes in the HoVPN, and cloud PE 203a and cloud PE 203b may be NPE nodes in the HoVPN.
Alternatively, CPE may be connected to a CE device in branch office, e.g., CPE 201a may be connected to a CE device in branch office 1 and CPE 201b may be connected to a CE device in branch office 2 as shown in fig. 2.
Alternatively, CPE may be connected to a network PE through a slice private network or a metropolitan area network; for example, as shown in fig. 2, CPE 201a may be connected to network PE 202a and network PE 202b through a slice private network, and CPE 201b may be connected to network PE 202a and network PE 202b through a metropolitan area network. In particular, referring to fig. 2, the CPE may be connected to an Access Router (AR) in the slice private network or the metropolitan area network, and the network PE may be connected to a Core Router (CR) in the slice private network or the metropolitan area network.
Alternatively, as shown in fig. 2, cloud PEs (e.g., cloud PE 203a and cloud PE 203 b) may be connected to network PEs (e.g., network PE 202a and network PE 202 b) through an operator backbone network. Specifically, referring to fig. 2, the cloud PE may connect with the network PE through a P device in the operator backbone network.
When a HoVPN is deployed in an intelligent cloud network, VPN-related attributes also need to be configured. For example, RT attributes (including import RT and export RT) may be configured for CPE, network PE, and cloud PE. It should be appreciated that since the network PE is connected to both CPE and cloud PE, the RT attribute of the network PE should match both CPE and cloud PE.
Illustratively, as shown in fig. 2, the import RT of CPE 201a and CPE 201b may be 200:1 and their export RT may be 100:1; the import RT of network PE 202a and network PE 202b may include 100:1 and 9999:1 and their export RT may include 200:1 and 9999:1; the import RT of cloud PE 203a and cloud PE 203b may be 9999:1 and their export RT may be 9999:1. Here the import RT 100:1 of network PE 202a and network PE 202b matches the export RT 100:1 of CPE 201a and CPE 201b, the import RT 9999:1 of network PE 202a and network PE 202b matches the export RT 9999:1 of cloud PE 203a and cloud PE 203b, the export RT 200:1 of network PE 202a and network PE 202b matches the import RT 200:1 of CPE 201a and CPE 201b, and the export RT 9999:1 of network PE 202a and network PE 202b matches the import RT 9999:1 of cloud PE 203a and cloud PE 203b.
In the scenario where a HoVPN is deployed in the intelligent cloud network, the requirement for traffic isolation between different branch offices in the same VPN is equivalent to a requirement for isolation between the CPEs corresponding to those branch offices. For example, in the intelligent cloud network deploying a HoVPN shown in FIG. 2, branch office 1 and branch office 2 may belong to the same VPN, yet branch office 1 and branch office 2 may also have a traffic isolation requirement, so CPE 201a and CPE 201b need to be isolated from each other.
As one possible implementation, the export RT and the import RT of the CPE corresponding to a branch office can be configured so that neither matches the RTs of the CPEs of other branch offices; the CPE then cannot learn routing information to the other branch offices. In general, if the CPE corresponding to a branch office cannot learn routing information to other branch offices, it cannot forward to the other CPEs on the forwarding plane, so isolation between different branch offices is achieved.
Taking the intelligent cloud network deploying a HoVPN shown in fig. 2 as an example, the import RT of CPE 201a is 200:1 and its export RT is 100:1; the import RT of CPE 201b is 200:1 and its export RT is 100:1. It can be seen that the import RT of CPE 201a and the export RT of CPE 201b do not match, nor do the export RT of CPE 201a and the import RT of CPE 201b. Thus, CPE 201a does not learn a route to CPE 201b, nor does CPE 201b learn a route to CPE 201a. A message sent by CPE 201a and destined for CPE 201b will not find corresponding routing information, nor will a message sent by CPE 201b and destined for CPE 201a.
However, in a HoVPN, an SPE (e.g., a network PE in FIG. 2) issues a default route (default route) to a UPE (e.g., a CPE in FIG. 2). The default route is a route selected by the router when the router cannot find other routes according to the destination address of the message, and all messages of which the destination is not in the routing table of the router can be forwarded by using the default route. Therefore, when the SPE issues the default route to the UPE, the message sent by the UPE can still be sent to the SPE according to the default route even if the corresponding route information cannot be queried in the route table. And SPE can communicate with any UPE, so that messages sent by UPE to other UPE can still reach other UPE smoothly, and isolation between UPE is not realized yet.
Illustratively, taking the intelligent cloud network deploying a HoVPN shown in FIG. 2 as an example, network PE 202a and network PE 202b may advertise default routes to CPE 201a and CPE 201b. Based on this, even if a packet sent by CPE 201a and destined for CPE 201b finds no corresponding routing information locally at CPE 201a, CPE 201a can still send the packet to network PE 202a or network PE 202b according to the default route. Subsequently, network PE 202a or network PE 202b may look up the routing information according to the destination address of the packet and forward the packet to CPE 201b. It can be seen that even if the RT values of CPE 201a and CPE 201b are configured not to match, a message sent by CPE 201a to CPE 201b can still successfully reach CPE 201b, so CPE 201a and CPE 201b still cannot achieve isolation.
In order to realize traffic isolation between different branch offices in an intelligent cloud network deploying a HoVPN, the application provides a possible implementation in which an access point name (APN) identifier (ID) can be configured on each CPE, the APNIDs of different CPEs being different, and the CPE carries its APNID in the message when sending a VPN message. In addition, an APNID mutual access table for the branch offices can be statically configured in the network PE node; the table indicates which APNIDs' CPEs may access each other and which may not. The network PE can therefore control the forwarding of VPN messages based on the APNID mutual access table, so that mutual access control between CPEs, and hence between branch offices, is realized. It should be understood that as long as the APNIDs corresponding to the CPEs are configured as not mutually accessible, traffic isolation between the CPEs, and between the branch offices corresponding to the CPEs, is achieved.
Alternatively, the APNID may be encapsulated in a header of the VPN message. As one implementation, the VPN message is an Internet Protocol version 6 (IPv6) message, and the APNID may be encapsulated in an IPv6 extension header.
Illustratively, taking fig. 2 as an example, assume CPE 201a is configured with APNID 1, CPE 201b with APNID 2, cloud PE 203a with APNID 3, and cloud PE 203b with APNID 4. An APNID mutual access table may be configured in the network PE to control whether mutual access is allowed between APNIDs. Taking the case where CPE 201a sends a VPN message that is an IPv6 message as an example, when CPE 201a sends the VPN message to network PE 202a or network PE 202b, APNID 1 may be encapsulated in the IPv6 extension header. After receiving the VPN message from CPE 201a, network PE 202a or network PE 202b may first obtain APNID 1 from the IPv6 extension header of the VPN message and treat APNID 1 as the source APNID. Then, network PE 202a or network PE 202b may determine the next hop of the VPN packet according to the routing information, and further determine the APNID corresponding to the next hop as the destination APNID. For example, if the VPN message is destined for CPE 201b, network PE 202a or network PE 202b may determine that the destination APNID is APNID 2; if the VPN message is destined for cloud PE 203a, network PE 202a or network PE 202b may determine that the destination APNID is APNID 3. Further, network PE 202a or network PE 202b may look up the APNID mutual access table according to the source APNID and the destination APNID to determine whether to forward the VPN message to the device corresponding to the destination APNID.
If forwarding to the destination APNID is not allowed as specified in the APNID mutual access table, the network PE 202a or the network PE 202b discards the VPN packet destined for the device corresponding to the destination APNID; if forwarding to the destination APNID is allowed as specified in the APNID mutual access table, network PE 202a or network PE 202b forwards the VPN message to the device corresponding to the destination APNID.
Although the method for performing intercommunication control through the APNID can realize isolation among different branches, the method needs to configure the APNID at each CPE and statically configure a large number of APNID mutual access entries on network PE, and has heavy configuration work. And, if a new branch office is connected to the network PE (i.e., a new CPE is connected to the network PE), the interworking control table in the network PE needs to be actively updated. Based on the implementation mode, the network PE also needs to maintain a local APNID mutual access table in real time, and has high implementation difficulty and cost and is not flexible and convenient.
Based on this, the present application further provides a message forwarding method in which the first communication node may receive a first VPN route from the second communication node and a second VPN route from the third communication node. The second communication node and the third communication node belong to the same VPN. In the event that the first export RT in the first VPN route does not match the second export RT in the second VPN route, the first communication node may generate a first entry indicating that the first communication node is prohibited from forwarding messages from the second communication node to the third communication node. In the event that the first import RT in the first VPN route does not match the second export RT in the second VPN route, the first communication node may generate a second entry indicating that the first communication node is prohibited from forwarding messages from the third communication node to the second communication node. Therefore, when forwarding messages, the first communication node can discard messages sent from the second communication node to the third communication node according to the first entry and discard messages sent from the third communication node to the second communication node according to the second entry, so that traffic isolation between the second communication node and the third communication node is realized. In addition, the first entry and the second entry in this method are generated automatically by the first communication node from the VPN routes of the second communication node and the third communication node; no manual configuration is needed, which can greatly reduce the deployment workload. Moreover, because the entries are generated automatically, when a communication node is newly added to the network the entries can also be updated automatically according to its VPN route, which gives good flexibility.
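The following simulation of the hub (SPE / network PE) side is an added example, not code from the patent or from any vendor: it models the RT matching rule, shows why the default route defeats RT-mismatch isolation at the spokes, and derives the prohibit entries automatically from the RTs carried in the received VPN routes. Node names reuse the figures' labels; the prefixes and data structures are constructed for illustration.

```python
"""Hub-side isolation entries derived from VPN-route RTs (HoVPN hub-spoke).

Constructed example. RT values follow the text's figures (CPE 201a/201b and
CPE 401a-401d); the prefixes and node names are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnRoute:
    """A VPN route as seen by the hub: advertising spoke, the prefix it
    carries, and the import/export RTs configured on that spoke."""
    origin: str
    prefix: str
    import_rt: frozenset
    export_rt: frozenset


def rt(*labels):
    """Helper: build an RT set from 'ASN:nn' strings."""
    return frozenset(labels)


def rt_match(export_rts, import_rts):
    """RT matching rule: a route is imported into a VRF only if at least one
    export RT of the sender equals an import RT of the receiver."""
    return not export_rts.isdisjoint(import_rts)


def spoke_learns(sender, receiver):
    """Would the receiving spoke install the sender's route in its VRF?
    This is all the 'mismatch the RTs' approach can control."""
    return rt_match(sender.export_rt, receiver.import_rt)


def build_isolation_entries(routes):
    """Automatic entry generation at the hub: for every ordered pair of
    spokes (src, dst), prohibit forwarding src -> dst when src's export RT
    matches none of dst's import RTs. Re-running this after a new spoke's
    route arrives updates the table without manual configuration."""
    forbidden = set()
    for src in routes:
        for dst in routes:
            if src.origin != dst.origin and not rt_match(src.export_rt, dst.import_rt):
                forbidden.add((src.origin, dst.origin))
    return forbidden


def hub_forward(src_origin, dst_prefix, routes, forbidden=frozenset()):
    """Forwarding decision at the hub for a packet a spoke sent up its default
    route. The hub imports every spoke route (its RTs match all spokes), so
    without entries it relays spoke-to-spoke traffic the spokes never learned
    routes for; with entries the isolated pairs are dropped."""
    by_prefix = {r.prefix: r for r in routes}
    route = by_prefix.get(dst_prefix)
    if route is None:
        return "drop:no-route"
    if (src_origin, route.origin) in forbidden:
        return "drop:isolated"
    return f"forward:{route.origin}"


# Fig. 2 style: both CPEs import 200:1 and export 100:1 (constructed prefixes).
FIG2_ROUTES = [
    VpnRoute("CPE201a", "10.1.0.0/24", rt("200:1"), rt("100:1")),
    VpnRoute("CPE201b", "10.2.0.0/24", rt("200:1"), rt("100:1")),
]

# Fig. 4 style: 401b and 401d additionally share RT 1000:1, so they may talk.
FIG4_ROUTES = [
    VpnRoute("CPE401a", "10.1.0.0/24", rt("200:1"), rt("100:1")),
    VpnRoute("CPE401b", "10.2.0.0/24", rt("200:1", "1000:1"), rt("100:1", "1000:1")),
    VpnRoute("CPE401c", "10.3.0.0/24", rt("200:1"), rt("100:1")),
    VpnRoute("CPE401d", "10.4.0.0/24", rt("200:1", "1000:1"), rt("100:1", "1000:1")),
]


if __name__ == "__main__":
    a, b = FIG2_ROUTES
    print("spoke 201a learns 201b:", spoke_learns(b, a))            # False
    print("hub, no entries:", hub_forward("CPE201a", b.prefix, FIG2_ROUTES))
    entries = build_isolation_entries(FIG2_ROUTES)
    print("hub, with entries:", hub_forward("CPE201a", b.prefix, FIG2_ROUTES, entries))
    entries4 = build_isolation_entries(FIG4_ROUTES)
    print("fig.4 prohibited pairs:", sorted(entries4))
    print("401b -> 401d:", hub_forward("CPE401b", "10.4.0.0/24", FIG4_ROUTES, entries4))
```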
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. In the description of the present application, "/" means that the related objects are in an "or" relationship unless otherwise specified; for example, A/B may mean A or B. The term "and/or" in this application merely describes an association relationship between associated objects and means that three kinds of relationship may exist; for example, A and/or B may mean: A alone, A and B together, and B alone, where A and B may be singular or plural. Also, in the description of the present application, unless otherwise indicated, "a plurality" means two or more. "At least one of" or the like means any combination of these items, including any combination of single items or plural items. For example, at least one of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, c may be single or plural. In addition, in order to clearly describe the technical solutions of the embodiments of the present application, the words "first", "second", and the like are used in the embodiments to distinguish the same or similar items having substantially the same function and effect. It will be appreciated by those skilled in the art that the words "first", "second", and the like do not limit the number or order of execution, and that the items so labelled need not differ. Meanwhile, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, illustration, or description. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion that may be readily understood.
First, the service scenario or communication system to which the message forwarding method provided by the application applies is introduced.
A schematic diagram of a communication system provided in an embodiment of the present application may be shown in fig. 3, where the communication system may include a first communication node 301, a second communication node 302, and a third communication node 303, and the second communication node 302 and the third communication node 303 may be connected through the first communication node 301.
Alternatively, the first communication node 301, the second communication node 302, and the third communication node 303 may employ a hub-spoke (hub-spoke) networking manner, where the first communication node 301 may be a hub node, and the second communication node 302 and the third communication node 303 may be spoke nodes. The spoke nodes need to communicate with each other through the hub node, for example, the second communication node 302 and the third communication node 303 may communicate through the first communication node 301.
Alternatively, the communication system shown in fig. 3 may be a HoVPN. Wherein the first communication node 301 may be an SPE node, and the second communication node 302 and the third communication node 303 may be UPE nodes.
In addition, the message forwarding method provided by the application can also be applied to the network shown in fig. 1 or fig. 2. Taking fig. 1 as an example, SPE 102a or SPE 102b may be used as a first communication node, UPE 101a may be used as a second communication node, and UPE 101b may be used as a third communication node. Alternatively, SPE 102a or SPE 102b may act as a first communication node, UPE 101b may act as a second communication node, and UPE 101a may act as a third communication node. Taking fig. 2 as an example, network PE 202a or network PE 202b may serve as a first communication node, CPE 201a may serve as a second communication node, and CPE 201b may serve as a third communication node. Alternatively, network PE 202a or network PE 202b may act as a first communication node, CPE 201b may act as a second communication node, and CPE 201a may act as a third communication node.
In addition, a schematic diagram of a communication system may be shown in fig. 4, and referring to fig. 4, the communication system may include a branch office 1, a branch office 2, a branch office 3, a branch office 4, a CPE 401a, a CPE 401b, a CPE 401c, a CPE 401d, a network PE 402a, a network PE 402b, a cloud PE 403a, and a cloud PE 403b. Branch 1 may be connected to network PE 402a via CPE 401a, branch 2 may be connected to network PE 402a via CPE 401b, branch 3 may be connected to network PE 402b via CPE 401c, and branch 4 may be connected to network PE 402b via CPE 401 d. Network PE 402a and network PE 402b may interwork. Cloud PE 403a may be connected to network PE 402a and network PE 402b, and cloud PE 403b may be connected to network PE 402a and network PE 402 b. Cloud PE 403a and cloud PE 403b may be connected to a cloud.
Alternatively, as shown in fig. 4, CPE may be connected to a network PE through a slice private network or a metropolitan area network; for example, CPE 401a and CPE 401b may be connected to network PE 402a and network PE 402b through a slice private network, and CPE 401c and CPE 401d may be connected to network PE 402a and network PE 402b through a metropolitan area network. In particular, referring to fig. 2, the CPE may be connected to an Access Router (AR) in the slice private network or the metropolitan area network, and the network PE may be connected to a Core Router (CR) in the slice private network or the metropolitan area network. Cloud PEs (e.g., cloud PE 403a and cloud PE 403b) may connect with network PEs (e.g., network PE 402a and network PE 402b) through an operator backbone network. Specifically, referring to fig. 2, the cloud PE may connect with the network PE through a P device in the operator backbone network. CPE may be connected to CE equipment in a branch office; e.g., CPE 401a is connected to CE equipment in branch office 1, CPE 401b to CE equipment in branch office 2, CPE 401c to CE equipment in branch office 3, and CPE 401d to CE equipment in branch office 4.
Alternatively, the communication system shown in fig. 4 may be a HoVPN: branch office 1, branch office 2, branch office 3, and branch office 4 may be sites in the HoVPN, the CPEs 401a, 401b, 401c, and 401d may be UPE nodes in the HoVPN, the network PEs 402a and 402b may be SPE nodes in the HoVPN, and the cloud PEs 403a and 403b may be NPE nodes in the HoVPN. The import RT of CPE 401a may be 200:1 and its export RT may be 100:1; the import RT of CPE 401b may include 200:1 and 1000:1 and its export RT may include 100:1 and 1000:1; the import RT of CPE 401c may be 200:1 and its export RT may be 100:1; the import RT of CPE 401d may include 200:1 and 1000:1 and its export RT may include 100:1 and 1000:1; the import RT of network PE 202a and network PE 202b may include 100:1 and 9999:1 and their export RT may include 200:1 and 9999:1; the import RT of cloud PE 203a and cloud PE 203b may be 9999:1 and their export RT may be 9999:1. The RT attributes of the cloud PEs (e.g., cloud PE 403a and cloud PE 403b) and of the CPEs (e.g., CPE 401a, CPE 401b, CPE 401c, and CPE 401d) match the RTs of the network PEs (e.g., network PE 402a and network PE 402b).
In this embodiment, the network PE 402a and the network PE 402b may be first communication nodes, and any two of the CPE 401a, the CPE 401b, the CPE 401c, and the CPE 401d may be first UPE nodes and second UPE nodes.
Alternatively, in fig. 4, network PE 402a and network PE 402b may act as hub nodes, CPE 401a, CPE 401b, CPE 401c, and CPE 401d may act as spoke nodes, and network PE 402a or network PE 402b may form hub-spoke structures with CPE 401a, CPE 401b, CPE 401c, and CPE 401 d. Cloud PE 403a and cloud PE 403b may act as hub nodes, network PE 402a or network PE 402b may form a hub-hub structure with cloud PE 403a, and network PE 402a or network PE 402b may form a hub-hub structure with cloud PE 403 b.
It should be noted that, the network architecture and the service scenario described in the embodiments of the present application are for more clearly describing the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application. The architecture and number of devices of the communication system shown in fig. 1-3 described above is merely an exemplary description. Of course, other numbers of devices in the communication system are possible, as well as other connections. For example, an SPE node may include multiple SPE nodes, each of which may be coupled to both a UPE node and an NPE node. As can be known to those skilled in the art, with the evolution of the network architecture and the appearance of new service scenarios, the technical solution provided in the embodiments of the present application is also applicable to similar technical problems.
Alternatively, the first communication node, the second communication node, and the third communication node in the embodiments of the present application may be a communication device, and the first communication node, the second communication node, and the third communication node may adopt the constituent structures shown in fig. 5 or include the components shown in fig. 5. Fig. 5 is a schematic structural diagram of a communication device according to an embodiment of the present application, as shown in fig. 5, where the communication device 50 includes one or more processors 501, a communication line 502, and at least one communication interface (fig. 5 is merely exemplary and includes a communication interface 503, and a processor 501 is illustrated as an example). Optionally, a memory 504 may also be included.
The processor 501 may be a general purpose central processing unit (central processing unit, CPU), microprocessor, application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the present application.
The communication line 502 may include a pathway for communication between different components.
The communication interface 503, which may be a transceiver module, is used to communicate with other devices or communication networks, such as ethernet, RAN, wireless local area network (wireless local area networks, WLAN), etc. For example, the transceiver module may be a device such as a transceiver, or the like. Optionally, the communication interface 503 may also be a transceiver circuit located in the processor 501, so as to implement signal input and signal output of the processor.
The memory 504 may be a device having a storage function. For example, but not limited to, it may be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be self-contained and coupled to the processor via communication line 502. The memory may also be integrated with the processor.
The memory 504 is used for storing computer-executable instructions for executing the embodiments of the present application, and is controlled by the processor 501 to execute the instructions. The processor 501 is configured to execute computer-executable instructions stored in the memory 504, thereby implementing the multi-hop transmission method provided in the embodiment of the present application.
Alternatively, in the embodiment of the present application, the processor 501 may perform a function related to processing in the multi-hop transmission method provided in the embodiment of the present application, where the communication interface 503 is responsible for communicating with other devices or a communication network, and this embodiment of the present application is not limited specifically.
Alternatively, the computer-executable instructions in the embodiments of the present application may be referred to as application program codes, which are not specifically limited in the embodiments of the present application.
In a particular implementation, as one embodiment, processor 501 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 5.
In a particular implementation, as one embodiment, the communication device 50 may include a plurality of processors, such as processor 501 and processor 507 in fig. 5. Each of these processors may be a single-core processor or a multi-core processor. The processor herein may include, but is not limited to, at least one of: a central processing unit (CPU), microprocessor, digital signal processor (DSP), microcontroller unit (MCU), or artificial intelligence processor, each of which may include one or more cores for executing software instructions to perform operations or processes.
In a specific implementation, as an embodiment, the communication apparatus 50 may further include an output device 505 and an input device 506. The output device 505 communicates with the processor 501 and may display information in a variety of ways. For example, the output device 505 may be a liquid crystal display (liquid crystal display, LCD), a light emitting diode (light emitting diode, LED) display device, a Cathode Ray Tube (CRT) display device, or a projector (projector), or the like. The input device 506 is in communication with the processor 501 and may receive user input in a variety of ways. For example, the input device 506 may be a mouse, a keyboard, a touch screen device, a sensing device, or the like.
The above-described communication apparatus 50 may also be sometimes referred to as a communication device, and may be a general-purpose device or a dedicated device. For example, the communication apparatus 50 may be a network device such as a router, a switch, a gateway, or the like, or a device having a similar structure as in fig. 5. The embodiments of the present application are not limited in the type of communication device 50.
The following describes a message forwarding method provided in an embodiment of the present application with reference to fig. 1 to 5. The apparatus in the embodiments described below may have the components shown in fig. 5. Terms and the like related to the embodiments of the present application may refer to each other without limitation. In the embodiments of the present application, the name of a message or the name of a parameter in a message is just an example, and other names may be used in a specific implementation without limitation.
In a possible embodiment, taking a communication system as a HoVPN as an example, a flowchart of a message forwarding method provided in the embodiment of the present application may be shown in fig. 6. Referring to fig. 6, the message forwarding method may include the steps of:
In step 601, the first UPE node sends a first VPN route to the target SPE node, and accordingly, the target SPE node receives the first VPN route from the first UPE node. The first VPN route includes a first node identification (node ID) of the first UPE node, a first VPN identification (VPN ID), a first ingress RT, and a first egress RT.
In step 602, the second UPE node sends the second VPN route to the target SPE node, and accordingly, the target SPE node receives the second VPN route from the second UPE node. The second VPN route includes a second node identification of the second UPE node, a second VPN identification, a second ingress RT, and a second egress RT.
Illustratively, taking fig. 1 as an example, SPE 102a and/or SPE 102b may be target SPE nodes. The UPE 101a may be a first UPE node and the UPE 101b may be a second UPE node. Alternatively, the UPE 101b can be a first UPE node and the UPE 101a can be a second UPE node. Based on this, SPE 102a and/or SPE 102b may receive VPN routes from UPE 101a and UPE 101 b.
Also for example, taking fig. 2 as an example, network PE 202a and/or network PE 202b may be target SPE nodes. CPE 201a may be a first UPE node and CPE 201b may be a second UPE node. Alternatively, CPE 201b may be a first UPE node and CPE 201a may be a second UPE node. Network PE 202a and/or network PE 202b may receive VPN routes from CPE 201a and CPE 201 b.
Also illustratively, taking fig. 3 as an example, the target SPE node may be the first communication node. The first UPE node may be a second communication node and the second UPE node may be a third communication node. Alternatively, the first UPE node may be a third communication node and the second UPE node may be a second communication node. The first communication node may receive VPN routes from the second communication node and the third communication node.
Also for example, taking fig. 4 as an example, network PE 402a and/or network PE 402b may be target SPE nodes. CPE 401a may be a first UPE node and CPE 401b, 401c, and 401d may be a second UPE node. Alternatively, CPE 401b may be a first UPE node and CPE 401a, 401c, and 401d may be a second UPE node. Alternatively, CPE 401c may be a first UPE node and CPE 401a, 401b, and 401d may be a second UPE node. Alternatively, CPE 401d may be a first UPE node and CPE 401a, 401b, and 401c may be a second UPE node. Network PE 402a and/or network PE 402b may receive VPN routes from CPE 401a, CPE 401b, CPE 401c, and CPE 401 d.
Optionally, the first UPE node and the second UPE node are spoke nodes, and the target SPE node is a hub node.
Optionally, if the target SPE node forwards messages based on MPLS, the first VPN route and the second VPN route may be MPLS VPN routes. The MPLS VPN route may be a VPN-IPv4 route (VPNv4 route for short).
Alternatively, if the target SPE node forwards messages based on segment routing over the IPv6 forwarding plane (segment routing IPv6, SRv6), the first VPN route and the second VPN route may be SRv6 VPN routes. The SRv6 VPN route may include a VPNv4 route and an SRv6 VPN segment ID (SID), among others.
Alternatively, the BGP running between the SPE node and UPE node may be a multiprotocol extension of BGP (multiprotocol extensions for BGP, MP-BGP). The first VPN route may be carried in a first BGP message and the second VPN route may be carried in a second BGP message.
In this embodiment, the first node identifier is an identifier defined for a first UPE node, where the first node identifier is used to identify the first UPE node. The second node identification is an identification defined for a second UPE node, the second node identification being used to identify the second UPE node.
As one possible implementation, the first node identifier may be part or all of the field content of the IP address of the first UPE node, and the second node identifier may be part or all of the field content of the IP address of the second UPE node, where the IP address may be an IPv4 address or an IPv6 address. For example, if the target SPE node forwards messages based on MPLS, the first node identifier may be part or all of the field content of the IPv4 address of the first UPE node, and the second node identifier may be part or all of the field content of the IPv4 address of the second UPE node. If the target SPE node forwards messages based on SRv6, the first node identifier may be part or all of the field content of the IPv6 address of the first UPE node, and the second node identifier may be part or all of the field content of the IPv6 address of the second UPE node. Optionally, a configuration instruction may indicate to the first UPE node that its first node identifier is part or all of the field content of its IP address, so that the first UPE node may use its IP address as the first node identifier, carried in the advertised route or in forwarded messages.
Alternatively, the first VPN route may carry the IP address of the first UPE node. As a possible implementation manner, part or all of field contents of the IP address of the first UPE node may be indicated to the target SPE node in advance to be the first node identifier, so that the target SPE node may directly obtain the first node identifier according to the IP address of the first UPE node in the first VPN route, and the first UPE node does not need to additionally indicate the first node identifier to the target SPE node. Wherein the IP address of the first UPE node may be carried in a next hop (next hop) field of the first VPN route. As another possible implementation, even if the first node identifier is part or all of the field content of the IP address of the first UPE node, the first node identifier may still be carried in an extension type-length-value (TLV) field of the first BGP message, where the first node identifier is indicated to the target SPE node through the TLV. Likewise, the second VPN route may also carry an IP address of the second UPE node, and the indication manner of the second node identifier may refer to the description of the indication manner of the first node identifier.
Alternatively, if the target SPE node forwards messages based on SRv6, the first UPE node may have a first SRv6 VPN SID. As another possible implementation, the first node identification may be part or all of the location (locator) field in the first SRv6 VPN SID of the first UPE node. Similarly, if the target SPE node forwards messages based on SRv6, the second UPE node may have a second SRv6 VPN SID, and the second node identifier may be part or all of the content of the locator field in the second SRv6 VPN SID of the second UPE node.
Alternatively, where the first VPN route is an SRV6 VPN route, the first VPN route may include the first SRV6 VPN SID. As a possible implementation manner, a target SPE node may agree that part or all of the content of the locator field in the first SRV6 VPN SID is the first node identifier, so that the target SPE node may directly obtain the first node identifier according to the first SRV6 VPN SID carried by the first VPN route, without additionally indicating the first node identifier. As one possible implementation, even if the first node identifier is part or all of the locator field in the first SRV6 VPN SID, the first node identifier may still be carried in the extended TLV field of the first BGP message, and indicates, through the TLV, the first node identifier to the target SPE node. Likewise, the second VPN route may also include a second SRV6 VPN SID, and the indication of the second node identity may refer to the description of the indication of the first node identity.
The SRV6 VPN SID is one of SRV6 SIDs, the SRV6 SID may include a plurality of kinds, and various SRV6 SIDs are divided according to functions, and field structures are similar. For example, fig. 7 shows a schematic diagram of a field structure of an SRV6 SID, and as shown in fig. 7, the SRV6 SID may include three fields of a location (locator), a function (function), and parameters (parameters), where the locator is a field for identifying a node location, the function is a field for identifying a service and a function, and the parameters are fields for storing related parameters. Alternatively, the structures of the first SRV6 VPN SID and the second SRV6 VPN SID may be as shown in fig. 7.
The SRV6 SID is in the form of an IPv6 address, and the locator field in the SRV6 SID may also be referred to as an SRV6 locator address.
Alternatively, the IPv6 address and the SRV6 locator address may be structured: within a given network many of their fields are identical, and only a portion of the fields actually uniquely identifies a device. Thus, a first UPE node may be identified by taking a partial field from the IPv6 address of the first UPE node or from the locator address in its SRV6 VPN SID, and a second UPE node may be identified by taking a partial field from the IPv6 address of the second UPE node or from the locator address in its SRV6 VPN SID. In this way the first node identification and the second node identification can be kept simple.
By way of example, taking the SRV6 locator address as an example, fig. 8 shows another field structure schematic diagram of the SRV6 SID. As shown in fig. 8, the SRV6 SID may include three fields, locator, function, and parameters, where the locator field may specifically include fields such as a fixed prefix, a type, a province identifier, a reserved field, a network domain, a segment reserved field, and a node identifier. In general, the province identifier plus the node identifier in the locator field can uniquely identify a certain device in a certain province. Assuming that the structure of the first SRV6 VPN SID is as shown in fig. 8, the province identifier plus node identifier in the locator field of the first SRV6 VPN SID may be used as the first node identifier. Assuming that the structure of the second SRV6 VPN SID is as shown in fig. 8, the province identifier plus node identifier in the locator field of the second SRV6 VPN SID may be used as the second node identifier.
It should be noted that, because the VPN packet sent by the first UPE node on the forwarding plane will carry the IP address of the first UPE node and the first SRV6 VPN SID, the first UPE node identification is made by using the IP address of the first UPE node or a part or all of the fields of the locator fields in the first SRV6 VPN SID, so that the target SPE node can conveniently identify the first UPE node. Similarly, the VPN message sent by the second UPE node on the forwarding plane may carry the IP address of the second UPE node and the second SRV6 VPN SID, and the second UPE node identifier is a part or all of fields of the locator field in the IP address of the second UPE node or the second SRV6 VPN SID, so that the target SPE node may conveniently identify the second UPE node.
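The derivation of a node identifier from the locator field of an SRv6 SID described above (fig. 8), as an added example that is not part of the patent: the patent names the locator sub-fields but gives no bit widths, so the layout below, the 16-bit function field, and the sample SIDs are all assumptions constructed for illustration. It shows that two SIDs of the same device (same locator, different function) yield the same node identifier, while a device with the same node number in a different province does not.

```python
"""
Added example (not from the patent): extracting the first/second node identifier
from the locator field of an SRv6 VPN SID in the style of fig. 8.
All field widths below are ASSUMED; the patent only names the fields.
"""
import ipaddress

# Assumed locator layout, most significant field first, totalling 64 bits.
LOCATOR_LAYOUT = [
    ("fixed_prefix", 16),
    ("type", 4),
    ("province_id", 8),
    ("reserved", 4),
    ("network_domain", 8),
    ("segment_reserved", 8),
    ("node_id", 16),
]
LOCATOR_BITS = sum(width for _, width in LOCATOR_LAYOUT)  # 64 (assumed)
FUNCTION_BITS = 16                                         # assumed width of the function field


def parse_locator(sid):
    """Split the locator (the top LOCATOR_BITS of the 128-bit SID) into named fields."""
    value = int(ipaddress.IPv6Address(sid))
    locator = value >> (128 - LOCATOR_BITS)
    fields = {}
    shift = LOCATOR_BITS
    for name, width in LOCATOR_LAYOUT:
        shift -= width
        fields[name] = (locator >> shift) & ((1 << width) - 1)
    return fields


def node_identifier(sid):
    """Node identifier = (province identifier, node identifier), as the fig. 8 note suggests.

    Works on any address sharing the device's locator, i.e. on the SRv6 VPN SID
    carried in the route or on the IPv6 source address of a forwarded packet.
    """
    fields = parse_locator(sid)
    return (fields["province_id"], fields["node_id"])


def function_field(sid):
    """The function field immediately follows the locator (assumed 16 bits wide)."""
    value = int(ipaddress.IPv6Address(sid))
    shift = 128 - LOCATOR_BITS - FUNCTION_BITS
    return (value >> shift) & ((1 << FUNCTION_BITS) - 1)


# Constructed sample SIDs (not from the patent):
#   2001:12c0:500:a1:100::  -> province 0x2c, node 0xa1, function 0x100
#   2001:12c0:500:a1:200::  -> same device, a second VPN SID (function 0x200)
#   2001:12c0:500:b2:100::  -> another device in the same province
#   2001:1310:500:a1:100::  -> node 0xa1 again, but in province 0x31
if __name__ == "__main__":
    for sid in ("2001:12c0:500:a1:100::", "2001:12c0:500:a1:200::",
                "2001:12c0:500:b2:100::", "2001:1310:500:a1:100::"):
        print(sid, "->", node_identifier(sid), "function", hex(function_field(sid)))
```

Because the identifier is taken only from the locator, the SPE can recognise the source UPE of a data-plane packet without keeping a full SID-to-node mapping; the trade-off is that the identifier is only as trustworthy as the address, so a forwarding-plane check should use the locator bits the network actually allocates per device, not a guessed layout.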
As a further possible implementation, the first node identification and the second node identification may not multiplex existing fields, but rather preconfigured special values. In this case, the first node identification may be carried in an extension TLV field of the first BGP message and the second node identification may be carried in an extension TLV field of the second BGP message.
In this embodiment of the present application, the first import RT and the first export RT may be RT values configured for the first UPE node, and the second import RT and the second export RT may be RT values configured for the second UPE node.
Illustratively, in connection with fig. 4, taking the example of the first UPE node being CPE 401a and the second UPE node being CPE 401b, the first import RT may be 200:1, the first export RT may be 100:1, the second import RT may include 200:1 and 1000:1, and the second export RT may include 100:1 and 1000:1.
Alternatively, the first ingress RT and the first egress RT may be located in an extended community attribute of the first BGP message, and the second ingress RT and the second egress RT may be located in an extended community attribute of the second BGP message.
In this embodiment of the present application, the first VPN identifier is a VPN identifier configured for the first UPE node, where the first VPN identifier is used to identify a VPN to which the first UPE node belongs. The second VPN identifier is a VPN identifier configured for the second UPE node, where the second VPN identifier is used to identify a VPN to which the second UPE node belongs. Alternatively, the first VPN identification and the second VPN identification may be pre-configured special values.
As one possible implementation, the first VPN identification may be carried in an extension TLV field of the first BGP message and the second VPN identification may be carried in an extension TLV field of the second BGP message.
As another possible implementation, where the first VPN route is an SRV6 VPN route and includes a first SRv6 VPN SID, the first VPN identification may be carried in the function or parameters field of the first SRv6 VPN SID. Where the second VPN route is an SRV6 VPN route and includes a second SRv6 VPN SID, the second VPN identification may be carried in the function or parameters field of the second SRv6 VPN SID.
Alternatively, the first node identification and the first VPN identification may be located in different extension TLV fields of the first BGP message, and the second node identification and the second VPN identification may be located in different extension TLV fields of the second BGP message.
Alternatively, if the first UPE node and the second UPE node belong to the same VPN, the first VPN identification and the second VPN identification may be the same. If the first UPE node and the second UPE node belong to different VPNs, the first VPN identification and the second VPN identification may be different.
It should be noted that, if the first UPE node and the second UPE node that perform step 601 and step 602 are default to belong to the same VPN, the first VPN identifier may not be included in the first VPN route, and the second VPN identifier may not be included in the second VPN route. The target SPE node may default to processing in accordance with the first UPE node and the second UPE node belonging to the same VPN.
Step 603, the target SPE node determines whether the first UPE node and the second UPE node belong to the same VPN according to the first VPN identifier and the second VPN identifier.
If the first VPN identification is the same as the second VPN identification, the target SPE node may determine that the first UPE node and the second UPE node belong to the same VPN. If the first VPN identification and the second VPN identification are different, the target SPE node may determine that the first UPE node and the second UPE node belong to different VPNs.
It should be noted that, the target SPE node will only continue to execute the subsequent steps if it is determined that the first UPE node and the second UPE node belong to the same VPN. Optionally, if the SPE node determines that the first UPE node and the second UPE node do not belong to the same VPN, the SPE node may store the first VPN route and the second VPN route, and no additional processing is performed.
It should be noted that if the first UPE node and the second UPE node belong to the same VPN by default, step 603 may not be performed.
After performing step 603, the target SPE node may compare the first exported RT in the first VPN route with the second imported RT in the second VPN route, performing step 604 or step 606 described below. And the target SPE node may compare the first incoming RT in the first VPN route with the second outgoing RT in the second VPN route, performing step 605 or step 607 described below. It should be noted that step 604 or step 606 may be performed first, and then step 605 or step 607 may be performed; step 605 or step 607 may be performed first, and then step 604 or step 606 may be performed, which is not limited in this application, and step 604 or step 606 is illustrated in fig. 6 as an example.
Steps 604 through 607 are as follows:
In step 604, in response to the first export RT and the second import RT not matching, the target SPE node generates a first entry, where the first entry stores the correspondence between the first node identifier, the second node identifier, and first indication information, and the first indication information indicates that the target SPE node is prohibited from forwarding messages from the first UPE node to the second UPE node.
In the event that the first export RT does not have the same value as the second import RT, the target SPE node may determine that the first export RT and the second import RT do not match.
Illustratively, in connection with fig. 4, taking the example of the target SPE node being network PE 402a or network PE 402b, the first UPE node being CPE 401a, and the second UPE node being CPE 401b, the first export RT may be 100:1 and the second import RT may include 200:1 and 1000:1. The first export RT does not have the same value as the second import RT, so network PE 402a or network PE 402b may determine that the first export RT and the second import RT do not match. Alternatively, taking the example of the first UPE node being CPE 401a and the second UPE node being CPE 401c, the first export RT may be 100:1 and the second import RT may be 200:1. The first export RT and the second import RT do not have the same value either, so network PE 402a or network PE 402b may determine that the first export RT and the second import RT do not match.
In the embodiment of the application, if the first export RT and the second import RT are not matched, the target SPE node may consider that communication in the direction from the first UPE node to the second UPE node is prohibited. The target SPE node generating the first entry may be configured to determine not to forward based on the first entry when the target SPE node forwards a message received from the first UPE node to the second UPE node.
Alternatively, the first entry may be stored in the form of a forwarding relationship from the source node to the destination node. For example, the first entry may be as shown in table 1, the first node identification may be located in the source node entry, the second node identification may be located in the destination node entry, and the first indication information may be located in the forwarding relationship entry.
TABLE 1
Source node | Destination node | Forwarding relationship
First node identification | Second node identification | Forbidden forwarding
Illustratively, in connection with fig. 4, taking the first UPE node as CPE 401a and the second UPE node as CPE 401b as an example, assuming that the node identifier of CPE 401a is CPE 401a and the node identifier of CPE 401b is CPE 401b, the first entry generated by network PE 402a or network PE 402b may be as shown in table 2.
TABLE 2
Source node | Destination node | Forwarding relationship
CPE 401a | CPE 401b | Forbidden forwarding
As another example, in connection with fig. 4, taking the first UPE node as CPE 401a and the second UPE node as CPE 401c as an example, assuming that the node identifier of CPE 401a is CPE 401a and the node identifier of CPE 401c is CPE 401c, the first entry generated by network PE 402a or network PE 402b may be as shown in table 3.
TABLE 3
Source node | Destination node | Forwarding relationship
CPE 401a | CPE 401c | Forbidden forwarding
In step 605, in response to the first import RT and the second export RT not matching, the target SPE node generates a second entry, where the second entry stores the correspondence between the second node identifier, the first node identifier, and second indication information, and the second indication information indicates that the target SPE node is prohibited from forwarding messages from the second UPE node to the first UPE node.
In the event that the first import RT does not have the same value as the second export RT, the target SPE node may determine that the first import RT and the second export RT do not match.
Illustratively, in connection with fig. 4, taking the example of the first UPE node being CPE 401a and the second UPE node being CPE 401b, the first import RT may be 200:1 and the second export RT may include 100:1 and 1000:1. The first import RT does not have the same value as the second export RT, so the first import RT and the second export RT do not match. Alternatively, taking the example of the first UPE node being CPE 401a and the second UPE node being CPE 401c, the first import RT may be 200:1 and the second export RT may be 100:1. The first import RT does not have the same value as the second export RT either, so the first import RT and the second export RT do not match.
In the embodiment of the application, if the first import RT and the second export RT are not matched, the target SPE node may consider that communication in the direction from the second UPE node to the first UPE node is prohibited. The target SPE node may generate a second entry from which it is determined not to forward when the target SPE node forwards a message received from the second UPE node to the first UPE node.
Alternatively, the second entry may be stored in the form of a forwarding relationship from the source node to the destination node. For example, the second entry may be as shown in table 4, the second node identification may be in the source node entry, the first node identification may be in the destination node entry, and the second indication information may be in the forwarding relationship entry.
TABLE 4
Source node | Destination node | Forwarding relationship
Second node identification | First node identification | Forbidden forwarding
Of course, the second entry may have other storage forms, which the present application is not limited to.
Illustratively, in connection with fig. 4, taking the first UPE node as CPE 401a and the second UPE node as CPE 401b as an example, assuming that the node identifier of CPE 401a is CPE 401a and the node identifier of CPE 401b is CPE 401b, the second entry generated by network PE 402a or network PE 402b may be as shown in table 5.
TABLE 5
Source node | Destination node | Forwarding relationship
CPE 401b | CPE 401a | Forbidden forwarding
As another example, in connection with fig. 4, taking the first UPE node as CPE 401a and the second UPE node as CPE 401c as an example, assuming that the node identifier of CPE 401a is CPE 401a and the node identifier of CPE 401c is CPE 401c, the second entry generated by network PE 402a or network PE 402b may be as shown in table 6.
TABLE 6
Source node | Destination node | Forwarding relationship
CPE 401c | CPE 401a | Forbidden forwarding
In step 606, the target SPE node responds to the matching of the first export RT and the second import RT to generate a third entry, where the third entry stores the correspondence between the first node identifier, the second node identifier and third indication information, and the third indication information indicates that the target SPE node is allowed to forward the message from the first UPE node to the second UPE node.
In the event that the first export RT and the second import RT have the same value, the target SPE node may determine that the first export RT and the second import RT match.
Illustratively, in connection with fig. 4, taking the first UPE node as CPE 401b and the second UPE node as CPE 401d as an example, the first export RT may include 100:1 and 1000:1, and the second import RT may include 200:1 and 1000:1. The first export RT and the second import RT have the same value, 1000:1, so the first export RT and the second import RT match.
In the embodiment of the application, if the first export RT and the second import RT are matched, the target SPE node may consider that communication in the direction from the first UPE node to the second UPE node is allowed. The target SPE node may generate a third entry from which it may determine to forward when it forwards a message received from the first UPE node to the second UPE node.
Alternatively, the third entry may be stored in the form of a forwarding relationship from the source node to the destination node. For example, the third entry may be as shown in table 7, where the first node identification may be located in the source node entry, the second node identification may be located in the destination node entry, and the third indication information may be located in the forwarding relationship entry.
TABLE 7
Source node | Destination node | Forwarding relationship
First node identification | Second node identification | Allowing forwarding
By way of example, in connection with fig. 4, taking the first UPE node as CPE 401b and the second UPE node as CPE 401d as an example, assuming that the node identifier of CPE 401b is CPE 401b and the node identifier of CPE 401d is CPE 401d, the third entry generated by network PE 402a or network PE 402b may be as shown in table 8.
TABLE 8
Source node | Destination node | Forwarding relationship
CPE 401b | CPE 401d | Allowing forwarding
In step 607, the target SPE node generates a fourth entry in response to the matching of the first import RT and the second export RT, where the fourth entry stores the second node identifier, and the corresponding relationship between the first node identifier and fourth indication information, where the fourth indication information indicates that the target SPE node is allowed to forward the message from the second UPE node to the first UPE node.
In the event that the first import RT and the second export RT have the same value, the target SPE node may determine that the first import RT and the second export RT are matched.
Illustratively, in connection with fig. 4, taking the first UPE node as CPE 401b and the second UPE node as CPE 401d as an example, the first import RT may include 200:1 and 1000:1, and the second export RT may include 100:1 and 1000:1. The first import RT and the second export RT have the same value, "1000:1", so the first import RT and the second export RT are matched.
In the embodiment of the application, if the first import RT and the second export RT are matched, the target SPE node may consider that communication in the direction from the second UPE node to the first UPE node is allowed. The target SPE node may generate a fourth entry, according to which it may determine to forward a message received from the second UPE node to the first UPE node.
Optionally, the fourth entry may be stored in the form of a forwarding relationship from a source node to a destination node. For example, the fourth entry may be as shown in table 9: the second node identification is located in the source node column, the first node identification in the destination node column, and the fourth indication information in the forwarding relationship column.
TABLE 9
Source node | Destination node | Forwarding relationship
Second node identification | First node identification | Allowing forwarding
By way of example, in connection with fig. 4, taking the first UPE node as CPE 401b and the second UPE node as CPE 401d as an example, assuming that the node identifier of CPE 401b is CPE 401b and the node identifier of CPE 401d is CPE 401d, the fourth entry generated by network PE 402a or network PE 402b may be as shown in table 10.
Table 10
Source node | Destination node | Forwarding relationship
CPE 401d | CPE 401b | Allowing forwarding
Step 604 and step 606 are two parallel steps for different cases, and step 605 and step 607 are two parallel steps for different cases; the target SPE node executes only one of each pair of parallel steps. For example, the target SPE node may generate either a first entry or a third entry from the first export RT and the second import RT, and only one of the two can exist. Likewise, the target SPE node may generate either a second entry or a fourth entry from the first import RT and the second export RT, and only one of the two can exist.
In summary, in the method for forwarding a packet provided in the present application, the first VPN route sent by the first UPE node to the target SPE node may include a first node identifier of the first UPE node, a first VPN identifier, a first import RT and a first export RT, and the second VPN route sent by the second UPE node to the target SPE node may include a second node identifier of the second UPE node, a second VPN identifier, a second import RT and a second export RT. The target SPE node may determine whether the first UPE node and the second UPE node belong to the same VPN based on the first VPN identifier and the second VPN identifier. In the case where the first UPE node and the second UPE node belong to the same VPN: if the first export RT and the second import RT do not match, the target SPE node may generate a first entry indicating that forwarding of messages from the first UPE node to the second UPE node is not allowed; if the first import RT and the second export RT do not match, the target SPE node may generate a second entry indicating that forwarding of messages from the second UPE node to the first UPE node is not allowed.
Based on this scheme, in a scenario in which the first UPE node and the second UPE node communicate via relay through the target SPE node, if the export RT of the first UPE node does not match the import RT of the second UPE node, the target SPE node does not forward messages sent from the first UPE node to the second UPE node, according to the first entry. If the import RT of the first UPE node does not match the export RT of the second UPE node, the target SPE node does not forward messages sent from the second UPE node to the first UPE node, according to the second entry. Thus, communication reachability between the first UPE node and the second UPE node can be controlled by configuring the RTs of the first UPE node and the second UPE node. By configuring the export RTs and import RTs of different UPEs so that they do not match, traffic isolation between those UPEs is achieved.
It should be noted that the solution of the present application is also applicable where a Route Reflector (RR) is deployed between the UPEs (e.g., the first UPE and the second UPE) and the SPE (e.g., the target SPE), which gives the solution greater deployment flexibility.
Optionally, after performing step 604 above, the method may further include:
In step 608, the first UPE node sends a third VPN route to the target SPE node, and accordingly, the target SPE node receives the third VPN route from the first UPE node. The third VPN route includes the first node identifier of the first UPE node, a third import RT and a third export RT.
Wherein the third import RT may be different from the first import RT and the third export RT may be different from the first export RT. In other words, the first UPE node updates the RT.
Step 609, the target SPE node responds to the matching of the third export RT and the second import RT, updates the first entry, and the updated first entry stores the corresponding relationship between the first node identifier, the second node identifier and the third indication information, where the third indication information indicates that the target SPE node is allowed to forward the message from the first UPE node to the second UPE node.
In this embodiment of the present application, in a case where a first export RT previously sent by a first UPE node does not match a second import RT of a second UPE node, a third export RT updated subsequently by the first UPE node may match the second import RT of the second UPE node.
Illustratively, in connection with fig. 4, taking the first UPE node as CPE 401a and the second UPE node as CPE 401b as an example, assume that the first export RT of the first UPE node, "100:1", is updated to the third export RT "100:1 and 1000:1". Then the updated third export RT of the first UPE node, "100:1 and 1000:1", and the second import RT of the second UPE node, "200:1 and 1000:1", have the same value, "1000:1". Thus, the third export RT and the second import RT match.
In this case, the target SPE node may update the first entry previously generated indicating that forwarding of the message from the first UPE node to the second UPE node is prohibited to the first entry indicating that forwarding of the message from the first UPE node to the second UPE node is allowed.
Illustratively, the first entry may be updated from the contents shown in Table 1 to the contents shown in Table 11 below. It can be seen that the updated first entry has changed in indication information compared to the first entry before the update, and the indication information in the first entry is updated from the first indication information to the third indication information.
TABLE 11
Source node | Destination node | Forwarding relationship
First node identification | Second node identification | Allowing forwarding
In step 610, the target SPE node updates the second entry in response to the matching of the third import RT and the second export RT, and the updated second entry stores the correspondence between the second node identifier, the first node identifier and fourth indication information, where the fourth indication information indicates that the target SPE node is allowed to forward the message from the second UPE node to the first UPE node.
In this embodiment of the present application, in a case where a first import RT previously sent by a first UPE node does not match a second export RT of a second UPE node, a third import RT updated subsequently by the first UPE node may match the second export RT of the second UPE node.
Illustratively, in connection with fig. 4, taking the first UPE node as CPE 401a and the second UPE node as CPE 401b as an example, assume that the first import RT of the first UPE node, "200:1", is updated to the third import RT "200:1 and 1000:1". Then the updated third import RT of the first UPE node, "200:1 and 1000:1", and the second export RT of the second UPE node, "100:1 and 1000:1", have the same value, "1000:1". Thus, the third import RT and the second export RT match.
In this case, the target SPE node may update the previously generated second entry indicating that forwarding of the message from the second UPE node to the first UPE node is prohibited to the second entry indicating that forwarding of the message from the second UPE node to the first UPE node is allowed.
Illustratively, the second entry may be updated from the contents shown in Table 4 to the contents shown in Table 12 below. It can be seen that the updated second entry has changed in indication information compared to the second entry before the update, and the indication information in the second entry is updated from the second indication information to the fourth indication information.
Table 12
Source node | Destination node | Forwarding relationship
Second node identification | First node identification | Allowing forwarding
As can be seen from steps 608 through 610, in the case where the first UPE is isolated from the second UPE, the first UPE and the second UPE can be made to be mutually accessible by reconfiguring the RT of the first UPE.
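As an added illustration, not code from the patent application or from the applicant, the following Python model walks through steps 604 to 610 for the fig. 4 nodes: it stores the latest VPN route per UPE, applies the matching rule stated above (an export RT and an import RT match when they share at least one value), writes one entry per direction keyed by source and destination node identifier, and overwrites those entries when a UPE re-advertises its route with new RTs. The class and function names (VpnRoute, SpeNode, rt_match, run_example) and the VPN identifier "VPN 1" are the example's own assumptions; the RT values are those used in the examples above.

```python
"""Control-plane entry generation at the target SPE node (steps 604-610).

Added example, not code from the patent application.  Class and function
names are this example's own; RT values follow the fig. 4 examples.
"""
from dataclasses import dataclass

# Indication information stored in an entry: the first/second indication
# information prohibits forwarding, the third/fourth allows it.
ALLOW = "allow forwarding"
DENY = "prohibit forwarding"


@dataclass(frozen=True)
class VpnRoute:
    """Fields of a VPN route as received by the SPE node."""
    node_id: str            # node identifier of the advertising UPE
    vpn_id: str             # VPN identifier (assumed value "VPN 1" below)
    import_rt: frozenset    # import RTs of the UPE
    export_rt: frozenset    # export RTs of the UPE


def rt_match(export_rt, import_rt):
    """RTs match when the export RT and the import RT share at least one value."""
    return bool(export_rt & import_rt)


class SpeNode:
    """Keeps the latest VPN route per UPE and one forwarding entry per direction."""

    def __init__(self):
        self.routes = {}    # node_id -> latest VpnRoute
        self.entries = {}   # (source node id, destination node id) -> ALLOW / DENY

    def receive_route(self, route):
        """Store the route and (re)compute entries against every other UPE in
        the same VPN.  A re-advertised route with new RTs (step 608) simply
        overwrites the earlier entries, which is the update of steps 609/610."""
        self.routes[route.node_id] = route
        for other in self.routes.values():
            if other.node_id != route.node_id and other.vpn_id == route.vpn_id:
                self._update_pair(route, other)

    def _update_pair(self, a, b):
        # Direction a -> b: a's export RT against b's import RT (steps 604/606).
        # Direction b -> a: a's import RT against b's export RT (steps 605/607).
        # Exactly one of each pair of parallel steps applies.
        self.entries[(a.node_id, b.node_id)] = (
            ALLOW if rt_match(a.export_rt, b.import_rt) else DENY)
        self.entries[(b.node_id, a.node_id)] = (
            ALLOW if rt_match(a.import_rt, b.export_rt) else DENY)

    def entry_table(self):
        """Entries as (source node, destination node, forwarding relationship) rows."""
        return [(src, dst, rel) for (src, dst), rel in sorted(self.entries.items())]


# Constructed routes following the fig. 4 examples: CPE 401b and CPE 401d share
# RT 1000:1 on both import and export; CPE 401a initially does not.
CPE_401A = VpnRoute("CPE 401a", "VPN 1", frozenset({"200:1"}), frozenset({"100:1"}))
CPE_401B = VpnRoute("CPE 401b", "VPN 1", frozenset({"200:1", "1000:1"}),
                    frozenset({"100:1", "1000:1"}))
CPE_401D = VpnRoute("CPE 401d", "VPN 1", frozenset({"200:1", "1000:1"}),
                    frozenset({"100:1", "1000:1"}))
# Step 608: CPE 401a re-advertises with the third import RT and third export RT.
CPE_401A_UPDATED = VpnRoute("CPE 401a", "VPN 1", frozenset({"200:1", "1000:1"}),
                            frozenset({"100:1", "1000:1"}))


def run_example():
    """Return the CPE 401a -> CPE 401b entry before and after the RT update."""
    spe = SpeNode()
    for route in (CPE_401A, CPE_401B, CPE_401D):
        spe.receive_route(route)
    before = spe.entries[("CPE 401a", "CPE 401b")]
    spe.receive_route(CPE_401A_UPDATED)
    after = spe.entries[("CPE 401a", "CPE 401b")]
    return before, after


if __name__ == "__main__":
    spe = SpeNode()
    for route in (CPE_401A, CPE_401B, CPE_401D):
        spe.receive_route(route)
    for row in spe.entry_table():
        print(" | ".join(row))
    print("CPE 401a -> CPE 401b before/after update:", run_example())
```

Running the module prints the six entries the SPE holds for the three CPEs (CPE 401a isolated from both others, CPE 401b and CPE 401d mutually reachable), then the CPE 401a to CPE 401b entry before and after CPE 401a's RT update. Because each entry is recomputed whenever either side re-advertises, the isolation this scheme provides is only as strong as the RT configuration on the spokes: an operator auditing the hub should confirm that spoke pairs which must stay isolated have no value in common between one side's export RT and the other side's import RT, in either direction.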
It should be noted that the foregoing embodiment of the method corresponding to fig. 6 is described from the perspective of the control plane; the following describes another method for forwarding a message provided in the present application from the perspective of the forwarding plane. Fig. 9 shows a flowchart of another method for forwarding a message provided in the present application, and as shown in fig. 9, the method may include the following steps.
Step 901, the first UPE node sends a first VPN message to the target SPE node, and accordingly, the target SPE node receives the first VPN message from the first UPE node. The next-hop node of the first VPN message is a second UPE node, and the first UPE node and the second UPE node belong to the same VPN.
Illustratively, taking fig. 4 as an example, the target SPE node may be a network PE 402a or a network PE 402b, the first UPE node may be a CPE 401a, and the second UPE node may be a CPE 401b. Network PE 402a or network PE 402b may receive a first VPN message from CPE 401a to CPE 401b.
Optionally, the target SPE node, the first UPE node and the second UPE node form a hub-spoke network, in which the target SPE node may be the hub node and the first UPE node and the second UPE node may be spoke nodes. Messages transmitted between the first UPE node and the second UPE node must be forwarded by the target SPE node.
It should be understood that, because the next-hop node of the first VPN packet is the second UPE node, the target SPE node may determine, after receiving the first VPN packet, a forwarding tunnel to the second UPE node according to the routing information.
However, in the embodiment of the present application, after determining the next hop of the first VPN packet according to the routing information, the target SPE node does not immediately forward the first VPN packet, but first checks the locally stored entry information to determine whether to forward the first VPN packet to the next hop.
For a received first VPN message from a first UPE node to a second UPE node, the target SPE node may perform step 902 or step 903 described below. Step 902 and step 903 are as follows:
Step 902: if the target SPE node locally stores the first entry, the target SPE node determines to discard the first VPN packet according to the first entry, where the first entry includes a first node identifier of the first UPE node, a second node identifier of the second UPE node, and first indication information, and the first indication information indicates that the target SPE node is prohibited from forwarding a packet from the first UPE node to the second UPE node.
Illustratively, taking fig. 4 as an example, the target SPE node is a network PE 402a or a network PE 402b, the first UPE node is a CPE 401a, the second UPE node is a CPE 401b, and the first entry stored in the network PE 402a or the network PE 402b may be as shown in table 2. After receiving the packet sent from CPE 401a to CPE 401b, network PE 402a or network PE 402b may determine the outgoing tunnel to CPE 401b according to the routing information, but since the first entry shown in table 2 is locally stored, network PE 402a or network PE 402b may determine not to forward the packet any more, and may discard the packet.
Step 903: if the target SPE node locally stores a third entry, the target SPE node determines to forward the first VPN message according to the third entry, where the third entry includes a first node identifier of the first UPE node, a second node identifier of the second UPE node, and third indication information, and the third indication information indicates that the target SPE node is allowed to forward the message from the first UPE node to the second UPE node.
Illustratively, taking fig. 4 as an example, the target SPE node is a network PE 402a or a network PE 402b, the first UPE node is a CPE 401b, the second UPE node is a CPE 401d, and the third entry stored in the network PE 402a or the network PE 402b may be as shown in table 8. After receiving a message sent from CPE 401b to CPE 401d, network PE 402a or network PE 402b may determine an outbound tunnel to CPE 401d according to the routing information. And, either network PE 402a or network PE 402b may determine from the third entry that forwarding of the message to CPE 401d is allowed. Thus, either network PE 402a or network PE 402b can forward the message to CPE 401d according to the egress tunnel.
It should be noted that, the first entry and the third entry are both queried by the target SPE node according to the first node identifier and the second node identifier.
Optionally, prior to step 902 or step 903, the target SPE node may also perform:
Step 904, the target SPE node obtains a first node identifier of the first UPE node and a second node identifier of the second UPE node.
The first node identifier may be carried in a first VPN message, and the target SPE node may directly obtain the first node identifier according to the first VPN message. The first node identification may refer to the associated description of the first node identification in step 602.
The carrying manner of the first node identifier may be as follows:
(1) Scenario of message forwarding based on SRv6: as a possible implementation, the first VPN packet may carry a first VPN SID of the first UPE node, the first node identifier may be carried in the locator field of the first VPN SID, and the first node identifier may be part or all of the field contents of the locator field of the first VPN SID.
As another possible implementation manner, the first node identifier may be carried in a source IPv6 address of the first VPN message, and the first node identifier may be part or all of field contents of the source IPv6 address of the first VPN message.
As another possible implementation, the first node identification may be encapsulated in an IPv6 extension header of the first VPN message.
(2) Scenario of message forwarding based on MPLS: as one possible implementation, the first node identifier may be carried in an extended MPLS label of the first VPN message, and the target SPE node may obtain the first node identifier through label switching. The first node identifier carried in the extended MPLS label may be part or all of the IPv4 address of the first UPE node, or a preconfigured value. Compared with the prior art, the extended MPLS label is an additional label added to the message specifically for carrying the first node identifier.
For the second node identifier, the target SPE node may determine the second node identifier according to the first VPN message and the routing information stored in the target SPE node.
(1) Scenario of message forwarding based on SRv6: after receiving the first VPN message, the target SPE node may first find the VRF corresponding to the first UPE node according to the first SRv6 VPN SID. The routing information in that VRF can then be queried according to the destination address of the first VPN message to determine the information of the next-hop node (namely the information of the second UPE node). The information of the second UPE node obtained by the target SPE node from the routing information may include the second SRv6 VPN SID. Further, the target SPE node may determine the second node identifier of the second UPE node from the second SRv6 VPN SID.
(2) Scene of message forwarding based on MPLS: firstly, after receiving a first VPN message, a target SPE node may find a VRF corresponding to a first UPE node according to a label of the first VPN message (the label is a label encapsulated by the first UPE node). The routing information in the VRF may then be queried based on the destination address to determine information for the next hop node (i.e., information for the second UPE node). The information of the second node obtained by the target SPE node according to the routing information may include a label corresponding to the second UPE node. Further, the target SPE node may determine, according to the label corresponding to the second UPE node, a second node identifier of the second UPE node.
It should be appreciated that in the scenario of packet forwarding based on SRv6, the routing information stored in the target SPE node is SRv6 VPN routing information, and in the scenario of packet forwarding based on MPLS, the routing information stored in the target SPE node is MPLS VPN routing information.
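The forwarding-plane check of steps 901 to 904 in the SRv6 case, written as an added Python example (not code from the patent application or the applicant): the SPE derives the source node identifier from the locator field of the VPN SID carried in the packet, looks the inner destination up in the VRF to find the next-hop UPE's SID and hence the destination node identifier, and only then consults the entry table. The example assumes a single VRF, a /64 locator, that the node identifier is the whole locator field (the page also allows a part of it), and that a packet for which no entry exists is discarded, following the rule that forwarding takes place only when an entry allows it; the addresses, SIDs, VRF contents, entry table and function names (node_id_from_sid, vrf_lookup, forward_decision) are constructed for the example.

```python
"""Forwarding-plane check at the target SPE node (steps 901-904), SRv6 case.

Added example, not code from the patent application.  Addresses, SIDs, the
VRF and the entry table are constructed; a /64 locator and a single VRF are
assumed.
"""
import ipaddress

ALLOW = "allow forwarding"     # third / fourth indication information
DENY = "prohibit forwarding"   # first / second indication information
LOCATOR_LEN = 64               # assumed locator length of the SRv6 VPN SIDs


def node_id_from_sid(sid):
    """Node identifier = locator field of an SRv6 VPN SID (step 904).

    Assumes the whole locator is used as the identifier."""
    return str(ipaddress.IPv6Network((sid, LOCATOR_LEN), strict=False))


# Constructed VRF: customer prefix -> SRv6 VPN SID of the next-hop UPE.
VRF = {
    ipaddress.IPv6Network("2001:db8:a::/48"): "2001:db8:100:a::1",  # behind CPE 401a
    ipaddress.IPv6Network("2001:db8:b::/48"): "2001:db8:100:b::1",  # behind CPE 401b
    ipaddress.IPv6Network("2001:db8:d::/48"): "2001:db8:100:d::1",  # behind CPE 401d
}

# Constructed entry table keyed by (source node id, destination node id), as the
# control plane of fig. 6 would produce for fig. 4: CPE 401a isolated from
# CPE 401b, CPE 401b and CPE 401d mutually reachable.
ENTRIES = {
    (node_id_from_sid("2001:db8:100:a::1"), node_id_from_sid("2001:db8:100:b::1")): DENY,
    (node_id_from_sid("2001:db8:100:b::1"), node_id_from_sid("2001:db8:100:a::1")): DENY,
    (node_id_from_sid("2001:db8:100:b::1"), node_id_from_sid("2001:db8:100:d::1")): ALLOW,
    (node_id_from_sid("2001:db8:100:d::1"), node_id_from_sid("2001:db8:100:b::1")): ALLOW,
}


def vrf_lookup(vrf, dst):
    """Longest-prefix match of the inner destination address in the VRF."""
    best = None
    for prefix, next_hop_sid in vrf.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop_sid)
    return None if best is None else best[1]


def forward_decision(packet, vrf=VRF, entries=ENTRIES):
    """Decide what the SPE does with a received VPN packet.

    packet: {"vpn_sid": VPN SID of the sending UPE carried in the packet,
             "dst": inner destination address}
    Returns ("forward", next_hop_sid) or ("drop", reason).
    """
    src_id = node_id_from_sid(packet["vpn_sid"])
    dst = ipaddress.IPv6Address(packet["dst"])
    # Routing lookup first: this alone is what a plain SPE would forward on.
    next_hop_sid = vrf_lookup(vrf, dst)
    if next_hop_sid is None:
        return ("drop", "no route")
    dst_id = node_id_from_sid(next_hop_sid)
    # Then the entry check: step 902 discards, step 903 forwards.  A missing
    # entry is treated as "not allowed" (assumption: fail closed).
    relation = entries.get((src_id, dst_id))
    if relation == ALLOW:
        return ("forward", next_hop_sid)
    if relation == DENY:
        return ("drop", f"entry prohibits {src_id} -> {dst_id}")
    return ("drop", f"no entry for {src_id} -> {dst_id}")


if __name__ == "__main__":
    # Constructed packets: CPE 401a -> site behind CPE 401b (isolated) and
    # CPE 401b -> site behind CPE 401d (allowed).
    print(forward_decision({"vpn_sid": "2001:db8:100:a::1", "dst": "2001:db8:b::10"}))
    print(forward_decision({"vpn_sid": "2001:db8:100:b::1", "dst": "2001:db8:d::10"}))
```

The point the page makes is visible in the order of the two lookups: the route lookup succeeds for the CPE 401a packet (the hub has a route to every spoke), and it is the entry check, keyed by the node identifiers rather than by the route, that causes the discard. Logging the reason string returned on a drop gives an operator a direct signal that a spoke attempted to reach an isolated peer.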
Fig. 10 shows a flowchart of yet another method for forwarding a message provided in the present application, and as shown in fig. 10, the method may include the following steps.
In step 1001, the second UPE node sends a second VPN message to the target SPE node, and accordingly, the target SPE node receives the second VPN message from the second UPE node. The next-hop node of the second VPN message is a first UPE node, where the first UPE node and the second UPE node belong to the same VPN.
Illustratively, taking fig. 4 as an example, the target SPE node may be network PE 402a or network PE 402b, the second UPE node may be CPE 401b, and the first UPE node may be CPE 401a. Network PE 402a or network PE 402b may receive a second VPN message from CPE 401b to CPE 401a.
Optionally, the target SPE node, the first UPE node and the second UPE node form a hub-spoke network, in which the target SPE node may be the hub node and the first UPE node and the second UPE node may be spoke nodes. Messages transmitted between the first UPE node and the second UPE node must be forwarded by the target SPE node.
It should be understood that, because the next-hop node of the second VPN packet is the first UPE node, after receiving the second VPN packet the target SPE node may determine, according to the routing information, a forwarding tunnel to the first UPE node.
However, in the embodiment of the present application, after determining the next hop of the second VPN packet according to the routing information, the target SPE node does not immediately forward the second VPN packet, but first checks the locally stored entry information to determine whether to forward the second VPN packet to the next hop.
For a received second VPN message from a second UPE node to a first UPE node, the target SPE node may perform step 1002 or step 1003 described below. Steps 1002 and 1003 are as follows:
step 1002, if the target SPE node locally stores a second entry, the target SPE node determines to discard the second VPN packet according to the second entry, where the second entry includes a second node identifier of the second UPE node, a first node identifier of the first UPE node, and second indication information, and the second indication information indicates that the target SPE node is prohibited from forwarding a packet from the second UPE node to the first UPE node.
Illustratively, taking fig. 4 as an example, the target SPE node is network PE 402a or network PE 402b, the second UPE node is CPE 401b, the first UPE node is CPE 401a, and the second entry stored in network PE 402a or network PE 402b may be as shown in table 5. After receiving the packet sent from CPE 401b to CPE 401a, network PE 402a or network PE 402b may determine the outgoing tunnel to CPE 401a based on the routing information, but since the second entry shown in table 5 is stored locally, network PE 402a or network PE 402b determines that the packet is not to be forwarded and may discard it.
In step 1003, if the target SPE node locally stores a fourth entry, the target SPE node determines to forward the second VPN packet according to the fourth entry, where the fourth entry includes a second node identifier of the second UPE node, a first node identifier of the first UPE node, and fourth indication information, and the fourth indication information indicates that the target SPE node is allowed to forward the packet from the second UPE node to the first UPE node.
Illustratively, taking fig. 4 as an example, the target SPE node is a network PE 402a or a network PE 402b, the second UPE node is a CPE 401d, the first UPE node is a CPE 401b, and the fourth entry stored in the network PE 402a or the network PE 402b may be as shown in table 10. After receiving a message sent from CPE 401d to CPE 401b, network PE 402a or network PE 402b may determine an outbound tunnel to CPE 401b according to the routing information. And, either network PE 402a or network PE 402b may determine from the fourth entry that forwarding of the message to CPE 401b is allowed. Thus, either network PE 402a or network PE 402b can forward the message to CPE 401b according to the egress tunnel.
It should be noted that, the second entry and the fourth entry are both queried by the target SPE node according to the first node identifier and the second node identifier.
Optionally, prior to step 1002 or step 1003, the target SPE node may also perform: step 1004, the target SPE node obtains a first node identifier of the first UPE node and a second node identifier of the second UPE node.
The second node identifier may be carried in a second VPN message, and the first node identifier may be determined by the target SPE node according to the second VPN message and routing information stored in the target SPE node.
Step 1004 may refer to the description of step 904. The second node identifier may refer to the related description of the first node identifier in step 904, and the first node identifier may refer to the related description of the second node identifier in step 904, which is not described herein.
According to the method embodiments corresponding to fig. 9 and fig. 10, it can be seen that, in the method for forwarding a message provided in the present application, when a target SPE node receives a message transmitted between different UPE nodes (such as a first UPE node and a second UPE node), the target SPE node does not forward directly according to the routing information after querying it, but also queries the locally stored entry information. Forwarding is performed only when the entry information indicates that forwarding is permitted; when the entry information indicates that forwarding is not allowed, the message is discarded. Based on this method, traffic isolation between different UPE nodes can be realized according to configuration.
Optionally, for the HoVPN scenario, even if the SPE node sends a default route to the UPE node so that any message arrives at the SPE node, the SPE node may also view the entry information before forwarding the message, so that traffic isolation between UPE nodes may be implemented, and traffic isolation between different branches may also be implemented.
It should be noted that the foregoing embodiments are several exemplary descriptions of the packet forwarding method provided in the present application.
Based on the above exemplary method embodiment, the present application further proposes a message forwarding method, which may be applied to a first communication node, as shown in fig. 11, and the method includes the following steps:
Step 1101, the first communication node receives a first VPN route from the second communication node, the first VPN route comprising a first node identification of the second communication node, a first import RT and a first export RT.
Step 1102, the first communication node receives a second VPN route from the third communication node, the second VPN route including a second node identification of the third communication node, a second import RT and a second export RT. The second communication node and the third communication node belong to the same VPN.
Optionally, the first communication node may be the target SPE node in the embodiments shown in fig. 6, 9 or 10, the second communication node may be the first UPE node in those embodiments, and the third communication node may be the second UPE node in those embodiments. Thus, for the first communication node, the second communication node and the third communication node, reference may be made to the descriptions of the target SPE node, the first UPE node and the second UPE node, respectively, in the above embodiments.
Steps 1101 and 1102 may refer to the descriptions of steps 601 and 602, for example, the first node identifier, the second node identifier, the first import RT, the first export RT, the second import RT, and the second export RT may refer to the descriptions in the above embodiments.
Note that, the message forwarding method corresponding to fig. 11 is a scheme for a case where the second communication node and the third communication node belong to the same VPN.
Optionally, the first VPN route may also include a first VPN identification of the second communication node, and the second VPN route may also include a second VPN identification of the third communication node. In this case, the first communication node may determine, according to the first VPN identifier and the second VPN identifier, that the second communication node and the third communication node belong to the same VPN. The first VPN identification and the second VPN identification may each be referred to the description in the above embodiments.
In step 1103, the first communication node generates a first entry in response to the first export RT and the second import RT not matching, where the first entry stores the correspondence between the first node identifier, the second node identifier and first indication information, and the first indication information indicates that the first communication node is prohibited from forwarding a message from the second communication node to the third communication node.
Step 1103 may refer to the relevant description of step 604, and will not be described in detail herein. Wherein the first item may refer to the related description of the first item in the above embodiment.
In step 1104, the first communication node generates a second entry in response to the first import RT and the second export RT not matching, where the second entry stores the correspondence between the second node identifier, the first node identifier and second indication information, and the second indication information indicates that the first communication node is prohibited from forwarding a message from the third communication node to the second communication node.
Step 1104 may refer to the relevant description of step 605 and is not repeated here. Wherein the second item may refer to the relevant description of the second item in the above embodiments.
Optionally, after step 1103, the method may further comprise steps 1105 and 1106.
In step 1105, the first communication node receives a third VPN route from the second communication node, the third VPN route including the first node identification of the second communication node, a third import RT and a third export RT.
This step 1105 may refer to the relevant description of step 608, and will not be described in detail here. Wherein the third VPN route may refer to the description of the third VPN route in step 608.
In step 1106, the first communication node updates the first entry in response to the matching of the third export RT and the second import RT, and the updated first entry stores the correspondence between the first node identifier, the second node identifier and third indication information, where the third indication information indicates that the first communication node is allowed to forward the message from the second communication node to the third communication node.
This step 1106 may be described with reference to step 609, and will not be described in detail herein. Wherein updating the first entry may refer to updating the description of the first entry in step 609.
Based on the method embodiment corresponding to fig. 11, in the case that the RT values of the second communication node and the third communication node are not matched, the first communication node can generate a first entry and a second entry for prohibiting message forwarding between the second communication node and the third communication node, so that the method can realize isolation between the second communication node and the third communication node.
It should be noted that, the first entry and the second entry are independent from the routing information, and the first communication node queries the entry after querying the routing information during data forwarding, so that the first communication node can still isolate the second communication node from the third communication node even if the second communication node and the third communication node are reachable.
The method embodiment corresponding to fig. 11 is described taking the case in which the first communication node generates the first entry and the second entry as an example. Alternatively, the first communication node may also generate a third entry and a fourth entry. For example, step 1107 may be performed instead of step 1104 described above: the first communication node generates a third entry in response to the matching of the first export RT and the second import RT, the third entry stores the correspondence between the first node identification, the second node identification and third indication information, and the third indication information indicates that the first communication node is allowed to forward a message from the second communication node to the third communication node. For another example, step 1108 may be performed instead of step 1105 described above: the first communication node generates a fourth entry in response to the matching of the first import RT and the second export RT, the fourth entry stores the correspondence between the second node identification, the first node identification and fourth indication information, and the fourth indication information indicates that the first communication node is allowed to forward a message from the third communication node to the second communication node. The third entry may refer to the third entry in the above embodiments and the content of step 1107 may refer to the related description of step 606; the fourth entry may refer to the fourth entry in the above embodiments and the content of step 1108 may refer to the related description of step 607.
Based on the above exemplary method embodiment, the present application further proposes a message forwarding method, which may be applied to a first communication node, as shown in fig. 12, and the method includes the following steps:
Step 1201: the first communication node receives a first VPN message from the second communication node, and the next hop to which the first communication node forwards the first VPN message is the third communication node, where the second communication node and the third communication node belong to the same VPN.
The first communication node may be a target SPE node in the above method embodiment, the second communication node may be a first UPE node in the above method embodiment, and the third communication node may be a second UPE node in the above method embodiment. The content of this step 1201 can be referred to the relevant description in step 901.
Step 1202, the first communication node determines to discard the first VPN message according to a first entry, where the first entry includes a first node identifier of the second communication node, a second node identifier of the third communication node, and first indication information, and the first indication information indicates that the first communication node is prohibited from forwarding a message from the second communication node to the third communication node.
The first entry may be the first entry in the above embodiment, and the content of step 1202 may refer to the related description of step 902.
Illustratively, taking fig. 1 as an example, the first communication node may be SPE 102a or SPE 102b, the second communication node may be UPE 101a, and the third communication node may be UPE 101b; SPE 102a or SPE 102b then discards the message sent from UPE 101a to UPE 101b. The second communication node may also be UPE 101b and the third communication node UPE 101a; SPE 102a or SPE 102b then discards the message sent from UPE 101b to UPE 101a. Thus, based on this approach, isolation of UPE 101a from UPE 101b can be achieved.
Based on the method embodiment corresponding to fig. 12, when forwarding a message, the first communication node can determine, according to the locally generated first entry, to discard the message from the second communication node to the third communication node. It should be appreciated that the entry is queried after the routing information is queried, independent of routing reachability. Isolation of the second communication node from the third communication node can therefore be controlled based on this method.
The method embodiment corresponding to fig. 12 is described by taking the case in which the first communication node generates the first entry as an example. Alternatively, if the first communication node generates the third entry, step 1203 may be performed instead of step 1202 described above: the first communication node determines to forward the first VPN message according to a third entry, where the third entry includes the first node identifier of the second communication node, the second node identifier of the third communication node and third indication information, and the third indication information indicates that the first communication node is allowed to forward the message from the second communication node to the third communication node. The third entry may be the third entry in the above embodiment, and the content of step 1203 may refer to the related description of step 903.
It should be noted that, in the above method embodiment, the actions of the first communication node may be performed by the processor 501 in the communication device 50 shown in fig. 5 calling the application code stored in the memory 504 to instruct the first communication node to execute them; the actions of the second communication node may likewise be performed by the processor 501 in the communication device 50 shown in fig. 5 calling the application code stored in the memory 504 to instruct the second communication node to execute them; and the actions of the third communication node may be performed by the processor 501 in the communication device 50 shown in fig. 5 calling the application code stored in the memory 504 to instruct the third communication node to execute them.
It will be appreciated that in the above embodiments, the method and/or steps implemented by the first communication node may also be implemented by a component (e.g. a chip or a circuit) available to the first communication node, the method and/or steps implemented by the second communication node may also be implemented by a component (e.g. a chip or a circuit) available to the second communication node, the method and/or steps implemented by the third communication node may also be implemented by a component (e.g. a chip or a circuit) available to the third communication node.
Optionally, the embodiment of the application further provides a communication device, which is used for implementing the various methods. The communication device may be the first communication node in the above-described method embodiment, or a device comprising the first communication node, or a component usable with the first communication node. The communication device may also be the second communication node in the above-mentioned method embodiment, or a device comprising the second communication node, or a component usable for the second communication node. The communication device may also be the third communication node in the above embodiment of the method, or a device comprising the third communication node, or a component that may be used in the third communication node. It will be appreciated that the communication device, in order to achieve the above-described functions, comprises corresponding hardware structures and/or software modules performing the respective functions. Those of skill in the art will readily appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the functional modules of the communication device may be divided according to the above embodiment of the method, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated modules may be implemented in hardware or in software functional modules. It should be noted that, in the embodiment of the present application, the division of the modules is schematic, which is merely a logic function division, and other division manners may be implemented in actual implementation.
Fig. 13 shows a schematic structural diagram of a communication device 130. The communication device 130 includes a transceiver module 1301 and a processing module 1302. The transceiver module 1301 may also be referred to as a transceiver unit, and may be, for example, a transceiver circuit, a transceiver, or a communication interface.
Taking the communication device 130 as the first communication node in the above method embodiment as an example:
the transceiver module 1301 may be configured to receive a first VPN route from a second communication node, the first VPN route including a first node identification of the second communication node, a first import RT and a first export RT. The transceiver module 1301 may be further configured to receive a second VPN route from the third communication node, the second VPN route including a second node identification of the third communication node, a second import RT and a second export RT, where the second communication node and the third communication node belong to the same VPN. The processing module 1302 may be configured to generate a first entry in response to the first export RT and the second import RT not matching, the first entry storing a correspondence between the first node identification, the second node identification and first indication information, where the first indication information indicates that the first communication node is prohibited from forwarding a message from the second communication node to the third communication node. The processing module 1302 may be further configured to generate a second entry in response to the first import RT and the second export RT not matching, the second entry storing a correspondence between the second node identification, the first node identification and second indication information, where the second indication information indicates that the first communication node is prohibited from forwarding a message from the third communication node to the second communication node.
Optionally, the first VPN route further comprises a first VPN identification of the second communication node, and the second VPN route further comprises a second VPN identification of the third communication node. The processing module 1302 may be specifically configured to: and determining that the second communication node and the third communication node belong to the same VPN according to the first VPN identifier and the second VPN identifier.
Optionally, the transceiver module 1301 is further configured to receive a third VPN route from the second communication node, the third VPN route including the first node identification of the second communication node, a third import RT and a third export RT. The processing module 1302 is further configured to update the first entry in response to the third export RT matching the second import RT, where the updated first entry stores a correspondence between the first node identification, the second node identification and third indication information, the third indication information indicating that the first communication node is allowed to forward a message from the second communication node to the third communication node.
Optionally, the transceiver module 1301 may be configured to receive a first VPN packet from a second communication node, where the first communication node forwards a next hop of the first VPN packet to be a third communication node, and the second communication node and the third communication node belong to the same VPN. The processing module 1302 may be configured to determine to discard the first VPN message based on a first entry, where the first entry includes a first node identification of the second communication node, a second node identification of the third communication node, and first indication information indicating that the first communication node is prohibited from forwarding a message from the second communication node to the third communication node.
Optionally, when determining the second node identifier according to the first VPN packet and the routing information stored in the first communication node, the processing module 1302 may specifically be configured to: first, query the routing information stored in the first communication node according to the destination IP address of the first VPN message and determine the second SRv6 VPN SID of the third communication node; then, determine the second node identifier of the third communication node based on the second SRv6 VPN SID.
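As an added illustration (not code from the patent or from the applicant), the following Python sketch shows the two halves of the method described above working together: the control-plane step that compares the import and export RTs of VPN routes received from two UPE nodes and records a prohibit or allow entry per node pair, and the data-plane step that looks up the route first and only then consults the entry, so that an entry can drop a packet whose destination is reachable. It also shows the entry being recomputed when a later route from the same node (the third VPN route) carries matching RTs. Everything about the SID layout is assumed rather than taken from the page: the locator is the top 64 bits of the SID and carries the node identifier, the following 16-bit function field carries the VPN identifier, RTs are plain strings, each UPE advertises one prefix per VPN, and a packet's source address is the sender's SID. The addresses, RT values and the `Spe`, `VpnRoute`, `node_id_from_sid` and `vpn_id_from_sid` names are constructed for this example.

```python
# Added example, not code from the patent: an SPE-style node that builds
# per-node-pair isolation entries from received VPN routes and consults
# them after the route lookup when forwarding.
# Assumptions (not stated on the page): SID locator = top 64 bits, carrying
# the node identifier; 16-bit function field after it carries the VPN
# identifier; RTs are strings; one prefix per UPE per VPN; the packet's
# source address is the sending UPE's SID.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

LOCATOR_BITS = 64      # assumed locator length
FUNCTION_BITS = 16     # assumed function-field length


def node_id_from_sid(sid: str) -> int:
    """Node identifier = locator field of the SRv6 VPN SID (claims 5, 7)."""
    return int(IPv6Address(sid)) >> (128 - LOCATOR_BITS)


def vpn_id_from_sid(sid: str) -> int:
    """VPN identifier = function field of the SRv6 VPN SID (claim 9)."""
    shift = 128 - LOCATOR_BITS - FUNCTION_BITS
    return (int(IPv6Address(sid)) >> shift) & ((1 << FUNCTION_BITS) - 1)


@dataclass(frozen=True)
class VpnRoute:
    prefix: str       # customer prefix reachable behind the advertising UPE
    sid: str          # SRv6 VPN SID carrying node id and VPN id
    import_rt: str
    export_rt: str


class Spe:
    """First communication node: routing information and entries are kept apart."""

    def __init__(self) -> None:
        self.routes: dict[tuple[int, int], VpnRoute] = {}   # (node id, vpn id) -> route
        # (src node id, dst node id) -> False (prohibited: first/second entry)
        #                               or True (allowed: third/fourth entry)
        self.entries: dict[tuple[int, int], bool] = {}

    def receive_route(self, route: VpnRoute) -> None:
        node, vpn = node_id_from_sid(route.sid), vpn_id_from_sid(route.sid)
        self.routes[(node, vpn)] = route   # a newer route from the same node replaces the old one
        for (other_node, other_vpn), other in self.routes.items():
            if other_node == node or other_vpn != vpn:
                continue                   # only routes of the same VPN are compared
            # node -> other_node is allowed only if node's export RT matches other's import RT
            self.entries[(node, other_node)] = route.export_rt == other.import_rt
            # other_node -> node is allowed only if node's import RT matches other's export RT
            self.entries[(other_node, node)] = route.import_rt == other.export_rt

    def forward(self, src_sid: str, dst_ip: str) -> str:
        """Route lookup first, then the entry; the entry wins even if the route is reachable."""
        dst = IPv6Address(dst_ip)
        best = None
        for route in self.routes.values():
            net = IPv6Network(route.prefix)
            if dst in net and (best is None or net.prefixlen > IPv6Network(best.prefix).prefixlen):
                best = route
        if best is None:
            return "no-route"
        src_node, dst_node = node_id_from_sid(src_sid), node_id_from_sid(best.sid)
        if self.entries.get((src_node, dst_node), True) is False:
            return "drop"
        return f"forward to {best.sid}"


def demo() -> tuple[str, str, str]:
    """Constructed hub-and-spoke scenario: two spoke UPEs in VPN 1 behind one SPE."""
    spe = Spe()
    # Spokes export the spoke RT and import only the hub RT, so their RTs never cross-match.
    upe_a = VpnRoute("2001:db8:100::/48", "2001:db8:0:a:1::", import_rt="100:1", export_rt="100:2")
    upe_b = VpnRoute("2001:db8:200::/48", "2001:db8:0:b:1::", import_rt="100:1", export_rt="100:2")
    spe.receive_route(upe_a)
    spe.receive_route(upe_b)
    before = spe.forward("2001:db8:0:a:1::", "2001:db8:200::1")   # route exists, entry prohibits
    # Third VPN route from UPE a: its export RT now matches UPE b's import RT (claim 16).
    spe.receive_route(VpnRoute("2001:db8:100::/48", "2001:db8:0:a:1::",
                               import_rt="100:2", export_rt="100:1"))
    after = spe.forward("2001:db8:0:a:1::", "2001:db8:200::1")
    reverse = spe.forward("2001:db8:0:b:1::", "2001:db8:100::1")
    return before, after, reverse


if __name__ == "__main__":
    print(demo())
```

Unlike the first embodiment on this page, which generates entries only for mismatching RTs and updates the first entry when a later route's export RT matches, this sketch stores an explicit allow or prohibit value for both directions of every pair on every route it receives, which covers the third and fourth entries of the alternative embodiment as well; the forwarding decision is the same, because a missing entry and an allow entry both forward.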
It should be noted that, all relevant contents of each step related to the above method embodiment may be cited to the functional description of the corresponding functional module, which is not described herein. Since the communication device 130 provided in the present embodiment can execute the above-mentioned message transmission method, the technical effects obtained by the method can be referred to the above-mentioned method embodiment, and will not be described herein.
Alternatively, the first communication node, the second communication node, or the third communication node in the embodiments of the present application may also be referred to as a communication apparatus, which may be a general-purpose device or a special-purpose device, which is not specifically limited in the embodiments of the present application.
In the present embodiment, the communication device 130 is presented in a form in which the respective functional modules are divided in an integrated manner. A "module" herein may refer to a particular ASIC, an electronic circuit, a processor and memory that execute one or more software or firmware programs, an integrated logic circuit, and/or other device that can provide the described functionality. In a simple embodiment, one skilled in the art will appreciate that the communication device 130 may take the form of the communication device 50 shown in fig. 5.
For example, the processor 501 in the communication device 50 shown in fig. 5 may cause the communication device 50 to execute the message transmission method in the above-described method embodiment by calling the computer-executable instructions stored in the memory 504.
Specifically, the functions/implementation of the transceiver module 1301 and the processing module 1302 in fig. 10 may be implemented by the processor 501 in the communication apparatus 50 shown in fig. 5 invoking the computer-executable instructions stored in the memory 504. Alternatively, the functions/implementation of the transceiver module 1301 in fig. 10 may be implemented by the communication interface 503 in the communication apparatus 50 shown in fig. 5, and the functions/implementation of the processing module 1302 in fig. 10 may be implemented by the processor 501 in the communication apparatus 50 shown in fig. 5 invoking the computer-executable instructions stored in the memory 504.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, e.g., the division of the elements is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, indirect coupling or communication connection of devices or units, electrical, mechanical, or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
In the above embodiments, it may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using a software program, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by a wired (e.g., coaxial cable, fiber optic, digital subscriber line (Digital Subscriber Line, DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device including one or more servers, data centers, etc. that can be integrated with the medium. The usable medium may be a magnetic medium (e.g., a floppy Disk, a hard Disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a Solid State Disk (SSD)), or the like.
As used in this application, the terms "component," "module," "system," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, the components may be, but are not limited to: a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of example, both an application running on a computing device and the computing device can be a component. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers. Furthermore, these components can execute from various computer readable media having various data structures thereon. The components may communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as the internet with other systems by way of the signal).
The present application presents various aspects, embodiments, or features about systems that may include multiple devices, components, modules, etc. It is to be understood and appreciated that the various systems may include additional devices, components, modules, etc. and/or may not include all of the devices, components, modules etc. discussed in connection with the figures. Furthermore, combinations of these schemes may also be used.
In addition, in the embodiments of the present application, the term "exemplary" is used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the term use of an example is intended to present concepts in a concrete fashion.
In the embodiment of the present application, information, signals, messages, channels may be mixed in some cases, and it should be noted that, when the distinction is not emphasized, the meaning to be expressed is consistent. "of", "corresponding" and "corresponding" are sometimes used in combination, and it should be noted that the meaning of the expression is consistent when the distinction is not emphasized. "System" and "network" are sometimes used interchangeably, and are intended to be synonymous when de-emphasizing their distinction, e.g., "communication network" refers to "communication system".
The network architecture and the service scenario described in the embodiments of the present application are for more clearly describing the technical solution of the embodiments of the present application, and do not constitute a limitation on the technical solution provided in the embodiments of the present application, and those skilled in the art can know that, with the evolution of the network architecture and the appearance of the new service scenario, the technical solution provided in the embodiments of the present application is also applicable to similar technical problems.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (32)

1. A method of forwarding a message, performed by a first communication node, the method comprising:
receiving a first VPN route from a second communication node, the first VPN route comprising a first node identification of the second communication node, a first import RT and a first export RT;
receiving a second VPN route from a third communication node, the second VPN route comprising a second node identification of the third communication node, a second import RT and a second export RT, wherein the second communication node and the third communication node belong to the same VPN;
generating a first entry in response to the first export RT and the second import RT not matching, the first entry storing a correspondence of the first node identification, the second node identification and first indication information, the first indication information indicating that the first communication node is prohibited from forwarding messages from the second communication node to the third communication node;
and generating a second entry in response to the first import RT and the second export RT not matching, the second entry storing a correspondence of the second node identification, the first node identification and second indication information, the second indication information indicating that the first communication node is prohibited from forwarding messages from the third communication node to the second communication node.
2. The method of claim 1, wherein the first export RT and the second import RT do not match if the first export RT does not have the same value as the second import RT.
3. The method according to claim 1 or 2, wherein the first VPN route further comprises a first VPN identification of the second communication node, and the second VPN route further comprises a second VPN identification of the third communication node; the method further comprises:
determining, according to the first VPN identification and the second VPN identification, that the second communication node and the third communication node belong to the same VPN.
4. The method according to any of claims 1-3, wherein the first VPN route and the second VPN route are both Internet Protocol version 6 segment routing (SRv6) VPN routes.
5. The method of claim 4, wherein the first node identification is part or all of the content of the source IPv6 address field of the second communication node, and the second node identification is part or all of the content of the source IPv6 address field of the third communication node.
6. The method of claim 4, wherein the first VPN route comprises a first SRv6 VPN SID, the first SRv6 VPN SID carrying the first node identification; and the second VPN route comprises a second SRv6 VPN SID, the second SRv6 VPN SID carrying the second node identification.
7. The method of claim 6, wherein the first node identification is located in a locator field of the first SRv6 VPN SID, and the second node identification is located in a locator field of the second SRv6 VPN SID.
8. The method of any of claims 4-7, wherein the first VPN route comprises a first SRv6 VPN SID, the first SRv6 VPN SID carrying a first VPN identification of the second communication node; and the second VPN route comprises a second SRv6 VPN SID, the second SRv6 VPN SID carrying a second VPN identification of the third communication node.
9. The method of claim 8, wherein the first VPN identification is located in a function field or a parameter field of the first SRv6 VPN SID, and the second VPN identification is located in a function field or a parameter field of the second SRv6 VPN SID.
10. The method according to any of claims 1-3, wherein the first VPN route and the second VPN route are multiprotocol label switching (MPLS) VPN routes.
11. The method of claim 10, wherein the first node identification is part or all of the content of the source IPv4 address field of the second communication node, and the second node identification is part or all of the content of the source IPv4 address field of the third communication node.
12. The method according to any of claims 1-4 or 10, wherein the first VPN route is carried in a first Border Gateway Protocol (BGP) message and the first node identification is located in a type-length-value (TLV) field of the first BGP message; and the second VPN route is carried in a second BGP message and the second node identification is located in a TLV field of the second BGP message.
13. The method of any of claims 3-7 or 10-11, wherein the first VPN route is carried in a first BGP message and the first VPN identification is located in a TLV field of the first BGP message; and the second VPN route is carried in a second BGP message and the second VPN identification is located in a TLV field of the second BGP message.
14. The method of any of claims 1-13, wherein the first communication node is a service-provider-side provider edge (SPE) device, and the second communication node and the third communication node are user-side provider edge (UPE) devices.
15. The method of any one of claims 1-14, wherein the first communication node is a hub (central) node, and the second communication node and the third communication node are spoke nodes.
16. The method according to any one of claims 1-15, further comprising:
receiving a third VPN route from the second communication node, the third VPN route comprising the first node identification of the second communication node, a third import RT and a third export RT;
and in response to the third export RT matching the second import RT, updating the first entry, wherein the updated first entry stores a correspondence of the first node identification, the second node identification and third indication information, the third indication information indicating that the first communication node is allowed to forward messages from the second communication node to the third communication node.
17. A method of forwarding a message, performed by a first communication node, the method comprising:
receiving a first Virtual Private Network (VPN) message from a second communication node, wherein the first communication node forwards the next hop of the first VPN message to be a third communication node, and the second communication node and the third communication node belong to the same VPN;
and determining to discard the first VPN message according to a first entry, wherein the first entry comprises a first node identifier of the second communication node, a second node identifier of the third communication node and first indication information, and the first indication information indicates that the first communication node is forbidden to forward the message from the second communication node to the third communication node.
18. The method of claim 17, wherein the first VPN message carries the first node identification.
19. The method according to claim 17 or 18, characterized in that the method further comprises:
and determining the second node identification according to the first VPN message and the route information stored in the first communication node.
20. The method of claim 19, wherein the routing information stored in the first communication node is Internet Protocol version 6 segment routing (SRv6) VPN routing information.
21. The method of claim 20, wherein the node identification of the second communication node is carried in the source IPv6 address of the first VPN message.
22. The method of claim 20, wherein the first VPN message carries a first SRv6 VPN segment identifier (SID) of the second communication node, the first node identification being located in the first SRv6 VPN SID.
23. The method of claim 22, wherein the first node identification is located in a locator field of the first SRv6 VPN SID.
24. The method according to any of claims 17-19, wherein the routing information stored in the first communication node is multiprotocol label switching (MPLS) VPN routing information.
25. The method of claim 24, wherein the first node identification is carried in an extended MPLS label of the first VPN message.
26. The method according to any of claims 20-23, wherein determining the second node identification from the first VPN message and the routing information stored in the first communication node comprises:
querying the routing information stored in the first communication node according to the destination IP address of the first VPN message, and determining a second SRv6 VPN SID of the third communication node;
and determining the second node identification of the third communication node according to the second SRv6 VPN SID.
27. The method of any of claims 17-26, wherein the first communication node is a service-provider-side provider edge (SPE) device, and the second communication node and the third communication node are user-side provider edge (UPE) devices.
28. The method of any one of claims 17-27, wherein the first communication node is a hub (central) node, and the second communication node and the third communication node are spoke nodes.
29. A communication device, the communication device comprising: a processor and a memory;
the memory is configured to store computer-executable instructions that, when executed by the processor, cause the communication device to perform the method of any of claims 1-16 or 17-28.
30. A communication device for performing the method of any of claims 1-16 or 17-28.
31. A computer readable storage medium, having stored thereon a computer program which, when executed by a processor, implements the method of any of claims 1-16 or 17-28.
32. A computer program product comprising a computer program which, when executed by a processor, implements the method of any of claims 1-16 or 17-28.
CN202210676419.3A 2022-06-15 2022-06-15 Message forwarding method, communication device and system Pending CN117278501A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210676419.3A CN117278501A (en) 2022-06-15 2022-06-15 Message forwarding method, communication device and system

Publications (1)

Publication Number Publication Date
CN117278501A (en) 2023-12-22

Family

ID=89205033

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210676419.3A Pending CN117278501A (en) 2022-06-15 2022-06-15 Message forwarding method, communication device and system

Country Status (1)

Country Link
CN (1) CN117278501A (en)

Similar Documents

Publication Publication Date Title
US10757008B2 (en) Flow specification protocol-based communications method, device, and system
US11329950B2 (en) Wide area network edge device connectivity for high availability and extensibility
CN108574639B (en) EVPN message processing method, device and system
CN108574630B (en) EVPN message processing method, device and system
EP2685669A1 (en) Apparatus for exchanging routing information and the establishment of connectivity across multiple network areas
CN110050445B (en) Method, device and system for sending and receiving message
US10841172B2 (en) Network fabric visualization and management
CN111385207A (en) Service data forwarding method, network device and network system
US20230300070A1 (en) Packet Sending Method, Device, and System
CN110417655B (en) Method and device for forwarding data message
CN108141392A (en) The method and apparatus that pseudowire load is shared
CN111200549B (en) Method and device for acquiring routing information
CN113904981B (en) Routing information processing method and device, electronic equipment and storage medium
CN114598635A (en) Message transmission method and device
CN117478503A (en) Multicast configuration method and device
CN117278501A (en) Message forwarding method, communication device and system
US20240064099A1 (en) Communication method and related apparatus
CN112838985A (en) Heterogeneous network communication method, system and controller
CN104980362B (en) A kind of service tunnel method for building up and equipment
WO2023274083A1 (en) Route publishing method and apparatus, packet forwarding method and apparatus, device, and storage medium
AU2022254668B2 (en) Automated connectivity to cloud resources
CN114650248B (en) Processing method and system of routing information and autonomous system boundary router
US11985007B2 (en) Automated connectivity to cloud resources
CN112737951B (en) End-to-end SR control method, system and readable storage medium in public and private network mixed scene
WO2024016869A1 (en) Multicast configuration method and apparatus

Legal Events

Date Code Title Description
PB01 Publication