CN117425129A - Security control method, device, equipment and medium for cloud network multicast - Google Patents


Info

Publication number
CN117425129A
Authority
CN
China
Prior art keywords
multicast
message
network
target
processed
Prior art date
Legal status
Pending
Application number
CN202311198484.0A
Other languages
Chinese (zh)
Inventor
陆诗莹
钱岭
贾玉
曹小刚
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Suzhou Software Technology Co Ltd
Priority to CN202311198484.0A
Publication of CN117425129A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/06 Selective distribution of broadcast services, e.g. multimedia broadcast multicast service [MBMS]; Services to user groups; One-way selective calling services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention provides a security control method, device, equipment and medium for cloud network multicast. The method is applied to a multicast gateway and comprises the following steps: receiving a multicast message to be processed; matching the multicast message to be processed against rules in a preset access control list, wherein the access control list corresponds to a target multicast network; determining the matched target rule among the rules; executing a target policy corresponding to the target rule, wherein the target policy is either of the following: discarding the multicast message to be processed, or determining that the multicast message to be processed meets the security control requirement of the target multicast network and continuing to process it. Therefore, compared with traditional physical network multicast, in which security control is set at the access position, this method realizes security control at the multicast gateway by matching against the rules in the access control list, which saves resources and improves matching efficiency; in addition, security control over a plurality of multicast networks can be realized independently.

Description

Security control method, device, equipment and medium for cloud network multicast
Technical Field
The embodiment of the invention relates to the technical field of cloud computing, in particular to a security control method, device, equipment and medium for cloud network multicasting.
Background
Multicast, also known as multi-target broadcast, is a method of communication between one sender and multiple receivers. In a point-to-multipoint network communication scenario, the multicast communication mode can reduce server load and raise bandwidth utilization relative to the unicast and broadcast modes. With the rapid development of cloud computing, multicast applications are gradually appearing in cloud networks. However, because of its "one-to-many" and "many-to-many" communication characteristics, multicast communication is more vulnerable to network attacks than unicast communication. An attacker needs little information and can launch an attack simply by sending to a multicast group address, whether or not the address is valid. More seriously, the "scaling" effect of the multicast model rapidly enlarges the scope of the attack, with serious consequences.
Therefore, in the cloud network multicast scenario, compared with the traditional physical network, new requirements are put on multicast security control. However, since the multicast communication mode is not widely applied in the cloud computing network at present, the multicast security problem in the multicast network is hardly taken into consideration. If the currently disclosed physical network multicast security control method is directly applied to the cloud network, the problems of multicast network isolation, hierarchical control and the like in the cloud computing multicast network cannot be effectively solved, and the processing efficiency is low.
Disclosure of Invention
The embodiment of the invention provides a security control method, a device, equipment and a medium for cloud network multicast, which are used for solving the technical problems that the currently disclosed security control method for physical network multicast cannot be directly applied to a cloud network and cannot effectively solve the isolation and hierarchical control of a multicast network in the cloud computing multicast network.
In a first aspect, an embodiment of the present invention provides a security control method for cloud network multicast, where the method is applied to a multicast gateway, and the method includes:
receiving a multicast message to be processed;
matching the multicast message to be processed with rules in a preset access control list, wherein the access control list corresponds to a target multicast network;
determining a matched target rule in the rules;
executing a target strategy corresponding to the target rule, wherein the target strategy comprises any one of the following: discarding the multicast message to be processed, or determining that the multicast message to be processed meets the security control requirement of the target multicast network, and continuing to process the multicast message to be processed.
Optionally, after receiving the pending multicast message, the method further includes:
determining whether the category of the multicast message to be processed is a multicast member management message or a multicast data message, wherein the multicast member management message comprises a membership report message, which is sent by a requesting device to request joining the target multicast network, and the multicast data message is sent by a multicast source to request sending information to the multicast members of the target multicast network.
Optionally, when the multicast message to be processed is the membership report message, the access control list is a member registration control list, and the target policy is to continue processing the multicast message to be processed, continuing to process the multicast message to be processed further includes:
adding the requesting device to a multicast routing table of the target multicast network.
Optionally, when the multicast message to be processed is the multicast data message, the access control list is a data message control list, and the target policy is to continue processing the multicast message to be processed, continuing to process the multicast message to be processed further includes:
sending the multicast data message to the multicast members.
Optionally, the membership report message carries the following information: the IP address of the requesting device and the IP address of the target multicast network;
the rule in the preset access control list is: for a membership report message whose requested target multicast network IP address lies within a first preset network segment and whose requesting device IP address lies within a second preset network segment, the policy corresponding to the rule is executed.
Optionally, the multicast data message carries at least one of the following information: the IP address of the multicast source and the IP address of the target multicast network;
the rule in the preset access control list is: for a multicast data message whose multicast source IP address lies within a third preset network segment and whose target multicast network IP address lies within a fourth preset network segment, the policy corresponding to the rule is executed.
Optionally, before receiving the multicast message to be processed, the method further includes:
receiving the preset access control list from a Software Defined Network (SDN) controller;
the preset access control list is configured on the SDN controller by a user.
In a second aspect, an embodiment of the present invention provides a security control apparatus for cloud network multicast, where the apparatus is applied to a multicast gateway, and the apparatus includes:
the receiving module is used for receiving the multicast message to be processed;
the execution module is used for matching the multicast message to be processed with rules in a preset access control list, wherein the access control list corresponds to a target multicast network;
determining a matched target rule in the rules;
executing a target strategy corresponding to the target rule, wherein the target strategy comprises any one of the following: discarding the multicast message to be processed, or determining that the multicast message to be processed meets the security control requirement of the target multicast network, and continuing to process the multicast message to be processed.
Optionally, the execution module is further configured to determine, after the multicast message to be processed is received, whether its category is a multicast member management message or a multicast data message, wherein the multicast member management message comprises a membership report message, sent by a requesting device to request joining the target multicast network, and the multicast data message is sent by a multicast source to request sending information to the multicast members of the target multicast network.
Optionally, when the multicast message to be processed is the membership report message, the access control list is a member registration control list, and the target policy is to continue processing the multicast message to be processed, the execution module is further configured to add the requesting device to a multicast routing table of the target multicast network.
Optionally, when the multicast message to be processed is the multicast data message, the access control list is a data message control list, and the target policy is to continue processing the multicast message to be processed, the execution module is further configured to send the multicast data message to the multicast members.
Optionally, the membership report message carries the following information: the IP address of the requesting device and the IP address of the target multicast network;
the rule in the preset access control list is: for a membership report message whose requested target multicast network IP address lies within a first preset network segment and whose requesting device IP address lies within a second preset network segment, the policy corresponding to the rule is executed.
Optionally, the multicast data message carries at least one of the following information: the IP address of the multicast source and the IP address of the target multicast network; the rule in the preset access control list is: for a multicast data message whose multicast source IP address lies within a third preset network segment and whose target multicast network IP address lies within a fourth preset network segment, the policy corresponding to the rule is executed.
Optionally, the receiving module is further configured to receive the preset access control list from the Software Defined Network (SDN) controller before receiving the multicast message to be processed; the preset access control list is configured on the SDN controller by a user.
In a third aspect, an embodiment of the present invention provides an electronic device, including: a processor, a memory, and a program stored on the memory and executable on the processor, which when executed by the processor, implements the steps of a method of security control for cloud network multicasting according to the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer readable storage medium, where a computer program is stored, where the computer program, when executed by a processor, implements the steps of a security control method for cloud network multicast according to the first aspect.
Therefore, compared with traditional physical network multicast, in which security control is set at the access position, this method realizes security control at the multicast gateway by matching against the rules in the access control list, which saves resources and improves matching efficiency; in addition, since the access control list corresponds to the target multicast network, independent security control over a plurality of multicast networks can be realized.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
fig. 1 is a flowchart of a security control method for cloud network multicast according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a correspondence between a multicast network and an access control list according to an embodiment of the present invention;
fig. 3 is a flowchart of a security control method for cloud network multicast according to an embodiment of the present invention;
fig. 4 is a structural block diagram of a security control device for cloud network multicast according to an embodiment of the present invention;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 shows a security control method for cloud network multicast according to an embodiment of the present invention, where the method is applied to a multicast gateway, as shown in fig. 1, and the method includes:
step S101, receiving a multicast message to be processed;
step S102, matching the multicast message to be processed with rules in a preset access control list;
wherein the access control list corresponds to the target multicast network;
step S103, determining a matched target rule in the rules;
step S104, executing a target strategy corresponding to the target rule;
wherein the target policy includes any one of the following: discarding the multicast message to be processed, or determining that the multicast message to be processed meets the security control requirement of the target multicast network, and continuing to process the multicast message to be processed.
In one possible implementation manner, before receiving the multicast message to be processed in step S101, the method further includes: receiving a preset access control list from a Software Defined Network (SDN) controller; the preset access control list is configured on the SDN controller by a user.
It should be noted that setting the access control list on the SDN (Software Defined Network) controller is an exemplary illustration; the carrier of the multicast security control function is not limited to an SDN controller and may be any module/component that is global, centralized and flexibly controllable.
In one possible implementation manner, after receiving the multicast message to be processed in step S101, the method further includes: determining whether the category of the multicast message to be processed is a multicast member management message or a multicast data message, wherein the multicast member management message comprises a membership report message, sent by a requesting device to request joining the target multicast network, and the multicast data message is sent by a multicast source to request sending information to the multicast members of the target multicast network.
In one possible implementation manner, when the multicast message to be processed is a membership report message, the access control list is a member registration control list, and the target policy is to continue processing the multicast message to be processed, continuing to process the multicast message to be processed includes: adding the requesting device to the multicast routing table of the target multicast network; when the multicast message to be processed is a multicast data message, the access control list is a data message control list, and the target policy is to continue processing the multicast message to be processed, continuing to process the multicast message to be processed includes: sending the multicast data message to the multicast members.
It should be noted that the method shown in the embodiment of the present invention may be divided into three main parts: identification and classification of multicast messages, security control of multicast member management messages, and security control of multicast data messages.
Multicast message identification and classification: the multicast message identification and classification module (a virtual module) runs on a multicast router (or a device acting as a multicast router, also referred to as a multicast gateway) rather than on the multicast message access device (typically a virtual switch). Since IANA (the Internet Assigned Numbers Authority) allocates the class D address space of IPv4 (Internet Protocol version 4) to multicast use, and designates IPv6 (Internet Protocol version 6) addresses beginning with FF as multicast addresses, multicast messages can be screened out by their layer-3 destination IP; further, multicast management messages and multicast data messages can be separated by the protocol field of the network layer header and forwarded to the corresponding security control module (a virtual module).
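The classification step described above, as an added worked example that is not part of the patent text: a packet is flagged as multicast from its layer-3 destination address (IANA's 224.0.0.0/4 for IPv4, ff00::/8 for IPv6), the network-layer protocol field then separates membership management messages (IGMP on IPv4, MLD carried in ICMPv6) from multicast data, and `dispatch` names the module each kind is handed to. The protocol and message-type numbers are the standard IANA values rather than figures from the patent; the `Packet` layout and the module names returned by `dispatch` are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Standard IANA values (not figures taken from the patent text).
IPV4_MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # class D space
IPV6_MULTICAST = ipaddress.ip_network("ff00::/8")      # addresses beginning with FF
IPPROTO_IGMP = 2                         # IGMP is carried directly in IPv4
IPPROTO_ICMPV6 = 58                      # MLD messages are ICMPv6 messages
IGMP_REPORT_TYPES = {0x12, 0x16, 0x22}   # IGMPv1, v2 and v3 membership reports
IGMP_LEAVE_TYPE = 0x17                   # IGMPv2 leave group
MLD_QUERY_TYPE = 130                     # multicast listener query
MLD_REPORT_TYPES = {131, 143}            # MLDv1 report, MLDv2 report
MLD_DONE_TYPE = 132                      # MLDv1 done (leave)


@dataclass
class Packet:
    """The fields the classifier needs from a received packet (assumed layout)."""
    dst_ip: str
    protocol: int                    # IPv4 protocol number / IPv6 next header
    msg_type: Optional[int] = None   # IGMP type or ICMPv6 type, when present


def classify(pkt: Packet) -> str:
    """Return 'non-multicast', 'membership-report', 'membership-leave',
    'management-other' (queries and unknown management types) or 'multicast-data'."""
    dst = ipaddress.ip_address(pkt.dst_ip)
    if dst.version == 4:
        if dst not in IPV4_MULTICAST:
            return "non-multicast"
        if pkt.protocol == IPPROTO_IGMP:
            if pkt.msg_type in IGMP_REPORT_TYPES:
                return "membership-report"
            if pkt.msg_type == IGMP_LEAVE_TYPE:
                return "membership-leave"
            return "management-other"
        return "multicast-data"
    if dst not in IPV6_MULTICAST:
        return "non-multicast"
    if pkt.protocol == IPPROTO_ICMPV6:
        if pkt.msg_type in MLD_REPORT_TYPES:
            return "membership-report"
        if pkt.msg_type == MLD_DONE_TYPE:
            return "membership-leave"
        if pkt.msg_type == MLD_QUERY_TYPE:
            return "management-other"
    # Anything else addressed to a multicast group (UDP payload, ICMPv6 echo, ...) is data.
    return "multicast-data"


def dispatch(pkt: Packet) -> str:
    """Name the virtual module that handles the packet, following the split in the text:
    reports go to member registration control, data to data message control, leave
    messages and queries follow the normal flow."""
    kind = classify(pkt)
    if kind == "membership-report":
        return "member registration control module"
    if kind == "multicast-data":
        return "data message control module"
    if kind == "non-multicast":
        return "unicast/broadcast forwarding"
    return "normal multicast flow"


if __name__ == "__main__":
    # Constructed sample packets: IGMPv3 report, UDP data, MLDv2 report, plain unicast.
    for sample in (Packet("239.0.0.1", 2, 0x22), Packet("239.0.0.1", 17),
                   Packet("ff02::16", 58, 143), Packet("10.0.0.5", 17)):
        print(sample.dst_ip, classify(sample), "->", dispatch(sample))
```

The classifier only needs the destination address, the protocol number and, for management traffic, the message type, which is why the text can call the screening rule "simple"; the per-group and per-source checks happen later in the control lists.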
Security control of multicast member management messages: multicast member management messages mainly comprise the messages of the IPv4 membership management protocol IGMP (Internet Group Management Protocol) and the IPv6 membership management protocol MLD (Multicast Listener Discovery). Through evolution, there are three versions of IGMP and two versions of MLD. In the embodiment of the invention, the membership report message is the main object of control, and only legal members are allowed to register. Unlike traditional physical network multicast, which synchronizes all legal member information to all access switches, the method disclosed by the embodiment of the invention only needs to define the legal member lists (member registration control lists) in the SDN controller; this supports flexible configuration, saves table entry resources and improves rule matching efficiency.
Security control of multicast data messages: by issuing to the SDN controller an access control list (configured by a user) that at least comprises the multicast group IP and the corresponding legal multicast source IPs, a multicast data message is forwarded to each multicast member only after it passes the data message control list. The data message control list supports flexible configuration, thereby saving list resources and improving the matching efficiency of the control rules.
It should be noted that, because the SDN controller is a centralized controller, the access control list can be set from a global view. Compared with conventional physical network multicast, where security control is set at the access points, the scheme based on the SDN controller can merge rules, save table resources and improve rule matching efficiency. In addition, based on the SDN controller, a plurality of multicast networks can perform security control independently, control list entries (rules) can be added flexibly, and differentiated security control is realized. A security control method based on the SSM multicast model can also be realized.
In one possible implementation, the membership report message carries the following information: the IP address of the requesting device and the IP address of the target multicast network; the rule in the preset access control list is: for a membership report message whose requested target multicast network IP address lies within a first preset network segment and whose requesting device IP address lies within a second preset network segment, the policy corresponding to the rule is executed.
In one possible implementation, the multicast data message carries at least one of the following information: the IP address of the multicast source and the IP address of the target multicast network; the rule in the preset access control list is: for a multicast data message whose multicast source IP address lies within a third preset network segment and whose target multicast network IP address lies within a fourth preset network segment, the policy corresponding to the rule is executed.
It should be noted that, because the destination IPs of multicast member management messages, multicast data messages and ordinary unicast or broadcast messages differ clearly, the multicast member management messages and multicast data messages can be screened out with a simple screening rule and led to the corresponding processing module. Multicast member management messages can be classified into membership report messages and membership leave messages: the membership report message is led to the member registration control module (a virtual module), the membership leave message is processed according to the normal flow of the prior art, and the multicast data message is led to the data message control module (a virtual module).
It should be noted that the access control list includes a member registration control list and a data message control list. The member registration control module performs security control management on multicast members through the member registration control list. Because a cloud network has multiple tenants whose resources are independent and isolated from one another, the multicast security control list also needs to support isolation between multicast networks; it should be noted that in a cloud network, the networks of the tenants are isolated independently. The same tenant may further divide its VPC (Virtual Private Cloud) resources into multicast networks, each of which is embodied as its own specific access control list (comprising a member registration control list and a data message control list), as shown in fig. 2. The entries of the preset rules in the access control list may comprise member IP network segments, multicast source IP network segments, policies, priorities and the like, and can be selected in combination according to the security level required.
In a specific application scenario, the rule in the member registration control list is: for a membership report message whose requested target multicast network IP address lies within a first preset network segment and whose requesting device IP address lies within a second preset network segment, the policy corresponding to the rule is executed. Namely: if the policy is allow, the requesting device is determined to be a multicast member and the multicast routing table is updated; if the policy is reject, the membership report message is directly discarded (as shown in fig. 3). In addition, by adding a multicast source IP item, the SSM multicast model can be supported in realizing security control.
The setting of the member registration control list and the matching of a membership report message against the member registration control list will now be described by example.
TABLE 1
Table 1 shows a member registration control list configured with 5 rules, the last one being a default reject rule. When a membership report message is received, it is matched against the member registration control list shown in table 1. Rules are matched in order from top to bottom, and the first rule matched successfully is executed: when its policy is allow, the subscription is written to the multicast routing table (the requesting device that sent the membership report message is added to the multicast member group of the corresponding multicast network and the multicast routing table is updated); when its policy is reject, the membership report message is discarded (as shown in fig. 3).
In the embodiment of the invention, the multicast gateway can receive the preset member registration control list from the SDN controller. Because the SDN controller is centralized, the heavy consumption of network resources caused by setting the access control policy at every access port is avoided. Moreover, the IPs in the list are set in network segment form, so rules with similar network segments and the same policy can be merged; this improves rule matching efficiency while saving list entries, and the entry saving rate and the matching efficiency improve further as the number of access members grows.
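The rule merging claimed here, as an added illustration that is not code from the patent: rules that differ only in the member address are collapsed into the smallest covering network segments. The `merge_rules` and `verdict` functions, the tuple rule layout and the per-host list they operate on are all constructed for this example. Only consecutive rules are merged, so top-to-bottom first-match evaluation gives the same verdicts before and after; a rule with a different policy never moves past one it previously preceded.

```python
import ipaddress
from itertools import groupby
from typing import List, Tuple

# A rule is (member segment, group segment, policy); lists are matched top to bottom.
Rule = Tuple[str, str, str]


def merge_rules(rules: List[Rule]) -> List[Rule]:
    """Collapse consecutive rules that differ only in the member segment.

    Merging is restricted to adjacent runs with identical group and policy, so
    the relative order of every allow/reject decision is preserved.
    """
    merged: List[Rule] = []
    for (group, policy), run in groupby(rules, key=lambda r: (r[1], r[2])):
        members = [ipaddress.ip_network(r[0], strict=False) for r in run]
        # collapse_addresses joins adjacent /32s into /31s, /31s into /30s, and so on.
        for seg in ipaddress.collapse_addresses(members):
            merged.append((str(seg), group, policy))
    return merged


def verdict(rules: List[Rule], member: str, group: str) -> str:
    """First-match evaluation over a list; an unmatched message is rejected."""
    m, g = ipaddress.ip_address(member), ipaddress.ip_address(group)
    for mem_seg, grp_seg, policy in rules:
        if (m in ipaddress.ip_network(mem_seg, strict=False)
                and g in ipaddress.ip_network(grp_seg, strict=False)):
            return policy
    return "reject"


# Constructed example: per-host allow entries for one group, then a default reject.
PER_HOST: List[Rule] = [
    ("192.168.1.0/32", "239.0.0.1/32", "allow"),
    ("192.168.1.1/32", "239.0.0.1/32", "allow"),
    ("192.168.1.2/32", "239.0.0.1/32", "allow"),
    ("192.168.1.3/32", "239.0.0.1/32", "allow"),
    ("192.168.1.8/32", "239.0.0.1/32", "allow"),
    ("0.0.0.0/0", "224.0.0.0/4", "reject"),
]


if __name__ == "__main__":
    merged = merge_rules(PER_HOST)
    print(f"{len(PER_HOST)} entries -> {len(merged)} entries")
    for rule in merged:
        print(rule)
    for host in ("192.168.1.2", "192.168.1.5", "192.168.1.8"):
        print(host, verdict(PER_HOST, host, "239.0.0.1"), verdict(merged, host, "239.0.0.1"))
```

The four contiguous hosts 192.168.1.0 to 192.168.1.3 become a single /30 while the isolated 192.168.1.8 stays a /32, so the list shrinks from six entries to three without changing any verdict; the saving grows with the number of members sharing a segment, which is the effect the text describes.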
In one possible implementation, the SSM (Source-Specific Multicast) model provides services for data streams bound to a specific source and a specific group: when joining a multicast group, a receiving host can specify the sources from which it will receive data, and afterwards it receives only the data sent to the group by the designated sources. In large multicast networks, the SSM model is generally used when multicast addresses are reused. In the member registration control list, security control of source selection can be realized by adding a multicast source IP column.
Assuming an SSM multicast network using an IPv4 network segment, a member registration control list as shown in table 2 may be set.
TABLE 2
As shown in table 2, when a membership report message sent by 192.168.1.1 is received, the multicast routing table is updated if the subscribed group IP is 239.0.0.1 and the multicast source IP is 192.168.2.1; subscriptions to any other group IP/source combination are discarded. When a membership report message sent by 192.168.1.2 is received, the multicast routing table is updated if the subscribed group IP is 239.0.0.1 and the multicast source IP lies in the 192.168.2.0/24 network segment; otherwise the message is discarded.
In addition, it should be noted that the security control of membership report messages may be implemented with either a precise control list or a fuzzy control list. It should also be noted that, in a specific application scenario, the rules (table entries) of the access control list may be set flexibly according to the actual matching requirements, for example: only a small number of dangerous hosts need to be excluded, and all other hosts are allowed to send multicast data messages; or only a small number of trusted hosts are permitted, and all others are not allowed to send multicast data messages.
The setting of the data message control list and the matching of a multicast data message against the data message control list are now illustrated.
The data message control module performs security control on multicast data messages through the data message control list. As with member management control, each multicast network is provided with an independent data message control list, and when a multicast data message passes through the data message control module, the corresponding data message control list is applied to perform security control. Similarly, the rule entries in the data message control list may include multicast source IP network segments, multicast group IP network segments, policies, priorities, etc. A multicast data message is forwarded after it passes the data message control list (policy allow); if it does not pass, it is directly discarded (policy reject). It should be noted that, when planning the network, the source IP allocation of the multicast network should be considered in advance, so that security control management of multicast sources can be realized by simply setting the data message control list on the SDN controller.
In addition, it should be noted that either a precise control list or a fuzzy control list can be applied to realize security control of multicast sources, and with reasonable planning of multicast source IPs and multicast group IPs, simple table entries suffice. See table 3 (a precisely controlled data message control list) and table 4 (a fuzzy controlled data message control list) below.
TABLE 3 (precise control)
Multicast source IP network segment | Group IP network segment | Policy
192.168.2.1/32 | 239.0.0.1/32 | Allow
192.168.2.2/32 | 239.0.0.2/32 | Allow
192.168.2.4/32 | 239.0.0.3/32 | Allow
192.168.2.5/32 | 239.0.0.4/32 | Allow
192.168.2.7/32 | 239.0.0.5/32 | Allow
0.0.0.0/0 | 224.0.0.0/8 | Reject
TABLE 4 (fuzzy control)
Multicast source IP network segment | Group IP network segment | Policy
192.168.2.1/28 | 239.0.0.0/29 | Allow
0.0.0.0/0 | 224.0.0.0/8 | Reject
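One way to evaluate these lists, as an added example covering both the member registration control list of Table 2 (with its multicast source column, rows reconstructed from the description in the text) and the data message control lists of Tables 3 and 4 as printed; it is not the patent's own code. Rules are matched top to bottom within a priority level, the first match decides, and an unmatched message falls to a default reject. Each multicast network holds its own pair of lists, mirroring the per-network isolation of fig. 2. The `Rule`, `ControlList` and `MulticastNetwork` types and the two handler functions are assumptions made for this illustration, and the final reject-all row of Table 2 is constructed to mirror the default rule the text describes for Table 1. Two details a practitioner would check: `192.168.2.1/28` in Table 4 has host bits set and denotes 192.168.2.0/28, so it must be parsed non-strictly; and `224.0.0.0/8` as printed covers only 224.x.x.x, so it is the list's default policy, not that row, that rejects an unmatched 239.x.x.x group.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ANY4 = "0.0.0.0/0"   # wildcard source/member segment, as written in the tables


def segment(cidr: str) -> ipaddress.IPv4Network:
    """Parse a network-segment entry; strict=False accepts host bits set
    (Table 4's '192.168.2.1/28' denotes 192.168.2.0/28)."""
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class Rule:
    policy: str                    # "allow" or "reject"
    member: Optional[str] = None   # requesting-device IP segment (member registration list)
    source: Optional[str] = None   # multicast source IP segment (SSM column / data list)
    group: Optional[str] = None    # multicast group IP segment
    priority: int = 0              # higher values are evaluated first

    def matches(self, member=None, source=None, group=None) -> bool:
        """Every configured column must contain the message's value; an unconfigured
        column is a wildcard."""
        for seg, value in ((self.member, member), (self.source, source), (self.group, group)):
            if seg is None:
                continue
            if value is None or ipaddress.ip_address(value) not in segment(seg):
                return False
        return True


@dataclass
class ControlList:
    rules: List[Rule]
    default_policy: str = "reject"   # implicit final rule when nothing matches

    def __post_init__(self):
        # Stable sort: higher priority first, table order kept within one level.
        self.rules = sorted(self.rules, key=lambda r: -r.priority)

    def evaluate(self, **fields) -> str:
        for rule in self.rules:          # top to bottom, first match decides
            if rule.matches(**fields):
                return rule.policy
        return self.default_policy


@dataclass
class MulticastNetwork:
    """One multicast network inside a tenant VPC: its own two lists and routing state."""
    member_registration: ControlList
    data_message: ControlList
    routing_table: Dict[str, Set[str]] = field(default_factory=dict)  # group -> members


def handle_membership_report(net: MulticastNetwork, member_ip: str, group_ip: str,
                             source_ip: Optional[str] = None) -> str:
    """Member registration control: on allow, record the subscription."""
    verdict = net.member_registration.evaluate(member=member_ip, group=group_ip, source=source_ip)
    if verdict == "allow":
        net.routing_table.setdefault(group_ip, set()).add(member_ip)
    return verdict


def handle_data_message(net: MulticastNetwork, source_ip: str, group_ip: str) -> Tuple[str, Set[str]]:
    """Data message control: on allow, return the members the message is forwarded to."""
    verdict = net.data_message.evaluate(source=source_ip, group=group_ip)
    if verdict != "allow":
        return verdict, set()        # message is discarded
    return verdict, set(net.routing_table.get(group_ip, set()))


# Table 2 rows reconstructed from the text (member, group, SSM source); the final
# reject-all row is constructed to mirror the default rule described for Table 1.
TABLE2 = ControlList([
    Rule("allow", member="192.168.1.1/32", group="239.0.0.1/32", source="192.168.2.1/32"),
    Rule("allow", member="192.168.1.2/32", group="239.0.0.1/32", source="192.168.2.0/24"),
    Rule("reject", member=ANY4, group="224.0.0.0/4"),
])
# Tables 3 (precise) and 4 (fuzzy) as printed. Caveat: 224.0.0.0/8 covers only 224.x.x.x,
# so an unmatched 239.x.x.x group is rejected by default_policy, not by this row.
TABLE3 = ControlList([
    Rule("allow", source="192.168.2.1/32", group="239.0.0.1/32"),
    Rule("allow", source="192.168.2.2/32", group="239.0.0.2/32"),
    Rule("allow", source="192.168.2.4/32", group="239.0.0.3/32"),
    Rule("allow", source="192.168.2.5/32", group="239.0.0.4/32"),
    Rule("allow", source="192.168.2.7/32", group="239.0.0.5/32"),
    Rule("reject", source=ANY4, group="224.0.0.0/8"),
])
TABLE4 = ControlList([
    Rule("allow", source="192.168.2.1/28", group="239.0.0.0/29"),
    Rule("reject", source=ANY4, group="224.0.0.0/8"),
])


def demo() -> Dict[str, object]:
    """Replay the Table 2 scenarios from the text on a network using Tables 2 and 3."""
    net = MulticastNetwork(TABLE2, TABLE3)
    return {
        "join_ok": handle_membership_report(net, "192.168.1.1", "239.0.0.1", "192.168.2.1"),
        "join_wrong_source": handle_membership_report(net, "192.168.1.1", "239.0.0.1", "192.168.2.9"),
        "join_segment_source": handle_membership_report(net, "192.168.1.2", "239.0.0.1", "192.168.2.77"),
        "join_wrong_group": handle_membership_report(net, "192.168.1.2", "239.0.0.2", "192.168.2.77"),
        "data_forwarded_to": handle_data_message(net, "192.168.2.1", "239.0.0.1"),
        "data_unknown_source": handle_data_message(net, "192.168.2.3", "239.0.0.3"),
        "fuzzy_allow": TABLE4.evaluate(source="192.168.2.7", group="239.0.0.5"),
        "fuzzy_reject": TABLE4.evaluate(source="192.168.2.20", group="239.0.0.5"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Because each `MulticastNetwork` carries its own lists and routing table, a report accepted in one tenant's multicast network never appears in another's forwarding set, which is the isolation property the text requires; the gateway only needs to pick the right network object before evaluating.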
The method provided by the embodiment of the invention provides independent control capability for each multicast network. On this basis, it provides management control of multicast member registration and of multicast message source forwarding through SDN centralized mandatory control; member control rules and multicast source control rules can be configured flexibly in the SDN controller, with support for rule aggregation and priority setting. This provides powerful, low-overhead security control for the multicast network, prevents malicious attacks on the multicast network system, and ensures that multicast data is not stolen and is forwarded securely to legitimate subscribed members.
The method disclosed by the embodiment of the invention adopts SDN centralized control, an access control list is arranged at the SDN controller side, rules in the access control list are arranged in the form of IP network segments, and compared with the decentralized rules arranged in the form of IP addresses, the decentralized rules can be combined, so that occupation of rule storage space is reduced, and rule matching efficiency is improved; the control list items can be flexibly combined and configured, so that advanced functions such as supporting safety control of an SSM model are realized, and differentiated safety control requirements are met through different list item combinations; based on the global SDN controller, the problem of safety control of cloud network multicast with large scale, multi-tenant and rapid topology change can be easily solved.
The method has a wide market prospect, the current head cloud manufacturer has introduced a multicast function, and the application of multicast in a cloud network is wider and wider along with the development of services such as cloud computing industry, video live broadcast and the like. In recent years, network security and information security become key problems of the most concern in the Internet era, and the security and reliability become important consideration factors for manufacturers to select cloud computing manufacturers to develop multicast services. In summary, the scheme has great commercial value and wide application prospect.
Fig. 4 shows a security control apparatus for cloud network multicast according to an embodiment of the present invention, as shown in fig. 4, an apparatus 40 includes:
a receiving module 401, configured to receive a multicast message to be processed;
an execution module 402, configured to match a multicast message to be processed with a rule in a preset access control list, where the access control list corresponds to a target multicast network;
determining a matched target rule in the rules;
executing a target strategy corresponding to the target rule, wherein the target strategy comprises any one of the following: discarding the multicast message to be processed, or determining that the multicast message to be processed meets the security control requirement of the target multicast network, and continuing to process the multicast message to be processed.
In a possible implementation, the execution module 402 is further configured to determine, after the multicast message to be processed is received, its class as a multicast member management message or a multicast data message, where the multicast member management message includes a membership report message sent by a requesting device to request joining the target multicast network, and the multicast data message is sent by a multicast source to request delivery of information to the multicast members of the target multicast network.
In one possible implementation, when the multicast message to be processed is a membership report message, the access control list is the member registration control list, and the target policy is to continue processing the multicast message to be processed, the execution module 402 is further configured to add the requesting device to the multicast routing table of the target multicast network.
In a possible implementation, when the multicast message to be processed is a multicast data message, the access control list is the data message control list, and the target policy is to continue processing the multicast message to be processed, the execution module 402 is further configured to send the multicast data message to the multicast members.
In one possible implementation, the membership report message carries the following information: the IP address of the requesting device and the IP address of the target multicast network;
the rule in the preset access control list is that the IP address of the requesting device falls within a first preset network segment and the IP address of the target multicast network requested by that device falls within a second preset network segment, and the policy corresponding to the rule is executed.
In one possible implementation, the multicast data message carries at least one of the following information: the IP address of the multicast source and the IP address of the target multicast network; the rule in the preset access control list is that the IP address of the multicast source falls within a third preset network segment and the IP address of the target multicast network corresponding to that multicast source falls within a fourth preset network segment, and the policy corresponding to the rule is executed.
In a possible implementation, the receiving module 401 is further configured to receive the preset access control list from the software defined network (SDN) controller before receiving the multicast message to be processed; the preset access control list is configured on the SDN controller by a user.
The device disclosed by the embodiment of the invention can perform security control in cloud network multicast scenarios and supports independent security control per multicast network; applying control rules from the centralized SDN controller saves storage resources and improves rule matching efficiency through entry merging; the access control list can be set flexibly, entries (the items within a rule) can be freely added and combined, and access control lists of different complexity can be set for different security levels; it supports multicast source security control for membership report messages in an SSM multicast scenario; and the SDN controller can design the security control entries flexibly, which suits large-scale cloud network multicast with rapidly changing topology.
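As an added example (not code from this patent or its applicants), the following Python models the control flow described for the data message control module (Tables 3 and 4) and for the device above: the gateway classifies a message as a membership report or a multicast data message, applies the member registration control list or the data message control list of that multicast network, and then either drops the message, adds the requester to the multicast routing table, or forwards the data. Tables 3 and 4 are reproduced as rule lists from the page; the member registration list, the message dictionary layout, the `Rule`, `evaluate` and `MulticastGateway` names, the priority-then-specificity tie-break and the fail-closed default when no rule matches are assumptions of this example.

```python
"""Illustrative SDN multicast gateway security control (added example).

Models the control lists the patent describes: a per-network member
registration control list and a data message control list whose rules hold
an IP segment for the source (or requesting device), a group IP segment, a
policy and a priority.  Tables 3 and 4 are taken from the page; the member
registration list, the message layout and all function names are
constructed assumptions, not the applicants' code.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

ALLOW = "allow"
DENY = "deny"


@dataclass(frozen=True)
class Rule:
    """One control list entry: source segment, group segment, policy, priority."""
    src_segment: str      # multicast source IP segment (or requester segment)
    group_segment: str    # multicast group IP segment
    policy: str           # ALLOW or DENY
    priority: int = 0     # higher value wins among matching rules (assumption)

    def matches(self, src: str, group: str) -> bool:
        # strict=False accepts host-style segments such as 192.168.2.1/28 (Table 4)
        return (ip_address(src) in ip_network(self.src_segment, strict=False)
                and ip_address(group) in ip_network(self.group_segment, strict=False))

    def specificity(self) -> int:
        # Longer prefixes are more specific; used to break priority ties
        return (ip_network(self.src_segment, strict=False).prefixlen
                + ip_network(self.group_segment, strict=False).prefixlen)


def evaluate(rules: List[Rule], src: str, group: str) -> str:
    """Return the policy for (src, group); fail closed when nothing matches."""
    matched = [r for r in rules if r.matches(src, group)]
    if not matched:
        return DENY
    # Highest priority wins, then the most specific rule, then list order
    best = max(matched, key=lambda r: (r.priority, r.specificity()))
    return best.policy


# Table 3 from the page (precise control list), one /32 pair per allowed flow.
TABLE3 = [
    Rule("192.168.2.1/32", "239.0.0.1/32", ALLOW),
    Rule("192.168.2.2/32", "239.0.0.2/32", ALLOW),
    Rule("192.168.2.4/32", "239.0.0.3/32", ALLOW),
    Rule("192.168.2.5/32", "239.0.0.4/32", ALLOW),
    Rule("192.168.2.7/32", "239.0.0.5/32", ALLOW),
    # 224.0.0.0/8 as printed covers only part of the 224.0.0.0/4 multicast
    # range, so the fail-closed default in evaluate() still matters.
    Rule("0.0.0.0/0", "224.0.0.0/8", DENY),
]

# Table 4 from the page (fuzzy control list), aggregated into one entry.
TABLE4 = [
    Rule("192.168.2.1/28", "239.0.0.0/29", ALLOW),
    Rule("0.0.0.0/0", "224.0.0.0/8", DENY),
]

# Constructed member registration list (assumption): one subscriber subnet.
MEMBER_LIST = [
    Rule("10.0.1.0/24", "239.0.0.0/24", ALLOW),
    Rule("0.0.0.0/0", "224.0.0.0/4", DENY),
]


@dataclass
class MulticastGateway:
    """Applies the two lists of one multicast network, as the device does."""
    member_list: List[Rule]
    data_list: List[Rule]
    # group IP -> set of member IPs (the multicast routing table)
    routing_table: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))

    def handle(self, msg: dict) -> str:
        """Classify the message, apply the matching list, act on the policy."""
        kind = msg.get("kind")
        if kind == "membership_report":
            if evaluate(self.member_list, msg["requester"], msg["group"]) == ALLOW:
                self.routing_table[msg["group"]].add(msg["requester"])
                return "joined"
            return "dropped"
        if kind == "data":
            if evaluate(self.data_list, msg["source"], msg["group"]) == ALLOW:
                return "forwarded"
            return "dropped"
        return "dropped"  # unknown class: fail closed

    def members(self, group: str) -> Tuple[str, ...]:
        return tuple(sorted(self.routing_table.get(group, ())))


if __name__ == "__main__":
    gw = MulticastGateway(MEMBER_LIST, TABLE3)
    print(gw.handle({"kind": "membership_report", "requester": "10.0.1.5", "group": "239.0.0.1"}))
    print(gw.handle({"kind": "data", "source": "192.168.2.1", "group": "239.0.0.1"}))
    print(gw.handle({"kind": "data", "source": "192.168.2.3", "group": "239.0.0.1"}))
```

Running the script joins one subscriber, forwards the flow from the registered source 192.168.2.1 and drops a message from the unregistered source 192.168.2.3. With Table 4 the same evaluator accepts any source in 192.168.2.0/28 sending to any group in 239.0.0.0/29, which is the aggregation the fuzzy list is meant to buy; the explicit priority field lets an operator place a narrow deny above a broad allow without reordering the list.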
The embodiment of the invention also provides an electronic device 50, shown in Fig. 5, comprising a processor 501, a memory 502, and a program stored in the memory 502 and runnable on the processor 501; when executed by the processor, the program implements the steps of the security control method for cloud network multicast shown in the above embodiment.
The embodiment of the present invention further provides a computer readable storage medium storing a computer program which, when executed by a processor, implements each process of the method embodiment shown in Fig. 1 and achieves the same technical effects; this is not repeated here. The computer readable storage medium is, for example, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
From the above description of the embodiments, it will be clear to those skilled in the art that the method of the above embodiments may be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware alone, though in many cases the former is preferred. On this basis, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied as a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions that cause a terminal (which may be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to perform the method according to the embodiments of the present invention.
The embodiments of the present invention have been described above with reference to the accompanying drawings, but the present invention is not limited to these embodiments, which are merely illustrative and not restrictive; those of ordinary skill in the art may derive many other forms without departing from the spirit of the present invention and the scope of the claims, all of which fall within the protection of the present invention.

Claims (10)

1. A security control method for cloud network multicast, wherein the method is applied to a multicast gateway, and the method comprises the following steps:
receiving a multicast message to be processed;
matching the multicast message to be processed with rules in a preset access control list, wherein the access control list corresponds to a target multicast network;
determining a matched target rule in the rules;
executing a target strategy corresponding to the target rule, wherein the target strategy comprises any one of the following: discarding the multicast message to be processed, or determining that the multicast message to be processed meets the security control requirement of the target multicast network, and continuing to process the multicast message to be processed.
2. The method of claim 1, wherein after receiving the multicast message to be processed, the method further comprises:
determining the class of the multicast message to be processed as a multicast member management message or a multicast data message, wherein the multicast member management message comprises a membership report message sent by a requesting device to request joining the target multicast network, and the multicast data message is sent by a multicast source to request delivery of information to multicast members of the target multicast network.
3. The method of claim 2, wherein, when the multicast message to be processed is the membership report message, the access control list is a member registration control list, and the target policy is to continue processing the multicast message to be processed, the continuing processing of the multicast message to be processed comprises:
adding the requesting device to a multicast routing table of the target multicast network.
4. The method of claim 2, wherein, when the multicast message to be processed is the multicast data message, the access control list is a data message control list, and the target policy is to continue processing the multicast message to be processed, the continuing processing of the multicast message to be processed comprises:
sending the multicast data message to the multicast members.
5. The method of claim 2, wherein:
the membership report message carries the following information: the IP address of the requesting device and the IP address of the target multicast network;
the rule in the preset access control list is that the IP address of the requesting device falls within a first preset network segment and the IP address of the target multicast network requested by that device falls within a second preset network segment, and the policy corresponding to the rule is executed.
6. The method of claim 2, wherein:
the multicast data message carries at least one of the following information: the IP address of a multicast source and the IP address of the target multicast network;
the rule in the preset access control list is that the IP address of the multicast source falls within a third preset network segment and the IP address of the target multicast network corresponding to that multicast source falls within a fourth preset network segment, and the policy corresponding to the rule is executed.
7. The method according to any of claims 1-6, wherein prior to receiving a pending multicast message, the method further comprises:
receiving the preset access control list from a Software Defined Network (SDN) controller;
the preset access control list is configured on the SDN controller by a user.
8. A security control device for cloud network multicast, wherein the device is applied to a multicast gateway, and the device comprises:
the receiving module is used for receiving the multicast message to be processed;
the execution module is used for matching the multicast message to be processed with rules in a preset access control list, wherein the access control list corresponds to a target multicast network;
determining a matched target rule in the rules;
executing a target strategy corresponding to the target rule, wherein the target strategy comprises any one of the following: discarding the multicast message to be processed, or determining that the multicast message to be processed meets the security control requirement of the target multicast network, and continuing to process the multicast message to be processed.
9. An electronic device, comprising: a processor, a memory and a program stored on the memory and executable on the processor, which when executed by the processor implements the steps of a method of security control of cloud network multicasting according to any one of claims 1 to 7.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of a method for security control of cloud network multicasting according to any one of claims 1 to 7.
CN202311198484.0A 2023-09-18 2023-09-18 Security control method, device, equipment and medium for cloud network multicast Pending CN117425129A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311198484.0A CN117425129A (en) 2023-09-18 2023-09-18 Security control method, device, equipment and medium for cloud network multicast

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311198484.0A CN117425129A (en) 2023-09-18 2023-09-18 Security control method, device, equipment and medium for cloud network multicast

Publications (1)

Publication Number Publication Date
CN117425129A true CN117425129A (en) 2024-01-19

Family

ID=89521813

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311198484.0A Pending CN117425129A (en) 2023-09-18 2023-09-18 Security control method, device, equipment and medium for cloud network multicast

Country Status (1)

Country Link
CN (1) CN117425129A (en)

Similar Documents

Publication Publication Date Title
US8571028B2 (en) Methods and apparatus for managing multicast traffic
US8713169B2 (en) Distributed IPv6 neighbor discovery for large datacenter switching systems
US8184630B2 (en) Method for managing multicast traffic in a data network and network equipment using said method
US20150222446A1 (en) Discovering IP Multicast Group Memberships in Software Defined Networks
US20060146857A1 (en) Admission control mechanism for multicast receivers
US20070115975A1 (en) Method and system for controlling the multicast source
US20050195817A1 (en) Switching device and multicast packet processing method therefor
EP3451585B1 (en) Auto-configuring multicast protocol parameters of a network device
US20100054167A1 (en) Communication method and wireless communication system
WO2018068588A1 (en) Method and software-defined networking (sdn) controller for providing multicast service
CN110391919B (en) Multicast traffic forwarding method and device, and electronic device
JP2008060631A (en) Communication equipment and multicast user authentication method
Doi et al. Protocol design for anycast communication in IPv6 network
CN117425129A (en) Security control method, device, equipment and medium for cloud network multicast
WO2017124712A1 (en) Message generating method, message forwarding method and device
US11902148B2 (en) Weighted multicast join load balance
US8625456B1 (en) Withholding a data packet from a switch port despite its destination address
CN107948273A (en) A kind of load balancing and safety access method and system based on SDN
US20200021450A1 (en) Managing multicast scaling
US11025536B1 (en) Support for flooding in encapsulation and inter-VLAN communication via proxy-ARP
WO2014059864A1 (en) Network switching apparatus
CN111654558A (en) ARP interaction and intranet flow forwarding method, device and equipment
RU2291580C1 (en) Method for sending broadcast messages
CN113596059B (en) Method and system for realizing real-time three-layer network isolation in identification network
US10069762B1 (en) Group based multicast in networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination