CN117728978A - Message processing method and device - Google Patents

Info

Publication number: CN117728978A
Authority: CN (China)
Prior art keywords: instance, message, virtual logic, srv, new
Legal status: Pending
Application number: CN202311508170.6A
Other languages: Chinese (zh)
Inventor: 陈星明
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd
Application filed by: New H3C Security Technologies Co Ltd

Abstract

The application provides a message processing method and a message processing device, which are applied to a network security device, where the network security device comprises a plurality of virtual logic instances and is configured with a segment identifier corresponding to each of the virtual logic instances. The network security device receives an SRv6 message; if the outer layer destination IP address in the SRv6 message is the segment identifier corresponding to a target virtual logic instance, the target virtual logic instance is called so that it extracts the inner layer message from the SRv6 message and performs security detection processing on the inner layer message using the security policy corresponding to the target virtual logic instance. In this way, security identification is performed on the inner layer message of the SRv6 message, and the aim of security protection is achieved.

Description

Message processing method and device
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method and an apparatus for processing a message.
Background
In SRv6 service chaining, when a network security device such as a firewall is used as an intermediate node, it can only apply security services (such as a security policy) to the outer layer message of the SRv6 tunnel and ignores the information of the inner layer message. That is, the network security device in an SRv6 network generally replaces the destination address of the tunnel outer layer message according to the SL (Segments Left) information in the outer layer message, and then applies the security policy, together with services such as intrusion prevention (IPS) and anti-virus (AV) referenced under the security policy, only to the outer layer message. Thus, when the inner layer message carries attack traffic or a virus, the intrusion prevention (IPS), anti-virus (AV) and similar functions of the network security device cannot identify and intercept it, and the network security device cannot provide security protection.
Therefore, how to perform security identification on the inner layer message of an SRv6 message so as to achieve security protection is one of the technical problems to be solved.
Disclosure of Invention
In view of this, the present application provides a method and apparatus for processing a message, which are used to perform security identification on the inner layer message in an SRv6 network, so as to achieve the purpose of security protection.
Specifically, the application is realized by the following technical scheme:
According to a first aspect of the present application, a method for processing a message is provided, which is applied to a network security device, where the network security device includes a plurality of virtual logic instances and is configured with segment identifiers corresponding respectively to the plurality of virtual logic instances, and the method includes:
receiving an SRv6 message;
if the outer layer destination IP address in the SRv6 message is the segment identifier corresponding to a target virtual logic instance, calling the target virtual logic instance so that the target virtual logic instance extracts an inner layer message from the SRv6 message and performs security detection processing on the inner layer message using the security policy corresponding to the target virtual logic instance;
wherein the target virtual logic instance is one of the plurality of virtual logic instances.
According to a second aspect of the present application, there is provided a message processing apparatus arranged in a network security device, the network security device including a plurality of virtual logic instances and being configured with segment identifiers corresponding respectively to the plurality of virtual logic instances, the apparatus comprising:
a receiving module, used for receiving SRv6 messages;
a calling module, used for calling the target virtual logic instance if the outer layer destination IP address in the SRv6 message is the segment identifier corresponding to the target virtual logic instance, so that the target virtual logic instance extracts an inner layer message from the SRv6 message and performs security detection processing on the inner layer message using the security policy corresponding to the target virtual logic instance;
wherein the target virtual logic instance is one of the plurality of virtual logic instances.
According to a third aspect of the present application there is provided an electronic device comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method provided by the first aspect of the embodiments of the present application.
According to a fourth aspect of the present application there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method provided by the first aspect of the embodiments of the present application.
The beneficial effects of the embodiment of the application are that:
In the message processing method and device provided by the embodiment of the application, the network security device receives an SRv6 message; if the outer layer destination IP address in the SRv6 message is the segment identifier corresponding to the target virtual logic instance, the target virtual logic instance is called so that it extracts the inner layer message from the SRv6 message and performs security detection processing on the inner layer message using the security policy corresponding to the target virtual logic instance. Since each virtual logic instance is provided with a corresponding security policy, and each virtual logic instance corresponds to a segment identifier used for forwarding the SRv6 message, when the outer layer destination IP address in the received SRv6 message is confirmed to be the segment identifier corresponding to the target virtual logic instance, this indicates that security protection needs to be performed on the SRv6 message, that is, security detection processing is performed on the inner layer message in the SRv6 message by the security policy corresponding to the target virtual logic instance, so that the purpose of security protection is achieved.
Drawings
Fig. 1 is a flow chart of a message processing method provided in an embodiment of the present application;
fig. 2 is an application scenario schematic diagram of a message processing method provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present application;
fig. 4 is a schematic hardware structure of an electronic device for implementing a message processing method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects as described herein.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first message may also be referred to as a second message, and similarly, a second message may also be referred to as a first message, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The message processing method provided in the present application is described in detail below.
Referring to fig. 1, fig. 1 is a flowchart of a message processing method provided in the present application. The method may be applied to a network security device, where the network security device includes a plurality of virtual logic instances and is configured with segment identifiers corresponding respectively to the plurality of virtual logic instances; the network security device may be, but is not limited to, a firewall device. When implementing the method, the network security device may perform the following steps:
S101, receiving an SRv6 message.
S102, if the outer layer destination IP address in the SRv6 message is the segment identifier corresponding to a target virtual logic instance, calling the target virtual logic instance so that the target virtual logic instance extracts an inner layer message from the SRv6 message and performs security detection processing on the inner layer message using the security policy corresponding to the target virtual logic instance;
wherein the target virtual logic instance is one of the plurality of virtual logic instances.
Specifically, after the previous hop network device obtains the SRv6 message, it obtains the next hop segment identifier (SID) from the segment routing header (SRH, a routing extension header) in the SRv6 message and uses that SID as the outer layer destination IP address of the SRv6 message, so that the SRv6 message can be sent to the next hop. If the next hop SID is a SID configured on the network security device, the previous hop network device sends the SRv6 message to the network security device.
On this basis, in order to perform security identification on the inner layer message in a received SRv6 message, the network security device is divided by virtual logic division processing into a plurality of virtual logic instances, and a segment identifier is then configured for each virtual logic instance in preparation for subsequent security identification. Specifically, when the network security device receives the SRv6 message, it locates the outer layer IPv6 header in the SRv6 message and extracts the outer layer destination IP address, that is, the outer layer destination IPv6 address, from that header; it then matches the outer layer destination IP address against the segment identifiers corresponding to the virtual logic instances in the network security device, and when a segment identifier is matched, the virtual logic instance corresponding to that segment identifier is taken as the target virtual logic instance.
Because each virtual logic instance is configured with a corresponding security policy, the network security device can invoke the target virtual logic instance. That is, the SRv6 message is sent to the target virtual logic instance, so that after the target virtual logic instance receives the SRv6 message, it parses the inner layer message out of the SRv6 message and then invokes its security policy to perform security detection processing on the inner layer message. Specifically, after the target virtual logic instance receives the SRv6 message, it parses the message, that is, skips the IPv6 extension headers, so that information such as the five-tuple of the inner layer message can be obtained; it then runs the security services under the target virtual logic instance, such as the security policy and the IPS, AV and other services referenced under the security policy, and the inner layer message is forwarded or discarded according to the processing result of the security services. In this way, security identification is performed on the inner layer message of the received SRv6 message, and the aim of security protection is achieved.
Further, when the target virtual logic instance performs security identification on the SRv6 message and identifies that the message poses no security risk, the forwarding service for the SRv6 message can be executed; when the message poses a security risk, the SRv6 message can be blocked to ensure the security of the network.
In addition, the security policies corresponding to different virtual logic instances may be the same, different, or partially the same. Thus, in order to save storage space, all security policies corresponding to the virtual logic instances may be placed in a shared storage space, and each virtual logic instance may store only the access paths of the security policies it uses. After a virtual logic instance receives the SRv6 message, it can invoke the required security policy through the corresponding access path and perform security detection on the SRv6 message according to the invoked security policy. In this way, storage space is saved.
Furthermore, a registration function can be provided in the method, so that the security policy corresponding to each security service can register a callback among the virtual logic instances, achieving better security protection.
It should be noted that a virtual logic instance generally only performs security protection detection. Therefore, in order to forward the SRv6 message successfully after the security protection detection, the outer layer destination IP address of the SRv6 message may be replaced before the SRv6 message is forwarded to the target virtual logic instance: the SID of the next hop network device is extracted from the segment routing header of the SRv6 message and used as the new outer layer destination IP address, giving a modified SRv6 message, which is then sent to the target virtual logic instance.
It is noted that steps S101 and S102 may be implemented by software. When the software confirms that the outer layer destination IP address in the SRv6 message is the segment identifier corresponding to the target virtual logic instance, and after the destination IPv6 address has been replaced, the software can send the instance identifier of the target virtual logic instance together with the SRv6 message to the target virtual logic instance. After receiving the SRv6 message and the instance identifier, the target virtual logic instance finds that the carried instance identifier is consistent with its own instance identifier, which means that it is required to perform security protection processing on the SRv6 message; it can then extract the inner layer message from the SRv6 message and call its security policy to perform security detection processing on the inner layer message, thereby achieving the purpose of security protection.
If the instance identifier carried with the SRv6 message is found to be inconsistent with the instance's own identifier, which indicates that the target virtual logic instance is not required to process the message, an error indication may be sent to the software, so that the software sends the SRv6 message to the correct virtual logic instance.
It should be noted that when the outer layer destination IP address differs from the segment identifiers corresponding to all virtual logic instances, this indicates that the SRv6 message need not undergo security protection processing, and the forwarding operation may be executed according to the existing SRv6 message processing flow.
In the message processing method provided by the application, the network security device receives SRv6 messages; if the outer layer destination IP address in the SRv6 message is the segment identifier corresponding to the target virtual logic instance, the target virtual logic instance is called so that it extracts the inner layer message from the SRv6 message and performs security detection processing on the inner layer message using the security policy corresponding to the target virtual logic instance. Since each virtual logic instance is provided with a corresponding security policy, and each virtual logic instance corresponds to a segment identifier used for forwarding the SRv6 message, when the outer layer destination IP address in the received SRv6 message is confirmed to be the segment identifier corresponding to the target virtual logic instance, this indicates that security protection needs to be performed on the SRv6 message, that is, security detection processing is performed on the inner layer message in the SRv6 message by the security policy corresponding to the target virtual logic instance, so that the purpose of security protection is achieved.
Optionally, whether the outer layer destination IP address in the SRv6 message is the segment identifier corresponding to the target virtual logic instance may be determined as follows: obtaining a forwarding table, where the forwarding table records the correspondence between each segment identifier and the instance identifier of a virtual logic instance; querying the forwarding table using the outer layer destination IP address; and when the outer layer destination IP address hits the segment identifier corresponding to a target instance identifier in the forwarding table, determining that the outer layer destination IP address in the SRv6 message is the segment identifier corresponding to the target virtual logic instance that corresponds to that target instance identifier.
Specifically, in order to allow quick matching and reduce configuration complexity, the present application maintains the above correspondence in a forwarding table (IPv6 FIB) dedicated to outer layer IPv6 address matching. In addition, the SID in this embodiment is an End.AN type SID, which is used to identify a certain destination address prefix in the network. The forwarding action corresponding to an End SID is to subtract 1 from the SL value in the SRH, take the next SID out of the SRH according to the SL, update the destination address in the IPv6 header, and then look up the forwarding table according to the IPv6 destination address for forwarding. Based on this principle, the SID corresponding to a virtual logic instance can be written into the FIB table in a form the FIB table already supports; in addition, to facilitate security protection, the application also writes the instance identifier of the virtual logic instance corresponding to the SID into the FIB table, so that when the SID is matched, the virtual logic instance that performs security detection on the inner layer message of the SRv6 message can be obtained quickly and the subsequent security protection flow executed. Moreover, writing the instance identifier into the FIB table does not require major adjustment of the FIB table.
On this basis, after receiving an SRv6 message, the destination IPv6 address is extracted from the IPv6 header of the message and matched against the FIB table. When the destination IPv6 address hits a certain SID in the FIB table, the instance identifier corresponding to that SID identifies the target virtual logic instance; correspondingly, the hit also indicates that the SID carried as the destination IPv6 address belongs to the target virtual logic instance, so it can be confirmed that the SRv6 message requires security protection by the target virtual logic instance.
Optionally, based on any of the foregoing embodiments, in this embodiment, each virtual logic instance and its corresponding segment identifier corresponds to a service path.
Specifically, the network security device may provide security protection processing for a plurality of routes, and each route corresponds to one service path, that is, the network security device may correspond to a plurality of service paths. To allow the network security device to provide security services quickly, this embodiment proposes that a virtual logic instance is configured for each service path, so that a correspondence among the virtual logic instance, the segment identifier and the service path is formed.
On this basis, when route learning is performed, the SID corresponding to each service path can be learned. Therefore, when an SRv6 message on a service path reaches the network security device, the network security device can determine the virtual logic instance for that service path based on the FIB table, and the determined virtual logic instance performs security protection processing on the inner layer message in the SRv6 message, so that the security of the network is ensured.
Optionally, based on any one of the foregoing embodiments, the message processing method provided in this embodiment may further include the following process: after a new virtual logic instance is created on the network security device, a new segment identifier is allocated to the new virtual logic instance; a new service path is assigned to the new virtual logic instance, the new segment identifier being the segment identifier used by the network security device in the new service path; and the new segment identifier and the instance identifier of the new virtual logic instance are written into the forwarding table.
Specifically, the new SID may be configured from the command line, and the new virtual logic instance is bound to the new SID from the command line; specific examples are as follows:
Configuring the locator: [xxx-segment-routing-ipv6] locator aaa ipv6-prefix 300::1:0:0 120 static 8
Configuring an End.AN type opcode: [xxx-segment-routing-ipv6-locator-aaa] opcode 3 end-an vsys a
In these command lines, vsys a represents the instance identifier of the virtual logic instance; ipv6-prefix indicates that the IPv6 prefix is 300::1:0:0, and combined with the opcode the new SID is 300::1:0:3. After the command lines are configured, a SID with the address 300::1:0:3 is generated; at the same time, the new SID and the vsys ID (vsys a) are issued to the forwarding table (FIB), and the correspondence between the new SID and the instance identifier of the new virtual logic instance is added to the IPv6 FIB table.
It should be noted that the security policies on different virtual logic instances may be the same, different, or partially the same, and may be configured according to the actual situation; and different virtual logic instances correspond to different SIDs. Therefore, according to the different SIDs carried by SRv6 messages, different security services can be applied to the inner layer messages, so that the service paths are better accommodated and security protection is better performed.
Therefore, the network security device can realize security detection of the inner layer message in the SRv6 message, and the purpose of security protection is achieved.
In order to better understand the present embodiment, the application scenario of the message processing method shown in fig. 2 may be taken as an example. Fig. 2 includes 2 service paths; correspondingly, the network security device requires 2 virtual logic instances corresponding respectively to the two service paths, and likewise 2 SIDs corresponding respectively to the two service paths. It should be noted that the network security device may be provided with service chain management software, denoted as the service chain module, to manage each current virtual logic instance.
On this basis, the network security device creates 2 virtual logic instances, whose instance identifiers are denoted vsys a and vsys b respectively. Accordingly, the 2 created End.AN type SIDs are denoted 2000::2 and 2000::4 respectively. The SIDs are then bound to the virtual logic instances from the command line, for example binding the SID 2000::2 to the virtual logic instance vsys a and the SID 2000::4 to the virtual logic instance vsys b, and each binding is issued to the IPv6 FIB table.
On this basis, taking service path 2 as an example, the SRv6 message is an SRv6 tunnel message. When the SRv6 tunnel message passes through the network security device, the network security device looks up the FIB table with the destination IPv6 address of the SRv6 tunnel message. If the destination IPv6 address is 2000::2, it can further be confirmed that the instance identifier corresponding to 2000::2 is vsys a; the destination IPv6 address is then replaced with the next address according to the SL, and after the replacement the SRv6 tunnel message, carrying the vsys identifier, is delivered to the service chain module.
After receiving the SRv6 tunnel message, the service chain module decapsulates the message, obtains information such as the five-tuple of the inner layer message of the tunnel, and sends the inner layer message to the corresponding virtual logic instance according to vsys a, so that the virtual logic instance can apply the security policy and the IPS, AV and other services under the security policy to the inner layer message.
If the inner layer message does not pass the security policy detection, the whole SRv6 tunnel message is discarded; if the inner layer message passes the detection, the network security device continues to forward the message. In this way, security services are applied to the inner layer message of the SRv6 tunnel, and security protection of the inner layer message is realized.
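The S101/S102 flow, the FIB-based SID lookup and the fig. 2 scenario above, as an added worked example that is not part of the patent or of the assignee's product code: it builds a constructed SRv6 tunnel packet (RFC 8754 SRH layout), looks the outer destination address up in a constructed FIB that maps the End.AN SIDs 2000::2 and 2000::4 to vsys a and vsys b, applies the End forwarding action (SL minus 1, next SID written into the outer destination), skips the extension headers to reach the inner five-tuple, checks the carried instance identifier, and applies a per-instance policy. The policies, addresses and port numbers are constructed assumptions, and the model handles only an inner IPv6 packet.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_TCP, NH_UDP, NH_IPV4, NH_IPV6_ENCAP, NH_ROUTING = 6, 17, 4, 41, 43
EXT_HDRS = {0, 43, 44, 60}  # hop-by-hop, routing, fragment, destination options

# Constructed IPv6 FIB entries: End.AN SID -> instance identifier (the patent's fig. 2 values)
FIB = {
    ipaddress.IPv6Address("2000::2"): "vsys a",
    ipaddress.IPv6Address("2000::4"): "vsys b",
}

# Constructed per-instance security policy: inner (protocol, destination port) pairs to block
POLICY = {
    "vsys a": {(NH_TCP, 23)},
    "vsys b": {(NH_TCP, 23), (NH_UDP, 69)},
}


def build_srv6_packet(segments, segments_left, inner_src, inner_dst, proto, sport, dport):
    """Outer IPv6 + SRH encapsulating an inner IPv6 packet with a minimal L4 header.
    As in the SRH, segments[0] is the last segment of the path; the outer destination
    is segments[segments_left]."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16          # 20-byte L4 header
    inner = (struct.pack("!IHBB", 0x60000000, len(l4), proto, 64)
             + ipaddress.IPv6Address(inner_src).packed
             + ipaddress.IPv6Address(inner_dst).packed + l4)
    seg_bytes = b"".join(ipaddress.IPv6Address(s).packed for s in segments)
    # next header, hdr ext len (8-octet units after the first 8), routing type 4,
    # segments left, last entry, flags, tag, then the segment list
    srh = struct.pack("!BBBBBBH", NH_IPV6_ENCAP, len(seg_bytes) // 8, 4,
                      segments_left, len(segments) - 1, 0, 0) + seg_bytes
    outer = (struct.pack("!IHBB", 0x60000000, len(srh) + len(inner), NH_ROUTING, 64)
             + ipaddress.IPv6Address("2001:db8::1").packed        # constructed outer source
             + ipaddress.IPv6Address(segments[segments_left]).packed)
    return outer + srh + inner


def end_sid_behavior(pkt):
    """The End-type forwarding action the patent describes: SL - 1, take the next SID
    from the SRH and write it into the outer destination address. Returns the new packet."""
    srh = IPV6_HDR_LEN
    if pkt[6] != NH_ROUTING or pkt[srh + 2] != 4:
        raise ValueError("outer header is not followed by an SRH")  # model simplification
    sl = pkt[srh + 3]
    if sl == 0:
        raise ValueError("no segments left")
    sl -= 1
    next_sid = pkt[srh + 8 + 16 * sl: srh + 24 + 16 * sl]
    out = bytearray(pkt)
    out[srh + 3] = sl
    out[24:40] = next_sid
    return bytes(out)


def extract_inner_5tuple(pkt):
    """Skip the outer IPv6 extension headers (the patent's 'skip the IPv6 extension
    header' step) and return the inner message's (protocol, src, dst, sport, dport)."""
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in EXT_HDRS:                       # each extension header starts (next hdr, len)
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nh != NH_IPV6_ENCAP:
        raise ValueError(f"inner packet type {nh} not handled by this model")
    inner = pkt[off:]
    src, dst = ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
    sport, dport = struct.unpack("!HH", inner[40:44])
    return inner[6], str(src), str(dst), sport, dport


def instance_inspect(self_id, carried_id, pkt):
    """Runs inside a virtual logic instance: a packet tagged with another instance's
    identifier is refused with an error indication (the patent's mismatch case);
    otherwise this instance's own security policy decides on the inner message."""
    if carried_id != self_id:
        return "error"
    proto, _src, _dst, _sport, dport = extract_inner_5tuple(pkt)
    return "drop" if (proto, dport) in POLICY[self_id] else "forward"


def process_packet(pkt):
    """Steps S101/S102 on the network security device. Returns (action, instance, outer dst)."""
    sid = ipaddress.IPv6Address(pkt[24:40])
    instance = FIB.get(sid)
    if instance is None:                        # not one of our SIDs: plain SRv6 forwarding
        return "forward", None, str(sid)
    pkt = end_sid_behavior(pkt)                 # replace the outer DA before handing over
    action = instance_inspect(instance, instance, pkt)
    return action, instance, str(ipaddress.IPv6Address(pkt[24:40]))


if __name__ == "__main__":
    # Constructed service path: this device (2000::2, vsys a) then a final hop 3000::1
    path = ["3000::1", "2000::2"]
    telnet = build_srv6_packet(path, 1, "fd00::10", "fd00::20", NH_TCP, 40000, 23)
    https = build_srv6_packet(path, 1, "fd00::10", "fd00::20", NH_TCP, 40001, 443)
    print(process_packet(telnet))   # ('drop', 'vsys a', '3000::1')
    print(process_packet(https))    # ('forward', 'vsys a', '3000::1')
```

A packet whose outer destination is not in the FIB is returned unchanged for ordinary forwarding, which is the "no security protection needed" branch of the method.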
Based on the same inventive concept, the application also provides a message processing device corresponding to the message processing method. The implementation of the message processing apparatus may refer to the above description of the message processing method, and will not be discussed here.
Referring to fig. 3, fig. 3 shows a message processing apparatus provided in an exemplary embodiment of the present application, arranged in a network security device, where the network security device includes a plurality of virtual logic instances and is configured with segment identifiers corresponding respectively to the plurality of virtual logic instances, and the apparatus includes:
a receiving module 301, configured to receive an SRv6 message;
a calling module 302, configured to call a target virtual logic instance if an outer layer destination IP address in the SRv6 packet is a segment identifier corresponding to the target virtual logic instance, so that the target virtual logic instance extracts an inner layer packet from the SRv6 packet, and performs security detection processing on the inner layer packet by using a security policy corresponding to the target virtual logic instance;
wherein the target virtual logic instance is one of the plurality of virtual logic instances.
Optionally, based on the foregoing embodiment, the message processing apparatus provided in this embodiment may further include:
an obtaining module (not shown in the figure) for obtaining a forwarding table, where the forwarding table records the correspondence between each segment identifier and the instance identifier of a virtual logic instance;
a query module (not shown in the figure) for querying the forwarding table using the outer layer destination IP address;
a determining module (not shown in the figure) configured to determine that the outer layer destination IP address in the SRv6 message is the segment identifier corresponding to the target virtual logic instance that corresponds to the target instance identifier, when the outer layer destination IP address hits the segment identifier corresponding to the target instance identifier in the forwarding table.
Optionally, based on any of the foregoing embodiments, in this embodiment, each virtual logic instance and its corresponding segment identifier corresponds to a service path.
Optionally, based on any one of the foregoing embodiments, the message processing apparatus provided in this embodiment may further include:
a creation module (not shown in the figure) for creating a new virtual logic instance on the network security device;
an allocation module (not shown in the figure) for allocating a new segment identifier to the new virtual logic instance and assigning a new service path to the new virtual logic instance, the new segment identifier being the segment identifier used by the network security device in the new service path;
a writing module (not shown in the figure) for writing the new segment identifier and the instance identifier of the new virtual logic instance into the forwarding table.
Therefore, the network security device can realize security detection of the inner layer message in the SRv6 message, and the purpose of security protection is achieved.
Based on the same inventive concept, the embodiment of the application provides an electronic device, which can be the network security device. As shown in fig. 4, the electronic device includes a processor 401 and a machine-readable storage medium 402, where the machine-readable storage medium 402 stores a computer program executable by the processor 401, and the processor 401 is caused by the computer program to perform a message processing method provided in any of the embodiments of the present application. The electronic device further comprises a communication interface 403 and a communication bus 404, wherein the processor 401, the communication interface 403 and the machine readable storage medium 402 communicate with each other via the communication bus 404.
The communication bus of the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, only one bold line is drawn in the figure, which does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The machine-readable storage medium 402 may be a memory, which may include random access memory (RAM), DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory), or non-volatile memory (NVM) such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), or the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
For the electronic device and the machine-readable storage medium embodiments, the description is relatively simple, and reference should be made to the description of the method embodiments for relevant points, since the method content involved is substantially similar to that of the method embodiments described above.
It is noted that relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
The implementation process of the functions and roles of each unit/module in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be repeated here.
For the device embodiments, reference is made to the description of the method embodiments for the relevant points, since they essentially correspond to the method embodiments. The above described apparatus embodiments are merely illustrative, wherein the units/modules illustrated as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules, i.e. may be located in one place, or may be distributed over a plurality of network units/modules. Some or all of the units/modules may be selected according to actual needs to achieve the purposes of the present application. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. A method for processing a message, applied to a network security device, wherein the network security device includes a plurality of virtual logic instances and is configured with segment identifiers respectively corresponding to the plurality of virtual logic instances, the method comprising:
receiving an SRv6 message;
if the outer destination IP address in the SRv6 message is the segment identifier corresponding to a target virtual logic instance, calling the target virtual logic instance, so that the target virtual logic instance extracts an inner message from the SRv6 message and performs security detection processing on the inner message using the security policy corresponding to the target virtual logic instance;
wherein the target virtual logic instance is one of the plurality of virtual logic instances.
2. The method of claim 1, wherein whether the outer destination IP address in the SRv6 message is the segment identifier corresponding to the target virtual logic instance is determined as follows:
obtaining a forwarding table, wherein the forwarding table records the correspondence between each segment identifier and the instance identifier of a virtual logic instance;
querying the forwarding table with the outer destination IP address;
and when the outer destination IP address hits the segment identifier corresponding to a target instance identifier in the forwarding table, determining that the outer destination IP address in the SRv6 message is the segment identifier corresponding to the target virtual logic instance identified by that target instance identifier.
3. The method of claim 1, wherein each virtual logical instance and its corresponding segment identifier corresponds to a service path.
4. The method of claim 1, further comprising:
after a new virtual logic instance is created on the network security device, allocating a new segment identifier to the new virtual logic instance;
assigning a new service path to the new virtual logic instance, the new segment identifier being the segment identifier used by the network security device in the new service path;
writing the new segment identifier and the instance identifier of the new virtual logic instance into the forwarding table.
5. A message processing apparatus, disposed in a network security device, wherein the network security device includes a plurality of virtual logic instances and is configured with segment identifiers respectively corresponding to the plurality of virtual logic instances, the apparatus comprising:
a receiving module, configured to receive an SRv6 message;
a calling module, configured to call a target virtual logic instance if the outer destination IP address in the SRv6 message is the segment identifier corresponding to the target virtual logic instance, so that the target virtual logic instance extracts an inner message from the SRv6 message and performs security detection processing on the inner message using the security policy corresponding to the target virtual logic instance;
wherein the target virtual logic instance is one of the plurality of virtual logic instances.
6. The apparatus of claim 5, further comprising:
an acquisition module, configured to obtain a forwarding table, wherein the forwarding table records the correspondence between each segment identifier and the instance identifier of a virtual logic instance;
a query module, configured to query the forwarding table with the outer destination IP address;
and a determining module, configured to determine, when the outer destination IP address hits the segment identifier corresponding to a target instance identifier in the forwarding table, that the outer destination IP address in the SRv6 message is the segment identifier corresponding to the target virtual logic instance identified by that target instance identifier.
7. The apparatus of claim 5, wherein each virtual logic instance and its corresponding segment identifier corresponds to a service path.
8. The apparatus of claim 5, further comprising:
a creation module, configured to create a new virtual logic instance on the network security device;
an allocation module, configured to allocate a new segment identifier to the new virtual logic instance and to assign a new service path to the new virtual logic instance, the new segment identifier being the segment identifier used by the network security device in the new service path;
and a writing module, configured to write the new segment identifier and the instance identifier of the new virtual logic instance into the forwarding table.
9. An electronic device comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method of any one of claims 1-4.
10. A machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method of any one of claims 1-4.
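The dispatch procedure of claims 1 to 4, and of the creation, allocation and writing modules of the apparatus embodiment, in working form, as an added example that is not code from the patent or from New H3C. An SRv6 message is modelled as an outer IPv6 header (RFC 8200), a Segment Routing Header (RFC 8754) and an inner IPv4 packet; the forwarding table maps each segment identifier to an instance identifier, and the matched virtual logic instance decapsulates the inner message and applies its own rule list. The SIDs, service-path names, rule format, class and function names and all sample packets are constructed here. Two checks go beyond what the patent states and are assumptions of this example: a message whose outer destination is not one of the device's instance SIDs is forwarded without inspection rather than handed to some default instance, and a message whose SRH still has Segments Left greater than zero is not decapsulated, because the device is then not the final segment; a malformed inner message is dropped rather than passed through uninspected.

```python
"""Added example (not code from the patent): SRv6 SID -> virtual logic instance dispatch.
Layouts follow RFC 8200 (IPv6) and RFC 8754 (SRH); SIDs, rules and packets are constructed."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

IPPROTO_IPV4, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6, IPPROTO_ROUTING = 4, 6, 17, 41, 43
SRH_ROUTING_TYPE = 4  # the SRH is IPv6 routing header type 4

def build_ipv4(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed inner IPv4 packet: 20-byte header plus a minimal L4 header carrying the ports."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + l4

def build_srv6(src: str, segments: list, segments_left: int, inner: bytes) -> bytes:
    """Constructed SRv6 message: outer IPv6 + SRH + inner packet; outer dst = Segment List[segments_left]."""
    segs = b"".join(ipaddress.IPv6Address(s).packed for s in segments)
    srh = struct.pack("!BBBBBBH", IPPROTO_IPV4, len(segs) // 8, SRH_ROUTING_TYPE,
                      segments_left, len(segments) - 1, 0, 0) + segs
    outer = struct.pack("!IHBB", 0x60000000, len(srh) + len(inner), IPPROTO_ROUTING, 64)
    outer += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(segments[segments_left]).packed
    return outer + srh + inner

def parse_outer(pkt: bytes):
    """Return (outer destination, next header, payload) from the fixed 40-byte IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, next_hdr = struct.unpack("!HB", pkt[4:7])
    return ipaddress.IPv6Address(pkt[24:40]), next_hdr, pkt[40:40 + plen]

def decapsulate(next_hdr: int, payload: bytes) -> Optional[bytes]:
    """Strip the SRH and return the inner message, or None when nothing should be inspected here.
    Assumption beyond the patent: only the final segment (Segments Left == 0) decapsulates."""
    if next_hdr == IPPROTO_ROUTING and len(payload) >= 8:
        next_hdr, ext_len, rtype, seg_left = struct.unpack("!BBBB", payload[:4])
        if rtype != SRH_ROUTING_TYPE or seg_left != 0:
            return None
        payload = payload[8 + ext_len * 8:]
    return payload if next_hdr in (IPPROTO_IPV4, IPPROTO_IPV6) else None

def parse_inner(inner: bytes):
    """Return (L4 protocol, destination port) of an inner IPv4/IPv6 packet; raises on malformed input."""
    version = inner[0] >> 4 if inner else 0
    if version == 4:
        hlen, proto = (inner[0] & 0x0F) * 4, inner[9]
    elif version == 6:
        hlen, proto = 40, inner[6]
    else:
        raise ValueError("inner packet is neither IPv4 nor IPv6")
    dport = struct.unpack("!H", inner[hlen + 2:hlen + 4])[0] if proto in (IPPROTO_TCP, IPPROTO_UDP) else 0
    return proto, dport

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: Optional[int] = None  # None matches any L4 protocol
    dport: Optional[int] = None  # None matches any destination port

@dataclass
class VirtualInstance:
    instance_id: int
    sid: ipaddress.IPv6Address
    service_path: str            # hypothetical name of the service path that uses this SID
    rules: list = field(default_factory=list)
    default: str = "deny"

    def inspect(self, inner: bytes) -> str:
        """Security detection with this instance's own policy: first matching rule wins."""
        proto, dport = parse_inner(inner)
        for rule in self.rules:
            if rule.proto in (None, proto) and rule.dport in (None, dport):
                return rule.action
        return self.default

class SecurityDevice:
    def __init__(self):
        self.instances = {}  # instance identifier -> VirtualInstance
        self.fwd_table = {}  # segment identifier -> instance identifier (the forwarding table of claim 2)

    def create_instance(self, sid: str, service_path: str, rules, default: str = "deny") -> int:
        """Create an instance, allocate its SID and service path, write SID -> instance id to the table."""
        sid_addr = ipaddress.IPv6Address(sid)
        if sid_addr in self.fwd_table:
            raise ValueError(f"SID {sid} already allocated to instance {self.fwd_table[sid_addr]}")
        iid = len(self.instances) + 1
        self.instances[iid] = VirtualInstance(iid, sid_addr, service_path, list(rules), default)
        self.fwd_table[sid_addr] = iid
        return iid

    def handle(self, pkt: bytes):
        """Look up the outer destination; on a hit the matched instance inspects the inner message."""
        outer_dst, next_hdr, payload = parse_outer(pkt)
        iid = self.fwd_table.get(outer_dst)
        if iid is None:
            return "forward", None  # assumption: not an instance SID, plain forwarding without inspection
        inner = decapsulate(next_hdr, payload)
        if inner is None:
            return "drop", iid
        try:
            return self.instances[iid].inspect(inner), iid
        except (ValueError, IndexError, struct.error):
            return "drop", iid  # malformed inner message: fail closed instead of skipping the policy
```

The two instances deliberately carry different policies: the same inner packet (TCP to port 22) is denied by instance 1 and permitted by instance 2, which is the per-instance isolation the segment identifier provides. Allocating a SID that is already in the forwarding table is refused, since a second entry for the same key would make the lookup of claim 2 ambiguous.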
CN202311508170.6A 2023-11-09 2023-11-09 Message processing method and device Pending CN117728978A (en)

Publications (1)

Publication Number Publication Date
CN117728978A true CN117728978A (en) 2024-03-19

Family

ID=90209658

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination