CN117749688A - Message transmission method, device and storage medium - Google Patents


Info

Publication number
CN117749688A
Authority
CN
China
Prior art keywords
message
transmission path
address
network device
source
Legal status
Pending
Application number
CN202311823602.2A
Other languages
Chinese (zh)
Inventor
刘紫千
贾献博
孟坤
佟欣哲
杨成
张熹
于鹏
Current Assignee
Tianyi Safety Technology Co Ltd
Original Assignee
Tianyi Safety Technology Co Ltd


Abstract

The application discloses a message transmission method, a message transmission device and a storage medium, and relates to the technical field of networks. The method is applicable to a first network device in a transmission path and specifically comprises the following steps: the first network device receives a first downlink message fed back for a first uplink message, wherein the first network device is used for carrying out security detection on messages, and the first uplink message is a message sent from a source IP address to a destination IP address. The first network device acquires first information in the first downlink message, wherein the first information includes the source IP address and the destination IP address. The first network device determines a first transmission path from pre-stored first system configuration information according to the first information, wherein the first transmission path is the transmission path adopted by the first uplink message. The first network device then sends the first downlink message to the second network device corresponding to the source IP address according to the first transmission path. The method is used for ensuring stable transmission of messages.

Description

Message transmission method, device and storage medium
Technical Field
The present invention relates to the field of network technologies, and in particular, to a method, an apparatus, and a storage medium for transmitting a message.
Background
SRv6 (Segment Routing over IPv6, IPv6-based segment routing) is a new-generation IP bearer protocol. It reuses the existing IPv6 forwarding technology and realizes network programming through a flexible IPv6 extension header.
Based on the SRv6 service chaining technique, services on different network devices can be logically connected together to form an ordered service combination. For example, service nodes such as an intrusion prevention system (IPS) and a firewall (FW) may be connected in series; when a data packet is transmitted in the network, it passes through each service node according to a pre-planned transmission path, thereby providing a safe, fast and stable service to the user.
However, in this scenario the network access security policy generally requires that uplink access data and the corresponding response data pass through the service nodes of the same transmission path. For example, suppose there are a transmission path 1 and a transmission path 2: if the response to uplink access data that passed the check of the firewall on transmission path 1 is instead sent over transmission path 2, it may be intercepted by the firewall on transmission path 2, resulting in abnormal message transmission. Therefore, how to ensure stable message transmission in this scenario is a problem worth investigating in depth.
Disclosure of Invention
The application provides a message transmission method, a message transmission device and a storage medium, which are used for ensuring stable message transmission.
In a first aspect, the present application provides a method for transmitting a message. The method is applicable to a first network device in a transmission path, and specifically comprises the following steps: the first network device receives a first downlink message fed back for a first uplink message, wherein the first network device is used for carrying out security detection on messages, and the first uplink message is a message sent from a source IP address to a destination IP address. The first network device acquires first information in the first downlink message, wherein the first information includes the source IP address and the destination IP address. The first network device determines a first transmission path from pre-stored first system configuration information according to the first information, wherein the first system configuration information comprises a plurality of transmission paths, and the first transmission path is the transmission path adopted by the first uplink message. The first network device then sends the first downlink message to the second network device corresponding to the source IP address according to the first transmission path.
In this embodiment of the present application, before the first downlink packet fed back for the first uplink packet is transmitted, the first network device may determine the first transmission path from the pre-stored first system configuration information according to the first information in the first downlink packet. The first transmission path is a transmission path adopted by the first uplink message. The first network device sends the first downlink message to the second network device corresponding to the source IP address according to the first transmission path, so that the first uplink message and the first downlink message pass through the same transmission path without being abnormally intercepted, and stable transmission of the messages is ensured.
Optionally, the first network device determines a first transmission path from the pre-stored first system configuration information according to the first information, including: the first network device performs hash calculation on the first information to obtain a hash value. The first network device determines an index of a transmission path consistent with the hash value from the pre-stored first system configuration information according to the hash value. The first network device determines a transmission path corresponding to the index as a first transmission path.
In the embodiment of the present application, the hash value may be obtained by performing a hash calculation in advance on the first information, which consists of the source IP address and the destination IP address. The hash value is used as the index of the transmission path, so that when the first network device matches the corresponding transmission path for the first downlink message, it carries out the hash calculation on the source IP address and the destination IP address and thereby obtains the first transmission path. Because the source IP address and the destination IP address corresponding to the first uplink message and the first downlink message are the same, the first network device can match the first downlink message to the same transmission path as the first uplink message, so that both directions of the traffic share one path.
Optionally, the first transmission path corresponds to N different source IP addresses and destination IP addresses, N is in a preset range, and N is an integer greater than or equal to one.
In this embodiment of the present application, the first transmission path may correspond to N different source IP addresses and destination IP addresses, where N is in a preset range, that is, the number of different source IP addresses and destination IP addresses corresponding to one transmission path is in a reasonable range, so that the load of the transmission path is relatively balanced.
Optionally, before the first network device determines the first transmission path from the pre-stored first system configuration information according to the first information, the method further includes: the first network device acquires second system configuration information, which further comprises at least one drainage policy (traffic steering policy), where a drainage policy is used to steer either the uplink messages or the downlink messages in the network traffic. The first network device matches a first drainage policy from the second system configuration information according to second information of the first downlink message, wherein the first drainage policy is used for steering downlink messages, and the second information comprises the source IP address, source port, destination port and protocol type of the first downlink message. The first network device determines a plurality of transmission paths through the first drainage policy, wherein the plurality of transmission paths comprise the first transmission path and are used for sharing the load of downlink messages in the network traffic.
Optionally, the method further comprises: the first network device detects the first downlink message and judges through the detection whether the first downlink message is a network attack. If the first downlink message is a network attack, the first downlink message is discarded.
Optionally, the first network device sending the first downlink message to the second network device corresponding to the source IP address according to the first transmission path includes: the first network device becomes a node in the first transmission path by configuring a service function (SF) proxy function, and a plurality of network devices, each configured as such a node by the SF proxy function, together form a data transmission channel. The first network device sends the first downlink message to the second network device corresponding to the source IP address through the SF proxy function.
In a second aspect, the present application provides a message transmission apparatus. The apparatus is applicable to a first network device in a transmission path, the apparatus comprising: the device comprises a receiving module, an obtaining module, a determining module and a sending module. The receiving module is used for receiving a first downlink message fed back for a first uplink message, the first network device is used for carrying out safety detection on the message, and the first uplink message is a message sent from a source IP address to a destination IP address. The acquisition module is used for acquiring first information in the first downlink message; wherein the first information includes a source IP address and a destination IP address. The determining module is configured to determine a first transmission path from pre-stored first system configuration information according to first information, where the first system configuration information includes a plurality of transmission paths, and the first transmission path is a transmission path adopted by a first uplink packet. The sending module is used for sending the first downlink message to the second network equipment corresponding to the source IP address according to the first transmission path.
Optionally, the determining module is specifically configured to carry out a hash calculation on the first information to obtain a hash value, to determine from the pre-stored first system configuration information the index of the transmission path consistent with the hash value, and to determine the transmission path corresponding to that index as the first transmission path.
Optionally, the first transmission path corresponds to N different source IP addresses and destination IP addresses, N is in a preset range, and N is an integer greater than or equal to one.
Optionally, the determining module is further configured to acquire second system configuration information, which further comprises at least one drainage policy (traffic steering policy), where a drainage policy is used to steer either the uplink messages or the downlink messages in the network traffic; to match a first drainage policy from the second system configuration information according to second information of the first downlink message, wherein the first drainage policy is used for steering downlink messages, and the second information comprises the source IP address, source port, destination port and protocol type of the first downlink message; and to determine a plurality of transmission paths through the first drainage policy, wherein the plurality of transmission paths comprise the first transmission path and are used for sharing the load of downlink messages in the network traffic.
Optionally, the determining module is further configured to detect the first downlink packet, and determine whether the first downlink packet is a network attack through the detection. If the first downlink message is a network attack, discarding the first downlink message.
Optionally, the sending module is specifically configured to make the first network device a node in the first transmission path by configuring the service function (SF) proxy function, a plurality of network devices each configured as such a node together forming a data transmission channel, and to send the first downlink message to the second network device corresponding to the source IP address through the SF proxy function.
In a third aspect, embodiments of the present application provide an electronic device that includes a processor and a memory communicatively coupled to the processor. Wherein the memory stores computer-executable instructions that are executed by the processor to enable the processor to perform the method of any one of the first aspects.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, cause the processor to perform the method of any one of the first aspects.
Drawings
Fig. 1 is a schematic diagram of an application scenario of a message transmission method provided in an embodiment of the present application;
Fig. 2 is a flow chart of a message transmission method provided in an embodiment of the present application;
Fig. 3 is a message format based on the SRv6 transmission technology according to an embodiment of the present application;
Fig. 4 is a schematic diagram of an architecture for configuring packet transmission according to an embodiment of the present application;
Fig. 5 is a schematic diagram of a proxy function configured by an SF proxy according to an embodiment of the present application;
Fig. 6 is a schematic diagram of a message transmission architecture according to a first embodiment of the present application;
Fig. 7 is a schematic diagram of a transmission path of an uplink packet according to a first embodiment of the present application;
Fig. 8 is a schematic diagram of a transmission path of a downlink message in the first embodiment of the present application;
Fig. 9 is a schematic structural diagram of a message transmission device provided in an embodiment of the present application;
Fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The application aims to solve the problem of message transmission, and for convenience of understanding, a message transmission scene in the application is briefly described.
As shown in Fig. 1, the terminal devices include portable computers, mobile phones, personal computers, etc., and different terminal devices and servers have different IP addresses. For example, as shown in Fig. 1, the IP address of the portable computer is 1.1.1.1/32, the IP address of the mobile phone is 1.1.1.2/32, the IP address of the personal computer is 1.1.1.3/32, and the IP addresses of the back-end servers are 2.2.2.2/32, 3.3.3/32 and 4.4.4.4/32, respectively. A terminal device may initiate access to a server over the network. When initiating access, the device encapsulates the IP address of the server to be accessed into an access message and sends the message into the network. Each node of the network forwards the message hop by hop according to the IP address of the server the device wants to access, and the message finally reaches that server. Typically, before the message arrives at the server, it passes through security service nodes such as an intrusion prevention system (IPS) and a firewall (FW). Taking a firewall as an example, by configuring a security policy it can detect and forward network traffic and intercept abnormal traffic in the network.
The firewall may configure its security policy based on the IP address of the terminal device, that is, the IP addresses within one segment may be set as trusted IP addresses and the IP addresses within other segments as untrusted IP addresses. Different firewalls may be configured with different security policies. For example, firewall unit 1 may set the portable computer's IP address 1.1.1.1/32 as a trusted IP address, while firewall units 2 and 3 both set it as an untrusted IP address.
In this case, the portable computer's message must be forwarded to firewall unit 1 and, after firewall unit 1 has inspected it, on to the server; otherwise the message will be intercepted by firewall unit 2 or firewall unit 3. In addition, the server's load routing when it sends a message is random, so if the response message for the portable computer is sent over an arbitrary transmission path, and in particular over the transmission path of firewall unit 2 or firewall unit 3, the response message may be intercepted.
For this reason, the embodiment of the application provides a message transmission method. A transmission path is constructed based on SRv6 technology, and for the downlink message that the server feeds back for an uplink message, the source IP address and destination IP address of the uplink message are encapsulated into the downlink message. After receiving the downlink message, the network device may determine, according to the first information in the downlink message (the source IP address and the destination IP address), a first transmission path from the pre-stored first system configuration information, where the first transmission path is the transmission path adopted by the uplink message. In this way, the network device can feed the downlink message back to the network device corresponding to the source IP address through the same transmission path as the uplink message.
It should be noted that, in the embodiment of the present application, the foregoing fig. 1 is only a simplified schematic diagram for easy understanding, and the transmission scenario is described to more clearly illustrate the technical solution of the embodiment of the present application, and does not constitute a limitation on the technical solution provided by the embodiment of the present application, and as one of ordinary skill in the art can know that, with evolution of the network architecture and appearance of a new service scenario, the technical solution provided by the embodiment of the present application is equally applicable to similar technical problems.
In order to facilitate understanding of the scheme, related terms referred to in the embodiments of the present application are explained below.
1) Transmission path. In SRv6 the network path is divided into segments, and a segment identifier (SID) is assigned to each segment and to each network device in the network; the segments together constitute a transmission path. Each network device acts as a node in the transmission path, and the network device at each node is assigned a SID. It should be understood that the transmission path of a message referred to in this application has a direction: the first node that the message passes through on the transmission path may be referred to as the head node, and the last node it passes through may be referred to as the tail node. That is, the head node differs for the two directions of the same transmission path.
2) SRv6 TE (SRv6 Traffic Engineering) is SRv6-based traffic engineering tunneling, which enables scheduling of traffic forwarding paths by means of SRv6 TE technology. An SRv6 TE Policy (hereinafter referred to as SR Policy) is generally used to define the transmission path of a message. One SR Policy may have multiple transmission paths. Message forwarding is realized by steering the data messages in the network traffic into the corresponding SR Policy.
In an SRv6 network, the information in an SR Policy may be configured with the head node, tail node and Color value of the transmission path. Each SR Policy may correspond to multiple transmission paths, including a Candidate Path; Candidate Paths are divided into an Active Path and a Standby Path, and different signaling protocols issue different Candidate Paths. Each transmission path is configured with a Segment List, which identifies a specific forwarding path. For example, the Segment List may be "PE1 -> P2 -> PE3", meaning that the packet is sent by PE1 to P2 and then forwarded by P2 to PE3.
Referring to fig. 2, a flowchart of a message transmission method provided in an embodiment of the present application is shown. In the following description, an example will be described in which the method is executed by the first network device in the transmission path. It should be appreciated that the first network device may be any electronic device having processing capabilities, including, but not limited to, a desktop computer, a server, a network device, a smart phone, a tablet computer, etc., and embodiments of the present application are not particularly limited. The terminal device includes, but is not limited to, a portable computer, a mobile phone, a personal computer, etc. as shown in fig. 1. It should be understood that, unless specifically stated otherwise, reference to "first," "second," etc. ordinal words of the embodiments herein are used for distinguishing between multiple objects and are not used for limiting the order, timing, priority, or importance of the multiple objects. For example, the first network device and the second network device are merely for distinguishing between different network devices, and are not intended to represent differences in the structure, priority, importance, etc. of the two network devices.
S201, a first network device receives a first downlink message fed back for a first uplink message, wherein the first network device is used for carrying out security detection on the message, and the first uplink message is a message sent from a source IP address to a destination IP address.
The terminal device may send a message to the server to access the server, and accordingly, the server may feed back the message to the terminal device. In this application, the IP address of the terminal device may be regarded as a source IP address, and the IP address of the server may be regarded as a destination IP address. The message sent by the terminal device to the server may be represented as a message sent from the source IP address to the destination IP address, which is called an uplink message. The message sent by the server to the terminal device may be expressed as a message sent from the destination IP address to the source IP address, which is called a downlink message. In the following description, an uplink message sent from a source IP address to a destination IP address is taken as an example, and a downlink message sent from a destination IP address to a source IP address is taken as an example.
The uplink message and the downlink message between the terminal equipment and the server can be transmitted through one transmission path of a plurality of transmission paths. It should be understood that the transmission paths have directivity, and that the directions of the transmission paths may be distinguished according to an uplink message or a downlink message for the same transmission path. One or more network devices may be present on a transmission path, which may constitute different network nodes on the transmission path.
In this embodiment of the present application, the first network device refers to the head node device on a transmission path. In general, whether for an uplink message or a downlink message, configuration such as load sharing and transmission path selection is required before the message enters the transmission path. The first network device can realize these configuration functions of load sharing, transmission path selection and the like for message transmission.
The nodes of one transmission path comprise network security service nodes, the network security service nodes comprise security service nodes such as an Intrusion Prevention System (IPS), a Firewall (FW) and the like, and when a message passes through the nodes on the transmission path, the security service nodes can perform security detection on the message. Each node of the network security service may correspond to a network device. That is, if the first network device corresponds to a device in the security service node, the security detection may be performed on the first uplink message or the first downlink message.
Since the network security service nodes on a transmission path perform security detection on uplink or downlink messages, and the security policies configured on the network security service nodes of different transmission paths may differ, a message may be intercepted. For example, suppose the network security service node firewall 1 classifies the first uplink message as a secure access message according to the message's source IP address and destination IP address; the terminal device sends the first uplink message to the server through transmission path 1, and the server successfully receives it. The server then feeds back a first downlink message for the first uplink message. If the first downlink message is fed back through transmission path 2, and firewall 2, the network security service node on transmission path 2, has the source IP address configured as an untrusted IP address, the first downlink message is intercepted and its transmission fails.
S202, the first network equipment acquires first information in a first downlink message, wherein the first information comprises a source IP address and a destination IP address.
In the embodiment of the application, when the terminal device or the server sends the message, the source IP address and the destination IP address corresponding to the terminal device and the server can be encapsulated into the message, so that the transmission path can be selected according to the source IP address and the destination IP address in the message. Because the source IP address and the destination IP address corresponding to the uplink message and the downlink message are the same, the uplink message and the downlink message can pass through the same transmission path by selecting the transmission path based on the source IP address and the destination IP address. Thus, the safe transmission of the downlink message fed back aiming at the uplink message can be ensured.
Fig. 3 shows a message format based on the SRv6 transmission technology in an embodiment of the present application. The format adds a Segment Routing Header (SRH) extension header to the IPv6 header. The SRH extension header includes the following fields: Next Header, Hdr Ext Len, Routing Type, Segments Left, Last Entry, Flags, Tag, Segment List, etc. Next Header identifies the type of header immediately following the SRH. Hdr Ext Len gives the length of the SRH. Routing Type identifies the routing header type. Segments Left is the number of intermediate nodes that still have to be visited before reaching the destination node. Last Entry holds the index of the last element of the Segment List. Flags carries per-packet flag bits. Tag identifies packets belonging to the same group.
Of these, the most important is the Segment List, in which each entry is a 128-bit IPv6 address. The Segment List stores the IPv6 transmission path information and guides the forwarding of the message. Segment List[0] is the last segment of the path, Segment List[1] is the second-to-last segment, and Segment List[n] is the first segment. The source IP address and destination IP address of the message transmission can therefore be encapsulated into the SR extension header of the message.
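As an added illustration (not code from the patent), the following Python builds and parses the SRH described above, showing that Segment List[0] is the last segment, that the active segment is Segment List[Segments Left], and how a malformed Hdr Ext Len or Segments Left is rejected; the SIDs are constructed placeholders.

```python
"""Builder and parser for the IPv6 Segment Routing Header (SRH) described above.
Constructed example, not code from the patent; SIDs are placeholder addresses."""
import ipaddress
import struct

# Fixed 8-byte part of the SRH, in wire order:
# Next Header, Hdr Ext Len, Routing Type, Segments Left, Last Entry, Flags, Tag
SRH_FIXED = struct.Struct("!BBBBBBH")
ROUTING_TYPE_SRH = 4   # Routing Type value that identifies an SRH


def build_srh(path, segments_left, next_header=6, tag=0):
    """Encode a path given in forwarding order (first hop first) as an SRH.

    Segment List[0] holds the last segment and Segment List[n] the first,
    so the path is written in reverse. No TLVs are appended.
    """
    segs = [ipaddress.IPv6Address(s) for s in reversed(path)]
    n = len(segs)
    if n == 0 or not 0 <= segments_left < n:
        raise ValueError("empty path or Segments Left out of range")
    # Hdr Ext Len counts 8-octet units after the first 8 octets: 2 per segment
    fixed = SRH_FIXED.pack(next_header, 2 * n, ROUTING_TYPE_SRH,
                           segments_left, n - 1, 0, tag)
    return fixed + b"".join(s.packed for s in segs)


def parse_srh(data):
    """Decode an SRH from bytes, validating the length and index fields.

    Returns a dict with the fixed fields and 'segment_list' in wire order
    (index 0 = last segment). Any TLVs after the list are ignored.
    """
    if len(data) < SRH_FIXED.size:
        raise ValueError("truncated SRH")
    nh, ext_len, rtype, seg_left, last_entry, flags, tag = SRH_FIXED.unpack_from(data)
    if rtype != ROUTING_TYPE_SRH:
        raise ValueError("Routing Type %d is not an SRH" % rtype)
    n = last_entry + 1
    total_len = 8 + 8 * ext_len
    if len(data) < total_len or 8 + 16 * n > total_len:
        raise ValueError("Hdr Ext Len does not cover the Segment List")
    if seg_left > last_entry:
        raise ValueError("Segments Left exceeds Last Entry")
    segs = [ipaddress.IPv6Address(data[8 + 16 * i:24 + 16 * i]) for i in range(n)]
    return {"next_header": nh, "hdr_ext_len": ext_len, "segments_left": seg_left,
            "last_entry": last_entry, "flags": flags, "tag": tag,
            "segment_list": segs}


def path_order(srh):
    """Segment List in forwarding order: first hop first."""
    return [str(s) for s in reversed(srh["segment_list"])]


def active_segment(srh):
    """The segment a node forwards to next: Segment List[Segments Left]."""
    return str(srh["segment_list"][srh["segments_left"]])


def advance(srh_bytes):
    """Return a copy of the SRH after a segment endpoint decrements Segments Left."""
    srh = parse_srh(srh_bytes)
    if srh["segments_left"] == 0:
        raise ValueError("already at the last segment")
    out = bytearray(srh_bytes)
    out[3] -= 1   # Segments Left lives at byte offset 3 of the SRH
    return bytes(out)


if __name__ == "__main__":
    # Constructed three-hop path: ingress -> security node -> egress
    wire = build_srh(["2001:db8::1", "2001:db8::2", "2001:db8::3"], segments_left=2)
    hdr = parse_srh(wire)
    print("wire order:", [str(s) for s in hdr["segment_list"]])
    print("path order:", path_order(hdr))
    print("active now:", active_segment(hdr))
    print("after hop :", active_segment(parse_srh(advance(wire))))
```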
Taking the first downlink message as an example, the source IP address and the destination IP address of the first downlink message may be referred to as first information, and when the server sends the first downlink message, the first information is encapsulated into the first downlink message. After receiving the first downlink message, the first network device may acquire first information in the first downlink message, and perform load sharing, transmission path selection, and the like for transmission of the first downlink message according to the first information.
S203, the first network device determines a first transmission path from pre-stored first system configuration information according to the first information, wherein the first system configuration information comprises a plurality of transmission paths, and the first transmission path is a transmission path adopted by a first uplink message.
Referring to Fig. 4, the first network device may configure load sharing and transmission path selection for packet transmission through the control plane, the forwarding plane and the system memory. The first network device may configure drainage policies (traffic steering policies) through the control plane. A drainage policy is used to steer either the uplink messages or the downlink messages in the network traffic, and the first network device may configure at least one such policy. For example, for the uplink packets in the network traffic one drainage policy may be configured, called the second drainage policy, and a correspondence between the second drainage policy and uplink packets is established. When the first network device detects a message on a port, it matches the message against the drainage policies configured by the control plane; if the message matches the second drainage policy, the message is an uplink message, and the first network device can further select a corresponding transmission path for it from the plurality of transmission paths in the uplink direction. Accordingly, for the downlink messages in the network traffic a drainage policy may be configured, called the first drainage policy. When the first network device detects a message on a port and the message matches the first drainage policy, the message is a downlink message, and the first network device further matches a transmission path in the downlink direction for it.
With continued reference to fig. 4, the segment lists of the transmission paths are also configured in SR policies through the control plane. For SR policy1, in the uplink direction, a plurality of transmission paths in the uplink direction are configured to form the uplink load sharing paths, named SL1, SL2, …, SLn-1, SLn in configuration order; the number of nodes in each transmission path is set according to actual requirements. For SR policy2, in the downlink direction, a plurality of transmission paths in the downlink direction are configured to form the downlink load sharing paths, also named SL1, SL2, …, SLn-1, SLn in configuration order.
Transmission paths with the same name in SR policy1 and SR policy2 contain the same nodes, in one-to-one correspondence but in reverse order: the node sequence of SL1 in SR policy2 is the reverse of the node sequence of SL1 in SR policy1, the node sequence of SL2 in SR policy2 is the reverse of that of SL2 in SR policy1, and so on. Consequently, when the first network device matches the first uplink packet to SLn in SR policy1 and the first downlink packet to SLn in SR policy2 with the same n, the first uplink packet and the first downlink packet are guaranteed to pass through the same nodes, the reply visiting them in the opposite order.
In the embodiment of the application, the configured steering policies and SR policies may be stored in the same system configuration information, so that after receiving the first downlink packet the first network device finds both the steering policy and the transmission path for it with a single lookup. Alternatively, the steering policies and the transmission paths of the SR policies may be stored separately: the SR policies in the first system configuration information and the steering policies in the second system configuration information, with a mapping between the two. The first network device then first matches the steering policy for the first downlink packet and, through the mapping between the first and second system configuration information, determines the SR policy and the transmission path for the packet.
The first network device may acquire the second system configuration information and match the first steering policy from it according to the second information of the first downlink packet, i.e. its source IP address, source port, destination IP address, destination port and protocol type (the 5-tuple). According to the first steering policy, the first network device steers the first downlink packet onto the plurality of transmission paths belonging to that policy, which share the load between them, and then determines the particular transmission path for the packet.
In this embodiment, so that the transmission path matched for the first downlink packet is the same as the one used by the first uplink packet, a symmetric hash may be used to establish the correspondence between the first information and the transmission path. A symmetric hash is one whose value does not change when the source and destination fields are exchanged, for instance by hashing the two addresses in sorted order, or by combining them with a commutative operation before hashing. The first downlink packet is the reply to the first uplink packet, so its source IP address is the uplink packet's destination IP address and its destination IP address is the uplink packet's source IP address: the same pair of addresses, in the opposite order, and therefore the same first information as far as a symmetric hash is concerned. The hash values computed from the first information of the first uplink packet and of the first downlink packet are thus identical. If the hash value is used as the index of a transmission path in the first system configuration information, the first information of the first uplink packet and that of the first downlink packet lead to the same transmission path. Accordingly, the first network device calculates the hash value from the first information, finds in the first system configuration information the transmission path index consistent with the hash value (for example the hash reduced modulo the number of configured paths), and takes the transmission path at that index as the first transmission path. An ordinary hash over the two addresses in packet order would generally give different values for the two directions and could send the reply down a different path.
In addition, to ensure that the transmission paths share the network load evenly, when the first system configuration information is configured a correspondence may be established between N different items of first information and each transmission path, that is, N different source/destination IP address pairs map to one transmission path. N lies within a preset range: the number of distinct address pairs assigned to each transmission path is kept within that range so that the load on the paths is balanced and packet transmission stays stable.
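The path selection of S203, as an added example that is not part of the patent: the two steering policies, the paired segment lists SL1 and SL2 of SR policy1 and SR policy2, the symmetric hash over the address pair, and a count of address pairs per path against a preset range, in Python. The node names, the 1.1.1.1/32 prefix taken from Embodiment 1, the SHA-256 based hash and the modulo-n index are assumptions; the patent does not specify the hash function or the index mapping. It also contrasts the symmetric hash with an order-dependent one, which is the failure mode the passage guards against.

```python
import hashlib
import ipaddress
from collections import Counter

# SR policy1 (uplink): segment lists named in configuration order; each value is
# the ordered list of service-function nodes. Node names are constructed.
SR_POLICY1 = {"SL1": ["IPS1", "FW1"], "SL2": ["IPS2", "FW2"]}


def reverse_policy(uplink_policy):
    """Derive SR policy2 (downlink): same names, each node sequence reversed."""
    return {name: list(reversed(nodes)) for name, nodes in uplink_policy.items()}


SR_POLICY2 = reverse_policy(SR_POLICY1)

# Steering policies (constructed): the uplink policy matches on the source prefix,
# the downlink policy on the destination prefix, as in Embodiment 1 of the patent.
STEERING = [
    {"match": "src", "prefix": "1.1.1.1/32", "sr_policy": SR_POLICY1},  # second steering policy
    {"match": "dst", "prefix": "1.1.1.1/32", "sr_policy": SR_POLICY2},  # first steering policy
]


def naive_hash(src_ip, dst_ip):
    """Order-dependent hash: the reply, with src/dst swapped, gets another value."""
    data = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def symmetric_hash(src_ip, dst_ip):
    """Order-independent hash: sort the two addresses before hashing, so that
    (src, dst) and (dst, src) give the same 64-bit value. SHA-256 is an assumption."""
    lo, hi = sorted((ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed))
    return int.from_bytes(hashlib.sha256(lo + hi).digest()[:8], "big")


def select_segment_list(policy, src_ip, dst_ip):
    """The hash value, reduced modulo the number of paths, is the path index."""
    names = sorted(policy, key=lambda n: int(n[2:]))      # SL1, SL2, ...
    return names[symmetric_hash(src_ip, dst_ip) % len(names)]


def steer(src_ip, dst_ip):
    """Match the packet against the steering policies in order; return the SR
    policy whose segment lists share the load, or None if nothing matches."""
    for rule in STEERING:
        field = src_ip if rule["match"] == "src" else dst_ip
        if ipaddress.ip_address(field) in ipaddress.ip_network(rule["prefix"]):
            return rule["sr_policy"]
    return None


def select_path(src_ip, dst_ip):
    """Head-node decision: steering first, then the hash-indexed segment list.
    Returns (segment list name, node sequence) or None."""
    policy = steer(src_ip, dst_ip)
    if policy is None:
        return None
    name = select_segment_list(policy, src_ip, dst_ip)
    return name, policy[name]


def paths_are_symmetric(client_ip, server_ip):
    """True when the reply (addresses swapped) visits the request's nodes in reverse."""
    up = select_path(client_ip, server_ip)
    down = select_path(server_ip, client_ip)
    return (up is not None and down is not None
            and up[0] == down[0] and down[1] == list(reversed(up[1])))


def flow_distribution(policy, client_net, server_ip):
    """Number of distinct (client, server) address pairs mapped to each path."""
    counts = Counter()
    for host in ipaddress.ip_network(client_net).hosts():
        counts[select_segment_list(policy, str(host), server_ip)] += 1
    return counts


def balanced(counts, policy, n_min, n_max):
    """Every path carries between n_min and n_max pairs: N within the preset range."""
    return all(n_min <= counts.get(name, 0) <= n_max for name in policy)


if __name__ == "__main__":
    print(select_path("1.1.1.1", "2.2.2.2"), select_path("2.2.2.2", "1.1.1.1"))
    print(flow_distribution(SR_POLICY1, "10.0.0.0/24", "2.2.2.2"))
```

Sorting the two addresses before hashing is the whole trick: the uplink packet (1.1.1.1 to 2.2.2.2) and the reply (2.2.2.2 to 1.1.1.1) hash to the same index, so the same-named segment list is chosen from SR policy1 and SR policy2 and the reverse node order falls out of how SR policy2 was built. Ports are deliberately left out of the hash, since the source and destination ports also swap in the reply and would have to be sorted the same way.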
S204: the first network device sends the first downlink packet to the second network device corresponding to the source IP address according to the first transmission path.
After determining the first transmission path for the first downlink packet, the first network device encapsulates the first transmission path into the first downlink packet (as an SRv6 segment list) and sends the packet along the first transmission path to the second network device corresponding to the source IP address. The first downlink packet is forwarded hop by hop: each node in the first transmission path, on receiving the packet, reads the node information for the first transmission path carried in the packet and forwards the packet to the next node it names, until the packet reaches the second network device corresponding to the source IP address.
In the embodiment of the application, the data transmission can be realised by configuring the SF proxy function. Network security service nodes such as an intrusion prevention system (IPS) and a firewall (FW) do not support the SRv6 Service Function (SF) role by default, that is, they cannot process the SRv6 segment routing header themselves; by configuring an SF proxy in front of them, the device hosting a security service node can take part in the SRv6 service chain, the proxy removing the SRv6 encapsulation before the packet reaches the service and restoring it afterwards. Each network device in the first transmission path enables SRv6 transport in this way, forms a node of the first transmission path, and is assigned a SID. The nodes formed through the SF proxy function together make up the data transmission channel over which the first network device sends the first downlink packet to the second network device corresponding to the source IP address.
Referring to fig. 5, the network device acting as the uplink head node / downlink tail node of the transmission path sends packets to the network device acting as the downlink head node through the SF proxy function, and correspondingly the network device acting as the downlink head node / uplink tail node sends packets to the network device acting as the uplink head node through the SF proxy function.
The uplink head node / downlink tail node corresponding to the first network device configures the SR policy in the uplink direction (SR policy1), whose information includes the head node, the tail node and the Color value of the transmission path; several transmission path segment lists may correspond to one head node and tail node pair. The first network device also configures a steering policy keyed on the source IP address, and stores the configured SR policy1 and steering policy in system memory. Correspondingly, the downlink head node / uplink tail node corresponding to the first network device configures the SR policy in the downlink direction (SR policy2) with the head node, the tail node and the Color value of the transmission path, again with several segment lists possible between the head node and the tail node, and a steering policy keyed on the destination IP address; the configured SR policy2 and steering policy are likewise stored in system memory.
Embodiment 1
Referring to fig. 6, in this embodiment the uplink/downlink head node, the SF proxy and the uplink/downlink tail node are deployed on the same virtual machine, so that one virtual machine implements the functions of several nodes.
The source IP address, 1.1.1.1/32, is the IP address of the terminal device that initiates access; it initiates access to the destination IP addresses 2.2.2.2/32 and 3.3.3.3/32. Correspondingly, the destination IP addresses 2.2.2.2/32 and 3.3.3.3/32 send reply packets back to the source IP address.
The first function of the virtual machine is to act as SF proxy connecting two groups of network security nodes with atomic security capabilities: IPS1 (intrusion prevention system) and FW1 (firewall), and IPS2 and FW2.
The second function of the virtual machine is to act as head node and configure the SR policy in the uplink direction, containing transmission path 1: IPS1→FW1 and transmission path 2: IPS2→FW2, together with a steering policy keyed on the source IP address 1.1.1.1/32. When an access packet sent from the source IP address 1.1.1.1/32 reaches the head node, the steering policy steers it onto the uplink transmission paths and one transmission path is selected from the uplink SR policy, so that the access packet passes through the IPS and FW nodes of that path.
The third function of the virtual machine is to act as downlink head node and configure the SRv6 policy in the downlink direction, containing two load sharing paths: FW1→IPS1 and FW2→IPS2, together with a steering policy keyed on the destination IP address 1.1.1.1/32, which ensures that reply packets returned to 1.1.1.1/32 pass through the segment routing nodes of the downlink SRv6 policy, i.e. the FW and IPS of the load sharing path.
Referring to fig. 7, the uplink packet transmission flow is as follows. The source IP address 1.1.1.1/32 sends an access packet to the destination IP address 2.2.2.2/32. The access packet reaches the VRouter, where the steering policy of the uplink head node steers it onto the uplink transmission paths. The uplink head node uses the packet's source and destination IP addresses, "1.1.1.1/32 + 2.2.2.2/32", to determine transmission path 1 from the first system configuration information and encapsulates transmission path 1 into an SRv6 packet; the SF proxy then passes the packet through the network security nodes IPS1 and FW1 in turn for security detection.
The access packet reaches the uplink tail node, which strips the SRv6 header, restoring the packet to an ordinary packet, and routes it to the destination IP address 2.2.2.2/32.
Referring to fig. 8, the downlink packet transmission flow is as follows. The destination IP address 2.2.2.2/32 sends a reply packet back to the source IP address 1.1.1.1/32.
The reply packet reaches the VRouter, where the steering policy of the downlink head node steers it onto the downlink transmission paths. The downlink head node uses the same address pair, "1.1.1.1/32 + 2.2.2.2/32" (now with 2.2.2.2/32 as source and 1.1.1.1/32 as destination, which the symmetric hash treats identically), to determine transmission path 1 from the first system configuration information: the downlink packet takes the uplink packet's path in reverse order. The downlink head node encapsulates transmission path 1 into an SRv6 packet, and the SF proxy passes the packet through the network security nodes FW1 and IPS1 in turn for security detection.
The reply packet reaches the downlink tail node, which strips the SRv6 header, restoring the packet to an ordinary packet, and routes it to the source node 1.1.1.1/32.
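The encapsulation, hop-by-hop forwarding and decapsulation of transmission path 1 in Embodiment 1, as an added example that is not part of the patent. It builds the outer IPv6 header and the segment routing header at the head node, lets an SF proxy hand the inner packet to an SR-unaware IPS or firewall and restore the headers afterwards, advances the packet to the next SID, and strips the encapsulation at the tail node; it also shows the IPS discarding a packet it classifies as an attack. The SIDs, the inspection rules and the inner packet are constructed; the header layout follows RFC 8754 and the End behaviour RFC 8986, with checksums and penultimate-segment popping omitted.

```python
import ipaddress
import struct

NH_ROUTING = 43   # IPv6 Routing extension header follows the outer IPv6 header
NH_IPV4 = 4       # the inner packet is IPv4 (IPv4-in-IPv6 encapsulation)
SRH_TYPE = 4      # Routing Type of the Segment Routing Header (RFC 8754)

# Constructed SIDs for the nodes of transmission path 1 and its reverse.
SID = {"HEAD": "fc00:0:1::1", "IPS1": "fc00:0:2::1",
       "FW1": "fc00:0:3::1", "TAIL": "fc00:0:4::1"}
NAME_BY_SID = {v: k for k, v in SID.items()}
UPLINK_PATH1 = [SID["IPS1"], SID["FW1"], SID["TAIL"]]     # IPS1 -> FW1 -> tail
DOWNLINK_PATH1 = [SID["FW1"], SID["IPS1"], SID["TAIL"]]   # FW1 -> IPS1 -> tail


def make_ipv4(src, dst, payload):
    """Minimal constructed IPv4 packet (header checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_srh(segments, next_header):
    """SRH for an ordered segment list (first hop first). RFC 8754 stores
    Segment List[0] as the LAST segment, so the list is written reversed."""
    n = len(segments)
    seg_bytes = b"".join(ipaddress.ip_address(s).packed for s in reversed(segments))
    # Hdr Ext Len counts 8-octet units after the first 8 octets: two per 16-byte SID.
    # Segments Left and Last Entry both start at n - 1.
    return struct.pack("!BBBBBBH", next_header, 2 * n, SRH_TYPE, n - 1, n - 1, 0, 0) + seg_bytes


def encapsulate(inner, src_sid, segments):
    """Head node: push outer IPv6 + SRH; the outer DA is the first segment."""
    srh = build_srh(segments, NH_IPV4)
    outer = struct.pack("!IHBB", 0x60000000, len(srh) + len(inner), NH_ROUTING, 64)
    outer += ipaddress.ip_address(src_sid).packed + ipaddress.ip_address(segments[0]).packed
    return outer + srh + inner


def parse(packet):
    """Split an SRv6 packet into (outer DA, Segments Left, Segment List, inner)."""
    dst = ipaddress.ip_address(packet[24:40])
    _nh, _len, rtype, seg_left, last_entry, _flags, _tag = struct.unpack("!BBBBBBH", packet[40:48])
    if rtype != SRH_TYPE:
        raise ValueError("not an SRH")
    n = last_entry + 1
    seg_list = [ipaddress.ip_address(packet[48 + 16 * i:64 + 16 * i]) for i in range(n)]
    return dst, seg_left, seg_list, packet[48 + 16 * n:]


def end_behavior(packet, my_sid):
    """RFC 8986 'End': if the outer DA is this node's SID, decrement Segments
    Left and rewrite the DA to the next SID; at Segments Left == 0 the tail
    node strips outer IPv6 + SRH and returns the plain inner packet."""
    dst, seg_left, seg_list, inner = parse(packet)
    if dst != ipaddress.ip_address(my_sid):
        return packet                  # transit node: forward unchanged
    if seg_left == 0:
        return inner                   # tail node: decapsulate
    seg_left -= 1
    pkt = bytearray(packet)
    pkt[24:40] = seg_list[seg_left].packed
    pkt[43] = seg_left                 # Segments Left field of the SRH
    return bytes(pkt)


def sf_proxy(packet, my_sid, service_function):
    """SF proxy for an SR-unaware service: hand the service the inner packet
    without the SRv6 headers, then put the headers back and apply End. A None
    verdict means the service dropped the packet (e.g. the IPS saw an attack)."""
    _dst, _sl, seg_list, inner = parse(packet)
    headers = packet[:48 + 16 * len(seg_list)]
    verdict = service_function(inner)
    return None if verdict is None else end_behavior(headers + verdict, my_sid)


def ips_inspect(inner):
    """Constructed IPS: drop packets carrying a toy signature."""
    return None if b"evil" in inner else inner


def fw_inspect(inner):
    """Constructed firewall: pass everything (stateful checks omitted)."""
    return inner


SERVICES = {SID["IPS1"]: ips_inspect, SID["FW1"]: fw_inspect}


def run_path(inner, segments, services=SERVICES):
    """Walk the packet from the head node through every SID. Returns the node
    names it was addressed to, in order, and the delivered inner packet
    (None if a service dropped it)."""
    pkt = encapsulate(inner, SID["HEAD"], segments)
    hops = []
    for sid in segments:
        hops.append(NAME_BY_SID[str(ipaddress.ip_address(pkt[24:40]))])
        sf = services.get(sid)
        pkt = sf_proxy(pkt, sid, sf) if sf else end_behavior(pkt, sid)
        if pkt is None:
            return hops, None
    return hops, pkt
```

Running `run_path(make_ipv4("1.1.1.1", "2.2.2.2", b"..."), UPLINK_PATH1)` visits IPS1, FW1 and the tail in that order and returns the original IPv4 packet; the reply with `DOWNLINK_PATH1` visits FW1 first, as the embodiment requires. The IPS and firewall never see an SRH, which is the point of the proxy: the security service inspects exactly the packet the endpoints exchange.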
In this embodiment, before the first downlink packet fed back for the first uplink packet is transmitted, the first network device determines the first transmission path from the pre-stored first system configuration information according to the first information in the first downlink packet; the first transmission path is the transmission path used by the first uplink packet. The first network device sends the first downlink packet to the second network device corresponding to the source IP address along the first transmission path, so that the first uplink packet and the first downlink packet traverse the same transmission path. The stateful security nodes on that path (firewall, IPS) therefore see both directions of the flow, the reply is not dropped as an unknown or asymmetric flow, and packet transmission is stable.
Referring to fig. 9, based on the same inventive concept, a message transmission apparatus 900 is provided in an embodiment of the present application. The apparatus 900 is applicable to a first network device in a transmission path, the apparatus 900 comprising: a receiving module 901, an acquiring module 902, a determining module 903 and a transmitting module 904. The receiving module 901 is configured to receive a first downlink packet fed back for a first uplink packet, where the first network device is configured to perform security detection on the packet, and the first uplink packet is a packet sent from a source IP address to a destination IP address. The acquiring module 902 is configured to acquire first information in a first downlink packet; wherein the first information includes a source IP address and a destination IP address. The determining module 903 is configured to determine a first transmission path from pre-stored first system configuration information according to first information, where the first system configuration information includes a plurality of transmission paths, and the first transmission path is a transmission path adopted by a first uplink packet. The sending module 904 is configured to send the first downlink message to a second network device corresponding to the source IP address according to the first transmission path.
Optionally, the determining module 903 is specifically configured to: and carrying out hash calculation on the first information to obtain a hash value. The first network device determines an index of a transmission path consistent with the hash value from the pre-stored first system configuration information according to the hash value. The transmission path corresponding to the index is determined as the first transmission path.
Optionally, the first transmission path corresponds to N different source IP addresses and destination IP addresses, N is in a preset range, and N is an integer greater than or equal to one.
Optionally, the determining module 903 is further configured to acquire second system configuration information, which further comprises at least one steering policy, a steering policy steering either the uplink packets or the downlink packets of the network traffic; to match the second information of the first downlink packet to a first steering policy from the second system configuration information, the first steering policy steering downlink packets and the second information comprising the source IP address, source port, destination IP address, destination port and protocol type of the first downlink packet; and to determine a plurality of transmission paths through the first steering policy, the plurality of transmission paths including the first transmission path and sharing the load of the downlink packets in the network traffic.
Optionally, the determining module 903 is further configured to detect the first downlink packet, and determine whether the first downlink packet is a network attack through the detection. If the first downlink message is a network attack, discarding the first downlink message.
Optionally, the sending module 904 is specifically configured to: make the first network device a node in the first transmission path by configuring the SF proxy function, the plurality of network devices forming a data transmission channel from the nodes formed by configuring the SF proxy function; and send the first downlink packet to the second network device corresponding to the source IP address through the SF proxy function.
Referring to fig. 10, based on the same inventive concept, an embodiment of the present application provides an electronic device including at least one processor 1001 and a memory 1002 communicatively connected to the at least one processor. The memory stores instructions that are executed by the at least one processor to enable the at least one processor to perform the message transmission method of any of the embodiments described above.
In the embodiment of the present application, the specific connection medium between the processor 1001 and the memory 1002 is not limited, and in fig. 10, the connection between the processor 1001 and the memory 1002 by the bus 1000 is taken as an example, the bus 1000 is shown by a thick line in fig. 10, and the connection manner between other components is only schematically illustrated and not limited. The bus 1000 may be divided into an address bus, a data bus, a control bus, etc., and is shown with only one thick line in fig. 10 for convenience of illustration, but does not represent only one bus or one type of bus.
The computing device in the embodiments of the present application may further include a communication interface 1003, where the communication interface 1003 is, for example, a network port, and the computing device may receive data or transmit data through the communication interface 1003.
The processor 1001 is the control centre of the computing device; it connects the parts of the whole device through various interfaces and lines and, by running or executing the instructions stored in the memory 1002 and invoking the data stored in the memory 1002, performs the functions of the computing device and processes data, thereby monitoring the computing device as a whole. Alternatively, the processor 1001 may include one or more processing units, and the processor 1001 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system and application programs and the modem processor mainly handles wireless communication. It will be appreciated that the modem processor need not be integrated into the processor 1001. In some embodiments the processor 1001 and the memory 1002 may be implemented on the same chip, and in some embodiments on separate chips.
Alternatively, the processor 1001 may be a general-purpose processor, such as a central processing unit, an application specific integrated circuit (in english: application Specific Integrated Circuit, abbreviated as ASIC), one or more integrated circuits for controlling program execution, a hardware circuit developed using a field programmable gate array (in english: field Programmable Gate Array, abbreviated as FPGA), or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, which may implement or execute the methods, steps, or logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the message transmission method disclosed in connection with the embodiments of the present application may be directly embodied in a hardware processor for execution, or may be executed by a combination of hardware and software modules in the processor.
The code corresponding to the message transmission method described in the foregoing embodiment may be burned into the chip by programming the processor 1001, so that the chip executes the steps of the message transmission method during operation; how to program the processor 1001 is a technique known to those skilled in the art and is not repeated here.
Optionally, in the embodiment of the present application, the memory 1002 stores instructions executable by the at least one processor 1001, and the at least one processor 1001 executes the steps of the foregoing message transmission method by executing the instructions stored in the memory 1002. The memory 1002 is a non-volatile computer-readable storage medium that can store non-volatile software programs, non-volatile computer-executable programs and modules. The memory 1002 may include at least one type of storage medium, for example flash memory, a hard disk, a multimedia card, card memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, a magnetic disk or an optical disk, or any other medium that can carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, without being limited to these. The memory 1002 in the embodiments of the present application may also be circuitry or any other device capable of implementing a memory function for storing program instructions and/or data. There may be one or more memories 1002. The memory 1002 is shown in fig. 10 with a broken line because it is not an essential functional block.
Based on the same inventive concept, the embodiments of the present application provide a computer storage medium storing a computer program for executing the message transmission method in any of the above embodiments. In a specific implementation, the computer readable storage medium includes: a universal serial bus flash disk (Universal Serial Bus flash drive, USB), a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk or an optical disk, or the like, which can store program codes.
In some possible embodiments, aspects of the message transmission method provided herein may also be implemented in the form of a program product comprising program code for causing a computing device to perform the steps of the message transmission method according to various exemplary embodiments of the present application as described herein when the program product is run on the computing device.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional modules is illustrated, and in practical application, the above-described functional allocation may be performed by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to perform all or part of the functions described above. The specific working processes of the above-described systems, devices and units may refer to the corresponding processes in the foregoing method embodiments, which are not described herein.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution, in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (processor) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a universal serial bus flash disk (Universal Serial Bus flash disk), a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk or an optical disk, or other various media capable of storing program codes.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. A method for transmitting a message, comprising:
the method comprises the steps that first network equipment receives a first downlink message fed back for a first uplink message, wherein the first network equipment is used for carrying out safety detection on the message, and the first uplink message is a message sent from a source IP address to a destination IP address;
the first network device obtains first information in the first downlink message; wherein the first information includes the source IP address and a destination IP address;
the first network device determines a first transmission path from pre-stored first system configuration information according to the first information, wherein the first system configuration information comprises a plurality of transmission paths, and the first transmission path is a transmission path adopted by the first uplink message;
and the first network equipment sends the first downlink message to second network equipment corresponding to the source IP address according to the first transmission path.
2. The method of claim 1, wherein the first network device determining a first transmission path from pre-stored first system configuration information based on the first information comprises:
the first network device performs hash calculation on the first information to obtain a hash value;
The first network device determines an index of a transmission path consistent with the hash value from the pre-stored first system configuration information according to the hash value;
the first network device determines a transmission path corresponding to the index as the first transmission path.
3. The method of claim 2, wherein the first transmission path corresponds to N different source IP addresses and destination IP addresses, N being within a preset range, N being an integer greater than or equal to 1.
4. A method according to any of claims 1-3, wherein before the first network device determines a first transmission path from pre-stored first system configuration information based on the first information, the method further comprises:
the first network device acquires second system configuration information, wherein the second system configuration information further comprises at least one steering policy, and a steering policy steers either the uplink messages or the downlink messages in the network traffic;
the first network device matches a first steering policy from the second system configuration information according to second information of the first downlink message, wherein the second information comprises a source IP address, a source port, a destination IP address, a destination port and a protocol type of the first downlink message;
the first network device determines a plurality of transmission paths through the first steering policy, wherein the plurality of transmission paths comprise the first transmission path, and the plurality of transmission paths are used for sharing the load of the downlink messages in the network traffic.
5. A method according to any one of claims 1-3, wherein the method further comprises:
the first network device detects the first downlink message and judges whether the first downlink message is a network attack or not through detection;
and if the first downlink message is a network attack, discarding the first downlink message.
6. A method according to any one of claims 1-3, wherein the first network device sending the first downlink message to the second network device corresponding to the source IP address according to the first transmission path, comprising:
the first network device becomes a node in the first transmission path by configuring an SF proxy function, and a plurality of network devices form a data transmission channel from the plurality of nodes formed by configuring the SF proxy function;
and the first network equipment sends the first downlink message to second network equipment corresponding to the source IP address through the SF proxy function.
7. A message transmission apparatus, comprising:
a receiving module, used for receiving a first downlink message fed back for a first uplink message, wherein the first network device is used for carrying out security detection on the message, and the first uplink message is a message sent from a source IP address to a destination IP address;
an acquisition module, used for acquiring first information in the first downlink message, wherein the first information includes the source IP address and the destination IP address;
a determining module, used for determining a first transmission path from pre-stored first system configuration information according to the first information, wherein the first system configuration information comprises a plurality of transmission paths, and the first transmission path is the transmission path adopted by the first uplink message;
and a sending module, used for sending the first downlink message to the second network device corresponding to the source IP address according to the first transmission path.
8. The apparatus of claim 7, wherein the determining module is specifically configured to:
carrying out hash calculation on the first information to obtain a hash value;
determining an index of a transmission path consistent with the hash value from the pre-stored first system configuration information according to the hash value;
and determining the transmission path corresponding to the index as the first transmission path.
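The path selection of claim 4 (5-tuple policy match yielding a candidate path set) and claim 8 (hash of the first information, then index lookup) combined in one added Python example; this is not code from the patent, and the policy format, the sample 5-tuples and in particular the order-independent hash key are assumptions, since the claims do not say how the hash is computed. The symmetric key is what makes the downlink reply (with source and destination swapped) land on the same index, and therefore the same inspecting device, as its uplink message.

```python
import hashlib
import ipaddress
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    """5-tuple of one message (the claim's 'second information')."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int  # IANA protocol number, 6 = TCP

# Constructed sample 'second system configuration information': one drainage
# (steering) policy per direction. Both must point at the same ordered path
# list, otherwise the hash index below would select from different tables.
HTTPS_PATHS = ["path-0", "path-1", "path-2"]
POLICIES = [
    {"dir": "uplink",   "match": {"dst_port": 443, "proto": 6}, "paths": HTTPS_PATHS},
    {"dir": "downlink", "match": {"src_port": 443, "proto": 6}, "paths": HTTPS_PATHS},
]

def match_policy(flow: Flow, policies=POLICIES) -> Optional[list]:
    """Claim 4: return the path set of the first policy whose fields all match."""
    for pol in policies:
        if all(getattr(flow, k) == v for k, v in pol["match"].items()):
            return pol["paths"]
    return None  # no steering policy covers this message

def flow_key(src_ip: str, dst_ip: str) -> bytes:
    """Assumed order-independent key: A->B and B->A give identical bytes, so
    the downlink reply hashes to the path its uplink message used."""
    a = ipaddress.ip_address(src_ip).packed
    b = ipaddress.ip_address(dst_ip).packed
    return min(a, b) + max(a, b)

def path_index(src_ip: str, dst_ip: str, n_paths: int) -> int:
    """Claim 8: hash the first information and derive the path index from it."""
    digest = hashlib.sha256(flow_key(src_ip, dst_ip)).digest()
    return int.from_bytes(digest[:8], "big") % n_paths

def select_path(flow: Flow, policies=POLICIES) -> Optional[str]:
    """Policy match gives the candidate set; the hash index picks one path."""
    paths = match_policy(flow, policies)
    if not paths:
        return None
    return paths[path_index(flow.src_ip, flow.dst_ip, len(paths))]

if __name__ == "__main__":  # constructed client/server pair
    up = Flow("10.0.0.5", 51234, "203.0.113.10", 443, 6)
    down = Flow("203.0.113.10", 443, "10.0.0.5", 51234, 6)
    print(select_path(up), select_path(down))  # same path both ways
```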
9. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 1-6.
10. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any one of claims 1-6.
CN202311823602.2A 2023-12-27 2023-12-27 Message transmission method, device and storage medium Pending CN117749688A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311823602.2A CN117749688A (en) 2023-12-27 2023-12-27 Message transmission method, device and storage medium

Publications (1)

Publication Number Publication Date
CN117749688A true CN117749688A (en) 2024-03-22

Family

ID=90283207

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination