CN1498368A - System, method and apparatus that employ virtual private networks to resist IPQoS denial of service attacks - Google Patents


Info

Publication number
CN1498368A
Authority
CN
China
Prior art keywords
vpn
network
router
business
logic
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA028068203A
Other languages
Chinese (zh)
Inventor
D·E·麦克戴桑
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Verizon Business Global LLC
Original Assignee
Worldcom Inc
Priority claimed from US 10/023,043 (US20030115480A1)
Application filed by Worldcom Inc
Publication of CN1498368A
Legal status: Pending

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L12/00 Data switching networks
            • H04L12/02 Details
              • H04L12/14 Charging, metering or billing arrangements for data wireline or wireless communications
                • H04L12/1403 Architecture for metering, charging or billing
                • H04L12/1442 Charging, metering or billing arrangements for data wireline or wireless communications at network operator level
                  • H04L12/1446 Charging, metering or billing arrangements for data wireline or wireless communications at network operator level, inter-operator billing
          • H04L61/00 Network arrangements, protocols or services for addressing or naming
            • H04L61/45 Network directories; Name-to-address mapping
              • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
                • H04L61/4523 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using lightweight directory access protocol [LDAP]
              • H04L61/4535 Network directories; Name-to-address mapping using an address exchange platform which sets up a session between two nodes, e.g. rendezvous servers, session initiation protocols [SIP] registrars or H.323 gatekeepers
              • H04L61/4557 Directories for hybrid networks, e.g. including telephone numbers
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L63/0272 Virtual private networks
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1458 Denial of Service
          • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
            • H04L65/10 Architectures or entities
              • H04L65/102 Gateways
                • H04L65/1023 Media gateways
                  • H04L65/103 Media gateways in the network
                • H04L65/1033 Signalling gateways
                  • H04L65/104 Signalling gateways in the network
                • H04L65/1043 Gateway controllers, e.g. media gateway control protocol [MGCP] controllers
            • H04L65/1066 Session management
              • H04L65/1069 Session establishment or de-establishment
              • H04L65/1096 Supplementary features, e.g. call forwarding or call holding
              • H04L65/1101 Session protocols
                • H04L65/1104 Session initiation protocol [SIP]
            • H04L65/60 Network streaming of media packets
              • H04L65/61 Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio
                • H04L65/612 Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio, for unicast
              • H04L65/75 Media network packet handling
                • H04L65/762 Media network packet handling at the source
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/2866 Architectures; Arrangements
              • H04L67/30 Profiles
                • H04L67/303 Terminal profiles
                • H04L67/306 User profiles
            • H04L67/50 Network services
              • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
          • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L69/30 Definitions, standards or architectural aspects of layered protocol stacks
              • H04L69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
                • H04L69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
                  • H04L69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]
        • H04M TELEPHONIC COMMUNICATION
          • H04M15/00 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
            • H04M15/43 Billing software details
            • H04M15/44 Augmented, consolidated or itemized billing statement or bill presentation
            • H04M15/49 Connection to several service providers
            • H04M15/51 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP, for resellers, retailers or service providers
            • H04M15/52 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP, for operator independent billing system
            • H04M15/53 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP, using mediation
            • H04M15/55 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP, for hybrid networks
            • H04M15/58 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP, based on statistics of usage or network monitoring
            • H04M15/70 Administration or customization aspects; Counter-checking correct charges
              • H04M15/745 Customizing according to wishes of subscriber, e.g. friends or family
          • H04M3/00 Automatic or semi-automatic exchanges
            • H04M3/22 Arrangements for supervision, monitoring or testing
              • H04M3/2218 Call detail recording
            • H04M3/42 Systems providing special services or facilities to subscribers
              • H04M3/436 Arrangements for screening incoming calls, i.e. evaluating the characteristics of a call before deciding whether to answer it
          • H04M7/00 Arrangements for interconnection between switching centres
            • H04M7/006 Networks other than PSTN/ISDN providing telephone service, e.g. Voice over Internet Protocol (VoIP), including next generation networks with a packet-switched transport layer
          • H04M2215/00 Metering arrangements; Time controlling arrangements; Time indicating arrangements
            • H04M2215/01 Details of billing arrangements
              • H04M2215/0104 Augmented, consolidated or itemised billing statement, e.g. additional billing information, bill presentation, layout, format, e-mail, fax, printout, itemised bill per service or per account, cumulative billing, consolidated billing
              • H04M2215/0108 Customization according to wishes of subscriber, e.g. customer preferences, friends and family, selecting services or billing options, Personal Communication Systems [PCS]
              • H04M2215/0168 On line or real-time flexible customization or negotiation according to wishes of subscriber
              • H04M2215/0172 Mediation, i.e. device or program to reformat CDRs from one or more switches in order to adapt to one or more billing programs formats
              • H04M2215/0176 Billing arrangements using internet
              • H04M2215/0188 Network monitoring; statistics on usage on called/calling number
            • H04M2215/20 Technology dependant metering
              • H04M2215/2046 Hybrid network
            • H04M2215/46 Connection to several service providers
            • H04M2215/54 Resellers-retail or service providers billing, e.g. agreements with telephone service operator, activation, charging/recharging of accounts
        • H04Q SELECTING
          • H04Q3/00 Selecting arrangements
            • H04Q3/0016 Arrangements providing connection between exchanges
              • H04Q3/0029 Provisions for intelligent networking

Abstract

A network architecture (30) in accordance with the present invention includes a communication network that supports one or more network-based Virtual Private Networks (VPNs) (44, 46). The communication network includes a plurality of boundary routers (40, 42) that are connected by access links (35) to CPE edge routers (34) belonging to the one or more VPNs (44, 46). To prevent traffic from outside a customer's VPN (e.g., traffic from other VPNs or the Internet at large) from degrading the QoS (Quality of Service) provided to traffic from within the customer's VPN, the present invention gives precedence to intra-VPN traffic over extra-VPN traffic on each customer's access link through access link prioritization or access link capacity allocation, such that extra-VPN traffic cannot interfere with intra-VPN traffic. Granting precedence to intra-VPN traffic over extra-VPN traffic in this manner entails special configuration of network elements and protocols, including partitioning between intra-VPN and extra-VPN traffic on the physical access link using layer 2 multiplexing and the configuration of routing protocols to achieve logical traffic separation. By configuring the access networks, the VPN boundary routers (40, 42) and CPE edge routers (34) and the routing protocols of the edge and boundary routers in this manner, the high-level service of DoS (Denial of Service) attack prevention is achieved.

Description

System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks
The present invention relates to communication networks, and in particular to the prevention of denial of service attacks in public communication networks such as the Internet. More specifically, the present invention relates to methods, systems and apparatus for preventing denial of service attacks in communication networks with shared network infrastructure, by separating the allocation and/or prioritization of access capacity for traffic internal to a virtual private network (VPN) from the allocation and/or prioritization of access capacity for traffic to and from sites of another VPN or the public network.
For a network service provider, a key consideration in network design and management is the proper allocation of access capacity and network resources between traffic originating from a VPN customer's sites and traffic originating outside the VPN (for example from the Internet or from other VPNs). This consideration is particularly important for those VPN customers whose Service Level Agreement (SLA) requests that the network service provider deliver a minimum communication bandwidth or a guaranteed Quality of Service (QoS) for their traffic. Delivering such a service requires that the network architecture and protocols offered by the network service provider can realize the specified QoS and can guarantee that sufficient access capacity and network resources are available for communication with other sites of the VPN, separately from communication with hosts that do not belong to that VPN.
In Internet Protocol (IP) networks, one straightforward scheme for obtaining QoS and implementing admission control comparable to that of connection-oriented networks such as voice or Asynchronous Transfer Mode (ATM) networks is to emulate, within the hop-by-hop switching paradigm, the same per-flow signaling and resource reservation for each flow of IP packets that requires QoS. In fact, the IP signaling standard developed by the Internet Engineering Task Force (IETF) for Integrated Services (Intserv) applies exactly this scheme. As described in IETF RFC 1633 [R. Braden et al., "Integrated Services in the Internet Architecture: an Overview", June 1994], Intserv is a per-flow IP QoS architecture that allows an application to select among multiple controlled classes of delivery service for its packets. To support this capability, Intserv allows the application at the sender end of a packet flow to use the Resource ReSerVation Protocol (RSVP), defined in IETF RFC 2205 [R. Braden et al., "Resource ReSerVation Protocol (RSVP) - Version 1 Functional Specification", September 1997], to request a specified capacity class from every network element along the path to the receiver of the packet flow, so as to obtain the required QoS level. After receiving an RSVP PATH message requesting a resource reservation from an upstream node and an RSVP RESV message confirming the reservation, each network element along the path takes measures to control the QoS and capacity offered to the packets of that flow.
Fig. 1 is a schematic diagram of admission control using the conventional Intserv scheme. As shown in Fig. 1, an example IP network 10 comprises N identical nodes (for example service provider boundary routers) 12, each connected by L links of capacity X to the customer premises equipment (CPE) 14 of L customers. In a connection-oriented per-flow scheme, each node 12 ensures that the links on any network path from source to destination cannot be overloaded. In terms of access capacity, the per-flow scheme can directly limit the incoming flows on each ingress access link so that the sum of all flow capacities cannot exceed the capacity X of any egress access link (for example link 1 of node 12a). A similar scheme may be applied to the links connecting the core routers, not shown, of IP network 10.
Although conceptually simple, the admission control technique shown in Fig. 1 has many shortcomings. Most importantly, the scalability of Intserv admission control using RSVP is limited, because processing-intensive RSVP signaling must be handled in the service provider's boundary and core routers. In particular, RSVP requires end-to-end signaling to request appropriate resource allocation at every network element between the sender and the receiver, requires the ingress nodes 12b-12d to perform policy lookups to determine which flows may be admitted and to police the associated traffic accordingly, and requires many other handshake messages. The processing required for Intserv RSVP signaling is therefore comparable to that of telephony or ATM signaling, and each boundary or core IP router needs high-performance (that is, expensive) processor components to handle the large amount of processing work this signaling requires. RSVP signaling is soft state, meaning that the signaling process is refreshed frequently (by default every 30 seconds), because the forwarding path across the IP network may change and the information about the QoS and capacity required by the flow must therefore be periodically re-announced. The extra processing load that this so-called soft-state mode of operation places on a router is even greater than the load on an ATM switch. Moreover, if the processor of a boundary router is overloaded by a large number of invalid RSVP requests, the processor may crash, causing a service interruption for all flows of all customers handled by the router whose processor has failed.
Recognizing these problems associated with implementing admission control using conventional Intserv RSVP signaling, the IETF published the Differentiated Services (Diffserv or DS) protocol defined in RFC 2475 [S. Blake et al., "An Architecture for Differentiated Services", December 1998]. Diffserv is an IP QoS architecture that achieves scalability by conveying an aggregate traffic classification in a DS field (for example the IPv4 Type of Service (TOS) byte or the IPv6 Traffic Class byte) of each IP-layer packet header. The first six bits of the DS field encode a Diffserv code point (DSCP), which specifies the class of service, or per-hop behavior (PHB), that the packet requests at each node along its path within a Diffserv domain.
Within a Diffserv domain, network resources are allocated to aggregates of packet flows; a service provisioning policy governs how traffic is marked with a DSCP and conditioned when it enters the Diffserv domain, and traffic within the Diffserv domain is forwarded according to that service provisioning policy. Marking (i.e. classification) and conditioning operations need only be performed at the boundary of the Diffserv network. Consequently, no end-to-end signaling between sender and receiver is needed to set up a flow with a specific QoS: an ingress boundary router only has to inspect and/or re-mark the header of each IP packet at the boundary, and Diffserv can then provide QoS for the aggregated flows.
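The two boundary operations the preceding paragraphs describe, reading the six-bit DSCP out of the DS field and re-marking an untrusted marking at the ingress boundary, are shown below in an added Python example. It is not code from the patent or its assignee; the well-known code point values come from RFC 2474, RFC 2597 and RFC 3246, the sample IPv4 header is constructed here, and the per-customer set of trusted DSCPs is an assumed provisioning input. Re-marking changes a header byte, so the example also recomputes the IPv4 header checksum, which a real boundary router must do for the packet to remain valid.

```python
import socket
import struct

# Well-known DSCP values (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF).
DSCP_EF = 46          # Expedited Forwarding: the "high priority" marking hosts could abuse
DSCP_BEST_EFFORT = 0  # CS0 / default PHB


def parse_ds_field(ipv4_header: bytes) -> tuple:
    """Return (dscp, ecn) from the second byte of an IPv4 header (the former TOS byte)."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ds = ipv4_header[1]
    return ds >> 2, ds & 0x3          # upper six bits = DSCP, lower two bits = ECN


def phb_name(dscp: int) -> str:
    """Map a DSCP to the per-hop behaviour it requests."""
    if dscp == DSCP_EF:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"       # class selector code points; CS0 is the default PHB
    cls, drop = dscp >> 3, (dscp >> 1) & 0x3
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{cls}{drop}"       # assured forwarding, e.g. DSCP 10 -> AF11
    return f"unassigned({dscp})"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's complement sum of 16-bit words.
    Run over a header with a valid checksum it returns 0, which is how the check is verified."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def remark_at_boundary(ipv4_header: bytes, trusted_dscps: frozenset) -> bytes:
    """Ingress-boundary marking step (assumed policy): a customer-set DSCP is kept only if it
    is in the customer's provisioned set; anything else is rewritten to best effort. ECN bits
    are preserved and the header checksum is recomputed so the packet stays valid."""
    dscp, ecn = parse_ds_field(ipv4_header)
    if dscp in trusted_dscps:
        return ipv4_header
    hdr = bytearray(ipv4_header)
    hdr[1] = (DSCP_BEST_EFFORT << 2) | ecn
    hdr[10:12] = b"\x00\x00"                       # checksum field must be zero while summing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr[:20])))
    return bytes(hdr)


def build_ipv4_header(dscp: int, ecn: int = 0, src="10.1.1.10", dst="10.2.2.20") -> bytes:
    """Constructed sample: a minimal 20-byte IPv4 header (UDP payload of 8 bytes assumed)."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, (dscp << 2) | ecn, 20 + 8, 0x1234, 0x4000, 64, 17, 0,
        socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    # A host marks its packet EF although its contract only provisions best effort and AF11.
    pkt = build_ipv4_header(DSCP_EF)
    dscp, _ = parse_ds_field(pkt)
    print("arrives as", phb_name(dscp))
    out = remark_at_boundary(pkt, frozenset({DSCP_BEST_EFFORT, 10}))
    print("leaves boundary as", phb_name(parse_ds_field(out)[0]),
          "checksum ok:", ipv4_checksum(out) == 0)
```

Note that re-marking alone enforces the class a customer may use; as the following paragraphs explain, it does not bound the aggregate of correctly-marked traffic that many ingress points can direct at one egress link.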
Although the Diffserv standard replaces the processing-intensive signaling of Intserv with simple packet marking operations that are easily performed in hardware, thereby resolving the scalability limitation of Intserv, implementations of the Diffserv protocol still suffer from a different kind of problem. In particular, because Diffserv allows hosts to mark the class of service, the link of a Diffserv network customer is subject to a denial of service (DoS) attack if many hosts send packets toward that link with the DS field set to a high priority. Note that a group of hosts can exceed the reserved capacity of a Diffserv service class either directly, by setting the DSCP, or indirectly, by submitting traffic that some other router or device classifies into a specific DSCP. In Diffserv, an IP network can only protect its other resources by applying policing at the ingress routers, to ensure that each customer interface does not exceed the reserved capacity of each Diffserv service class. Doing so, however, does not prevent DoS attacks.
Fig. 2 illustrates a DoS attack scenario in an example IP network 10' implementing the conventional Diffserv protocol. In Fig. 2, many ingress nodes (for example ingress boundary routers) 12b'-12d' each admit traffic destined for a single link of an egress node (for example an egress boundary router) 12a'. Although each ingress node 12' polices its incoming packets to ensure that no customer exceeds its reserved resources on each DSCP, the aggregate of the admitted flows can still exceed the capacity X of the egress link 1 of node 12a', so that service to the customer site reached through that link is denied.
In view of the limitations inherent in conventional implementations of the Intserv and Diffserv standards, the present invention recognizes that it would be useful and desirable to provide a data communication method, system and apparatus supporting a communication protocol that, unlike the conventional Intserv scheme, is highly scalable, and that also guards against the DoS attacks to which conventional Diffserv and other networks are vulnerable.
A network architecture in accordance with the present invention comprises a communication network that supports one or more network-based virtual private networks (VPNs). The communication network comprises a plurality of boundary routers that are coupled by access links to the CPE edge routers belonging to the one or more VPNs. To prevent traffic from outside a customer's VPN (for example traffic from other VPNs or from the Internet at large) from degrading the QoS provided to traffic from inside the customer's VPN, the present invention gives intra-VPN traffic precedence over extra-VPN traffic on each customer's access link, through access link prioritization or access link capacity allocation, so that extra-VPN traffic cannot interfere with intra-VPN traffic. Granting intra-VPN traffic precedence over extra-VPN traffic in this manner requires special configuration of network elements and protocols, including partitioning of the physical access link and the access network between intra-VPN and extra-VPN traffic using layer 2 switching and multiplexing, and configuration of the routing protocols on the VPN boundary routers and CPE edge routers to achieve logical separation of intra-VPN traffic from extra-VPN traffic. By configuring the access network, the VPN boundary routers and CPE edge routers, and the routing protocols of the edge and boundary routers in this manner, the high-level service of DoS attack prevention is achieved.
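The Fig. 2 failure and the remedy summarized in the preceding paragraph can be made concrete with a small capacity model, given below as an added Python example. It is not code from the patent or an implementation of it: the ingress names (PE-b, PE-c, PE-d, INET-k), the contracts, the link capacity X = 100 and the offered loads are constructed, and an overloaded queue is assumed to share its capacity in proportion to demand, a deliberate simplification. The model runs the same admitted traffic through three egress disciplines: conventional per-ingress policing with a single shared egress queue (Fig. 2), strict precedence for intra-VPN traffic on the access link (access link prioritization), and a fixed split of the link between intra- and extra-VPN traffic (access link capacity allocation, as separate layer 2 channels would give).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    ingress: str   # ingress boundary router / interface where the flow is admitted
    origin: str    # "intra": another site of this customer's VPN; "extra": other VPN or Internet
    dscp: int
    rate: float    # offered load, same units as link capacity


def police_at_ingress(flows, contract):
    """Conventional Diffserv policing: each (ingress interface, DSCP) pair has a contracted
    rate; excess is dropped at the ingress. Returns the admitted rate per flow."""
    admitted, used = {}, {}
    for f in flows:
        key = (f.ingress, f.dscp)
        room = max(0.0, contract.get(key, 0.0) - used.get(key, 0.0))
        admitted[f.name] = min(f.rate, room)
        used[key] = used.get(key, 0.0) + admitted[f.name]
    return admitted


def share_link(demands, capacity):
    """Model of one egress queue: if total demand exceeds capacity, every flow in the queue
    loses the same fraction (assumption: proportional sharing)."""
    total = sum(demands.values())
    if total <= capacity:
        return dict(demands)
    return {name: d * capacity / total for name, d in demands.items()}


def conventional_diffserv(flows, contract, link_capacity):
    """Fig. 2: every ingress honours its own contract, yet the egress access link sees the
    aggregate of all admitted high-priority traffic, so intra- and extra-VPN flows compete."""
    return share_link(police_at_ingress(flows, contract), link_capacity)


def vpn_partitioned(flows, contract, link_capacity, mode="priority", intra_share=None):
    """Access link partitioned by VPN membership.
    mode="priority":   intra-VPN traffic is served first; extra-VPN traffic gets the remainder.
    mode="allocation": fixed split, intra_share of the link reserved for intra-VPN traffic."""
    admitted = police_at_ingress(flows, contract)
    origin = {f.name: f.origin for f in flows}
    intra = {n: r for n, r in admitted.items() if origin[n] == "intra"}
    extra = {n: r for n, r in admitted.items() if origin[n] == "extra"}
    if mode == "priority":
        served_intra = share_link(intra, link_capacity)
        served_extra = share_link(extra, link_capacity - sum(served_intra.values()))
    elif mode == "allocation":
        intra_cap = link_capacity * intra_share
        served_intra = share_link(intra, intra_cap)
        served_extra = share_link(extra, link_capacity - intra_cap)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {**served_intra, **served_extra}


def scenario():
    """Constructed Fig. 2-style scenario: three VPN sites and ten Internet hosts, all marked
    EF (DSCP 46), all converging on one customer's egress access link of capacity 100."""
    ef = 46
    flows = [
        Flow("site-B", "PE-b", "intra", ef, 25.0),   # exceeds its contract of 20: policed to 20
        Flow("site-C", "PE-c", "intra", ef, 20.0),
        Flow("site-D", "PE-d", "intra", ef, 20.0),
    ] + [Flow(f"inet-{k}", f"INET-{k}", "extra", ef, 10.0) for k in range(10)]
    contract = {("PE-b", ef): 20.0, ("PE-c", ef): 20.0, ("PE-d", ef): 20.0}
    contract.update({(f"INET-{k}", ef): 10.0 for k in range(10)})  # each host stays in contract
    return flows, contract


def intra_delivered(result, flows):
    return sum(result[f.name] for f in flows if f.origin == "intra")


if __name__ == "__main__":
    flows, contract = scenario()
    for label, res in [
        ("conventional Diffserv", conventional_diffserv(flows, contract, 100.0)),
        ("access link prioritization", vpn_partitioned(flows, contract, 100.0)),
        ("access link allocation 70/30",
         vpn_partitioned(flows, contract, 100.0, mode="allocation", intra_share=0.7)),
    ]:
        print(f"{label:30s} intra-VPN delivered {intra_delivered(res, flows):5.1f} of 60, "
              f"site-C gets {res['site-C']:5.2f}")
```

With the shared queue, every ingress is within contract and yet the customer's own sites receive 37.5 of their 60 units; with either partitioning discipline they receive all 60 and the extra-VPN aggregate is confined to what the customer's link has left, which is the separation the abstract describes.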
Just can understand other purpose of the present invention, feature and advantage according to following detailed description.
In subsidiary claims, described and embodied specific characteristic of the present invention.Yet, below reading in conjunction with the accompanying drawings the detailed description of most preferred embodiment is helped the optimal mode of deep the present invention of understanding and application thereof, further purpose and advantage, in the accompanying drawings:
Fig. 1 illustrates a conventional Integrated Services (Intserv) network that employs RSVP to provide QoS for a flow;
Fig. 2 illustrates a conventional Differentiated Services (Diffserv) network, which uses the DSCP marking in each packet header to provide QoS for aggregate traffic flows and is therefore vulnerable to denial of service (DoS) attacks;
Fig. 3 illustrates an exemplary communication network according to a preferred embodiment of the present invention, which resists DoS attacks by partitioning the allocation and/or prioritization of access capacity according to membership in a virtual private network (VPN);
Fig. 4 illustrates an exemplary network architecture that provides a CPE-based VPN solution to the DoS attack problem;
Fig. 5 is a detailed block diagram of a QoS-aware CPE edge router that may be employed in the network architectures shown in Figs. 4 and 7;
Fig. 6A is a detailed block diagram of a QoS-aware border router without VPN functionality that may be employed in the network architectures shown in Figs. 4 and 7;
Fig. 6B is a detailed block diagram of a QoS-aware border router with VPN functionality that may be employed in the network architecture shown in Fig. 4;
Fig. 7 illustrates an exemplary network architecture that provides a network-based VPN solution to the DoS attack problem; and
Fig. 8 is a detailed block diagram of a QoS-aware VPN border router that may be employed in the network architecture shown in Fig. 7.
Referring again to the drawings, and in particular to Fig. 3, there is illustrated a high-level block diagram of an exemplary network architecture 20 according to the present invention, which provides a scalable method of protecting the access and trunk network links of VPN customers from DoS attacks while providing QoS for selected traffic. Like the prior-art network of Fig. 2, network architecture 20 of Fig. 3 includes a Diffserv network 21 having N service provider border routers (BRs) 22, each with L access links. Network architecture 20 differs in that Diffserv network 21 supports a plurality of VPN instances, two of which are shown in the figure: the access links of the CPE edge routers (ERs) of a first network service customer 24 and of a second network service customer 25 are each coupled to a border router 22 at each of four sites, denoted by the letters a through d. Each CPE ER provides network service to a customer local area network (LAN). A service provider's network-based VPN can support many more customers than the two shown.
In the exemplary communication scenario of Fig. 3, hosts within the LANs of the first VPN customer coupled to CPE edge routers 24b-24d, hosts within the LANs of the second VPN customer coupled to CPE edge routers 25a-25d, and other sites with CPE edge routers (not shown) linked to border routers 22a-22d may all send packet flows destined to the LAN coupled to the first VPN customer's CPE edge router 24a. With a conventional Diffserv network such as the prior art described with reference to Fig. 2, the external access link 1 of border router 22a coupled to CPE edge router 24a would easily be overwhelmed by the convergence of these flows, causing DoS. According to the present invention, however, Diffserv network 21 of Fig. 3 directs intra-VPN traffic to a first logical port 27 on physical access link 1 of border router 22a and directs traffic from other VPNs or other sites to a second logical port 28 on physical access link 1 of border router 22a, thereby preventing DoS attacks from sites outside the VPN.
To prevent traffic from outside the relevant customer group (for example, traffic from other VPNs or from the Internet at large) from degrading the QoS provided to traffic from inside the customer group (for example, traffic from other hosts of the same enterprise), the present invention gives intra-VPN traffic higher priority than extra-VPN traffic, or allocates access link capacity such that extra-VPN traffic cannot interfere with intra-VPN traffic. In other words, as described below, each border router 22 gives priority on its respective customer access link to traffic originating from sources inside the customer's VPN, where a VPN is defined herein as a set of nodes interconnected by a shared network infrastructure, in which network resources and/or communication are partitioned according to membership in the set of nodes. Giving intra-VPN traffic priority over extra-VPN traffic in this manner requires specific configuration of network elements and protocols, including layer 2 multiplexing on the physical access link to partition intra-VPN from extra-VPN traffic, and configuration of routing protocols to achieve logical traffic separation. In summary, as described in detail below, a high degree of DoS attack prevention is achieved jointly by the configuration of the CPE edge router, the access network, the network-based VPN border router and the routing protocols employed in the edge and border routers. By contrast, conventional Diffserv and IPsec-based IP VPN schemes using CPE edge routers cannot separate traffic destined to sites within the same VPN (i.e., intra-VPN traffic) from traffic sent from other parts of the Internet (i.e., extra-VPN traffic).
Referring now to Figs. 4-8, the overall network architecture 20 shown in Fig. 3 can be divided into at least two classes of solutions. In particular, a network according to the present invention may be implemented as a CPE-based VPN solution, as described below with reference to Figs. 4-6, or as a network-based VPN solution, as described below with reference to Figs. 7-8.
Referring first to Fig. 4, there is shown an exemplary network architecture 30 that employs CPE-based VPNs to resist DoS attacks. The network architecture includes a Diffserv-enabled IP VPN network 44, a best-effort IP public network 46 and a plurality of customer local area networks (LANs) 32. Each customer LAN 32 includes one or more hosts 48 that may act as senders and/or receivers of packet communication over one or both of networks 44 and 46. In the embodiment shown in Fig. 4, customer LANs 32a and 32b are assumed to belong to the same group of interest (i.e., VPN), for example an enterprise.
Each customer LAN 32 is coupled to a respective access network (for example, an L2 access network) 38 through a CPE edge router 34 and a physical access link 35. Access networks 38a and 38b each have a first L2 access logical connection to a border router (BR) 40 of Diffserv-enabled IP VPN network 44 and a second L2 access logical connection to a border router (BR) 42 of best-effort IP public network 46. As shown in Fig. 4, with intra-VPN and extra-VPN traffic indicated by different line styles, VPN-aware CPE edge routers 34a and 34b forward only packets having IP address prefixes belonging to the IP VPN over Diffserv-enabled IP VPN network 44, and forward all other traffic over best-effort IP public network 46. To enhance the security of customer LANs 32, CPE edge routers 34a and 34b pass all traffic to and from best-effort IP public network 46 through respective firewalls 36a and 36b.
In the network architecture shown in Fig. 4, DoS attacks originating outside the IP VPN are prevented by configuring border routers 40a-40b and 42a-42b to give appropriate priority to intra-VPN traffic using the two logical connections of access networks 38a and 38b. For example, in a first configuration, the L2 access logical connection to Diffserv-enabled IP VPN network 44 is assigned a higher priority than the L2 access logical connection to best-effort IP public network 46. L2 access networks that support such prioritization of access link 35 include Ethernet (for example, using Ethernet priority), ATM (for example, using ATM service classes) and various frame relay (FR) network schemes, all of which are well known in the art. In this configuration, each border router 40 of Diffserv-enabled IP VPN network 44 shapes the packet transmission rate on its logical connection to access network 38 to a value lower than the access link transmission rate, so as to prevent starvation of the L2 access logical connection to best-effort IP public network 46. Alternatively, in a second configuration, border routers 40a-40b and 42a-42b are each configured to shape the traffic destined to each L2 access network logical connection to a specified rate, such that the sum of these rates is less than or equal to the transmission capacity of the physical access medium linking CPE edge router 34 and access network 38. In either configuration, border routers 40 and 42 perform scheduling and prioritization according to the DSCP markings of the packets and shape traffic to the capacity of the access network connection allocated to the IP VPN service.
As known to those skilled in the art, the choice between these configurations is a design decision, since each configuration has its own advantages and disadvantages. For example, the first configuration makes coordination between networks 44 and 46 in configuring the access network easier. However, if access network 38 implements only strict priority, IP VPN traffic from Diffserv-enabled IP VPN network 44 can starve the best-effort traffic communicating over IP public network 46. The second configuration solves this problem by allocating a portion of the access link capacity to each type of network access (i.e., intra-VPN and extra-VPN). However, if border routers 40 and 42 shape traffic according to the second configuration, access capacity unused by one of networks 44 and 46 cannot be used for access to the other network. That is, because shaping is performed separately, only non-work-conserving scheduling is possible at border routers 40 and 42.
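The following slot-by-slot model is an added example, not code from the patent, comparing a conventional single-queue Diffserv access link under a flood of extra-VPN traffic with the two border-router configurations just described. The link rate, legitimate load, flood rate, queue depth and shaping rates are constructed values in packets per time slot.

```python
from collections import deque


class LogicalConnection:
    """One L2 logical connection on the customer access link. A shape_rate of
    None means unshaped; otherwise a token bucket limits it to that many
    packets per slot (burst of two slots' worth). qmax bounds the queue."""

    def __init__(self, name, shape_rate=None, qmax=20):
        self.name, self.shape_rate, self.qmax = name, shape_rate, qmax
        self.queue = deque()                  # packets tagged "vpn" or "ext"
        self.tokens = 0.0
        self.delivered = {"vpn": 0, "ext": 0}
        self.dropped = {"vpn": 0, "ext": 0}

    def offer(self, tag, count):
        """Tail-drop admission of `count` packets of one kind."""
        for _ in range(count):
            if len(self.queue) < self.qmax:
                self.queue.append(tag)
            else:
                self.dropped[tag] += 1

    def offer_mixed(self, vpn, ext):
        """Conventional Diffserv link of Fig. 2: both kinds share one queue, so
        the free space is split in proportion to the offered load."""
        free, total = self.qmax - len(self.queue), vpn + ext
        take_vpn = min(vpn, round(free * vpn / total)) if total else 0
        take_ext = min(ext, free - take_vpn)
        self.offer("vpn", take_vpn)
        self.offer("ext", take_ext)
        self.dropped["vpn"] += vpn - take_vpn
        self.dropped["ext"] += ext - take_ext

    def new_slot(self):
        if self.shape_rate is not None:
            self.tokens = min(self.tokens + self.shape_rate, 2 * self.shape_rate)

    def can_send(self):
        return bool(self.queue) and (self.shape_rate is None or self.tokens >= 1)

    def send(self):
        self.delivered[self.queue.popleft()] += 1
        if self.shape_rate is not None:
            self.tokens -= 1


def run(link_rate, connections, arrivals, slots=100):
    """Serve `connections` in strict priority order, `link_rate` packets per
    slot, for `slots` slots. `arrivals(connections)` offers one slot's load.
    Returns packets delivered per kind and the number of idle transmit slots."""
    idle = 0
    for _ in range(slots):
        for conn in connections:
            conn.new_slot()
        arrivals(connections)
        for _ in range(link_rate):            # one transmit opportunity each
            for conn in connections:
                if conn.can_send():
                    conn.send()
                    break
            else:
                idle += 1
    out = {"vpn": 0, "ext": 0, "idle": idle}
    for conn in connections:
        out["vpn"] += conn.delivered["vpn"]
        out["ext"] += conn.delivered["ext"]
    return out


LINK, VPN_LOAD, FLOOD = 10, 4, 30   # constructed: link rate, legitimate load, flood


def conventional():
    """Single shared connection: the flood crowds out most intra-VPN traffic."""
    shared = LogicalConnection("shared")
    return run(LINK, [shared], lambda cs: cs[0].offer_mixed(VPN_LOAD, FLOOD))


def config1_strict_priority(vpn_shape=8):
    """First configuration: the VPN connection has strict priority but is
    shaped below the link rate so the best-effort connection is not starved."""
    assert vpn_shape < LINK
    vpn, ext = LogicalConnection("LP-VPN", vpn_shape), LogicalConnection("LP-Internet")
    return run(LINK, [vpn, ext],
               lambda cs: (cs[0].offer("vpn", VPN_LOAD), cs[1].offer("ext", FLOOD)))


def config2_separate_shaping(vpn_rate=6, ext_rate=4, vpn_load=VPN_LOAD):
    """Second configuration: each connection is shaped to its own allocation,
    the allocations summing to at most the link rate. Capacity unused by one
    connection is not available to the other (non-work-conserving)."""
    assert vpn_rate + ext_rate <= LINK
    vpn = LogicalConnection("LP-VPN", vpn_rate)
    ext = LogicalConnection("LP-Internet", ext_rate)
    return run(LINK, [vpn, ext],
               lambda cs: (cs[0].offer("vpn", vpn_load), cs[1].offer("ext", FLOOD)))


if __name__ == "__main__":
    for name, fn in [("conventional", conventional), ("strict priority", config1_strict_priority),
                     ("separate shaping", config2_separate_shaping)]:
        print(f"{name:17s} offered vpn={VPN_LOAD * 100} ->", fn())
```

Over 100 slots the shared link delivers only a quarter of the 400 legitimate packets, while both configurations deliver all of them; the second configuration additionally leaves transmit slots idle when the VPN load drops, which is the non-work-conserving behaviour described above.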
Referring to Fig. 5, there is shown a detailed block diagram of a QoS-aware CPE edge router 34 that may be used in the network architecture shown in Fig. 4. As shown, CPE edge router 34 includes a number of LAN ports 60 that provide connections to a corresponding number of customer LANs 32. For example, in Fig. 5, LAN port 60a is coupled to a customer LAN 32 that includes a number of hosts 48 which have been assigned the 32-bit IP addresses "a.b.c.d", "a.b.c.e" and "a.b.c.f", respectively.
Each LAN port is also coupled to a forwarding function 62 that forwards packets between LAN ports 60 and one or more logical ports (LPs) 66 residing on one or more wide area network (WAN) physical ports 64 (only one of which is shown). LPs 66, each comprising a layer 2 sub-interface, may be implemented, for example, as an Ethernet virtual LAN (VLAN), an FR data link connection identifier (DLCI), an ATM virtual channel connection (VCC), or Point-to-Point Protocol (PPP)/High-Level Data Link Control (HDLC) operating over a time division multiplexing (TDM) channel. WAN physical port 64 employs a scheduler 68 to multiplex packets from logical ports 66 onto the transmission medium of access network 38, and uses a forwarding function 70 to forward packets received from access network 38 to the respective logical ports.
When a LAN port 60 of CPE edge router 34 receives a packet from a customer LAN 32, the packet first passes through a classifier 80, which determines, with reference to a classification table 82, how CPE edge router 34 should handle the packet. As shown in Fig. 5, classification table 82 may have a number of indexes, including source address (SA) and destination address (DA), source port (SP) and destination port (DP), protocol type (PT), DSCP, or other fields from the packet's link, network or transport layer headers. Based on a packet's values for one or more of these indexes, classification table 82 yields the policer (P), marker (M), destination LP and destination LP queue (Q) within CPE edge router 34 that are to process the packet. According to an alternative embodiment of the present invention, the lookup of the destination LP and destination LP queue entries may be performed by forwarding function 62 instead of classifier 80.
As shown, the table entry values in classification table 82 may be fully specified, or partially specified by a prefix or range, or left as a wildcard (indicated by "-"). For example, the SA of hosts 48 of LAN 32 is fully specified by the 32-bit IP address, the DA of several destination hosts is specified by a 24-bit IP address prefix identifying a particular IP network, and many of the index values and one policer value are wildcards. In general, the same policer, marker and/or shaping values may be specified for differently classified packet flows; for Intserv flows, these values are extracted from RSVP RESV messages. For example, classification table 82 specifies that policer P1 and marker M1 process packets from any SA marked with DSCP "101", as well as packets from SA "a.b.c.e" marked with DSCP "010". Classification table 82 does, however, distinguish the differently classified flows of traffic whose DA lies within the VPN (i.e., intra-VPN traffic) from traffic addressed to hosts elsewhere in the Internet (i.e., extra-VPN traffic) by specifying different destination LP values. Thus, since the IP address prefixes "r.s.t", "w.x.y" and "l.m.n" all belong to the same VPN as network 32, traffic matching these DAs is sent through LP-1 66a over Diffserv-enabled IP VPN network 44 to other sites in the same VPN, and all other traffic is sent through LP-2 66b to best-effort IP public network 46.
The logical port 66 and LP queue to which a packet is forwarded may be determined by static configuration or dynamically by a routing protocol. In either case, if CPE router 34 holds two routes to the same destination IP address, the VPN route should take precedence over the Internet route. This precedence can be obtained in a number of ways, including (1) installing the VPN routes using an Interior Gateway Protocol (IGP) (i.e., OSPF or IS-IS) and installing the Internet routes using EBGP or static routing, or (2) installing both the VPN routes and the Internet routes using EBGP and giving the VPN routes a higher local preference.
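An added example, not the patent's own code, of the multi-field classification of table 82 and of the route precedence just described: classification rows carry fully specified, prefix/range or wildcard index values and yield policer, marker and queue, while the destination logical port comes from a route lookup in which a VPN route wins over an Internet route to the same prefix. The addresses are constructed stand-ins for the patent's "a.b.c.d", "r.s.t", "w.x.y" and "l.m.n"; the third table row and the route set are likewise constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    sa: str
    da: str
    sp: int
    dp: int
    pt: str
    dscp: str


@dataclass(frozen=True)
class Rule:
    """One row of the classification table. None is the wildcard ("-"); an
    address field may be a full IPv4Address or an IPv4Network prefix, a port
    field an int or a range. A matching row yields policer, marker and queue."""
    sa: object = None
    da: object = None
    sp: object = None
    dp: object = None
    pt: object = None
    dscp: object = None
    policer: str = "P0"
    marker: str = "M0"
    queue: str = "Q0"


FIELDS = ("sa", "da", "sp", "dp", "pt", "dscp")


def field_matches(spec, value):
    if spec is None:
        return True
    if isinstance(spec, IPv4Network):
        return ip_address(value) in spec
    if isinstance(spec, IPv4Address):
        return ip_address(value) == spec
    if isinstance(spec, range):
        return value in spec
    return spec == value


def classify(table, pkt):
    """Classifier: the first row whose indexes all match decides how the
    packet is policed, marked and queued; unmatched traffic is best effort."""
    for rule in table:
        if all(field_matches(getattr(rule, f), getattr(pkt, f)) for f in FIELDS):
            return rule.policer, rule.marker, rule.queue
    return "P0", "M0", "Q0"


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    lp: str          # "LP-1" = VPN network 44, "LP-2" = best-effort Internet 46
    protocol: str    # "IGP" (OSPF/IS-IS) or "EBGP"
    local_pref: int = 100


def best_route(rib, da):
    """Destination LP lookup: longest prefix match, and among routes to the
    same prefix the VPN route must win. Here it does so either because it was
    installed by the IGP (method 1) or because it carries a higher local
    preference than the EBGP Internet route (method 2)."""
    addr = ip_address(da)
    cands = [r for r in rib if addr in r.prefix]
    if not cands:
        return None
    longest = max(r.prefix.prefixlen for r in cands)
    cands = [r for r in cands if r.prefix.prefixlen == longest]
    return max(cands, key=lambda r: (r.protocol == "IGP", r.local_pref))


def forward(table, rib, pkt):
    """Full treatment of an upstream packet: policer, marker, queue and LP."""
    policer, marker, queue = classify(table, pkt)
    route = best_route(rib, pkt.da)
    return {"policer": policer, "marker": marker, "queue": queue,
            "lp": route.lp if route else None}


# Constructed stand-ins: 10.1.1.0/24 is customer LAN a.b.c (hosts .4/.5/.6 for
# a.b.c.d/e/f); 10.2.2, 10.3.3 and 10.4.4 stand for VPN prefixes r.s.t, w.x.y, l.m.n.
LAN = ip_network("10.1.1.0/24")
TABLE = [
    Rule(dscp="101", policer="P1", marker="M1", queue="Q2"),            # any SA, DSCP 101
    Rule(sa=ip_address("10.1.1.5"), dscp="010", policer="P1", marker="M1", queue="Q1"),
    Rule(sa=LAN, dp=range(5000, 5100), pt="udp", policer="P1", marker="M2", queue="Q1"),
]
RIB = [
    Route(ip_network("10.2.2.0/24"), "LP-1", "IGP"),          # VPN site installed by the IGP
    Route(ip_network("10.3.3.0/24"), "LP-1", "EBGP", 200),    # VPN route, higher local pref
    Route(ip_network("10.3.3.0/24"), "LP-2", "EBGP", 100),    # same prefix via the Internet
    Route(ip_network("10.4.4.0/24"), "LP-1", "IGP"),
    Route(ip_network("0.0.0.0/0"), "LP-2", "EBGP"),           # everything else: best effort
]
```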
After classification, packets are policed and marked as appropriate by policers P0, P1 and markers M0, M1, M2 as specified in classification table 82, and are then switched by forwarding function 62 to the respective logical port 66a or 66b as specified by the lookup table. Within the specified logical port 66, the packet is directed to the LP queue among Q0-Q2 specified by classification table 82. LP queues Q0-Q2 perform admission control according to the available buffer capacity or thresholds, for example random early detection (RED). A scheduler 90 then serves LP queues Q0-Q2 according to a selected scheduling algorithm, for example first in first out (FIFO), priority, weighted round robin (WRR), weighted fair queuing (WFQ) or class-based queuing (CBQ). For example, in the illustrated embodiment, scheduler 90 implements WFQ according to the weight w_i associated with each LP queue i of logical port LP-2 and the overall WFQ scheduler rate r_2 of logical port 2, thereby shaping the traffic to rate r_2. Finally, as described above, scheduler 68 of physical WAN port 64 serves the various logical ports 66 to control the transmission rate to access network 38.
CPE edge router 34 receives packets from access network 38 on WAN physical port 64, and forwarding function 70 then forwards each packet to the appropriate logical port 66a or 66b according to the mapping to logical ports used in the configuration of access network 38. On each logical port 66, packets pass through a classifier 100, which typically may use one or more indexes of the same index set discussed above to access a classification table 102. In a typical embodiment, the lookup performed by classifier 100 is simpler than that of classifier 80, because policing and marking are not frequently required. Therefore, in the present embodiment, packets are forwarded by forwarding function 62 from classifier 100 of logical port 66 directly to the particular queue Q0-Q2 of the designated LAN port 60a according to a lookup on the packet's DSCP. As described above, queues Q0-Q2 of LAN port 60a are served by a scheduler 102 that implements WFQ and sends the packets to customer LAN 32.
Referring to Fig. 6A, there is shown a detailed block diagram of a QoS-aware border router without VPN functionality, which may be used, for example, as border router 42 in the network architecture of Fig. 4. As shown, border router 42 of Fig. 6A includes a plurality of physical ports 116, a plurality of logical ports 110 coupled to access network 38 by a forwarding function 112 for inbound packets and a scheduler 114 for outbound packets, and a forwarding function 118 that forwards packets between logical ports 110 and physical ports 116. The embodiment with a plurality of physical ports 116 allows fault-tolerant connection to the network core routers, and the embodiment with a plurality of logical ports coupled to access network 38 allows one logical port (i.e., LP-1 110a) to be configured as a Diffserv-enabled logical port and a second logical port (i.e., LP-2 110b) to be configured as a best-effort logical port.
Thus, for traffic flowing from access network 38 through LP-2 110b of border router 42 to the network core, classifier 124 of LP-2 110b directs all packets to marker M0 according to classification table 126. Marker M0 re-marks all packets received on LP-2 110b with DSCP 000, thereby identifying them as best-effort traffic. In contrast, classifier 120 of LP-1 110a uses classification table 122 to map the incoming packets, which received their DSCP marking on a trusted CPE (for example, CPE edge router 34), to queues Q0-Q2 of PHY-1 116a managed by the service provider, each of these queues being associated with a different QoS class. Because the packets have already been subjected to multi-field classification, marking and shaping by the trusted CPE, border router 42 need not re-mark them. However, if the sending CPE edge router is not a trusted CPE, border router 42 still needs to re-mark and police the packets received on LP-1 110a.
After classification (and, in the case of traffic received on LP-2 110b, marking), forwarding function 118 forwards the traffic to the appropriate physical port 116 or logical port 110. Unlike edge router 34 of Fig. 5, which uses a classifier to perform all forwarding lookups, border router 42 employs a different design, in which forwarding function 118 accesses a forwarding table 128 by the DA of the packet to determine the output port, which in this example is LP-1 110a, LP-2 110b or PHY-1 116a. In the case of a non-VPN router, forwarding table 128 is populated by a general-purpose IP routing protocol (for example, Border Gateway Protocol (BGP)) or by static configuration (for example, associating the 24-bit IP address prefix "d.e.f" with LP-2 110b). In another embodiment, the IP lookup and forwarding function is integrated into forwarding function 62. In the embodiment shown in Fig. 6A, border router 42 is assumed to have only one physical port 116 coupled to a core router for all traffic destined to the network core. In other embodiments, the traffic load may of course be balanced across several physical ports 116. In addition, the described design can be directly extended to schemes that omit the core router or that employ one or more logical ports to one or more core routers.
For traffic sent by border router 42 to access network 38, classifier 132 uses the DSCP of each packet to access classification table 134, so as to direct each packet to the appropriate one of queues Q0-Q2 according to the QoS indicated by the packet's DSCP. A customer who has purchased a Diffserv-enabled logical port 110 obtains the desired QoS because the source CPE has policed and marked the flows with suitable DSCP values. Although a best-effort customer could thereby receive higher-quality service in one direction, preventing such unidirectional differentiated service would require a significantly more complex classifier and the distribution of QoS information to every edge router in the service provider's network by a routing protocol.
Referring to Fig. 6B, there is shown a detailed block diagram of a QoS-aware VPN border router 40 that can provide Diffserv-enabled, DoS-protected VPN service in the network architecture shown in Fig. 4. As shown, border router 40 includes a plurality of physical ports 226 for coupling to the core routers of Diffserv-enabled IP VPN network 44, a plurality of Diffserv-enabled logical ports 224 coupled to an access network 38 by a forwarding function 220 for inbound packets and a scheduler 222 for outbound packets, and a forwarding function 228 that forwards packets between logical ports 224 and physical ports 226.
Each Diffserv-enabled logical port 224 on border router 40 serves one of a plurality of VPNs. For example, Diffserv-enabled logical port LP-A 224a serves a customer site belonging to VPN A, which includes customer sites having the 24-bit IP address prefixes "a.b.c" and "a.b.d". Likewise, Diffserv-enabled logical port LP-B 224b serves a customer site belonging to VPN B, which includes two customer sites having the 24-bit IP address prefixes "b.c.d" and "b.c.e". Diffserv-enabled logical ports 224 do not serve sites belonging to best-effort IP public network 46, since that traffic passes through border router 42, as shown in Fig. 4.
As also shown in Fig. 6B, each core-facing physical port 226 in border router 40 is logically divided into a plurality of sub-interfaces implemented as logical tunnels 240. As known to those skilled in the art, tunnels may be implemented using various technologies, including IP-over-IP tunnels, Generic Routing Encapsulation (GRE) tunnels, IPsec operating in tunnel mode, a stack of one or more Multiprotocol Label Switching (MPLS) labels, Layer 2 Tunneling Protocol (L2TP) or a null tunnel. A tunnel differs from a logical port in that the routing information of a plurality of VPNs can be associated with a tunnel in a nested manner. For example, in the Border Gateway Protocol (BGP)/MPLS VPNs described in IETF RFC 2547 [E. Rosen et al., "BGP/MPLS VPNs", March 1999], the top MPLS label determines the destination border router and the bottom label determines the destination VPN.
In operation, classifier 230 on each Diffserv-enabled logical port 224 classifies the packets flowing from access network 38 through border router 40 to the network core of Diffserv-enabled IP VPN network 44 according to the DSCP value of each packet, with reference to a respective classification table 232. As shown, classification tables 232a and 232b are accessed using the DSCP as an index to determine, for each packet, an appropriate one of queues Q0-Q2 on physical port PHY-1 226a. Similarly, packets received on physical ports 226 are classified by classifier 250 with reference to classification table 254 to determine, for each packet, an appropriate one of queues Q0-Q2 on logical ports 224. After classification (and optional (re)marking as shown for LP-B 224b), forwarding function 228 switches packets between logical ports 224 and physical ports 226 with reference to respective VPN forwarding tables 234a-234n, each associated with a corresponding VPN. Thus, for example, VPN forwarding table 234a provides the forwarding routes for VPN A, and VPN forwarding table 234b provides the forwarding routes for VPN B.
VPN forwarding tables 234 are accessed using the source port and DA as indexes. For example, in the exemplary network configuration represented by forwarding table 234a, intra-VPN A traffic addressed to DAs having the 24-bit IP address prefix "a.b.d" is routed via TNL-1 240a, and traffic received on TNL-1 is directed to LP-A 224a. In VPN routing table 234b, the same routes can be seen between TNL-2 240b and LP-B 224b. As noted above, VPN forwarding tables 234 may be populated by static configuration or dynamically by a routing protocol.
After processing by the forwarding function, each packet is directed to an output port queue according to its DSCP value. For example, packets marked with the QoS class associated with DSCP 101 are placed in Q2, packets marked with the QoS class associated with DSCP 010 are placed in Q1, and traffic marked with DSCP 000 is placed in Q0. Schedulers 236 and 252 then schedule the output of packets from queues Q0-Q2 to achieve the required QoS.
Referring to Fig. 7, the exemplary network architecture 150 shown provides a network-based VPN that solves the DoS attack problem. In Fig. 7, features corresponding to those of network architecture 30 shown in Fig. 4 are identified by the same reference numerals and traffic symbols.
Like network architecture 30 of Fig. 4, network architecture 150 shown in Fig. 7 includes a Diffserv-enabled IP VPN network 44, a best-effort IP public network 46 and a plurality of customer local area networks (LANs) 32. As described above, customer LANs 32a and 32b belong to the same VPN and each include one or more hosts 48 that may act as senders and/or receivers of packets. Each customer LAN 32 is coupled to a respective access network (for example, an L2 or L3 access network) 154 through a CPE edge router 34 and a physical access link 153. Unlike access network 38 of Fig. 4, which has separate logical connections for QoS and best-effort traffic, access network 154 is coupled only to a border router 156 of Diffserv-enabled IP VPN network 44, which in turn has a separate logical connection to border router 42 of best-effort IP public network 46. Consequently, both the intra-VPN traffic toward network 44 and the extra-VPN traffic toward network 46 are routed through border router 156, which helps ensure work-conserving scheduling between the two classes of traffic. As a result, however, the complexity of border router 156 increases, because each border router 156 must provide a separate forwarding table for each connected customer as well as a comprehensive Internet forwarding table that can be shared among customers.
Referring to Fig. 8, there is shown a detailed block diagram of a QoS-aware VPN border router in which the policers, shapers, schedulers, logical port access network connections and forwarding tables are configured to provide Diffserv-enabled, DoS-protected VPN service in the network architecture shown in Fig. 7. As shown, border router 156 includes a plurality of physical ports 176 coupled to the network core routers, a plurality of Diffserv-enabled logical ports 174 coupled to access network 154 by a forwarding function 170 for inbound packets and a scheduler 172 for outbound packets, and a forwarding function 178 that forwards packets between logical ports 174 and physical ports 176.
Because each CPE edge router 34 is coupled through access network 154 to only one border router 156 via a single access link, each network customer site is served by a pair of Diffserv-enabled logical ports 174 on border router 156, one for intra-VPN traffic and one for extra-VPN traffic. For example, Diffserv-enabled logical ports LP-A1 174a and LP-A2 174b serve a single customer site belonging to VPN A, where VPN A includes at least two customer sites having the 24-bit IP address prefixes "a.b.c" and "a.b.d". In the illustrated embodiment, LP-A1 174a provides access for the QoS traffic communicated among the sites belonging to VPN A across Diffserv-enabled IP VPN network 44, and LP-A2 174b provides access for the best-effort traffic exchanged with best-effort IP public network 46.
As further shown in Fig. 8, each core-facing physical port 176 in border router 156 is logically divided into a plurality of sub-interfaces implemented as logical tunnels 180. As known to those skilled in the art, tunnels may be implemented using various technologies, including IP-over-IP tunnels, Generic Routing Encapsulation (GRE) tunnels, IPsec operating in tunnel mode, a stack of one or more Multiprotocol Label Switching (MPLS) labels, or a null tunnel. A tunnel differs from a logical port in that the routing information of a plurality of VPNs can be associated with a tunnel in a nested manner. For example, in the Border Gateway Protocol (BGP)/MPLS VPNs described in IETF RFC 2547, the top MPLS label determines the destination border router and the bottom label determines the destination VPN.
In operation, classifier 182 on each Diffserv-enabled logical port 174 classifies the packets flowing from access network 154 through border router 156 to the network core according to the DSCP value of each packet, with reference to a respective classification table 190. As shown, classification tables 190a and 190b are accessed using the DSCP as an index to determine, for each packet, an appropriate one of queues Q0-Q2 on physical port PHY-1 176a. Similarly, packets received on physical ports 176 are classified by classifier 198 with reference to classification table 192 to determine, for each packet, an appropriate one of queues Q0-Q2 on logical ports 174. After classification (and optional (re)marking as shown for LP-A2 174b), forwarding function 178 switches packets between logical ports 174 and physical ports 176 with reference to the respective VPN forwarding tables 194a-194n, each associated with a corresponding VPN, and a shared Internet forwarding table 195. For example, forwarding table 194a contains entries providing the forwarding routes for VPN A, and Internet forwarding table 195 contains entries providing the forwarding routes for packets whose source is LP-A2 or TNL-2 (that is, the logical interfaces configured for Internet access).
Forwarding tables 194 are accessed using the source port and DA as indexes. For example, in the exemplary network configuration represented by forwarding table 194a, intra-VPN traffic addressed to DAs having the 24-bit IP address prefix "a.b.d" is routed via TNL-1 180a, and extra-VPN (i.e., Internet) traffic is routed via TNL-2 180b (which may be a null tunnel). Forwarding table 194a further indicates that intra-VPN traffic received via TNL-1 180a is directed to LP-A1 174a, and that all other traffic arriving from the Internet via tunnel TNL-2 180b with DAs having the 24-bit IP address prefix "a.b.c" is sent to LP-A2 174b. Traffic destined to other ports on border router 156 (i.e., traffic having a local DA) is sent to the other ports of border router 156 (shown as LP-x). In other words, the entries marked "local" in forwarding table 194a specify those address prefixes (for example, a.b.c/24) assigned to the VPN sites attached to interfaces on border router 156, as distinct from the prefixes reached through tunnels.
Passing on after the processing of function 178, grouping is guided into the output port queue of corresponding its DSCP value separately.For example, the grouping that is marked with the QoS classification relevant with DSCP 101 is positioned in Q2, and the grouping that is marked with the QoS classification relevant with DSCP010 is positioned in Q1, and the business of getting about that is marked with DSCP000 is positioned in Q0.From formation Q0-Q2, dispatch the grouping of output then by scheduler 196, with the QoS that realizes requiring.
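The Fig. 8 forwarding and classification path as a small Python model, added here as an illustration and not code from the patent: lookups keyed by (source interface, destination prefix), DSCP-indexed output queues, and re-marking on the Internet-facing interfaces. The concrete prefixes standing in for "a.b.c/24" and "a.b.d/24", the reading of the DSCP values as 3-bit class bits, and the re-marking of all Internet-interface traffic (the text only shows it for LP-A2) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Interface names follow Fig. 8; the prefixes standing in for the description's
# "a.b.c/24" (local site) and "a.b.d/24" (remote VPN site) are constructed values.
SITE_PREFIX = ipaddress.ip_network("10.1.3.0/24")    # "a.b.c/24"
REMOTE_PREFIX = ipaddress.ip_network("10.1.4.0/24")  # "a.b.d/24"
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# VPN forwarding table 194a and shared Internet table 195, each keyed by
# (source interface, destination prefix) -> egress interface, as the text describes.
VPN_TABLE_194A = {
    ("LP-A1", REMOTE_PREFIX): "TNL-1",  # intra-VPN traffic toward the core
    ("TNL-1", SITE_PREFIX): "LP-A1",    # intra-VPN traffic from the core to the site
}
INTERNET_TABLE_195 = {
    ("LP-A2", DEFAULT): "TNL-2",        # site -> Internet (TNL-2 may be a null tunnel)
    ("TNL-2", SITE_PREFIX): "LP-A2",    # Internet -> site, the "local" prefix entry
}
INTERNET_IFACES = {"LP-A2", "TNL-2"}   # logical interfaces configured for Internet access

# Classification tables 190/192: DSCP -> output queue; anything unlisted is best effort.
DSCP_TO_QUEUE = {0b101: "Q2", 0b010: "Q1", 0b000: "Q0"}
BEST_EFFORT = 0b000


def lookup(src_iface, dst):
    """Forwarding function 178: longest-prefix match in the table chosen by source interface."""
    table = INTERNET_TABLE_195 if src_iface in INTERNET_IFACES else VPN_TABLE_194A
    addr = ipaddress.ip_address(dst)
    matches = [(p.prefixlen, out) for (s, p), out in table.items()
               if s == src_iface and addr in p]
    return max(matches)[1] if matches else None


def classify(src_iface, dscp):
    """Classifier 182/198 plus re-marking: traffic entering on an Internet interface is
    re-marked best effort (assumption generalising the LP-A2 re-marking), so it only reaches Q0."""
    if src_iface in INTERNET_IFACES:
        dscp = BEST_EFFORT
    return DSCP_TO_QUEUE.get(dscp, "Q0")


def forward(packets):
    """Switch (src_iface, dst_ip, dscp) packets; return per-egress queue counts for scheduler 196."""
    queues = defaultdict(lambda: defaultdict(int))
    for src, dst, dscp in packets:
        out = lookup(src, dst)
        if out is None:
            continue  # no route from this interface: dropped at the border
        queues[out][classify(src, dscp)] += 1
    return {k: dict(v) for k, v in queues.items()}


def demo():
    # Constructed traffic: a few intra-VPN packets from the core and a large burst of
    # extra-VPN packets to the same site address, all carrying DSCP 101.
    intra = [("TNL-1", "10.1.3.7", 0b101)] * 3
    extra = [("TNL-2", "10.1.3.7", 0b101)] * 1000
    return forward(intra + extra)


if __name__ == "__main__":
    print(demo())  # {'LP-A1': {'Q2': 3}, 'LP-A2': {'Q0': 1000}}
```

The burst arriving over TNL-2 lands entirely in the best-effort queue of LP-A2, the separate logical connection on the access link, and never touches the Q2 queue of LP-A1 that carries the VPN's high-priority traffic.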
As described above, the present invention provides an improved network architecture for providing QoS to intra-VPN traffic and for protecting that traffic from DoS attacks originating from sources outside the VPN. The present invention employs a network-based VPN service together with a best-effort Internet service to provide DoS-protected QoS for selected traffic flows, with an L2 access network, running a routing protocol suitably configured for the best-effort Internet service, coupled to a CPE edge router. Diffserv handling in the network-based VPN core provides QoS for the selected traffic flows marked at the edge, while logically separating intra-VPN traffic from extra-VPN traffic, so that a VPN customer site cannot be subjected to DoS by traffic from sources outside the customer's VPN exceeding the site's access capacity. If Intserv admission control is implemented on the CPE edge router and/or the QoS-aware border router as described in IETF RFC 2998 [Y. Bernet et al., "A Framework for Integrated Services Operation over Diffserv Networks", November 2000], traffic originating from sources inside the customer's VPN can be protected as well.
The network architecture of the present invention can be realized in both CPE-based and network-based embodiments. The CPE-based scheme simplifies configuration of the access network linking the CPE edge router and the ISP's border router, and makes it easy to provide QoS to the VPN site without implementing Diffserv throughout the ISP's network. The network-based architecture can efficiently provide work-conserving scheduling that allows extra-VPN traffic to utilize spare access capacity allocated to intra-VPN traffic.
Although various embodiments of the present invention have been discussed above, it should be understood that they are presented by way of example only and not of limitation. Therefore, the scope of the present invention should not be limited to the above embodiments, but only by the following claims and their equivalents. For example, although the present invention has been described with reference to a preferred embodiment in which a network-based VPN is implemented within a Diffserv network, it should be understood that the present invention is not limited to the use of a Diffserv network and may instead employ other network-based VPNs, which may be implemented with BGP/MPLS according to the teachings of RFC 2547, or with virtual routers according to the teachings of RFC 2917 [K. Muthukrishnan et al., "A Core MPLS IP VPN Architecture", September 2000]. In addition, although Figs. 3, 4 and 7 show a single access link from each CPE edge router to a VPN network and a best-effort network, it should be readily understood that, for redundancy, a CPE edge router may be coupled to one or more access networks by a plurality of access links that provide logical connections to one or more border routers for each VPN and best-effort network. In such a "dual homing" scheme, multiple access links in either a primary/backup or a load-sharing arrangement can be realized by installing static routes in the service provider border routers or by configuring the service provider border routers dynamically with a routing protocol (e.g., EBGP). Doing so requires the CPE edge router to implement separate instances of the forwarding tables and routing protocols for the plurality of VPN and Internet access address spaces. The implementation of such a CPE edge router is similar to the scheme described with reference to Fig. 8 and the related sections, except that only a single VPN table and a single Internet routing table are employed.

Claims (20)

1. A network system that resists a denial of service attack on an access link to a destination host belonging to a virtual private network (VPN), the network system comprising:
one or more egress border routers having a connection to an access network that includes the access link, wherein the one or more egress border routers transmit intra-VPN traffic originating from sources inside the VPN and extra-VPN traffic originating from sources outside the VPN over logical connections in the access network that separate the intra-VPN traffic from the extra-VPN traffic; and
a plurality of ingress border routers coupled to the one or more egress border routers, for communicating with a network-based VPN protocol that logically separates intra-VPN traffic from extra-VPN traffic, thereby making it possible to prevent a denial of service attack on the access link originating from a source outside the VPN.
2. The network system of claim 1, further comprising a differentiated services network coupling at least one ingress border router of the plurality of ingress border routers to at least one egress border router of the one or more egress border routers.
3. The network system of claim 1, further comprising a plurality of customer premises equipment (CPE) edge routers, each customer premises equipment (CPE) edge router being coupled to a corresponding ingress border router of the plurality of ingress border routers.
4. The network system of claim 1, further comprising the access network.
5. The network system of claim 4, further comprising a customer premises equipment (CPE) edge router coupled to the access link.
6. The network system of claim 5, wherein the CPE edge router has a physical port coupled to the access link, the physical port implementing a first logical port for intra-VPN traffic and a second logical port for extra-VPN traffic.
7. The network system of claim 1, wherein at least one ingress border router of the plurality of ingress border routers implements a plurality of tunnels that logically separate intra-VPN traffic from extra-VPN traffic.
8. The network system of claim 1, wherein the one or more egress border routers provide a plurality of different qualities of service for the intra-VPN traffic.
9. A network system comprising:
an access network having an access link to a destination host belonging to a virtual private network (VPN), wherein the access link supports a first logical connection for intra-VPN traffic originating from sources inside the VPN and a second logical connection for extra-VPN traffic originating from sources outside the VPN;
one or more egress border routers having a connection to the access network, wherein the one or more egress border routers transmit intra-VPN traffic to the destination host over the first logical connection and transmit extra-VPN traffic to the destination host over the second logical connection; and
a plurality of ingress border routers coupled to the one or more egress border routers, for communicating with a network-based VPN protocol that logically separates intra-VPN traffic from extra-VPN traffic, thereby making it possible to prevent a denial of service attack on the access link originating from a source outside the VPN.
10. The network system of claim 9, further comprising a differentiated services network coupling at least one ingress border router of the plurality of ingress border routers to at least one egress border router of the one or more egress border routers.
11. The network system of claim 9, further comprising a plurality of customer premises equipment (CPE) edge routers, each customer premises equipment (CPE) edge router being coupled to a corresponding ingress border router of the plurality of ingress border routers.
12. The network system of claim 9, further comprising a customer premises equipment (CPE) edge router coupled to the access link.
13. The network system of claim 12, wherein the CPE edge router has a physical port coupled to the access link, the physical port implementing a first logical port for intra-VPN traffic and a second logical port for extra-VPN traffic.
14. The network system of claim 9, wherein at least one ingress border router of the plurality of ingress border routers implements a plurality of tunnels that logically separate intra-VPN traffic from extra-VPN traffic.
15. The network system of claim 9, wherein the one or more egress border routers provide a plurality of different qualities of service for the intra-VPN traffic.
16. A method of protecting an access link to a destination host belonging to a virtual private network (VPN) from a denial of service attack, the method comprising:
in an access network that includes the access link, providing a first logical connection for intra-VPN traffic originating from sources inside the VPN and a second logical connection for extra-VPN traffic originating from sources outside the VPN;
transmitting intra-VPN traffic and extra-VPN traffic destined for the destination host from a plurality of ingress border routers to one or more egress border routers, wherein the intra-VPN traffic and the extra-VPN traffic are transmitted with a network-based VPN protocol that logically separates intra-VPN traffic from extra-VPN traffic; and
transmitting intra-VPN traffic from the one or more egress border routers to the destination host over the first logical connection, and transmitting extra-VPN traffic from the one or more egress border routers to the destination host over the second logical connection, thereby making it possible to prevent a denial of service attack on the access link originating from a source outside the VPN.
17. The method of claim 16, wherein said transmitting comprises transmitting with a differentiated services protocol.
18. The method of claim 16, wherein a customer premises equipment (CPE) edge router is coupled between the access network and the destination host, the method further comprising:
providing first and second logical ports on a physical port of the CPE edge router that is coupled to the access link; and
receiving intra-VPN traffic on the first logical port and receiving extra-VPN traffic on the second logical port.
19. The method of claim 16, further comprising logically separating intra-VPN traffic from extra-VPN traffic with a plurality of tunnels at at least one ingress border router of the plurality of ingress border routers.
20. The method of claim 16, further comprising providing, by the one or more egress border routers, a plurality of different qualities of service for the intra-VPN traffic.

Applications Claiming Priority (8)

Application Number Priority Date Filing Date Title
US27692301P 2001-03-20 2001-03-20
US27695301P 2001-03-20 2001-03-20
US27695501P 2001-03-20 2001-03-20
US60/276,955 2001-03-20
US60/276,923 2001-03-20
US60/276,953 2001-03-20
US10/023,043 US20030115480A1 (en) 2001-12-17 2001-12-17 System, method and apparatus that employ virtual private networks to resist IP QoS denial of service attacks
US10/023,043 2001-12-17

Publications (1)

Publication Number Publication Date
CN1498368A true CN1498368A (en) 2004-05-19

Family

ID=27487176

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA028068203A Pending CN1498368A (en) 2001-03-20 2002-03-20 System, method and apparatus that employ virtual private networks to resist IPQoS denial of service attacks

Country Status (7)

Country Link
EP (1) EP1374057A4 (en)
JP (1) JP2004533149A (en)
CN (1) CN1498368A (en)
BR (1) BR0208223A (en)
CA (1) CA2441712A1 (en)
MX (1) MXPA03008421A (en)
WO (1) WO2002075548A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1842087B (en) * 2005-03-30 2011-05-18 朗迅科技公司 Detection of power-drain denial-of-service attacks in wireless networks
CN101536455B (en) * 2006-11-03 2013-01-02 阿尔卡特朗讯 Methods and apparatus for delivering control messages during a malicious attack in one or more packet networks

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7653050B2 (en) 2002-02-05 2010-01-26 Nortel Networks Limited Technique for implementing a multi-service packet and optical/TDM virtual private cross-connect
US7478429B2 (en) 2004-10-01 2009-01-13 Prolexic Technologies, Inc. Network overload detection and mitigation system and method
WO2014118526A1 (en) 2013-01-31 2014-08-07 Bae Systems Plc Data transfer

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4924500A (en) * 1989-05-17 1990-05-08 Northern Telecom Limited Carrier independent network services

Also Published As

Publication number Publication date
EP1374057A1 (en) 2004-01-02
JP2004533149A (en) 2004-10-28
MXPA03008421A (en) 2004-01-29
CA2441712A1 (en) 2002-09-26
WO2002075548A1 (en) 2002-09-26
EP1374057A4 (en) 2004-11-10
BR0208223A (en) 2004-03-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication