WO2014117360A1 - Method and apparatus for processing packets in a TRILL network - Google Patents

Method and apparatus for processing packets in a TRILL network

Info

Publication number
WO2014117360A1
Authority
WO
WIPO (PCT)
Prior art keywords
dhcp
packet
snooping
trusted
dynamic host
Application number
PCT/CN2013/071194
Other languages
English (en)
French (fr)
Inventor
刘树名
谢莹
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to EP13873843.0A (EP2940944B1)
Priority to CN201380000086.1A (CN104137492B)
Priority to PCT/CN2013/071194 (WO2014117360A1)
Publication of WO2014117360A1
Priority to US14/811,591 (US9800591B2)

Classifications

    • H04L 63/1408: Network security, detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 12/6418: Hybrid switching systems, hybrid transport
    • H04L 63/02: Network security, separating internal from external traffic, e.g. firewalls
    • H04L 63/14: Network security, detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic

Definitions

  • The present invention relates to the field of communications, and in particular to a method and apparatus for processing packets in a Transparent Interconnect of Lots of Links (TRILL) network.
  • A switch in a TRILL network has both Layer 2 forwarding and Layer 3 routing functions and is usually called a Routing Bridge (RBridge or RB).
  • TRILL runs on the data link layer, the second layer of the Open System Interconnection (OSI) model, and applies link-state routing at the data link layer.
  • A common way to defend against packet attacks is Dynamic Host Configuration Protocol snooping (DHCP snooping).
  • A network device performing DHCP snooping pre-sets some of its physical ports for the transmission of network-side traffic and sets other physical ports for the transmission of user-side traffic.
  • When such a device performs the security check, it does not check traffic from the network side; it checks traffic from the user side and only allows through packets whose Internet Protocol (IP) address appears in the DHCP snooping binding table.
  • Because network-side and user-side traffic are carried on different physical ports, and attack packets generally come from user-side traffic, checking user-side traffic in this way can defend against attacks to a certain extent.
  • However, the topology of a TRILL network may be a ring or a mesh.
  • In such a topology a physical port on a network device may receive both user-side traffic and network-side traffic.
  • The network device then cannot distinguish user-side traffic from network-side traffic based on the physical port, so attacks cannot be effectively defended against.
  • The invention provides a method and apparatus for processing packets in a TRILL network, which can effectively defend against network packet attacks and improve network security.
  • A first aspect provides a method for processing packets in a TRILL network, the method including: receiving a packet sent by a device in the network; if the device is determined to be a trusted RB, forgoing the security check on the packet from the device; if the device is determined not to be a trusted RB, performing the security check on the packet from the device.
  • Determining that the device is a trusted routing bridge includes: determining that the received packet is a TRILL packet and that the TRILL packet was sent by a trusted routing bridge.
  • In one implementation, before receiving the packet sent by the device, the method further includes: receiving a dynamic host configuration protocol response message and establishing a DHCP-Snooping binding entry according to that response message only after determining that the device that sent it is a trusted RB.
  • Performing the security check on the packet from the device then includes: performing DHCP-Snooping on the packet according to the DHCP-Snooping binding table, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
  • In another implementation, before receiving the packet sent by the device, the method further includes: receiving a dynamic host configuration protocol response message and establishing a dynamic host configuration protocol snooping (DHCP-Snooping) binding entry according to that response message; the security check is then DHCP-Snooping according to the binding table that includes that entry.
  • A second aspect provides an apparatus for processing packets in a TRILL network, the apparatus including: a receiving unit, configured to receive a packet sent by a device in the network; and a security checking unit, configured to forgo the security check on the packet from the device if the device is determined to be a trusted RB, and to perform the security check on the packet if the device is determined not to be a trusted RB.
  • The apparatus may further include a determining unit, configured to determine that the received packet is a TRILL packet and that the TRILL packet was sent by a trusted RBridge.
  • The apparatus may further include a binding entry establishing unit; the receiving unit is then configured to receive a dynamic host configuration protocol response message, and the binding entry establishing unit is configured to establish a DHCP-Snooping binding entry according to that response message only after determining that the device that sent it is a trusted RB.
  • The security checking unit is then specifically configured to perform DHCP-Snooping on the packet from the device according to the DHCP-Snooping binding table, which includes the DHCP-Snooping binding entry.
  • Alternatively, the binding entry establishing unit is configured to establish a dynamic host configuration protocol snooping (DHCP-Snooping) binding entry according to the response message received by the receiving unit, and the security checking unit performs DHCP-Snooping on the packet from the device according to the binding table that includes that entry.
  • A third aspect provides an RB including a processor, a communication interface, a memory and a bus; the processor, communication interface and memory communicate with each other through the bus; the communication interface is configured to communicate with an external device; and the memory is configured to store a program.
  • The processor is configured to read and execute the program in the memory, performing: receiving a packet sent by a device in the network; if the device is determined to be a trusted RB, forgoing the security check on the packet from the device; if the device is determined not to be a trusted RB, performing the security check on the packet from the device.
  • The processor may further be configured to determine that the received packet is a TRILL packet and that the TRILL packet was sent by a trusted RBridge.
  • The processor may further be configured, before receiving a packet sent by a device in the network, to receive a dynamic host configuration protocol response message and to establish a DHCP-Snooping binding entry according to it only after determining that the device that sent it is a trusted RB; the security check is then DHCP-Snooping according to the DHCP-Snooping binding table that includes that entry.
  • Alternatively, the processor establishes a dynamic host configuration protocol snooping (DHCP-Snooping) binding entry according to the received response message, and performs DHCP-Snooping on the packet from the device according to the binding table that includes that entry.
  • The method and apparatus for processing packets in the TRILL network thus do not perform the security check based on a physical port, but decide whether to perform the security check based on the RB.
  • A packet from a trusted RB is not checked for security; a packet that is not from a trusted RB is checked.
  • Because the trusted RBs are pre-configured by the user, packet security can be ensured to the maximum extent, network packet attacks can be effectively defended against, and the security of the network can be improved.
  • FIG. 1 is a flow chart of a method for processing a message in a TRILL network according to an embodiment of the present invention
  • FIG. 2A is a structural block diagram of an apparatus for processing a message in a TRILL network according to an embodiment of the present invention
  • FIG. 2B is another structural block diagram of an apparatus for processing a message in a TRILL network according to an embodiment of the present invention
  • FIG. 2C is another structural block diagram of an apparatus for processing a message in a TRILL network according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of an RB according to an embodiment of the present invention.
  • An edge RB is an RB located at the edge of the TRILL network.
  • In other words, an edge RB is an RB in the TRILL network that is adjacent to other networks outside the TRILL network, such as an Ethernet.
  • The edge RB is connected to terminal devices and network-side devices through the other networks, such as an Ethernet, and is connected to the RBs in the TRILL network through the TRILL network.
  • Packets sent by terminal devices belong to user-side traffic, and packets sent by network-side devices belong to network-side traffic.
  • By using DHCP snooping in the TRILL network and replacing the physical-port setting of traditional DHCP snooping with a setting based on the RB, network packet attacks can be effectively defended against and network security improved.
  • The edge RB that performs the security check enables the DHCP snooping function, that is, the edge RB performs DHCP snooping; some edge RBs in the TRILL network are pre-configured on that edge RB as trusted RBs, where the trusted RBs can be specified by the user according to the networking situation. For example, an edge RB that connects only network-side devices in the TRILL network is configured as a trusted RB.
  • As another example, where the terminal devices connected to an edge RB are operated by trusted users, the edge RB connected only to network-side devices is configured as a trusted RB, and an edge RB all of whose connected terminal devices are operated by trusted users is also configured as a trusted RB.
  • Traffic received by the edge RB from a trusted RB is not checked for security.
  • A "trusted RB" is therefore an RB whose traffic sent to the edge RB does not need to be checked.
  • The DHCP client broadcasts a DHCP discover message; after receiving it, the edge RB broadcasts the DHCP discover message.
  • After receiving the DHCP discover message, the DHCP server sends a DHCP offer message.
  • The edge RB forwards the DHCP offer message to the DHCP client.
  • The DHCP client sends a DHCP request message.
  • The edge RB forwards the DHCP request message to the DHCP server.
  • After receiving the DHCP request message, the DHCP server sends a DHCP acknowledgement (response) message.
  • The edge RB establishes a DHCP-Snooping binding entry according to the "your IP address" (yiaddr) field of the DHCP response message and forwards the DHCP response message to the DHCP client.
  • The DHCP-Snooping binding entry is an entry in the DHCP-Snooping binding table.
  • In this way the edge RB can establish a DHCP-Snooping binding entry that includes the IP address assigned by the DHCP server to the DHCP client; when the edge RB determines that a packet is not from a trusted RB, it can check that packet against the DHCP-Snooping binding entry. Network packet attacks can thus be effectively defended against, improving network security.
  • FIG. 1 is a flow chart of a method for processing a message in a TRILL network according to an embodiment of the present invention.
  • An embodiment of the present invention provides a method for processing packets in a TRILL network, described from the point of view of an edge RB, including: receiving a packet sent by a device in the network; if the device is determined to be a trusted RB, forgoing the security check on the packet; if the device is determined not to be a trusted RB, performing the security check on the packet.
  • The "network" in this embodiment is not limited, and may be the TRILL network or an Ethernet.
  • The device in the network may be a terminal device in an Ethernet connected to the edge RB, such as a personal computer, a tablet computer, a mobile phone, an IP phone, a network printer, a personal digital assistant (PDA), a mobile Internet device (MID) or an e-book reader.
  • The security check on the packet includes performing DHCP snooping on the packet.
  • The edge RB may determine whether the device is a trusted RB according to the received packet.
  • A trusted RB is an edge RB whose packets are forwarded without a security check.
  • Where the packet received by the edge RB performing the security check is a TRILL packet, and the TRILL packet was sent by a trusted RB, the device is determined to be a trusted RB; otherwise, the edge RB performing the security check determines that the device is not a trusted RB.
  • When an edge RB in the TRILL network forwards a packet received from another network into the TRILL network, it adds a TRILL header to the packet to form a TRILL packet.
  • The ingress RBridge nickname in the TRILL header is the nickname of that edge RB. While the TRILL packet is transmitted through the TRILL network, the ingress RB nickname in the TRILL header is not changed. The edge RB performing the security check can therefore determine whether a packet is a TRILL packet by determining whether it includes a TRILL header.
  • The edge RB performing the security check may pre-store the nicknames of the trusted RBs, and determine whether the device that sent the packet is a trusted RB by determining whether the ingress RB nickname in the TRILL header is one of the pre-stored nicknames of the trusted RBs.
  • Specifically, the edge RB performing the security check may use the ingress RB nickname as the search key and search the pre-stored nicknames of the trusted RBs; if the ingress RB nickname is found, the device is determined to be a trusted RB, otherwise it is not.
  • The method may therefore further include pre-storing the nicknames of the trusted RBs.
  • The pre-stored trusted RBs may be specified by the user according to the networking situation.
  • The security check of packets from devices that are not trusted RBs may be: performing DHCP-Snooping on the packets according to the DHCP-Snooping binding table.
  • The DHCP-Snooping binding table includes DHCP-Snooping binding entries.
  • The edge RB performing the security check establishes a DHCP-Snooping binding entry based on a DHCP response message; specifically, according to the yiaddr field in the DHCP response message.
  • Optionally, after receiving the DHCP response message, the edge RB performing the security check establishes the DHCP-Snooping binding entry according to the DHCP response message only after determining that the device that sent the DHCP response message is a trusted RB.
  • Correspondingly, when the edge RB performing the security check determines that the device that sent the DHCP response message is not a trusted RB, it discards the DHCP response message and does not establish a DHCP-Snooping binding entry.
  • Performing DHCP-Snooping on the packet from the device may include: if the packet is not a TRILL packet, performing DHCP-Snooping on the packet itself; if the packet is a TRILL packet, performing DHCP-Snooping on the inner packet carried by the TRILL packet.
  • The edge RB performing the security check thus determines whether the device that sent the packet is a trusted RB, and if the device is not a trusted RB, performs the security check on packets from that device.
  • If the device is not a trusted RB, packets from the device may be regarded as user-side packets that require a security check; if the device is a trusted RB, packets from the device may be regarded as network-side packets that require no security check.
  • The method for processing packets in a TRILL network provided by this embodiment does not perform the security check based on a physical port, but decides whether to perform the security check based on the RB. When a packet is from a trusted RB, it is not checked for security; when a packet is not from a trusted RB, it is checked.
  • An embodiment of the present invention further provides an apparatus 20 for processing packets in a TRILL network, where the apparatus 20 includes a receiving unit 21 and a security checking unit 22.
  • The receiving unit 21 is configured to receive a packet sent by a device in the network.
  • The security checking unit 22 is configured to: if the device is determined to be a trusted RB, forgo the security check on the packet from the device; if the device is determined not to be a trusted RB, perform the security check on the packet from the device.
  • The apparatus thus does not perform the security check based on a physical port, but decides whether to perform the security check based on the RB. When a packet is from a trusted RB, it is not checked for security; when a packet is not from a trusted RB, it is checked.
  • In addition to the receiving unit 21 and the security checking unit 22, the apparatus 20 may further include a determining unit 23.
  • The determining unit 23 is configured to determine that the received packet is a TRILL packet and that the TRILL packet was sent by a trusted RBridge.
  • The apparatus 20 may further include a binding entry establishing unit 24.
  • The receiving unit 21 is then configured to receive a dynamic host configuration protocol response message.
  • The binding entry establishing unit 24 is configured to establish a DHCP-Snooping binding entry according to the dynamic host configuration protocol response message received by the receiving unit 21 only after determining that the device that sent the response message is a trusted RB.
  • The security checking unit 22 is specifically configured to perform DHCP-Snooping on the packet from the device according to the DHCP-Snooping binding table established by the binding entry establishing unit 24, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
  • Alternatively, the binding entry establishing unit 24 establishes a dynamic host configuration protocol snooping (DHCP-Snooping) binding entry according to the response message received by the receiving unit 21, and the security checking unit 22 performs DHCP-Snooping on the packet from the device according to the DHCP-Snooping binding table established by the binding entry establishing unit 24, which includes that entry.
  • The workflow of the apparatus for processing packets in the TRILL network corresponds to the method for processing packets in the TRILL network described above; since the method has already been described, the related description in the method embodiment also applies to the apparatus embodiment, and details are not repeated here.
  • FIG. 3 is a schematic diagram of an RB according to an embodiment of the present invention.
  • The RB 300 provided by the embodiment of the present invention may be an edge RB node, and the RB 300 may include a processor 510, a communication interface 520, a memory 530 and a bus 540.
  • The processor 510, the communication interface 520 and the memory 530 communicate with each other through the bus 540.
  • The communication interface 520 is configured to communicate with an external device.
  • The memory 530 is configured to store a program 532.
  • The memory 530 may be a volatile memory, such as a random-access memory (RAM), or a non-volatile memory, such as disk storage.
  • The program 532 may include computer operating instructions.
  • The processor 510 may be a central processing unit (CPU) or a network processor (NP).
  • The processor 510 is configured to read the program 532 and execute: receiving a packet sent by a device in the network; if the device is determined to be a trusted RB, forgoing the security check on the packet from the device; if the device is determined not to be a trusted RB, performing the security check on the packet from the device.
  • The RB provided by this embodiment thus does not perform the security check based on a physical port, but decides whether to perform the security check based on the RB: a packet from a trusted RB is not checked for security, and a packet that is not from a trusted RB is checked. Because the trusted RBs are pre-configured by the user, packet security can be ensured to the maximum extent, network packet attacks can be effectively defended against, and the security of the network can be improved.
  • The processor 510 may further be configured to determine that the received packet is a TRILL packet and that the TRILL packet was sent by a trusted RBridge.
  • The processor 510 may further be configured, before receiving a packet sent by the device in the network, to receive a dynamic host configuration protocol response message and to establish a DHCP-Snooping binding entry according to it only after determining that the device that sent the response message is a trusted RB.
  • The processor 510 may further be configured to perform DHCP-Snooping on the packet from the device according to the DHCP-Snooping binding table, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
  • Alternatively, the processor 510 may be configured, before receiving a packet sent by the device in the network, to receive a dynamic host configuration protocol response message and to establish a dynamic host configuration protocol snooping (DHCP-Snooping) binding entry according to it, and then to perform DHCP-Snooping on the packet from the device according to the DHCP-Snooping binding table that includes that entry.
  • The computer readable medium can be a computer readable signal medium or a computer readable storage medium.
  • A computer readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination of the foregoing, such as a random access memory, a read-only memory (ROM) or an erasable programmable read-only memory (EPROM).
  • The processor in the computer reads the computer readable program code stored in the computer readable medium, so that the processor can perform the functional actions specified in each step or combination of steps in the flowchart, and produce an apparatus that performs the functions specified in each block or combination of blocks.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention provides a method for processing packets in a TRILL network, which relates to the field of communications and can effectively defend against network packet attacks. The method includes: receiving a packet sent by a device in the network; if the device is determined to be a trusted RB, forgoing the security check on the packet from the device; if the device is determined not to be a trusted RB, performing the security check on the packet from the device. The present invention also provides a corresponding apparatus.

Description

Method and apparatus for processing packets in a TRILL network
Technical Field
The present invention relates to the field of communications, and in particular to a method and apparatus for processing packets in a Transparent Interconnect of Lots of Links (TRILL) network.
Background
A switch in a Transparent Interconnect of Lots of Links (TRILL) network has both Layer 2 forwarding and Layer 3 routing functions and is usually called a Routing Bridge (RBridge or RB). TRILL runs on the data link layer, that is, the second layer of the Open System Interconnection (OSI) model, and applies link-state routing at the data link layer.
A common way of defending against packet attacks is Dynamic Host Configuration Protocol snooping (DHCP snooping). A network device performing DHCP snooping pre-sets some of its physical ports for the transmission of network-side traffic and pre-sets other physical ports for the transmission of user-side traffic. When performing the security check, the device does not check traffic from the network side; it checks traffic from the user side, and only allows through packets whose Internet Protocol (IP) address is in the DHCP snooping binding table. Because network-side traffic and user-side traffic are transmitted on different physical ports, and attack packets generally come from user-side traffic, this way of checking user-side traffic can defend against attacks to a certain extent.
However, the topology of a TRILL network may be a ring or a mesh, and in a TRILL network with a ring or mesh topology a given physical port on a network device may receive both user-side traffic and network-side traffic. In that case the network device cannot distinguish user-side traffic from network-side traffic based on the physical port, and therefore cannot effectively defend against attacks.
Summary of the Invention
The present invention provides a method and apparatus for processing packets in a TRILL network, which can effectively defend against network packet attacks and improve network security. A first aspect provides a method for processing packets in a TRILL network, the method including: receiving a packet sent by a device in the network;
if the device is determined to be a trusted RB, forgoing the security check on the packet from the device;
if the device is determined not to be a trusted RB, performing the security check on the packet from the device.
In a first implementation of the first aspect, determining that the device is a trusted routing bridge includes:
determining that the received packet is a TRILL packet and that the TRILL packet was sent by a trusted routing bridge.
With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, before receiving the packet sent by the device in the network, the method further includes:
receiving a dynamic host configuration protocol response message, and establishing a DHCP-Snooping binding entry according to the dynamic host configuration protocol response message only when the device that sent the response message is determined to be a trusted RB.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, performing the security check on the packet from the device includes:
performing DHCP-Snooping on the packet from the device according to a DHCP-Snooping binding table, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
With reference to the first aspect or its first possible implementation, in a fourth possible implementation, before receiving the packet sent by the device in the network, the method further includes:
receiving a dynamic host configuration protocol response message, and establishing a dynamic host configuration protocol snooping (DHCP-Snooping) binding entry according to the dynamic host configuration protocol response message. With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation, performing the security check on the packet from the device includes:
performing DHCP-Snooping on the packet from the device according to a DHCP-Snooping binding table, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
A second aspect provides an apparatus for processing packets in a TRILL network, the apparatus including: a receiving unit, configured to receive a packet sent by a device in the network; and a security checking unit, configured to forgo the security check on the packet from the device if the device is determined to be a trusted RB, and to perform the security check on the packet from the device if the device is determined not to be a trusted RB.
In a first implementation of the second aspect, the apparatus further includes a determining unit, configured to determine that the received packet is a TRILL packet and that the TRILL packet was sent by a trusted routing bridge.
With reference to the second aspect or its first possible implementation, in a second possible implementation of the second aspect, the apparatus further includes a binding entry establishing unit;
the receiving unit is configured to receive a dynamic host configuration protocol response message;
the binding entry establishing unit is configured to establish a DHCP-Snooping binding entry according to the dynamic host configuration protocol response message received by the receiving unit only when the device that sent the response message is determined to be a trusted RB.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the security checking unit is specifically configured to perform DHCP-Snooping on the packet from the device according to a DHCP-Snooping binding table, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
With reference to the second aspect or its first possible implementation, in a fourth possible implementation, the apparatus further includes a binding entry establishing unit;
the receiving unit is configured to receive a dynamic host configuration protocol response message;
the binding entry establishing unit is configured to establish a dynamic host configuration protocol snooping (DHCP-Snooping) binding entry according to the dynamic host configuration protocol response message received by the receiving unit.
With reference to the fourth possible implementation of the second aspect, in a fifth possible implementation, the security checking unit is specifically configured to perform DHCP-Snooping on the packet from the device according to a DHCP-Snooping binding table, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
A third aspect provides an RB, the RB including a processor, a communication interface, a memory and a bus;
the processor, the communication interface and the memory communicate with each other through the bus; the communication interface is configured to communicate with an external device; the memory is configured to store a program;
the processor is configured to execute the program; the processor is configured to read the program in the memory and execute: receiving a packet sent by a device in the network; if the device is determined to be a trusted RB, forgoing the security check on the packet from the device; if the device is determined not to be a trusted RB, performing the security check on the packet from the device.
In a first implementation of the third aspect, the processor is further configured to execute: determining that the received packet is a TRILL packet and that the TRILL packet was sent by a trusted routing bridge.
With reference to the third aspect or its first possible implementation, in a second possible implementation of the third aspect, the processor is further configured to execute: before receiving the packet sent by the device in the network, receiving a dynamic host configuration protocol response message, and establishing a DHCP-Snooping binding entry according to the dynamic host configuration protocol response message only when the device that sent the response message is determined to be a trusted RB.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the processor is further configured to execute: performing DHCP-Snooping on the packet from the device according to a DHCP-Snooping binding table, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
With reference to the third aspect or its first possible implementation, in a fourth possible implementation, the processor is further configured to execute: before receiving the packet sent by the device in the network, receiving a dynamic host configuration protocol response message, and establishing a dynamic host configuration protocol snooping (DHCP-Snooping) binding entry according to the dynamic host configuration protocol response message.
With reference to the fourth possible implementation of the third aspect, in a fifth possible implementation, the processor is configured to execute: performing DHCP-Snooping on the packet from the device according to a DHCP-Snooping binding table, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
With the above technical solution, the method and apparatus for processing packets in a TRILL network provided by the present invention do not perform the security check based on a physical port, but decide whether to perform the security check based on the RB. When a packet comes from a trusted RB, the packet from that trusted RB is not checked for security; when a packet does not come from a trusted RB, the packet is checked for security. Because the trusted RBs are pre-configured by the user, packet security can be ensured to the maximum extent, network packet attacks can be effectively defended against, and the security of the network can be improved.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Apparently, the drawings described below show merely some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for processing a packet in a TRILL network according to an embodiment of the present invention;
FIG. 2A is a block diagram of an apparatus for processing a packet in a TRILL network according to an embodiment of the present invention;
FIG. 2B is another block diagram of an apparatus for processing a packet in a TRILL network according to an embodiment of the present invention;
FIG. 2C is another block diagram of an apparatus for processing a packet in a TRILL network according to an embodiment of the present invention;
FIG. 2D is another block diagram of an apparatus for processing a packet in a TRILL network according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an RB according to an embodiment of the present invention.
DETAILED DESCRIPTION OF THE EMBODIMENTS
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments. Obviously, the described embodiments are merely some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
An embodiment of the present invention provides a method for processing a packet in a TRILL network, which can be applied to an edge RB in the TRILL network. In the embodiments of the present invention, an "edge RB" is an RB located at the edge of the TRILL network; in other words, an edge RB is an RB in the TRILL network that is adjacent to another network outside the TRILL network, for example an Ethernet. The edge RB is connected through the other network, for example the Ethernet, to terminal devices and network-side devices, and is connected through the TRILL network to the RBs in the TRILL network. Packets sent by terminal devices belong to user-side traffic, and packets sent by network-side devices belong to network-side traffic. By applying the DHCP snooping technique in the TRILL network and replacing the physical-port setting of conventional DHCP snooping with a setting based on RBs, the embodiments of the present invention can effectively defend against network packet attacks and improve network security.
For a better understanding of the present invention, the DHCP snooping applied in a TRILL network in the embodiments of the present invention is briefly described below.
Configuration stage:
The edge RB that performs the security check enables the DHCP snooping function, that is, this edge RB performs DHCP snooping. Some of the edge RBs in the TRILL network are pre-configured on this edge RB as trusted RBs, where the trusted RBs may be designated by the user according to the networking situation. For example, the edge RBs in the TRILL network that connect only to network-side devices are configured as trusted RBs. As another example, where the terminal devices connected to an edge RB are operated by trusted users, the edge RBs in the TRILL network that connect only to network-side devices are configured as trusted RBs, and the edge RBs in the TRILL network whose connected terminal devices are all operated by trusted users are also configured as trusted RBs. In the embodiments of the present invention, traffic received by the edge RB from a trusted RB is not subjected to a security check; in other words, a "trusted RB" is an RB whose traffic sent to the edge RB does not need to be security checked.
Interaction stage:
1. The DHCP client broadcasts a DHCP discover packet;
2. After receiving the DHCP discover packet, the edge RB broadcasts the DHCP discover packet;
3. After receiving the DHCP discover packet, the DHCP server sends a DHCP offer packet;
4. The edge RB forwards the DHCP offer packet to the DHCP client;
5. The DHCP client sends a DHCP request packet;
6. The edge RB forwards the DHCP request packet to the DHCP server;
7. After receiving the DHCP request packet, the DHCP server sends a DHCP acknowledgement packet;
8. The edge RB establishes a DHCP-Snooping binding entry according to the "your IP address" (yiaddr) field in the DHCP acknowledgement packet, and forwards the DHCP acknowledgement packet to the DHCP client. A DHCP-Snooping binding entry is an entry in the DHCP-Snooping binding table.
Through the above process, the edge RB establishes DHCP-Snooping binding entries, which contain, among other things, the IP address that the DHCP server assigned to the DHCP client. Then, when the edge RB determines that a packet does not come from a trusted RB, it can perform a security check on the packet according to the DHCP-Snooping binding entries. In this way, network packet attacks can be effectively defended against and network security improved.
FIG. 1 is a flowchart of a method for processing a packet in a TRILL network according to an embodiment of the present invention. Referring to FIG. 1, the embodiment provides a method for processing a packet in a TRILL network, described from the perspective of an edge RB, which includes:
11. Receive a packet sent by a device in the network.
The "network" in the embodiments of the present invention is not limited; it may be a TRILL network, an Ethernet, or the like.
The device in the network may be a terminal device in the Ethernet adjacent to the edge RB, for example a personal computer, a tablet computer, a mobile phone, an IP phone, a network printer, a personal digital assistant (PDA), a mobile Internet device (MID) or an e-book reader, or it may be an RB in the TRILL network.
12. If it is determined that the device is a trusted RB, skip the security check on the packet from the device.
Performing a security check on a packet includes performing DHCP snooping on the packet.
After receiving the packet, the edge RB that performs the security check can determine, according to the received packet, whether the device is a trusted RB.
A trusted RB is an edge RB whose packets do not need to be security checked.
In the embodiments of the present invention, when the packet received by the edge RB performing the security check is a TRILL packet and the TRILL packet was sent by a trusted RB, the edge RB determines that the device is a trusted RB. When the packet is not a TRILL packet, and when the packet is a TRILL packet but was not sent by a trusted RB, the edge RB determines that the device is not a trusted RB.
When an edge RB in the TRILL network forwards a packet from another network, it adds a TRILL header to the packet to form a TRILL packet, and the ingress RBridge nickname in the TRILL header is the nickname of that edge RB. While the TRILL packet is transmitted through the TRILL network, the ingress RB nickname in the TRILL header is not changed. Thus, the edge RB performing the security check can determine whether a packet is a TRILL packet by determining whether it includes a TRILL header. The nicknames of the trusted RBs can be pre-stored in the edge RB performing the security check, which then determines whether the device that sent the packet is a trusted RB by determining whether the ingress RB nickname in the TRILL header is one of the pre-stored nicknames of trusted RBs.
Specifically, the edge RB performing the security check can use the ingress RB nickname as the lookup key and search among the pre-stored nicknames of trusted RBs; if the ingress RB nickname is found, the device is determined to be a trusted RB, otherwise it is determined not to be a trusted RB.
13. If it is determined that the device is not a trusted RB, perform a security check on the packet from the device.
In the embodiments of the present invention, before step 11 of receiving a packet sent by a device in the network, the method may further include: pre-storing the nicknames of trusted RBs. The pre-stored trusted RBs may be designated by the user according to the networking situation.
In the embodiments of the present invention, performing a security check on packets from devices that are not trusted RBs may specifically be: performing DHCP snooping on these packets according to a DHCP-Snooping binding table. The DHCP-Snooping binding table includes DHCP-Snooping binding entries. The edge RB performing the security check establishes DHCP-Snooping binding entries according to DHCP acknowledgement packets; specifically, it establishes a DHCP-Snooping binding entry according to the yiaddr field of the DHCP acknowledgement packet. Optionally, after receiving a DHCP acknowledgement packet, the edge RB establishes a DHCP-Snooping binding entry according to it only when it determines that the device that sent the DHCP acknowledgement packet is a trusted RB. If, after receiving a DHCP acknowledgement packet, the edge RB determines that the device that sent it is not a trusted RB, it discards the DHCP acknowledgement packet and does not establish a DHCP-Snooping binding entry.
Performing DHCP snooping on the packet from the device may specifically include:
if the packet is not a TRILL packet, performing DHCP snooping on the packet; and if the packet is a TRILL packet, performing DHCP snooping on the inner packet carried by the TRILL packet.
It can be seen that, in the embodiments of the present invention, after DHCP snooping is applied, the edge RB performing the security check determines whether the device that sent a packet is a trusted RB, and as long as the device is not a trusted RB, every packet from that device is security checked. In other words, if the device is not a trusted RB, packets from it may be regarded as user-side packets that need a security check; if the device is a trusted RB, packets from it may be regarded as network-side packets that do not need a security check.
The method for processing a packet in a TRILL network provided by the embodiments of the present invention decides whether to perform a security check on the basis of the RB rather than on the basis of the physical port: when a packet comes from a trusted RB, no security check is performed on it, and when a packet does not come from a trusted RB, a security check is always performed. Because the trusted RBs are pre-configured by the user, packet security is ensured to the greatest extent, network packet attacks are effectively defended against, and network security is improved.
Corresponding to the above method, and referring to FIG. 2A, an embodiment of the present invention further provides an apparatus 20 for processing a packet in a TRILL network. The apparatus 20 includes a receiving unit 21 and a security check unit 22, where:
the receiving unit 21 is configured to receive a packet sent by a device in the network; and
the security check unit 22 is configured to skip the security check on the packet from the device if it is determined that the device is a trusted RB, and to perform a security check on the packet from the device if it is determined that the device is not a trusted RB.
The apparatus for processing a packet in a TRILL network provided by the embodiments of the present invention decides whether to perform a security check on the basis of the RB rather than on the basis of the physical port: when a packet comes from a trusted RB, no security check is performed on it, and when a packet does not come from a trusted RB, a security check is always performed. Because the trusted RBs are pre-configured by the user, packet security is ensured to the greatest extent, network packet attacks are effectively defended against, and network security is improved.
Optionally, in an embodiment of the present invention, and referring to FIG. 2B, in addition to the receiving unit 21 and the security check unit 22, the apparatus 20 may further include a determining unit 23, where the determining unit 23 is configured to determine that the received packet is a TRILL packet and that the TRILL packet was sent by a trusted routing bridge.
The apparatus 20 for processing a packet in a TRILL network provided by the embodiments of the present invention may further include a binding entry establishing unit 24.
Referring to FIG. 2C, optionally, in an embodiment of the present invention, the receiving unit 21 is configured to receive a Dynamic Host Configuration Protocol acknowledgement packet, and the binding entry establishing unit 24 is configured to establish a DHCP-Snooping binding entry according to the DHCP acknowledgement packet received by the receiving unit 21 only when it is determined that the device that sent the DHCP acknowledgement packet is a trusted RB.
The security check unit 22 is specifically configured to: perform DHCP snooping on the packet from the device according to the DHCP-Snooping binding table established by the binding entry establishing unit 24, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
Referring to FIG. 2D, optionally, in another embodiment of the present invention, the receiving unit 21 is configured to receive a Dynamic Host Configuration Protocol acknowledgement packet, and the binding entry establishing unit 24 is configured to establish a Dynamic Host Configuration Protocol snooping (DHCP-Snooping) binding entry according to the DHCP acknowledgement packet received by the receiving unit 21.
Further, the security check unit 22 may be specifically configured to: perform DHCP snooping on the packet from the device according to the DHCP-Snooping binding table established by the binding entry establishing unit 24, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
It should be noted that, in the above embodiment of the apparatus for processing a packet in a TRILL network, the units are divided merely according to functional logic, and the division is not limited to the one above as long as the corresponding functions can be implemented. In addition, the specific names of the functional units serve only to distinguish them from one another and are not intended to limit the protection scope of the present invention.
The working process of the apparatus for processing a packet in a TRILL network provided by the embodiments of the present invention corresponds to the method for processing a packet in a TRILL network described herein. Since the method has been described in detail above, the description given for the method embodiments also applies to the apparatus embodiments and is not repeated here.
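As an added illustration, not code from the patent or from Huawei, the following Python simulation ties together the configuration and interaction stages described above and steps 11 to 13 of the method: a lookup of the TRILL ingress RBridge nickname among pre-stored trusted nicknames, binding entries built from the yiaddr field only when the DHCP acknowledgement arrives through a trusted RB, and DHCP snooping of the packet itself, or of the inner packet of a TRILL packet, against the binding table. The Packet model, the nicknames, MAC and IP addresses, and the forward/drop verdicts are constructed assumptions; the patent does not specify packet formats, and the comparison of a packet's source MAC and IP against the binding entry is this example's reading of what snooping against the table checks.

```python
from dataclasses import dataclass
from typing import Optional

DHCP_ACK = 5  # DHCP message type of a DHCPACK (RFC 2132 option 53)


@dataclass
class Packet:
    """Constructed packet model with only the fields the check needs."""
    src_mac: str
    src_ip: Optional[str] = None            # None for DHCP client messages sent before an IP is assigned
    dhcp_type: Optional[int] = None         # DHCP message type, None if not a DHCP message
    yiaddr: Optional[str] = None            # 'your IP address' field of a DHCP reply
    chaddr: Optional[str] = None            # client hardware address in a DHCP reply
    ingress_nickname: Optional[str] = None  # set only when the packet carries a TRILL header
    inner: Optional["Packet"] = None        # inner packet carried by a TRILL packet


class EdgeRB:
    def __init__(self, trusted_nicknames):
        self.trusted = set(trusted_nicknames)  # pre-stored nicknames of trusted RBs
        self.binding_table = {}                # DHCP-Snooping binding table: chaddr -> assigned IP

    def is_trusted_rb(self, pkt):
        # Trusted only if a TRILL header is present and its ingress RBridge nickname is pre-stored.
        return pkt.ingress_nickname is not None and pkt.ingress_nickname in self.trusted

    def snoop(self, pkt):
        # DHCP snooping of a packet from an untrusted device against the binding table.
        if pkt.dhcp_type == DHCP_ACK:
            return "drop"      # server reply from an untrusted device: discard, build no entry
        if pkt.src_ip is None:
            return "forward"   # DHCP client messages carry no source IP yet
        return "forward" if self.binding_table.get(pkt.src_mac) == pkt.src_ip else "drop"

    def handle(self, pkt):
        if self.is_trusted_rb(pkt):
            if pkt.inner is not None and pkt.inner.dhcp_type == DHCP_ACK:
                self.binding_table[pkt.inner.chaddr] = pkt.inner.yiaddr  # entry built from yiaddr
            return "forward"   # no security check on traffic from a trusted RB
        # Not a TRILL packet, or a TRILL packet from an untrusted RB: snoop the packet
        # itself, or the inner packet that a TRILL packet carries.
        return self.snoop(pkt.inner if pkt.ingress_nickname is not None else pkt)


def run_scenario():
    """Constructed scenario: RB 'rb-net' (DHCP server side) is trusted, 'rb-usr' is not."""
    rb = EdgeRB({"rb-net"})
    ack = Packet("02:00:00:00:00:01", "10.0.0.1", DHCP_ACK, yiaddr="10.0.0.50", chaddr="00:11:22:33:44:55")
    bad = Packet("00:11:22:33:44:55", "10.0.0.99")  # client MAC with an IP that was never assigned to it
    results = {}
    results["ack_via_untrusted"] = rb.handle(Packet("rb-usr-mac", ingress_nickname="rb-usr", inner=ack))
    results["ack_via_trusted"] = rb.handle(Packet("rb-net-mac", ingress_nickname="rb-net", inner=ack))
    results["client_ok"] = rb.handle(Packet("00:11:22:33:44:55", "10.0.0.50"))
    results["client_mismatch"] = rb.handle(bad)
    results["inner_mismatch"] = rb.handle(Packet("rb-usr-mac", ingress_nickname="rb-usr", inner=bad))
    return results, dict(rb.binding_table)
```

The scenario shows the ordering that matters in practice: the acknowledgement relayed through the untrusted RB is dropped before any entry exists, and only the acknowledgement from the trusted RB populates the table that later verdicts depend on.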
FIG. 3 is a schematic diagram of an RB according to an embodiment of the present invention. Referring to FIG. 3, the RB 300 provided by the embodiment may be an edge RB node, and the RB 300 may include a processor 510, a communication interface 520, a memory 530 and a bus 540.
The processor 510, the communication interface 520 and the memory 530 communicate with one another over the bus 540. The communication interface 520 is configured to communicate with an external device.
The memory 530 is configured to store a program 532. The memory 530 may be a volatile memory, for example a random-access memory (RAM), or a non-volatile memory, for example a magnetic disk memory. Specifically, the program 532 may include computer operation instructions.
The processor 510 is a central processing unit (CPU) or a network processor (NP). The processor 510 is configured to read the program 532 and execute: receiving a packet sent by a device in the network; if it is determined that the device is a trusted RB, skipping the security check on the packet from the device; and if it is determined that the device is not a trusted RB, performing a security check on the packet from the device.
The RB provided by the embodiments of the present invention decides whether to perform a security check on the basis of the RB rather than on the basis of the physical port: when a packet comes from a trusted RB, no security check is performed on it, and when a packet does not come from a trusted RB, a security check is always performed. Because the trusted RBs are pre-configured by the user, packet security is ensured to the greatest extent, network packet attacks are effectively defended against, and network security is improved.
In an embodiment, the processor 510 is further configured to execute: determining that the received packet is a TRILL packet and that the TRILL packet was sent by a trusted routing bridge.
Optionally, in an embodiment, the processor 510 is further configured to execute: before the receiving a packet sent by a device in the network, receiving a Dynamic Host Configuration Protocol acknowledgement packet, and establishing a DHCP-Snooping binding entry according to the DHCP acknowledgement packet only when it is determined that the device that sent the DHCP acknowledgement packet is a trusted RB.
Further, the processor 510 is further configured to execute: performing DHCP snooping on the packet from the device according to the DHCP-Snooping binding table, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
Optionally, in an embodiment, the processor 510 is further configured to execute: before the receiving a packet sent by a device in the network, receiving a Dynamic Host Configuration Protocol acknowledgement packet, and establishing a Dynamic Host Configuration Protocol snooping (DHCP-Snooping) binding entry according to the DHCP acknowledgement packet.
In the preceding embodiment, the processor 510 is further configured to execute: performing DHCP snooping on the packet from the device according to the DHCP-Snooping binding table, where the DHCP-Snooping binding table includes the DHCP-Snooping binding entry.
The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium includes, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, device or apparatus, or any suitable combination of the foregoing, such as a random access memory, a read-only memory (ROM) or an erasable programmable read-only memory (EPROM).
A processor in a computer reads the computer-readable program code stored in the computer-readable medium, so that the processor can perform the functional actions specified in each step, or combination of steps, of the flowchart, and produce an apparatus that implements the functional actions specified in each block, or combination of blocks, of the block diagram.
The foregoing are merely specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims
1. A method for processing a packet in a Transparent Interconnection of Lots of Links (TRILL) network, characterized in that the method comprises:
receiving a packet sent by a device in the network;
if it is determined that the device is a trusted routing bridge, skipping the security check on the packet from the device; and
if it is determined that the device is not a trusted routing bridge, performing a security check on the packet from the device.
2. The method according to claim 1, characterized in that the determining that the device is a trusted routing bridge comprises:
determining that the received packet is a TRILL packet and that the TRILL packet was sent by a trusted routing bridge.
3. The method according to claim 1 or 2, characterized in that, before the receiving a packet sent by a device in the network, the method further comprises:
receiving a Dynamic Host Configuration Protocol acknowledgement packet, and establishing a Dynamic Host Configuration Protocol snooping (DHCP-Snooping) binding entry according to the DHCP acknowledgement packet only when it is determined that the device that sent the DHCP acknowledgement packet is a trusted routing bridge.
4. The method according to claim 3, characterized in that the performing a security check on the packet from the device comprises:
performing DHCP snooping on the packet from the device according to a DHCP-Snooping binding table, wherein the DHCP-Snooping binding table comprises the DHCP-Snooping binding entry.
5. The method according to claim 1 or 2, characterized in that, before the receiving a packet sent by a device in the network, the method further comprises:
receiving a Dynamic Host Configuration Protocol acknowledgement packet, and establishing a DHCP-Snooping binding entry according to the DHCP acknowledgement packet.
6. The method according to claim 5, characterized in that the performing a security check on the packet from the device comprises:
performing DHCP snooping on the packet from the device according to a DHCP-Snooping binding table, wherein the DHCP-Snooping binding table comprises the DHCP-Snooping binding entry.
7. An apparatus for processing a packet in a Transparent Interconnection of Lots of Links (TRILL) network, characterized in that the apparatus comprises:
a receiving unit, configured to receive a packet sent by a device in the network; and
a security check unit, configured to skip the security check on the packet from the device if it is determined that the device is a trusted routing bridge, and to perform a security check on the packet from the device if it is determined that the device is not a trusted routing bridge.
8. The apparatus according to claim 7, characterized in that the apparatus further comprises a determining unit,
wherein the determining unit is configured to: determine that the received packet is a TRILL packet and that the TRILL packet was sent by a trusted routing bridge.
9. The apparatus according to claim 7 or 8, characterized in that the apparatus further comprises a binding entry establishing unit,
wherein the receiving unit is configured to receive a Dynamic Host Configuration Protocol acknowledgement packet; and
the binding entry establishing unit is configured to establish a Dynamic Host Configuration Protocol snooping (DHCP-Snooping) binding entry according to the DHCP acknowledgement packet received by the receiving unit only when it is determined that the device that sent the DHCP acknowledgement packet is a trusted routing bridge.
10. The apparatus according to claim 9, characterized in that
the security check unit is specifically configured to: perform DHCP snooping on the packet from the device according to a DHCP-Snooping binding table, wherein the DHCP-Snooping binding table comprises the DHCP-Snooping binding entry.
11. The apparatus according to claim 7 or 8, characterized in that the apparatus further comprises a binding entry establishing unit,
wherein the receiving unit is configured to receive a Dynamic Host Configuration Protocol acknowledgement packet; and
the binding entry establishing unit is configured to establish a DHCP-Snooping binding entry according to the DHCP acknowledgement packet received by the receiving unit.
12. The apparatus according to claim 11, characterized in that the security check unit is specifically configured to:
perform DHCP snooping on the packet from the device according to a DHCP-Snooping binding table, wherein the DHCP-Snooping binding table comprises the DHCP-Snooping binding entry.
13. A routing bridge, characterized in that the routing bridge comprises a processor, a communication interface, a memory and a bus;
wherein the processor, the communication interface and the memory communicate with one another over the bus; the communication interface is configured to communicate with an external device;
the memory is configured to store a program;
the processor is configured to execute the program; and
the processor is configured to read the program in the memory and execute: receiving a packet sent by a device in the network; if it is determined that the device is a trusted routing bridge, skipping the security check on the packet from the device; and if it is determined that the device is not a trusted routing bridge, performing a security check on the packet from the device.
14. The routing bridge according to claim 13, characterized in that the processor is further configured to execute: determining that the received packet is a Transparent Interconnection of Lots of Links (TRILL) packet and that the TRILL packet was sent by a trusted routing bridge.
15. The routing bridge according to claim 13 or 14, characterized in that the processor is further configured to execute: before the receiving a packet sent by a device in the network, receiving a Dynamic Host Configuration Protocol acknowledgement packet, and establishing a Dynamic Host Configuration Protocol snooping (DHCP-Snooping) binding entry according to the DHCP acknowledgement packet only when it is determined that the device that sent the DHCP acknowledgement packet is a trusted routing bridge.
16. The routing bridge according to claim 15, characterized in that the processor is further configured to execute: performing DHCP snooping on the packet from the device according to a DHCP-Snooping binding table, wherein the DHCP-Snooping binding table comprises the DHCP-Snooping binding entry.
17. The routing bridge according to claim 13 or 14, characterized in that the processor is further configured to execute:
before the receiving a packet sent by a device in the network, receiving a Dynamic Host Configuration Protocol acknowledgement packet, and establishing a DHCP-Snooping binding entry according to the DHCP acknowledgement packet.
18. The routing bridge according to claim 17, characterized in that the processor is configured to execute:
performing DHCP snooping on the packet from the device according to a DHCP-Snooping binding table, wherein the DHCP-Snooping binding table comprises the DHCP-Snooping binding entry.
PCT/CN2013/071194, priority date 2013-01-31, filing date 2013-01-31: Method and apparatus for processing a packet in a TRILL network, WO2014117360A1 (zh)

Publications (1)

Publication Number Publication Date
WO2014117360A1 (zh) 2014-08-07
