WO2023246501A1 - Message verification method and apparatus, and related device and storage medium - Google Patents


Info

Publication number
WO2023246501A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
token
forwarding path
node
data table
Application number
PCT/CN2023/098576
Other languages
French (fr)
Chinese (zh)
Inventor
杨锋
程伟强
Original Assignee
中国移动通信有限公司研究院
中国移动通信集团有限公司
Application filed by 中国移动通信有限公司研究院 and 中国移动通信集团有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 ... involving a third party or a trusted authority
    • H04L9/3213 ... using tickets or tokens, e.g. Kerberos
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/34 Source routing

Definitions

  • the present application relates to the field of communication technology, and in particular to a message verification method, device, related equipment and storage medium.
  • SD-WAN: Software Defined Wide Area Network
  • SRv6: Segment Routing over IPv6
  • IPv6: Internet Protocol Version 6
  • embodiments of the present application provide a message verification method, device, related equipment and storage medium.
  • Embodiments of this application provide a message verification method, applied to the first node.
  • the method includes:
  • the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained based on mapping of the corresponding message forwarding path.
  • the embodiment of the present application also provides a message verification method, which is applied to customer terminal equipment (CPE, Customer Premise Equipment).
  • CPE: Customer Premise Equipment (customer terminal equipment)
  • the method includes:
  • the first node includes provider edge (PE) equipment and/or a point of presence (PoP), and is used to verify the first message based on the first data table;
  • PE: Provider Edge equipment
  • PoP: point of presence
  • the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained based on mapping of the corresponding message forwarding path.
  • Embodiments of this application also provide a message verification method, which is applied to Border Gateway Protocol (BGP) equipment.
  • the method includes:
  • the second information includes a second token and a segment list of the second message; the second information is used for the first node to write the first information corresponding to the message forwarding path of the second message into the first data table.
  • the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained based on mapping of the corresponding message forwarding path.
  • the first sending unit is configured to send the first message to the first node; wherein,
  • the second sending unit is configured to send the second information to the first node; wherein,
  • the first processor is configured to verify the first message based on the first data table; wherein,
  • the first node includes a PE device or PoP, which is used to verify the first message based on a first data table; the first data table uses a token as an index and stores the first information corresponding to each message forwarding path in at least one message forwarding path; the token is mapped based on the corresponding message forwarding path.
  • the second information includes a second token and a segment list of the second message; the second information is used for the first node to write the first information corresponding to the message forwarding path of the second message into the first data table.
  • An embodiment of the present application also provides a network device, including a first processor and a first memory for storing a computer program capable of running on the first processor,
  • the first processor is configured to execute the steps of any one of the methods on the first node side when running the computer program.
  • the second processor is configured to execute the steps of any one of the methods on the CPE side when running the computer program.
  • An embodiment of the present application also provides a network device, including a third processor and a third memory for storing a computer program capable of running on the third processor,
  • the third processor is configured to execute the steps of any one of the methods on the BGP device side when running the computer program.
  • Embodiments of the present application also provide a storage medium on which a computer program is stored.
  • the steps of any one of the methods on the first node side are implemented, or any one of the methods on the CPE side is implemented.
  • Figure 2 is a schematic structural diagram of SRH in related technology
  • Figure 3 is a schematic diagram of network architecture in related technologies
  • Figure 8 is a schematic flow chart of the implementation of a message verification method according to an embodiment of the present application.
  • Figure 9 is a schematic diagram of the interaction flow of a message verification method according to an embodiment of the present application.
  • Figure 10 is a schematic structural diagram of a message verification device according to an embodiment of the present application.
  • Figure 13 is a schematic structural diagram of a network device according to an embodiment of the present application.
  • Figure 14 is a schematic structural diagram of a client terminal device according to an embodiment of the present application.
  • Control protocol simplification: SR distributes SIDs through the Interior Gateway Protocol (IGP) and BGP, without the need to deploy and maintain the traditional Label Distribution Protocol (LDP), the Resource Reservation Protocol with Traffic Engineering extensions (RSVP-TE), etc.
  • IGP: Interior Gateway Protocol
  • BGP: Border Gateway Protocol
  • LDP: Label Distribution Protocol
  • RSVP-TE: Resource ReSerVation Protocol-Traffic Engineering (the traffic engineering extension of RSVP)
  • SR generates a massive number of SR paths by combining a limited number of link and node segments; path information only needs to be saved at the head node, and intermediate nodes in the network do not need to maintain path state.
  • segments can be regarded as instructions.
  • the combination of segments to form an SR path that meets specific needs can be regarded as programming the network. This kind of programming can flexibly establish paths that meet different needs and unlock the value of the network.
  • SRv6 is an SR source routing technology based on IPv6.
  • the length of the SRv6 SID is 128 bits, which is consistent with the IPv6 address.
  • the SID format usually consists of three parts, including locator (Locator), function (Function) and optional parameters (Argument).
  • Locator is an identifier assigned to a network node and is used for routing and forwarding data packets.
  • the Locator is a variable-length part used to adapt to networks of different sizes. Locator identifiers have two important properties: routable and aggregable.
  • Function is used to express the forwarding action to be executed by the instruction, which is equivalent to the operation code of the computer instruction.
  • In SRv6 network programming, different forwarding behaviors are expressed by different Functions.
  • Argument is an optional field used to carry parameters required when executing instructions. These parameters may contain flows, services, or any other relevant information.
  • The SRv6 SID can be used to flexibly indicate various operations and parameters in the network.
  • While inheriting all the advantages of SR, SRv6 has gained stronger scalability and programmability through its combination with IPv6, and has unique advantages in network simplification and in meeting new business requirements.
  • In SD-WAN based on SRv6, because SR source routing technology encodes all network information into packets, all path information is carried in packets initiated by the user side, and the path information is not constrained, which gives users excessive control; when the SRv6 network extends to untrusted user sides, there is a hidden danger of users invoking network resources without authorization.
  • the CPE is located in an untrusted domain. By specifying the path in the packet, users can not only access their own private network in the cloud (VPC, Virtual Private Cloud), but can also illegally access other users' VPCs, which brings network security risks.
  • HMAC: hash-based message authentication code
  • Path verification needs to support flexible hop-by-hop, head-to-tail, or arbitrary node combination verification to reduce the difficulty of hardware deployment and implementation.
  • the embodiment of the present application provides a message verification method, which is applied to the first node.
  • the first node may be a router or a virtual routing device.
  • the first node includes PE equipment and/or PoP. Referring to Figure 4, the method includes:
  • Step 401 Verify the first message based on the first data table.
  • the first data table is stored in the first node, and different first nodes store different first data tables.
  • the first node verifies the first message based on the first data table and obtains the verification result of the first message. For example, based on the token in the first data table and/or the first information indexed by the corresponding token, the first message is verified to obtain the verification result of the first message.
  • the first data table is also called a legal path verification table.
  • the first information is legal path information corresponding to the first node.
  • Each token corresponds to a message forwarding path, and the token and the corresponding first information are associated and stored in the first data table.
  • the token can be a hash value calculated based on the packet forwarding path, or it can be a random number assigned to the corresponding packet forwarding path.
  • the incoming interface number in the first information is used to verify the incoming interface number in the first message when the incoming interface of the first node is a tunnel.
  • in the first verification mode, if the verification result of the first message meets at least one of the following conditions, the first message is indicated as an illegal message and the first message is discarded:
  • the first message does not carry the token
  • the first message carries the first token, and the first token does not exist in the first data table
  • the first packet carries the first token, the first token exists in the first data table, and the first inbound interface number does not match the second inbound interface number; the first inbound interface number represents the inbound interface number in the first information indexed by the first token; the second inbound interface number represents the inbound interface number corresponding to the first message at the first node.
  • the first packet carries the first token, the first token exists in the first data table, and the first next hop address does not match the second next hop address; the first next hop address represents the next hop address in the first information indexed by the first token; the second next hop address represents the next hop address corresponding to the first message at the first node.
  • the first node queries the first data table for the first token; if the first token is not found in the first data table, the first node discards the first message.
  • the first token is queried in the first data table, the first information indexed by the first token is determined in the first data table, and the ingress interface number is obtained from the determined first information.
  • the first message carries the first token, and the first token does not exist in the first data table.
  • the method further includes:
  • the next hop address of the first message is the next hop address in the first information indexed by the first token.
  • the data in the first data table is dynamically updated. Based on this, in one embodiment, the method further includes:
  • the first message carries at least a first token and also carries a second inbound interface number and/or SL; wherein,
  • the second ingress interface number represents the ingress interface number corresponding to the first message at the first node
  • the SL is used for the first node to determine a second next hop address; the second next hop address represents the next hop address corresponding to the first message at the first node.
  • the first node can determine the second next hop address based on the SL and the segment list carried in the first message.
  • the first token is mapped from the segment list of the first message.
  • the first token is encapsulated in the SRH of the first message.
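  The first-node verification procedure above (Step 401 with its four discard conditions, plus the table write-in of Step 5) as an added Python example; it is not part of the patent text or of any product it describes. It assumes SRH segment order (index 0 is the final segment), a SHA-256 token derivation (the page also allows a random number per path), and constructed SIDs such as PE1, P2 and POP1; note that the table lookup, not the hash itself, is what authorizes a path, since an untrusted CPE can hash any segment list it writes.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Segment list in SRH order: index 0 is the final segment, the last index is the first hop.
SegmentList = Tuple[str, ...]


def token_for_path(segment_list: SegmentList) -> int:
    """Map a forwarding path to its token.

    Assumption for this example: SHA-256 over the segment list, truncated to
    64 bits. The page allows either a hash of the path or a random number.
    """
    digest = hashlib.sha256("|".join(segment_list).encode("ascii")).digest()
    return int.from_bytes(digest[:8], "big")


@dataclass(frozen=True)
class FirstInformation:
    """Legal path information stored for one token in the first data table."""
    next_hop: str
    ingress_interface: Optional[int] = None  # recorded only when the ingress is a tunnel


@dataclass(frozen=True)
class Message:
    """The fields of a received message that the verifier consumes."""
    token: Optional[int]
    segment_list: SegmentList
    segments_left: int        # SL: index of the active segment, i.e. this node
    ingress_interface: int    # interface the message actually arrived on


class FirstNode:
    """PE or PoP holding a first data table (legal path verification table)."""

    def __init__(self, node_sid: str) -> None:
        self.node_sid = node_sid
        self.table: Dict[int, FirstInformation] = {}

    def install_path(self, token: int, segment_list: SegmentList,
                     ingress_interface: Optional[int] = None) -> None:
        """Step 5: derive this node's first information from the segment list
        announced by the BGP device (second information) and store it under the token."""
        pos = segment_list.index(self.node_sid)
        if pos == 0:
            raise ValueError("this node is the last segment of the path")
        self.table[token] = FirstInformation(segment_list[pos - 1], ingress_interface)

    def verify(self, msg: Message) -> Tuple[bool, str]:
        """Step 401. Returns (accepted, next hop) or (False, discard reason)."""
        if msg.token is None:                                  # condition 1
            return False, "discard: no token"
        info = self.table.get(msg.token)
        if info is None:                                       # condition 2
            return False, "discard: token not in first data table"
        if info.ingress_interface is not None and \
                info.ingress_interface != msg.ingress_interface:  # condition 3
            return False, "discard: ingress interface mismatch"
        # The second next hop is what the packet's own SRH would select next.
        if not 1 <= msg.segments_left < len(msg.segment_list):
            return False, "discard: segments left out of range"
        claimed_next_hop = msg.segment_list[msg.segments_left - 1]
        if claimed_next_hop != info.next_hop:                  # condition 4
            return False, "discard: next hop mismatch"
        return True, info.next_hop


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: one legal path PE1 -> P2 -> POP1 installed by the controller."""
    legal_path: SegmentList = ("POP1", "P2", "PE1")
    pe1 = FirstNode("PE1")
    token = token_for_path(legal_path)
    pe1.install_path(token, legal_path, ingress_interface=7)   # CPE tunnel ends on interface 7

    rogue_path: SegmentList = ("VPC_OTHER", "PE1")             # path the CPE made up itself
    cases = {
        "legal": Message(token, legal_path, 2, 7),
        "no_token": Message(None, legal_path, 2, 7),
        # The CPE can compute a hash of its own path, but the path was never installed.
        "unauthorized_path": Message(token_for_path(rogue_path), rogue_path, 1, 7),
        "wrong_ingress": Message(token, legal_path, 2, 9),
        # Legal token reused with an altered segment list that detours around P2.
        "altered_segment_list": Message(token, ("POP1", "P_BYPASS", "PE1"), 2, 7),
    }
    return {name: pe1.verify(msg) for name, msg in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```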
  • embodiments of the present application also provide a message verification method, which is applied to BGP equipment.
  • the BGP equipment is an SD-WAN controller or a cloud private network controller. Referring to Figure 8, the method includes:
  • Step 801 Send the second information to the first node.
  • the second information includes a second token and a segment list of the second message; the second information is used for the first node to write the first information corresponding to the packet forwarding path of the second packet into the first data table;
  • the first data table uses tokens as indexes and stores the first information corresponding to each message forwarding path in at least one message forwarding path; the token is mapped based on the corresponding message forwarding path;
  • the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token; the first information corresponding to the message forwarding path of the second message is determined by the segment list of the second message.
  • the BGP device determines the second information and sends the second information to the first node.
  • the first data table is used for the first node to verify the validity of the received message.
  • the first node includes PE equipment and/or PoP.
  • the first information includes one of the following:
  • the next hop address of the corresponding message forwarding path at the first node.
  • the method further includes:
  • the BGP device delivers the second information to the CPE, so that the CPE encapsulates the second message based on the second token and the segment list of the second message.
  • the message verification method shown in Figure 9 includes:
  • Step 1 The CPE sends the first message to the first node.
  • the first node includes PE equipment or PoP.
  • the CPE may directly or indirectly send the first message to the first node. For example, as shown in Figure 5, the CPE directly sends the first message to the PE device, or the CPE sends the first message to the PoP through the PE device.
  • the first packet carries at least the first token and also carries the second inbound interface number and/or SL; wherein,
  • the second ingress interface number represents the ingress interface number corresponding to the first packet at the first node
  • the second next hop address represents the next hop address corresponding to the first message at the first node.
  • the first token is mapped from the segment list of the first message; the first token is encapsulated in the SRH of the first message.
  • the first data table uses the token as an index and stores the first information corresponding to each packet forwarding path in at least one packet forwarding path; the token is mapped based on the corresponding packet forwarding path.
  • the first information includes at least one of the following:
  • the token and the corresponding first information are stored in the first data table in association.
  • if the verification result of the first message meets at least one of the following conditions, the first node discards the first message:
  • the first message does not carry the token
  • the first packet carries the first token, the first token exists in the first data table, and the first inbound interface number does not match the second inbound interface number; the first inbound interface number represents the inbound interface number in the first information indexed by the first token; the second inbound interface number represents the inbound interface number corresponding to the first message at the first node.
  • the first packet carries the first token, the first token exists in the first data table, and the first next hop address does not match the second next hop address; the first next hop address represents the next hop address in the first information indexed by the first token; the second next hop address represents the next hop address corresponding to the first message at the first node.
  • the first token is mapped from the segment list of the first message.
  • the first token carried in the first message is encapsulated in the SRH of the first message.
  • for step 2, please refer to the relevant description in step 401, which will not be repeated here.
  • the first node further determines the next hop address of the first message in the first data table based on the first token carried in the first message.
  • the next hop address of the first message is the next hop address in the first information indexed by the first token.
  • Step 3 The BGP device sends the second information to the first node.
  • the second information includes a second token and a segment list of the second message; the second information is used for the first node to write the first information corresponding to the message forwarding path of the second message into the first data table;
  • the first information corresponding to the message forwarding path of the second message is indexed by the second token in the first data table; the first information corresponding to the message forwarding path of the second message is determined by the segment list of the second message.
  • Step 4 The first node receives the second information sent by the BGP device.
  • Step 5 The first node writes the first information corresponding to the packet forwarding path of the second packet into the first data table.
  • the first information corresponding to the message forwarding path of the second message is indexed by the second token in the first data table; the first information corresponding to the message forwarding path of the second message is determined by the segment list of the second message.
  • Step 6 The BGP device sends the second information to the CPE.
  • the second information includes a second token and a segment list of the second message.
  • Step 7 The CPE receives the second information and encapsulates the second message based on the second information.
  • Step 8 The CPE sends the second message to the first node.
  • Step 9 The first node verifies the second message based on the first data table.
  • the method for verifying the second message by the first node is similar to the method for verifying the first message, and will not be described again here.
  • if the verification result of the second message meets at least one of the following conditions, the first node discards the second message:
  • the second message does not carry the token
  • the second message carries the second token, and the second token does not exist in the first data table
  • the second packet carries the second token, the second token exists in the first data table, and the third inbound interface number does not match the fourth inbound interface number; the third inbound interface number represents the inbound interface number in the first information indexed by the second token; the fourth inbound interface number represents the inbound interface number corresponding to the second message at the first node.
  • the second packet carries the second token, the second token exists in the first data table, and the third next hop address does not match the fourth next hop address; the third next hop address represents the next hop address in the first information indexed by the second token; the fourth next hop address represents the next hop address corresponding to the second message at the first node.
  • the second token is mapped from the segment list of the second message.
  • the second token carried in the second message is encapsulated in the SRH of the second message.
  • the CPE sends the first message to the first node, and the first node verifies the first message based on the first data table; wherein the first data table uses tokens as indexes and stores the first information corresponding to each message forwarding path in at least one message forwarding path; the token is mapped based on the corresponding message forwarding path.
  • each first node can verify the legitimacy of the received first message based on the first data table, thereby reducing network security risks; and because the first data table uses tokens as indexes, the difficulty of maintaining the first data table is reduced.
  • the first node can query the first information corresponding to each forwarding path in the first data table based on the token, without needing to retrieve or compare path information by SID, which reduces the computational load and saves query time, thereby reducing the difficulty of hardware deployment and implementation.
  • the embodiment of the present application also provides a message verification device.
  • the device includes:
  • the verification unit 101 is configured to verify the first message based on the first data table; wherein,
  • the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained based on mapping of the corresponding message forwarding path.
  • the first information includes at least one of the following:
  • the next hop address of the corresponding message forwarding path at the first node.
  • the device further includes:
  • a discarding unit configured to discard the first message when the verification result of the first message meets at least one of the following conditions:
  • the first message does not carry a token
  • the first message carries a first token, and the first token does not exist in the first data table
  • the first packet carries a first token, the first token exists in the first data table, and the first ingress interface number does not match the second ingress interface number; the first ingress interface number represents the ingress interface number in the first information indexed by the first token; the second ingress interface number represents the ingress interface number corresponding to the first message at the first node;
  • the first packet carries a first token, the first token exists in the first data table, and the first next hop address does not match the second next hop address; the first next hop address represents the next hop address in the first information indexed by the first token; the second next hop address represents the next hop address corresponding to the first message at the first node.
  • the device further includes:
  • the first determination unit is configured to determine the next hop address of the first message in the first data table based on the first token carried by the first message; wherein the next hop address of the first message is the next hop address in the first information indexed by the first token.
  • the first token is mapped from the segment list of the first message.
  • the first token carried in the first message is encapsulated in the SRH of the first message.
  • the device further includes:
  • the first receiving unit is configured to receive the second information delivered by the BGP device; the second information includes the second token and the segment list of the second message;
  • a writing unit configured to write the first information corresponding to the message forwarding path of the second message into the first data table
  • the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token; the first information corresponding to the message forwarding path of the second message is determined by the segment list of the second message.
  • the first node includes PE equipment and/or PoP.
  • the first receiving unit can be implemented by the processor in the message verification device in combination with the communication interface, and the verification unit 101, the discarding unit, the first determination unit and the writing unit are implemented by the processor of the message verification device.
  • when the message verification device provided in the above embodiment performs message verification, only the division of the above program modules is used as an example; the above processing can be allocated to different program modules as needed, that is, the internal structure of the device is divided into different program modules to complete all or part of the processing described above.
  • the message verification device provided in the above embodiments and the message verification method embodiment on the first node side belong to the same concept. Please refer to the method embodiment for details of the specific implementation process, which will not be described again here.
  • the embodiment of the present application also provides a message verification device, which is installed on the CPE. As shown in Figure 11, the device includes:
  • the first sending unit 111 is configured to send the first message to the first node; wherein,
  • the first node includes a PE device or a PoP and is configured to verify the first message based on a first data table; the first data table uses a token as an index and stores the first information corresponding to each message forwarding path in at least one message forwarding path; the token is mapped based on the corresponding message forwarding path.
  • the first information includes at least one of the following:
  • the next hop address of the corresponding message forwarding path at the first node.
  • the first message carries at least a first token and also carries a second inbound interface number and/or SL; wherein,
  • the second ingress interface number represents the ingress interface number corresponding to the first message at the first node
  • the SL is used for the first node to determine a second next hop address; the second next hop address represents the next hop address corresponding to the first message at the first node.
  • the first token is encapsulated in the SRH of the first message.
  • the first sending unit 111 can be implemented by a processor in the message verification device combined with a communication interface.
  • the message verification device provided in the above embodiments and the message verification method embodiment on the CPE side belong to the same concept. Please refer to the method embodiment for details of the specific implementation process, which will not be described again here.
  • the embodiment of the present application also provides a message verification device, which is installed on the BGP device.
  • the BGP device is an SD-WAN controller or a cloud private network controller; as shown in Figure 12, the device includes:
  • the second sending unit 121 is configured to send the second information to the first node; wherein,
  • the second information includes a second token and a segment list of the second message; the second information is used for the first node to write the first information corresponding to the message forwarding path of the second message into the first data table;
  • the first data table uses tokens as indexes and stores the first information corresponding to each message forwarding path in at least one message forwarding path; the token is mapped based on the corresponding message forwarding path;
  • the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token; the first information corresponding to the message forwarding path of the second message is determined from the segment list of the second message.
  • the first information includes one of the following:
  • the next hop address of the corresponding message forwarding path at the first node.
  • the second sending unit 121 is further configured to: deliver the second information to the CPE; wherein the second information is used for the CPE to encapsulate the second message.
  • the first node includes PE equipment and/or PoP.
  • the second sending unit 121 can be implemented by a processor in the message verification device combined with a communication interface.
  • when the message verification device provided in the above embodiment performs message verification, only the division of the above program modules is used as an example; in practical applications, the above processing can be allocated to different program modules as needed, that is, the internal structure of the device is divided into different program modules to complete all or part of the processing described above.
  • the message verification device provided in the above embodiments and the message verification method embodiment on the BGP device side belong to the same concept. Please refer to the method embodiment for details of the specific implementation process, which will not be described again here.
  • the embodiment of the present application also provides a network device.
  • the network device 13 includes:
  • the first communication interface 131 is capable of information exchange with other network nodes
  • the first processor 132 is connected to the first communication interface 131 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the first node side when running a computer program.
  • the computer program is stored on the first memory 133 .
  • the first processor 132 is configured to verify the first message based on the first data table; wherein,
  • the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained based on mapping of the corresponding message forwarding path.
  • the first information includes at least one of the following:
  • the next hop address of the corresponding message forwarding path at the first node.
  • the first processor 132 is further configured to discard the first message if the verification result of the first message meets at least one of the following conditions:
  • the first message does not carry a token
  • the first message carries a first token, and the first token does not exist in the first data table
  • the first packet carries a first token, the first token exists in the first data table, and the first ingress interface number does not match the second ingress interface number; the first ingress interface number represents the ingress interface number in the first information indexed by the first token; the second ingress interface number represents the ingress interface number corresponding to the first message at the first node;
  • the first packet carries a first token, the first token exists in the first data table, and the first next hop address does not match the second next hop address; the first next hop address represents the next hop address in the first information indexed by the first token; the second next hop address represents the next hop address corresponding to the first message at the first node.
  • the first processor 132 is further configured to: determine the next hop address of the first message in the first data table based on the first token carried in the first message; wherein, the next hop address of the first message is the next hop address in the first information indexed by the first token.
  • the first token is mapped from the segment list of the first message.
  • the first token carried in the first message is encapsulated in the SRH of the first message.
  • the first communication interface 131 is configured to receive the second information delivered by the BGP device; the second information includes a second token and a segment list of the second message;
  • the first processor 132 is also configured to: write the first information corresponding to the message forwarding path of the second message into the first data table; wherein the first information corresponding to the message forwarding path of the second message is indexed by the second token in the first data table; the first information corresponding to the packet forwarding path of the second packet is determined from the segment list of the second packet.
  • the first node includes PE equipment and/or PoP.
  • bus system 134 is used to implement connection communication between these components.
  • bus system 134 also includes a power bus, a control bus and a status signal bus.
  • the various buses are labeled bus system 134 in FIG. 13 .
  • the first memory 133 in the embodiment of the present application is used to store various types of data to support the operation of the network device 13 .
  • Examples of such data include: any computer program used to operate on the network device 13.
  • the methods disclosed in the above embodiments of the present application can be applied to the first processor 132 or implemented by the first processor 132 .
  • the first processor 132 may be an integrated circuit chip having signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the first processor 132 .
  • the above-mentioned first processor 132 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the first processor 132 can implement or execute the various methods, steps and logical block diagrams disclosed in the embodiments of this application.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in the embodiments of this application can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the first memory 133.
  • the first processor 132 reads the information in the first memory 133, and completes the steps of the foregoing method in combination with its hardware.
  • the network device 13 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field-Programmable Gate Arrays (FPGAs), general-purpose processors, controllers, microcontrollers (MCU, Micro Controller Unit), microprocessors, or other electronic components for performing the aforementioned methods.
  • the embodiment of the present application also provides a client terminal device.
  • the client terminal device 14 includes:
  • the second communication interface 141 is capable of information exchange with other network nodes
  • the second processor 142 is connected to the second communication interface 141 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the CPE side when running a computer program.
  • the computer program is stored on the second memory 143 .
  • the second communication interface 141 is configured to send the first message to the first node; wherein,
  • the first node includes a PE device or PoP, which is used to verify the first message based on a first data table; the first data table uses a token as an index and stores the first information corresponding to each message forwarding path in at least one message forwarding path; the token is mapped based on the corresponding message forwarding path.
  • the first information includes at least one of the following:
  • the next hop address of the corresponding message forwarding path at the first node.
  • the first message carries at least a first token and also carries a second inbound interface number and/or SL; wherein,
  • the second ingress interface number represents the ingress interface number corresponding to the first message at the first node
  • the SL is used for the first node to determine a second next hop address; the second next hop address represents the next hop address corresponding to the first message at the first node.
  • the first token is encapsulated in the SRH of the first message.
  • bus system 144 is used to implement connection communication between these components.
  • the bus system 144 also includes a power bus, a control bus and a status signal bus.
  • the various buses are labeled bus system 144 in FIG. 14 .
  • the second memory 143 in the embodiment of the present application is used to store various types of data to support the operation of the client terminal device 14 .
  • Examples of such data include: any computer program for operation on the client terminal device 14.
  • the methods disclosed in the above embodiments of the present application can be applied to the second processor 142 or implemented by the second processor 142 .
  • the second processor 142 may be an integrated circuit chip with signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the second processor 142 .
  • the above-mentioned second processor 142 may be a general-purpose processor, a DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the second processor 142 can implement or execute the various methods, steps and logical block diagrams disclosed in the embodiments of this application.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the steps of the method disclosed in the embodiments of this application can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module may be located in a storage medium, and the storage medium is located in the second memory 143.
  • the second processor 142 reads the information in the second memory 143, and completes the steps of the foregoing method in combination with its hardware.
  • the client terminal device 14 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general-purpose processors, controllers, MCUs, Microprocessors, or other electronic components for performing the aforementioned methods.
  • the embodiment of the present application also provides a network device.
  • the network device 15 includes:
  • the third communication interface 151 is capable of information exchange with other network nodes
  • the third processor 152 is connected to the third communication interface 151 to implement information interaction with other network nodes, and is used to execute the method provided by one or more technical solutions on the BGP device side when running a computer program.
  • the computer program is stored on the third memory 153 .
  • the third communication interface 151 is configured to deliver the second information to the first node; wherein,
  • the second information includes a second token and a segment list of the second message; the second information is used for the first node to write the first information corresponding to the message forwarding path of the second message into the first data table;
  • the first data table uses tokens as indexes and stores the first information corresponding to each message forwarding path in at least one message forwarding path; the token is mapped based on the corresponding message forwarding path;
  • the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token; the first information corresponding to the message forwarding path of the second message is determined from the segment list of the second message.
  • the first information includes one of the following:
  • the next hop address of the corresponding message forwarding path at the first node.
  • the third communication interface 151 is further configured to: deliver the second information to the CPE; wherein the second information is used for the CPE to encapsulate the second message.
  • the first node includes PE equipment and/or PoP.
  • bus system 154 is used to implement connection communication between these components.
  • the bus system 154 also includes a power bus, a control bus and a status signal bus.
  • the various buses are labeled bus system 154 in FIG. 15 .
  • the third memory 153 in the embodiment of the present application is used to store various types of data to support the operation of the network device 15 .
  • Examples of such data include: any computer program used to operate on network device 15.
  • the methods disclosed in the above embodiments of the present application can be applied to the third processor 152 or implemented by the third processor 152 .
  • the third processor 152 may be an integrated circuit chip with signal processing capabilities. During the implementation process, each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the third processor 152 .
  • the above-mentioned third processor 152 may be a general-purpose processor, a DSP, or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the third processor 152 can implement or execute the various methods, steps and logical block diagrams disclosed in the embodiments of this application.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the software module may be located in a storage medium, and the storage medium is located in the third memory 153.
  • the third processor 152 reads the information in the third memory 153, and completes the steps of the foregoing method in combination with its hardware.
  • the network device 15 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general-purpose processors, controllers, MCUs, Microprocessors, or other electronic components for performing the aforementioned methods.
  • the memory in the embodiment of the present application can be a volatile memory or a non-volatile memory, and can also include both volatile and non-volatile memory. Among them, non-volatile memory can be read-only memory (ROM, Read Only Memory), programmable read-only memory (PROM, Programmable Read-Only Memory), erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory), electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), magnetic random access memory (FRAM), flash memory, magnetic surface memory, optical disk, or compact disc read-only memory (CD-ROM, Compact Disc Read-Only Memory); magnetic surface memory can be disk storage or tape storage.
  • volatile memory can be random access memory (RAM, Random Access Memory), which is used as an external cache. By way of example, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), and direct Rambus random access memory (DRRAM).
  • the memories described in the embodiments of the present application are intended to include, but are not limited to, these and any other suitable types of memories.
  • the embodiment of the present application also provides a storage medium, that is, a computer storage medium, specifically a computer-readable storage medium, for example, including a first memory 133 that stores a computer program.
  • the above computer program can be executed by the first processor 132 of the network device 13 to complete the steps of the aforementioned first node-side method.
  • Another example includes a second memory 143 that stores a computer program.
  • the computer program can be executed by the second processor 142 of the client terminal device 14 to complete the steps of the aforementioned CPE side method.
  • Another example includes a third memory 153 that stores a computer program.
  • the computer program can be executed by the third processor 152 of the network device 15 to complete the steps of the aforementioned BGP device-side method.
  • the computer-readable storage medium can be FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disk, or CD-ROM and other memories.
  • "A and/or B" can mean any of three situations: A exists alone, A and B exist simultaneously, or B exists alone.
  • "at least one" in this article means any one of a plurality, or any combination of at least two of a plurality; for example, "including at least one of A, B and C" can mean including any one or more elements selected from the set composed of A, B and C.
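The table-driven check that the first processor 132 performs, with the four discard conditions listed above and the BGP-delivered table write, as an added example that is not code from the patent. It assumes a truncated SHA-256 over the segment list as the token mapping (the patent only says the token is mapped from the path), RFC 8754 segment-list ordering with SL indexing the active segment, a per-node map from neighbour SID to local interface, and constructed SIDs and interface numbers.

```python
"""Added example: token-indexed first data table at a first node (PE/PoP)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence

# Constructed value: the local interface on which traffic from the CPE enters.
CPE_FACING_INTERFACE = 1


def token_from_segment_list(segment_list: Sequence[str]) -> str:
    """Assumed path-to-token mapping: the patent does not fix one, so a
    truncated SHA-256 over the ordered SIDs stands in for it here."""
    digest = hashlib.sha256("|".join(segment_list).encode()).hexdigest()
    return digest[:16]


@dataclass(frozen=True)
class FirstInfo:
    """First information stored per forwarding path, indexed by token."""
    ingress_interface: int   # ingress interface of the path at this node
    next_hop: str            # next hop address of the path at this node


class Verdict(Enum):
    ACCEPT = "accept"
    DROP_NO_TOKEN = "drop: no token carried"
    DROP_UNKNOWN_TOKEN = "drop: token not in first data table"
    DROP_INGRESS_MISMATCH = "drop: ingress interface mismatch"
    DROP_NEXT_HOP_MISMATCH = "drop: next hop mismatch"


@dataclass(frozen=True)
class FirstMessage:
    """Fields of a first message used by the check. The SRH segment list is in
    RFC 8754 order (index 0 is the last segment); segments_left (SL) indexes
    the active segment, so the hop after this node is segment_list[SL - 1]."""
    token: Optional[str]          # first token from the SRH, None if absent
    segment_list: tuple[str, ...]
    segments_left: int
    ingress_interface: int        # second ingress interface number (actual arrival)


class FirstNode:
    def __init__(self, node_sid: str, interface_of_neighbor: dict[str, int]):
        self.node_sid = node_sid
        # Assumption: the node knows which local interface faces each neighbour SID.
        self.interface_of_neighbor = interface_of_neighbor
        self.first_data_table: dict[str, FirstInfo] = {}

    def write_second_information(self, token: str,
                                 segment_list: tuple[str, ...]) -> FirstInfo:
        """Install one path from the second information (token + segment list)
        delivered by the BGP device. Next hop and ingress interface are derived
        from where this node sits in the segment list."""
        pos = segment_list.index(self.node_sid)   # ValueError if not on the path
        if pos == 0:
            raise ValueError("this node is the last segment; nothing to forward to")
        next_hop = segment_list[pos - 1]
        if pos + 1 < len(segment_list):
            ingress = self.interface_of_neighbor[segment_list[pos + 1]]
        else:
            ingress = CPE_FACING_INTERFACE      # first segment: enters from the CPE
        info = FirstInfo(ingress, next_hop)
        self.first_data_table[token] = info
        return info

    def verify(self, msg: FirstMessage) -> Verdict:
        """Apply the discard conditions in the order the patent lists them."""
        if msg.token is None:
            return Verdict.DROP_NO_TOKEN
        info = self.first_data_table.get(msg.token)
        if info is None:
            return Verdict.DROP_UNKNOWN_TOKEN
        if info.ingress_interface != msg.ingress_interface:
            return Verdict.DROP_INGRESS_MISMATCH
        # Second next hop address: what the message's own SRH (via SL) claims.
        sl = msg.segments_left
        claimed = msg.segment_list[sl - 1] if 0 < sl <= len(msg.segment_list) else None
        if claimed != info.next_hop:
            return Verdict.DROP_NEXT_HOP_MISMATCH
        return Verdict.ACCEPT

    def forward(self, msg: FirstMessage) -> Optional[str]:
        """Verify, then forward to the next hop taken from the table entry
        indexed by the token, not from the SRH; None means discarded."""
        if self.verify(msg) is not Verdict.ACCEPT:
            return None
        return self.first_data_table[msg.token].next_hop
```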

Abstract

Disclosed in the present application are a message verification method and apparatus, and a related device and a storage medium. The method comprises: a first node verifying a first message on the basis of a first data table, wherein the first data table takes a token as an index, and stores first information corresponding to each message forwarding path among at least one message forwarding path; and the token is obtained by means of performing mapping on the basis of a corresponding message forwarding path.

Description

Message verification method, apparatus, related device and storage medium
Cross-reference to related application
This application is based on and claims priority to Chinese patent application No. 202210705160.0, filed on June 21, 2022, the entire content of which is hereby incorporated into this application by reference.
Technical field
The present application relates to the field of communication technology, and in particular to a message verification method, apparatus, related device and storage medium.
Background
In the related art, a Software Defined Wide Area Network (SD-WAN, Software Defined Wide Area Network) based on Segment Routing over Internet Protocol Version 6 (SRv6, Segment Routing IPv6; IPv6, Internet Protocol Version 6) has network security risks.
Summary
To solve the related technical problems, embodiments of the present application provide a message verification method, apparatus, related device and storage medium.
The technical solution of the embodiments of the present application is implemented as follows:
An embodiment of the present application provides a message verification method, applied to a first node. The method includes:
verifying a first message based on a first data table; wherein,
the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
An embodiment of the present application also provides a message verification method, applied to customer premise equipment (CPE, Customer Premise Equipment). The method includes:
sending a first message to a first node; wherein,
the first node includes a provider edge (PE, Provider Edge) device and/or a point of presence (PoP, point-of-presence), and is used to verify the first message based on a first data table; the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
An embodiment of the present application also provides a message verification method, applied to a Border Gateway Protocol (BGP, Border Gateway Protocol) device. The method includes:
delivering second information to a first node; wherein,
the second information includes a second token and a segment list of a second message; the second information is used for the first node to write the first information corresponding to the message forwarding path of the second message into a first data table;
the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path;
the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token; the first information corresponding to the message forwarding path of the second message is determined from the segment list of the second message.
An embodiment of the present application also provides a message verification apparatus, including:
a verification unit configured to verify a first message based on a first data table; wherein,
the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
An embodiment of the present application also provides a message verification apparatus, including:
a first sending unit configured to send a first message to a first node; wherein,
the first node includes a PE device or PoP, used to verify the first message based on a first data table; the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
An embodiment of the present application also provides a message verification apparatus, including:
a second sending unit configured to deliver second information to a first node; wherein,
the second information includes a second token and a segment list of a second message; the second information is used for the first node to write the first information corresponding to the message forwarding path of the second message into a first data table;
the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path;
the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token; the first information corresponding to the message forwarding path of the second message is determined from the segment list of the second message.
An embodiment of the present application also provides a network device, including a first processor and a first communication interface, wherein
the first processor is configured to verify a first message based on a first data table; wherein,
the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
An embodiment of the present application also provides a client terminal device, including a second processor and a second communication interface, wherein
the second communication interface is configured to send a first message to a first node; wherein,
the first node includes a PE device or PoP, used to verify the first message based on a first data table; the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
An embodiment of the present application also provides a network device, including a third processor and a third communication interface, wherein
the third communication interface is configured to deliver second information to a first node; wherein,
the second information includes a second token and a segment list of a second message; the second information is used for the first node to write the first information corresponding to the message forwarding path of the second message into a first data table;
the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path;
the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token; the first information corresponding to the message forwarding path of the second message is determined from the segment list of the second message.
An embodiment of the present application also provides a network device, including a first processor and a first memory for storing a computer program capable of running on the first processor,
wherein the first processor is configured, when running the computer program, to execute the steps of any of the above methods on the first node side.
An embodiment of the present application also provides a client terminal device, including a second processor and a second memory for storing a computer program capable of running on the second processor,
wherein the second processor is configured, when running the computer program, to execute the steps of any of the above methods on the CPE side.
An embodiment of the present application also provides a network device, including a third processor and a third memory for storing a computer program capable of running on the third processor,
wherein the third processor is configured, when running the computer program, to execute the steps of any of the above methods on the BGP device side.
An embodiment of the present application also provides a storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of any of the above methods on the first node side, or the steps of any of the above methods on the CPE side, or the steps of any of the above methods on the BGP device side.
In the message verification method, apparatus, related device and storage medium provided by the embodiments of the present application, the CPE sends a first message to a first node, and the first node verifies the first message based on a first data table; wherein the first data table uses tokens as indexes and stores first information corresponding to each message forwarding path in at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path. With the above scheme, each first node can verify the legitimacy of the received first message based on the first data table, thereby reducing network security risk. Because the first data table is indexed by token, it is easier to maintain: the first node can query the first information corresponding to each forwarding path in the first data table by token, without using segment identifiers (SID, Segment Identifier) to retrieve or compare path information, which reduces the amount of computation and saves query time, thereby reducing the difficulty of hardware deployment.
Description of the drawings
Figure 1 is a schematic diagram of the structure of a SID in the related art;
Figure 2 is a schematic diagram of the structure of an SRH in the related art;
Figure 3 is a schematic diagram of a network architecture in the related art;
Figure 4 is a schematic flow chart of the implementation of a message verification method according to an embodiment of the present application;
Figure 5 is a schematic diagram of a message verification method according to an embodiment of the present application;
Figure 6 is a schematic diagram of a message forwarding method according to an embodiment of the present application;
Figure 7 is a schematic flow chart of the implementation of a message verification method according to an embodiment of the present application;
Figure 8 is a schematic flow chart of the implementation of a message verification method according to an embodiment of the present application;
Figure 9 is a schematic diagram of the interaction flow of a message verification method according to an embodiment of the present application;
Figure 10 is a schematic diagram of the structure of a message verification apparatus according to an embodiment of the present application;
Figure 11 is a schematic diagram of the structure of a message verification apparatus according to an embodiment of the present application;
Figure 12 is a schematic diagram of the structure of a message verification apparatus according to an embodiment of the present application;
Figure 13 is a schematic diagram of the structure of a network device according to an embodiment of the present application;
Figure 14 is a schematic diagram of the structure of a client terminal device according to an embodiment of the present application;
Figure 15 is a schematic diagram of the structure of a network device according to an embodiment of the present application.
Detailed description
Before introducing the embodiments of this application, the related art is described first:
Segment Routing (SR) is a source routing technique. Segments are assigned to nodes, links or service functions in the network, and the head node combines these segments on demand into a sequence of segments encapsulated in the packet header, namely the segment list. When a packet reaches the ingress of the SR domain, a segment sequence can be pushed onto it as required, and the packet is then steered in turn to the corresponding node, link or service function as instructed by each segment in the sequence.
The advantages of SR can be summarized in four aspects:
Simplified control protocols: SR distributes SIDs through the Interior Gateway Protocol (IGP) and BGP, so there is no need to deploy and maintain the traditional Label Distribution Protocol (LDP), Resource ReSerVation Protocol-Traffic Engineering (RSVP-TE) and the like.
High scalability: SR generates a vast number of SR paths by combining a limited set of link and node segments; path information only needs to be kept at the head node, and intermediate nodes in the network do not need to maintain path state.
Programmability: in the SR technology system a segment can be regarded as an instruction, and combining segments to form an SR path that meets a specific requirement can be regarded as programming the network. Such programming can flexibly establish paths that meet different requirements and unlock the value of the network.
High-reliability protection: SR provides Fast Re-Route protection with 100% network coverage, which solves a long-standing technical problem of Internet Protocol (IP) networks and achieves complete reliability protection while remaining highly scalable.
SRv6 is an SR source routing technique implemented on IPv6. An SRv6 SID is 128 bits long, the same as an IPv6 address. As shown in Figure 1, the SID format usually consists of three parts: a locator (Locator), a function (Function) and an optional argument (Argument).
The Locator is an identifier assigned to a network node and is used to route and forward packets. In an SRv6 SID the Locator is a variable-length part, so that it can be adapted to networks of different sizes. The Locator has two important properties: it is routable and it is aggregatable.
The Function expresses the forwarding action the instruction is to execute, equivalent to the opcode of a computer instruction. In SRv6 network programming, different forwarding behaviours are expressed by different Functions.
The Argument is an optional field that carries the parameters needed when the instruction is executed. These parameters may include flow, service or any other relevant information.
With the SRv6 SID format defined as above, an SRv6 SID can be used to flexibly indicate various operations and parameters in the network.
On the other hand, SRv6 introduces a new SRH in the IPv6 routing extension header to carry the sequence of SRv6 SIDs, enabling flexible programming of SRv6 network paths and various functions. The SRH can also include optional TLV (Type-length-value) fields that carry variable-length data, giving SRv6 better extensibility. The format of the SRH is shown in Figure 2.
While inheriting all the advantages of SR, SRv6 gains stronger extensibility and programmability by combining with IPv6, and has unique advantages in simplifying the network and meeting new service requirements. In an SRv6-based SD-WAN, however, SR source routing encodes all network information into the packet: all path information is carried in packets originated on the user side, and that path information is not constrained, so the user is given too much control; extending the SRv6 network to the untrusted user side therefore creates the risk of users invoking network resources without authorization. As shown in Figure 3, in a cloud access scenario for example, the CPE is located in an untrusted domain, and by specifying the path in the packet a user can not only access its own Virtual Private Cloud (VPC) but also illegitimately access other users' VPCs, which brings network security risk.
To address the problem that users have too much control in an SRv6-based SD-WAN, with the resulting network security risk, the related art proposes the following three schemes for verifying packets:
Scheme 1: hop-by-hop verification
The standard recommends using a Hash-based Message Authentication Code (HMAC) to verify that an SRv6 path is legitimate, but this is difficult to implement. The reasons are: current router hardware does not support HMAC computation, so the hardware would have to be upgraded at high cost; and the large amount of computation that HMAC verification imposes on the router would seriously affect forwarding efficiency.
Scheme 2: ingress verification
An Access Control List (ACL) can match and filter traffic, but the length of the SID list is not fixed and ACL resource consumption is high, so the approach is not suitable for large-scale deployment; an ACL has to match the SID list, which is difficult to maintain and difficult to put into use.
Scheme 3: verification at both ends
Verifying packets at both ends, the CPE and the PoP, can prevent unauthorized access, but when a Distributed Denial of Service (DDoS) attack occurs, the intermediate nodes do not verify the packets they receive, so the DDoS attack still cannot be stopped.
Path verification needs to support flexible hop-by-hop, head-and-tail, or arbitrary combinations of node verification in order to reduce the difficulty of hardware deployment and implementation.
Based on this, in the various embodiments of the present application, the CPE sends a first message to a first node, and the first node verifies the first message based on a first data table. The first data table is indexed by token and stores, for each of at least one message forwarding path, the first information corresponding to that path; the token is obtained by mapping the corresponding message forwarding path. With this scheme, each first node can verify the legitimacy of a received first message against the first data table, which reduces network security risk. Because the first data table is indexed by token, it is easier to maintain: the first node looks up the first information of each forwarding path by token and does not need to use SIDs to retrieve or compare path information, which reduces computation and query time and therefore the difficulty of hardware deployment.
The present application is described in further detail below with reference to the accompanying drawings and embodiments.
An embodiment of the present application provides a message verification method applied to a first node. The first node may be a router or a virtual routing device, and includes a PE device and/or a PoP. Referring to Figure 4, the method includes:
Step 401: verify the first message based on the first data table.
Here the first data table is indexed by token and stores, for each of at least one message forwarding path, the first information corresponding to that path; the token is obtained by mapping the corresponding message forwarding path.
The first data table is stored in the first node, and different first nodes store different first data tables. On receiving a first message, the first node verifies it against the first data table and obtains a verification result. For example, the first message is verified based on the tokens in the first data table and/or the first information indexed by the corresponding token, giving the verification result of the first message.
The first message may be sent by the CPE or by another first node. If the verification result indicates success, the first message is legitimate and the first node forwards it based on its next hop (NH, Next Hop) address; if the verification result indicates failure, the first message is illegitimate and the first node discards it. The next hop address may be the next hop SID.
The first data table is also called the legitimate path verification table. The first information is the legitimate path information corresponding to the first node. Each token corresponds to one message forwarding path, and the token and its corresponding first information are stored in association in the first data table. The token may be a hash value computed from the message forwarding path, or a random number allocated to the corresponding message forwarding path.
It should be noted that the first node may have the message verification function enabled by default, or may enable or disable it according to actual requirements. When the message verification function is enabled, the first node verifies the first message based on the first data table.
To improve the credibility of the message verification result and thereby reduce network security risk, in one embodiment the first information includes at least one of the following:
the ingress interface number corresponding to the message forwarding path at the first node;
the next hop address corresponding to the message forwarding path at the first node.
Here, in the first data table, the next hop address may be labelled NH and the ingress interface number may be labelled IngIF. The ingress interface number represents the ingress interface information of a tunnel, which may be an Internet Protocol Security (IPSec) tunnel, a Generic Routing Encapsulation (GRE) tunnel, or the like.
The ingress interface number in the first information is used to verify the ingress interface number of the first message when the ingress interface of the first node is a tunnel.
The next hop address in the first information is used to verify the next hop address of the first message, that is, the next hop address of the first message at the first node.
Considering that if the first node forwards a user packet carrying illegitimate path information, the corresponding user may illegitimately access other users' VPCs and create network security hazards such as data leakage, in order to reduce network security risk, in one embodiment the method further includes:
discarding the first message when its verification result satisfies at least one of the following conditions:
the first message does not carry a token;
the first message carries a first token, and the first token does not exist in the first data table;
the first message carries a first token, the first token exists in the first data table, and a first ingress interface number does not match a second ingress interface number; the first ingress interface number is the ingress interface number in the first information indexed by the first token, and the second ingress interface number is the ingress interface number of the first message at the first node;
the first message carries a first token, the first token exists in the first data table, and a first next hop address does not match a second next hop address; the first next hop address is the next hop address in the first information indexed by the first token, and the second next hop address is the next hop address of the first message at the first node.
Here the first node supports a first verification mode and a second verification mode, and determines from its configuration information which mode is currently used to verify the first message. The first verification mode is also called the source-routed path mode, and the second verification mode the non-source-routed path mode. In the first verification mode, the first node verifies the first message based on the token corresponding to the message forwarding path in the first data table together with the next hop address and/or ingress interface number. In the second verification mode, the first node verifies the first message based only on the token corresponding to the message forwarding path in the first data table.
In the first verification mode, when the verification result of the first message satisfies at least one of the following conditions, the first message is treated as illegitimate and discarded:
the first message does not carry a token;
the first message carries a first token, and the first token does not exist in the first data table;
the first message carries a first token, the first token exists in the first data table, and the first ingress interface number does not match the second ingress interface number; the first ingress interface number is the ingress interface number in the first information indexed by the first token, and the second ingress interface number is the ingress interface number of the first message at the first node;
the first message carries a first token, the first token exists in the first data table, and the first next hop address does not match the second next hop address; the first next hop address is the next hop address in the first information indexed by the first token, and the second next hop address is the next hop address of the first message at the first node.
For example, in the first verification mode, the first node checks whether the first message carries a token and, if it does not, discards the first message.
If the first message carries a token, the first node extracts the first token from it, and also extracts the second ingress interface number and/or the second next hop address. As shown in Figure 5, the second next hop address can be determined from the pointer (SL, Segment Left) carried in the first message and the segment list in the first message. SL indicates the currently active segment; the first node obtains the currently active SID from SL and, based on the currently active SID, determines the next hop SID from the segment list in the first message.
The first node looks up the first token in the first data table; if the first token is not found, the first message is discarded. If the first token is found, the first node determines the first information indexed by the first token and obtains from it the ingress interface number and/or the next hop address, giving the first ingress interface number and/or the first next hop address; it then compares the first ingress interface number with the second ingress interface number, and/or the first next hop address with the second next hop address. If the comparison shows that the first and second ingress interface numbers do not match (differ), and/or that the first and second next hop addresses do not match, the first message is discarded.
If the first message carries the first token, the first token exists in the first data table, and the first ingress interface number matches the second ingress interface number and/or the first next hop address matches the second next hop address, the first message is legitimate, and the first node forwards it based on the first next hop address or the second next hop address.
Figure 6 is a schematic diagram of a message forwarding method according to an embodiment of the present application; the message verification flow in the dashed box is added on top of the related art. In practice, as shown in the dashed box in Figure 6, the first node extracts the first token and the next hop address (NH SID) from the SRH of the first message, extracts the ingress interface number (IngIF) of the first message, and looks up the first token in the first data table. If the first token is not found in the first data table, the first message is discarded; if it is found, the IngIF and NH SID in the first information indexed by the first token are obtained from the first data table.
If the IngIF obtained from the first data table differs from the IngIF of the first message, and/or the NH SID obtained from the first data table differs from the NH SID in the first message, the first message is discarded. If the IngIF obtained from the first data table is the same as the IngIF of the first message, and the NH SID obtained from the first data table is the same as the NH SID in the first message, the first message is forwarded based on its NH SID.
In the second verification mode, when the verification result of the first message satisfies at least one of the following conditions, the first message is treated as illegitimate and discarded:
the first message does not carry a token;
the first message carries a first token, and the first token does not exist in the first data table.
For example, in the second verification mode, the first node checks whether the first message carries a token and, if it does not, discards the first message. If the first message carries a token, the first token is extracted from it and looked up in the first data table; if the first token is not found, the first message is discarded. If the first token is found in the first data table, the first message is forwarded based on the second next hop address in the first message.
Before verifying the next hop address in the first message, the first node needs to obtain the next hop address of the first message from the first data table. Accordingly, in one embodiment the method further includes:
determining the next hop address of the first message in the first data table based on the first token carried in the first message; where
the next hop address of the first message is the next hop address in the first information indexed by the first token.
Here the first node extracts the first token from the first message, looks up the first information corresponding to the first token in the first data table, and takes the next hop address from that first information as the next hop address of the first message.
In one embodiment, the first token is obtained by mapping the segment list of the first message.
Here the message forwarding path of the first message is its segment list, and the first token is either a hash value computed from the segment list of the first message or a random number allocated to the segment list of the first message.
In one embodiment, the first token carried in the first message is encapsulated in the Segment Routing Header (SRH) of the first message.
Here the first node extracts the first token from the SRH of the first message.
The data in the first data table is updated dynamically. Accordingly, in one embodiment the method further includes:
receiving second information delivered by a BGP device, the second information including a second token and the segment list of a second message;
writing the first information corresponding to the message forwarding path of the second message into the first data table; where
the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token, and is determined from the segment list of the second message.
Here the BGP device includes an SD-WAN controller and/or a cloud private network controller. In practice, when the first node is a PE device or a PoP, the BGP device is the cloud private network controller.
The first node receives the second information delivered by the BGP device, determines from the segment list of the second message contained in the second information the first information corresponding to the message forwarding path of the second message, and writes that first information into the first data table. The first information includes at least the second token, and may also include the ingress interface number and/or the next hop address of the message forwarding path of the second message at the first node.
It should be noted that the first information corresponding to the message forwarding path of the first message in the first data table is likewise determined from the first token and the segment list of the first message delivered by the BGP device.
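The following is an added example, not code from the patent, of a first node that keeps a token-indexed legitimate path verification table, writes entries from the (token, segment list) pairs a BGP device delivers as described above, and applies the first (source-routed) and second (non-source-routed) verification modes described earlier. The on-wire segment list order, the SHA-256 token mapping, the SL-1 next-hop rule and the locally configured ingif value are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: segment lists are in on-wire SRH order (index 0 is the last
# segment of the path) and SL (Segments Left) indexes the active SID, so the
# next hop SID is segment_list[SL - 1].


@dataclass(frozen=True)
class FirstInfo:
    """First information for one path at this node: NH and IngIF as in the table."""
    nh: Optional[str]      # next hop SID at this node, None if this node is last
    ingif: Optional[int]   # tunnel ingress interface number, None if not checked


@dataclass
class FirstMessage:
    """The fields of a received first message that verification reads."""
    token: Optional[bytes]    # first token from the SRH, None if absent
    segment_list: List[str]   # SRH segment list, on-wire order
    sl: int                   # Segments Left
    ingif: int                # interface the packet arrived on


def map_token(segment_list: List[str]) -> bytes:
    """Token = truncated hash of the forwarding path (hash mapping, one of the two options)."""
    return hashlib.sha256("|".join(segment_list).encode()).digest()[:8]


def second_next_hop(msg: FirstMessage) -> Optional[str]:
    """Second next hop address: the SID following the active one (SL - 1)."""
    if 0 < msg.sl < len(msg.segment_list):
        return msg.segment_list[msg.sl - 1]
    return None


class FirstNode:
    def __init__(self, node_sid: str, source_routed_mode: bool = True):
        self.node_sid = node_sid
        self.source_routed_mode = source_routed_mode   # first vs second verification mode
        self.table: Dict[bytes, FirstInfo] = {}        # legitimate path verification table

    def install_path(self, token: bytes, segment_list: List[str],
                     ingif: Optional[int] = None) -> bool:
        """Write the first information for a path delivered as (token, segment list).

        The NH is derived from the segment list; ingif is assumed to come from
        local tunnel configuration, since the segment list does not carry it.
        """
        if self.node_sid not in segment_list:
            return False                                # path does not traverse this node
        idx = segment_list.index(self.node_sid)
        nh = segment_list[idx - 1] if idx > 0 else None
        self.table[token] = FirstInfo(nh=nh, ingif=ingif)
        return True

    def verify(self, msg: FirstMessage) -> Tuple[bool, str]:
        """Return (forward?, reason) following the drop conditions of the text."""
        if msg.token is None:
            return False, "drop: no token"
        info = self.table.get(msg.token)
        if info is None:
            return False, "drop: unknown token"
        if not self.source_routed_mode:
            # Second mode: token presence and table membership only.
            return True, f"forward via {second_next_hop(msg)}"
        # First mode: additionally compare IngIF and NH SID with the table entry.
        if info.ingif is not None and info.ingif != msg.ingif:
            return False, "drop: ingress interface mismatch"
        if info.nh is not None and info.nh != second_next_hop(msg):
            return False, "drop: next hop mismatch"
        return True, f"forward via {info.nh}"


if __name__ == "__main__":
    # Constructed sample: path PoP A -> PE B -> C, SD-WAN side sends via interface 7.
    path = ["2001:db8::3", "2001:db8::2", "2001:db8::1"]
    tok = map_token(path)
    pe_b = FirstNode("2001:db8::2")
    pe_b.install_path(tok, path, ingif=7)
    print(pe_b.verify(FirstMessage(tok, path, sl=1, ingif=7)))
    # Same token but altered segment list: NH derived from SL no longer matches.
    altered = ["2001:db8::99", "2001:db8::2", "2001:db8::1"]
    print(pe_b.verify(FirstMessage(tok, altered, sl=1, ingif=7)))
```

Note that in the second mode the altered segment list is accepted because only the token is checked, which is the trade-off between the two modes the text describes.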
对应地,本申请实施例还提供了一种报文校验方法,应用于CPE。参照图7,该方法包括:Correspondingly, the embodiment of this application also provides a message verification method, which is applied to CPE. Referring to Figure 7, the method includes:
步骤701:向第一节点发送第一报文。Step 701: Send the first message to the first node.
其中,所述第一节点包括PE设备或PoP,用于基于第一数据表校验所述第一报文;所述第一数据表以令牌为索引,存储有至少一条报文转发路径中的每条报文转发路径对应的第一信息;所述令牌基于对应的报文转发路径映射得到。Wherein, the first node includes a PE device or PoP, which is used to verify the first message based on a first data table; the first data table uses a token as an index and stores at least one message forwarding path. The first information corresponding to each message forwarding path; the token is mapped based on the corresponding message forwarding path.
这里,CPE封装第一报文,并向第一节点发送第一报文。Here, the CPE encapsulates the first message and sends the first message to the first node.
示例性地,CPE封装第一报文的方法可以为:CPE接收BGP设备(例如,SD-WAN控制器)下发的第一报文的第一令牌和第一报文的源路径(SR Policy),SR Policy包括第一报文的段列表;基于第一报文的第一令牌和第一报文的段列表,封装第一报文。Exemplarily, the method for the CPE to encapsulate the first message may be: the CPE receives the first token of the first message and the source path (SR) of the first message delivered by the BGP device (for example, SD-WAN controller). Policy), the SR Policy includes the segment list of the first message; the first message is encapsulated based on the first token of the first message and the segment list of the first message.
在一实施例中,所述第一信息包括以下至少之一:In one embodiment, the first information includes at least one of the following:
对应的报文转发路径在所述第一节点对应的入接口号;The corresponding ingress interface number of the corresponding packet forwarding path at the first node;
对应的报文转发路径在所述第一节点对应的下一跳地址。The corresponding message forwarding path is at the next hop address corresponding to the first node.
在一实施例中,所述第一报文至少携带第一令牌,还携带第二入接口号和/或SL;其中,In one embodiment, the first message carries at least a first token and also carries a second inbound interface number and/or SL; wherein,
所述第二入接口号表征所述第一报文在所述第一节点对应的入接口号;The second ingress interface number represents the ingress interface number corresponding to the first message at the first node;
所述SL用于供所述第一节点确定第二下一跳地址;所述第二下一跳地址表征所述第一报文在所述第一节点对应的下一跳地址。The SL is used for the first node to determine a second next hop address; the second next hop address represents the next hop address corresponding to the first message at the first node.
其中,由于SL用于指示当前活跃的Segment,因此,第一节点可以基于第一报文携带的SL和段列表确定出第二下一跳地址。Since the SL is used to indicate the currently active Segment, the first node can determine the second next hop address based on the SL and the segment list carried in the first message.
在一实施例中,所述第一令牌由所述第一报文的段列表映射得到。In an embodiment, the first token is mapped from the segment list of the first message.
在一实施例中,所述第一令牌封装于所述第一报文的SRH中。In one embodiment, the first token is encapsulated in the SRH of the first message.
Correspondingly, in order to update the data in the first data table, an embodiment of this application further provides a packet verification method applied to a BGP device, the BGP device being an SD-WAN controller or a cloud private network controller. Referring to Figure 8, the method includes:
Step 801: deliver second information to the first node.
Here, the second information includes a second token and the segment list of a second packet; the second information is used by the first node to write the first information corresponding to the packet forwarding path of the second packet into the first data table;
the first data table is indexed by token and stores, for each packet forwarding path of at least one packet forwarding path, the first information corresponding to that path; the token is obtained by mapping from the corresponding packet forwarding path;
the first information corresponding to the packet forwarding path of the second packet is indexed in the first data table by the second token; the first information corresponding to the packet forwarding path of the second packet is determined from the segment list of the second packet.
That is, the BGP device determines the second information and sends the second information to the first node. The first data table is used by the first node to verify the legitimacy of the packets it receives.
In an embodiment, the first node includes a PE device and/or a PoP.
In an embodiment, the first information includes one of the following:
the ingress interface number of the corresponding packet forwarding path at the first node;
the next-hop address of the corresponding packet forwarding path at the first node.
In an embodiment, the method further includes:
delivering the second information to the CPE; where the second information is used by the CPE to encapsulate the second packet.
That is, the BGP device delivers the second information to the CPE so that the CPE encapsulates the second packet based on the second token and the segment list of the second packet.
The solution of the embodiments of this application is further described below with reference to the interaction flow diagram.
The packet verification method shown in Figure 9 includes:
Step 1: the CPE sends a first packet to the first node.
Here, the first node includes a PE device or a PoP. The CPE may send the first packet to the first node directly or indirectly. For example, as shown in Figure 5, the CPE sends the first packet directly to the PE device, or the CPE sends the first packet to the PoP via the PE device.
In an embodiment, the first packet carries at least a first token, and further carries a second ingress interface number and/or an SL; where
the second ingress interface number represents the ingress interface number of the first packet at the first node;
the SL is used by the first node to determine a second next-hop address; the second next-hop address represents the next-hop address of the first packet at the first node.
Here, the first token is obtained by mapping from the segment list of the first packet, and the first token is encapsulated in the SRH of the first packet.
Step 2: the first node verifies the first packet based on the first data table.
Here, the first data table is indexed by token and stores, for each packet forwarding path of at least one packet forwarding path, the first information corresponding to that path; the token is obtained by mapping from the corresponding packet forwarding path.
In an embodiment, the first information includes at least one of the following:
the ingress interface number of the corresponding packet forwarding path at the first node;
the next-hop address of the corresponding packet forwarding path at the first node.
Here, as shown in Figure 5, each token and its corresponding first information are stored in association in the first data table.
In an embodiment, the first node discards the first packet when the verification result of the first packet satisfies at least one of the following conditions:
the first packet carries no token;
the first packet carries a first token, and the first token is not present in the first data table;
the first packet carries a first token, the first token is present in the first data table, and a first ingress interface number does not match a second ingress interface number; the first ingress interface number represents the ingress interface number in the first information indexed by the first token; the second ingress interface number represents the ingress interface number of the first packet at the first node;
the first packet carries a first token, the first token is present in the first data table, and a first next-hop address does not match a second next-hop address; the first next-hop address represents the next-hop address in the first information indexed by the first token; the second next-hop address represents the next-hop address of the first packet at the first node.
Here, the first token is obtained by mapping from the segment list of the first packet, and the first token carried in the first packet is encapsulated in the SRH of the first packet.
It should be noted that, for the implementation of step 2, reference is made to the description of step 401, which is not repeated here.
In an embodiment, the first node further determines the next-hop address of the first packet in the first data table based on the first token carried in the first packet, where the next-hop address of the first packet is the next-hop address in the first information indexed by the first token.
Step 3: the BGP device sends second information to the first node.
Here, the second information includes a second token and the segment list of a second packet; the second information is used by the first node to write the first information corresponding to the packet forwarding path of the second packet into the first data table; the first information corresponding to the packet forwarding path of the second packet is indexed in the first data table by the second token; the first information corresponding to the packet forwarding path of the second packet is determined from the segment list of the second packet.
Step 4: the first node receives the second information delivered by the BGP device.
Step 5: the first node writes the first information corresponding to the packet forwarding path of the second packet into the first data table.
Here, the first information corresponding to the packet forwarding path of the second packet is indexed in the first data table by the second token; the first information corresponding to the packet forwarding path of the second packet is determined from the segment list of the second packet.
Step 6: the BGP device sends the second information to the CPE.
Here, the second information includes the second token and the segment list of the second packet.
Step 7: the CPE receives the second information and encapsulates the second packet based on the second information.
Step 8: the CPE sends the second packet to the first node.
Step 9: the first node verifies the second packet based on the first data table.
Here, the method by which the first node verifies the second packet is similar to the method by which it verifies the first packet and is not repeated.
The first node discards the second packet when the verification result of the second packet satisfies at least one of the following conditions:
the second packet carries no token;
the second packet carries a second token, and the second token is not present in the first data table;
the second packet carries a second token, the second token is present in the first data table, and a third ingress interface number does not match a fourth ingress interface number; the third ingress interface number represents the ingress interface number in the first information indexed by the second token; the fourth ingress interface number represents the ingress interface number of the second packet at the first node;
the second packet carries a second token, the second token is present in the first data table, and a third next-hop address does not match a fourth next-hop address; the third next-hop address represents the next-hop address in the first information indexed by the second token; the fourth next-hop address represents the next-hop address of the second packet at the first node.
Here, the second token is obtained by mapping from the segment list of the second packet, and the second token carried in the second packet is encapsulated in the SRH of the second packet.
In the packet verification method, apparatus, related device and storage medium provided by the embodiments of this application, the CPE sends a first packet to the first node, and the first node verifies the first packet based on a first data table; the first data table is indexed by token and stores, for each packet forwarding path of at least one packet forwarding path, the first information corresponding to that path; the token is obtained by mapping from the corresponding packet forwarding path. With this solution, every first node can verify the legitimacy of a received first packet against the first data table, which reduces network security risk. Because the first data table is indexed by token, it is easier to maintain: the first node looks up the first information of each forwarding path in the first data table by token and does not need to retrieve or compare path information by SID, which reduces computation and lookup time and thereby lowers the difficulty of implementing the scheme in hardware.
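The following Python model is an added example and is not code from the patent or from the applicant. It walks the Figure 9 flow end to end and also covers the CPE-side method of Figure 7 and the BGP-device method of Figure 8: the BGP device pushes (token, segment list) to the first node, the node derives its ingress interface and next hop from the segment list and stores them under the token, the CPE encapsulates a packet carrying the token, and the node verifies it by token lookup followed by the four drop conditions. Everything not stated by the page is an assumption here: the token mapping (a truncated SHA-256 over the segment list; the page only says the token is mapped from the segment list), the SRH model (segment list kept in forwarding order starting at the source node, with `sl` indexing the active segment, whereas a real SRH stores it reversed with Segments Left counting down), the way the node maps a neighbour SID to a local interface, and all SIDs and interface numbers, which are constructed sample values.

```python
"""Token-indexed forwarding-path verification at a PE/PoP ("first node").

Added example, not the patent's code. Assumptions not in the patent: the token
mapping, the simplified SRH layout (forwarding order, `sl` = index of the active
segment), the neighbour-SID-to-interface map, and all sample addresses.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def map_token(segment_list: list[str]) -> str:
    """Assumed token mapping: truncated SHA-256 over the ordered segment list."""
    return hashlib.sha256("|".join(segment_list).encode()).hexdigest()[:16]


@dataclass(frozen=True)
class FirstInfo:
    """The 'first information' of one forwarding path at this node."""
    ingress_if: int
    next_hop: str


@dataclass
class Packet:
    """An SRv6 packet as the first node sees it (simplified SRH model)."""
    segment_list: list[str]  # forwarding order: [source, ..., destination]
    sl: int                  # index of the currently active segment
    token: Optional[str]     # token carried in the SRH, None if absent


class FirstNode:
    """PE or PoP that owns the token-indexed first data table."""

    def __init__(self, own_sid: str, if_by_neighbor: dict[str, int]):
        self.own_sid = own_sid
        self.if_by_neighbor = if_by_neighbor   # neighbour SID -> local ingress interface
        self.table: dict[str, FirstInfo] = {}  # the first data table, keyed by token

    def derive_info(self, segment_list: list[str]) -> FirstInfo:
        """Steps 4-5: this node's ingress interface and next hop on the given path."""
        i = segment_list.index(self.own_sid)
        if i == 0 or i + 1 >= len(segment_list):
            raise ValueError("segment list does not transit this node")
        return FirstInfo(ingress_if=self.if_by_neighbor[segment_list[i - 1]],
                         next_hop=segment_list[i + 1])

    def install(self, token: str, segment_list: list[str]) -> None:
        """Write the path's first information into the table under its token."""
        self.table[token] = self.derive_info(segment_list)

    def verify(self, pkt: Packet, arrived_on: int) -> tuple[bool, str]:
        """Steps 2/9: token lookup, then ingress-interface and next-hop comparison."""
        if pkt.token is None:
            return False, "drop: no token"
        info = self.table.get(pkt.token)
        if info is None:
            return False, "drop: token not in table"
        if info.ingress_if != arrived_on:
            return False, "drop: ingress interface mismatch"
        # Second next hop: the segment after the active one (SL points at this node).
        if pkt.sl + 1 >= len(pkt.segment_list):
            return False, "drop: no segment after SL"
        if pkt.segment_list[pkt.sl + 1] != info.next_hop:
            return False, "drop: next hop mismatch"
        return True, "forward via " + info.next_hop


def cpe_encapsulate(token: str, segment_list: list[str], first_node_sid: str) -> Packet:
    """Step 7: build a packet whose SRH carries the token, with SL at the first node."""
    return Packet(list(segment_list), segment_list.index(first_node_sid), token)


# Constructed sample topology: CPE -> PE -> PoP -> destination (all addresses invented).
CPE, PE, POP, DST = "2001:db8:c::1", "2001:db8:a::1", "2001:db8:b::1", "2001:db8:d::1"
ROGUE = "2001:db8:e::1"  # a neighbour on another interface, and an unauthorised SID


def run_scenario() -> dict[str, tuple[bool, str]]:
    """Install one path, then verify a valid packet and several tampered ones."""
    path = [CPE, PE, POP, DST]
    token = map_token(path)
    pe = FirstNode(PE, {CPE: 7, ROGUE: 9})
    pe.install(token, path)                              # steps 3-5
    good = cpe_encapsulate(token, path, PE)              # steps 6-8
    return {
        "valid": pe.verify(good, arrived_on=7),
        "no_token": pe.verify(Packet(path, 1, None), 7),
        "forged_token": pe.verify(Packet(path, 1, "0" * 16), 7),
        "wrong_interface": pe.verify(good, arrived_on=9),
        "sl_tampered": pe.verify(Packet(path, 2, token), 7),
        "sl_past_end": pe.verify(Packet(path, 3, token), 7),
        "path_rewritten": pe.verify(Packet([CPE, PE, ROGUE, DST], 1, token), 7),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenario().items():
        print(f"{name:16} {'PASS' if ok else 'DROP'}  {why}")
```

Run stand-alone, it prints one PASS or DROP line per case. Note what the lookup does and does not bind: as the page describes, the token indexes a stored ingress interface and next hop, and the node compares only those two values against the packet; the SIDs in the segment list are never retrieved or compared by the node, which is the lookup saving the text claims, so any content of the segment list other than the segment following SL is outside the comparison.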
In order to implement the packet verification method of the embodiments of this application, an embodiment of this application further provides a packet verification apparatus arranged on the first node. As shown in Figure 10, the apparatus includes:
a verification unit 101, configured to verify a first packet based on a first data table; where
the first data table is indexed by token and stores, for each packet forwarding path of at least one packet forwarding path, the first information corresponding to that path; the token is obtained by mapping from the corresponding packet forwarding path.
In an embodiment, the first information includes at least one of the following:
the ingress interface number of the corresponding packet forwarding path at the first node;
the next-hop address of the corresponding packet forwarding path at the first node.
In an embodiment, the apparatus further includes:
a discarding unit, configured to discard the first packet when the verification result of the first packet satisfies at least one of the following conditions:
the first packet carries no token;
the first packet carries a first token, and the first token is not present in the first data table;
the first packet carries a first token, the first token is present in the first data table, and a first ingress interface number does not match a second ingress interface number; the first ingress interface number represents the ingress interface number in the first information indexed by the first token; the second ingress interface number represents the ingress interface number of the first packet at the first node;
the first packet carries a first token, the first token is present in the first data table, and a first next-hop address does not match a second next-hop address; the first next-hop address represents the next-hop address in the first information indexed by the first token; the second next-hop address represents the next-hop address of the first packet at the first node.
In an embodiment, the apparatus further includes:
a first determination unit, configured to determine, based on the first token carried in the first packet, the next-hop address of the first packet in the first data table; where the next-hop address of the first packet is the next-hop address in the first information indexed by the first token.
In an embodiment, the first token is obtained by mapping from the segment list of the first packet.
In an embodiment, the first token carried in the first packet is encapsulated in the SRH of the first packet.
In an embodiment, the apparatus further includes:
a first receiving unit, configured to receive second information delivered by a BGP device; the second information includes a second token and the segment list of a second packet;
a writing unit, configured to write the first information corresponding to the packet forwarding path of the second packet into the first data table; where
the first information corresponding to the packet forwarding path of the second packet is indexed in the first data table by the second token; the first information corresponding to the packet forwarding path of the second packet is determined from the segment list of the second packet.
In an embodiment, the first node includes a PE device and/or a PoP.
In practical application, the first receiving unit may be implemented by a processor of the packet verification apparatus in combination with a communication interface, and the verification unit 101, the discarding unit, the first determination unit and the writing unit may be implemented by the processor of the packet verification apparatus.
It should be noted that the division into the above program modules is given only by way of example for the packet verification performed by the packet verification apparatus of the above embodiment; in practical application, the above processing may be assigned to different program modules as required, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the processing described above. In addition, the packet verification apparatus provided in the above embodiment and the embodiment of the packet verification method on the first node side belong to the same concept; for the specific implementation process, refer to the method embodiment, which is not repeated here.
In order to implement the packet verification method of the embodiments of this application, an embodiment of this application further provides a packet verification apparatus arranged on the CPE. As shown in Figure 11, the apparatus includes:
a first sending unit 111, configured to send a first packet to a first node; where
the first node includes a PE device or a PoP and is configured to verify the first packet based on a first data table; the first data table is indexed by token and stores, for each packet forwarding path of at least one packet forwarding path, the first information corresponding to that path; the token is obtained by mapping from the corresponding packet forwarding path.
In an embodiment, the first information includes at least one of the following:
the ingress interface number of the corresponding packet forwarding path at the first node;
the next-hop address of the corresponding packet forwarding path at the first node.
In an embodiment, the first packet carries at least a first token, and further carries a second ingress interface number and/or an SL; where
the second ingress interface number represents the ingress interface number of the first packet at the first node;
the SL is used by the first node to determine a second next-hop address; the second next-hop address represents the next-hop address of the first packet at the first node.
In an embodiment, the first token is encapsulated in the SRH of the first packet.
In practical application, the first sending unit 111 may be implemented by a processor of the packet verification apparatus in combination with a communication interface.
It should be noted that the division into the above program modules is given only by way of example for the packet verification performed by the packet verification apparatus of the above embodiment; in practical application, the above processing may be assigned to different program modules as required, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the processing described above. In addition, the packet verification apparatus provided in the above embodiment and the embodiment of the packet verification method on the CPE side belong to the same concept; for the specific implementation process, refer to the method embodiment, which is not repeated here.
In order to implement the packet verification method of the embodiments of this application, an embodiment of this application further provides a packet verification apparatus arranged on the BGP device, the BGP device being an SD-WAN controller or a cloud private network controller. As shown in Figure 12, the apparatus includes:
a second sending unit 121, configured to deliver second information to a first node; where
the second information includes a second token and the segment list of a second packet; the second information is used by the first node to write the first information corresponding to the packet forwarding path of the second packet into a first data table;
the first data table is indexed by token and stores, for each packet forwarding path of at least one packet forwarding path, the first information corresponding to that path; the token is obtained by mapping from the corresponding packet forwarding path;
the first information corresponding to the packet forwarding path of the second packet is indexed in the first data table by the second token; the first information corresponding to the packet forwarding path of the second packet is determined from the segment list of the second packet.
In an embodiment, the first information includes one of the following:
the ingress interface number of the corresponding packet forwarding path at the first node;
the next-hop address of the corresponding packet forwarding path at the first node.
In an embodiment, the second sending unit 121 is further configured to deliver the second information to the CPE; where the second information is used by the CPE to encapsulate the second packet.
In an embodiment, the first node includes a PE device and/or a PoP.
In practical application, the second sending unit 121 may be implemented by a processor of the packet verification apparatus in combination with a communication interface.
It should be noted that the division into the above program modules is given only by way of example for the packet verification performed by the packet verification apparatus of the above embodiment; in practical application, the above processing may be assigned to different program modules as required, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the processing described above. In addition, the packet verification apparatus provided in the above embodiment and the embodiment of the packet verification method on the BGP device side belong to the same concept; for the specific implementation process, refer to the method embodiment, which is not repeated here.
Based on the hardware implementation of the above program modules, and in order to implement the method on the first node side of the embodiments of this application, an embodiment of this application further provides a network device. As shown in Figure 13, the network device 13 includes:
a first communication interface 131, capable of exchanging information with other network nodes;
a first processor 132, connected to the first communication interface 131 so as to exchange information with other network nodes, and configured, when running a computer program, to execute the method provided by one or more of the above technical solutions on the first node side. The computer program is stored in a first memory 133.
Specifically, the first processor 132 is configured to verify a first packet based on a first data table; where
the first data table is indexed by token and stores, for each packet forwarding path of at least one packet forwarding path, the first information corresponding to that path; the token is obtained by mapping from the corresponding packet forwarding path.
In an embodiment, the first information includes at least one of the following:
the ingress interface number of the corresponding packet forwarding path at the first node;
the next-hop address of the corresponding packet forwarding path at the first node.
In an embodiment, the first processor 132 is further configured to discard the first packet when the verification result of the first packet satisfies at least one of the following conditions:
the first packet carries no token;
the first packet carries a first token, and the first token is not present in the first data table;
the first packet carries a first token, the first token is present in the first data table, and a first ingress interface number does not match a second ingress interface number; the first ingress interface number represents the ingress interface number in the first information indexed by the first token; the second ingress interface number represents the ingress interface number of the first packet at the first node;
the first packet carries a first token, the first token is present in the first data table, and a first next-hop address does not match a second next-hop address; the first next-hop address represents the next-hop address in the first information indexed by the first token; the second next-hop address represents the next-hop address of the first packet at the first node.
In an embodiment, the first processor 132 is further configured to determine, based on the first token carried in the first packet, the next-hop address of the first packet in the first data table; where the next-hop address of the first packet is the next-hop address in the first information indexed by the first token.
In an embodiment, the first token is obtained by mapping from the segment list of the first packet.
In an embodiment, the first token carried in the first packet is encapsulated in the SRH of the first packet.
In an embodiment, the first communication interface 131 is configured to receive second information delivered by a BGP device; the second information includes a second token and the segment list of a second packet;
the first processor 132 is further configured to write the first information corresponding to the packet forwarding path of the second packet into the first data table; where the first information corresponding to the packet forwarding path of the second packet is indexed in the first data table by the second token; the first information corresponding to the packet forwarding path of the second packet is determined from the segment list of the second packet.
In an embodiment, the first node includes a PE device and/or a PoP.
It should be noted that the specific processing of the first processor 132 and the first communication interface 131 can be understood with reference to the above method.
Of course, in practical application, the components of the network device 13 are coupled together through a bus system 134. It is understood that the bus system 134 is used to implement connection and communication among these components. In addition to a data bus, the bus system 134 includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labelled as the bus system 134 in Figure 13.
The first memory 133 in the embodiments of this application is used to store various types of data to support the operation of the network device 13. Examples of such data include any computer program for operating on the network device 13.
The method disclosed in the above embodiments of this application may be applied in, or implemented by, the first processor 132. The first processor 132 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the first processor 132 or by instructions in the form of software. The first processor 132 may be a general-purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The first processor 132 can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of this application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of this application may be directly embodied as being executed and completed by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, the storage medium being located in the first memory 133; the first processor 132 reads the information in the first memory 133 and, in combination with its hardware, completes the steps of the above method.
In an exemplary embodiment, the network device 13 may be implemented by one or more Application Specific Integrated Circuits (ASIC), DSPs, Programmable Logic Devices (PLD), Complex Programmable Logic Devices (CPLD), Field-Programmable Gate Arrays (FPGA), general-purpose processors, controllers, Micro Controller Units (MCU), microprocessors, or other electronic components, for executing the above method.
Based on the hardware implementation of the above program modules, and in order to implement the CPE-side method of the embodiments of this application, the embodiments of this application further provide a customer terminal device. As shown in Figure 14, the customer terminal device 14 includes:
a second communication interface 141, capable of exchanging information with other network nodes;
a second processor 142, connected to the second communication interface 141 so as to exchange information with other network nodes, and configured, when running a computer program, to perform the method provided by one or more of the above CPE-side technical solutions. The computer program is stored in a second memory 143.
Specifically, the second communication interface 141 is configured to send a first message to a first node; wherein
the first node includes a PE device or a PoP and is used to verify the first message based on a first data table; the first data table is indexed by token and stores first information corresponding to each of at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
In an embodiment, the first information includes at least one of the following:
the ingress interface number of the corresponding message forwarding path at the first node;
the next-hop address of the corresponding message forwarding path at the first node.
In an embodiment, the first message carries at least a first token and further carries a second ingress interface number and/or an SL; wherein
the second ingress interface number represents the ingress interface number of the first message at the first node;
the SL is used by the first node to determine a second next-hop address; the second next-hop address represents the next-hop address of the first message at the first node.
In an embodiment, the first token is encapsulated in the SRH of the first message.
It should be noted that the specific processing of the second processor 142 and the second communication interface 141 can be understood with reference to the above method.
Of course, in practical application, the components in the customer terminal device 14 are coupled together through a bus system 144. It can be understood that the bus system 144 is used to implement connection and communication between these components. Besides a data bus, the bus system 144 also includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labelled as bus system 144 in Figure 14.
The second memory 143 in the embodiments of this application is used to store various types of data to support the operation of the customer terminal device 14. Examples of such data include any computer program used to operate on the customer terminal device 14.
The methods disclosed in the above embodiments of this application may be applied in, or implemented by, the second processor 142. The second processor 142 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by integrated logic circuits of hardware in the second processor 142 or by instructions in the form of software. The second processor 142 may be a general-purpose processor, a DSP, or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc. The second processor 142 may implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of this application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium located in the second memory 143; the second processor 142 reads the information in the second memory 143 and completes the steps of the foregoing method in combination with its hardware.
In an exemplary embodiment, the customer terminal device 14 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general-purpose processors, controllers, MCUs, microprocessors, or other electronic components, for performing the foregoing method.
Based on the hardware implementation of the above program modules, and in order to implement the BGP-device-side method of the embodiments of this application, the embodiments of this application further provide a network device. As shown in Figure 15, the network device 15 includes:
a third communication interface 151, capable of exchanging information with other network nodes;
a third processor 152, connected to the third communication interface 151 so as to exchange information with other network nodes, and configured, when running a computer program, to perform the method provided by one or more of the above BGP-device-side technical solutions. The computer program is stored in a third memory 153.
Specifically, the third communication interface 151 is configured to deliver second information to a first node; wherein
the second information includes a second token and a segment list of a second message; the second information is used by the first node to write the first information corresponding to the message forwarding path of the second message into a first data table;
the first data table is indexed by token and stores first information corresponding to each of at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path;
the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token; the first information corresponding to the message forwarding path of the second message is determined from the segment list of the second message.
In an embodiment, the first information includes one of the following:
the ingress interface number of the corresponding message forwarding path at the first node;
the next-hop address of the corresponding message forwarding path at the first node.
In an embodiment, the third communication interface 151 is further configured to deliver the second information to a CPE; wherein the second information is used by the CPE to encapsulate the second message.
In an embodiment, the first node includes a PE device and/or a PoP.
It should be noted that the specific processing of the third processor 152 and the third communication interface 151 can be understood with reference to the above method.
Of course, in practical application, the components in the network device 15 are coupled together through a bus system 154. It can be understood that the bus system 154 is used to implement connection and communication between these components. Besides a data bus, the bus system 154 also includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labelled as bus system 154 in Figure 15.
The third memory 153 in the embodiments of this application is used to store various types of data to support the operation of the network device 15. Examples of such data include any computer program used to operate on the network device 15.
The methods disclosed in the above embodiments of this application may be applied in, or implemented by, the third processor 152. The third processor 152 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by integrated logic circuits of hardware in the third processor 152 or by instructions in the form of software. The third processor 152 may be a general-purpose processor, a DSP, or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc. The third processor 152 may implement or execute the methods, steps and logical block diagrams disclosed in the embodiments of this application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium located in the third memory 153; the third processor 152 reads the information in the third memory 153 and completes the steps of the foregoing method in combination with its hardware.
In an exemplary embodiment, the network device 15 may be implemented by one or more ASICs, DSPs, PLDs, CPLDs, FPGAs, general-purpose processors, controllers, MCUs, microprocessors, or other electronic components, for performing the foregoing method.
It can be understood that the memories in the embodiments of this application (the first memory 133, the second memory 143 and the third memory 153) may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), magnetic random access memory (FRAM, ferromagnetic random access memory), flash memory, magnetic surface memory, optical disc, or compact disc read-only memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM) and direct Rambus random access memory (DRRAM). The memories described in the embodiments of this application are intended to include, without being limited to, these and any other suitable types of memory.
In an exemplary embodiment, the embodiments of this application further provide a storage medium, namely a computer storage medium, specifically a computer-readable storage medium, for example including the first memory 133 storing a computer program that can be executed by the first processor 132 of the network device 13 to complete the steps of the foregoing first-node-side method. Another example includes the second memory 143 storing a computer program that can be executed by the second processor 142 of the customer terminal device 14 to complete the steps of the foregoing CPE-side method. A further example includes the third memory 153 storing a computer program that can be executed by the third processor 152 of the network device 15 to complete the steps of the foregoing BGP-device-side method. The computer-readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc, CD-ROM or similar memory.
It should be noted that "first", "second" and the like are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.
The term "and/or" in this document merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, A and B together, or B alone. In addition, the term "at least one" in this document means any one of a plurality, or any combination of at least two of a plurality; for example, "including at least one of A, B and C" may mean including any one or more elements selected from the set consisting of A, B and C.
In addition, the technical solutions described in the embodiments of this application may be combined arbitrarily provided that they do not conflict.
The above descriptions are only preferred embodiments of this application and are not intended to limit the scope of protection of this application.

Claims (26)

  1. A message verification method, applied to a first node, the method comprising:
    verifying a first message based on a first data table; wherein
    the first data table is indexed by token and stores first information corresponding to each of at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
  2. The method according to claim 1, wherein the first information includes at least one of the following:
    the ingress interface number of the corresponding message forwarding path at the first node;
    the next-hop address of the corresponding message forwarding path at the first node.
  3. The method according to claim 1, wherein the method further comprises:
    discarding the first message when the verification result of the first message satisfies at least one of the following conditions:
    the first message carries no token;
    the first message carries a first token, and the first token does not exist in the first data table;
    the first message carries a first token, the first token exists in the first data table, and a first ingress interface number does not match a second ingress interface number; the first ingress interface number represents the ingress interface number in the first information indexed by the first token; the second ingress interface number represents the ingress interface number of the first message at the first node;
    the first message carries a first token, the first token exists in the first data table, and a first next-hop address does not match a second next-hop address; the first next-hop address represents the next-hop address in the first information indexed by the first token; the second next-hop address represents the next-hop address of the first message at the first node.
  4. The method according to claim 1, wherein the method further comprises:
    determining, based on the first token carried in the first message, the next-hop address of the first message in the first data table; wherein
    the next-hop address of the first message is the next-hop address in the first information indexed by the first token.
  5. The method according to claim 3 or 4, wherein the first token is obtained by mapping from the segment list of the first message.
  6. The method according to claim 3 or 4, wherein the first token carried in the first message is encapsulated in the segment routing header (SRH) of the first message.
  7. The method according to claim 1, wherein the method further comprises:
    receiving second information delivered by a Border Gateway Protocol (BGP) device; the second information including a second token and a segment list of a second message;
    writing the first information corresponding to the message forwarding path of the second message into the first data table; wherein
    the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token; the first information corresponding to the message forwarding path of the second message is determined from the segment list of the second message.
  8. The method according to claim 1, wherein the first node includes a provider edge (PE) device and/or a point of presence (PoP).
  9. A message verification method, applied to a customer terminal device (CPE), the method comprising:
    sending a first message to a first node; wherein
    the first node includes a PE device or a PoP and is used to verify the first message based on a first data table; the first data table is indexed by token and stores first information corresponding to each of at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
  10. The method according to claim 9, wherein the first information includes at least one of the following:
    the ingress interface number of the corresponding message forwarding path at the first node;
    the next-hop address of the corresponding message forwarding path at the first node.
  11. The method according to claim 9 or 10, wherein the first message carries at least a first token and further carries a second ingress interface number and/or an SL pointer; wherein
    the second ingress interface number represents the ingress interface number of the first message at the first node;
    the SL is used by the first node to determine a second next-hop address; the second next-hop address represents the next-hop address of the first message at the first node.
  12. The method according to claim 11, wherein the first token is encapsulated in the SRH of the first message.
  13. A message verification method, applied to a BGP device, the method comprising:
    delivering second information to a first node; wherein
    the second information includes a second token and a segment list of a second message; the second information is used by the first node to write the first information corresponding to the message forwarding path of the second message into a first data table;
    the first data table is indexed by token and stores first information corresponding to each of at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path;
    the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token; the first information corresponding to the message forwarding path of the second message is determined from the segment list of the second message.
  14. The method according to claim 13, wherein the first information includes one of the following:
    the ingress interface number of the corresponding message forwarding path at the first node;
    the next-hop address of the corresponding message forwarding path at the first node.
  15. The method according to claim 13 or 14, wherein the method further comprises:
    delivering the second information to a CPE; wherein the second information is used by the CPE to encapsulate the second message.
  16. The method according to claim 13 or 14, wherein the first node includes a PE device and/or a PoP.
  17. A message verification apparatus, comprising:
    a verification unit, configured to verify a first message based on a first data table; wherein
    the first data table is indexed by token and stores first information corresponding to each of at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
  18. A message verification apparatus, comprising:
    a first sending unit, configured to send a first message to a first node; wherein
    the first node includes a PE device or a PoP and is used to verify the first message based on a first data table; the first data table is indexed by token and stores first information corresponding to each of at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
  19. A message verification apparatus, comprising:
    a second sending unit, configured to deliver second information to a first node; wherein
    the second information includes a second token and a segment list of a second message; the second information is used by the first node to write the first information corresponding to the message forwarding path of the second message into a first data table;
    the first data table is indexed by token and stores first information corresponding to each of at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path;
    the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token; the first information corresponding to the message forwarding path of the second message is determined from the segment list of the second message.
  20. A network device, comprising a first processor and a first communication interface, wherein
    the first processor is configured to verify a first message based on a first data table; wherein
    the first data table is indexed by token and stores first information corresponding to each of at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
  21. A customer terminal device, comprising a second processor and a second communication interface, wherein
    the second communication interface is configured to send a first message to a first node; wherein
    the first node includes a PE device or a PoP and is used to verify the first message based on a first data table; the first data table is indexed by token and stores first information corresponding to each of at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path.
  22. A network device, comprising a third processor and a third communication interface, wherein
    the third communication interface is configured to deliver second information to a first node; wherein
    the second information includes a second token and a segment list of a second message; the second information is used by the first node to write the first information corresponding to the message forwarding path of the second message into a first data table;
    the first data table is indexed by token and stores first information corresponding to each of at least one message forwarding path; the token is obtained by mapping from the corresponding message forwarding path;
    the first information corresponding to the message forwarding path of the second message is indexed in the first data table by the second token; the first information corresponding to the message forwarding path of the second message is determined from the segment list of the second message.
  23. 一种网络设备,包括第一处理器和用于存储能够在第一处理器上运行的计算机程序的第一存储器,A network device including a first processor and a first memory for storing a computer program capable of running on the first processor,
    其中,所述第一处理器配置为运行所述计算机程序时,执行权利要求1至8任一项所述的方法的步骤。Wherein, the first processor is configured to perform the steps of the method according to any one of claims 1 to 8 when running the computer program.
  24. 一种客户终端设备,包括第二处理器和用于存储能够在第二处理器上运行的计算机程序的第二存储器,A client terminal device including a second processor and a second memory for storing a computer program capable of running on the second processor,
    其中,所述第二处理器配置为运行所述计算机程序时,执行权利要求9至12任一项所述的方法的步骤。Wherein, the second processor is configured to perform the steps of the method according to any one of claims 9 to 12 when running the computer program.
  25. 一种网络设备,包括第三处理器和用于存储能够在第三处理器上运行的计算机程序的第三存储器,A network device including a third processor and a third memory for storing a computer program capable of running on the third processor,
    其中,所述第三处理器配置为运行所述计算机程序时,执行权利要求13至16任一项所述的方法的步骤。Wherein, the third processor is configured to perform the steps of the method according to any one of claims 13 to 16 when running the computer program.
  26. 一种存储介质,其上存储有计算机程序,所述计算机程序被处理器执行时实现权利要求1至8任一项所述的方法的步骤,或实现权利要求9至12任一项所述的方法的步骤,或实现权利要求13至16任一项所述的方法的步骤。 A storage medium with a computer program stored thereon, which when executed by a processor implements the steps of the method described in any one of claims 1 to 8, or implements the method described in any one of claims 9 to 12 The steps of the method, or the steps of implementing the method of any one of claims 13 to 16.
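The claims above describe a first data table on the first node (PE device or PoP) that is indexed by a token mapped from a message forwarding path, populated by a network device that pushes "second information" (a token plus a segment list), and used to verify received messages. The following is an added illustration written for this page; it is not code from the patent or its applicant. Its assumptions are labelled in the code: the token is taken to be the first 8 bytes of a SHA-256 digest over the canonical segment list (the claims only say the token is "mapped from" the forwarding path), the stored "first information" is taken to be the segment list itself, and the `Controller` class stands in for the network device of claim 22. The consistency check in `install`, which refuses an entry whose token does not map from the supplied segment list, is an added hardening step the claims do not state.

```python
"""Token-indexed forwarding-path table, illustrating the claims above.

Added example, not the patent's own code. Assumptions are marked below.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

TOKEN_LEN = 8  # assumption: tokens are a truncated digest


def token_for_path(segment_list: tuple[str, ...]) -> bytes:
    """Map a forwarding path (its segment list) to a token.

    Assumption: SHA-256 over the newline-joined segment identifiers, truncated
    to TOKEN_LEN bytes. The claims do not fix the mapping; any deterministic,
    collision-resistant function of the path serves the same purpose.
    """
    canonical = "\n".join(segment_list).encode("utf-8")
    return hashlib.sha256(canonical).digest()[:TOKEN_LEN]


@dataclass
class FirstNode:
    """PE device or PoP holding the first data table: token -> first information."""

    table: dict[bytes, tuple[str, ...]] = field(default_factory=dict)

    def install(self, token: bytes, segment_list: tuple[str, ...]) -> bool:
        """Handle the second information (token + segment list) from the controller.

        Writes the first information for the path (assumed here to be the segment
        list itself) into the table, indexed by the token. Added check not stated
        in the claims: reject entries whose token does not map from the supplied
        segment list, so a malformed control message cannot plant an entry that a
        later verification would accept.
        """
        path = tuple(segment_list)
        if token_for_path(path) != token:
            return False
        self.table[token] = path
        return True

    def verify(self, token: bytes, segment_list: tuple[str, ...]) -> bool:
        """Verify a received message against the first data table.

        The message carries a token and a segment list; it passes only if the
        token is present in the table and the stored first information equals
        the segment list the message actually carries.
        """
        expected = self.table.get(token)
        return expected is not None and expected == tuple(segment_list)


@dataclass
class Controller:
    """Stand-in for the network device of claim 22 (assumption): it derives the
    token for a path and delivers (token, segment list) to the first node."""

    def second_information(self, segment_list: tuple[str, ...]) -> tuple[bytes, tuple[str, ...]]:
        path = tuple(segment_list)
        return token_for_path(path), path


def demo() -> dict[str, bool]:
    """Run the install-then-verify flow on constructed sample data."""
    ctrl = Controller()
    pe = FirstNode()
    # Constructed sample segment list using documentation addresses (RFC 3849 prefix).
    good_path = ("2001:db8:1::1", "2001:db8:2::1", "2001:db8:3::1")
    token, seg = ctrl.second_information(good_path)
    return {
        "install_ok": pe.install(token, seg),
        "valid_message": pe.verify(token, good_path),
        "unknown_token": pe.verify(b"\x00" * TOKEN_LEN, good_path),
        "path_tampered": pe.verify(token, good_path[:2] + ("2001:db8:ff::1",)),
        "bad_control_message": pe.install(token, good_path[:2]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two failure cases worth noting are `unknown_token` (a token that was never installed) and `path_tampered` (a known token carried by a message whose segment list no longer matches the stored first information); both are rejected because verification compares the carried segment list against the table entry rather than trusting the token alone.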
PCT/CN2023/098576 2022-06-21 2023-06-06 Message verification method and apparatus, and related device and storage medium WO2023246501A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210705160.0A CN117318947A (en) 2022-06-21 2022-06-21 Message verification method, device, related equipment and storage medium
CN202210705160.0 2022-06-21

Publications (1)

Publication Number Publication Date
WO2023246501A1 true WO2023246501A1 (en) 2023-12-28

Family

ID=89279859

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/098576 WO2023246501A1 (en) 2022-06-21 2023-06-06 Message verification method and apparatus, and related device and storage medium

Country Status (2)

Country Link
CN (1) CN117318947A (en)
WO (1) WO2023246501A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1719783A (en) * 2004-07-09 2006-01-11 国际商业机器公司 Method and system for identifying a distributed denial of service (DDOS) attack within a network and defending against such an attack
US20200012798A1 (en) * 2018-07-03 2020-01-09 Visa International Service Association Token state synchronization
US20200195439A1 (en) * 2018-12-18 2020-06-18 Citrix Systems, Inc. Method for securing the rendezvous connection in a cloud service using routing tokens
US20210058373A1 (en) * 2019-08-19 2021-02-25 Hall Labs Llc Token secured routing

Also Published As

Publication number Publication date
CN117318947A (en) 2023-12-29

Similar Documents

Publication Publication Date Title
US9461979B2 (en) Method and system for including network security information in a frame
US9009465B2 (en) Augmenting name/prefix based routing protocols with trust anchor in information-centric networks
US8555056B2 (en) Method and system for including security information with a packet
US10454818B2 (en) CCN name chaining
US9143481B2 (en) Systems and methods for application-specific access to virtual private networks
US11888652B2 (en) VXLAN implementation method, network device, and communications system
US20110113236A1 (en) Methods, systems, and computer readable media for offloading internet protocol security (ipsec) processing using an ipsec proxy mechanism
US10397047B2 (en) Apparatus, system, and method for secure remote configuration of network devices
US20230102984A1 (en) METHOD AND APPARATUS FOR VERIFYING SRv6 PACKET
WO2007103338A2 (en) Technique for processing data packets in a communication network
WO2021013233A1 (en) Evpn packet forwarding method, system, storage medium, and terminal
WO2021197003A1 (en) Boundary filtering method and device for srv6 trust domain
US11418951B2 (en) Method for identifying encrypted data stream, device, storage medium and system
US10708295B1 (en) Network route hijack protection
CN112637237A (en) Service encryption method, system, equipment and storage medium based on SRoU
WO2023246501A1 (en) Message verification method and apparatus, and related device and storage medium
US20240114013A1 (en) Packet processing method, client end device, server end device, and computer-readable medium
WO2023109450A1 (en) Access control method and related device thereof
WO2023179656A1 (en) Srv6 message processing method and apparatus, communication device, and storage medium
WO2024027419A1 (en) Packet sending method, apparatus and system
WO2022063075A1 (en) Billing method and apparatus, communication device, and readable storage medium
CN108989206B (en) Message forwarding method and device
US20210092103A1 (en) In-line encryption of network data
CN113810353A (en) Method for checking application information, message processing method and device
CN117501671A (en) Border Gateway Protocol (BGP) FlowSpec-initiated authorization using route source authorization (ROA)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23826150

Country of ref document: EP

Kind code of ref document: A1