WO2024001987A1 - Method for generating validation rule, and related apparatus - Google Patents


Info

Publication number: WO2024001987A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2023/102311
Other languages: French (fr), Chinese (zh)
Inventors: 黄明庆, 耿男, 庄顺万
Original assignee: 华为技术有限公司


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/40: Network security protocols


Abstract

Disclosed in the embodiments of the present application are a method for generating a validation rule and a related apparatus, which are used to reduce the overhead of generating source address validation rules. The method comprises: a first network device sending a first advertisement message to a second network device, wherein the network prefix in the first advertisement message is the network prefix of the user side of the first network device; and the first network device sending a first probe message to the second network device, wherein the network prefix in the first probe message is the network prefix of the user side of the second network device, and the interface on which the second network device receives the first probe message, together with the network prefix of the user side of the first network device, is used by the second network device to generate a first source address validation rule.

Description

A method for generating a validation rule and related apparatus
This application claims priority to the Chinese patent application No. 202210742345.9, entitled "A method for generating a validation rule and related apparatus", filed with the China National Intellectual Property Administration on June 28, 2022, the entire contents of which are incorporated herein by reference.
Technical field
Embodiments of this application relate to the field of networking, and in particular to a method for generating a validation rule and related apparatus.
Background
Source address spoofing is one of the main threats to Internet security: an attacker can forge the source address of the packets it sends into the address of another host, causing direct or indirect attacks.
Source address validation (SAV) can be used to eliminate source address spoofing attacks. The basic principle of SAV is to check, against SAV rules, whether a packet with a given source address arrived at the network device on a legal interface, and thereby to determine whether the packet is illegitimate; an SAV rule is expressed as a correspondence between a source address and a legal interface. These SAV rules need to be established with the distributed source address validation protocol (DSAV); however, the existing technique does not take actual communication requirements into account, so the DSAV process incurs excessive overhead.
Summary of the invention
This application provides a method for generating a validation rule and related apparatus, for reducing the overhead of generating source address validation rules.
A first aspect of this application provides a method for generating a validation rule:
A first network device sends a first advertisement message to a second network device; the network prefix carried in the first advertisement message is the user-side network prefix of the first network device. The first network device sends a first probe message to the second network device; the network prefix carried in the first probe message is the user-side network prefix of the second network device. The user-side network prefix of the second network device is used to steer the first probe message to the second network device, and the interface on which the second network device receives the first probe message, together with the user-side network prefix of the first network device, is used by the second network device to generate a first source address validation rule.
In this application, a user-side network prefix corresponds to users. Since in real communication scenarios most traffic is between users, and user-side network prefixes are more exposed to attack, it is necessary to validate user-side network prefixes in a targeted way. The network prefix in the first advertisement message is the user-side network prefix of the first network device and the network prefix in the first probe message is the user-side network prefix of the second network device, which makes the generated SAV rules more targeted, greatly reducing overhead and speeding up protocol convergence when routes change.
In a possible implementation, the first source address validation rule includes the interface on which the first probe message was received and the user-side network prefix of the first network device, where the interface on which the first probe message was received is the legal interface for receiving a first packet whose source address belongs to the user-side network prefix of the first network device.
In a possible implementation, the first probe message and the first advertisement message are also used by the network devices that relay them to generate a second source address validation rule.
In this application, the network devices that relay the first probe message and the first advertisement message generate a second SAV rule, so that attack traffic can be identified earlier along the path.
In a possible implementation, the first network device also generates a second advertisement message; the network address carried in the second advertisement message is the network-side address of the first network device. The first network device also sends the second advertisement message to the second network device, and the second advertisement message is used by the second network device to generate a third source address validation rule, which includes the user-side interface of the second network device and the network-side address of the first network device. The third source address validation rule indicates that the user-side interface of the second network device is an illegal interface for receiving a second packet whose source address is the network-side address of the first network device.
In this application, a network-side address corresponds to a network device. Since real communication scenarios also contain illegitimate traffic in which users spoof the source address as the network-side address of the first network device, generating the third SAV rule on the second network device allows this traffic to be blocked at the user-side interface of the second network device, which makes the generated SAV rules more targeted, greatly reducing overhead and speeding up protocol convergence when routes change.
In a possible implementation, the first probe message and the first advertisement message are interior gateway protocol (IGP) messages or border gateway protocol (BGP) messages.
A second aspect of this application provides a method for generating a validation rule:
The first network device generates an advertisement message; the network address carried in the advertisement message is the network-side address of the first network device. The first network device sends the advertisement message to the second network device, and the advertisement message is used by the second network device to generate a source address validation rule. The source address validation rule includes the user-side interface of the second network device and the network-side address of the first network device, and indicates that the user-side interface of the second network device is an illegal interface for receiving a packet whose source address is the network-side address of the first network device.
In this application, a network-side address corresponds to a network device. Since real communication scenarios contain illegitimate traffic in which users spoof the source address as the network-side address of the first network device, generating the third SAV rule on the second network device allows this traffic to be blocked at the user-side interface of the second network device, which makes the generated SAV rules more targeted, greatly reducing overhead and speeding up protocol convergence when routes change.
A third aspect of this application provides a method for generating a validation rule:
The second network device receives a first advertisement message from the first network device; the network prefix carried in the first advertisement message is the user-side network prefix of the first network device. The second network device receives a first probe message from the first network device; the network prefix carried in the first probe message is the user-side network prefix of the second network device, which is used to steer the first probe message to the second network device. The second network device generates a first source address validation rule from the interface on which it received the first probe message and the user-side network prefix of the first network device.
In this application, a user-side network prefix corresponds to users. Since in real communication scenarios most traffic is between users, and user-side network prefixes are more exposed to attack, it is necessary to validate user-side network prefixes in a targeted way. The network prefix in the first advertisement message is the user-side network prefix of the first network device and the network prefix in the first probe message is the user-side network prefix of the second network device, which makes the generated SAV rules more targeted, greatly reducing overhead and speeding up protocol convergence when routes change.
In a possible implementation, the first source address validation rule includes the interface on which the first probe message was received and the user-side network prefix of the first network device, where the interface on which the first probe message was received is the legal interface for receiving a first packet whose source address belongs to the user-side network prefix of the first network device.
In a possible implementation, the first probe message and the first advertisement message are also used by the network devices that relay them to generate a second source address validation rule.
In this application, the network devices that relay the first probe message and the first advertisement message generate a second SAV rule, so that attack traffic can be identified earlier along the path.
In a possible implementation, the second network device also receives a second advertisement message from the first network device; the network address carried in the second advertisement message is the network-side address of the first network device. The second network device also generates a third source address validation rule, which includes the user-side interface of the second network device and the network-side address of the first network device and indicates that the user-side interface of the second network device is an illegal interface for receiving a second packet whose source address is the network-side address of the first network device.
In this application, a network-side address corresponds to a network device. Since real communication scenarios also contain illegitimate traffic in which users spoof the source address as the network-side address of the first network device, generating the third SAV rule on the second network device allows this traffic to be blocked at the user-side interface of the second network device, which makes the generated SAV rules more targeted, greatly reducing overhead and speeding up protocol convergence when routes change.
In a possible implementation, the first probe message and the first advertisement message are IGP messages or BGP messages.
A fourth aspect of this application provides a method for generating a validation rule:
The second network device receives an advertisement message from the first network device; the network address carried in the advertisement message is the network-side address of the first network device. The second network device generates a source address validation rule, which includes the user-side interface of the second network device and the network-side address of the first network device and indicates that the user-side interface of the second network device is an illegal interface for receiving a packet whose source address is the network-side address of the first network device.
In this application, a network-side address corresponds to a network device. Since real communication scenarios contain illegitimate traffic in which users spoof the source address as the network-side address of the first network device, generating the third SAV rule on the second network device allows this traffic to be blocked at the user-side interface of the second network device, which makes the generated SAV rules more targeted, greatly reducing overhead and speeding up protocol convergence when routes change.
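The exchange described in the first to fourth aspects above, modelled as an added example that is not the patent's own code: R2 (the second network device) derives the first rule from R1's user-prefix advertisement plus the probe's ingress interface, derives the third rule from R1's network-side address advertisement, and then applies both rules to packets. The prefixes, addresses, interface names and handler names are assumed for illustration.

```python
"""Added example (not the patent's own code): a two-device model of the
advertisement/probe exchange in aspects one to four. Prefixes, addresses,
interface names and handler names are assumed for illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SavRule:
    prefix: ipaddress.IPv4Network  # source prefix the rule applies to
    interface: str                 # interface the rule is bound to
    legal: bool                    # True: legal ingress; False: illegal ingress


@dataclass
class Device:
    name: str
    user_prefix: ipaddress.IPv4Network    # prefix of the device's user side
    network_addr: ipaddress.IPv4Address   # the device's own network-side address
    user_iface: str                       # interface facing the device's users
    rules: set = field(default_factory=set)
    advertised: dict = field(default_factory=dict)  # peer name -> peer user prefix

    # The three handlers below are the second-device role in the exchange.
    def on_user_prefix_advert(self, sender, peer_user_prefix):
        """First advertisement message: carries the sender's user-side prefix.
        No rule yet; the probe will tell us on which interface it is legal."""
        self.advertised[sender] = peer_user_prefix

    def on_probe(self, sender, ingress, target_prefix):
        """First probe message: its prefix is OUR user-side prefix, so normal
        routing steered it to us. The ingress interface plus the sender's
        advertised user-side prefix form the first source address validation rule."""
        if target_prefix != self.user_prefix:
            raise ValueError("probe not addressed to this device's user-side prefix")
        self.rules.add(SavRule(self.advertised[sender], ingress, legal=True))

    def on_network_addr_advert(self, sender, peer_network_addr):
        """Second advertisement message: carries the sender's network-side address.
        Third rule: that address is an illegal source on our user-side interface,
        since our own users never legitimately source packets from a router."""
        host = ipaddress.ip_network(f"{peer_network_addr}/32")
        self.rules.add(SavRule(host, self.user_iface, legal=False))

    def validate(self, src, ingress):
        """SAV check: True if a packet from `src` arriving on `ingress` passes."""
        src = ipaddress.ip_address(src)
        matched = [r for r in self.rules if src in r.prefix]
        if any(not r.legal and r.interface == ingress for r in matched):
            return False  # explicitly illegal ingress (third rule)
        legal = {r.interface for r in matched if r.legal}
        if legal and ingress not in legal:
            return False  # prefix is bound to other interface(s) (first rule)
        return True       # matches a legal rule, or no rule covers this source


def run_exchange():
    """Constructed scenario: R1 is the first network device, R2 the second."""
    r1 = Device("R1", ipaddress.ip_network("10.1.0.0/16"),
                ipaddress.ip_address("192.0.2.1"), "r1-users")
    r2 = Device("R2", ipaddress.ip_network("10.2.0.0/16"),
                ipaddress.ip_address("192.0.2.2"), "r2-users")
    # 1. R1 -> R2: first advertisement, prefix = R1's user-side prefix.
    r2.on_user_prefix_advert(r1.name, r1.user_prefix)
    # 2. R1 -> R2: first probe, prefix = R2's user-side prefix; it arrives on
    #    R2's interface towards R1 (assumed name "r2-to-r1").
    r2.on_probe(r1.name, "r2-to-r1", r2.user_prefix)
    # 3. R1 -> R2: second advertisement, address = R1's network-side address.
    r2.on_network_addr_advert(r1.name, r1.network_addr)
    return r2


if __name__ == "__main__":
    r2 = run_exchange()
    for rule in sorted(r2.rules, key=str):
        print(rule)
    # A user behind R2 spoofing an R1 user address is dropped at r2-users.
    print(r2.validate("10.1.7.7", "r2-users"))   # False
```

Only the two prefixes the exchange covers are checked; any other source passes, which is what keeps the rule set small compared with probing every prefix in the network.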
A fifth aspect of this application provides a network device used as a first network device:
It includes multiple functional modules that interact to implement the method of the first or second aspect. The functional modules may be implemented in software, hardware or a combination of both, and may be arbitrarily combined or split depending on the specific implementation.
A sixth aspect of this application provides a network device used as a second network device:
It includes multiple functional modules that interact to implement the method of the third or fourth aspect. The functional modules may be implemented in software, hardware or a combination of both, and may be arbitrarily combined or split depending on the specific implementation.
A seventh aspect of this application provides a network device used as a first network device:
It includes a processor and a memory coupled to the processor. The memory stores instructions which, when executed by the processor, cause the network device to perform the method of the first or second aspect.
An eighth aspect of this application provides a network device used as a second network device:
It includes a processor and a memory coupled to the processor. The memory stores instructions which, when executed by the processor, cause the network device to perform the method of the third or fourth aspect.
A ninth aspect of this application provides a computer-readable storage medium storing computer instructions or a program which, when executed, cause a network device to perform the method of any of the foregoing aspects.
A tenth aspect of this application provides a computer program product including computer instructions or a program which, when executed, cause a network device to perform the method of any of the foregoing aspects.
An eleventh aspect of this application provides a network system including a first network device and a second network device, where the first network device performs the method of the first aspect and the second network device performs the method of the third aspect, or the first network device performs the method of the second aspect and the second network device performs the method of the fourth aspect.
Brief description of the drawings
Figure 1 is a schematic diagram of SAV;
Figure 2 is a schematic diagram of the DSAV process;
Figure 3 is another schematic diagram of the DSAV process;
Figure 4 is a schematic diagram of SAV rule generation;
Figure 5 is a schematic diagram of the SPA process;
Figure 6 is a schematic diagram of the DPP process;
Figure 7 is a schematic diagram of an application scenario in an embodiment of this application;
Figure 8 is a schematic flowchart of a method for generating a validation rule in an embodiment of this application;
Figure 9 is a schematic diagram of SAV rule generation in an embodiment of this application;
Figure 10 is another schematic diagram of SAV rule generation in an embodiment of this application;
Figure 11 is another schematic flowchart of a method for generating a validation rule in an embodiment of this application;
Figure 12 is a schematic diagram of a network device in an embodiment of this application;
Figure 13 is another schematic diagram of a network device in an embodiment of this application;
Figure 14 is another schematic diagram of a network device in an embodiment of this application;
Figure 15 is another schematic diagram of a network device in an embodiment of this application;
Figure 16 is another schematic diagram of a network device in an embodiment of this application;
Figure 17 is another schematic diagram of a network device in an embodiment of this application.
具体实施方式Detailed ways
下面结合附图,对本申请的实施例进行描述,显然,所描述的实施例仅仅是本申请一部分的实施例,而不是全部的实施例。本领域普通技术人员可知,随着技术发展和新场景的出现,本申请实施例提供的技术方案对于类似的技术问题,同样适用。 The embodiments of the present application will be described below with reference to the accompanying drawings. Obviously, the described embodiments are only part of the embodiments of the present application, rather than all the embodiments. Persons of ordinary skill in the art will know that with the development of technology and the emergence of new scenarios, the technical solutions provided in the embodiments of this application are also applicable to similar technical problems.
本申请的说明书和权利要求书及上述附图中的术语“第一”、“第二”等是用于区别类似的对象,而不必用于描述特定的顺序或先后次序。应该理解这样使用的数据在适当情况下可以互换,以便这里描述的实施例能够以除了在这里图示或描述的内容以外的顺序实施。此外,术语“包括”和“具有”以及他们的任何变形,意图在于覆盖不排他的包含,例如,包含了一系列步骤或单元的过程、方法、系统、产品或设备不必限于清楚地列出的那些步骤或单元,而是可包括没有清楚地列出的或对于这些过程、方法、产品或设备固有的其它步骤或单元。The terms "first", "second", etc. in the description and claims of this application and the above-mentioned drawings are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It is to be understood that the data so used are interchangeable under appropriate circumstances so that the embodiments described herein can be practiced in sequences other than those illustrated or described herein. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusions, e.g., a process, method, system, product, or apparatus that encompasses a series of steps or units and need not be limited to those explicitly listed. Those steps or elements may instead include other steps or elements not expressly listed or inherent to the process, method, product or apparatus.
为了便于对本申请的理解,下面对本申请所涉及到的概念进行介绍:In order to facilitate the understanding of this application, the concepts involved in this application are introduced below:
请参阅图1,图1为源地址验证(source address validation,SAV)的原理示意图。如图1所示,R2设备上保存有SAV表,该SAV表中包括一个SAV规则,该SAV规则指示具有源前缀P1的报文到达R2设备的合法接口是a接口。也即若上述报文想要通过R2设备,必须由a接口到达R2设备,否则该报文会被R2设备丢弃。在图1中,H1设备是源前缀P1的合法持有者,则根据图1所示出的R2设备上的SAV规则,H1设备发往H3设备的具有源前缀P1的报文可以顺利通过R2设备。另一方面,若H2设备发送伪造的具有源前缀P1的报文,且该报文经过R3设备转发后到达R2设备的b接口。由于该报文无法匹配R2设备上的SAV规则,因此该报文会在R2设备处被丢弃。Please refer to Figure 1, which is a schematic diagram of the principle of source address validation (SAV). As shown in Figure 1, the R2 device stores a SAV table. The SAV table includes a SAV rule. The SAV rule indicates that the legal interface for packets with source prefix P1 to reach the R2 device is interface a. That is to say, if the above packet wants to pass through the R2 device, it must reach the R2 device through the a interface, otherwise the packet will be discarded by the R2 device. In Figure 1, the H1 device is the legal holder of the source prefix P1. According to the SAV rules on the R2 device shown in Figure 1, the packets with the source prefix P1 sent by the H1 device to the H3 device can pass through R2 smoothly. equipment. On the other hand, if the H2 device sends a forged packet with the source prefix P1, and the packet reaches the b interface of the R2 device after being forwarded by the R3 device. Because the packet cannot match the SAV rule on the R2 device, the packet will be discarded by the R2 device.
在上述例子中,R1、R2以及R3为网络中的网络设备,在执行SAV之前,网络中的各个网络设备都需要生成本地的SAV规则。在现有的技术手段中,通常采用分布式源地址验证协议(distributed source address validation,DSAV)令网络中的各个网络设备生成本地的SAV规则,下面进行详细介绍:In the above example, R1, R2, and R3 are network devices in the network. Before executing SAV, each network device in the network needs to generate local SAV rules. Among existing technical means, distributed source address validation (DSAV) is usually used to enable each network device in the network to generate local SAV rules. The following is a detailed introduction:
首先,网络中的探测初始网络设备以其他网络设备作为探测目的网络设备,向其他网络设备发送探测报文。其中,网络中的每个网络设备都可以作为探测初始网络设备,探测报文中需要携带探测初始网络设备的源前缀列表,该源前缀列表用于支持探测报文传输路径上的各个网络设备生成SAV规则,探测初始网络设备发送至各个探测目的网络设备的探测报文中的源前缀列表是一致的。另外,探测报文中还要携带目的前缀列表,该目的前缀列表包含了探测初始网络设备知晓的可达的目的前缀,也即探测目的网络设备的目的前缀,目的前缀列表用于探测报文在网络中传输。First, the initial detection network device in the network uses other network devices as detection destination network devices and sends detection packets to other network devices. Among them, each network device in the network can be used as the initial network device for detection. The detection packet needs to carry the source prefix list of the initial network device for detection. The source prefix list is used to support the generation of each network device on the transmission path of the detection packet. According to SAV rules, the source prefix list in the detection packets sent by the detection initial network device to each detection destination network device is consistent. In addition, the detection packet must also carry a destination prefix list. This destination prefix list contains the reachable destination prefixes known to the initial network device for detection, that is, the destination prefix for the detection destination network device. The destination prefix list is used for the detection packet to transmitted over the network.
包括探测目的网络设备在内的,探测报文的传输路径上的各个网络设备接收到探测报文后,会根据探测报文中的源前缀列表以及该探测报文到达的接口,生成本地的SAV规则,SAV规则体现为源前缀与合法接口的对应关系,合法接口则为探测报文到达的接口。另一方面,探测报文的传输路径上的各个网络设备还会根据探测报文中的目的前缀列表,确定该探测报文接下来的探测出口,并从该探测出口中继探测报文。此外,被中继的探测报文的目的前缀列表也需要依据上述网络设备的本地路由转发信息进行更新。After receiving the detection message, each network device on the transmission path of the detection message, including the detection destination network device, will generate a local SAV based on the source prefix list in the detection message and the interface where the detection message arrives. Rules, SAV rules are reflected in the correspondence between source prefixes and legal interfaces, and the legal interface is the interface where the detection packet arrives. On the other hand, each network device on the transmission path of the detection message will also determine the next detection exit of the detection message based on the destination prefix list in the detection message, and relay the detection message from the detection exit. In addition, the destination prefix list of the relayed probe message also needs to be updated based on the local routing and forwarding information of the above-mentioned network device.
探测报文在传输路径上被不断中继,直到探测报文到达所有探测目的网络设备,此时,探测报文的传输路径上的各个网络设备都能基于探测报文生成本地的SAV规则。The detection message is continuously relayed on the transmission path until the detection message reaches all detection destination network devices. At this time, each network device on the transmission path of the detection message can generate local SAV rules based on the detection message.
请参阅图2,下面对DSAV的流程进行示例性的说明。如图2所示,以A网络设备为探测初始网络设备为示例,B网络设备、C网络设备、D网络设备、E网络设备、F网络设备和G网络设备为探测目的网络设备。A网络设备具有合法的源前缀P1,且A网络设备具有P2、P4、P5、P6和P7的可达路由。如图2所示,A网络设备向两个探测出口发出探测报文,探测报文的本地始发合法源前缀列表均为P1,目的前缀列表则根据最短路径转发的规则确定,即A网络设备去往P2、P4、P5、P6和P7的下一跳为B网络设备,则发往B网络设备的探测报文的目的前缀列表为P2,P4,P5,P6,P7,类似地,发往C网络设备的探测报文的目的前缀列表是P3。Please refer to Figure 2 for an exemplary description of the DSAV process. As shown in Figure 2, network device A is used as the initial network device for detection as an example, and network device B, network device C, network device D, network device E, network device F and network device G are destination network devices for detection. Network device A has a legal source prefix P1, and network device A has reachable routes to P2, P4, P5, P6, and P7. As shown in Figure 2, network device A sends detection packets to two detection exits. The locally originated legal source prefix list of the detection packets is P1, and the destination prefix list is determined according to the shortest path forwarding rule, that is, network device A The next hop to P2, P4, P5, P6 and P7 is network device B, then the destination prefix list of the detection packet sent to network device B is P2, P4, P5, P6, P7. Similarly, the destination prefix list is The destination prefix list of the detection packet of network device C is P3.
Figure 3 builds on Figure 2. After device B receives the probe sent by A, it generates a SAV rule from the source prefix list in the probe and the interface on which the probe arrived at B. B then relays the probe according to its destination prefix list. Specifically, from the destination prefix list P2, P4, P5, P6, P7, B determines that its probe egress interfaces are the B-E and B-D interfaces; the probe sent to device E then carries the destination prefix list P5, P7, and the probe sent to device D carries P4, P6. Because P2 is B's own legal source prefix, P2 no longer appears in the destination prefix lists of the subsequent probes. The remaining steps are the same and are not repeated here.
Figure 4 is a schematic of SAV rule generation. For example, device B receives the probe on its B-A interface, so one SAV rule generated on B is the correspondence between source prefix P1 and the B-A interface: it indicates that the legal interface through which packets with a source address in P1 may enter B is the B-A interface. The other SAV rules are generated in the same way and are not repeated here.
As described above, the probe message sent by the probe-initiating device carries both a source prefix list and a destination prefix list: the destination prefix list steers the probe along its path, and the source prefix list is used to generate SAV rules. In practice a device may have a very large number of source and destination prefixes, so placing both of the initiating device's lists in every probe causes considerable unnecessary overhead. To address this, the DSAV process can be decoupled into a source prefix advertisement (SPA) process and a destination prefix probing (DPP) process, reducing network overhead.
Figure 5 shows an example in which device A is the probe-initiating device. A first generates an SPA message carrying A's source prefix list and A's router-id, then performs SPA: A propagates the SPA message to the other devices by flooding or another protocol mechanism. On receiving the SPA message, each other device records the correspondence between A's router-id and A's source prefix list. As shown in Figure 6, once SPA is complete, A can initiate the DPP process. A sends a DPP message into the network; the DPP message no longer needs to carry A's source prefix list and instead carries A's router-id. Because every device has stored the mapping from A's router-id to its source prefix list, each device that receives the DPP message looks up the source prefix list for the router-id in the message and generates SAV rules from it. For example, after device B receives the DPP message it looks up A's source prefix list by the router-id in the message and generates a SAV rule from the interface on which the DPP message was received; this rule is the same as the one shown in Figure 4. With this design the source prefix list and the destination prefix list are decoupled: when the initiating device's source prefixes change, only the SPA process needs to be re-run, and when the destination prefixes reachable from the initiating device or the forwarding rules change, only the DPP process needs to be re-run, which greatly reduces overhead.
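The probe relay of Figures 2 to 4 and the SPA/DPP decoupling of Figures 5 and 6 can be exercised with a small control-plane simulation. This is an added example, not code from the patent: the topology (links A-B, A-C, B-D, B-E, D-F, E-G), the assignment of one prefix per device, the message dictionaries and the X-Y interface naming are assumptions chosen to reproduce the destination prefix lists given in the text.

```python
"""Simulation of decoupled DSAV: an SPA flood followed by a DPP probe relay.

Added example; the topology, prefix ownership and message layout are
constructed assumptions, not the patent's own code or wire format.
"""
from collections import deque

# Assumption: links of the example network; the interface on X facing Y is "X-Y".
LINKS = [("A", "B"), ("A", "C"), ("B", "D"), ("B", "E"), ("D", "F"), ("E", "G")]
# Assumption: the device that originates each legal source prefix.
OWNER = {"P1": "A", "P2": "B", "P3": "C", "P4": "D", "P5": "E", "P6": "F", "P7": "G"}

ADJ = {}
for _a, _b in LINKS:
    ADJ.setdefault(_a, set()).add(_b)
    ADJ.setdefault(_b, set()).add(_a)


def next_hops(src):
    """Shortest-path next hop from src to every other device (BFS over ADJ)."""
    nh, seen, queue = {}, {src}, deque()
    for n in ADJ[src]:
        nh[n] = n
        seen.add(n)
        queue.append(n)
    while queue:
        cur = queue.popleft()
        for n in ADJ[cur]:
            if n not in seen:
                seen.add(n)
                nh[n] = nh[cur]
                queue.append(n)
    return nh


class Device:
    def __init__(self, name):
        self.name = name
        self.local_prefixes = {p for p, o in OWNER.items() if o == name}
        self.nh = next_hops(name)
        self.spa_table = {}   # router-id -> source prefix list learned from SPA
        self.sav_rules = {}   # source prefix -> legal ingress interface

    def iface(self, peer):
        return f"{self.name}-{peer}"


def run_spa(devices, origin):
    """Flood {router-id, source prefix list}; every other device stores the mapping."""
    msg = {"router_id": origin, "prefixes": sorted(devices[origin].local_prefixes)}
    seen, queue = {origin}, deque([origin])
    while queue:
        cur = queue.popleft()
        for n in ADJ[cur]:
            if n not in seen:
                seen.add(n)
                devices[n].spa_table[msg["router_id"]] = list(msg["prefixes"])
                queue.append(n)
    return msg


def send_probe(devices, sender, router_id, dests, log):
    """Split the destination prefix list by next hop and relay one probe per egress."""
    dev = devices[sender]
    groups = {}
    for p in dests:
        groups.setdefault(dev.nh[OWNER[p]], []).append(p)
    for nxt, plist in sorted(groups.items()):
        log.append((sender, nxt, tuple(plist)))
        receive_probe(devices, nxt, sender, router_id, plist, log)


def receive_probe(devices, receiver, sender, router_id, dests, log):
    """Receiver: SAV rule from (router-id -> prefixes, ingress interface), then relay."""
    dev = devices[receiver]
    ingress = dev.iface(sender)
    for p in dev.spa_table[router_id]:
        dev.sav_rules[p] = ingress
    # Prefixes the receiver originates itself are dropped from the relayed list.
    remaining = [p for p in dests if p not in dev.local_prefixes]
    if remaining:
        send_probe(devices, receiver, router_id, remaining, log)


def run_dsav(origin="A"):
    """SPA then DPP from `origin`; returns (SAV rules per device, relay log)."""
    devices = {n: Device(n) for n in ADJ}
    run_spa(devices, origin)
    dests = [p for p, o in OWNER.items() if o != origin]   # prefixes reachable from origin
    log = []
    send_probe(devices, origin, origin, dests, log)
    return {n: dict(d.sav_rules) for n, d in devices.items()}, log


if __name__ == "__main__":
    rules, log = run_dsav("A")
    for sender, nxt, plist in log:
        print(f"probe {sender} -> {nxt}: destination prefixes {plist}")
    for name, r in sorted(rules.items()):
        print(name, r)
```

Running it reproduces the lists from the text: A sends P2, P4, P5, P6, P7 toward B and P3 toward C; B drops its own P2 and forwards P4, P6 toward D and P5, P7 toward E; every device on the path ends up with the single rule P1 -> interface facing A. Changing A's prefixes only requires `run_spa` again, since the probe carries nothing but the router-id.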
The network scenarios to which the embodiments apply are introduced next. The embodiments can be applied to various intra-domain networks, including backbone networks, metropolitan area networks, data center networks and campus networks. Such a network contains multiple network devices of two kinds: edge network devices, which have both user-side network prefixes and network-side addresses, and network forwarding devices, which have only network-side addresses. Note that a user-side network prefix of an edge device covers multiple user-side addresses, and packets whose source address is one of those user-side addresses enter the intra-domain network through that edge device; the network-side address of a forwarding device is usually the address of its network-side interfaces, including physical and logical interface addresses.
As an example, the network scenario of Figure 7 contains network devices A, B, C, D, E, F and G. Devices A and G are edge network devices; the remaining devices are network forwarding devices. A and G have both user-side and network-side interfaces; the other devices have only network-side interfaces and only network-side addresses. A user-side interface connects user equipment, and a network-side interface connects other network devices. In actual communication, a packet whose source address is a user-side address and whose destination address is a network-side address belongs to user-to-device communication: for example, if the source address falls within A's user-side network prefix and the destination address is B's network-side address, the packet carries communication between a user attached to A and device B. A packet whose source and destination addresses are both user-side addresses belongs to user-to-user communication: for example, if the source address falls within A's user-side prefix and the destination address falls within G's user-side prefix, the packet carries communication between a user attached to A and a user attached to G. A packet whose source and destination addresses are both network-side addresses belongs to device-to-device communication: for example, if the source address is B's network-side address and the destination address is E's network-side address, the packet carries communication between B and E.
In the existing DSAV process, taking the case where both the probe-initiating device and the probe destination devices are edge devices, the SPA message carries the initiating device's user-side network prefixes and network-side addresses, and the DPP message carries the destination device's user-side network prefixes and network-side addresses. This advertisement scheme has two problems. First, in practice most communication is between users, and user addresses are easier to forge than device addresses, so it is user addresses that need targeted validation, while device addresses are generally trusted and can be validated optionally; carrying all user-side prefixes and all network-side addresses in the advertised SPA and DPP messages therefore wastes a great deal of network bandwidth. Second, whenever any address in the network changes, the whole network must re-advertise all user-side prefixes and all network-side addresses, which slows convergence.
The embodiments of this application provide a method for generating validation rules that addresses these problems, reducing the overhead of generating source address validation rules and improving convergence speed.
Referring to Figure 8, the flow of the method for generating validation rules is described below. The method can be applied in the scenario of Figure 7, where the first network device and the second network device are edge devices; for example, the first network device is device A and the second network device is device G in Figure 7:
801. The first network device sends a first advertisement message to the second network device; the network prefix in the first advertisement message is the user-side network prefix of the first network device.
Taking device A as the probe-initiating device: A first generates the first advertisement message, whose network prefix is A's user-side network prefix and which also carries A's identifier, for example its router id. A may obtain its user-side network prefix through direct-route import, static-route import, dynamic-route import or manual configuration. A then floods the first advertisement message through the network; on receiving it, device G records the correspondence between A's user-side network prefix and A's identifier.
802. The first network device sends a first probe message to the second network device; the network prefix in the first probe message is the user-side network prefix of the second network device, and that prefix steers the first probe message to the second network device. The interface on which the second network device receives the first probe message, together with the user-side network prefix of the first network device, is used by the second network device to generate a first source address validation rule.
Device A generates the first probe message, whose network prefix is G's user-side network prefix and which also carries A's identifier. A then sends the first probe message to G, and G generates a SAV rule on receiving it. As shown in Figure 9, if G receives the first probe on its G-E interface (the interface on G that connects to device E), the SAV rule generated by G indicates that G-E is the legal interface on which G may receive packets whose source address falls within A's user-side network prefix; G enables this rule on its network-side interfaces. In an optional implementation, the devices that relay the first advertisement message and the first probe message can also generate SAV rules from them: for example, if devices B and E relay the first advertisement and the first probe, B and E generate SAV rules from them in the same way G does, which is not repeated here. In another implementation, A may instead send G a single target message whose network prefixes are the user-side network prefixes of both A and G. If G receives the target message on its G-E interface, G generates a SAV rule indicating that G-E is the legal interface for receiving packets whose source address falls within A's user-side network prefix, and again enables the rule on its network-side interfaces. Similarly, if G acts as the probe-initiating device, A receives the advertisement message flooded by G, whose network prefix is G's user-side network prefix and which also carries G's identifier, for example its router id, and A also receives a probe message from G whose network prefix is A's user-side network prefix and which carries G's identifier. If A receives the probe from G on its A-B interface (the interface on A that connects to device B), the SAV rule generated by A indicates that A-B is the legal interface for receiving packets whose source address falls within G's user-side network prefix, and A enables the rule on its network-side interfaces.
The above describes how SAV rules are generated for user-to-user communication. In addition, SAV rules must be generated from the network-side addresses of the devices, as described below:
In real networks there is also illegal traffic in which a user forges the source address to be a network-side address. To intercept such traffic, each device in the network advertises its local network-side addresses through the network, and each edge device generates a SAV rule and enables it on its user-side interfaces; the rule indicates that the edge device's user-side interface is an illegal interface for receiving packets whose source address is the network-side address of any device in the intra-domain network.
As an example, building on the preceding embodiment, devices A, B, C, D, E, F and G also flood advertisement messages through the network whose network address is the device's own network-side address; for example, the advertisement flooded by A carries A's network-side address, and this advertisement is the second advertisement message. Referring to Figure 10, after G receives the advertisements from all devices it generates a SAV rule indicating that packets whose source address is the network-side address of A, B, C, D, E, F or G enter G illegally through G's user-side interface; G enables this rule on its user-side interface. Similarly, A generates from the advertisements of all devices a SAV rule indicating that packets whose source address is the network-side address of A, B, C, D, E, F or G enter A illegally through A's user-side interface, and A enables the rule on its user-side interface.
Users also still communicate with network devices in real networks, so corresponding SAV rules are needed for that case as well, described below:
For example, a network administrator attached to device A wants to manage device B. A floods an advertisement message through the network whose network prefix is A's user-side network prefix, then sends B a probe message whose network address is B's network-side address. On receiving the probe, B generates a SAV rule indicating that the interface on which the probe arrived is a legal interface for receiving packets whose source address falls within the user-side network prefix of A carried in the advertisement. Note that A's user-side network prefix in the advertisement and B's network-side address in the probe may both be preconfigured.
In the embodiments, user-side network prefixes are validated in a targeted way, and the SAV rules enabled on the user-side interfaces of edge devices intercept illegal traffic in which a user forges a network-side address as the source. This makes SAV rule generation more targeted, greatly reduces overhead and speeds up protocol convergence when routes change. SAV rules are also generated for user-to-device communication, which broadens the applicability of the scheme.
Referring to Figure 11, another flow of the validation rule generation method is introduced below:
1101. The first network device generates an advertisement message; the network address in the advertisement message is the network-side address of the first network device.
Still using Figure 7, the first network device may be any device in the network, for example device B, and the second network device may be any edge device, for example device G. Devices A, B, C, D, E, F and G each generate an advertisement message whose network address is the device's own network-side address; for example, the advertisement generated by B carries B's network-side address.
1102. The first network device sends the advertisement message to the second network device. The advertisement message is used by the second network device to generate a source address validation rule that includes the user-side interface of the second network device and the network-side address of the first network device; the rule indicates that the user-side interface of the second network device is an illegal interface for receiving packets whose source address is the network-side address of the first network device.
Devices A, B, C, D, E, F and G flood the advertisement messages they generated through the network. After an edge device receives the advertisements from the other devices, it generates a SAV rule and enables it on its user-side interface; the rule indicates that the edge device's user-side interface is an illegal interface for packets whose source address is the network-side address of any device in the network. For example, after G receives the advertisements from all devices it generates a SAV rule indicating that packets whose source address is the network-side address of A, B, C, D, E, F or G enter G illegally through G's user-side interface, and enables it on that interface. Similarly, A generates from the advertisements of all devices a SAV rule indicating that packets whose source address is the network-side address of A, B, C, D, E, F or G enter A illegally through A's user-side interface, and enables it on that interface.
In this embodiment, the SAV rules enabled on the user-side interfaces of edge devices intercept illegal traffic in which a user forges a network-side address as the source address, making SAV rule generation more targeted, greatly reducing overhead and speeding up protocol convergence when routes change.
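The two rule types above (steps 801/802 and the user-to-device case give a permit rule keyed by user-side prefix and ingress interface on network-side interfaces; steps 1101/1102 give a deny rule for network-side source addresses on user-side interfaces), plus the user/device packet classification of Figure 7, can be put together in one small model. This is an added example and not the patent's code: the 10.1.0.0/16 and 10.7.0.0/16 user prefixes, the 192.0.2.x network-side addresses, the interface names (including a second network-side interface G-F on G and a "G-user" interface), the message dictionaries and the choice to permit sources with no matching rule on a network-side interface are all assumptions; the page fixes the rule semantics but no wire format.

```python
"""SAV rule tables of the scheme above and a data-plane source address check.

Added example; addresses, interface names, message dictionaries and the
default for sources without a rule are constructed assumptions.
"""
import ipaddress

# Assumption: user-side prefixes of the two edge devices and the network-side
# address of every device (documentation ranges).
USER_PREFIX = {"A": "10.1.0.0/16", "G": "10.7.0.0/16"}
NET_ADDR = {n: f"192.0.2.{i}" for i, n in enumerate("ABCDEFG", start=1)}


class SavDevice:
    def __init__(self, name, user_ifaces, net_ifaces):
        self.name = name
        self.user_ifaces = set(user_ifaces)
        self.net_ifaces = set(net_ifaces)
        self.prefix_by_router = {}   # router-id -> user-side prefix (first advertisement)
        self.allow = {}              # user-side prefix -> legal network-side ingress interface
        self.net_addrs = {}          # router-id -> network-side address (second advertisement)

    # Control plane: message handlers. `ingress` is the interface the message arrived on.
    def on_user_prefix_adv(self, msg):
        self.prefix_by_router[msg["router_id"]] = ipaddress.ip_network(msg["prefix"])

    def on_probe(self, msg, ingress):
        # The probe was steered here by our user-side prefix (edge device) or our
        # network-side address (forwarding device); the rule pairs the advertising
        # router's user-side prefix with the ingress interface.
        prefix = self.prefix_by_router[msg["router_id"]]
        self.allow[prefix] = ingress

    def on_net_addr_adv(self, msg):
        # Keyed by router-id, so an address change needs only this one
        # advertisement to be re-flooded; the user-side prefixes stay untouched.
        self.net_addrs[msg["router_id"]] = ipaddress.ip_address(msg["address"])

    # Data plane: True = pass, False = drop.
    def validate(self, src, ingress):
        src = ipaddress.ip_address(src)
        if ingress in self.user_ifaces:
            # Deny rule enabled on user-side interfaces: a network-side address
            # is never a legal source arriving from users.
            return src not in self.net_addrs.values()
        if ingress in self.net_ifaces:
            for prefix, legal in self.allow.items():
                if src in prefix:
                    return ingress == legal
            return True   # assumption: no rule covers this source, so it is not checked
        raise ValueError(f"unknown interface {ingress}")


def classify(src, dst):
    """user-user, user-device or device-device, as distinguished in Figure 7's text."""
    def side(addr):
        addr = ipaddress.ip_address(addr)
        if any(addr in ipaddress.ip_network(p) for p in USER_PREFIX.values()):
            return "user"
        if str(addr) in NET_ADDR.values():
            return "device"
        return "unknown"
    return f"{side(src)}-{side(dst)}"


def build_scenario():
    """Replays the advertisements and probes of the text as received by G and B."""
    g = SavDevice("G", user_ifaces={"G-user"}, net_ifaces={"G-E", "G-F"})
    b = SavDevice("B", user_ifaces=set(), net_ifaces={"B-A", "B-D", "B-E"})
    # 801: A floods its user-side prefix together with its router id.
    adv = {"router_id": "A", "prefix": USER_PREFIX["A"]}
    g.on_user_prefix_adv(adv)
    b.on_user_prefix_adv(adv)
    # 802: A's probe, steered by G's user-side prefix, reaches G on G-E (Figure 9);
    # relaying device B saw it on B-A, which is also the probe ingress in the
    # administrator-to-device case.
    probe = {"router_id": "A", "dest_prefix": USER_PREFIX["G"]}
    b.on_probe(probe, ingress="B-A")
    g.on_probe(probe, ingress="G-E")
    # 1101/1102: every device floods its network-side address; the edge device
    # turns them into the deny rule on its user-side interface (Figure 10).
    for rid, addr in NET_ADDR.items():
        g.on_net_addr_adv({"router_id": rid, "address": addr})
    return g, b


if __name__ == "__main__":
    g, b = build_scenario()
    for src, dst, dev, iface in [("10.1.5.5", "10.7.0.9", g, "G-E"),
                                 ("10.1.5.5", "10.7.0.9", g, "G-F"),
                                 ("192.0.2.2", "10.7.0.9", g, "G-user"),
                                 ("10.1.5.5", "192.0.2.2", b, "B-A"),
                                 ("192.0.2.2", "192.0.2.5", g, "G-E")]:
        verdict = "pass" if dev.validate(src, iface) else "drop"
        print(f"{classify(src, dst):14} {src:>10} via {iface:7} -> {verdict}")
```

The first case is a user of A reaching G on the legal interface and passes; the second is the same source arriving on G-F and is dropped; the third is a user attached to G spoofing B's network-side address and is dropped by the user-side deny rule; the fourth is the administrator traffic to B on the legal interface; the fifth is device-to-device traffic, which no rule covers and which therefore passes under the stated assumption.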
Having described the methods for generating validation rules, the network device of the embodiments is introduced next:
Figure 12 is a schematic of the structure of a network device, which may be any network device of the foregoing embodiments. The device is divided into a data plane and a control plane. The data plane validates received service packets against the SAV rules and forwards them according to the ACL table and the FIB. The control plane generates local advertisement and probe messages, receives or relays advertisement and probe messages from other devices, and generates SAV rules either from advertisements alone or from advertisements together with probes. When the data plane receives an advertisement or probe from another device, it passes the message up to the probe/advertisement processing module. That module processes the message, generates the corresponding SAV rule and stores it in the source address validation rule database, which then delivers the rule to the data plane. The processing module also extracts the user-side network prefix or the network-side address from an advertisement and stores it in the user-side network prefix database or the network-side address database respectively. After processing, the module hands the message to the advertisement/probe relay module, which relays it out through the data plane based on the FIB information in the local FIB database and the ACL information in the local ACL database. The advertisement originating module reads the relevant network-side address from the local network-side address database, or the relevant user-side network prefix from the local user-side network prefix database, builds an advertisement message and sends it through the data plane. The probe originating module builds probe messages from the relevant information in the local FIB and ACL databases and sends them through the data plane.
Refer to Figure 13, which is a schematic structural diagram of a network device 1300 in an embodiment of the present application. The network device 1300 serves as the first network device and performs the operations of the first network device in the embodiment shown in Figure 8. The network device 1300 includes a transceiver unit 1301 and a processing unit 1302.
The transceiver unit 1301 is configured to send a first advertisement message to a second network device, where the network prefix in the first advertisement message is the user-side network prefix of the first network device.
The transceiver unit 1301 is further configured to send a first probe message to the second network device, where the network prefix in the first probe message is the user-side network prefix of the second network device. The user-side network prefix of the second network device steers the first probe message to the second network device, and the interface on which the second network device receives the first probe message, together with the user-side network prefix of the first network device, is used by the second network device to generate a first source address validation rule.
In a possible implementation, the first source address validation rule includes the interface that receives the first probe message and the user-side network prefix of the first network device, where the interface that receives the first probe message is the legitimate interface for receiving a first packet, and the source address of the first packet is an address corresponding to the user-side network prefix of the first network device.
In a possible implementation, the first probe message and the first advertisement message are further used by a network device that relays them to generate a second source address validation rule.
In a possible implementation,
the processing unit 1302 is configured to generate a second advertisement message, where the network address in the second advertisement message is the network-side address of the first network device.
The transceiver unit 1301 is further configured to send the second advertisement message to the second network device, where the second advertisement message is used by the second network device to generate a third source address validation rule. The third source address validation rule includes the user-side interface of the second network device and the network-side address of the first network device, and indicates that the user-side interface of the second network device is an illegitimate interface for receiving a second packet whose source address is the network-side address of the first network device.
In a possible implementation, the first probe message and the first advertisement message are IGP messages or BGP messages.
Refer to Figure 14, which is a schematic structural diagram of a network device 1400 in an embodiment of the present application. The network device 1400 serves as the first network device and performs the operations of the first network device in the embodiment shown in Figure 11. The network device 1400 includes a processing unit 1401 and a transceiver unit 1402.
The processing unit 1401 is configured to generate an advertisement message, where the network address in the advertisement message is the network-side address of the first network device.
The transceiver unit 1402 is configured to send the advertisement message to a second network device, where the advertisement message is used by the second network device to generate a source address validation rule. The source address validation rule includes the user-side interface of the second network device and the network-side address of the first network device, and indicates that the user-side interface of the second network device is an illegitimate interface for receiving a packet whose source address is the network-side address of the first network device.
Refer to Figure 15, which is a schematic structural diagram of a network device 1500 in an embodiment of the present application. The network device 1500 serves as the second network device and performs the operations of the second network device in the embodiment shown in Figure 8. The network device 1500 includes a transceiver unit 1501 and a processing unit 1502.
The transceiver unit 1501 is configured to receive a first advertisement message from a first network device, where the network prefix in the first advertisement message is the user-side network prefix of the first network device.
The transceiver unit 1501 is further configured to receive a first probe message from the first network device, where the network prefix in the first probe message is the user-side network prefix of the second network device, and the user-side network prefix of the second network device steers the first probe message to the second network device.
The processing unit 1502 is configured to generate a first source address validation rule from the interface that receives the first probe message and the user-side network prefix of the first network device.
In a possible implementation, the first source address validation rule includes the interface that receives the first probe message and the user-side network prefix of the first network device, where the interface that receives the first probe message is the legitimate interface for receiving a first packet, and the source address of the first packet is an address corresponding to the user-side network prefix of the first network device.
In a possible implementation, the first probe message and the first advertisement message are further used by a network device that relays them to generate a second source address validation rule.
In a possible implementation,
the transceiver unit 1501 is further configured to receive a second advertisement message from the first network device, where the network address in the second advertisement message is the network-side address of the first network device.
The processing unit 1502 is further configured to generate a third source address validation rule. The third source address validation rule includes the user-side interface of the second network device and the network-side address of the first network device, and indicates that the user-side interface of the second network device is an illegitimate interface for receiving a second packet whose source address is the network-side address of the first network device.
In a possible implementation, the first probe message and the first advertisement message are IGP messages or BGP messages.
Refer to Figure 16, which is a schematic structural diagram of a network device 1600 in an embodiment of the present application. The network device 1600 serves as the second network device and performs the operations of the second network device in the embodiment shown in Figure 11. The network device 1600 includes a transceiver unit 1601 and a processing unit 1602.
The transceiver unit 1601 is configured to receive an advertisement message from a first network device, where the network address in the advertisement message is the network-side address of the first network device.
The processing unit 1602 is configured to generate a source address validation rule. The source address validation rule includes the user-side interface of the second network device and the network-side address of the first network device, and indicates that the user-side interface of the second network device is an illegitimate interface for receiving a packet whose source address is the network-side address of the first network device.
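The control-plane exchange described for Figures 12 through 16 (the first network device advertises its user-side prefix, then sends a probe steered by the peer's user-side prefix so that the receiving device binds the arrival interface to the advertised prefix as a legitimate interface, and finally advertises its network-side address so that the peer marks its user-side interfaces as illegitimate for that source) and the data-plane check that uses the resulting rules, as an added Python model. It is not part of the patent and is not Huawei's code. The topology, the interface names (ge0/0/1 and so on), the prefixes and addresses are constructed for the example, and the flooding and FIB lookup are simplified stand-ins for the IGP/BGP relay the text mentions:

```python
"""Toy model of interface-bound source address validation (SAV) rule generation.

Constructed topology (not from the patent): device A owns user-side prefix
10.1.0.0/16 and network-side address 192.0.2.1, device B owns user-side prefix
10.2.0.0/16, and device M sits between them and relays. Interface names are made up.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    """Advertisement message: carries the origin's user-side prefix or network-side address."""
    origin: str
    user_prefix: str | None = None
    network_address: str | None = None


@dataclass(frozen=True)
class Probe:
    """Probe message: steer_prefix is the target's user-side prefix, so the FIB routes it there."""
    origin: str
    steer_prefix: str


@dataclass(frozen=True)
class SavRule:
    interface: str
    prefix: ipaddress.IPv4Network
    permit: bool  # True: legitimate interface for this source; False: illegitimate


class Device:
    def __init__(self, name, user_prefix, user_ifaces, fib):
        self.name = name
        self.user_prefix = ipaddress.ip_network(user_prefix)
        self.user_ifaces = list(user_ifaces)
        self.fib = {ipaddress.ip_network(p): i for p, i in fib.items()}  # dest prefix -> out iface
        self.links = {}                   # local interface -> (peer device, peer interface)
        self.peer_user_prefixes = {}      # user-side network prefix database
        self.peer_network_addresses = {}  # network-side address database
        self.rules = []                   # source address validation rule database
        self.seen = set()                 # flooding de-duplication

    def _add_rule(self, rule):
        if rule not in self.rules:
            self.rules.append(rule)

    def send_advertisement(self, adv):
        self.seen.add(adv)
        for _, (peer, peer_iface) in self.links.items():
            peer.receive_advertisement(adv, peer_iface)

    def receive_advertisement(self, adv, in_iface):
        if adv in self.seen:
            return
        self.seen.add(adv)
        if adv.user_prefix is not None:
            self.peer_user_prefixes[adv.origin] = ipaddress.ip_network(adv.user_prefix)
        if adv.network_address is not None:
            host = ipaddress.ip_network(adv.network_address)  # /32 host route
            self.peer_network_addresses[adv.origin] = host
            # A router's own network-side address must never appear as a source behind a user port.
            for iface in self.user_ifaces:
                self._add_rule(SavRule(iface, host, permit=False))
        for iface, (peer, peer_iface) in self.links.items():  # relay (flood) onward
            if iface != in_iface:
                peer.receive_advertisement(adv, peer_iface)

    def send_probe(self, probe):
        peer, peer_iface = self.links[self.fib[ipaddress.ip_network(probe.steer_prefix)]]
        return peer.receive_probe(probe, peer_iface)

    def receive_probe(self, probe, in_iface):
        """Bind the arrival interface to the origin's advertised user-side prefix."""
        prefix = self.peer_user_prefixes.get(probe.origin)
        if prefix is None:
            return False  # no advertisement from this origin yet; nothing to bind
        self._add_rule(SavRule(in_iface, prefix, permit=True))
        steer = ipaddress.ip_network(probe.steer_prefix)
        if steer == self.user_prefix:
            return True  # the probe has reached its target
        out = self.fib.get(steer)
        if out is None:
            return False
        peer, peer_iface = self.links[out]  # a relaying device keeps its rule and forwards
        return peer.receive_probe(probe, peer_iface)

    def validate(self, in_iface, src):
        """Data-plane check of a service packet's source address against the SAV rules."""
        src = ipaddress.ip_address(src)
        matching = [r for r in self.rules if src in r.prefix]
        if not matching:
            return True  # no binding known for this source; the SAV rules do not judge it
        for r in matching:
            if r.interface == in_iface:
                return r.permit
        # A binding exists but not for this interface: drop only if the legitimate interface is elsewhere.
        return not any(r.permit for r in matching)


def link(d1, i1, d2, i2):
    d1.links[i1] = (d2, i2)
    d2.links[i2] = (d1, i1)


def run_exchange():
    """Run the three-message exchange from the text and return (A, M, B, probe_reached_B)."""
    a = Device("A", "10.1.0.0/16", ["ge0/0/1"], {"10.2.0.0/16": "ge0/0/2"})
    m = Device("M", "10.3.0.0/16", ["ge0/0/1"], {"10.1.0.0/16": "ge0/0/2", "10.2.0.0/16": "ge0/0/3"})
    b = Device("B", "10.2.0.0/16", ["ge0/0/1"], {"10.1.0.0/16": "ge0/0/2"})
    link(a, "ge0/0/2", m, "ge0/0/2")
    link(m, "ge0/0/3", b, "ge0/0/2")
    a.send_advertisement(Advertisement("A", user_prefix="10.1.0.0/16"))    # first advertisement
    reached = a.send_probe(Probe("A", steer_prefix="10.2.0.0/16"))         # first probe
    a.send_advertisement(Advertisement("A", network_address="192.0.2.1"))  # second advertisement
    return a, m, b, reached
```

After `run_exchange()`, B holds a permit rule binding 10.1.0.0/16 to ge0/0/2 and a deny rule for 192.0.2.1/32 on its user port ge0/0/1, and the relaying device M holds its own permit rule for the interface on which the probe arrived, matching the "second source address validation rule" of the relaying device. `validate` then rejects a packet claiming a 10.1.0.0/16 source on B's user port (the legitimate interface is elsewhere) and a packet claiming A's network-side address on that port, while leaving sources with no binding untouched, which is the behaviour a data plane needs so that rule generation for one prefix cannot black-hole unrelated traffic.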
Figure 17 is a schematic structural diagram of a network device provided by this application; the device may be the first network device or the second network device and implements the methods of the foregoing embodiments. The network device 1700 may include one or more central processing units (CPUs) 1701 and a memory 1705, and the memory 1705 stores one or more application programs or data.
The memory 1705 may be volatile storage or persistent storage. The program stored in the memory 1705 may include one or more modules, and each module may include a series of instruction operations on the server. Further, the central processing unit 1701 may be configured to communicate with the memory 1705 and execute, on the network device 1700, the series of instruction operations stored in the memory 1705.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the foregoing method embodiments and are not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

Claims (29)

  1. A method for generating validation rules, characterized in that it comprises:
    a first network device sends a first advertisement message to a second network device, where the network prefix in the first advertisement message is the user-side network prefix of the first network device;
    the first network device sends a first probe message to the second network device, where the network prefix in the first probe message is the user-side network prefix of the second network device, the user-side network prefix of the second network device steers the first probe message to the second network device, and the interface on which the second network device receives the first probe message and the user-side network prefix of the first network device are used by the second network device to generate a first source address validation rule.
  2. The method according to claim 1, characterized in that the first source address validation rule comprises the interface that receives the first probe message and the user-side network prefix of the first network device, where the interface that receives the first probe message is a legitimate interface for receiving a first packet, and the source address of the first packet is an address corresponding to the user-side network prefix of the first network device.
  3. The method according to claim 1 or 2, characterized in that the first probe message and the first advertisement message are further used by a network device that relays the first probe message and the first advertisement message to generate a second source address validation rule.
  4. The method according to any one of claims 1 to 3, characterized in that the method further comprises:
    the first network device generates a second advertisement message, where the network address in the second advertisement message is the network-side address of the first network device;
    the first network device sends the second advertisement message to the second network device, where the second advertisement message is used by the second network device to generate a third source address validation rule, the third source address validation rule comprises the user-side interface of the second network device and the network-side address of the first network device, and the third source address validation rule indicates that the user-side interface of the second network device is an illegitimate interface for receiving a second packet, the source address of the second packet being the network-side address of the first network device.
  5. The method according to any one of claims 1 to 4, characterized in that the first probe message and the first advertisement message are Interior Gateway Protocol (IGP) messages or Border Gateway Protocol (BGP) messages.
  6. A method for generating validation rules, characterized in that it comprises:
    a first network device generates an advertisement message, where the network address in the advertisement message is the network-side address of the first network device;
    the first network device sends the advertisement message to a second network device, where the advertisement message is used by the second network device to generate a source address validation rule, the source address validation rule comprises the user-side interface of the second network device and the network-side address of the first network device, and the source address validation rule indicates that the user-side interface of the second network device is an illegitimate interface for receiving a packet, the source address of the packet being the network-side address of the first network device.
  7. A method for generating validation rules, characterized in that it comprises:
    a second network device receives a first advertisement message from a first network device, where the network prefix in the first advertisement message is the user-side network prefix of the first network device;
    the second network device receives a first probe message from the first network device, where the network prefix in the first probe message is the user-side network prefix of the second network device, and the user-side network prefix of the second network device steers the first probe message to the second network device;
    the second network device generates a first source address validation rule from the interface that receives the first probe message and the user-side network prefix of the first network device.
  8. The method according to claim 7, characterized in that the first source address validation rule comprises the interface that receives the first probe message and the user-side network prefix of the first network device, where the interface that receives the first probe message is a legitimate interface for receiving a first packet, and the source address of the first packet is an address corresponding to the user-side network prefix of the first network device.
  9. The method according to claim 7 or 8, characterized in that the first probe message and the first advertisement message are further used by a network device that relays the first probe message and the first advertisement message to generate a second source address validation rule.
  10. The method according to any one of claims 7 to 9, characterized in that the method further comprises:
    the second network device receives a second advertisement message from the first network device, where the network address in the second advertisement message is the network-side address of the first network device;
    the second network device generates a third source address validation rule, where the third source address validation rule comprises the user-side interface of the second network device and the network-side address of the first network device, and the third source address validation rule indicates that the user-side interface of the second network device is an illegitimate interface for receiving a second packet, the source address of the second packet being the network-side address of the first network device.
  11. The method according to any one of claims 7 to 10, characterized in that the first probe message and the first advertisement message are Interior Gateway Protocol (IGP) messages or Border Gateway Protocol (BGP) messages.
  12. A method for generating validation rules, characterized in that it comprises:
    a second network device receives an advertisement message from a first network device, where the network address in the advertisement message is the network-side address of the first network device;
    the second network device generates a source address validation rule, where the source address validation rule comprises the user-side interface of the second network device and the network-side address of the first network device, and the source address validation rule indicates that the user-side interface of the second network device is an illegitimate interface for receiving a packet, the source address of the packet being the network-side address of the first network device.
  13. A network device, characterized in that the network device serves as a first network device and comprises:
    a transceiver unit, configured to send a first advertisement message to a second network device, where the network prefix in the first advertisement message is the user-side network prefix of the first network device;
    the transceiver unit being further configured to send a first probe message to the second network device, where the network prefix in the first probe message is the user-side network prefix of the second network device, the user-side network prefix of the second network device steers the first probe message to the second network device, and the interface on which the second network device receives the first probe message and the user-side network prefix of the first network device are used by the second network device to generate a first source address validation rule.
  14. The network device according to claim 13, characterized in that the first source address validation rule comprises the interface that receives the first probe message and the user-side network prefix of the first network device, where the interface that receives the first probe message is a legitimate interface for receiving a first packet, and the source address of the first packet is an address corresponding to the user-side network prefix of the first network device.
  15. The network device according to claim 13 or 14, characterized in that the first probe message and the first advertisement message are further used by a network device that relays the first probe message and the first advertisement message to generate a second source address validation rule.
  16. The network device according to any one of claims 13 to 15, characterized in that the network device further comprises a processing unit;
    the processing unit is configured to generate a second advertisement message, where the network address in the second advertisement message is the network-side address of the first network device;
    the transceiver unit is further configured to send the second advertisement message to the second network device, where the second advertisement message is used by the second network device to generate a third source address validation rule, the third source address validation rule comprises the user-side interface of the second network device and the network-side address of the first network device, and the third source address validation rule indicates that the user-side interface of the second network device is an illegitimate interface for receiving a second packet, the source address of the second packet being the network-side address of the first network device.
  17. The network device according to any one of claims 13 to 16, characterized in that the first probe message and the first advertisement message are Interior Gateway Protocol (IGP) messages or Border Gateway Protocol (BGP) messages.
  18. A network device, characterized in that the network device serves as a first network device and comprises:
    a processing unit, configured to generate an advertisement message, where the network address in the advertisement message is the network-side address of the first network device;
    a transceiver unit, configured to send the advertisement message to a second network device, where the advertisement message is used by the second network device to generate a source address validation rule, the source address validation rule comprises the user-side interface of the second network device and the network-side address of the first network device, and the source address validation rule indicates that the user-side interface of the second network device is an illegitimate interface for receiving a packet, the source address of the packet being the network-side address of the first network device.
  19. 一种网络设备,其特征在于,所述网络设备用作第二网络设备,所述网络设备包括:A network device, characterized in that the network device is used as a second network device, and the network device includes:
    收发单元,用于接收来自第一网络设备的第一通告报文,所述第一通告报文中的网络前缀为所述第一网络设备的用户侧的网络前缀;A transceiver unit configured to receive a first notification message from the first network device, where the network prefix in the first notification message is the network prefix of the user side of the first network device;
    所述收发单元,还用于接收来自所述第一网络设备的第一探测报文,所述第一探测报文中的网络前缀为所述第二网络设备的用户侧的网络前缀,所述第二网络设备的用户侧的网络前缀用于引导所述第一探测报文传输至所述第二网络设备;The transceiver unit is also configured to receive a first detection message from the first network device, where the network prefix in the first detection message is the network prefix of the user side of the second network device, and the The user-side network prefix of the second network device is used to guide the transmission of the first detection message to the second network device;
    处理单元,用于根据接收所述第一探测报文的接口以及所述第一网络设备的用户侧的网络前缀,生 成第一源地址验证规则。a processing unit configured to generate a Become the first source address verification rule.
  20. 根据权利要求19所述的网络设备,其特征在于,所述第一源地址验证规则包括所述接收所述第一探测报文的接口和所述第一网络设备的用户侧的网络前缀,其中,所述接收所述第一探测报文的接口为接收第一报文的合法接口,所述第一报文的源地址为与所述第一网络设备的用户侧的网络前缀对应的地址。The network device according to claim 19, wherein the first source address verification rule includes the interface for receiving the first detection message and a network prefix of the user side of the first network device, wherein , the interface that receives the first detection message is a legal interface that receives the first message, and the source address of the first message is an address corresponding to the network prefix on the user side of the first network device.
  21. 根据权利要求19或20所述的网络设备,其特征在于,所述第一探测报文以及所述第一通告报文还用于中继所述第一探测报文以及所述第一通告报文的网络设备生成第二源地址验证规则。The network device according to claim 19 or 20, characterized in that the first detection message and the first notification message are also used to relay the first detection message and the first notification message. The network device generates a second source address verification rule.
  22. 根据权利要求19至21中任一项所述的网络设备,其特征在于,The network device according to any one of claims 19 to 21, characterized in that,
    所述收发单元,还用于接收来自所述第一网络设备的第二通告报文,所述第二通告报文中的网络地址为所述第一网络设备的网络侧的地址;The transceiver unit is also configured to receive a second notification message from the first network device, where the network address in the second notification message is the address of the network side of the first network device;
    所述处理单元,还用于生成第三源地址验证规则,所述第三源地址验证规则包括所述第二网络设备的用户侧接口和所述第一网络设备的网络侧的地址,所述第三源地址验证规则指示所述第二网络设备的用户侧接口为接收第二报文的非法接口,所述第二报文的源地址为所述第一网络设备的网络侧的地址。The processing unit is also configured to generate a third source address verification rule. The third source address verification rule includes the user-side interface of the second network device and the address of the network side of the first network device. The third source address verification rule indicates that the user-side interface of the second network device is an illegal interface for receiving the second message, and the source address of the second message is the network-side address of the first network device.
  23. The network device according to any one of claims 19 to 22, wherein the first probe message and the first advertisement message are Interior Gateway Protocol (IGP) messages or Border Gateway Protocol (BGP) messages.
  24. A network device, wherein the network device serves as a second network device and comprises:
    a transceiver unit, configured to receive an advertisement message from a first network device, the network address in the advertisement message being the network-side address of the first network device;
    the transceiver unit being further used for the second network device to generate a source address verification rule, the source address verification rule comprising the user-side interface of the second network device and the network-side address of the first network device, and the source address verification rule indicating that the user-side interface of the second network device is an illegal interface for receiving a message whose source address is the network-side address of the first network device.
  25. A network device, serving as a first network device, the network device comprising a processor and a memory, the processor being coupled to the memory and the memory being configured to store instructions which, when executed by the processor, cause the network device to perform the method of any one of claims 1 to 6.
  26. A network device, serving as a second network device, the network device comprising a processor and a memory, the processor being coupled to the memory and the memory being configured to store instructions which, when executed by the processor, cause the network device to perform the method of any one of claims 7 to 12.
  27. A computer-readable storage medium storing computer instructions or a program, wherein the computer instructions or program, when executed by a processor, cause a network device to perform the method of any one of claims 1 to 12.
  28. A computer program product comprising computer instructions or a program, wherein the computer instructions or program, when executed by a processor, cause a network device to perform the method of any one of claims 1 to 12.
  29. A network system, comprising a first network device and a second network device, wherein the first network device is configured to perform the method of any one of claims 1 to 5 and the second network device is configured to perform the method of any one of claims 7 to 11, or the first network device is configured to perform the method of claim 6 and the second network device is configured to perform the method of claim 12.
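The rule structure that claims 20, 22 and 24 describe (an interface, a source prefix or address, and a legal/illegal verdict), modelled as an added Python example; this is not the patent's own code. Interface names, prefixes and addresses are constructed, and the most-specific-rule precedence in the check is an assumption.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
# Added illustration of the claims' rule format, not the patent's code; names and
# addresses are constructed and most-specific-rule precedence is an assumption.

@dataclass(frozen=True)
class SavRule:
    interface: str       # interface the rule is bound to
    prefix: IPv4Network  # source prefix (a /32 for a host address)
    legal: bool          # True: legal interface for that source; False: illegal

class SavTable:
    """Source address verification rules held by the second network device."""
    def __init__(self) -> None:
        self.rules: list[SavRule] = []

    def on_probe(self, recv_iface: str, user_prefix: str) -> SavRule:
        # Claim 20: the interface on which the first device's probe arrives is the
        # legal interface for packets sourced from that device's user-side prefix.
        rule = SavRule(recv_iface, ip_network(user_prefix), True)
        self.rules.append(rule)
        return rule

    def on_advertisement(self, user_ifaces: list[str], net_side_addr: str) -> list[SavRule]:
        # Claims 22/24: each user-side interface is an illegal interface for packets
        # whose source address is the first device's network-side address.
        host = ip_network(net_side_addr)  # a bare address becomes a /32 network
        made = [SavRule(i, host, False) for i in user_ifaces]
        self.rules.extend(made)
        return made

    def check(self, iface: str, src: str) -> str:
        """'legal', 'illegal', or 'unknown' when no rule covers (iface, src)."""
        addr = ip_address(src)
        hits = [r for r in self.rules if r.interface == iface and addr in r.prefix]
        if not hits:
            return "unknown"
        best = max(hits, key=lambda r: r.prefix.prefixlen)  # most specific rule wins
        return "legal" if best.legal else "illegal"

def demo() -> dict[str, str]:
    # Device B: ge0/0 faces first device A, ge0/1 faces B's own users (constructed).
    table = SavTable()
    table.on_probe("ge0/0", "10.1.0.0/16")          # A's user-side prefix
    table.on_advertisement(["ge0/1"], "192.0.2.1")  # A's network-side address
    return {
        "user_prefix_on_network_iface": table.check("ge0/0", "10.1.2.3"),
        "peer_addr_from_user_iface": table.check("ge0/1", "192.0.2.1"),
        "uncovered": table.check("ge0/1", "10.1.2.3"),
    }
```

A packet arriving on a user-side interface but claiming the peer's network-side address hits the illegal rule, which is the spoofing case the third rule in claims 22 and 24 is built to catch.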
PCT/CN2023/102311 2022-06-28 2023-06-26 Method for generating validation rule, and related apparatus WO2024001987A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210742345.9A CN117353949A (en) 2022-06-28 2022-06-28 Method and related device for generating verification rule
CN202210742345.9 2022-06-28

Publications (1)

Publication Number Publication Date
WO2024001987A1 true WO2024001987A1 (en) 2024-01-04

Family

ID=89369706

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/102311 WO2024001987A1 (en) 2022-06-28 2023-06-26 Method for generating validation rule, and related apparatus

Country Status (2)

Country Link
CN (1) CN117353949A (en)
WO (1) WO2024001987A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015197978A1 (en) * 2014-06-26 2015-12-30 Orange Method of protecting a router against attacks
CN111200611A (en) * 2020-01-06 2020-05-26 清华大学 Method and device for verifying intra-domain source address based on boundary interface equivalence class
CN112929279A (en) * 2021-03-09 2021-06-08 清华大学 Distributed generation method and device for source address verification table in internet domain
CN114143257A (en) * 2020-09-03 2022-03-04 华为技术有限公司 Method for generating table entry, method, device and system for sending message

Also Published As

Publication number Publication date
CN117353949A (en) 2024-01-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23830165

Country of ref document: EP

Kind code of ref document: A1