CN101917434A - Method for verifying intra-domain Internet protocol (IP) source address - Google Patents
Method for verifying intra-domain Internet protocol (IP) source address
- Publication number: CN101917434A (application CN201010256933A)
- Authority: CN (China)
- Prior art keywords: router, interface, source address, message, ftdb
- Legal status: Granted
Abstract
The embodiment of the invention discloses a method for verifying an intra-domain Internet protocol (IP) source address. The method comprises the following steps: a central controller establishes a mapping relation table, called a filter database (FTDB) in the invention, of source address prefix, destination address prefix and inbound interface; the FTDB is converted into an access list and configured into the access control list (ACL) of a node; and the node filters forged-source-address messages passing through it by means of the ACL. In the scheme provided by the invention, messages are checked and verified by recording the source address, the destination address and the ingress port, which solves the problem of verifying intra-domain IP source addresses under the existing IPv6 or IPv4 protocols.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to a method for verifying an intra-domain Internet protocol (IP) source address.
Background technology
As the environment in which the Internet is used has changed, the defects of Internet technology have gradually come to light; one major problem is that the authenticity of the source address is not guaranteed. In its early days the Internet was used mainly for academic purposes, and all devices in the network were assumed to be trustworthy, so the authenticity of a message's source address was not verified during forwarding. In today's complex Internet environment this general trust in network equipment no longer holds; on the contrary, any device may forge its source address for a particular purpose. Nowadays, network attacks assisted by forged source addresses are very frequent.
Attacks using spoofed IP source addresses are rampant on the Internet; according to statistics from Internet organizations, there are at least 4000 denial-of-service attacks using forged source addresses every week. Such attacks are easy to launch and hard to trace back, which is why forged-source-address attacks have become so widespread.
Many techniques have been proposed in the hope of controlling this class of attack. They fall into three categories:
Path filtering (Filtering): these techniques mainly use routing information to filter out part of the forged-source-address messages. A typical example is ingress filtering, which checks on the gateway whether the source address of a received message lies within the address space of the access subnet, and thereby judges whether the message is legitimate.
End-to-end authentication (End-to-End Approach): these techniques add a mark to the message at the source end; the mark is checked at the message's destination to judge the authenticity of the source address the message carries.
Traceback: traceback techniques are passive. They aim to obtain the path a message has taken across the Internet, so that when an attack occurs the address of the attack source can be obtained by analyzing the packet route.
Although many solutions have appeared, no method can yet ideally solve the source address forgery problem. The lack of support for incremental deployment and the lack of incentive for operators are also major reasons why this problem persists.
Fully deploying ingress filtering is technically the simplest and most effective way, but for lack of an incentive mechanism it cannot be forced to be deployed everywhere. uRPF (Unicast Reverse Path Forwarding) is a more practical alternative, and some existing developments supplement and strengthen uRPF, but it also has fatal shortcomings, such as poor effectiveness for asymmetric routes and powerlessness against source addresses forged on the same reverse path. Demand for this is widespread within a domain, and with the rapid development of IPv6 networks, the need for an intra-domain source address verification scheme supporting both IPv6 and IPv4 has become very urgent.
Therefore, it is necessary to propose an effective technical scheme that solves the problem of verifying intra-domain IP source addresses under the existing IPv6 or IPv4 protocols.
Summary of the invention
The purpose of the present invention is to solve at least one of the above technical deficiencies. In particular, the present invention proposes a scheme deployed on network nodes within a domain, which checks and verifies messages using records of the source address, destination address and ingress port, so as to solve the problem of verifying intra-domain IP source addresses under the existing IPv6 or IPv4 protocols.
To achieve the above object, embodiments of the invention propose a method for verifying an intra-domain Internet protocol (IP) source address, comprising the following steps:
A master controller establishes a mapping relation table FTDB of source address prefix, destination address prefix and incoming interface;
The mapping relation table FTDB is converted into an access list (Access-list) and configured into the access control list (ACL) of a node;
The node filters forged-source-address messages passing through it by means of the ACL.
The above scheme proposed by the present invention checks and verifies messages using records of the source address, destination address and ingress port, so as to solve the problem of verifying intra-domain IP source addresses under the existing IPv6 or IPv4 protocols. It supports both IPv4 and IPv6, does not modify hosts or protocol stacks, adds no new protocol, and accommodates existing address allocation. Compared with ingress filtering, it offers finer granularity and supports IPv6. Compared with IP Source Guard, it supports IPv6. Compared with other methods, its main advantages are that hosts are not modified and all address allocation schemes are accommodated. In addition, the scheme makes very small changes to existing systems, does not affect system compatibility, and is simple and efficient to implement.
Additional aspects and advantages of the present invention are given in part in the following description; in part they will become obvious from the description, or may be learned by practice of the invention.
Description of drawings
The above and/or additional aspects and advantages of the present invention will become obvious and easily understood from the following description of embodiments in conjunction with the accompanying drawings, in which:
Fig. 1 is a schematic diagram of the principle of the computer path filter (CPF);
Fig. 2 is a flow chart of the method for verifying an intra-domain IP source address according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the modules and data flow of the source address verification method according to an embodiment of the invention;
Fig. 4 is a schematic diagram of a deployment example according to an embodiment of the invention.
Embodiment
Embodiments of the invention are described in detail below; examples of the embodiments are shown in the drawings, in which identical or similar labels throughout denote identical or similar elements or elements with identical or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present invention, and are not to be construed as limiting it.
The scheme proposed by the present invention is implemented on network nodes within a domain, for example routers or layer-3 switches. It verifies the source addresses of all traffic passing through a deployment point at prefix granularity: it establishes a mapping between source address prefix, destination address prefix and the interface on which traffic enters the deployment node, converts this mapping into an Access-list configured in the ACL of the deployment node, and uses it to check the authenticity of the message source address. After deployment, the ACL on the deployment node filters forged-source-address messages passing through that node. The scheme stores these mappings in a data table, which the present invention calls the FTDB (Filter DataBase).
First, the principle of CPF (Computer Path Filter) is introduced. Fig. 1 shows the principle of the computer path filter CPF. Although the route forwarding table of each router records only one hop of information, if the route forwarding tables of all routers in the domain are combined, the individual hops can be joined in order to form complete forwarding paths. On the premise that all routes in the domain have converged, any two nodes in the domain are mutually reachable and the path between them is determinate. The route forwarding table of each router stores the routing direction toward every destination prefix; although each router knows only the next hop for forwarding a data message, combining the routing tables of all routers in the domain joins each router's single hop into a complete forwarding path. The complete forwarding path between any two points in the domain can thus be computed. When an attacker sends a forged-source-address message, the path the message takes does not agree with the computed correct path (except when the forged source address lies in the same subnet), so the message can be filtered out by the corresponding filtering rule on the forwarding path. The computed path information includes the incoming interface of each hop; by matching the interface on which a message enters a router, one judges whether the message was forwarded along the correct path, and thereby filters out forged-source-address messages.
To achieve the object of the present invention, a method for verifying an intra-domain IP source address is proposed, comprising the following steps:
A master controller establishes a mapping relation table FTDB of source address prefix, destination address prefix and incoming interface; the mapping relation table FTDB is converted into an access list (Access-list) and configured into the access control list (ACL) of a node; the node filters forged-source-address messages passing through it by means of the ACL.
Fig. 2 is a flow chart of the method for verifying an intra-domain IP source address according to an embodiment of the invention, comprising the following steps:
Step S110: the master controller establishes the mapping relation table FTDB of source address prefix, destination address prefix and incoming interface.
Specifically, establishing the mapping relation table FTDB of source address prefix, destination address prefix and incoming interface comprises:
The master controller obtains the route forwarding table information from all nodes in the domain;
From the obtained route forwarding tables, neighbor tables and interface tables, the neighbor nodes of every router and the interface connections between them are computed, yielding the incoming interface by which each router is connected to each of its neighbors;
From the obtained route forwarding table information, the master controller computes the complete forwarding path between any two prefixes in the domain, and obtains the incoming interface of each hop on the path from the interface mapping table between each router and its neighbors;
From all the path information, the mapping relation table of source address prefix, destination address prefix and incoming interface is generated.
Here, computing the complete forwarding path between any two prefixes in the domain from the obtained route forwarding table information, and obtaining the incoming interface of each hop on the path from the interface mapping table between each router and its neighbors, specifically comprises:
The master controller traverses each entry in the route forwarding table of every router. If the entry is of the directly connected type, the destination prefix `prefix` of the entry is recorded and added to the local subnet prefix table of that router, and an entry (prefix, any, interface) is added to the FTDB of that router, where interface is the outgoing interface of the routing entry. If the entry is of the indirectly connected type, the destination prefix Dst of the entry is first recorded; then, via the next hop address and the computed interface mapping table between every router and its neighbors, the next hop router and the incoming interface by which it is entered are computed, and processing continues in the route forwarding table of that next hop router;
In the current route forwarding table, the routing entry whose destination is Dst is looked up. If that entry is directly connected, the complete forwarding path information for this path has been computed; the incoming interface and destination prefix are recorded and combined with all the preceding path information to form the complete path. If the entry is indirectly connected, the next hop router and incoming interface are found via the next hop address and recorded, the routing entry with destination Dst is looked up in that router's forwarding table, and the computation recurses until the complete forwarding path has been computed.
Here, generating the mapping relation table of source address prefix, destination address prefix and incoming interface from all the path information comprises:
For each path Src → (inIf1) nexthop1 → (inIf2) nexthop2 → ... → (inIfn) Dst, an entry (Src, Dst, inIfi) (i = 1, 2, ..., n-1) is added to the FTDB of router nexthopi;
A filter entry (Src, Dst, inIfn) may also be added for the Dst router;
The FTDB of every router is written to its own file in a fixed format.
Furthermore, the mapping relation table FTDB is established according to the following steps:
Step (A): the method supports incremental deployment. Deployment points are chosen first; some key central nodes may be chosen, for example nodes with a larger number of links, nodes with larger message flow, or nodes that are easy to upgrade and convenient to deploy. This depends mainly on the experience of the network administrator.
Step (B): the master controller obtains information such as the route forwarding tables of all nodes in the domain. Specifically: on the premise that the network administrator has enabled the SNMP agent process on all routers in the domain, the master controller obtains access rights to each node from the network administrator, and then accesses all nodes via the SNMP protocol to obtain the route forwarding table, interface table and neighbor table.
Step (C): from the obtained route forwarding tables, neighbor tables and interface tables, the neighbor nodes of every router and the interface connections between them are computed, yielding the incoming interface by which each router is connected to each neighbor. Specifically: if the next hop in a route forwarding table is a global IP address, the address can be mapped directly to a port on a router by consulting the interface tables of all routers. If the next hop is a link-local address, then, because a router's neighbor table records the link-local addresses of all its neighbors and the interface on which this router connects to each of them, the node owning that link-local address can be found by consulting the interface table addresses of all routers; thus all neighbors of a router are learned, and the incoming interface from a given neighbor into this router is exactly the outgoing interface recorded in the neighbor table of this router as connecting to that neighbor node.
Step (D): from the obtained route forwarding table information, the master controller computes the complete forwarding path between any two prefixes in the domain, and obtains the incoming interface of each hop on the path from the router-to-neighbor interface mapping table computed in step (C). Specifically:
Step (D.1): for each entry in the route forwarding table of every router, if the entry is directly connected, the destination prefix `prefix` of the entry is recorded and added to the local subnet prefix table of that router, and an entry (prefix, any, interface) is added to the FTDB of that router, where interface is the outgoing interface of the routing entry. If the entry is indirectly connected, the destination prefix Dst of the entry is first recorded; then, via the next hop address and the interface mapping table computed in step (C), the next hop router and the incoming interface by which it is entered are computed, processing moves to the route forwarding table of that next hop router, and step (D.2) is entered.
Step (D.2): in the current route forwarding table, the routing entry whose destination is Dst is looked up. If the entry is directly connected, the complete forwarding path has been computed; the incoming interface and destination prefix are recorded and combined with all preceding path information into the complete path. If the entry is indirectly connected, the next hop router and incoming interface are found via the next hop address and recorded, processing moves to the route forwarding table of that next hop router, and step (D.2) is repeated recursively until the complete forwarding path has been computed.
Step (E): all computed path information is split into filter tables. Specifically: for each path Src → (inIf1) nexthop1 → (inIf2) nexthop2 → ... → (inIfn) Dst, an entry (Src, Dst, inIfi) (i = 1, 2, ..., n-1) is added to the FTDB of router nexthopi, and a filter entry (Src, Dst, inIfn) may be added for the Dst router. Finally the FTDB of every router is written to its own file in a fixed format.
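Step (C) above (restated as Step 2.1 later in the description) resolves each next-hop address found in a route forwarding table to the neighbor router that owns it and the interface on that neighbor through which the next hop is entered, using only the interface tables and neighbor tables collected over SNMP. The following is an added example written for this page, not code from the patent: the router names (A, B), interface names, addresses and tables are constructed inputs, and the handling of a link-local next hop (checking that the address is listed in the querying router's neighbor table and that exactly one other router's interface table owns it) is an assumption about how the ambiguity of link-local addresses would be resolved.

```python
"""Constructed example (not from the patent): Step (C) / Step 2.1, mapping
(router, next-hop address) to (neighbor router, incoming interface on it).
All names, addresses and tables below are assumptions."""
from ipaddress import ip_address

# Interface tables: router -> interface -> addresses configured on it
# (global and link-local), as an SNMP interface table would report them.
INTERFACE_TABLES = {
    "A": {"if_1": ["2001:db8:c::1"], "if_3": ["2001:db8:ab::1", "fe80::a"]},
    "B": {"if_2": ["2001:db8:ab::2", "fe80::b"], "if_4": ["2001:db8:s::1"]},
}
# Neighbor tables: router -> own outgoing interface -> neighbor's link-local address.
NEIGHBOR_TABLES = {"A": {"if_3": "fe80::b"}, "B": {"if_2": "fe80::a"}}
# Route forwarding tables: only the next hops of indirect routes matter here.
ROUTE_TABLES = {
    "A": [{"prefix": "2001:db8:s::/64", "next_hop": "fe80::b"}],      # link-local
    "B": [{"prefix": "2001:db8:c::/64", "next_hop": "2001:db8:ab::1"}],  # global
}


def index_addresses(interface_tables):
    """Invert the interface tables: address -> list of (router, interface)."""
    index = {}
    for router, ifaces in interface_tables.items():
        for iface, addrs in ifaces.items():
            for addr in addrs:
                index.setdefault(addr, []).append((router, iface))
    return index


def resolve_next_hop(router, next_hop, index, neighbor_tables):
    """Return (neighbor router, interface on the neighbor owning `next_hop`).

    Global next hop: the address identifies one port of one router directly.
    Link-local next hop: the address must appear in `router`'s neighbor table,
    and the owning router is found from the interface tables of all routers.
    """
    if ip_address(next_hop).is_link_local:
        if next_hop not in neighbor_tables.get(router, {}).values():
            raise LookupError(f"{router}: {next_hop} is not a known neighbor")
    # A router never resolves a next hop to one of its own interfaces.
    owners = [(r, i) for r, i in index.get(next_hop, []) if r != router]
    if len(owners) != 1:
        raise LookupError(f"{router}: next hop {next_hop} owned by {owners}")
    return owners[0]


def build_link_map(route_tables, interface_tables, neighbor_tables):
    """(router, next-hop address) -> (next-hop router, incoming interface on it)
    for every indirect route in the domain; this is the input Step (D) needs."""
    index = index_addresses(interface_tables)
    link_map = {}
    for router, table in route_tables.items():
        for entry in table:
            key = (router, entry["next_hop"])
            if key not in link_map:
                link_map[key] = resolve_next_hop(router, entry["next_hop"],
                                                 index, neighbor_tables)
    return link_map


if __name__ == "__main__":
    for key, value in build_link_map(ROUTE_TABLES, INTERFACE_TABLES,
                                     NEIGHBOR_TABLES).items():
        print(key, "->", value)
```

The incoming interface returned here is the neighbor's own interface that carries the next-hop address, which is the value Step (D) records as inIf for that hop; the reverse direction (the interface on which the querying router receives traffic from that neighbor) is the outgoing interface listed in its neighbor table, as the step describes.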
Step S120: the mapping relation table FTDB is converted into an access list (Access-list) and configured into the access control list (ACL) of the node.
Converting the mapping relation table FTDB into an access list configured into the ACL of the node comprises:
For each entry (Src, Dst, inIf) in the router's FTDB, an ACL rule `permit source Src destination Dst` is constructed, and all rules corresponding to the same incoming interface are grouped into one Access Group;
A final rule `deny any any` is added at the end, and the rules are then applied to the inbound direction of that interface.
Step S130: the node filters forged-source-address messages passing through it by means of the ACL.
Specifically, this comprises:
When a message arrives, the ACL on the arrival interface checks the source and destination addresses of the message and classifies the message by the configured rules;
If the source and destination addresses of the message match some permit rule, the message is classified as a normal message and forwarded;
If the message matches no permit rule in the ACL Group of the interface, it matches the `deny any any` rule, is classified as a forged-source-address message, and is denied: it is filtered out and not forwarded.
In addition, the above scheme can be deployed incrementally on the nodes of the network: central nodes are chosen and deployed first, and then nodes that are easy to upgrade and convenient to deploy.
In addition, when a change in network state causes routing paths to change, the master controller recomputes the paths and updates the mapping relation table FTDB. The FTDB update process repeats, in order, the establishment steps of the FTDB introduced above.
To further set forth the present invention, Fig. 3 shows the modules and data flow of the source address verification method according to an embodiment. The CPF method consists mainly of three modules: the routing table acquisition module, the path and filter table computation module, and the filter rule download module, abbreviated GET, COUNT and SET. Two sets of data are maintained: the routing tables and the FTDB (Filter DataBase). The GET module obtains the routing table data and passes it to the COUNT module; the COUNT module processes and computes on the routing table data to generate the FTDB data, which it passes to the SET module; finally the SET module configures the filtering rules of the FTDB into the routers as required, achieving the filtering effect. The FTDB is the mapping of source address prefix, destination address prefix and incoming interface, and is the key data basis for message verification.
This scheme is deployed on network nodes within a domain. The following steps show the deployment and working process of the scheme.
Step 1: this step collects and records the routing tables and interface tables of all nodes in the domain. First the management addresses and access rights of all routers in the domain are obtained from the network administrator; then the routing tables, interface tables and other information of all routers are obtained via the SNMP protocol.
Step 2: this step completes the computation of the FTDB:
Step 2.1: from the routing table data, find the interface by which each router connects to each neighbor router, i.e. the incoming interface. There are two methods: deduce the incoming interface from the outgoing interface of the routing entry, or deduce it from the entries of the neighbor table;
Step 2.2: traverse each entry of the routing table of router Src. If the entry is directly connected, record the destination prefix as a subnet prefix belonging to this router. If the entry is indirectly connected, record the destination prefix Dest, find the next hop router from the next hop address in the routing entry, and record the incoming interface inIf from this router into the next hop router (computed in step 2.1). Then move to the route forwarding table of that next hop router nextHop and enter step 2.3;
Step 2.3: add an entry (Src, Dest, inIf) to the tempFTDB of the current router, where Src is the router Src (router number) of step 2.2, Dest is the destination prefix of the entry recorded in step 2.2, and inIf is the current incoming interface. Traverse the route forwarding table of the current router to find the routing entry whose destination is Dest. If that entry is directly connected, the full path has been computed; return to step 2.2 and continue with the next routing entry, or enter step 2.4 if all entries have been traversed. If the entry is indirectly connected, find the next hop router from its next hop address, record the incoming interface inIf from this router into the next hop router, move to the route forwarding table of that next hop router nextHop, and enter step 2.3 again;
Step 2.4: steps 2.2 and 2.3 yield the subnet prefixes belonging to every router and a tempFTDB. The tempFTDB differs from the FTDB in that its Src field is not a source address prefix but a source router number. Therefore, for each entry (Src, Dest, inIf) of the tempFTDB, the n subnet prefixes belonging to router Src are substituted for Src to construct n FTDB entries (SrcPrefix, Dest, inIf), which are added to the FTDB of the router holding that tempFTDB entry. Finally the FTDB tables of all routers are obtained;
Step 2.5: the FTDB tables of all routers have now been computed; next the filtering rules are downloaded to the deployment points. For each entry (Src, Dst, inIf) of the FTDB of a router, where Src and Dst are subnet prefixes, an ACL rule `permit source Src destination Dst` is created and applied to the inbound direction of inIf; for each subnet prefix `prefix` of a router, with corresponding interface `interface`, an ACL rule `permit source prefix destination any` is created and applied to the inbound direction of `interface`. Once the ACL rules are configured at all deployment nodes, message source address verification can be carried out.
Step 3: this step verifies the authenticity of the message source address; the message verification module decides whether a packet is dropped or passed. Because the filtering rules have been configured into the ACL of the deployment node, CPF message verification needs only the normal operation of the router's ACL.
Step 4: the route forwarding tables change constantly, which means the mapping records in the FTDB must be updated constantly. Whenever the network state changes and causes the routing tables to change:
Step 4.1: the method detects the change of the routing tables. Once a routing table change is detected, the master controller immediately returns to step 1, obtains the routing tables again and recomputes the FTDB;
Step 4.2: while the FTDB is being recomputed, the CPF message verification module does not check incoming messages until the new FTDB has been computed. Otherwise both false negatives and false positives may increase greatly.
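Steps (D) and (E) above, and their restatement as Steps 2.2 to 2.5 here, are one algorithm: walk every indirect route hop by hop through the other routers' forwarding tables, record the incoming interface at each hop against the source router (the tempFTDB), substitute the source router's own subnet prefixes for its number, and finally emit one Access Group of permit rules per incoming interface closed by `deny any any`. The following is an added example written for this page, not the patent's code: the three-router domain (R1, R2, R3), its prefixes, interfaces and route tables are constructed, and the `LINK_MAP` is given as input because it is what Step (C) / Step 2.1 produces. The hop bound and the missing-route error are assumptions that make the convergence premise from the CPF principle explicit.

```python
"""Constructed example (not from the patent): Steps (D)/(E) = Steps 2.2-2.5.
Computes every router's FTDB from per-router route forwarding tables and
converts one router's FTDB into per-interface ACL rules.  The domain below
is an assumption; LINK_MAP is the Step (C) / 2.1 result, supplied as input."""

# Route forwarding tables.  Direct entries carry the outgoing interface;
# indirect entries carry the next-hop address.
ROUTE_TABLES = {
    "R1": [{"prefix": "10.1.0.0/16", "direct": True, "out_if": "eth0"},
           {"prefix": "10.2.0.0/16", "direct": False, "next_hop": "10.12.0.2"},
           {"prefix": "10.3.0.0/16", "direct": False, "next_hop": "10.12.0.2"}],
    "R2": [{"prefix": "10.2.0.0/16", "direct": True, "out_if": "eth0"},
           {"prefix": "10.1.0.0/16", "direct": False, "next_hop": "10.12.0.1"},
           {"prefix": "10.3.0.0/16", "direct": False, "next_hop": "10.23.0.3"}],
    "R3": [{"prefix": "10.3.0.0/16", "direct": True, "out_if": "eth0"},
           {"prefix": "10.1.0.0/16", "direct": False, "next_hop": "10.23.0.2"},
           {"prefix": "10.2.0.0/16", "direct": False, "next_hop": "10.23.0.2"}],
}
# (router, next-hop address) -> (next-hop router, incoming interface on it).
LINK_MAP = {
    ("R1", "10.12.0.2"): ("R2", "eth1"),
    ("R2", "10.12.0.1"): ("R1", "eth1"),
    ("R2", "10.23.0.3"): ("R3", "eth1"),
    ("R3", "10.23.0.2"): ("R2", "eth2"),
}


def lookup(route_table, prefix):
    """Step (D.2): the routing entry of the current router whose destination is `prefix`."""
    for entry in route_table:
        if entry["prefix"] == prefix:
            return entry
    raise KeyError(f"no route to {prefix}: routes have not converged")


def compute_ftdb(route_tables, link_map):
    """Return (ftdb, local_prefixes).  ftdb: router -> set of
    (src_prefix, dst_prefix, in_if); local_prefixes: router -> its subnets."""
    local = {r: [] for r in route_tables}
    temp = {r: set() for r in route_tables}        # tempFTDB: (src_router, dst, in_if)
    ftdb = {r: set() for r in route_tables}
    for router, table in route_tables.items():      # Step (D.1): local subnets
        for entry in table:
            if entry["direct"]:
                local[router].append(entry["prefix"])
                ftdb[router].add((entry["prefix"], "any", entry["out_if"]))
    for src, table in route_tables.items():         # Step 2.2: each indirect route of Src
        for entry in table:
            if entry["direct"]:
                continue
            dst, cur = entry["prefix"], src
            for _ in range(len(route_tables)):      # a loop-free path visits each router once
                hop = lookup(route_tables[cur], dst)
                if hop["direct"]:                   # Dst router reached: path complete
                    break
                cur, in_if = link_map[(cur, hop["next_hop"])]
                temp[cur].add((src, dst, in_if))    # Step 2.3 / (E): record at every hop
            else:
                raise RuntimeError(f"{src}->{dst}: forwarding loop or unconverged routes")
    for router, entries in temp.items():            # Step 2.4: router number -> prefixes
        for src_router, dst, in_if in entries:
            for src_prefix in local[src_router]:
                ftdb[router].add((src_prefix, dst, in_if))
    return ftdb, local


def build_access_lists(router_ftdb):
    """Step S120 / 2.5: one Access Group per incoming interface, closed by deny any any."""
    groups = {}
    for src, dst, in_if in sorted(router_ftdb):
        groups.setdefault(in_if, []).append(f"permit source {src} destination {dst}")
    for rules in groups.values():
        rules.append("deny any any")
    return groups


if __name__ == "__main__":
    ftdb, _ = compute_ftdb(ROUTE_TABLES, LINK_MAP)
    for in_if, rules in build_access_lists(ftdb["R2"]).items():
        print(in_if, rules)
```

The entry recorded for the final hop is the optional (Src, Dst, inIfn) entry of Step (E) for the Dst router; dropping the last `temp[cur].add` on the iteration that precedes the direct lookup would omit it. The `deny any any` closing rule is what turns an incomplete or stale FTDB into false positives, which is why Step 4.2 suspends checking during recomputation.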
Fig. 4 is a schematic diagram of a deployment example according to an embodiment. Host C is a host under the prefix Prefix of a router; suppose that, according to the routing tables, a message from host C to server S is forwarded along the blue dashed path shown in the figure.
As the figure shows, the message enters node A through interface if_1 of CPF deployment point A, where a CPF message verification is performed; if it fails the check, it is dropped at A. Otherwise the message continues to be forwarded and enters node B through interface if_2 of CPF deployment point B, where CPF verification is performed again; if it fails the check, it is dropped at B; otherwise the message continues to be forwarded and finally reaches server S.
If the source address of the message is forged, for example the message is sent by a host under prefix PrefixD of router D but its source address is forged to be the address of host C, then when passing CPF deployment point A it should enter from interface if_3 of router A rather than from if_1. The source and destination addresses claimed by the message locate an entry in the FTDB that CPF computed for router A whose third field, the incoming interface, is if_1, while the interface on which the message actually reached router A is if_3; the incoming interfaces do not match, so router A treats the message as a forged-source-address message and filters it out. In practice this step is completed by the ACL of the router.
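The check performed at deployment point A in this example is Step S130 applied to one Access Group: the rules of the arrival interface are evaluated in order and the closing `deny any any` catches every (source, destination) pair that does not belong on that interface, which is exactly how the message from router D's prefix claiming host C's address is caught on if_3. The following is an added example written for this page, not the patent's code. The interface names follow Fig. 4; the prefixes of C, D and S, the host addresses and the two FTDB entries of router A are constructed assumptions, and so is the choice to leave an interface with no configured Access Group unchecked. It also models Step 4.2 by letting the verifier pass messages while the controller recomputes the FTDB.

```python
"""Constructed example (not from the patent): Step S130 at CPF deployment
point A of Fig. 4, plus the Step 4.2 suspension.  Interface names follow
the figure; prefixes, host addresses and FTDB entries are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source prefix or "any"
    dst: str      # destination prefix or "any"

    def matches(self, src_ip, dst_ip):
        def hit(spec, ip):
            return spec == "any" or ip_address(ip) in ip_network(spec)
        return hit(self.src, src_ip) and hit(self.dst, dst_ip)


def build_acl_groups(ftdb):
    """Step S120: one Access Group per incoming interface, built from that
    interface's FTDB entries and closed by the rule deny any any."""
    groups = {}
    for src, dst, in_if in sorted(ftdb):
        groups.setdefault(in_if, []).append(Rule("permit", src, dst))
    for rules in groups.values():
        rules.append(Rule("deny", "any", "any"))
    return groups


class CpfVerifier:
    """ACL check on the arrival interface of one deployment node."""

    def __init__(self, ftdb):
        self.groups = build_acl_groups(ftdb)
        self.recomputing = False

    def begin_recompute(self):
        """Step 4.1: routing change detected, controller is rebuilding the FTDB."""
        self.recomputing = True

    def install(self, ftdb):
        """SET module: load the recomputed FTDB and resume checking."""
        self.groups = build_acl_groups(ftdb)
        self.recomputing = False

    def check(self, in_if, src_ip, dst_ip):
        if self.recomputing:           # Step 4.2: no checking until the new FTDB exists
            return "permit"
        rules = self.groups.get(in_if)
        if rules is None:              # assumption: no Access Group means no check
            return "permit"
        for rule in rules:             # first matching rule decides
            if rule.matches(src_ip, dst_ip):
                return rule.action
        return "deny"                  # not reached: the closing deny rule always matches


# FTDB of router A (constructed): host C's prefix reaches S's prefix via if_1,
# router D's prefix PrefixD reaches S's prefix via if_3.
FTDB_A = {
    ("192.0.2.0/24", "203.0.113.0/24", "if_1"),
    ("198.51.100.0/24", "203.0.113.0/24", "if_3"),
}


def fig4_verdicts():
    """The genuine message from C on if_1, the same addresses arriving on if_3
    (a PrefixD host claiming C's address), and an honest PrefixD host on if_3."""
    a = CpfVerifier(FTDB_A)
    return {
        "C_to_S_on_if_1": a.check("if_1", "192.0.2.10", "203.0.113.5"),
        "spoofed_C_on_if_3": a.check("if_3", "192.0.2.10", "203.0.113.5"),
        "D_host_to_S_on_if_3": a.check("if_3", "198.51.100.7", "203.0.113.5"),
    }


if __name__ == "__main__":
    for name, verdict in fig4_verdicts().items():
        print(f"{name}: {verdict}")
```

Because the permit rules key on the prefix pair and not on the host, a forged source address inside the same subnet as the real sender is not detectable here, which is the exception the CPF principle section states.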
One of ordinary skill in the art will appreciate that and realize that all or part of step that the foregoing description method is carried is to instruct relevant hardware to finish by program, described program can be stored in a kind of computer-readable recording medium, this program comprises one of step or its combination of method embodiment when carrying out.
In addition, each functional unit in each embodiment of the present invention can be integrated in the processing module, also can be that the independent physics in each unit exists, and also can be integrated in the module two or more unit.Above-mentioned integrated module both can adopt the form of hardware to realize, also can adopt the form of software function module to realize.If described integrated module realizes with the form of software function module and during as independently production marketing or use, also can be stored in the computer read/write memory medium.
The above-mentioned storage medium of mentioning can be a read-only memory, disk or CD etc.
Claims (8)
1. A method for verifying an intra-domain Internet protocol (IP) source address, characterized in that it comprises the following steps:
a master controller establishes a mapping relation table FTDB of source address prefix, destination address prefix and ingress interface;
the mapping relation table FTDB is converted into an access list (Access-list) and configured into the access control list (ACL) of a node;
the node filters forged-source-address packets passing through the node by means of the access control list ACL.
2. The method of claim 1, characterized in that establishing the mapping relation table FTDB of source address prefix, destination address prefix and ingress interface comprises:
the master controller obtains the route forwarding table information of all nodes in the domain;
the neighbour nodes of all routers and the interface connection relations between them are calculated from the obtained route forwarding tables, neighbour tables and interface tables, thereby obtaining the ingress interface through which each router is connected to each of its neighbour nodes;
the master controller calculates the complete forwarding path between any two prefixes in the domain from the obtained route forwarding table information, and obtains the ingress interface of each hop in the path from the interface mapping table between a router and its neighbours;
the mapping relation table of source address prefix, destination address prefix and ingress interface is generated from all the path information.
3. The method of claim 2, characterized in that the master controller calculating the complete forwarding path between any two prefixes in the domain from the obtained route forwarding table information, and obtaining the ingress interface of each hop in the path from the interface mapping table between a router and its neighbours, specifically comprises:
the master controller traverses each entry in the route forwarding table of every router; if the entry is of the directly connected type, the destination address prefix (prefix) of the entry is recorded and added to the local subnet prefix table of that router, and an entry (prefix, any, interface) is added to the FTDB table of that router, where interface denotes the outgoing interface of that routing entry; if the entry is of the indirectly connected type, the destination address prefix Dst of the entry is recorded first, then, via the next-hop address and according to the calculated mapping table of connecting interfaces between every router and its neighbours, the next-hop router and the ingress interface through which the next-hop router is entered are calculated, and the route forwarding table of the next-hop router is entered;
in the current route forwarding table, the routing entry whose destination is Dst is looked up; if this entry is directly connected, the complete forwarding path information for this path has been calculated, and the ingress interface and destination address prefix are recorded and combined with all the preceding path information to form the complete path information; if this entry is indirectly connected, the next-hop router and ingress interface information are found via the next-hop address and recorded, the routing entry whose destination is Dst is looked up in the current route forwarding table, and the calculation proceeds recursively until the complete forwarding path has been calculated.
4. The method of claim 3, characterized in that generating the mapping relation table of source address prefix, destination address prefix and ingress interface from all the path information comprises:
for each path Src → (inIf1) nexthop1 → (inIf2) nexthop2 → ... → (inIfn) Dst, an entry (Src, Dst, inIfi) (i = 1, 2, ..., n-1) is added to the FTDB of router nexthopi respectively;
for the Dst router, a filtering entry (Src, Dst, inIfn) is added;
the FTDB of every router is printed into its own corresponding file, with a fixed format.
5. The method of claim 4, characterized in that converting the mapping relation table FTDB into an access list Access-list configured into the access control list ACL of the node comprises:
for each entry (Src, Dst, inIf) in a router's FTDB, an ACL rule of the form permit source Src destination Dst is constructed, and all rules corresponding to the same ingress interface are grouped into one Access Group;
a rule deny any any is added at the end, after which the rules are applied to the inbound direction of that interface.
6. The method of claim 5, characterized in that the node filtering forged-source-address packets passing through the node by means of the access control list ACL comprises:
when a packet arrives, the ACL on the arrival interface checks the source address and destination address of the packet and classifies the packet according to the configured rules;
if the source address and destination address of the packet match a permit rule, the packet is classified as a normal packet and forwarded;
if it matches no permit rule in the ACL Group corresponding to that interface, it matches the rule deny any any, and the packet is classified as a forged-source-address packet and is denied, filtered out and not forwarded.
7. The method of claim 1, characterized in that the nodes in the network are deployed incrementally: a central node is chosen and deployed first, and thereafter nodes that are easy to upgrade and convenient to deploy are chosen and deployed.
8. The method of claim 1, characterized in that when a change in network state causes a routing path to change, the master controller recalculates the paths and updates the mapping relation table FTDB.
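As an added illustration (not code from the patent or its applicant), the following Python script simulates the procedure of claims 2 through 6 together with the filtering example in the description: it follows next hops through constructed per-router forwarding tables and a constructed neighbour interface map to compute forwarding paths, builds each router's FTDB of (source prefix, destination prefix, ingress interface) entries, converts an FTDB into per-interface permit rules with a trailing deny any any, and checks a legitimate and a spoofed packet at router A. All routers, interfaces, prefixes and packets are constructed; the names if_1, if_2 and if_3 echo the description but the topology is an assumption.

```python
"""Added illustration (not the patent's code): controller-side simulation of the
FTDB -> ACL source address verification scheme. Every table below is constructed."""
from ipaddress import ip_address, ip_network

# Constructed forwarding tables: router -> {destination prefix: (next-hop router,
# outgoing interface)}; next-hop None marks a directly connected subnet.
RIB = {
    "A": {"10.3.0.0/24": ("C", "if_1"), "10.4.0.0/24": ("D", "if_3"), "10.2.0.0/24": ("B", "if_2")},
    "B": {"10.2.0.0/24": (None, "if_0"), "10.3.0.0/24": ("A", "if_2"), "10.4.0.0/24": ("A", "if_2")},
    "C": {"10.3.0.0/24": (None, "if_0"), "10.4.0.0/24": ("A", "if_1"), "10.2.0.0/24": ("A", "if_1")},
    "D": {"10.4.0.0/24": (None, "if_0"), "10.3.0.0/24": ("A", "if_1"), "10.2.0.0/24": ("A", "if_1")},
}
# Constructed neighbour/interface map (claim 2): (sender, receiver) -> the interface
# on the receiver through which the sender's traffic enters it.
INGRESS = {("C", "A"): "if_1", ("D", "A"): "if_3", ("B", "A"): "if_2",
           ("A", "B"): "if_2", ("A", "C"): "if_1", ("A", "D"): "if_1"}


def forward_path(router, dst, hops=()):
    """Claim 3: follow next hops until a directly connected entry is reached.
    Returns [(hop router, ingress interface on that hop), ...] after the start router."""
    next_hop, _ = RIB[router][dst]
    if next_hop is None:
        return list(hops)
    if len(hops) > len(RIB):  # more hops than routers: a routing loop, no complete path
        raise RuntimeError(f"no complete path towards {dst}")
    return forward_path(next_hop, dst, hops + ((next_hop, INGRESS[(router, next_hop)]),))


def build_ftdb():
    """Claims 2-4: FTDB[router] = set of (src prefix, dst prefix or 'any', ingress interface)."""
    ftdb = {r: set() for r in RIB}
    for router, table in RIB.items():
        local = [p for p, (nh, _) in table.items() if nh is None]
        for prefix, (nh, out_if) in table.items():
            if nh is None:  # directly connected: local hosts enter on the route's interface
                ftdb[router].add((prefix, "any", out_if))
        for src in local:  # one path per (local prefix, remote prefix) pair
            for dst, (nh, _) in table.items():
                if nh is None:
                    continue
                for hop_router, in_if in forward_path(router, dst):
                    ftdb[hop_router].add((src, dst, in_if))
    return ftdb


def build_acl(ftdb_entries):
    """Claim 5: one permit rule per entry, grouped per ingress interface, then deny any any."""
    acl = {}
    for src, dst, in_if in ftdb_entries:
        acl.setdefault(in_if, []).append(("permit", src, dst))
    for rules in acl.values():
        rules.append(("deny", "any", "any"))
    return acl


def _match(rule_prefix, addr):
    return rule_prefix == "any" or ip_address(addr) in ip_network(rule_prefix)


def check_packet(acl, in_if, src, dst):
    """Claim 6: first matching rule on the arrival interface decides; no rules means deny."""
    for action, r_src, r_dst in acl.get(in_if, [("deny", "any", "any")]):
        if _match(r_src, src) and _match(r_dst, dst):
            return action
    return "deny"


if __name__ == "__main__":
    acl_a = build_acl(build_ftdb()["A"])
    # Legitimate: a host under router C's prefix reaches the server prefix via A's if_1.
    print(check_packet(acl_a, "if_1", "10.3.0.7", "10.2.0.1"))  # permit
    # Spoofed: a host under router D's prefix claims C's address but enters A on if_3.
    print(check_packet(acl_a, "if_3", "10.3.0.7", "10.2.0.1"))  # deny
```

Recomputation after a topology change (claim 8) is simply a rerun of build_ftdb() on the new forwarding tables; the entries with "any" as destination are the (prefix, any, interface) entries that claim 3 adds for directly connected subnets.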
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010102569339A CN101917434B (en) | 2010-08-18 | 2010-08-18 | Method for verifying intra-domain Internet protocol (IP) source address |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010102569339A CN101917434B (en) | 2010-08-18 | 2010-08-18 | Method for verifying intra-domain Internet protocol (IP) source address |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101917434A true CN101917434A (en) | 2010-12-15 |
CN101917434B CN101917434B (en) | 2013-04-10 |
Family ID: 43324818
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2010102569339A Active CN101917434B (en) | 2010-08-18 | 2010-08-18 | Method for verifying intra-domain Internet protocol (IP) source address |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101917434B (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103607347A (en) * | 2013-11-15 | 2014-02-26 | 华为技术有限公司 | A method and a controller for establishing a transmission channel |
CN104660597A (en) * | 2015-02-11 | 2015-05-27 | 福建星网锐捷网络有限公司 | Three-layer authentication method and device as well as three-layer authentication exchanger |
WO2017193694A1 (en) * | 2016-05-12 | 2017-11-16 | 中兴通讯股份有限公司 | Multicast routing entry control method and device, and communications system |
CN108600158A (en) * | 2018-03-08 | 2018-09-28 | 清华大学 | A kind of source address validation system based on software defined network |
CN109150895A (en) * | 2018-09-13 | 2019-01-04 | 清华大学 | A kind of verification method of the intra-domain source addresses of software defined network |
CN109495406A (en) * | 2017-09-13 | 2019-03-19 | 中兴通讯股份有限公司 | The retransmission method and forwarding device of multicasting virtual private network network VPN flow |
WO2020043107A1 (en) * | 2018-08-30 | 2020-03-05 | 华为技术有限公司 | Message processing method and apparatus, and relevant devices |
CN111200611A (en) * | 2020-01-06 | 2020-05-26 | 清华大学 | Method and device for verifying intra-domain source address based on boundary interface equivalence class |
CN112929279A (en) * | 2021-03-09 | 2021-06-08 | 清华大学 | Distributed generation method and device for source address verification table in internet domain |
CN114172731A (en) * | 2021-12-09 | 2022-03-11 | 赛尔网络有限公司 | Method, device, equipment and medium for quickly verifying and tracing IPv6 address |
CN114745174A (en) * | 2022-04-11 | 2022-07-12 | 中国南方电网有限责任公司 | Access verification system and method for power grid equipment |
WO2024164678A1 (en) * | 2023-02-10 | 2024-08-15 | 华为技术有限公司 | Source address validation method, and communication apparatus and system |
CN118611955B (en) * | 2024-06-24 | 2024-11-15 | 泉城省实验室 | Source address traffic identification and control method, device, equipment and medium based on programmable data plane |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040177152A1 (en) * | 2001-08-08 | 2004-09-09 | Sharon Aviran | System and a method for accelerating communication of TCP/IP based content |
CN101282338A (en) * | 2007-05-16 | 2008-10-08 | 清华大学 | Method for identification authentication of IPv6 broadcast source and inhibiting attack of malice/non-malice service |
CN101567891A (en) * | 2009-05-31 | 2009-10-28 | 成都市华为赛门铁克科技有限公司 | Source address verification method, device and system |
- 2010-08-18: CN application CN2010102569339A granted as patent CN101917434B, status Active
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103607347A (en) * | 2013-11-15 | 2014-02-26 | 华为技术有限公司 | A method and a controller for establishing a transmission channel |
CN104660597A (en) * | 2015-02-11 | 2015-05-27 | 福建星网锐捷网络有限公司 | Three-layer authentication method and device as well as three-layer authentication exchanger |
CN104660597B (en) * | 2015-02-11 | 2017-11-24 | 福建星网锐捷网络有限公司 | Three layers of authentication method, device and three layers of authenticated exchange machine |
WO2017193694A1 (en) * | 2016-05-12 | 2017-11-16 | 中兴通讯股份有限公司 | Multicast routing entry control method and device, and communications system |
CN107370680A (en) * | 2016-05-12 | 2017-11-21 | 中兴通讯股份有限公司 | A kind of multicast routing entry control method, device and communication system |
CN109495406A (en) * | 2017-09-13 | 2019-03-19 | 中兴通讯股份有限公司 | The retransmission method and forwarding device of multicasting virtual private network network VPN flow |
CN108600158A (en) * | 2018-03-08 | 2018-09-28 | 清华大学 | A kind of source address validation system based on software defined network |
CN108600158B (en) * | 2018-03-08 | 2020-05-22 | 清华大学 | Source address verification system based on software defined network |
US11575606B2 (en) | 2018-08-30 | 2023-02-07 | Huawei Technologies Co., Ltd. | Method, apparatus, and system for generating, and processing packets according to, a flow filtering rule |
WO2020043107A1 (en) * | 2018-08-30 | 2020-03-05 | 华为技术有限公司 | Message processing method and apparatus, and relevant devices |
US12015556B2 (en) | 2018-08-30 | 2024-06-18 | Huawei Technologies Co., Ltd. | Method, apparatus, and system for generating, and processing packets according to, a flow filtering rule |
CN109150895A (en) * | 2018-09-13 | 2019-01-04 | 清华大学 | A kind of verification method of the intra-domain source addresses of software defined network |
CN111200611A (en) * | 2020-01-06 | 2020-05-26 | 清华大学 | Method and device for verifying intra-domain source address based on boundary interface equivalence class |
CN111200611B (en) * | 2020-01-06 | 2021-02-23 | 清华大学 | Method and device for verifying intra-domain source address based on boundary interface equivalence class |
CN112929279B (en) * | 2021-03-09 | 2021-11-30 | 清华大学 | Distributed generation method and device for source address verification table in internet domain |
CN112929279A (en) * | 2021-03-09 | 2021-06-08 | 清华大学 | Distributed generation method and device for source address verification table in internet domain |
CN114172731A (en) * | 2021-12-09 | 2022-03-11 | 赛尔网络有限公司 | Method, device, equipment and medium for quickly verifying and tracing IPv6 address |
CN114745174A (en) * | 2022-04-11 | 2022-07-12 | 中国南方电网有限责任公司 | Access verification system and method for power grid equipment |
WO2024164678A1 (en) * | 2023-02-10 | 2024-08-15 | 华为技术有限公司 | Source address validation method, and communication apparatus and system |
CN118611955B (en) * | 2024-06-24 | 2024-11-15 | 泉城省实验室 | Source address traffic identification and control method, device, equipment and medium based on programmable data plane |
Also Published As
Publication number | Publication date |
---|---|
CN101917434B (en) | 2013-04-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101917434B (en) | Method for verifying intra-domain Internet protocol (IP) source address | |
Maltz et al. | Routing design in operational networks: A look from the inside | |
CN1937589B (en) | Routing configuration validation apparatus and methods | |
Oliveira et al. | In search of the elusive ground truth: the Internet's AS-level connectivity structure | |
CN101931628B (en) | Method and device for verifying intra-domain source addresses | |
US7292541B1 (en) | Methods and systems for unnumbered network link discovery | |
CN105745870B (en) | Extend operation from for detecting the serial multistage filter flowed greatly removal nose filter to remove stream to realize | |
Marder et al. | Pushing the boundaries with bdrmapit: Mapping router ownership at internet scale | |
US20020021675A1 (en) | System and method for packet network configuration debugging and database | |
CN105765946A (en) | A method and system of supporting service chaining in a data network | |
CN107005439A (en) | The passive performance measurement linked for online service | |
CN102143007A (en) | Distribution-based hierarchical network topology discovery method | |
CN110012119B (en) | A kind of IP address prefix authorization and management method | |
Le et al. | Shedding light on the glue logic of the internet routing architecture | |
Cuppens et al. | Handling stateful firewall anomalies | |
CN101547125A (en) | System and method for abnormal network positioning of autonomous system | |
CN108011819B (en) | Route issuing method and device | |
WO2019196562A1 (en) | Message processing method and device, storage medium and processor | |
Gregori et al. | A novel methodology to address the internet as-level data incompleteness | |
CN102158497A (en) | IP address filtering method and device | |
Gunes et al. | Inferring subnets in router-level topology collection studies | |
US9473384B2 (en) | Validating reachability of nodes of a network of an industrial automation and control system | |
CN102006290B (en) | IP source address tracing method | |
CN102648604A (en) | Method of monitoring network traffic by means of descriptive metadata | |
CN107547676A (en) | A kind of address processing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |